Patent

Customizing operating system kernels with secure kernel modules

24 Jun 2020
TL;DR: In this paper, the authors discuss configuring a kernel security module for loading to an operating system kernel to run kernel-level scripts on the kernel, the kernel security module being configured to perform a security verification comprising operations of: identifying, at the kernel security module, a script received at the kernel security module for requested execution by the kernel, and verifying whether the script has a valid signature; determining, at the kernel security module and based on the security verification, whether to permit the script to be processed by the kernel; and identifying, based on determining, executable code corresponding to the
Abstract: Disclosed embodiments relate to secure and reliable customization of operating system kernels. Techniques include configuring a kernel security module for loading to an operating system kernel to run kernel-level scripts on the kernel, the kernel security module being configured to perform a security verification comprising operations of: identifying, at the kernel security module, a script received at the kernel security module for requested execution by the kernel, and verifying whether the script has a valid signature; determining, at the kernel security module and based on the security verification, whether to permit the script to be processed by the kernel; and identifying, based on the determining, executable code corresponding to the script to execute at the kernel.
References
Patent
16 Sep 1998
TL;DR: In this paper, a method of expanding a secure kernel memory area to accommodate additional software code includes the step of digitally signing the additional code by a trusted authority, and the code is copied into an unprotected memory where the digital signature is verified.
Abstract: A method of expanding a secure kernel memory area to accommodate additional software code includes the step of digitally signing the additional code by a trusted authority. The code has a digital signature to authenticate the source of the code and to control what code can be added to the secure kernel. The new code is copied into an unprotected memory where the digital signature is verified. The digital signature includes a unique integrated circuit (IC) identification number, which provides the IC manufacturer with the ability to control the secure kernel memory expansion of all or each of the ICs. If the code is authenticated via the digital signature, then those memory blocks are locked-in as protected memory and thus given “secure kernel” privileges.

41 citations

Patent
30 Mar 2012
TL;DR: In this article, a system and method for implementing platform security on a consumer electronic device having an open development platform is described. The device is of the type which includes an abstraction layer operable between device hardware and application software, and a secured software agent is provided for embedding within the abstraction layer forming the operating system.
Abstract: A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.

39 citations

Patent
17 Dec 2002
TL;DR: In this paper, a method and system (400A-B) for executing an insecure routine and receiving a request from the insecure routine is provided. But the method does not address the security aspects of the request.
Abstract: A method and system (400A-B) for performing the method is provided. The method includes executing an insecure routine and receiving a request from the insecure routine. The method also includes performing a first evaluation of the request in hardware, and performing a second evaluation of the request in a secure routine in software. The computer system (400A-B) includes a processor (404) configurable to execute a secure routine and an insecure routine. The computer system (400A-B) also includes hardware coupled to perform a first evaluation of a request associated with the insecure routine. The hardware is further configured to provide a notification of the request to the secure routine. The secure routine is configured to perform a second evaluation of the request. The secure routine is further configured to deny a requested response to the request.

32 citations

Patent
02 Oct 2007
TL;DR: In this article, a secure operating kernel maintains a "key ring" containing keys corresponding to trusted software vendors, which are used to verify that a given application was signed by an approved vendor.
Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for users to execute software from independent software developers, an administrative user may disable the above-described vendor key-checking as an option.

29 citations

Trending Questions (1)
How can an operating system be made more secure?

An operating system can be made more secure by configuring a kernel security module to verify and permit the execution of valid scripts on the kernel.