Method and system for maintaining secure data input and output
Abstract
Methods and systems for enhancing the security of data during input and output on a client computer system are provided to prevent attempts by unauthorized code to access, intercept, and/or modify data. Example embodiments provide a plurality of obfuscation techniques and security enhanced drivers that use these obfuscation techniques to prohibit unauthorized viewing/receiving of valid data. When the drivers are used together with the various obfuscation techniques, the security enhanced drivers provide mechanisms for “scheduling” the content of the storage areas used to store the data so that valid data is not available to unauthorized recipients. When unauthorized recipients attempt to access the “data,” they perceive or receive obfuscated data. The obfuscation techniques described include “copy-in,” “replace and restore,” and “in-place replacement” de-obfuscation/re-obfuscation techniques. In one embodiment, a security enhanced display driver, a security enhanced mouse driver, a security enhanced keyboard driver, and a security enhanced audio driver are provided. To complement the security enhancements, the methods and systems also provide for a watchdog mechanism to ensure that the driver is functioning as it should be and various user interface techniques for denoting security on a display device.
Claims
exact text as granted — not AI-modified1 . A driver in a computing environment for providing secure access to valid data, comprising:
a resource lockout mechanism that is structured to control access to a resource that stores the valid data and; an obfuscation mechanism that uses the resource lockout mechanism to dynamically obfuscate the valid data to create obfuscated data and dynamically de-obfuscate the obfuscated data to create valid data such that the valid data is accessible to only an authorized requester and obfuscated data is accessible otherwise.
2 . The driver of claim 1 wherein the obfuscation mechanism obfuscates by one of transforming the valid data and hiding the valid data.
3 . The driver of claim 1 wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.
4 . The driver of claim 1 wherein the obfuscation mechanism de-obfuscates upon copy-out of data to one of a playback device and an input device interpreter.
5 . The driver of claim 4 wherein the playback device is a video display.
6 . The driver of claim 4 wherein the playback device is an audio speaker.
7 . The driver of claim 4 wherein the input interpreter processes pointer device input.
8 . The driver of claim 4 wherein the input interpreter processes keystroke device input.
9 . The driver of claim 1 wherein the obfuscation mechanism obfuscates and de-obfuscates by using the resource lockout mechanism to replace valid data stored in the resource with obfuscated data and then restore valid data in the resource.
10 . The driver of claim 9 wherein the resource is a frame buffer of a video display system.
11 . The driver of claim 9 wherein the resource is an audio buffer.
12 . The driver of claim 9 wherein the replacement of valid data stored in the resource with obfuscated data and the restoration of valid data is performed by in-place replacement of the stored data.
13 . The driver of claim 1 wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.
14 . The driver of claim 13 wherein the obfuscation and de-obfuscation is performed in response to receiving events that indicate when valid data is required.
15 . The driver of claim 13 wherein the obfuscation and de-obfuscation is performed by polling the computing environment to determine when valid data is required.
16 . The driver of claim 1 wherein the resource lockout mechanism controls access to the resource by ensuring that the driver processes the input before other drivers present in the computing environment.
17 . The driver of claim 16 further comprising intercepting input intended for an other driver present in the computing environment.
18 . The driver of claim 1 implemented as software.
19 . The driver of claim 1 implemented as hardware.
20 . The driver of claim 1 wherein the driver is implemented by modifying an existing driver in the computing environment to include the resource lockout mechanism and the obfuscation mechanism.
21 . The driver of claim 1 , further comprising an interception mechanism that is structured to intercept input to an other driver in the computing environment and to process the input.
22 . The driver of claim 21 wherein the input is processed and possibly transformed before being forwarded to the other driver.
23 . The driver of claim 21 wherein the input is processed by the driver instead of being forwarded to the other driver.
24 . The driver of claim 1 , further comprising an interception mechanism that is structured to intercept output from an other driver in the computing environment and to process the output.
25 . A method in a computing environment for providing secure access to valid data, comprising:
controlling access to a resource that stores the valid data using a resource lockout mechanism; and using the resource lockout mechanism, dynamically obfuscating the valid data to create obfuscated data and dynamically de-obfuscating the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.
26 . The method of claim 25 wherein obfuscating is implemented by one of transforming the valid data and hiding the valid data.
27 . The method of claim 25 wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.
28 . The method of claim 25 wherein the de-obfuscating is performed upon copy-out of data to one of a playback device and an input device interpreter.
29 . The method of claim 28 wherein the playback device is a video display.
30 . The method of claim 28 wherein the playback device is an audio output device.
31 . The method of claim 28 wherein the input interpreter processes pointer device input.
32 . The method of claim 28 wherein the input interpreter processes keystroke device input.
33 . The method of claim 25 wherein the obfuscating and de-obfuscating is performed by using the resource lockout mechanism to replace valid data stored in the resource with obfuscated data and then restore valid data in the resource.
34 . The method of claim 33 wherein the resource is a frame buffer of a video display system.
35 . The method of claim 33 wherein the resource is an audio buffer.
36 . The method of claim 33 wherein the replacement of valid data stored in the resource with obfuscated data and the restoration of valid data is performed by in-place replacement of the stored data.
37 . The method of claim 25 wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.
38 . The method of claim 37 wherein the obfuscating and de-obfuscating is performed in response to receiving events that indicate when valid data is required.
39 . The method of claim 37 wherein the obfuscating and de-obfuscating is performed by polling the computing environment to determine when valid data is required.
40 . The method of claim 25 wherein the resource lockout mechanism controls access to the resource by ensuring that the method processes the input before other code present in the computing environment.
41 . The method of claim 25 implemented in software.
42 . The method of claim 25 implemented in hardware.
43 . A computer-readable memory medium containing instructions for controlling a computer processor to provide secure access to valid data, by:
controlling access to a resource that stores the valid data using a resource lockout mechanism; and using the resource lockout mechanism, dynamically obfuscating the valid data to create obfuscated data and dynamically de-obfuscating the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.
44 . The computer-readable memory medium of claim 43 wherein obfuscating is implemented by one of transforming the valid data and hiding the valid data.
45 . The computer-readable memory medium of claim 43 wherein the obfuscated data is one of an opaque bitmap, a pattern, a random bitmap, noise, masked valid data, encrypted data, an image, a logo, an advertisement, a random audio sequence, and a random input sequence.
46 . The computer-readable memory medium of claim 43 wherein the de-obfuscating is performed upon copy-out of data to one of a playback device and an input device interpreter.
47 . The computer-readable memory medium of claim 46 wherein the playback device is a video display.
48 . The computer-readable memory medium of claim 46 wherein the playback device is an audio speaker.
49 . The computer-readable memory medium of claim 46 wherein the input interpreter processes pointer device input.
50 . The computer-readable memory medium of claim 46 wherein the input interpreter processes keystroke device input.
51 . The computer-readable memory medium of claim 43 wherein the resource lockout mechanism controls access to the resource through a priority scheduling technique.
52 . The computer-readable memory medium of claim 43 wherein the resource lockout mechanism controls access to the resource by ensuring that the method processes the input before other code present in the computing environment.
53 . A system for incorporating a security enhanced driver into an existing operating system having a device driver that processes one of an input event and an output event, the system comprising:
a resource lockout mechanism that is structured to control access to a resource that stores designated valid data; and an obfuscation mechanism that dynamically obfuscates the designated valid data and de-obfuscates the obfuscated data using the resource lockout mechanism such that the designated valid data is accessible to only an authorized requestor and invalid data is accessible otherwise.
54 . The system of claim 53 wherein the resource lockout mechanism is configured as a portion of a modified device driver.
55 . A system for incorporating a security enhanced driver into an existing operating system, the operating system having an ordering of device drivers that process input and output according to the ordering, the system comprising:
a security enhanced driver configured for installation as a driver first in the ordering such that the security enhanced driver intercepts one of input and output and ensures that content associated with the one of the input and output is accessible in a valid form only to requestors authorized to access the content and that invalid data is accessible to requestors not authorized to access the content.
56 . A system for secure access to valid data in a computer environment, comprising:
a storage area to store valid data; and a resource lockout mechanism to lock out other processes during activation of a resource to access of the stored valid data to thereby prevent other processes access to the valid data.
57 . The system of claim 56 wherein the resource lockout mechanism is configured to designate the access resource as the highest priority process in the computing environment wherein operation of the access resource prohibits any other process from operating.
58 . The system of claim 56 , further comprising an obfuscation mechanism activated during the access process and configured to dynamically obfuscate the valid data to create obfuscated data and dynamically de-obfuscate the obfuscated data to create valid data such that the valid data is accessible to only an authorized requestor and obfuscated data is accessible otherwise.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.