Patent application number | Description | Published |
20080244725 | METHOD AND APPARATUS FOR MANAGING PACKET BUFFERS - According to one example embodiment of the inventive subject matter, there is described herein a method and apparatus for securely and efficiently managing packet buffers between protection domains on an Intra-partitioned system using packet queues and triggers. According to one embodiment described in more detail below, there is provided a method and apparatus for optimally transferring packet data across contexts (protected and unprotected) in a commodity operating system. | 10-02-2008 |
20080244758 | SYSTEMS AND METHODS FOR SECURE ASSOCIATION OF HARDWARD DEVICES - An apparatus to protect one or more hardware devices from unauthorized software access is described herein and comprises, in one embodiment, a virtual machine manager, a memory protection module and an integrity measurement manager. In a further embodiment, a method of providing secure access to one or more hardware devices may include, modifying a page table, verifying the integrity of a device driver, and providing memory protection to the device driver if the device driver is verified. | 10-02-2008 |
20090158409 | REMOTE CONFIGURATION, PROVISIONING AND/OR UPDATING IN A LAYER TWO AUTHENTICATION NETWORK - A device capable of remote configuration, provisioning and/or updating comprising a network detector capable of detecting a network regardless of the state of the operating system on the device, wherein the network requires layer two authentication, and an Embedded Trust Agent capable of generating an authentication credential for layer two authentication and communicating the authentication credential via a layer two authentication protocol without a functioning operating system. | 06-18-2009 |
20090328042 | DETECTION AND REPORTING OF VIRTUALIZATION MALWARE IN COMPUTER PROCESSOR ENVIRONMENTS - Methods and systems to detect virtualization of computer system resources, such as by malware, include methods and systems to evaluate information corresponding to a computer processor operating environment, outside of or secure from the operating environment, which may include one or more of a system management mode of operation and a management controller system. Information may include processor register values. Information may be obtained from within the operating environment, such as with a host application running within the operating environment. Information may be obtained outside of the operating environment, such as from a system state map. Information obtained from within the operating environment may be compared to corresponding information obtained outside of the operating environment. Direct memory address (DMA) translation information may be used to determine whether an operating environment is remapping DMA accesses. Page tables, interrupt tables, and segmentation tables may be used to reconstruct a view of linear memory corresponding to the operating environment, which may be scanned for malware or authorized code and data. | 12-31-2009 |
20100083381 | Hardware-based anti-virus scan service - A device, system, and method are disclosed. In an embodiment, the device includes a storage medium to store files. The device also includes a manageability engine. The manageability engine accesses a virus signature file. The manageability engine then performs an anti-virus scan using patterns in the signature file to compare to one or more of the files. The manageability engine then reports the results of the scan to an external agent. | 04-01-2010 |
20100161926 | Data protection by segmented storage - A device, method, and system are disclosed. In one embodiment the device includes logic to handle and protect data. Specifically, the device includes logic to segment data that can receive a data object that needs to be stored. The logic within the device can segment the data object into a plurality of data segments. A segmented portion of the data object is an incomprehensible portion the data object when viewed in the segmented format. The device can then send each of the data segments to a several different storage locations. | 06-24-2010 |
20100169967 | Apparatus and method for runtime integrity verification - In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a code block, and code which is executable by the processor-based system to cause the processor-based system to generate integrity information for the code block upon a restart of the processor-based system, securely store the integrity information, and validate the integrity of the code block during a runtime of the processor-based system using the securely stored integrity information. Other embodiments are disclosed and claimed. | 07-01-2010 |
20100250797 | PLATFORM BASED VERIFICATION OF CONTENTS OF INPUT-OUTPUT DEVICES - A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions. | 09-30-2010 |
20100262739 | IDENTIFIER ASSOCIATED WITH MEMORY LOCATIONS FOR MANAGING MEMORY ACCESSES - Embodiments of apparatuses, articles, methods, and systems for associating identifiers with memory locations for controlling memory accesses are generally described herein. Other embodiments may be described and claimed. | 10-14-2010 |
20100306177 | HOST OPERATING SYSTEM INDEPENDENT STORAGE-RELATED REMOTE ACCESS AND OPERATIONS - An embodiment may include circuitry that may be comprised in a host that may execute an operating system and/or in a server. The circuitry may generate, at least in part, and/or receive, at least in part, at least one request to initiate, at least in part, at least one operation at the host. The least one operation may facilitate, at least in part, examination remotely from the host of information stored at the host. The at least one operation may be performed independently from the operating system and also may be performed at least in part by the circuitry. The examination may facilitate, at least in part, remotely from the host, backup, recovery, and/or determination of corruption of mass storage data stored at the host. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment. | 12-02-2010 |
20100306399 | Method and apparatus for operating system streaming - A method and apparatus for traversing a firewall between an Intranet and the Internet without the use of a proxy server is provided. Internet Small Computer Systems Interface (iSCSI) streaming over a firewall is provided by tunneling iSCSI over Hypertext Transport Protocol (Security) (HTTP(S)). | 12-02-2010 |
20100325729 | DETERMINATION BY CIRCUITRY OF PRESENCE OF AUTHORIZED AND/OR MALICIOUS DATA - An embodiment may include circuitry that may be comprised in a host. The host may include memory and a host processor to execute an operating system. The circuitry may be to determine, independently of the operating system and the host processor, the authenticity of signature list information, based at least in part upon authentication information received by the circuitry from a remote server. The circuitry also may be to determine, independently of the operating system and the host processor, based at least in part upon comparison of at least one portion of the signature list information with at least one portion of contents of the memory, whether authorized and/or malicious data are present in the at least one portion of the contents of the memory. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment. | 12-23-2010 |
20100332744 | DATA RECOVERY AND OVERWRITE INDEPENDENT OF OPERATING SYSTEM - Methods and systems to access data in a computer system independent of an operating environment of the computer system, including to recover data to a remote system, to overwrite data, and to copy data to a hidden partition. A management system may directly access a storage device of the computer system and communicate with the remote system over a data channel that is secure from an operating environment of the computer system. The management system may access the storage device on a block basis, using a device driver associated with a storage device controller, and may include a virtualization engine to access the storage device. The remote system may include logic to request meta-data, to identify disk blocks corresponding to files of interest from the meta-data, and to construct the files of interest from the disk blocks. | 12-30-2010 |
20110078791 | Using chipset-based protected firmware for host software tamper detection and protection - A method, system, and computer program product for a host software tamper detection and protection service. A secure partition that is isolated from a host operating system of the host system, which may be implemented by firmware of a chipset of the host system, obtains file metadata from the host system and uses the file metadata to identify a first file for examination for tampering. The secure partition obtains data blocks for the first file, communicates with a service via an out-of-band communication channel, and uses information obtained from the service and the data blocks to determine whether the first file has been corrupted. The secure partition obtains the file metadata and the data blocks for the first file without invoking an operating system or file system of the host system. | 03-31-2011 |
20110078799 | Computer system and method with anti-malware - In some embodiments, approaches may provide an out-of-band (OOB) agent to protect a platform. The OOB agent may be able to use non-TRS methods to measure and protect an in-band security agent. In some embodiments, a manageability engine can provide out of band connectivity to the in-band and out-of-band security agents and provide access to the system memory resources without having to rely on OS services. This can be used for a trusted anti-malware and remediation service. | 03-31-2011 |
20110107355 | SYSTEMS AND METHODS FOR SECURE HOST RESOURCE MANAGEMENT - Systems and methods are described herein to provide for secure host resource management on a computing device. Other embodiments include apparatus and system for management of one or more host device drivers from an isolated execution environment. Further embodiments include methods for querying and receiving event data from manageable resources on a host device. Further embodiments include data structures for the reporting of event data from one or more host device drivers to one or more capability modules. | 05-05-2011 |
20110107423 | PROVIDING AUTHENTICATED ANTI-VIRUS AGENTS A DIRECT ACCESS TO SCAN MEMORY - A computer platform may support anti-virus agents that may be provided access to directly scan the memory. The computer platform may comprise a platform control hub, which may comprise a manageability engine and a virtualizer engine, wherein the manageability engine may allow the anti-virus agents to be downloaded to a platform hardware space that is isolated from an operating system. The manageability engine may authenticate the anti-virus agents and provide an access for the anti-virus agents to directly scan a memory or a storage device coupled to the platform hardware. | 05-05-2011 |
20110131447 | Automated modular and secure boot firmware update - A method, apparatus, system, and computer program product for an automated modular and secure boot firmware update. An updated boot firmware code module is received in a secure partition of a system, the updated boot firmware code module to replace one original boot firmware code module for the system. Only the one original boot firmware code module is automatically replaced with the updated boot firmware code module. The updated boot firmware code module is automatically executed with the plurality of boot firmware code modules for the system and without user intervention when the system is next booted. The updated boot firmware code module may be written to an update partition of a firmware volume, wherein the update partition of the firmware volume is read along with another partition of the firmware volume containing the plurality of boot firmware code modules when the system is booted. | 06-02-2011 |
20110145558 | Virtual Bus Device Using Management Engine - A management engine may be used to trap configuration cycles during the boot process and thereafter in response to operating system enumeration. As a result, a virtual bus device can be created. The bus device may be used to provision software to the platform even when the operating system is corrupted or non-functional. | 06-16-2011 |
20110153725 | SECURE OUT-OF-BAND STORAGE CONTROL - Embodiments of the present disclosure provide methods and computing devices configured to establish secure out-of-band storage control. In various embodiments, a management module in a client device may be used to communicate with a server device independent of an operating system of the client device, to facilitate remote storage services. Other embodiments may be disclosed and claimed. | 06-23-2011 |
20110154316 | Providing Software Distribution and Update Services Regardless of the State or Physical Location of an End Point Machine - In accordance with some embodiments, software may be downloaded to an end point, even when that said end point is not fully functional. An indication that software is available for distribution may be stored in a dedicated location within a non-volatile memory. That location may be checked for software to download, for example, on each boot up. The software may then be downloaded and verified. Thereafter, the location is marked to indicate that the software has already been downloaded. | 06-23-2011 |
20110161551 | VIRTUAL AND HIDDEN SERVICE PARTITION AND DYNAMIC ENHANCED THIRD PARTY DATA STORE - A system reserves and manages a hidden service partition through components of the hardware platform of a computing device. The hidden partition is not accessible by way of a host operating system on the computing device. A hardware platform controller provisions a portion of nonvolatile storage through configuration settings of the hardware platform controller. When the host system requests settings related to storage in the system, the request is routed through the interfaces of the hardware platform, and the hardware platform controller reports in accordance with the configuration settings, hiding the service partition. The hidden partition is dynamically modifiable through secure remote access to the hardware platform controller, not through the host system such as operating system or BIOS. | 06-30-2011 |
20110289306 | METHOD AND APPARATUS FOR SECURE SCAN OF DATA STORAGE DEVICE FROM REMOTE SERVER - A method and device for providing a secure scan of a data storage device from a remote server are disclosed. In some embodiments, a computing device may include an in-band processor configured to execute an operating system and at least one host driver, communication circuitry configured to communicate with a remote server, and an out-of-band (OOB) processor capable of communicating with the remote server using the communication circuitry irrespective of the state of the operating system. The OOB processor may be configured to receive a block read request from the remote server, instruct the at least one host driver to send a storage command to a data storage device, receive data retrieved from the data storage device and authentication metadata generated by the data storage device, and transmit the data and the authentication metadata to the remote server. | 11-24-2011 |
20120017011 | OUT-OF-BAND ACCESS TO STORAGE DEVICES THROUGH PORT-SHARING HARDWARE - A method, apparatus, system, and computer program product for enabling out-of-band access to storage devices through port-sharing hardware. Providing out-of-band access to storage devices enables system management functions to be performed when an operating system is non-functional as well as when the operating system is active. Storage commands originating with a management service can be interleaved with storage commands issued by the host operating system. The host operating system maintains ownership and control over its storage devices, but management activities can be performed while the host operating system is operational. | 01-19-2012 |
20120117348 | TECHNIQUES FOR SECURITY MANAGEMENT PROVISIONING AT A DATA STORAGE DEVICE - Techniques for a data storage device to locally implement security management functionality. In an embodiment, a security management process of the data storage device is to determine whether an access to non-volatile media of the data storage device is authorized. In certain embodiments, the data storage device is to restrict access to a secure region of the non-volatile storage media, the secure region to store information used and/or generated by a security management process of the data storage device. | 05-10-2012 |
20120131345 | SECURE SOFTWARE LICENSING AND PROVISIONING USING HARDWARE BASED SECURITY ENGINE - Provisioning a license and an application program from a first server to a computing platform over a network. The host application derives a symmetric key at least in part from a user password, and sends the license to a license management firmware component of a security engine, in a message signed by the symmetric key. The license management firmware component derives the symmetric key at least in part from the user password stored in a secure storage of the security engine, verifies the signature on the message using the symmetric key, verifies the first server's signature on the license, decrypts the license using a first private key of the license management firmware component corresponding to the first public key to obtain the second key, and sends the second key to the host application, which decrypts the application program using the second key. | 05-24-2012 |
20120159137 | SECURE LOCAL BOOT USING THIRD PARTY DATA STORE (3PDS) BASED ISO IMAGE - In some embodiments, the invention involves a method and apparatus for secure/authenticated local boot of a host operating system on a computing platform using active management technology (AMT) with a third party data store (3PDS)-based ISO firmware image. A portion of non-volatile memory is hardware secured against access by the host processor and OS, and accessible only to the AMT. The AMT comprises an AT/ATAPI protocol emulator to access an ISO boot image from secured memory, while appearing to the host processor as a communication with an AT/ATAPI device. Other embodiments are described and claimed. | 06-21-2012 |
20120226903 | SECURE PLATFORM VOUCHER SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Apparatuses, articles, methods, and systems for secure platform voucher service for software within an execution environment. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by authenticated, authorized and verified software components. A provisioning remote entity or gateway only needs to know a platform's public key or certificate hierarchy to receive verification for any component. The verification or voucher helps assure to the remote entity that no malware running in the platform or on the network will have access to provisioned material. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the software component. | 09-06-2012 |
20130080764 | Secure Remote Credential Provisioning - An embodiment uses hardware secrets secured within a security engine to provide a secure solution for field key provisioning. An embodiment is operating system independent due to the out-of-band communications with the security engine. Secrets need not be provisioned during manufacturing time. An embodiment may ensure only security engine specific provisioned secrets are used at runtime. Other embodiments are addressed herein. | 03-28-2013 |
20130275769 | METHOD, DEVICE, AND SYSTEM FOR PROTECTING AND SECURELY DELIVERING MEDIA CONTENT - A method, device, and system for protecting and securely delivering media content includes configuring a memory controller of a system-on-a-chip (SOC) to establish a protected memory region, authenticating a firmware of a hardware peripheral using a security engine of the SOC, and storing the authenticated firmware in the protected memory region. The security engine may authenticate the firmware by authenticating a peripheral cryptographic key used to encrypt the firmware. Only authenticated hardware peripherals may access the protected memory region. | 10-17-2013 |
20130276146 | METHOD AND APPARATUS TO USING STORAGE DEVICES TO IMPLEMENT DIGITAL RIGHTS MANAGEMENT PROTECTION - Embodiments of systems, apparatuses, and methods to securely download digital rights managed content with a client are described. In some embodiments, a system establishes a secure root of trust for the client. In addition, the system establishes a secure tunnel between an agent of the client and a storage system of the client. Furthermore, the system securely downloads the digital rights managed content to the storage system via the secure tunnel and securely provides the digital rights managed content from the storage system to a display. | 10-17-2013 |
20130283383 | PLATFORM BASED VERIFICATION OF CONTENTS OF INPUT-OUTPUT DEVICES - A platform to support verification of the contents of an input-output device. The platform includes a platform hardware, which may verify the contents of the I/O device. The platform hardware may comprise components such as manageability engine and verification engine that are used to verify the contents of the I/O device even before the contents of the I/O device are exposed to an operating system supported by a host. The platform components may delete the infected portions of the contents of I/O device if the verification process indicates that the contents of the I/O device include the infected portions. | 10-24-2013 |
20130304986 | SYSTEMS AND METHODS FOR SECURE HOST RESOURCE MANAGEMENT - Systems and methods are described herein to provide for secure host resource management on a computing device. Other embodiments include apparatus and system for management of one or more host device drivers from an isolated execution environment. Further embodiments include methods for querying and receiving event data from manageable resources on a host device. Further embodiments include data structures for the reporting of event data from one or more host device drivers to one or more capability modules. | 11-14-2013 |
20130339496 | ENTERPRISE DEVICE CONFIGURATION SYSTEM - The present disclosure generally relates to a system and method for enterprise device customization. An example system may comprise an enterprise customization service and a device. The enterprise customization service may be configured to provide at least one of configuration or software to the device based on enterprise customization data. The device may include at least an enterprise customization application and the enterprise customization data. The enterprise customization application may be configured to cause the enterprise customization service to at least one of configure the device or to download software to the device based on the enterprise customization data. | 12-19-2013 |
20140047230 | COMPUTING DEVICE AND METHOD FOR WIRELESS REMOTE BOOT IN A NETWORKED ENVIRONMENT - In some embodiments, a secure authenticated remote boot of computing device over a wireless network is performed in a pre-boot execution environment (PXE) using active management technology (AMT) for remote discovery. In these embodiments, a management engine (ME) may maintain full control of a wireless interface and a wireless connection as booting begins. The ME may relinquish control of the wireless interface after a PXE timeout, in response to a shutdown command, or once the device has booted. The ME controls the use of an operating system received from a remote location. | 02-13-2014 |
20140047428 | AUTOMATED MODULAR AND SECURE BOOT FIRMWARE UPDATE - A method, apparatus, system, and computer program product for an automated modular and secure boot firmware update. An updated boot firmware code module is received in a secure partition of a system, the updated boot firmware code module to replace one original boot firmware code module for the system. Only the one original boot firmware code module is automatically replaced with the updated boot firmware code module. The updated boot firmware code module is automatically executed with the plurality of boot firmware code modules for the system and without user intervention when the system is next booted. The updated boot firmware code module may be written to an update partition of a firmware volume, wherein the update partition of the firmware volume is read along with another partition of the firmware volume containing the plurality of boot firmware code modules when the system is booted. | 02-13-2014 |
20140122895 | Providing Security Support for Digital Rights Management in Different Formats - In accordance with some embodiments, technologies may be provided that is adaptable to any existing and potentially future digital rights management application. Thus, it is not necessary to provide duplicate systems to handle disparate digital rights formats in some embodiments. | 05-01-2014 |
20140129827 | Implementation of robust and secure content protection in a system-on-a-chip apparatus - A content processing integrated circuit includes a system-on-a-chip (SoC) that further includes a processor to receive an authentication request from an external device for authenticating if the SoC is permitted to receive encrypted content from the external device, and to receive the encrypted content once the SoC is authenticated. An authentication processor is provided and coupled to the processor to authenticate the SoC to the external device when the processor receives the authentication request, and to generate a decryption key for decrypting the encrypted content. A decryption processor is provided and coupled to the processor and the authentication processor to receive the decryption key from the authentication processor and to decrypt the encrypted content with the decryption key. A wireless display system with such SoC is also described. A method of implementing a secure and robust content protection in a SoC is also described. | 05-08-2014 |
20140181504 | SECURE PROVISIONING OF COMPUTING DEVICES FOR ENTERPRISE CONNECTIVITY - Technologies for securely provisioning a personal computing device for enterprise connectivity includes a trusted computing device for wirelessly communicating with the personal computing device, generating a key pair for the personal computing device, generating a certificate signing request, sending the certificate signing request on behalf of the personal computing device, receiving an access certificate for enterprise connectivity, and securely exporting the access certificate and a private key of the key pair to the personal computing device. | 06-26-2014 |
20140189853 | CONTENT PROTECTION KEY MANAGEMENT - This disclosure is directed to content protection key management. In general, devices may include secure processing resources configured to derive content keys (e.g., for use in decrypting secure content) using key ladders. In one embodiment, a device may comprise, for example, at least a secure processing module to derive content keys for use in decrypting secure content. The secure processing module may include, for example, a key ladder storage module and a secure key storage module. The key ladder storage module may be to store at least one key ladder for use in deriving at least one content key. The secure key storage module may be to store the at least one content key derived using the key ladder. | 07-03-2014 |
20140281468 | Virtual Bus Device Using Management Engine - A management engine may be used to trap configuration cycles during the boot process and thereafter in response to operating system enumeration. As a result, a virtual bus device can be created. The bus device may be used to provision software to the platform even when the operating system is corrupted or non-functional. | 09-18-2014 |
20150039890 | METHOD AND DEVICE FOR SECURE COMMUNICATIONS OVER A NETWORK USING A HARDWARE SECURITY ENGINE - A method, device, and system for establishing a secure communication session with a server includes initiating a request for a secure communication session, such as a Secure Sockets Layer (SLL) communication session with a server using a nonce value generated in a security engine of a system-on-a-chip (SOC) of a client device. Additionally, a cryptographic key exchange is performed between the client and the server to generate a symmetric session key, which is stored in a secure storage of the security engine. The cryptographic key exchange may be, for example, a Rivest-Shamir-Adleman (RSA) key exchange or a Diffie-Hellman key exchange. Private keys and other data generated during the cryptographic key exchange may be generated and/or stored in the security engine. | 02-05-2015 |
20150057839 | CONFIGURING USER CUSTOMIZABLE OPERATIONAL FEATURES OF A VEHICLE - Embodiments of apparatus and methods for configuring user customizable operational features of a vehicle are described. In embodiments, an apparatus may include a communication module configured to be disposed in the vehicle, and communicate with a mobile device a user. The apparatus may further include a controller configured to be disposed in the vehicle and coupled with the communication module, to obtain from the mobile device, one or more preferences of the user for one or more user customizable features of the vehicle, and adjust the one or more user customizable operational features of the vehicle based at least in part on the one or more preferences of the user obtained. Other embodiments may be described and/or claimed. | 02-26-2015 |
20150074419 | SECURE VAULT SERVICE FOR SOFTWARE COMPONENTS WITHIN AN EXECUTION ENVIRONMENT - Embodiments of apparatuses, articles, methods, and systems for secure vault service for software components within an execution environment are generally described herein. An embodiment includes the ability for a Virtual Machine Monitor, Operating System Monitor, or other underlying platform capability to restrict memory regions for access only by specifically authenticated, authorized and verified software components, even when part of an otherwise compromised operating system environment. The underlying platform to lock and unlock secrets on behalf of the authenticated/authorized/verified software component provided in protected memory regions only accessible to the authenticated/authorized/verified software component. Other embodiments may be described and claimed. | 03-12-2015 |