US2005102266A1PendingUtilityA1

Method and system for maintaining secure data input and output

48
Assignee: XSIDES CORPPriority: Jun 8, 2001Filed: Dec 10, 2004Published: May 12, 2005
Est. expiryJun 8, 2021(expired)· nominal 20-yr term from priority
G06F 21/82Y10S707/99932Y10S707/99939
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems for enhancing the security of data during input and output on a client computer system are provided to prevent attempts by unauthorized code to access, intercept, and/or modify data. Example embodiments provide a plurality of obfuscation techniques and security enhanced drivers that use these obfuscation techniques to prohibit unauthorized viewing/receiving of valid data. When the drivers are used together with the various obfuscation techniques, the security enhanced drivers provide mechanisms for “scheduling” the content of the storage areas used to store the data so that valid data is not available to unauthorized recipients. When unauthorized recipients attempt to access the “data,” they perceive or receive obfuscated data. The obfuscation techniques described include “copy-in,” “replace and restore,” and “in-place replacement” de-obfuscation/re-obfuscation techniques. In one embodiment, a security enhanced display driver, a security enhanced mouse driver, a security enhanced keyboard driver, and a security enhanced audio driver are provided. To complement the security enhancements, the methods and systems also provide for a watchdog mechanism to ensure that the driver is functioning as it should be and various user interface techniques for denoting security on a display device.

Claims

exact text as granted — not AI-modified
1 . A driver in a computing environment for providing secure access to valid data, comprising: 
 a resource lockout mechanism that is structured to control access to a resource that stores the valid data and;    an obfuscation mechanism that uses the resource lockout mechanism to dynamically obfuscate the valid data to create obfuscated data and dynamically de-obfuscate the obfuscated data to create valid data such that the valid data is accessible to only an authorized requester and obfuscated data is accessible otherwise.    
   
   
       2 . The driver of  claim 1  wherein the obfuscation mechanism obfuscates by one of transforming the valid data and hiding the valid data.  
   
   
       3 . The driver of  claim 1  wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.  
   
   
       4 . The driver of  claim 1  wherein the obfuscation mechanism de-obfuscates upon copy-out of data to one of a playback device and an input device interpreter.  
   
   
       5 . The driver of  claim 4  wherein the playback device is a video display.  
   
   
       6 . The driver of  claim 4  wherein the playback device is an audio speaker.  
   
   
       7 . The driver of  claim 4  wherein the input interpreter processes pointer device input.  
   
   
       8 . The driver of  claim 4  wherein the input interpreter processes keystroke device input.  
   
   
       9 . The driver of  claim 1  wherein the obfuscation mechanism obfuscates and de-obfuscates by using the resource lockout mechanism to replace valid data stored in the resource with obfuscated data and then restore valid data in the resource.  
   
   
       10 . The driver of  claim 9  wherein the resource is a frame buffer of a video display system.  
   
   
       11 . The driver of  claim 9  wherein the resource is an audio buffer.  
   
   
       12 . The driver of  claim 9  wherein the replacement of valid data stored in the resource with obfuscated data and the restoration of valid data is performed by in-place replacement of the stored data.  
   
   
       13 . The driver of  claim 1  wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.  
   
   
       14 . The driver of  claim 13  wherein the obfuscation and de-obfuscation is performed in response to receiving events that indicate when valid data is required.  
   
   
       15 . The driver of  claim 13  wherein the obfuscation and de-obfuscation is performed by polling the computing environment to determine when valid data is required.  
   
   
       16 . The driver of  claim 1  wherein the resource lockout mechanism controls access to the resource by ensuring that the driver processes the input before other drivers present in the computing environment.  
   
   
       17 . The driver of  claim 16  further comprising intercepting input intended for an other driver present in the computing environment.  
   
   
       18 . The driver of  claim 1  implemented as software.  
   
   
       19 . The driver of  claim 1  implemented as hardware.  
   
   
       20 . The driver of  claim 1  wherein the driver is implemented by modifying an existing driver in the computing environment to include the resource lockout mechanism and the obfuscation mechanism.  
   
   
       21 . The driver of  claim 1 , further comprising an interception mechanism that is structured to intercept input to an other driver in the computing environment and to process the input.  
   
   
       22 . The driver of  claim 21  wherein the input is processed and possibly transformed before being forwarded to the other driver.  
   
   
       23 . The driver of  claim 21  wherein the input is processed by the driver instead of being forwarded to the other driver.  
   
   
       24 . The driver of  claim 1 , further comprising an interception mechanism that is structured to intercept output from an other driver in the computing environment and to process the output.  
   
   
       25 . A method in a computing environment for providing secure access to valid data, comprising: 
 controlling access to a resource that stores the valid data using a resource lockout mechanism; and    using the resource lockout mechanism, dynamically obfuscating the valid data to create obfuscated data and dynamically de-obfuscating the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.    
   
   
       26 . The method of  claim 25  wherein obfuscating is implemented by one of transforming the valid data and hiding the valid data.  
   
   
       27 . The method of  claim 25  wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.  
   
   
       28 . The method of  claim 25  wherein the de-obfuscating is performed upon copy-out of data to one of a playback device and an input device interpreter.  
   
   
       29 . The method of  claim 28  wherein the playback device is a video display.  
   
   
       30 . The method of  claim 28  wherein the playback device is an audio output device.  
   
   
       31 . The method of  claim 28  wherein the input interpreter processes pointer device input.  
   
   
       32 . The method of  claim 28  wherein the input interpreter processes keystroke device input.  
   
   
       33 . The method of  claim 25  wherein the obfuscating and de-obfuscating is performed by using the resource lockout mechanism to replace valid data stored in the resource with obfuscated data and then restore valid data in the resource.  
   
   
       34 . The method of  claim 33  wherein the resource is a frame buffer of a video display system.  
   
   
       35 . The method of  claim 33  wherein the resource is an audio buffer.  
   
   
       36 . The method of  claim 33  wherein the replacement of valid data stored in the resource with obfuscated data and the restoration of valid data is performed by in-place replacement of the stored data.  
   
   
       37 . The method of  claim 25  wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.  
   
   
       38 . The method of  claim 37  wherein the obfuscating and de-obfuscating is performed in response to receiving events that indicate when valid data is required.  
   
   
       39 . The method of  claim 37  wherein the obfuscating and de-obfuscating is performed by polling the computing environment to determine when valid data is required.  
   
   
       40 . The method of  claim 25  wherein the resource lockout mechanism controls access to the resource by ensuring that the method processes the input before other code present in the computing environment.  
   
   
       41 . The method of  claim 25  implemented in software.  
   
   
       42 . The method of  claim 25  implemented in hardware.  
   
   
       43 . A computer-readable memory medium containing instructions for controlling a computer processor to provide secure access to valid data, by: 
 controlling access to a resource that stores the valid data using a resource lockout mechanism; and    using the resource lockout mechanism, dynamically obfuscating the valid data to create obfuscated data and dynamically de-obfuscating the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.    
   
   
       44 . The computer-readable memory medium of  claim 43  wherein obfuscating is implemented by one of transforming the valid data and hiding the valid data.  
   
   
       45 . The computer-readable memory medium of  claim 43  wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.  
   
   
       46 . The computer-readable memory medium of  claim 43  wherein the de-obfuscating is performed upon copy-out of data to one of a playback device and an input device interpreter.  
   
   
       47 . The computer-readable memory medium of  claim 46  wherein the playback device is a video display.  
   
   
       48 . The computer-readable memory medium of  claim 46  wherein the playback device is an audio speaker.  
   
   
       49 . The computer-readable memory medium of  claim 46  wherein the input interpreter processes pointer device input.  
   
   
       50 . The computer-readable memory medium of  claim 46  wherein the input interpreter processes keystroke device input.  
   
   
       51 . The computer-readable memory medium of  claim 43  wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.  
   
   
       52 . The computer-readable memory medium of  claim 43  wherein the resource lockout mechanism controls access to the resource by ensuring that the method processes the input before other code present in the computing environment.  
   
   
       53 . A system for incorporating a security enhanced driver into an existing operating system having a device driver that processes one of an input event and an output event, the system comprising: 
 a resource lockout mechanism that is structured to control access to a resource that stores designated valid data; and    an obfuscation mechanism that dynamically obfuscates the designated valid data and de-obfuscates the obfuscated data using the resource lockout mechanism such that the designated valid data is accessible to only an authorized requestor and invalid data is accessible otherwise.    
   
   
       54 . The system of  claim 53  wherein the resource lockout mechanism is configured as a portion of a modified device driver.  
   
   
       55 . A system for incorporating a security enhanced driver into an existing operating system, the operating system having an ordering of device drivers that process input and output according to the ordering, the system comprising: 
 a security enhanced driver configured for installation as a driver first in the ordering such that the security enhanced driver intercepts one of input and output and ensures that content associated with the one of the input and output is accessible in a valid form only to requestors authorized to access the content and that invalid data is accessible to requestors not authorized to access the content.    
   
   
       56 . A system for secure access to valid data in a computer environment, comprising: 
 a storage area to store valid data; and    a resource lockout mechanism to lock out other processes during activation of a resource to access of the stored valid data to thereby prevent other processes access to the valid data.    
   
   
       57 . The system of  claim 56  wherein the resource lockout mechanism is configured to designate the access resource as the highest priority process in the computing environment wherein operation of the access resource prohibits any other process from operating.  
   
   
       58 . The system of  claim 56 , further comprising an obfuscation mechanism activated during the access process and configured to dynamically obfuscate the valid data to create obfuscated data and dynamically de-obfuscate the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.