Methods and Systems for Protecting Data in USB Systems
Abstract
The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.
Claims
exact text as granted — not AI-modified1 . A method comprising:
receiving a request from an application for a USB transaction; querying the application for a memory location that is to be the subject of the transaction; receiving a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory; processing the memory location indication into a transaction description (TD); and processing the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.
2 . The method of claim 1 , wherein protected memory is only accessible by a USB host controller.
3 . The method of claim 1 , wherein the act of processing the TD comprises copying in or copying out the data only if the protected memory location is associated with a secure USB device that is the subject of the USB transaction.
4 . The method of claim 1 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques.
5 . The method of claim 1 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory.
6 . The method of claim 1 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory.
7 . The method of claim 1 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory, the counter values comprising monotonically increasing values.
8 . (canceled)
9 . A system comprising:
a USB component assembly configured to:
receive a request from an application for a USB transaction;
query the application for a memory location that is to be the subject of the transaction;
receive a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory;
process the memory location indication into a transaction description (TD);
process the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.
10 . The system of claim 9 , wherein protected memory is only accessible by a USB host controller.
11 . The system of claim 9 , wherein data that is copied in or out of the protected memory location is associated with a secure USB device that is the subject of the USB transaction.
12 . The system of claim 9 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques.
13 . The system of claim 9 , wherein if the data is to be provided into protected memory, the component assembly associates integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory.
14 . One or more computer-readable media having computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform acts comprising:
receiving a request from an application for a USB transaction; querying the application for a memory location that is to be the subject of the transaction; receiving a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory; processing the memory location indication into a transaction description (TD); and processing the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.
15 . The one or more computer-readable media of claim 14 , wherein protected memory is only accessible by a USB host controller.
16 . The one or more computer-readable media of claim 14 , wherein the act of processing the TD comprises copying in or copying out the data only if the protected memory location is associated with a secure USB device that is the subject of the USB transaction.
17 . The one or more computer-readable media of claim 14 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques.
18 . The one or more computer-readable media of claim 14 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory.
19 . The one or more computer-readable media of claim 14 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory.
20 . The one or more computer-readable media of claim 14 further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory, the counter values comprising monotonically increasing values.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.