Trusted execution environment extensible computing device interface

US10097513B2 · US · B2

Patent metadata
Publication number: US-10097513-B2
Application number: US-201414485737-A
Country: US
Kind code: B2
Filing date: Sep 14, 2014
Priority date: Sep 14, 2014
Publication date: Oct 9, 2018
Grant date: Oct 9, 2018

Abstract

Official abstract text for this publication.

Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE. The TrEE driver can include a standard interface and/or mechanism by which applications/services and drivers within a first environment can access secure applications/services in the TrEE, a standard interface and/or mechanism by which third-party vendors can expose their TrEE applications/services to a first environment, a standard interface and/or mechanism by which a TrEE can request applications/services, on its own behalf, from the first environment, and a standard interface and/or mechanism to facilitate the management of secure application/services and/or provide I/O prioritization and security protection for individual secure applications/services.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising:

    providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces specifically configured to communicate with an associated application or service within a third party environment in a format specific to the associated application or service, and the non-extensible interface providing a single extension point for a plurality of applications or services in a client environment to communicate with third party applications or services in the third party environment;

    identifying a priority of the plurality of applications or services to be executed within the client environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;

    receiving from the first application or first service among the plurality of applications or services within the client environment, via the non-extensible interface, a first request to establish a first communication with a second application or second service within the third party environment, the first request includes a first message in a first format, and wherein the first application or first service has a first security policy and the second application or second service has a second security policy that is different from the first security policy;

    receiving from the background application or background service among the plurality of applications or services within the client environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the third party environment, wherein the second request includes a second message;

    selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the third party environment;

    selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the third party environment;

    modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;

    establishing, via the first extensible interface, the first communication between the first application or first service and the second application or second service;

    establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;

    transmitting, via the first communication, the second format of the first message to the second application or second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and

    transmitting and receiving data between the first application or first service and the second application or second service.

2. The method of claim 1, wherein the third party environment comprises at least one of an operating system, a hypervisor layer, or firmware.

3. The method of claim 1, further comprising:

    identifying an Access Control List (ACL) associated with the third party environment, the ACL including ACL permissions;

    verifying, by the ACL, that the first application or first service is permitted to access the second application or second service, wherein establishing the communication between the first application or first service and the second application or second service is further based on the ACL permissions.

4. The method of claim 3, wherein the ACL includes at least one security policy associated with an individual application or service within the third party environment.

5. A computer-readable storage device having computer-executable instructions thereon that, upon execution, configure a computer to perform operations comprising:

    providing an interface platform including a non-extensible interface and a plurality of extensible interfaces, each of the plurality of extensible interfaces operable to communicate with an associated application or service in a first environment in a specific message format, and the non-extensible interface providing a single extension point for a plurality of applications or services in a second environment to communicate with third party applications or services in the first environment;

    identifying a priority of the plurality of applications or services to be executed within the second environment, wherein the plurality of applications or services includes a first application or a first service having a higher priority than a background application or background service;

    receiving, via the non-extensible interface, a first request from the first application or first service among the plurality of applications or services within the second environment to establish a first communication with a second application or second service within the first environment, the first request includes a first message in a first format, and wherein the first environment has a first security policy and the second environment has a second security policy that is different from the first security policy;

    receiving from the background application or background service among the plurality of applications or services within the second environment, via the non-extensible interface, a second request to establish a second communication with a third application or third service within the first environment, wherein the second request includes a second message;

    selecting, from the plurality of extensible interfaces, a first extensible interface being associated with the second application or second service within the first environment;

    selecting, from the plurality of extensible interfaces, a second extensible interface being associated with the third application or third service within the first environment;

    modifying, by the first extensible interface, the first format of the first message to a second format of the first message, based at least in part on the first security policy and the second security policy;

    establishing, via the first extensible, the first communication between the first application or the first service and the second application or the second service;

    establishing, via the second extensible interface, the second communication between the background application or background service and the third application or third service;

    transmitting, via the first communication, the second format of the first message to the second application or the second service prior to transmitting, via the second communication, the second message to the third application or third service in response to the first application or the first service having the higher priority than the background application or background service; and

    transmitting and receiving data between the first application or first service and the second application or second service, in response to establishing the first communication.

6. The computer-readable storage device of claim 5, wherein the first security policy is a higher level security policy than the second security policy.

7. The computer-readable storage device as claim 5, wherein the first or second message comprises a request to access a resource in the first environment, the resource including at least one of an application, a storage facility, or a service.

8. The method of claim 1, wherein the first extensible in

Classifications

  • for managing network security; network security policies in general (filtering policies H04L63/0227)

  • G06F21/53 (Primary): by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • Access control lists [ACL]

  • H04L63/00 (Primary): Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10097513B2 cover?
Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE. The TrEE driver can include a st…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 9, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).