Flexible instruction sets for obfuscated virtual machines
US-2016253189-A1 · Sep 1, 2016 · US
US9760736B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9760736-B2 |
| Application number | US-201514868572-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 29, 2015 |
| Priority date | Sep 29, 2015 |
| Publication date | Sep 12, 2017 |
| Grant date | Sep 12, 2017 |
Official abstract text for this publication.
A cloud deployment system is used for obfuscating CPU operation codes in a set of machines operating in a distributed computing environment. A reprogrammable microcode replaces a hardware instruction set, the microcode layer containing a set of original operation codes. A first transform of the set of original operation codes produces a first set of transformed operation codes. A first transformed microcode is created which incorporates the first set of transformed operation codes instead of the original operation codes. An operating system and an application are compiled using the first set of transformed operation codes to produce a first cross compiled operating system and application. The first transformed microcode, the first cross compiled operating system and application are deployed to a respective first one of the set of machines, the first one of the machines equipped with a softcore processor.
Opening claim text (preview).
The invention claimed is:

1. A method for obfuscating CPU operation codes in a set of machines operating in a distributed computing environment comprising: providing a reprogrammable microcode layer to replace a hardware instruction set, the reprogrammable microcode layer containing a set of original operation codes; generating a first transform of the set of original operation codes producing a first set of transformed operation codes; generating a first transformed microcode which incorporates the first set of transformed operation codes instead of the original operation codes; compiling an operating system and an application using the first set of transformed operation codes to produce a first cross compiled operating system and application; deploying the first transformed microcode, the first cross compiled operating system and application to a respective first one of the set of machines, the first one of the machines equipped with a softcore processor; generating a second transform of the set of operation codes producing a second set of transformed operation codes and a second transformed microcode which incorporates the second set of transformed operation codes instead of the original operation codes; compiling an operating system and an application using the second set of transformed operation codes to produce a second cross compiled operating system and application; deploying the second transformed microcode, the second cross compiled operating system and application to a respective second one of the set of machines, the second one of the machines equipped with a softcore processor; and wherein the generating, compiling and deploying are repeated on a periodic basis, each cycle using a new set of transformed operation codes.

2. The method as recited in claim 1 further comprising: in response to an event, generating a third transform of the set of operation codes producing a third set of transformed operation codes and a third transformed microcode which incorporates the third set of transformed operation codes instead of the original operation codes; compiling an operating system and an application using the third set of transformed compiler files to produce a third cross compiled operating system and application; and deploying third transformed microcode, the third cross compiled operating system and application to the respective first one of the set of machines.

3. The method as recited in claim 1, wherein the first microcode has been hardened by one or more techniques selected from the group consisting of providing multiple, alternate encodings in the transformed operation codes for a first operation code in the original operation codes, providing multiple No Operation operation codes in the transformed operation codes, and providing multiple Branch Relative operation codes in the transformed operation codes.

4. The method as recited in claim 1, wherein the set of machines is operating in a cloud environment and the set of machines is grouped into a first and a second subsets of machines each having a plurality of machines, wherein the deploying is repeated for each machine in the first and the second subsets, wherein the first transformed microcode, the first cross compiled operating system and application are deployed to the first subset of machines and wherein the second transformed microcode, the second cross compiled operating system and application are deployed to the second subset of machines.

5. The method as recited in claim 2, wherein the event is selected from the group of a detected intrusion, a successful intrusion or an expiration of a predetermined period of time from a last deployment of a transformed microcode, a cross compiled operating system and application.

6. The method as recited in claim 1, wherein the generating, compiling and deploying are repeated on a more frequent periodic basis for a set of critical machines than for a set of noncritical machines.

7. Apparatus, comprising: a set of machines including a first machine with a first processor and a first computer memory; the first computer memory holding computer program instructions executed by the first processor to deploy system images to others of the set of machines, the computer program instructions comprising: program code, operative for providing a reprogrammable microcode layer to replace a hardware instruction set, the reprogrammable microcode layer containing a set of original operation codes; program code, operative for generating a first transform of the set of original operation codes producing a first set of transformed operation codes; program code, operative for generating a first transformed microcode which incorporates the first set of transformed operation codes instead of the original operation codes; program code, operative for compiling an operating system and an application using the first set of transformed operation codes to produce a first cross compiled operating system and application; program code, operative for deploying a system image including the first transformed microcode, the first cross compiled operating system and application to a respective first one of the set of machines, the first one of the machines equipped with a softcore processor; program code, operative for generating a second transform of the set of operation codes producing a second set of transformed operation codes and a second transformed microcode which incorporates the second set of transformed operation codes instead of the original operation codes; program code, operative for compiling an operating system and an application using the second set of transformed operation codes to produce a second cross compiled operating system and application; program code, operative for deploying the second transformed microcode, the second cross compiled operating system and application to a respective second one of the set of machines, the second one of the machines equipped with a softcore processor; and wherein the program code for generating, compiling and deploying when executed are executed on a periodic basis, each cycle using a new set of transformed operation codes.

8. The apparatus as recited in claim 7 further comprising: program code, operative in response to an event for generating a third transform of the set of operation codes producing a third set of transformed operation codes and a third transformed microcode which incorporates the third set of transformed operation codes instead of the original operation codes; program code, operative for compiling an operating system and an application using the third set of transformed compiler files to produce a third cross compiled operating system and application; and program code, operative for deploying third transformed microcode, the third cross compiled operating system and application to the respective second one of the set of machines.

9. The apparatus as recited in claim 7, wherein the first microcode has been hardened by one or more techniques selected from the group consisting of providing multiple, alternate encodings in the transformed operation codes for a first operation code in the original operation codes, providing multiple No Operation operation codes in the transformed operation codes, and providing multiple Branch Relative operation codes in the transformed operation codes.

10. The apparatus as recited in claim 7, wherein the set of machines comprises a plurality of machines operating in a cloud environment and the set of machines is grouped into a first and a second subsets of machines each having a plurality of machines, wherein the deploying is repeated for each machine in the first and the second subsets, wherein the first tr
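The cycle claimed above (transform the opcode set, build a matching microcode, cross-compile the program for it, deploy, and repeat with a fresh transform) as a toy model written for this page; it is not the patent's own code. The 4-bit opcode space, the stack-machine mnemonics and the sample program are constructed, and the keyed permutation plus the spare values handed to NOP stand in for the transform and the claim 3 hardening.

```python
import random

# Reference instruction set (constructed sample): mnemonic -> original 4-bit opcode.
ORIGINAL_OPCODES = {"PUSH": 0x1, "ADD": 0x2, "MUL": 0x3, "NOP": 0x4, "HALT": 0x5}
PROGRAM = ["PUSH", 6, "PUSH", 7, "MUL", "NOP", "PUSH", 1, "ADD", "HALT"]  # 6*7+1 = 43

def transform_opcodes(seed, nop_aliases=3):
    """Claim 1 'transform': permute the 16-value opcode space with a keyed RNG.
    Claim 3 hardening: hand several spare values to NOP as alternate encodings.
    Returns (mnemonic -> new opcode, transformed microcode: opcode -> handler)."""
    rng = random.Random(seed)
    free = list(range(16))
    rng.shuffle(free)
    table = {m: free.pop() for m in ORIGINAL_OPCODES}
    microcode = {code: m for m, code in table.items()}
    for _ in range(nop_aliases):
        microcode[free.pop()] = "NOP"      # the 8 values never assigned stay illegal
    return table, microcode

def cross_compile(source, table):
    """Re-encode a mnemonic listing for one deployment; immediates are untouched."""
    return [table[tok] if isinstance(tok, str) else tok for tok in source]

def run(image, microcode, max_steps=100):
    """Softcore execution: every opcode is decoded through the loaded microcode."""
    stack, pc = [], 0
    for _ in range(max_steps):
        op = microcode.get(image[pc])
        if op is None:
            raise ValueError(f"illegal opcode {image[pc]:#x} at {pc}")
        if op == "PUSH":
            stack.append(image[pc + 1]); pc += 2; continue
        if op == "ADD":    stack.append(stack.pop() + stack.pop())
        elif op == "MUL":  stack.append(stack.pop() * stack.pop())
        elif op == "HALT": return stack[-1]
        pc += 1
    raise RuntimeError("no HALT reached")

def deploy_and_check(seed):
    """One deployment cycle for the machine keyed by `seed`: transform, compile, run."""
    table, microcode = transform_opcodes(seed)
    return run(cross_compile(PROGRAM, table), microcode)

def foreign_image_fails(seed_a, seed_b):
    """Image built for deployment A run on machine B: True if it faults or misbehaves."""
    table_a, _ = transform_opcodes(seed_a)
    _, microcode_b = transform_opcodes(seed_b)
    try:
        return run(cross_compile(PROGRAM, table_a), microcode_b) != 43
    except (ValueError, RuntimeError, IndexError):
        return True
```

Each deployment computes the same result under its own microcode, while an image carried over from a different cycle almost always decodes to an illegal opcode or a wrong program; that divergence between cycles is the property the claims rely on.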
CPC classification titles:

- using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- by adding security routines or objects to programs
- against software analysis or reverse engineering, e.g. by obfuscation
- to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- Protecting access to data via a platform, e.g. using keys or access control rules