Back in January Peter Oppenheimer stated that the iPad was continuing "its unprecedented adoption in business." As more businesses adopt iPads, Apple needs to assure corporate IT departments that its security meets higher standards. Last week four new security patents came to light and were captured in our report titled "Apple Advances Security System Technology for the Enterprise." Today, four additional security patents have been published by the US Patent and Trademark Office that cover systems and methods for tamper-resistant booting, fighting against malicious code aimed at portable devices and more.
Security Patent One: Apple's Patent Background
Security concerns for all types of processor-based electronic devices, and particularly for computing devices, have become significant. While some concerns may relate to detrimental actions which may be undertaken by defective code implemented by such devices, the greater concerns relate to the ramifications of various types of attacks made upon such devices through malicious code, including code conventionally known in the field by a number of names, such as "viruses", "worms", "Trojan horses", "spyware", "malware", and others. Such malicious code can have effects ranging from relatively benign, such as displaying messages on a screen, or taking control of limited functions of a device; to highly destructive, such as taking complete control of a device, running processes, transmitting and/or deleting files, etc. Virtually any type of imaginable action on a processor-based device has been the subject of attacks by malicious code.
Many of these attacks are directed at computing devices, such as workstations, servers, desktop computers, notebook and handheld computers, and other similar devices. Many of these computing devices can run one or more application programs which a user may operate to perform a set of desired functions. However, such attacks are not limited to such computing devices. A broader group of various types of devices, such as cell phones; personal digital assistants ("PDAs"); music and video players; network routers, switches or bridges; and other devices utilizing a microprocessor, microcontroller, or a digital signal processor, to execute coded instructions have been the subjects of attacks by malicious code.
A number of methodologies have been used in an attempt to reduce or eliminate both attacks by, and the influence of, malicious or defective code. Generally, these methodologies include detection, prevention, and mitigation. Specifically, they range from attempts to scan, identify, isolate, and possibly delete malicious code before it is introduced to the system or before it does harm (the objective of anti-virus software and the like), to restricting or containing the actions which may be taken by processes affected by malicious or defective code. However, such restrictions are typically configured statically, based on a set of rules set forth in a security profile. Statically configured rules do not always represent the dynamic conditions of an operating environment at runtime.
Apple's solution is based on their new patent application titled "Methods for Restricting Resources used by a Program based on Entitlements." According to one aspect of Apple's invention, in response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.
According to another aspect of Apple's invention, in response to a request for launching a program, a list of resources to be accessed by the program during execution of the program is determined. A predetermined function of a library that provides access of the resources is invoked, including passing as a parameter one or more resource entitlements of the program, to obtain a set of rules for accessing resources associated with the library based on the resource entitlements. A security profile is dynamically generated for the program based on the set of rules, where the security profile is used to restrict the program from accessing other resources of the library that the program is not entitled during execution of the program.
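As an added illustration (example code, not Apple's implementation), the following Python models the launch-time flow the two aspects above describe: each framework exports a function that is invoked with the program's entitlements and returns the rules that apply to it, those rules are compiled into a per-launch profile, and the profile is consulted on every resource access. The framework names, entitlement strings, operations and resource paths are constructed for the example.

```python
"""Added example (not Apple's code): compile a per-launch security profile
from a program's entitlements and the rules each framework exports."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    operation: str     # e.g. "file-read", "network-outbound", "camera-capture"
    pattern: str       # glob over the resource name


# Hypothetical framework registry. Each framework exposes one function that,
# given the program's entitlements, returns the rules that apply to it
# (the "predetermined function of a library" in the text).
def address_book_rules(entitlements):
    rules = [Rule("deny", "file-read", "/Library/AddressBook/*")]
    if "com.example.addressbook" in entitlements:
        rules.append(Rule("allow", "file-read", "/Library/AddressBook/*"))
    return rules


def network_rules(entitlements):
    rules = [Rule("deny", "network-outbound", "*")]
    if "com.example.network.client" in entitlements:
        # Entitled programs may only open outbound TLS connections.
        rules.append(Rule("allow", "network-outbound", "tcp:*:443"))
    return rules


def camera_rules(entitlements):
    if "com.example.device.camera" in entitlements:
        return [Rule("allow", "camera-capture", "*")]
    return [Rule("deny", "camera-capture", "*")]


FRAMEWORKS = {
    "AddressBook": address_book_rules,
    "Network": network_rules,
    "Camera": camera_rules,
}


def compile_profile(frameworks, entitlements):
    """Build the profile at launch time from the frameworks the program links.

    Only frameworks the program declares contribute rules; passing the
    entitlement set to each framework lets it decide what to allow.
    """
    entitled = frozenset(entitlements)
    profile = []
    for name in frameworks:
        if name not in FRAMEWORKS:
            raise KeyError(f"unknown framework: {name}")
        profile.extend(FRAMEWORKS[name](entitled))
    return profile


def is_allowed(profile, operation, resource):
    """Enforcement: last matching rule wins; anything no rule mentions is denied."""
    verdict = False
    for rule in profile:
        if rule.operation == operation and fnmatch(resource, rule.pattern):
            verdict = rule.action == "allow"
    return verdict
```

Default-deny is what makes the dynamic profile useful: a resource belonging to a framework the program did not declare (the Camera framework when it is absent from the linked list) has no rule at all and is refused, and a framework that was declared still grants nothing beyond what the entitlements passed to it justify.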
Apple's patent FIG. 3 is a block diagram illustrating a system for operating a program in a restricted operating environment according to one embodiment of the invention.
For more details on this security patent, see application 10120185863. Apple's patent application was originally filed in Q1 2011 by inventors Ivan Krstic, Austin Jennings and Richard Hagy.
Security Patent Two: Apple's Patent Background
Many computing devices today require some degree of information protection. Cryptography is one such method utilized in protecting computing devices. Cryptography refers to both encryption and decryption of information. Encryption is the process of changing intelligible information (plaintext) into unintelligible information (ciphertext) and decryption is the process of changing ciphertext back into plaintext.
Computing devices can encrypt data of varying sizes, from small sets to large blocks of data. Full-disk encryption (FDE) is a method that encrypts an entire disk volume on a computing device. The volume must be unlocked with its key before any of its contents are accessible. Full-disk encryption is considered more secure than file-level encryption since all files (including temporary files) are encrypted.
Although FDE is considered more secure than file-level encryption, systems with FDE employed are still vulnerable to attack. In one simple attack, a hacker can change the boot sequence of a computing device so that it boots from the hacker's own malicious code instead of performing the normal boot sequence. FDE systems must prompt the user for a password at boot time in order to unlock the FDE volume. The hacker's malicious code can display an identical looking screen that asks for the FDE password, but steals it instead of using the password to unlock the FDE volume. When the user enters the password, the hacker logs it and gains access to the computing device. The hacker can therefore surreptitiously steal the user's password. Without a chain of trust from the booter to the operating system kernel, such attacks are able to defeat even full-disk encrypted computing devices.
Apple's invention titled "System and Method for Tamper-Resistant Booting" relates to systems, methods, and non-transitory computer-readable storage media for booting a computing device having an encrypted storage medium using full disk encryption, referred to as tamper-resistant booting. One way to remedy the attacks outlined above is called tamper-resistant boot. When a computing device employs a high-security mode such as FDE, it should be more difficult for a hacker to change the boot sequence than when operating under lower-security modes. However, even in a computing device with an FDE-enabled storage medium, the operating system kernel is not encrypted. This is because the boot environment is not sufficiently complex to decrypt FDE volumes. Instead, the boot environment must rely on an operating system kernel to do the decryption. The unencrypted operating system kernel is an obvious weak link in the overall FDE security model, as it can be surreptitiously replaced with malicious password-stealing code by an attacker. One way for a computing device to address this deficiency is to verify the authenticity of the boot sequence by establishing a chain of trust from the firmware to the kernel in the operating system. At boot time, the system receives from the user credentials associated with a volume key for an FDE-enabled encrypted storage medium. The system retrieves the unencrypted kernel and unencrypted kernel cache digest from the storage medium. The system then verifies that the kernel cache is authentic by comparing the retrieved kernel cache digest with a computed digest. Initiation and execution of the operating system is performed if the system determines that the kernel cache is authentic. The system produces an error if the kernel cache is not authentic.
A system practicing the method initiates the tamper-resistant booting process by first generating a volume key based on a full disk encryption password received from a user. The system encrypts the storage medium with the volume key to yield a full disk encrypted storage medium. Then the system encrypts the kernel cache with the full disk encryption volume key to yield a kernel cache digest, which the system stores on an unencrypted storage medium or an unencrypted portion of an otherwise encrypted storage medium, alongside the kernel cache itself. When the system boots, it verifies the integrity of the kernel cache based on the stored kernel cache digest and a computed digest.
The system verifies that the operating system has not been tampered with by booting the system with firmware and confirming, via the firmware, the integrity of the booter. The system passes control to the booter where the booter confirms a kernel cache of the operating system based on a stored kernel cache digest and a computed digest. Once the system determines that the operating system has not been tampered with, it passes control to the operating system for initiation and execution and any remaining boot tasks.
In one embodiment, the system disables tamper-resistant booting by generating, at the firmware level, a password verifier and comparing it to a password proof. The system generates the password verifier by applying a number of iterations of an encryption algorithm to a salt value and a password. Once the system receives a request from a user to disable tamper-resistant booting, the operating system generates a partial password proof. Generating a partial password proof is accomplished by applying a portion of the number of iterations of the encryption algorithm to the request password and the salt value, and then rebooting the computing device. Once the system reboots, the firmware retrieves the partial password proof and performs the remaining portion of the number of iterations of the encryption algorithm to produce the complete password proof. If the password proof matches the password verifier, the system disables tamper-resistant booting. In this way, the system authenticates a request to disable tamper-resistant boot.
Additionally, the system initializes tamper-resistant booting by establishing a database that stores password verifiers. The operating system generates a list of users that are authorized to disable tamper-resistant booting and sends the list to the firmware. The operating system generates password verifiers for each user and sends them to the firmware as well. The firmware stores this database in non-volatile random access memory (NVRAM). The system also generates a system salt in the firmware and stores the system salt in NVRAM for later use. The principles disclosed herein apply to a computing device having an encrypted storage medium using full disk encryption.
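To make the two mechanisms above concrete, here is an added Python model (not Apple's code) of the boot-time kernel cache check and of the split password proof used to authorise disabling the feature. It assumes PBKDF2 for deriving the volume key from the FDE password, HMAC-SHA256 as the keyed digest that stands in for "encrypting the kernel cache with the volume key", a SHA-256 hash chain as the iterated algorithm the text leaves unnamed, and the iteration counts shown; the salt, passwords and kernel cache bytes are constructed for the example.

```python
"""Added example (not Apple's code): a model of the tamper-resistant boot
checks described above. Names, constants and algorithms are assumptions."""
import hashlib
import hmac

# --- Set-up (done when FDE is enabled) ---------------------------------------

def derive_volume_key(fde_password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256; the page does not name the KDF.
    return hashlib.pbkdf2_hmac("sha256", fde_password.encode(), salt, 100_000)


def kernel_cache_digest(kernel_cache: bytes, volume_key: bytes) -> bytes:
    # Keyed digest: only a holder of the volume key can produce a matching one,
    # so a kernel cache swapped on the unencrypted partition fails the check
    # even though the attacker can read and rewrite that partition freely.
    return hmac.new(volume_key, kernel_cache, hashlib.sha256).digest()


# --- Boot-time check (run by the booter after firmware has verified it) ------

def verify_kernel_cache(kernel_cache: bytes, stored_digest: bytes,
                        volume_key: bytes) -> bool:
    computed = kernel_cache_digest(kernel_cache, volume_key)
    return hmac.compare_digest(computed, stored_digest)


# --- Password verifier for disabling tamper-resistant boot -------------------

TOTAL_ITERATIONS = 20_000      # assumed value
OS_ITERATIONS = 15_000         # portion done by the OS before the reboot


def _iterate(state: bytes, rounds: int) -> bytes:
    """Hash chain standing in for the patent's iterated 'encryption algorithm'."""
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
    return state


def password_verifier(password: str, system_salt: bytes) -> bytes:
    """Stored in firmware NVRAM for each user allowed to disable the feature."""
    return _iterate(system_salt + password.encode(), TOTAL_ITERATIONS)


def os_partial_proof(request_password: str, system_salt: bytes) -> bytes:
    """OS side: first portion of the iterations, handed to firmware across a reboot."""
    return _iterate(system_salt + request_password.encode(), OS_ITERATIONS)


def firmware_complete_proof(partial_proof: bytes) -> bytes:
    """Firmware side, after reboot: finish the remaining iterations."""
    return _iterate(partial_proof, TOTAL_ITERATIONS - OS_ITERATIONS)


def firmware_disable_allowed(partial_proof: bytes, verifier_db: dict,
                             user: str) -> bool:
    """Disable only if the completed proof matches the stored verifier for `user`."""
    verifier = verifier_db.get(user)
    if verifier is None:
        return False                     # user not on the authorised list
    return hmac.compare_digest(firmware_complete_proof(partial_proof), verifier)
```

Because the partial proof carries only the first portion of the chain, the firmware must finish the remaining iterations itself before comparing; a proof computed over a different password, or a request from a user with no stored verifier, fails. The kernel cache check is only meaningful if the booter running it was itself verified by firmware, which is the chain of trust the text describes.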
Apple's patent FIG. 13 illustrates establishing full disk encryption and patent FIG. 14 illustrates an exemplary method embodiment for establishing full disk encryption.
For more details on this security patent, see application 10120185683. Apple's patent application was originally filed in Q1 2011 by inventors Ivan Krstic and Joel Even.
A third security patent application was published today under the number 20120185872 titled "Methods for Managing Authority Designation of Graphical User Interfaces." A fourth security patent application was discovered later this morning under application number 20120185700 titled "System and Method for Supporting Just in Time (JIT) with Randomly Allocating Memory Changes."
Today's Continuation Patents
In addition to the two security patent applications presented in today's report, the US Patent and Trademark Office did publish a series of older continuation patents dating back to between 2006 and 2009. The continuation patents that we list below are specifically referenced as such under the section titled "Cross-Reference to Related Applications." Generally speaking, continuation patents represent tweaks made to patent claims in an effort to get the patents granted by the USPTO and don't represent any noteworthy new development from the original patent filing. Here are today's continuation patents should you wish to review them:
Patently Apple presents a detailed summary of patent applications with associated graphics for journalistic news purposes as each such patent application is revealed by the U.S. Patent & Trademark Office. Readers are cautioned that the full text of any patent application should be read in its entirety for full and accurate details. Revelations found in patent applications shouldn't be interpreted as rumor or fast-tracked according to rumor timetables.