-
Publication number: US20180212966A1
Publication date: 2018-07-26
Application number: US15414371
Filing date: 2017-01-24
Inventors: Manuel Costa
CPC classification: H04L63/10 , G06F21/602 , G06F21/645 , H04L63/0435 , H04L63/0876 , H04L63/101 , H04L63/18
Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.
-
Publication number: US20180211067A1
Publication date: 2018-07-26
Application number: US15414421
Filing date: 2017-01-24
Inventors: Manuel Costa
CPC classification: G06F21/74 , G06F21/57 , H04L9/3247 , H04L9/3263
Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to an instantiated enclave. An abstract identity value may be used to determine equivalence of two enclave instantiations that are not identical, such as two similar enclaves hosted on different computers, two enclaves hosted on different native enclave platforms, and two enclaves instantiated from different versions of the same enclave binary image.
-
Publication number: US12056512B2
Publication date: 2024-08-06
Application number: US17357999
Filing date: 2021-06-25
Inventors: Sylvan Clebsch , Stavros Volos , Sean Allen , Antonio Nino Diaz , John Starks , Kenneth Gordon , Manuel Costa
CPC classification: G06F9/45545 , G06F9/44505 , G06F9/45558 , H04L9/0825 , H04L9/0861 , H04L9/3213 , H04L9/3247 , G06F2009/45583 , G06F2009/45587
Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
-
Publication number: US11443033B2
Publication date: 2022-09-13
Application number: US15414355
Filing date: 2017-01-24
Inventors: Manuel Costa
Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to an instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, and making a trusted time measurement.
-
Publication number: US10484346B2
Publication date: 2019-11-19
Application number: US15638180
Filing date: 2017-06-29
IPC classification: G06F21/64 , H04L29/06 , G06F21/53 , G06Q20/06 , G06Q20/38 , G11B20/00 , H04L9/06 , H04L9/32 , G06F21/57 , G06F21/74 , G06Q20/00 , G06Q20/02 , H04L9/34 , H04L9/08
Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of the first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and the pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
-
Publication number: US20190182052A1
Publication date: 2019-06-13
Application number: US16273945
Filing date: 2019-02-12
Inventors: Manuel Costa , Orion Tamlin Hodson , Sriram Kottarakurichi Rajamani , Marcus Peinado , Mark Eugene Russinovich , Kapil Vaswani
CPC classification: H04L9/3247 , G06F9/5072 , G06F21/606 , G06F21/62 , G06F21/6236 , H04L63/06 , H04L63/08 , H04L63/12
Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
-
Publication number: US10142409B2
Publication date: 2018-11-27
Application number: US13632664
Filing date: 2012-10-01
Abstract: A method is provided for a host node in a computer network to determine its coordinates in a d-dimensional network space, comprising: discovering an address of a peer node in the network; measuring network latency between the host node and the peer node; determining whether network latency has been measured for at least d+1 peer nodes; if network latency has not been measured for at least d+1 peer nodes, estimating the network coordinates of the host node; and if network latency has been measured for at least d+1 peer nodes, calculating the network coordinates of the host node using the d+1 measured latencies.
-
Publication number: US10068097B2
Publication date: 2018-09-04
Application number: US14824310
Filing date: 2015-08-12
Inventors: Olga Ohrimenko , Manuel Costa , Cedric Fournet , Christos Gkantsidis , Markulf Kohlweiss , Divya Sharma
Abstract: A data center has a plurality of secure processing units; a plurality of data stores holding encrypted data records; and a network connecting the secure processing units and the data stores. The secure processing units comprise computing functionality configured to execute a data processing operation in parallel on the secure processing units by being configured to read encrypted records from the stores, process one or more of the encrypted records within the secure processing units, and send one or more of the encrypted records to the stores. The data center is configured to carry out a secret shuffle of the data records to protect the privacy of data processed in the data center from an observer observing any one or more of: the reading of the records, the sending of the records, the writing of the records; the secret shuffle comprising a random permutation of the records hidden from the observer.
-
Publication number: US20170033930A1
Publication date: 2017-02-02
Application number: US14865570
Filing date: 2015-09-25
Inventors: Manuel Costa , Orion Tamlin Hodson , Sriram Kottarakurichi Rajamani , Marcus Peinado , Mark Eugene Russinovich , Kapil Vaswani
CPC classification: H04L9/3247 , G06F21/606 , G06F21/62 , G06F21/6236 , H04L63/06 , H04L63/08 , H04L63/12
Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
-
Publication number: US11526613B2
Publication date: 2022-12-13
Application number: US16503455
Filing date: 2019-07-03
Inventors: David Thomas Chisnall , Cédric Alain Marie Fournet , Manuel Costa , Samuel Alexander Webster , Sylvan Clebsch , Kapil Vaswani
Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application-specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input/output policy on the first execution environment by interposing on all communication to and from the first execution environment and forwarding, modifying or dropping individual communications according to the policy. The gatekeeper provides evidence of attestation both for the application-specific code and for the policy.
-