The subject matter of the present application may also be related to the following U.S. Patent Applications: “Data Event Logging in Computing Platform,” Ser. No. 09/979,902, filed Nov. 27, 2001; “Data Integrity Monitoring in Trusted Computing Entity,” Ser. No. 09/979,903, filed Nov. 27, 2001; “Information System,” Ser. No. 10/080,476, filed Feb. 22, 2002; “Method of and Apparatus for Investigating Transactions in a Data Processing Environment,” Ser. No. 10/080,478, filed Feb. 22, 2002; “Method of and Apparatus for Ascertaining the Status of a Data Processing Environment,” Ser. No. 10/080,479, filed Feb. 22, 2002; “Trusted Platform Evaluation,” Ser. No. 10/194,831, filed Jul. 11, 2002; “Privacy of Data on a Computer Platform,” Ser. No. 10/206,812, filed Jul. 26, 2002; and “Method and Apparatus for Locking an Application Within a Trusted Environment,” Ser. No. 10/208,718, filed Jul. 29, 2002.
The invention relates to establishing and/or maintaining a trusted computing environment. A first computing device can be said to regard a second computing device as trustworthy if the first computing device can expect the second computing device to operate or behave in a known manner.
In the present context, “trust” and “trusted” are used to mean that a device or service can be relied upon to work in an intended, described or expected manner, and has not been tampered with or subverted in order to run malicious applications. A specification for trusted computing has been developed by the Trusted Computing Platform Alliance and can be found at www.trustedpc.org.
A conventional trusted computing device comprises a tamper-resistant tester which can test the device to ascertain if it is trustworthy. The outcome of the test can be used within the device or reported to another computing device attempting to communicate with it. An exemplary trusted component is described in the applicant's co-pending International Patent Application Publication No. PCT/GB00/00528 entitled “Trusted Computing Platform”, the contents of which are incorporated by reference herein. If the outcome of the test is reported to another device, then that other device can use the report to determine a trust policy vis-a-vis the device offering the report, which controls its communication with the reporting device.
One disadvantage of a computing environment comprised of trusted computing devices of the kind mentioned above arises where a trusted computing device becomes compromised, e.g. by a virus. The trusted computing devices in the environment do not know if the other computing devices within the environment have been compromised unless they challenge the other computing devices to verify that they have not been compromised. The challenge-verification process can consume undesirable amounts of time and/or processing resources.
An object of the invention is the amelioration of the aforementioned disadvantage.
According to one aspect, the invention comprises a method of operating a trusted computing system, the method comprising providing an assessor to receive a report from, and pertaining to the trustworthiness of, a first computing device, and the assessor updating the trust policy of a second computing device in accordance with the report.
According to another aspect, the invention comprises an assessor for controlling a trusted computing system, the assessor comprising a receiver for receiving a report from, and pertaining to the trustworthiness of, a first computing device, an updater for updating the trust policy of a second computing device in accordance with the report, and a transmitter for transmitting the updated policy to the second computing device.
Hence, the invention can provide an efficient way of informing computing devices within an environment about the trustworthiness of other computing devices within the environment, so as to establish or maintain a trusted computing environment. In maintaining a trusted computing environment, the invention may enable a computing device to be sure of, and keep up to date with, the level of trustworthiness of other computing devices in the environment.
In one embodiment, the report contains an assessment of the trustworthiness that has been prepared by the reporting computing device itself. In another embodiment, the report provides information about the reporting computing device that is sufficient to allow the assessor to assess the trustworthiness of the reporting computing device. Preferably, the reporting computing device comprises a trusted component which evaluates the trustworthiness of the computing device and provides the report. The trusted component is preferably resistant to tampering and capable of applying a digital signature to the report to permit authentication of the report. The reporting computing device may be triggered to provide the report in response to a certain event or any one of a number of predetermined events. For example, the reporting computing device may be triggered to report by a request from an assessor for a trustworthiness report, or by being initialised or reset, or by the occurrence of an undesirable event (e.g. the computing device being compromised by a virus).
The assessor may, subsequent to receiving a trustworthiness report, update the trust policies of more than one computing device, one of which may be the computing device that provided the trustworthiness report.
A computing device in the context of the invention may be, for example, a computer or a peripheral (such as a scanner or printer) or other device having some data processing ability.
By way of example only, some embodiments of the invention will now be described by reference to the accompanying drawings in which:
The trusted computing environment 100 of
Each of the computing devices 112 to 118 comprises a trusted component and a memory 122 holding a policy. A policy allows a computing device to determine the level to which it trusts other computing devices sharing the environment.
As an example, a policy within a computing device may list the surrounding computing devices and specify the degree to which each of them is to be trusted. In order to set the degree of trust, a policy may specify that a particular computing device is to be interacted with for all purposes, for selected purposes only, or not at all.
As a further example, a policy within a computing device may specify a list of components (either software or hardware) that are untrusted. If a computing device containing such a policy finds one or more of these components in another computing device, then it can determine accordingly the degree to which it trusts that other computing device.
Each trusted component 120 is arranged, in a known manner, to assess the trustworthiness of the computing device with which it is associated, and to report its assessment to the assessor 110. The report may contain, for example, a decision made by the trusted component as to the trustworthiness of its host computing device, or the trusted component may simply audit its host so that the report lists the components of its host. Examples of trusted components, and of the monitoring of components or processes of a host, are found in the applicant's co-pending International Patent Applications as follows: Publication No. PCT/GB00/02004 entitled “Data Logging in Computing Platform” filed on 25 May 2000 and Publication No. PCT/GB00/00495 entitled “Protection of the Configuration of Modules in Computing Apparatus”, filed on 15 Feb. 2000, the contents of which are incorporated by reference.
The trusted component 120 can be arranged to be triggered to report by any of a number of events. For example, the report can be triggered by a request for a report received from the assessor 110, initialisation or resetting of the host computing device, or by some undesirable event (e.g. detection of the computing device being compromised by a known virus or the loading or addition of components unrecognised by the trusted component). Alternatively, the trusted component 120 can be arranged to make periodic reports to the assessor.
To maintain security, the trusted component 120 and the memory 122 holding the policy are incorporated in the corresponding computing device in such a manner that the trusted component 120 can perform its assessments on the computing device and yet the computing device is unable to modify the operation of the trusted component or the content of the policy. The memory 122 is arranged to accept updates to the policy that are certified by containing the digital signature of the assessor 110. Similarly, the trusted component is arranged to certify its outgoing reports with a digital signature which the assessor 110 can verify. The memory 122 containing the policy may be integrated with the trusted component 120.
As shown in
In the present embodiment, the assessor polls the trusted components within the computing devices 112 to 118 for trustworthiness reports. Consider the case where printer 118 has been contaminated by a virus. The report from this device alerts the assessor 110 to this fact, and the assessor 110 responds by transmitting updated policies to the computing devices 112 to 118. How far an updated policy curtails interaction between the computing device hosting it and the affected device 118 depends on the relationship between the two computing devices. In this example, the policy of device 116 is updated to reflect that it can only send urgent print requests to printer 118, and the policies of devices 112 and 114 are updated to reflect that they are not to interact with printer 118 or, due to the continuing potential for it to be compromised by printer 118, with computing device 116.
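The following is an added worked example, not part of the patent text, that runs the polling scenario above end to end: each trusted component returns an authenticated report against a nonce issued by the assessor, the assessor decides trustworthiness from the self-assessment and from an untrusted-component list (the two report styles and the two policy styles described earlier), derives per-device updates from a relationship table, and each device's policy memory accepts only updates authenticated by the assessor. Everything concrete is assumed: the device ids 112 to 118 and the "urgent print" dependency are taken from the example, but the keys, component names, the untrusted-component list, the `essential` table, the version counter and the nonce are constructed here. Per-device HMAC keys stand in for the digital signatures the text describes so that the block runs on the standard library alone.

```python
"""Assessor-driven trust policy updates, modelled on the polling scenario above.

Constructed example: ids, keys and the 'essential purposes' table are invented.
Per-device HMAC keys stand in for the digital signatures the text describes so
the block runs on the standard library alone; a deployment would use asymmetric
signatures (e.g. Ed25519) so that holding a verification key never lets one
device forge another device's report or the assessor's policy.
"""
import hashlib
import hmac
import json
import secrets

UNTRUSTED_COMPONENTS = {"driver-x.sys"}   # constructed, cf. the untrusted-component policy


def _mac(key, body):
    """Canonical JSON + HMAC-SHA256: stand-in for signing a report or policy."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def _signed(key, body):
    return {"body": body, "sig": _mac(key, body)}


class TrustedComponent:
    """Tamper-resistant part of a device: audits its host and authenticates the report."""
    def __init__(self, device, report_key, components, compromised=False):
        self.device, self.key = device, report_key
        self.components, self.compromised = list(components), compromised

    def report(self, nonce):
        return _signed(self.key, {"device": self.device, "nonce": nonce,
                                  "compromised": self.compromised,
                                  "components": self.components})


class PolicyMemory:
    """Policy store that accepts only assessor-authenticated, strictly newer updates."""
    def __init__(self, device, assessor_key, policy):
        self.device, self.key, self.version, self.policy = device, assessor_key, 0, dict(policy)

    def apply(self, update):
        body = update["body"]
        if not hmac.compare_digest(update["sig"], _mac(self.key, body)):
            return False                       # not from the assessor
        if body["device"] != self.device or body["version"] <= self.version:
            return False                       # misdirected or replayed update
        self.version, self.policy = body["version"], body["policy"]
        return True


class Assessor:
    def __init__(self, report_keys, policy_keys, essential):
        self.report_keys, self.policy_keys = report_keys, policy_keys
        self.essential = essential             # {device: {peer: [purposes that must survive]}}
        devs = list(report_keys)
        self.policies = {d: {p: {"level": "all"} for p in devs if p != d} for d in devs}
        self.version, self.pending = 0, {}

    def challenge(self, device):
        self.pending[device] = secrets.token_hex(16)   # fresh nonce per poll
        return self.pending[device]

    def assess(self, report):
        """True = trustworthy, False = compromised, None = report rejected."""
        body, dev = report["body"], report["body"]["device"]
        if dev not in self.report_keys or not hmac.compare_digest(
                report["sig"], _mac(self.report_keys[dev], body)):
            return None
        if body["nonce"] != self.pending.pop(dev, None):
            return None                        # stale or replayed report
        bad = body["compromised"] or bool(UNTRUSTED_COMPONENTS & set(body["components"]))
        return not bad

    def updates_for(self, bad):
        """Curtail contact with `bad`; isolate peers that must keep some contact with it."""
        exposed = {d for d in self.policies if d != bad and self.essential.get(d, {}).get(bad)}
        for dev, pol in self.policies.items():
            if dev == bad:
                continue
            if dev in exposed:
                pol[bad] = {"level": "selected", "purposes": self.essential[dev][bad]}
            else:
                pol[bad] = {"level": "none"}
                for peer in exposed:
                    pol[peer] = {"level": "none"}
        self.version += 1                      # one version per round of updates
        return {d: _signed(self.policy_keys[d], {"device": d, "version": self.version, "policy": p})
                for d, p in self.policies.items() if d != bad}


def run_scenario():
    """Printer 118 is compromised; the assessor polls and redistributes policies."""
    devs = ["112", "114", "116", "118"]
    rkeys = {d: secrets.token_bytes(32) for d in devs}
    pkeys = {d: secrets.token_bytes(32) for d in devs}
    assessor = Assessor(rkeys, pkeys, essential={"116": {"118": ["urgent print"]}})
    tcs = {d: TrustedComponent(d, rkeys[d], ["os", "print-spooler"]) for d in devs}
    tcs["118"].compromised = True              # the printer has picked up a virus
    mems = {d: PolicyMemory(d, pkeys[d], assessor.policies[d]) for d in devs}
    applied, updates = {}, {}
    for d in devs:                             # the assessor polls every trusted component
        if assessor.assess(tcs[d].report(assessor.challenge(d))) is False:
            updates = assessor.updates_for(d)
            applied = {t: mems[t].apply(u) for t, u in updates.items()}
    forged = _signed(pkeys["112"], {"device": "114", "version": 99, "policy": {}})
    old_nonce = assessor.challenge("112")
    assessor.challenge("112")                  # a newer poll supersedes old_nonce
    return {
        "policies": {d: mems[d].policy for d in devs},
        "applied": applied,
        "forgery_rejected": not mems["114"].apply(forged),        # 112's key is not the assessor's
        "replay_rejected": not mems["112"].apply(updates["112"]),  # same version presented again
        "stale_report_rejected": assessor.assess(tcs["112"].report(old_nonce)) is None,
    }
```

The relationship table is the part a practitioner has to supply: here a single entry says device 116 must keep "urgent print" access to 118, and the rule that anyone without such an entry also drops contact with the still-exposed peers reproduces the outcome described for 112, 114 and 116. The version counter on policies and the nonce on reports are not in the text; they are the checks you would want, since without them a captured permissive policy or a captured "healthy" report could be replayed after the compromise.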
Due to the invention, a trusted computing network or environment can be established or maintained without a computing device being required to directly challenge the trustworthiness of another device when it is required to communicate with that device.
Foreign application priority data:

Number | Date | Country | Kind |
---|---|---|---|
0104670.5 | Feb 2001 | GB | national |
U.S. patent documents cited:

Number | Name | Date | Kind |
---|---|---|---|
5032979 | Hecht et al. | Jul 1991 | A |
5144660 | Rose | Sep 1992 | A |
5283828 | Saunders et al. | Feb 1994 | A |
5341422 | Blackledge et al. | Aug 1994 | A |
5359659 | Rosenthal | Oct 1994 | A |
5361359 | Tajalli et al. | Nov 1994 | A |
5404532 | Allen et al. | Apr 1995 | A |
5421006 | Jablon et al. | May 1995 | A |
5440723 | Arnold et al. | Aug 1995 | A |
5448045 | Clark | Sep 1995 | A |
5491750 | Bellare et al. | Feb 1996 | A |
5511184 | Lin | Apr 1996 | A |
5572590 | Chess | Nov 1996 | A |
5619571 | Sandstrom et al. | Apr 1997 | A |
5701343 | Takashima et al. | Dec 1997 | A |
5706431 | Otto | Jan 1998 | A |
5774717 | Porcaro | Jun 1998 | A |
5809145 | Slik et al. | Sep 1998 | A |
5815702 | Kannan et al. | Sep 1998 | A |
5819261 | Takahashi et al. | Oct 1998 | A |
5841868 | Helbig, Sr. | Nov 1998 | A |
5841869 | Merkling et al. | Nov 1998 | A |
5844986 | Davis | Dec 1998 | A |
5890142 | Tanimura et al. | Mar 1999 | A |
5892900 | Ginter et al. | Apr 1999 | A |
5892902 | Clark | Apr 1999 | A |
5937159 | Meyers et al. | Aug 1999 | A |
5940513 | Aucsmith et al. | Aug 1999 | A |
5958016 | Chang et al. | Sep 1999 | A |
5966732 | Assaf | Oct 1999 | A |
6021510 | Nachenberg | Feb 2000 | A |
6038667 | Helbig | Mar 2000 | A |
6081894 | Mann | Jun 2000 | A |
6091956 | Hollenberg | Jul 2000 | A |
6098133 | Summers et al. | Aug 2000 | A |
6115819 | Anderson | Sep 2000 | A |
6253324 | Field et al. | Jun 2001 | B1 |
6253349 | Maeda et al. | Jun 2001 | B1 |
6266774 | Sampath et al. | Jul 2001 | B1 |
6289462 | McNabb et al. | Sep 2001 | B1 |
6327533 | Chou | Dec 2001 | B1 |
6327652 | England et al. | Dec 2001 | B1 |
6330670 | England et al. | Dec 2001 | B1 |
6374250 | Ajtai et al. | Apr 2002 | B2 |
6405318 | Rowland | Jun 2002 | B1 |
6414635 | Stewart et al. | Jul 2002 | B1 |
6507909 | Zurko et al. | Jan 2003 | B1 |
6510418 | Case et al. | Jan 2003 | B1 |
6529143 | Mikkola et al. | Mar 2003 | B2 |
6529728 | Pfeffer et al. | Mar 2003 | B1 |
6539425 | Stevens et al. | Mar 2003 | B1 |
6609199 | DeTreville | Aug 2003 | B1 |
6650902 | Richton | Nov 2003 | B1 |
6678827 | Rothermel et al. | Jan 2004 | B1 |
6678833 | Grawrock | Jan 2004 | B1 |
6694434 | McGee et al. | Feb 2004 | B1 |
6697944 | Jones et al. | Feb 2004 | B1 |
6716101 | Meadows et al. | Apr 2004 | B1 |
6757824 | England | Jun 2004 | B1 |
6772331 | Hind et al. | Aug 2004 | B1 |
6785015 | Smith et al. | Aug 2004 | B1 |
6799270 | Bull et al. | Sep 2004 | B1 |
6853988 | Dickinson et al. | Feb 2005 | B1 |
6868406 | Ogg et al. | Mar 2005 | B1 |
6889325 | Sipman et al. | May 2005 | B1 |
6948073 | England et al. | Sep 2005 | B2 |
20010037450 | Metlitski et al. | Nov 2001 | A1 |
20010051515 | Rygaard | Dec 2001 | A1 |
20020012432 | England et al. | Jan 2002 | A1 |
20020023212 | Proudler | Feb 2002 | A1 |
20020095454 | Reed et al. | Jul 2002 | A1 |
20020184488 | Amini et al. | Dec 2002 | A1 |
20030018892 | Tello | Jan 2003 | A1 |
20030037237 | Abgrall et al. | Feb 2003 | A1 |
Foreign patent documents cited:

Number | Date | Country |
---|---|---|
2187855 | Jun 1997 | CA |
0 304 033 | Feb 1989 | EP |
0 580 350 | Jan 1994 | EP |
0 825 511 | Feb 1998 | EP |
0 849 657 | Jun 1998 | EP |
0 465 016 | Dec 1998 | EP |
0 895 148 | Feb 1999 | EP |
1 030 237 | Aug 2000 | EP |
1 056 014 | Nov 2000 | EP |
2 336 918 | Nov 1999 | GB |
2 353 885 | Mar 2001 | GB |
2001-0016655 | Jan 2001 | JP |
9325024 | Dec 1993 | WO |
9411967 | May 1994 | WO |
9524696 | Sep 1995 | WO |
9527249 | Oct 1995 | WO |
9729416 | Aug 1997 | WO |
9826529 | Jun 1998 | WO |
9836517 | Aug 1998 | WO |
9840809 | Sep 1998 | WO |
9845778 | Oct 1998 | WO |
9527249 | Oct 1999 | WO |
0031644 | Jun 2000 | WO |
0048062 | Aug 2000 | WO |
0048063 | Aug 2000 | WO |
0054125 | Sep 2000 | WO |
0054126 | Sep 2000 | WO |
0073913 | Dec 2000 | WO |
0123980 | Apr 2001 | WO |
Related publication:

Number | Date | Country |
---|---|---|
20020119427 A1 | Aug 2002 | US |