US2023094864A1PendingUtilityA1

System and method for end-to-end data trust management with real-time attestation

53
Assignee: WEEVE NETWORKPriority: Apr 26, 2021Filed: Sep 28, 2022Published: Mar 30, 2023
Est. expiryApr 26, 2041(~14.8 yrs left)· nominal 20-yr term from priority
G06F 21/577G06F 2221/034G06F 21/64G06F 21/566G06F 21/72G06F 21/53G06F 21/755G06F 2221/2149
53
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for real-time attestation which attests to the untouchability of processors from external influences. The system and method comprise a security mechanism that extracts information about a program's full-control execution path and then validates that information with a highly isolated guard process during runtime, which is running in a trusted environment. This trusted guard application also acts as a remote attester client and sends the currently running control flow graph to a remote attestator server on demand.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A system for end-to-end data trust management with real-time attestation, comprising:
 a first networked computing device comprising a firmware memory a processor and an instrumented firmware stored in the firmware memory and operable on the processor, the instrumented firmware comprising a first plurality of programming instructions that, when operating on the processor, causes the first networked computing device to:
 create a compartmentalized normal operating environment; 
 create a compartmentalized high-privileged operating environment; 
 create a golden hash value from a set of instructions running in the normal operating environment; and 
 send the golden hash value to a trusted guard application; 
   wherein the trusted guard application is executed in the high-privileged operating environment of the first networked computing device;   wherein the trusted guard application:
 prepares a device-specific cryptographically signed authenticated message with the golden hash; and 
 sends the device-specific cryptographically signed authenticated message to a remote attestation server; and 
   the remote attestation server comprising at least a second plurality of programming instructions stored in a memory of, and operating on at least one processor of, a second networked computing device, wherein the second plurality of programming instructions, when operating on the at least one processor, causes the second networked computing device to:
 receive the golden hash value from the networked computing device via the device-specific cryptographically signed authenticated message; and 
 validate the integrity of the golden hash against at least one of a plurality of stored verified control flow hash values. 
   
     
     
         2 . The system of  claim 1 , further comprising an application programming interface. 
     
     
         3 . The system of  claim 2 , wherein the trusted guard application passes data packets to the remote attestation server via the application programming interface. 
     
     
         4 . The system of  claim 1 , wherein the instrumented firmware is implemented using containers. 
     
     
         5 . The system of  claim 1 , wherein a failed validation of the golden hash value results in an alert. 
     
     
         6 . The system of  claim 1 , further comprising a user interface that displays real-time attestation data. 
     
     
         7 . The system of  claim 1 , wherein the golden hash value is generated from all the instructions between two branch instructions. 
     
     
         8 . The system of  claim 1 , wherein the first networked computing device comprises any computing device with a processor that is communicatively coupled to another computing device. 
     
     
         9 . The system of  claim 1 , further comprising a secure messaging establishment protocol. 
     
     
         10 . The system of  claim 9 , wherein the secure messaging establishment protocol uses a third-party mediator to verify network activity. 
     
     
         11 . A method for end-to-end data trust management with real-time attestation, comprising the steps of:
 in a networked computing device comprising a firmware memory, a processor, and an instrumented firmware stored in the firmware memory and operable on the processor:
 creating a compartmentalized normal operating environment on a processor; 
 creating a compartmentalized high-privileged operating environment on the processor; 
 creating a golden hash value from a set of instructions; and 
 sending the golden hash value to a trusted guard application running in the high-privileged operating environment of the processor; 
   in the trusted guard application:
 preparing a device-specific cryptographically signed authenticated message with the golden hash value; 
 sending the device-specific cryptographically signed authenticated message to a remote attestation server; and 
   validating, at the remote attestation server, the integrity of the golden hash value against at least one of a plurality of stored verified control flow hash values.   
     
     
         12 . The method of  claim 11 , further comprising an application programming interface. 
     
     
         13 . The method of  claim 12 , wherein the trusted guard application and the remote attestation server pass data packets via the application programming interface. 
     
     
         14 . The method of  claim 11 , wherein the instrumented firmware is implemented using containers. 
     
     
         15 . The method of  claim 11 , wherein a failed validation of the golden hash value results in an alert. 
     
     
         16 . The method of  claim 11 , further comprising a user interface that displays real-time attestation data. 
     
     
         17 . The method of  claim 11 , wherein the golden hash value is generated from all the instructions between two branch instructions. 
     
     
         18 . The method of  claim 11 , wherein the networked computing device comprises any computing device with a processor that is communicatively coupled to another computing device. 
     
     
         19 . The method of  claim 11 , further comprising a secure messaging establishment protocol. 
     
     
         20 . The method of  claim 19 , wherein the secure messaging establishment protocol uses a third-party mediator to verify network activity.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.