 
Patent Application
20170332234
                    Electronic devices may be configured to operate under certain ranges of conditions. Operating outside of these ranges may affect device performance, or even lead to malfunction.
Examples are disclosed that relate to the securing of a distributed sensor system. One example provides a security component configured to be communicatively coupled between a trusted element and a distributed sensor system. The security component includes a secured controller configured to receive a signal for forwarding to a sensor of the distributed sensor system, authenticate the signal as being sent from the trusted element, and when the signal is authenticated as being sent from the trusted element, forward the signal to the sensor. Further, when the signal is not authenticated as being sent from the trusted element, the secured controller is configured not to forward the signal to the sensor. The security component also includes a feedback controller configured to analyze signals received from the distributed sensor system and send one or more feedback instructions to the trusted element based at least on the signals from the distributed sensor system.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure.
Electronic devices may include or otherwise communicate with various sensors for detecting environmental conditions, operating conditions, user inputs, and other detectable conditions. For example, a device may include one or more temperature sensors to detect operating temperatures that may be damaging to the device or uncomfortable to a user. In the event that such a temperature is reached, a controller may control device operation to mitigate the temperature, for example by shutting down the device.
However, the use of sensor information to control device operation may pose security risks. For example, if thermal limits or other sensor-related operating settings are maliciously changed, or if sensor signals are spoofed or hijacked, device operation and/or a user experience may be compromised. Further, individually configuring security for each sensor of a distributed sensor system of a device may be complex and potentially error-prone.
Accordingly, examples are disclosed that relate to providing a secured sensor interface to help address security concerns with a distributed sensor system. As described in more detail below, a security component may be disposed communicatively between a distributed sensor system and other device components, such that all communication with the distributed sensor system occurs via the security component. The security component is configured to authenticate the sources of communications sent to the sensor system from other computing device components (e.g. an application processor), and to permit the communication to occur when the communication is authenticated as being sent from a trusted element. Further, other security measures also may be applied, as described below.
The secured sensor interface may be incorporated into any suitable device including or communicating with one or more sensors. 
The head-mounted display (HMD) device 10 comprises a sensor system 28 including one or more sensors, such as one or more thermal sensors 30, which may be disposed in different locations around the HMD device 10. Sensor system 28 may additionally or alternatively include one or more location sensors 32. Example location sensors include, but are not limited to, optical sensor(s) (e.g. depth camera(s) and/or RGB camera(s)), accelerometer(s), gyroscope(s), magnetometer(s), and global positioning system (GPS) sensors. The sensor system 28 may additionally or alternatively include other suitable sensors, such as a voltage/current sensor 34, an accelerometer/gyroscope 36, and a microphone/audio sensor 38. The sensors illustrated in 
  
The distributed sensor system 212 may include any suitable sensors. Examples include one or more analog sensors 214, one or more digital sensors 216, one or more display on-die sensors 218, and/or any other suitable sensors. Such sensors may measure any suitable internal or environmental conditions, such as temperature, audio, voltage/current/power, pressure, vibrations, position, light, and humidity. The distributed sensor system 212 may additionally or alternatively include sensors for capturing images and/or video. The distributed sensor system 212, the application processor 204, and/or the trusted devices 202 may communicate with the security component 210 via a link in some examples, such as an inter-integrated circuit (I2C), serial peripheral interface (SPI), or other communication link.
The security component 210 includes various modules for providing a secure interface between the trusted devices (e.g., the application processor 204) and the distributed sensor system 212. The security component 210 and the modules thereof may be implemented via any suitable hardware, examples of which are described in more detail below.
First, the security component 210 includes a configuration table 220 that stores configurations for the distributed sensor system in computer memory. Examples of such configurations include sensor limits for one or more of the sensors of the distributed sensor system (e.g. for comparing to sensor signals to control computing device operation), and programmable behaviors for the distributed sensor system. In some examples, two or more configurations may be stored for a sensor, depending upon how the sensor data is used by the computing device.
Information from the configuration table 220 may be communicated to the sensors of the distributed sensor system. The information from the configuration table may be communicated periodically, at startup, or on any other suitable basis. The communicated information from the configuration table 220 is stored in internal registers, for example, of the sensors of the distributed sensor system 212. Thus, the configuration table may be used to update configurations stored at the sensors to control behaviors of the sensors. As an example, the configurations stored at the sensors may control when the sensor sends an instruction to the trusted device (e.g., via the security component 210) to thereby control operation of the trusted device based on a sensed condition. As a more specific example, a thermal sensor may store a sensor limit which, if exceeded, triggers an instruction requesting a system shutdown or other suitable action to prevent overheating. The configuration table thus also may store a value corresponding to this sensor limit, which is used to update the sensor limit stored at the thermal sensor. In other examples, the sensor may be configured to send information indicating the sensed condition, such as a temperature value in the above scenario. In such examples, the security component may compare the information received from the sensor to the value stored in the configuration table to determine whether to trigger a power management response.
In either of these example scenarios (e.g., where sensed values are compared to values stored in the configuration table 220 and/or an internal register of the associated sensor), an unauthorized alteration of the configuration table 220 may affect operation of the electronic device 200. In order to prevent such unauthorized alteration, the configuration table 220 may be secured, such that access to the table is limited by a security controller 222 according to a selected security mechanism. Any suitable security protocol or combination of security protocols may be utilized to control access to the configuration table 220. In some examples, a one-time programmability mechanism may be used, in which the configuration information stored in the configuration table is stored in registers that are one-time programmable. In other words, the values of the configuration table are written once in non-volatile memory. Such programming may be performed at a manufacturing facility or in the field, and may provide a relatively higher level of restriction for further changes to the table. For this security mechanism and others described below, access control may be provided on a per-table, per-sensor, or per-memory location basis. In other words, using the one-time programmable protocol as an example, all values for the table may be set (written once in memory) at substantially the same time for a per-table scenario or individually for a per-sensor or per-memory location scenario.
In another example, a time-windowing modification protocol may be utilized in which configuration information may only be programmed within a predefined time period, for example, as measured from an event such as resetting the security component/trusted device/electronic device. As a more specific example, upon a reset of the electronic device 200, memory registers of the configuration table may be loaded with default values, and the register values are allowed to be modified (e.g., by any device or by an authorized device, depending on the security protocol) within a predefined time period (e.g., within a defined number of milliseconds from system boot or a defined number clock cycles based on a counter), after which the contents will be locked. The modified configuration information may be persistent until a next authorized change, or reloaded to default information after every reset. In this example, the security controller 222 may track the time and/or counter to determine when the time window has elapsed. Responsive to detecting that the time window has elapsed, the security controller 222 may prevent further changes to the table until a next reset or other power event.
The configuration table 220 may utilize locking-bit protection to control access to the table once the time window has elapsed to prevent modification of the configuration table values until the electronic device 200 is reset or powered down. A locking bit may be set globally for the configuration table, or may be set individually to represent a group of one or more values. This bit can be set to locked once (e.g., by the security controller 222), but cannot be unlocked until the next system reset that powers down the electronic device. The registers may remain configurable until the respective lock bit(s) are set.
The configuration table 220 may additionally or alternatively control access based on host and device authorization. For example, various components in a system-on-chip or other integrated circuit (e.g., trusted elements 206 and untrusted elements 208 of the application processor 204) may communicate using a network of buses (e.g., control and data buses) or a protocol on top of a physical bus (e.g., an Advance High-Performance Bus). The control bus or a part of the protocol may utilize a source identifier (ID) for the host (e.g., application processor 204) and a destination ID for the security component 210. The source ID and destination ID may determine the transfer of data from a source component to a destination component. When the source IDs are immutable and non-spoofable (e.g., sufficiently unique, hardcoded, and/or non-programmable), such IDs may serve as authenticating elements. The changing of limits in the configurable registers of the configuration table 220 thus may be restricted to certain entities within the system, such as the trusted elements of application processor 204, with matching whitelisted source IDs. This authentication may be used in conjunction with one or more other security protocols, such as time-windowing.
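To make the interplay of the mechanisms above concrete, here is an added C model (not code from the patent) of a configuration table guarded by a security controller: a whitelist of bus source IDs that the hardware is assumed to make immutable, a modification window counted in clock ticks from reset, and per-register lock-once bits. The sensor count, window length, IDs and default limits are constructed for the illustration, and the checks are ordered so that a write from an untrusted source and a late write from a trusted source are reported differently, as the time-windowing discussion suggests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of configuration table 220 and security controller 222:
 * one limit register per sensor, a lock-once bit per register, a modification
 * window counted in clock ticks from reset, and a whitelist of bus source IDs
 * that the hardware is assumed to make immutable. All values are made up. */
#define NUM_SENSORS     4
#define WINDOW_TICKS    1000u   /* assumed window length after reset */
#define MAX_TRUSTED_IDS 2

enum cfg_result {
    CFG_OK = 0,
    CFG_ERR_UNTRUSTED_SOURCE,  /* source ID not whitelisted: warning */
    CFG_ERR_WINDOW_CLOSED,     /* trusted source, but the window has elapsed */
    CFG_ERR_LOCKED,            /* lock bit already set for this register */
    CFG_ERR_BAD_INDEX
};

struct config_table {
    int32_t  limit[NUM_SENSORS];    /* e.g. thermal / voltage limits */
    bool     locked[NUM_SENSORS];   /* per-register lock bit */
    uint32_t ticks_since_reset;     /* counter kept by the security controller */
    uint16_t trusted_ids[MAX_TRUSTED_IDS];
    size_t   num_trusted;
};

/* Constructed default limits reloaded on every reset. */
static const int32_t DEFAULT_LIMITS[NUM_SENSORS] = { 85, 90, 4200, 100 };

/* Reset or power event: reload defaults, clear lock bits, reopen the window. */
void cfg_reset(struct config_table *t, const uint16_t *ids, size_t n)
{
    memset(t, 0, sizeof *t);
    memcpy(t->limit, DEFAULT_LIMITS, sizeof t->limit);
    t->num_trusted = n < MAX_TRUSTED_IDS ? n : MAX_TRUSTED_IDS;
    memcpy(t->trusted_ids, ids, t->num_trusted * sizeof ids[0]);
}

/* Advance the counter; once the window elapses, every lock bit is set. */
void cfg_tick(struct config_table *t, uint32_t ticks)
{
    t->ticks_since_reset += ticks;
    if (t->ticks_since_reset >= WINDOW_TICKS)
        for (size_t i = 0; i < NUM_SENSORS; i++)
            t->locked[i] = true;
}

static bool is_trusted(const struct config_table *t, uint16_t src)
{
    for (size_t i = 0; i < t->num_trusted; i++)
        if (t->trusted_ids[i] == src)
            return true;
    return false;
}

/* A write request carrying the bus source ID of its originator. The checks
 * are ordered so that the reason for refusal is distinguishable. */
enum cfg_result cfg_write_limit(struct config_table *t, uint16_t src_id,
                                size_t sensor, int32_t value)
{
    if (sensor >= NUM_SENSORS)                return CFG_ERR_BAD_INDEX;
    if (!is_trusted(t, src_id))               return CFG_ERR_UNTRUSTED_SOURCE;
    if (t->ticks_since_reset >= WINDOW_TICKS) return CFG_ERR_WINDOW_CLOSED;
    if (t->locked[sensor])                    return CFG_ERR_LOCKED;
    t->limit[sensor] = value;
    return CFG_OK;
}

/* A trusted element may lock a register early; it stays locked until reset. */
enum cfg_result cfg_lock(struct config_table *t, uint16_t src_id, size_t sensor)
{
    if (sensor >= NUM_SENSORS)  return CFG_ERR_BAD_INDEX;
    if (!is_trusted(t, src_id)) return CFG_ERR_UNTRUSTED_SOURCE;
    t->locked[sensor] = true;
    return CFG_OK;
}

/* Walks one boot cycle; returns 0 on success or the number of the failing step. */
int cfg_self_check(void)
{
    static const uint16_t trusted[] = { 0x10, 0x11 };  /* constructed IDs */
    struct config_table t;
    cfg_reset(&t, trusted, 2);
    if (cfg_write_limit(&t, 0x10, 0, 80) != CFG_OK || t.limit[0] != 80) return 1;
    if (cfg_write_limit(&t, 0x99, 0, 200) != CFG_ERR_UNTRUSTED_SOURCE)  return 2;
    if (cfg_lock(&t, 0x11, 1) != CFG_OK)                                return 3;
    if (cfg_write_limit(&t, 0x10, 1, 95) != CFG_ERR_LOCKED)             return 4;
    cfg_tick(&t, WINDOW_TICKS);                       /* window elapses */
    if (cfg_write_limit(&t, 0x10, 2, 4000) != CFG_ERR_WINDOW_CLOSED)    return 5;
    cfg_reset(&t, trusted, 2);                        /* next reset reopens */
    if (t.limit[0] != 85 || t.locked[1])                                return 6;
    return 0;
}
```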
As described above, the security protocol controlling access to the configuration table 220 may be tied to a reset or power event. For example, the time-window for changing the values of the configuration table may be started in response to a reset or power event. In order to protect against unauthorized reset or power events, the security component 210 may include a power/reset monitor 224. The power/reset monitor 224 may monitor the system continuously or periodically and assert a “system shutdown” indication if a power/reset attack is detected. The power/reset monitoring may be performed in any suitable manner, such as via microcode or a hardware state machine that continually compares values in the configuration table 220 and values of registers of the sensors in the distributed sensor system 212 to monitor for changes. In another example, hardware signals (e.g., wires) may feed into the security component 210 by way of dedicated power/reset detector circuits. If an attack is detected (e.g., if the values between the configuration table and sensor are determined to be different), the security component 210 may issue a system shutdown instruction to power down the electronic device 200, even if none of the sensors has issued a shutdown instruction or provided a signal that would indicate a system shutdown (e.g., a sensed temperature that is above an associated temperature limit in the configuration table 220). Once a system shutdown from the security component is triggered, a reset or power down action may not clear the shutdown request until a specific authorized modification sequence is detected and accepted by the secured controller (e.g., during a time-windowing period). In this way, potential further attacks may be prevented once an initial attack is detected. The shutdown instruction in this example is independent of sensor status and is triggered by the attack detection (e.g., by the power/reset monitor 224).
Shutdown instructions generated by the security component 210 during an attack may be provided via a shutdown request module of a feedback controller 226 of the security component 210. The shutdown request module may send a shutdown request to the power management component 228 (e.g., via a system shutdown control module 229 of the power management component). In response, the power management component 228 or feedback controller 226 may send an instruction to the charging component 230 to power down the electronic device 200.
Shutdown requests or other power changes for the electronic device 200 also may be generated based on signals from the sensors of the distributed sensor system 212 provided to the feedback controller 226. Signals from analog sensors 214 may first pass through an analog-to-digital converter 231 of power management component 228 (or other suitable analog-to-digital converter) for conversion to digital values before being passed to the feedback controller. The feedback controller 226 may be configured to analyze the signals from the sensors to determine feedback instructions for controlling operation of the electronic device 200. For example, if a thermal sensor output indicates that a temperature is above an associated threshold, the feedback instructions may comprise a shutdown request to prevent overheating. The feedback controller 226 may send the feedback instructions, such as a shutdown request or a charging component adjustment, to power management component 228 or charging component 230. Power management component 228 may, in response, shut down the electronic device via a system shutdown control 233 and/or adjust an amount and/or speed of charging of the electronic device (e.g., via a throttle tuning module 235 of the charging component 230).
Another security consideration for the electronic device 200 relates to the security of the signals transmitted between the sensors and the trusted devices. As an interface, the security component 210 may verify the signals from the sensors and/or trusted devices before passing the signals on to the associated destination (e.g., the trusted devices and/or the sensors). The signals from the distributed sensor system 212 and/or from the trusted devices 202 may be provided (e.g., via a link, such as an inter-integrated circuit (I2C), serial peripheral interface (SPI), or other communication interface) to a secured controller 232 of the security component for authentication. The secured controller 232 may authenticate the received signals as being sent from authorized devices, e.g., based on source IDs or other authentication protocol, before forwarding the signals to an associated destination, such as the feedback controller or application processor. In this way, signals received from unauthorized/untrusted elements may be ignored or used to trigger an attack prevention response, as described above.
  
At 310, the method includes receiving signals from the sensor(s). The signals may include a sensor measurement, such as an absolute or relative temperature value, voltage/current value, decibel level, etc., and/or an instruction, such as a shutdown request, based on a sensor measurement. At 312, the method includes analyzing the signals received from the sensor(s), and at 314, sending instructions to the application processor, power management component, and/or charging component based at least on the analysis of the signals from the sensors. For example, where the signals from the sensors indicate that a temperature is over a threshold for the electronic device, the instructions may include feedback to a power management component requesting a system shutdown, a reduction in an amount and/or speed of charging being provided to the device via a charging component, or other suitable feedback. The feedback instructions may, in turn, be processed by the power management component, and power management instructions may be generated based on the feedback instructions. As examples, the power management instructions may instruct the power management component to shut down the electronic device or change the amount and/or speed of charging being provided to the device.
  
As mentioned above, additional security measures also may be applied, such as time-windowing. In such examples, the response used by the system to an unauthorized signal may vary depending upon the reason the signal is determined not to be authorized. For example, a signal from an untrusted element may trigger a warning, while a signal received from a trusted element but outside of a time window of modification may not trigger a warning, or trigger a different warning.
Continuing with 
In some examples, the configuration table may include different thresholds for a given sensor, wherein each threshold corresponds to a different responsive action or instruction. For example, if a signal from the sensor is above a first threshold but below a second threshold, the feedback controller may send an instruction to the power management component to adjust a charging speed of the electronic device. Further, if the signal from the sensor is above both the first and second thresholds, the feedback controller may send an instruction to the power management component to shut down the electronic device.
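An added C model (not the patent's own code) of the tiered thresholds just described together with the power/reset monitor described earlier: readings are graded against two thresholds per sensor, a mismatch between the configuration table and the sensors' register copies latches a sensor-independent shutdown request, and only an authorized modification sequence clears that latch, not a reset. The thresholds, the trusted source ID and the in_window flag are assumptions; the time window itself is not modelled here and is passed in as a flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of feedback controller 226 and power/reset monitor 224.
 * The configuration table holds two thresholds per sensor; each sensor keeps
 * its own register copy. Thresholds, IDs and sensor count are made up. */
#define NUM_SENSORS 3

enum feedback { FB_NONE = 0, FB_THROTTLE_CHARGING, FB_SHUTDOWN };

struct tiered_limit { int32_t first; int32_t second; };

struct security_component {
    struct tiered_limit table[NUM_SENSORS];        /* configuration table 220 */
    struct tiered_limit sensor_regs[NUM_SENSORS];  /* sensors' internal registers */
    bool     shutdown_latched;  /* set by the monitor; survives reset */
    uint16_t trusted_id;        /* assumed immutable source ID of the trusted element */
};

/* Constructed thresholds: thermal (deg C), voltage (mV), audio (dB). */
static const struct tiered_limit DEFAULTS[NUM_SENSORS] = {
    { 85, 95 }, { 4200, 4400 }, { 85, 100 }
};

/* Push configuration table contents into the sensors' registers. */
void sync_sensor_registers(struct security_component *s)
{
    for (size_t i = 0; i < NUM_SENSORS; i++)
        s->sensor_regs[i] = s->table[i];
}

/* A reset reloads defaults and resyncs the sensors but keeps the latch. */
void device_reset(struct security_component *s, uint16_t trusted_id)
{
    for (size_t i = 0; i < NUM_SENSORS; i++)
        s->table[i] = DEFAULTS[i];
    sync_sensor_registers(s);
    s->trusted_id = trusted_id;
}

/* Feedback controller: grade a reading against the two thresholds.
 * Above the first only: throttle charging; above both: request shutdown. */
enum feedback evaluate_reading(const struct security_component *s,
                               size_t sensor, int32_t value)
{
    if (s->shutdown_latched)   return FB_SHUTDOWN;   /* attack response wins */
    if (sensor >= NUM_SENSORS) return FB_NONE;
    if (value > s->table[sensor].second) return FB_SHUTDOWN;
    if (value > s->table[sensor].first)  return FB_THROTTLE_CHARGING;
    return FB_NONE;
}

/* Power/reset monitor: any difference between the table and a sensor's
 * registers is treated as an attack and latches a sensor-independent
 * shutdown request. Returns true when an attack was detected. */
bool monitor_check(struct security_component *s)
{
    for (size_t i = 0; i < NUM_SENSORS; i++) {
        if (s->table[i].first  != s->sensor_regs[i].first ||
            s->table[i].second != s->sensor_regs[i].second) {
            s->shutdown_latched = true;
            return true;
        }
    }
    return false;
}

/* Only an authorized modification sequence (trusted source ID, inside the
 * modification window) clears the latch; the window flag is an input here. */
bool clear_shutdown(struct security_component *s, uint16_t src_id, bool in_window)
{
    if (src_id != s->trusted_id || !in_window)
        return false;
    s->shutdown_latched = false;
    sync_sensor_registers(s);
    return true;
}

/* Walks one tampering scenario; returns 0 on success or the failing step. */
int feedback_self_check(void)
{
    struct security_component s = {0};
    device_reset(&s, 0x10);
    if (evaluate_reading(&s, 0, 80) != FB_NONE)              return 1;
    if (evaluate_reading(&s, 0, 90) != FB_THROTTLE_CHARGING) return 2;
    if (evaluate_reading(&s, 0, 96) != FB_SHUTDOWN)          return 3;
    if (monitor_check(&s))                                   return 4;
    s.sensor_regs[0].second = 150;   /* constructed: tampered sensor register */
    if (!monitor_check(&s))                                  return 5;
    if (evaluate_reading(&s, 0, 20) != FB_SHUTDOWN)          return 6;
    device_reset(&s, 0x10);          /* reset alone must not clear the latch */
    if (evaluate_reading(&s, 0, 20) != FB_SHUTDOWN)          return 7;
    if (clear_shutdown(&s, 0x99, true))                      return 8;
    if (!clear_shutdown(&s, 0x10, true))                     return 9;
    if (evaluate_reading(&s, 0, 20) != FB_NONE)              return 10;
    return 0;
}
```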
  
The feedback instruction sent at 508 may be configured to change operation of the device in any suitable manner, such as to cause the measurement to be within the threshold or to mitigate a security breach. For example, the feedback instruction may include a shutdown request that is sent to the application processor/power management component, as indicated at 510. As another example, the feedback instruction may include an instruction to change a charging amount and/or speed, as indicated at 512. As another example, if the sensor is an audio sensor, the instruction may include lowering a volume of output audio or displaying a warning to a user responsive to detecting that the output audio is above a threshold. As yet another example, if the sensor is a voltage/current sensor, the instruction may include an instruction to a power management/charging component to reduce a charging amount and/or speed or shut down the device responsive to determining that the voltage/current is above a threshold. Further, if the sensor is a vibration, pressure, or moisture sensor, the instruction may include an instruction to the power management/charging component to shut down the device to prevent damage.
The above-described methods and systems may provide a secured sensor interface to protect against unauthorized attempts to control operation of a device and/or unauthorized attempts to change responses to sensor signals. The secured sensor interface may be implemented in any suitable manner, such as by one or more storage devices (e.g., holding instructions executable by a processor), processors, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), systems-on-chip (SoCs) and/or other hardware elements configured to secure communications between the distributed sensor system and the trusted devices/elements.
In some embodiments, the methods and processes described herein may be tied to a computing system of one or more computing devices. In particular, such methods and processes may be implemented as a computer-application program or service, an application-programming interface (API), a library, and/or other computer-program product.
  
Computing system 600 includes a logic machine 602 and a storage machine 604. Computing system 600 may optionally include a display subsystem 606, input subsystem 608, communication subsystem 610, and/or other components not shown in 
Logic machine 602 includes one or more physical devices configured to execute instructions. For example, the logic machine may be configured to execute instructions that are part of one or more applications, services, programs, routines, libraries, objects, components, data structures, or other logical constructs. Such instructions may be implemented to perform a task, implement a data type, transform the state of one or more components, achieve a technical effect, or otherwise arrive at a desired result.
The logic machine may include one or more processors configured to execute software instructions. Additionally or alternatively, the logic machine may include one or more hardware or firmware logic machines configured to execute hardware or firmware instructions. Processors of the logic machine may be single-core or multi-core, and the instructions executed thereon may be configured for sequential, parallel, and/or distributed processing. Individual components of the logic machine optionally may be distributed among two or more separate devices, which may be remotely located and/or configured for coordinated processing. Aspects of the logic machine may be virtualized and executed by remotely accessible, networked computing devices configured in a cloud-computing configuration.
Storage machine 604 includes one or more physical devices configured to hold instructions executable by the logic machine to implement the methods and processes described herein. When such methods and processes are implemented, the state of storage machine 604 may be transformed—e.g., to hold different data.
Storage machine 604 may include removable and/or built-in devices. Storage machine 604 may include optical memory (e.g., CD, DVD, HD-DVD, Blu-Ray Disc, etc.), semiconductor memory (e.g., RAM, EPROM, EEPROM, etc.), and/or magnetic memory (e.g., hard-disk drive, floppy-disk drive, tape drive, MRAM, etc.), among others. Storage machine 604 may include volatile, nonvolatile, dynamic, static, read/write, read-only, random-access, sequential-access, location-addressable, file-addressable, and/or content-addressable devices.
It will be appreciated that storage machine 604 includes one or more physical devices. However, aspects of the instructions described herein alternatively may be propagated by a communication medium (e.g., an electromagnetic signal, an optical signal, etc.) that is not held by a physical device for a finite duration.
Aspects of logic machine 602 and storage machine 604 may be integrated together into one or more hardware-logic components. Such hardware-logic components may include field-programmable gate arrays (FPGAs), program- and application-specific integrated circuits (PASIC/ASICs), program- and application-specific standard products (PSSP/ASSPs), system-on-a-chip (SOC), and complex programmable logic devices (CPLDs), for example.
The term “module” may be used to describe an aspect of computing system 600 implemented to perform a particular function. In some cases, a module may be instantiated via logic machine 602 executing instructions held by storage machine 604. It will be understood that different modules may be instantiated from the same application, service, code block, object, library, routine, API, function, etc. Likewise, the same module may be instantiated by different applications, services, code blocks, objects, routines, APIs, functions, etc. The term “module” may encompass individual or groups of executable files, data files, libraries, drivers, scripts, database records, etc.
When included, display subsystem 606 may be used to present a visual representation of data held by storage machine 604. This visual representation may take the form of a graphical user interface (GUI). As the herein described methods and processes change the data held by the storage machine, and thus transform the state of the storage machine, the state of display subsystem 606 may likewise be transformed to visually represent changes in the underlying data. Display subsystem 606 may include one or more display devices utilizing virtually any type of technology. Such display devices may be combined with logic machine 602 and/or storage machine 604 in a shared enclosure, or such display devices may be peripheral display devices.
When included, input subsystem 608 may comprise or interface with one or more user-input devices such as a keyboard, mouse, touch screen, or game controller. In some embodiments, the input subsystem may comprise or interface with selected natural user input (NUI) componentry. Such componentry may be integrated or peripheral, and the transduction and/or processing of input actions may be handled on- or off-board. Example NUI componentry may include a microphone for speech and/or voice recognition; an infrared, color, stereoscopic, and/or depth camera for machine vision and/or gesture recognition; a head tracker, eye tracker, accelerometer, and/or gyroscope for motion detection and/or intent recognition; as well as electric-field sensing componentry for assessing brain activity.
When included, communication subsystem 610 may be configured to communicatively couple computing system 600 with one or more other computing devices. Communication subsystem 610 may include wired and/or wireless communication devices compatible with one or more different communication protocols. As non-limiting examples, the communication subsystem may be configured for communication via a wireless telephone network, or a wired or wireless local- or wide-area network. In some embodiments, the communication subsystem may allow computing system 600 to send and/or receive messages to and/or from other devices via a network such as the Internet.
Another example provides for a security component configured to be communicatively coupled between a trusted element and a distributed sensor system, the security component comprising a secured controller configured to receive a signal for forwarding to a sensor of the distributed sensor system, authenticate the signal as being sent from the trusted element, when the signal is authenticated as being sent from the trusted element, forward the signal to the sensor, and when the signal is not authenticated as being sent from the trusted element, not forward the signal to the sensor, and the security component also comprising a feedback controller configured to analyze signals received from the distributed sensor system and send one or more feedback instructions to the trusted element based at least on the signals from the distributed sensor system. Such an example may additionally or alternatively further include the security component, wherein the security component is configured to be communicatively coupled to a power management component and a charging component of the distributed sensor system, and wherein the feedback controller is configured to send power management instructions to one or more of the power management component and the charging component based at least on the signals from the distributed sensor system. Such an example may additionally or alternatively further include the security component, wherein power management instructions comprise an instruction configured to cause the power management component to control the charging component. Such an example may additionally or alternatively further include the security component, wherein authenticating the signal as being sent from the trusted element comprises determining that the signal was sent from one of a plurality of trusted elements.
Such an example may additionally or alternatively further include the security component, wherein the security component is configured to be communicatively coupled to a thermal sensor of the distributed sensor system, and wherein the signals received from the distributed sensor system include a signal from the thermal sensor indicating that the temperature is above a temperature threshold. Such an example may additionally or alternatively further include the security component, wherein the one or more feedback instructions include a shutdown request in response to the signal indicating that the temperature is above the temperature threshold. Such an example may additionally or alternatively further include the security component, wherein the security component is configured to be communicatively connected to an application processor that includes the trusted element and one or more untrusted elements. Such an example may additionally or alternatively further include the security component, wherein the security component is configured to communicate with one or more of the trusted element and the sensor of the distributed sensor system via an inter-integrated circuit (I2C). Such an example may additionally or alternatively further include the security component, wherein the security component comprises one or more of an application-specific integrated circuit (ASIC) and a component of a system-on-chip (SoC). Any or all of the above-described examples may be combined in any suitable manner in various implementations.
Another example provides for, on a security component communicatively coupled between a trusted element and a distributed sensor system, a method comprising, with a secured controller of the security component, receiving a signal for forwarding to a sensor of the distributed sensor system, authenticating the signal as being sent from the trusted element, when the signal is authenticated as being sent from the trusted element, forwarding the signal to the sensor, and when the signal is not authenticated as being sent from the trusted element, not forwarding the signal to the sensor, and, with a feedback controller of the security component, analyzing signals received from the distributed sensor system, and sending one or more feedback instructions to the trusted element based at least on the signals received from the distributed sensor system. Such an example may additionally or alternatively further include the method, wherein the distributed sensor system includes a power management component and a charging component, and wherein the method further comprises, via the feedback controller, sending a power management instruction to the power management and/or charging component for controlling operation of the charging component. Such an example may additionally or alternatively further include the method, wherein the distributed sensor system includes one or more thermal sensors, and wherein the signals received from the distributed sensor system include a signal indicating that the temperature is above a temperature threshold. Such an example may additionally or alternatively further include the method, further comprising, via the feedback controller, sending a shutdown request when the signals received from the distributed sensor system indicate that the temperature is above the temperature threshold. 
Such an example may additionally or alternatively further include the method, wherein the trusted element is included in an application processor, the application processor including one or more trusted elements and one or more untrusted elements. Any or all of the above-described examples may be combined in any suitable manner in various implementations.
Another example provides for an electronic device comprising a distributed sensor system including a power management component, a trusted element, and a security component communicatively coupled between the distributed sensor system and the trusted element, the security component comprising a secured controller configured to receive a signal for forwarding to a sensor of the distributed sensor system, authenticate the signal as being sent from the trusted element, when the signal is authenticated as being sent from the trusted element, forward the signal to the sensor, and when the signal is not authenticated as being sent from the trusted element, not forward the signal to the sensor, and the security component also comprising a feedback controller configured to analyze signals received from the distributed sensor system, and send one or more feedback instructions to one or more of the trusted element, the power management component, and the charging component based at least on the signals received from the distributed sensor system, the one or more feedback instructions executable to control operation of the electronic device. Such an example may additionally or alternatively further include the electronic device, further comprising a charging component, wherein the feedback instructions include power management instructions for the power management component to control the charging component. Such an example may additionally or alternatively further include the electronic device, wherein the one or more power management instructions includes a charging instruction for controlling a charging speed for charging the electronic device with the charging component. 
Such an example may additionally or alternatively further include the electronic device, wherein the distributed sensor system includes one or more thermal sensors, wherein the signals received from the distributed sensor system include a signal indicating that the temperature is above a temperature threshold, and wherein the one or more feedback instructions from the feedback controller include a shutdown request in response to the signal indicating that the temperature is above the temperature threshold. Such an example may additionally or alternatively further include the electronic device, further comprising an application processor, the application processor comprising the trusted element and one or more untrusted elements. Such an example may additionally or alternatively further include the electronic device, wherein the security component is communicatively connected to one or more of the trusted element and the distributed sensor system via an inter-integrated circuit (I2C) bus. Any or all of the above-described examples may be combined in any suitable manner in various implementations.
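The method and device examples above describe two data paths through the security component: the secured controller, which forwards a signal to a sensor only when the signal authenticates as coming from the trusted element and drops it otherwise, and the feedback controller, which analyzes sensor readings and emits feedback instructions such as a shutdown request above a temperature threshold or a charging-speed instruction to the power management component. The following simulation is an added example written for this page; it is not code from the patent or its assignee. The patent does not say how a signal is authenticated, so the use of HMAC-SHA256 with a shared key and a monotonic counter, the sensor address "thermal0", the threshold values, the instruction strings and the `SensorBus` stand-in for the I2C bus are all assumptions made here for illustration.

```python
"""Simulation of the security component: authenticated forwarding plus feedback.

Added example, not from the patent. The authentication scheme (HMAC-SHA256 over
target, counter and payload with a shared key) and all names/values are assumed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Key provisioned to the trusted element and the secured controller (constructed).
TRUSTED_KEY = b"example-key-provisioned-to-trusted-element"

TEMP_THRESHOLD_C = 85.0   # shutdown request above this temperature (assumed value)
THROTTLE_C = 70.0         # slow charging above this temperature (assumed value)


@dataclass(frozen=True)
class Signal:
    """A command destined for one sensor of the distributed sensor system."""
    target: str      # sensor address on the bus, e.g. "thermal0" (assumed naming)
    payload: bytes   # raw register write for the sensor
    counter: int     # monotonic counter so a captured signal cannot be replayed
    tag: bytes       # HMAC-SHA256 over target, counter and payload


def _mac(key: bytes, target: str, payload: bytes, counter: int) -> bytes:
    msg = target.encode() + counter.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_signal(key: bytes, target: str, payload: bytes, counter: int) -> Signal:
    """Done by the trusted element before handing the signal to the security component."""
    return Signal(target, payload, counter, _mac(key, target, payload, counter))


class SensorBus:
    """Stand-in for the I2C bus to the distributed sensor system (constructed)."""
    def __init__(self) -> None:
        self.registers: dict[str, bytes] = {}        # last value written per sensor
        self.readings: dict[str, float] = {"thermal0": 25.0}  # current sensor readings

    def write(self, target: str, payload: bytes) -> None:
        self.registers[target] = payload


class SecuredController:
    """Forwards a signal only if it authenticates as sent by the trusted element."""
    def __init__(self, key: bytes, bus: SensorBus) -> None:
        self._key = key
        self._bus = bus
        self._last_counter = -1
        self.forwarded: list[Signal] = []
        self.dropped: list[Signal] = []

    def authenticate(self, sig: Signal) -> bool:
        expected = _mac(self._key, sig.target, sig.payload, sig.counter)
        if not hmac.compare_digest(expected, sig.tag):
            return False                      # tag made with another key: untrusted
        return sig.counter > self._last_counter   # equal/lower counter: replay

    def receive(self, sig: Signal) -> bool:
        if self.authenticate(sig):
            self._last_counter = sig.counter
            self._bus.write(sig.target, sig.payload)   # forward to the sensor
            self.forwarded.append(sig)
            return True
        self.dropped.append(sig)                       # not forwarded
        return False


class FeedbackController:
    """Analyzes sensor readings and produces (recipient, instruction) pairs."""
    def analyze(self, readings: dict[str, float]) -> list[tuple[str, str]]:
        instructions: list[tuple[str, str]] = []
        temp = readings.get("thermal0")
        if temp is None:
            return instructions
        if temp > TEMP_THRESHOLD_C:
            # Above threshold: shutdown request to the trusted element and stop charging.
            instructions.append(("trusted_element", "shutdown_request"))
            instructions.append(("power_management", "charging_speed=off"))
        elif temp > THROTTLE_C:
            instructions.append(("power_management", "charging_speed=slow"))
        return instructions


def run_scenario() -> dict:
    """Genuine signal, forged signal from an untrusted element, replay, then feedback."""
    bus = SensorBus()
    secured = SecuredController(TRUSTED_KEY, bus)
    feedback = FeedbackController()

    genuine = sign_signal(TRUSTED_KEY, "thermal0", b"\x01\x55", counter=1)
    accepted = secured.receive(genuine)                       # forwarded

    forged = sign_signal(b"guessed-key", "thermal0", b"\x01\x00", counter=2)
    forged_accepted = secured.receive(forged)                 # dropped: wrong key

    replay_accepted = secured.receive(genuine)                # dropped: counter reused

    bus.readings["thermal0"] = 92.0                           # sensor reports overheating
    instructions = feedback.analyze(bus.readings)

    return {"accepted": accepted, "forged_accepted": forged_accepted,
            "replay_accepted": replay_accepted, "register": bus.registers.get("thermal0"),
            "instructions": instructions, "dropped": len(secured.dropped)}
```

The point the simulation makes is that the untrusted elements sharing the application processor can neither forge a signal without the trusted element's key nor replay one it has already sent, so the only register write that reaches the sensor is the genuine one, while the feedback path runs regardless of who is sending commands and still produces the shutdown request once the reading crosses the threshold.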
It will be understood that the configurations and/or approaches described herein are exemplary in nature, and that these specific embodiments or examples are not to be considered in a limiting sense, because numerous variations are possible. The specific routines or methods described herein may represent one or more of any number of processing strategies. As such, various acts illustrated and/or described may be performed in the sequence illustrated and/or described, in other sequences, in parallel, or omitted. Likewise, the order of the above-described processes may be changed.
The subject matter of the present disclosure includes all novel and non-obvious combinations and sub-combinations of the various processes, systems and configurations, and other features, functions, acts, and/or properties disclosed herein, as well as any and all equivalents thereof.