US2013282934A1PendingUtilityA1

Methods and Systems for Protecting Data in USB Systems

55
Assignee: MICROSOFT CORPPriority: Jun 28, 2002Filed: Jun 20, 2013Published: Oct 24, 2013
Est. expiryJun 28, 2022(expired)· nominal 20-yr term from priority
G06F 2221/2153G06F 21/72G06F 2221/2147G06F 21/85G06F 2212/1052G06F 2221/2105G06F 13/4282G06F 13/28G06F 21/78G06F 13/362G06F 21/73G06F 21/606G06F 2221/2129G06F 12/1408G06F 3/065G06F 21/1011
55
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.

Claims

exact text as granted — not AI-modified
1 . A method comprising:
 receiving a request from an application for a USB transaction;   querying the application for a memory location that is to be the subject of the transaction;   receiving a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory;   processing the memory location indication into a transaction description (TD); and   processing the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.   
     
     
         2 . The method of  claim 1 , wherein protected memory is only accessible by a USB host controller. 
     
     
         3 . The method of  claim 1 , wherein the act of processing the TD comprises copying in or copying out the data only if the protected memory location is associated with a secure USB device that is the subject of the USB transaction. 
     
     
         4 . The method of  claim 1 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques. 
     
     
         5 . The method of  claim 1  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory. 
     
     
         6 . The method of  claim 1  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory. 
     
     
         7 . The method of  claim 1  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory, the counter values comprising monotonically increasing values. 
     
     
         8 . (canceled) 
     
     
         9 . A system comprising:
 a USB component assembly configured to:
 receive a request from an application for a USB transaction; 
 query the application for a memory location that is to be the subject of the transaction; 
 receive a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory; 
 process the memory location indication into a transaction description (TD); 
 process the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication. 
   
     
     
         10 . The system of  claim 9 , wherein protected memory is only accessible by a USB host controller. 
     
     
         11 . The system of  claim 9 , wherein data that is copied in or out of the protected memory location is associated with a secure USB device that is the subject of the USB transaction. 
     
     
         12 . The system of  claim 9 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques. 
     
     
         13 . The system of  claim 9 , wherein if the data is to be provided into protected memory, the component assembly associates integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory. 
     
     
         14 . One or more computer-readable media having computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform acts comprising:
 receiving a request from an application for a USB transaction;   querying the application for a memory location that is to be the subject of the transaction;   receiving a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory;   processing the memory location indication into a transaction description (TD); and   processing the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.   
     
     
         15 . The one or more computer-readable media of  claim 14 , wherein protected memory is only accessible by a USB host controller. 
     
     
         16 . The one or more computer-readable media of  claim 14 , wherein the act of processing the TD comprises copying in or copying out the data only if the protected memory location is associated with a secure USB device that is the subject of the USB transaction. 
     
     
         17 . The one or more computer-readable media of  claim 14 , wherein the host controller copies data in or out of the protected memory using direct memory access (DMA) techniques. 
     
     
         18 . The one or more computer-readable media of  claim 14  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory. 
     
     
         19 . The one or more computer-readable media of  claim 14  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory. 
     
     
         20 . The one or more computer-readable media of  claim 14  further comprising, if the data is to be provided by the host controller into protected memory, associating integrity data with the data that is to be provided into the protected memory, the integrity data being useable to verify the integrity of the data that is provided into the protected memory, said associating comprising appending a counter having a counter value to individual data packets that are provided into the protect memory, the counter values comprising monotonically increasing values.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.