Customizable and dynamically mutable operating systems

US11941109B2 · US · B2

Patent metadata

Publication number: US-11941109-B2
Application number: US-202117645438-A
Country: US
Kind code: B2
Filing date: Dec 21, 2021
Priority date: Dec 21, 2021
Publication date: Mar 26, 2024
Grant date: Mar 26, 2024

Abstract

Official abstract text for this publication.

Described herein are methods, systems, and computer-readable storage media for generation of a secure and dynamically mutable operating system. Techniques include receiving a request to execute an application causing instantiation of an operating system by identifying one or more needed modules that include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application. Techniques may further include assigning a separate memory space with a separate virtual address for each of the one or more modules, generating a unique cryptographic key for each of the one or more modules, storing each virtual address and corresponding unique cryptographic key together. Further the operating system generation system encrypts each of the one or more modules using their corresponding unique cryptographic key.

First claim

Opening claim text (preview).

What is claimed is:

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for generation of a secure and dynamically mutable operating system, the operations comprising: receiving a request to execute an application; instantiating an operating system for execution of the application, wherein the operating system instantiation includes identifying one or more modules needed to execute the application, wherein the identified one or more modules include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application; assigning a separate memory space for each of the one or more modules, wherein each separate memory space is assigned a separate virtual address; generating a unique cryptographic key for each of the one or more modules; storing each virtual address and corresponding unique cryptographic key together; and encrypting each of the one or more modules using their corresponding unique cryptographic key.

2. The non-transitory computer readable medium of claim 1, wherein the one or more operating system service modules can be unplugged within a threshold period.

3. The non-transitory computer readable medium of claim 1, wherein instantiating the operating system for execution of the application further comprises executing each of the one or more modules as separate processes.

4. The non-transitory computer readable medium of claim 1, wherein identifying the one or more modules needed to execute the application further comprises: identifying an operating system functionality required by the application; and generating a bundle for the identified operating system functionality.

5. The non-transitory computer readable medium of claim 3, wherein generating the bundle for the identified operating system functionality comprises generating the bundle on a just-in-time basis.

6. The non-transitory computer readable medium of claim 1, wherein the core kernel modules include default modules included in the instantiated operating system.

7. The non-transitory computer readable medium of claim 1, wherein the receipt of the request to execute the application includes a request to store updates to the application.

8. The non-transitory computer readable medium of claim 1, wherein the identification of the one or more modules needed for execution of the application is based on a confidence score.

9. The non-transitory computer readable medium of claim 1, wherein the core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application are dynamically plugged-in or unplugged based on an impact to performance of the operating system upon inclusion of the identified one or more modules.

10. The non-transitory computer readable medium of claim 1, wherein the core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application are dynamically plugged-in or unplugged based on an impact to security of the operating system upon inclusion of the identified one or more modules.

11. The non-transitory computer readable medium of claim 1, wherein an operating system service module of the operating system service modules auto-terminates.

12. The non-transitory computer readable medium of claim 1, wherein storing each virtual address and corresponding unique cryptographic key together further comprises storing the unique cryptographic key in association with the core kernel modules of the operating system.

13. The non-transitory computer readable medium of claim 1, wherein the operations further comprise: monitoring capabilities accessed by the executing application; determining accessed capabilities not identified during instantiation of the operating system, wherein the determined capabilities are determined based on the identified one or more modules of the operating system; analyzing the determined capabilities accessed by the executing application; and mitigating the determined capabilities, wherein the mitigation is based on the analysis of the determined capabilities.

14. A computer-implemented method for generation of a secure and dynamically mutable operating system, the method comprising: receiving a request to execute an application; instantiating an operating system for execution of the application wherein the operating system instantiation includes identifying one or more modules needed to execute the application, wherein the identified one or more modules include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application; assigning a separate memory space for each of the one or more modules, wherein each separate memory space is assigned a separate virtual address; generating a unique cryptographic key for each of the one or more modules; storing each virtual address and corresponding unique cryptographic key together; and encrypting each of the one or more modules using their corresponding unique cryptographic key.

15. The method of claim 14, wherein the one or more operating system service modules can be unplugged within a threshold period.

16. The method of claim 14, wherein instantiating the operating system for execution of the application further comprises executing each of the one or more modules as separate processes.

17. The method of claim 14, wherein identifying the one or more modules needed to execute the application further comprises: identifying an operating system functionality required by the application; and generating a bundle for the identified operating system functionality.

18. The method of claim 14, wherein generating the bundle for the identified operating system functionality comprises generating the bundle on a just-in-time basis.

19. The method of claim 14, further comprising: monitoring capabilities accessed by the executing application; determining accessed capabilities not identified during instantiation of the operating system, wherein the determined capabilities are determined based on the identified one or more modules of the operating system; analyzing the determined capabilities accessed by the executing application; and mitigating the determined capabilities, wherein the mitigation is based on the analysis of the determined capabilities.

20. A secure and dynamic operating system generation system, comprising: one or more memory devices storing processor-executable instructions; and one or more processors configured to execute the instructions to cause the secure and dynamic operating system generation system to perform operations comprising: receiving a request to execute an application; instantiating an operating system for execution of the application, wherein the operating system instantiation includes identifying one or more modules needed to execute the application, wherein the identified one or more modules include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application; assigning a separate memory space for each of the one or more modules, wherein each separate memory space is assigned a separate virtual address; generating a unique cryptographic key for each of the one or more modules; storing each virtual address and corre

Classifications

  • G06F21/53 (Primary): by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • Loading of operating system

  • Generation of secret information including derivation or calculation of cryptographic keys or passwords

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

  • Test or assess a computer or a system

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11941109B2 cover?
Described herein are methods, systems, and computer-readable storage media for generation of a secure and dynamically mutable operating system. Techniques include receiving a request to execute an application causing instantiation of an operating system by identifying one or more needed modules that include core kernel modules and operating system service modules that are dynamically plugged-in…

Who is the assignee on this patent?
Cyberark Software Ltd

What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.

When was this patent published?
Publication date Mar 26, 2024 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).