KR101934601B1 - Secure device data records - Google Patents

Abstract

Secure Device Data Records (DDR) are provided. In some embodiments, a system for secure DDRs includes a processor of a wireless communication device for wireless communication using a wireless network, and a memory coupled to the processor and configured to provide instructions to the processor, And the security enforcement environment comprises: monitoring the service usage of the wireless communication device using the wireless network; And to generate a plurality of device data records of the monitored service usage of the wireless communication device using the wireless network, wherein each device data record is associated with a unique sequence sequence identifier. In some embodiments, the secure execution environment is located in an application processor, in a modem processor, and / or in a subscriber identity module (SIM).

Description

Security Device Data Recording {SECURE DEVICE DATA RECORDS}

The present invention relates to secure device data recording.

With the advent of mass market digital communications and content distribution, many access networks, such as wireless networks, cable networks and digital subscriber line (DSL) networks, are burdened with user capacity, such as Evolution-Data Optimized (EVDO) (HSPA), Long Term Evolution (LTE), Worldwide Interoperability for Microwave Access (WiMax), and Wi-Fi (Wireless Fidelity) wireless networks. Although the wireless network capacity is increasing with new higher capacity wireless radio access technologies such as multiple input / output (MIMO) and more frequency spectrum is used in the future, this capacity increase is more than necessary to meet the growing digital networking demand I will write.

Similarly, although wireline access networks, such as cable and DSL, may have a higher average capacity per user, wireline user service consumption habits are very likely to consume the available capacity quickly and degrade the overall network service experience Trend toward high bandwidth applications. This trend will also negatively impact service provider revenues as some components of service provider costs rise with increasing bandwidth.

The present invention can be implemented in a variety of ways, including processes; Device; system; Composition of matter; A computer program product configured on a computer readable storage medium; And / or a processor, such as a processor, configured to execute instructions stored and / or provided by memory coupled to the processor. In this specification, any other forms that these implementations or inventions may take may be referred to as techniques. In general, the order of the steps of the described process may vary within the scope of the invention. Unless otherwise stated, components such as a processor or memory, which are described as being configured to perform the task, may be implemented as a general component or a component that is constructed to perform the task temporarily configured to perform a task at a given time . As used herein, the term " processor " refers to one or more devices, circuits, and / or processing cores configured to process data, such as computer program instructions.

Various embodiments of the present invention are described in the following detailed description and the accompanying drawings.
1 illustrates a high-level diagram of an advanced wireless service platform end-to-end DDR reporting and processing system in accordance with some embodiments.
Figure 2 illustrates a process for booting, executing and updating DDR firmware in accordance with some embodiments.
Figure 3 illustrates an architecture for a secure embedded DDR processor in an APU implementation in accordance with some embodiments.
Figure 4 illustrates another architecture for a secure embedded DDR processor in an APU implementation with a modem bus driver in accordance with some embodiments.
Figure 5 illustrates another architecture for a secure embedded DDR processor in an APU implementation with a modem bus driver in accordance with some embodiments.
6 illustrates an architecture for a secure embedded DDR processor in an MPU implementation in accordance with some embodiments.
Figure 7 illustrates another architecture for a secure embedded DDR processor in an MPU implementation in accordance with some embodiments.
8 illustrates an architecture for a secure embedded DDR processor in an APU and a data path security verifier (DPSV) in an MPU implementation in accordance with some embodiments.
9 illustrates an architecture for a secure embedded DDR processor in a subscriber identity module (SIM) and a data path security verifier (DPSV) in an MPU implementation according to some embodiments.
10 illustrates another architecture for a secure embedded DDR processor in a Subscriber Identity Module (SIM) according to some embodiments and a data path security verifier (DPSV) in an MPU implementation.
Figure 11 illustrates another architecture for a secure embedded DDR processor in a Subscriber Identity Module (SIM) and a data path security verifier (DPSV) in an MPU implementation in accordance with some embodiments.
12 shows a flowchart of a secure boot sequence in accordance with some embodiments.
FIG. 13 illustrates a functional diagram for passing DDR Service Processor mailbox messages between secure and non-secure memory areas according to some embodiments.
Figure 14 illustrates a flow diagram for DDR processor service controller session authentication and verification according to some embodiments.
15 shows a flow diagram for secure device data records for implementing a Device Supported Services (DAS) in accordance with some embodiments.
16 illustrates an advanced wireless service platform end-to-end DDR reporting and processing system in accordance with some embodiments.

The detailed description of one or more embodiments of the invention is provided below with the accompanying drawings, which illustrate the principles of the invention. While the invention will be described in conjunction with such embodiments, the invention is not limited to any embodiment. The scope of the invention is to be limited only by the claims and the invention includes many alternatives, modifications and equivalents. Numerous specific details are set forth in the following description to provide a thorough understanding of the present invention. These details are provided for the purposes of illustration and the invention may be practiced in accordance with the claims, without any or all of these specific details. For clarity, technical data known in the art relating to the invention are not described in detail in order not to unnecessarily obscure the invention.

In some embodiments, secure device data records (DDR) are provided. In some embodiments, secure DDRs for device-supported services are provided. In some embodiments, secure DDRs for device-supported services may be used to monitor service usage of a wireless communication device (e.g., based on a source address, a port address, a destination address, a destination port, Based monitoring of the use of network services). In some embodiments, the secure DDRs for device-aided services may be used for monitoring the service usage of the ports of the wireless communication device (e.g., source address, port address, destination Based monitoring of the use of network services, such as those based on a 5-tuple of addresses, destination ports and protocols. In some embodiments, the system for secure DDRs comprises: a processor of a wireless communication device for wireless communication using a wireless network, wherein the processor is configured as a secure execution environment and the secure execution environment comprises a wireless communication device service Monitoring usage; A processor configured to generate a plurality of device data records of a monitored service usage of a wireless communication device using a wireless network, wherein each device data record is associated with a unique sequence sequence identifier; And a memory coupled to the processor and configured to provide instructions to the processor. In some embodiments, the system for secure DDRs comprises: a processor of a wireless communication device for wireless communication using a wireless network, wherein the processor is configured with a security execution environment, the security execution environment comprising: a wide area wireless network , 2G, 3G, 4G, etc.), WiFi network or connection, USB network or connection, Ethernet network or connection, Firewire connection, Bluetooth connection, NFC connection or other I / And to monitor service usage of the wireless communication device using one or more of the networks and I / O connections for devices not limited to them; A plurality of device data records of a monitored service usage of a wireless communication device using a wireless network, each device data record being associated with a unique sequence sequence identifier; And a memory coupled to the processor and configured to provide instructions to the processor. In some embodiments, a secure execution environment including a secure DDR processor is located in an application processor, a modem processor and / or a subscriber identity module (SIM).

In most of the described embodiments, the secure device data record processing system may include a wide area wireless network connection (e.g., a 2G, 3G, or 4G connection) or a wide area wireless modem (e.g., 2G, 3G, or 4G) Modem). As will be appreciated by those skilled in the art, the secure device data record processing system may include one or more additional I / O networks, connections, ports or modems (e.g., a WiFi network, connection, port or modem; , A port or modem, an Ethernet network, a connection, a port or a modem, a FireWire network, a connection, a port or a modem, a Bluetooth network, a connection, a port or a modem, a local area network (NFC) network, O connections, ports, or modems).

In some embodiments, a system for secure DDRs is a processor of a wireless communication device for wireless communication using a wireless network, wherein the processor is configured as a secure execution environment, the secure execution environment comprises a wireless network (and possibly a device One or more additional I / O connections for the wireless communication device); Each device data record being configured to generate a plurality of device data records of a monitored service usage of a wireless communication device using a wireless network (and possibly one or more additional I / O connections for the device) Wherein each device data record is one of an ordered sequence of device data records having sequential device data records that provide historical accounting of service usage for a service usage interval encompassed by each device data record associated with a secured unique sequence sequence identifier Gt ;; < / RTI > And a memory coupled to the processor and configured to provide instructions to the processor. In this way, the communication activity for the device wireless access network connection (or other I / O port communication connection) can be securely monitored and reported to the network server for further processing to determine whether the device access service policies are enforced appropriately , Or whether the malicious software in the device operating environment connects to the network (or other I / O connection or port). In some embodiments, a security implementation that includes a secure DDR processor environment is located in an application processor, a modem processor, and / or a subscriber identity module (SIM).

In some embodiments, the communication channel for communicating secure device data records to a network server for further analysis and processing includes a secure message reception feedback loop, and if the secure message feedback loop is interrupted, a device environment security error condition Detected and operated. In some embodiments, the ordered sequence of device data recording is communicated to the service controller using a signed or encrypted communication channel. In some embodiments, the service controller observes device data records to determine if it complies with a device based access network (or other I / O connections or ports) access policy. In some embodiments, the service controller also observes the integrity of the ordered sequence of device data records to determine whether device data records are tampered with or are missing. In some embodiments, if the service processor determines that the device data records are tampered with or not missing, the service controller returns a signed or encrypted device data record receive message. In some embodiments, if the service processor determines that device data records are tampered with or missing, the service controller does not return an error message or return the displayed or encrypted device data record receive message. In some embodiments, if the system for secure DDRs receives an error message from a service controller, or if it receives an error message within a period of time or within a certain number of transmitted device data records or within a predetermined amount of processed communication information (I) a device setup error message may be generated for delivery to a security manager or server, or (ii) one or more wireless network connections for a wireless communication device (Or other I / O connections or ports) are blocked or limited to a predetermined set of secure destinations. In this way, unauthorized manipulation (such as by creating a wireless network (or other I / O port) connection service usage characteristics in which the device service processor, device operating environment, device operating system or device software does not conform to expected or permitted policies A device configuration error message may be generated or a device wireless network connection (or other I / O connection connection) may be restricted or blocked. These embodiments may be useful in securing a device based network connection (or I / O control) policy and may also be useful in identifying any malicious software present in unauthorized device software or devices . In some embodiments, regulation in a wireless network connection (or other I / O connection) is sufficient to allow a connection to a limited number of network destinations or resources to allow further analysis or troubleshooting of device configuration error conditions.

Various techniques for providing a device-assisted service (DAS) are described in U.S. Application No. 2010/0192212, entitled " AUTOMATED DEVICE PROVISIONING AND ACTIVATION " filed on March 2, 2009, Filed January 27, 2010 under the title "DEVICE ASSISTED CDR CREATION, AGGREGATION, MEDIATION AND BILLING", U.S. Published Patent Application No. 12 / 380,780 (Attorney Docket Number RALEP007), U.S. Published Application No. 2010/0197266 Filed January 27, 2010, entitled " SECURITY TECHNIQUES FOR DEVICE ASSISTED SERVICES ", co-pending U.S. Patent Application No. 12 / 695,019 (Attorney Docket No. RALEP022) and U.S. Published Application No. 2010/0199325, No. 12 / 694,445 (Attorney Docket Number RALEP025).

In some embodiments, the DDR processor may be used for wireless communication devices (e.g., cellular phones, smart phones, laptops, PDAs, gaming devices, music devices, tablets, computers, (DAS) for use with wireless network services for wireless communication devices, such as a wireless network, and / or any other device having a wireless communication connection. In some embodiments, a secure DDR processor (e.g., implemented / executed in a secure execution environment) is provided. In some embodiments, the DDR processor is secured using various techniques described herein. In some embodiments, the DDR processor includes a DDR generator. In some embodiments, the DDR processor generates DDR. In some embodiments, a DDR processor reports DDRs to a network element (e.g., a service controller, DDR network storage system, and / or other network element). In some embodiments, a secure DDR processor reports DDRs to a device element / function, such as a service processor, which aggregates DDRs in reporting (e.g., or processor reports) delivered to the network element And may include other service usage and / or other information). In some embodiments, service processor reports as well as DDR are generated and forwarded to network elements. In some embodiments, the DDR processor is secured using various techniques described herein.

In some embodiments, the DDRs may be configured to support device-supported and / or device-based monitored service usage (based on various criteria such as specific time intervals and / or events) as described herein in connection with various embodiments, . In some embodiments, DDRs are reported periodically. In some embodiments, DDRs are reported based on a request from an event and / or a network element (e.g., a service controller or other network element / function). In some embodiments, the DDRs are delivered to a device service processor (e.g., or other device element / function), and the device service processor aggregates these DDRs and periodically provides service usage reports including these DDRs And provides these service usage reports based on requests and / or events. In some embodiments, each DDR includes a unique identifier (e.g., a unique sequence identifier). In some embodiments, the lost DDR may be detected using a unique identifier (e.g., the sequence count and / or time stamp information associated with each DDR may be determined using sequence count and / or timestamp information) Enable the detection of potentially suspicious service usage events, e.g., device data records that are lost, delayed, and / or harmed, and enable the response / corrective actions to be performed on suspicious service usage events Can be performed at the time of detection). In some embodiments, if the DDR is not received within a certain time interval, the access controller is activated to limit network access until the DDRs are properly generated and reported (e.g., a network element such as a service controller Sends a keep alive signal to the device to implement a timeout interval to confirm receipt of properly generated and verified DDRs from the device and if the keepalive signal is not received within a certain time interval, Based secured connection controller may implement limited network access control functionality).

In some embodiments, a DDR network storage system is provided as described herein in connection with various embodiments. In some embodiments, the DDR network storage system and other devices, such as DDR tuning functions (e.g., DDR records and / or DDR reports or CDR, micro CDR, and / or IPDR or other service usage reports, ≪ / RTI > and / or coordinating network-based service usage reports). In some embodiments, the network-based coordination function coordinates DDRs (e.g., aggregated DDRs and / or DDR reports) with one or more network-based service utilization metrics. In some embodiments, the network-based coordination function coordinates DDRs with two or more network-based service usage metrics. In some embodiments, the network-based coordination function may include at least two of the network-based service usage metrics (e.g., CDRs, FDRs, IPDRs, and / or the like), including traffic-related events such as NBS and / or QoS and / DPI-based measures). In some embodiments, the network-based coordination function may be configured to provide service to a plurality of device-based service utilization metrics (e.g., DDRs including traffic related events, such as NBS and / or QoS, service processor reports, and / Device-based service usage metrics) to a network-based service usage metric. In some embodiments, the network-based coordination function coordinates two or more device-based service usage metrics into two or more network-based service usage metrics. In some embodiments, the network-based coordination function coordinates two or more device-based service usage metrics, where one of the device-based service usage metrics is secured (e.g., One or more of the other device-based service usage metrics are not secure (e.g., considered to be secured and / or trusted based on technologies) As reported, not fully trusted). In some embodiments, the coordination function adjusts based on various different reporting formats, such as time scale intervals, units of measure, and / or other different criteria used for different device and network based various service usage measures.

In some embodiments, a secure connection controller is provided as described herein with respect to various embodiments. In some embodiments, the DDR processor includes a secure connection controller. In some embodiments, the secure connection control ensures that the wireless communication device with the DAS will not open the network connection unless the device is properly reporting and / or reporting secure DDRs.

In some embodiments, the DDR processor includes secured network busy state (NBS) monitoring and reporting functions as described herein with respect to various embodiments. In some embodiments, the network element aggregates NBS information received from one or more wireless communication devices from the same sector and / or from various sectors near the service and uses the same network busy status rules (e.g., connection control, Charging and notification) and / or changing existing NBS rules accordingly.

In some embodiments, a secure boot sequence is provided. In some embodiments, the secure boot sequence ensures that the DDR processor is secured and appropriately generates DDRs before providing open network access control to the wireless communication device. In some embodiments, the secure boot sequence includes using a secure connection controller to limit network connections until the secure boot sequence is complete. In some embodiments, the secure boot sequence includes identifying the DDR ACK and the received frames.

In some embodiments, a processor of a wireless communication device for wireless communication using a wireless network is provided, wherein the processor is configured with a security software or firmware instruction execution environment, wherein the program in the security software or firmware instruction execution environment comprises: Monitoring service usage of the wireless communication device using the wireless communication device; Wherein the device data records are secure device data records for use of a monitored service and each device data record is configured to generate a plurality of device data records (DRRs) for a monitored service usage of a wireless communication device using a wireless network, Wherein each device data record forms part of an ordered sequence of device data records having each sequential device data record providing a history of service usage for a service usage interval covered by the data record, Associated with the sequence identifier.

In some embodiments, the sequence of device data records makes a report that is contiguous and uninterrupted for device service usage while the device is active in the network. In some embodiments, the security software or firmware instruction execution environment is located and configured such that the network can be accessed only through the data path monitored by the program in the security software or firmware instruction execution environment. In some embodiments, the security software or firmware instruction execution environment is located in a modem processor (e.g., MPU). In some embodiments, the security software or firmware instruction execution environment is located in an application processor (e.g., an APU). In some embodiments, the security software or firmware instruction execution environment is located in a subscriber identity module (SIM) (e.g., a SIM card). In some embodiments, the security software or firmware instruction execution environment is located in a combination of APU, MPU, and / or SIM

In some embodiments, device data records are secured using various encryption techniques described herein, such as using one or more of encryption, digital signature, and integrity check.

In some embodiments, a DDR processor located in a secure execution environment is configured to communicate a sequence of device data records to a device data record store function, such as in a network element (e.g., a service controller) In combination with the identifier, the plurality of secure device data records provide traceability for identifying whether one or more usage records are tampered with or missing from the sequence of data records transmitted to the storage function. In some embodiments, the unique sequence identifier comprises one or more of the following: a sequence count, a time stamp, a start time indicator, a stop time indicator, Time interval identifier and the total usage count at the beginning or end of the recording, the reference time, or the elapsed time from the beginning or end of the recording.

In some embodiments, the creation of a new device data record is determined by one or more of the following: a predetermined time, an elapsed period, an elapsed period since the last report, a maximum limit of elapsed time since the last report, Usage, amount of data usage after one or more aspects of the end report, maximum limit for one or more aspects of data usage since the last report, request to generate DDR, maximum amount of memory or storage media required to contain or process DDR information before transmission Device power on or power off, modem or device subsystem power on or off, modem or device subsystem power state entry or exit, device or device subsystem authentication to a network element or server, or one or more service usage activities Or service history Detected events triggered by unauthorized tampering or detection of fraudulent events or by transition to new network busy status and / or QoS traffic events.

In some embodiments, a DDR processor, service processor, or other device-based element / function transmits DDRs based on one or more of the following: increased maximum time, increased maximum service usage, polling from service processor and / Or polling from the service controller. In some embodiments, the maximum time increase in the DDR transmission is set to ensure that the service being seized once service controller authentication is established is minimized or eliminated. In some embodiments, at least some of the limited set of network service activities may be handled by a service controller or other network element that is required to operate the device ' s network connectivity capabilities once the service controller authenticates with the service processor and follows proper operation of the secure DDR generator Lt; / RTI > In some embodiments, at least a portion of the limited set of network service activities includes a connection to a minimum set of roaming network service activities necessary to initiate a roaming network process to authenticate a connection privilege for the device. In some embodiments, at least a portion of the limited set of network service activities includes a connection to a minimum set of roaming network service activities necessary to initiate a corporate network process to authenticate a connection privilege to the device. In some embodiments, at least a portion of the limited set of network service activities includes a connection to a minimum set of roaming network service activities necessary to initiate an MVNO network process to authenticate connection privileges for the device. In some embodiments, at least a portion of a more liberal set of service activities is available to connect to at least a subset of the services available in the roaming network. In some embodiments, at least a portion of a more liberal set of service activities is available to access at least a subset of the services available in the MVNO network. In some embodiments, at least some of the more liberal set of service activities is available for accessing at least a subset of the services available in the corporate network.

In some embodiments, the device data recording service usage information comprises one or more of the following measurements: voice services (e.g., VOIP) usage logs; Text service usage records; Data network service usage records; Data network flow data records; Data network general purpose, full or collective service usage records; Use of services that are at least partially classified by fabric destination; Service usage records classified at least in part by three-layer network communication information such as an IP address or an ATM address; Use of services that are at least partially classified by 4-layer network communication information, such as IP address and port combinations; Data network service usage records comparable to network based flow data records such as network based FDR, CDR or IPDR; Use of services at least partially classified by time of day; Use of services that are at least partially classified by geographic location; Use of services that are at least partially classified by the active network service of the device; Use of services that are at least partially classified by the roaming network connected to the device; Use of services that are at least partially classified by network busy status or network congestion; Use of services at least partially classified by QoS; Service usage records that are at least partially classified by seven-layer network communication information such as a server name, a domain name, a URL, a referrer host, or application service flow information; Use of services that are at least partially classified by network communication protocols such as TCP, UDP, DNS, SMTP, IMAP, POP, FTP, HTTP, HTML, and VOIP; A service that is at least partially classified by the application name or application identifier granted by the operating system or by another application identifier unique to the application acquisition or request service (e.g., a device user identifier, such as an Android user ID on an Android-based device) use; And use of services that are at least partially classified by service activity.

In some embodiments, a DDR processor located in a secure execution environment is configured to transmit device data records to a network element (e.g., a storage function located on a network). In some embodiments, a DDR processor located in a secure execution environment is configured to provide a secure communication channel between a security software or firmware instruction execution environment and a storage function (e.g., a network element such as a service controller) located in the network , And the communication channel security protocol is configured to prevent unauthorized operation of secure device data records (DDRs). In some embodiments, a DDR processor located in a secure execution environment is configured to perform an authentication sequence or process with a network element (e.g., a service controller), wherein the secure device data write sequence initiation message includes an authentication protocol replacement sequence It is sent to the following network destination to authenticate the network element before sending the security data records.

In some embodiments, a DDR processor located in a secure execution environment is configured to: send a device data write sequence (e.g., via a secure channel) to a network element; A secure access controller implementation for network access restriction to a predetermined subset of available network destinations; Receiving a security message from a trusted network element (e.g., from a network element directly or from a network element to a DDR processor in a secure execution environment); If an acknowledged (e.g., appropriately secured and configured) message is received that acknowledges receipt of one or more secure device data records or acknowledges the access network authentication sequence, then the secure connection controller may send an unrestricted or less Allow limited access; If acknowledging receipt of the one or more secure device data records or acknowledging the access network authentication sequence is not received, acknowledgment of receipt of one or more secure device data records or acknowledgment of the access network authentication sequence is received The secure connection controller limits access to the network destination or a predetermined set of functions.

In some embodiments, a DDR processor located in a secure execution environment is configured with an access controller that restricts access to a network destination or a predetermined set of functions, if the predetermined maximum amount of time is less than one Or the time at which the first message acknowledgment of the authentication sequence is received by the DDR processor in the secure execution environment and the second message acknowledgment of the at least one secure device data records or authentication sequence is received by the DDR processor in the secure execution environment Between the time being; Or between the time at which one or more secure device data records are transmitted by the DDR processor in the secure execution environment and the time at which one or more secure device data records or message recognition receipt of the authentication sequence is received by the DDR processor in the secure execution environment Restrict access if it passes; Otherwise the access controller allows unrestricted or less restrictive connections to the network.

In some embodiments, the DDR processor located in the secure execution environment is configured to forward the device data record to the device data record store function located on the network by first sending the device data record to the second program function located on the device , Transfers the device data record to the second program function located on the device, and then transfers it to the device data record storage function located in the network. In some embodiments, the DDR processor located in the secure execution environment is configured to provide a second service usage reporting sequence in addition to the secure device data writing sequence. In some embodiments, another client function / element (e.g., service processor function / element or agent) is configured to provide a second service usage report sequence in addition to the secure device data write sequence . In some embodiments, the second service usage report sequence includes a service usage classification that is at least partially different from the secure device data records. In some embodiments, the difference between the device data usage classifications includes at least in part a record that includes one or more of the following: application information, 7th layer network information, service flow related information, user defined input information, Busy status information, active network information, or other information not included in other records.

In some embodiments, a DDR processor located in a secure execution environment is configured to transmit a device data write sequence and a second device data write sequence in a manner that allows for simplified adjustment of two writes. In some embodiments, a DDR processor located in a secure execution environment may include an approximate alignment of measurement interval start and stop times encompassed by one or more second service usage reports, and a measurement encompassed by one or more secure device data records And to provide a second service usage report sequence in a manner that provides a duration.

In some embodiments, the DDR processor located in the secure execution environment is configured to: generate and record a characterization of the network performance based on monitoring the service usage of the wireless communication device using the wireless communication network; Analyzing a characterization evaluation of the network performance and reducing the performance characterization evaluation to one or more network performance statistics summarizing the performance level or congestion level of the network undergoing the device; Generate a plurality of network performance report messages including a sequence of network performance statistics generated at different times; Wherein the network performance report messages are secured network performance reports; And to send secure network performance reports to a storage function located in the network.

In some embodiments, each wireless device is configured as a device data record store and processing function for wireless communication over a wireless network in a wireless communication with a plurality of wireless communication devices including a secure device data record generator, as, Wherein the processor of the network device further provides: separate security communication channels between each of the plurality of secure device data write processors and the network device, wherein the communications channel security protocol is configured to allow unauthorized tampering of the device data records to be detected Being; Receiving a plurality of device data records from each of the secure device data write processors over a secure communication channel, wherein the plurality of secure device data records are service usage records for the monitored service usage of the wireless communication device using the wireless network, Device data recording forms part of an ordered sequence of device data records with each sequential device data record providing uninterrupted historical reporting of service usage over a service usage period encompassed by device data recording, The sequence forms a close and uninterrupted report of the use of the device service, and each device data record is associated with a unique sequence order identifier; Providing a device data write storage function in which a device data write sequence for each device is stored; Analyzing the stored sequence of device data records to determine, for each device, whether the one or more device data records have been compromised by verifying that the information in the service usage record is properly configured according to the secure communication channel protocol; Determining, for each device, whether one or more device data records have been removed or blocked from the device data write sequence originally transmitted from the device by determining whether security proximity sequence identifiers for the entire sequence are all present in the sequence; And if any of the device data records have been forged, delayed, or removed, a fraud detection error flag is set for that device to limit network access, and a signal is also sent by the network device or network administrator to take further action .

In some embodiments, the secure device data records included in the device data write sequence include a secure network performance report that characterizes network performance or congestion at the time the secure device data record was created. In some embodiments, the device data write sequence is used at least in part as a record of service usage that forms an input factor in business logic or rules used to compute a service usage invoice. In some embodiments, the device data write sequence is used at least in part as a record of service usage forming an input factor in business logic or rules used to determine if one or more device access network service policies are being enforced appropriately. In some embodiments, the device data write sequence is used at least in part as a record of service usage forming an input factor in updating an end user service use notification message, a service usage notification display, or a service purchase message trigger event .

In some embodiments, the network device processor is further configured to receive a device data write sequence from a secure device data record generator, and to receive a device data write sequence from a second device program function that transfers the device data write. In some embodiments, the network device processor is further configured to receive a second service use data write sequence from the second device program function. In some embodiments, the two device data write sequences may include at least some different service usage classifications (e.g., use of classification parameters; 3/4 hierarchy and / or class hierarchy) for the same (or approximately the same or overlapping) 7 layers). In some embodiments, the network device processor is also configured to compare two data writing sequences and to determine whether the two sequences of service usage reports match each other within an allowable tolerance limit.

In some embodiments, the secure device data record (s) may include 5-tuple classification information (e.g., source address, port address, destination address, destination port, and destination address) received from the service processor included in the DDR report (E.g., domain name, application identifier, HTTP information, association classifications, and / or other information described herein) along with corresponding seven-tier classification information (e.g., May be sent to a service controller (e.g., or other network element) to assist in service usage coordination and / or verification, using various techniques. In some embodiments, one or more of the service usage reconciliation and / or verification operations using the 7-tier classification information and the 5-tuple classification information is performed near the client (e.g., in the secure execution area). In some embodiments, one or more of the service usage reconciliation and / or verification operations using the 7-tier classification information and the 5-tuple classification information is performed near the client (e.g., in the secure execution domain) One or more of the service usage adjustment and / or verification operations using the information and the 5-tuple classification information is performed in the network (e.g., in one or more network elements, such as a service controller).

In some embodiments, a portion of the verification criteria is to determine whether the two sequences of service utilization reports are consistent with reported network performance levels or network congestion levels. In some embodiments, the tolerance limit is based on total data usage over a usage period covered by two data recording sequences.

In some embodiments, the network device processor is further configured to identify an amount of service usage for one or more classification categories in a second service usage recording sequence that can be coordinated with service usage for one or more classification categories in the secure device data writing sequence do. In some embodiments, the criteria in the classification category adjustment include determining whether two sequences of service usage reports are consistent in reported network performance levels or network congestion levels.

In some embodiments, the network device processor is also configured to identify an amount of service usage from a second service usage record sequence that can not be reconciled with a known service usage classification in the secure device data writing sequence. In some embodiments, the criteria in the classification category adjustment include determining whether two sequences of service usage reports are consistent in reported network performance levels or network congestion levels.

In some embodiments, the minimum tolerance limit is a quantity of service usage for one or more classification categories in a second service usage recording sequence that may be consistent with or associated with one or more classification categories in the secure device data recording sequence, It is based on percentages. In some embodiments, a fraud detection error flag is set for the device to limit network access when the minimum tolerance limit is not met, and the network device or network manager also sends a signal to take further action.

In some embodiments, the maximum tolerance limit may be determined based on the amount of service usage, the relative amount or percentage of service usage for one or more classification categories in the second service use recording sequence that can not be matched or associated with one or more classification categories in the secure device data recording sequence . In some embodiments, when the maximum tolerance limit is exceeded, a fraud detection error flag is set for the device to limit network access and the network devices or network manager sends a signal to take further action.

In some embodiments, the network device processor is further configured to determine whether a service usage report encompassed by the secure device data write sequence is within predetermined tolerance limits with one or more device service usage enforcement policies intended to be prepared do. In some embodiments, if the tolerance limits are exceeded, the fraud detection error flag for the device is set to limit network access and the network device or network manager sends a signal to take further action. In some embodiments, the network device processor is configured to determine whether a service usage report encompassed by the second device service usage report sequence matches within one or more device service usage enforcement policies intended to be prepared within certain tolerance limits Respectively. In some embodiments, if the tolerance limits are exceeded, the fraud detection error flag for the device is set to limit network access and the network device or network manager sends a signal to take further action.

In some embodiments, the network device processor is also configured to provide one or more security messages to each of the multi-device programs operating in the security software or firmware instruction execution environment, wherein the security messages include receiving one or more secure device data records Or acknowledge the access network authentication sequence. In some embodiments, the network device processor is configured to perform, for each device, an unrestricted or less restrictive network connection for a specified or predetermined period of time in a message from a network device processor to a program operating in a security software or firmware command execution environment To send a series of security messages directing or implicitly issuing commands to programs operating in the security software or firmware command execution environment to permit the security software or firmware command execution environment. In some embodiments, the network device processor is configured to send, for each device, a security message instructing a program operating in the security software or firmware command execution environment to limit network access to a network destination or a predetermined set of functions Respectively.

In some embodiments, secure network busy status (NBS) monitoring and reporting is provided. In some embodiments, secure NBS monitoring and reporting facilitates NBS billing and control enforcement. In some embodiments, a processor of a wireless communication device for wireless communication using a wireless network is comprised of a security software or firmware instruction execution environment, and the DDR processor in a secure execution environment comprises: ≪ / RTI > Generate and record a characterization of network performance based on monitoring of service usage of the wireless communication device over the wireless communication network; Analyzing a characterization of the network performance and reducing the performance characteristic rating to one or more network performance statistics that provide an indication of the performance level or congestion level of the network the device is experiencing; Generate a plurality of network performance report messages including a sequence of network performance statistics generated at different times; The network performance report message is a secure network performance report; And to send secure network performance reports to a storage function located in the network.

In some embodiments, the measure of network busy status or network congestion is formed by observing one or more of the following: a number of network connection attempts, a number of connection successes, a number of connection failures, a delay between a connection attempt and a connection success ), Network throughput data rate, data error rate, packet error rate, packet repetition rate, one-way or bi-directional delay, one-way or two-way delay jitter, TCP traffic back off parameter, TCP window parameter , Modem channel quality, modem channel power, modem channel signal-to-noise ratio, modem over the air data rate, or network throughput data rate versus modem OTA data rate, and the subnetwork of the network to which the device is connected.

In some embodiments, the measure of service use comes from observing network traffic generated by the use of a device user's service. In some embodiments, the measure of service use is: communicating one or more network traffic sequences between the device and the network function; And a subset of service usage monitoring that includes a network traffic sequence to generate and record a characterization of network performance.

In some embodiments, each wireless device is configured as a device security network performance record store and processing function for wireless communication over a wireless network in a wireless communication via a plurality of wireless communication devices including a secure network performance record generator The processor of the device: providing a separate secure communication channel between each of the plurality of secure network performance record generators and the network device, wherein the communication channel security protocol is configured such that unauthorized tampering of the secure network performance record can be detected; Receiving a plurality of secure network performance records from each of the secure network performance record generators over a secure communication channel, wherein the plurality of secure network performance records are network performance statistics providing an indication of the level of performance or congestion level of the network experienced by the device ; Providing a device security network performance recording function in which a secure network performance recording sequence for each device is stored; Analyzing security network performance records received from a plurality of devices connected to the same subnetwork to determine a subnetwork of the network to which each device is connected and to evaluate an overall characteristic evaluation of the performance level or congestion level for the subnetwork, Performing the same operation to determine an overall characteristic evaluation of a performance level or a congestion level for other subnetworks connected to the network; Store the results of the overall characterization of the performance level or congestion level for each sub-network that has been characterized, and make stored results available to other network devices or functions; And if any of the device data records have been forged, delayed, or removed, set a fraud detection error flag for that device to restrict network access and also signal the network device or network administrator to take further action .

In some embodiments, a network performance characterization system is provided. In some embodiments, the network performance characterization system comprises a processor of a wireless communication device for wireless communication over a wireless network, wherein the processor is configured with security software or a firmware command execution environment, In the environment, the program: communicates a plurality of traffic sequences between the device and the network device, wherein the traffic sequences are secured; And initiate each traffic sequence based on one or more of the following: a predetermined time or time interval, a service usage event or service usage condition that occurs in response to a message that occurs in the device and is delivered from the network device; And a processor (e. G., A DDR processor) of a network device that communicates securely with the program in a secure execution environment, comprising: monitoring a plurality of secure traffic sequences between the service use of the wireless communication device using the wireless network; Using the monitoring results of the secure traffic sequences to generate and record a characterization of network performance; Analyzing a characterization of the network performance and reducing its performance characterization to one or more network performance statistics that provide an indication of the level of performance or congestion level of the network the device is experiencing; And generate a plurality of network performance reports comprising a sequence of network performance statistics generated at different times; Here, the network performance reports are stored in the network performance report storage function; And the network performance report storage function is made available to other network devices or functions.

In some embodiments, DDRs apply to one or more of the following activities: service billing, service control, and / or access control; Service usage measurements (e.g., fraud resistance and scalable device measurements of service use); Validation of monitored service usage; Verify that service usage control policies are properly implemented on the device; And source of performance monitoring and / or measurement.

In some embodiments, DDRs are based on a set time interval; Based on a set usage size (e.g., a buffer size limit or a predefined size limit or other criteria for the device); When modem resources reach a predefined threshold (e.g., a usage threshold, such as an out-of-memory or access to memory usage limit); In response to a request from a service processor executing in an application processor of the wireless communication device; In response to a request from a service controller (e.g., directly or indirectly through the service processor running on the application / general purpose processor of the wireless communication device) to the network element.

In some embodiments, the coordination process is provided to coordinate service processor usage reports for a plurality of device data records and monitored wireless communication devices to verify reported service usage for each of the monitored wireless communication devices , Device data records received from each of the plurality of monitored wireless communication devices, and device data records for each predefined time interval, or for each received service processor usage report and associated device data records Adjustment of service processor usage reports based on a comparison or based on a predefined amount of service usage volume / population usage, based on predefined time intervals, or based on service policy verification settings; Verifying that the monitored wireless communication device has not been tampered with or tampered with (e.g., a discrepancy that has crossed the tolerance between missing, changed, delayed and / or unadjusted DDRs or received micro CDRs and DDRs); Verifying that the service usage of the monitored wireless communication device complies with the relevant service policy and / or service plan; Verifying that the monitored wireless communication device has properly implemented the traffic control policy of the associated service policy / service plan for a period of time (e.g., QoS, NBS, throttling); For each of the monitored wireless communication devices, verifying the accuracy of the received service usage metric using the received plurality of device data records and service processor usage reports; And adjustment using tolerance limits. In some embodiments, the tolerance limit (e.g., fixed amount, percent based) describes the deviation between the received device data records and the service processor usage reports during the synchronized monitored time period, The tolerance set for the service provider setting tolerance, the unclassified service usage in the received device data records and / or the coordination process for service usage that can not be associated with known service activities, Redirected service usage activities and / or other possible differences and / or variations.

In some embodiments, the coordination engine performs one or more of the following: one or more patterns describing synchronization errors or traffic classification errors due to time lapse (e.g., training period, periodic improvement using heuristics) judgment; Determining whether received device data records are properly associated within policy service usage activities (e.g., reverse DNS lookup, whitelist, web crawler); Performs classification operations similar to those of the service processor classification (for example, the seven-layer service use activity classification as reported in the micro CDR / uCDR) for a plurality of received device data records, Grouping the use of records into service usage activity classes used by the service processor; Determining a percentage of each service usage activity that can be verified by determining service usage metrics of service processor usage reports for each service activity classification and then classifying service usage metrics of received device data records; For example, implementation of adaptive peripherals for coordination using threshold-based comparison techniques with the use of DDRs and reverse DNS for packet classification, and then host-sponsored services versus ALL whitelist host names, host-sponsored services versus all known Perform a comparison (with an acceptable error percentage) and identify possible fraud scenarios, using a percentage of the allowed use for host name, host-sponsored service-to-synchronization fault tolerance; Perform coordination on one or more of the following classified services: Supported services, user (eg, open access) services, carrier services, network protection services that are part of the service plan classification definition Services that can be classified as background and thus can be delayed to protect network bandwidth / resources for foreground / high priority services); And third service usage metrics (e.g., network-based CDRs, FDRs, and / or IPDRs). In some embodiments, the secure device data record (s) may include 5-tuple classification information (e.g., source address, port address, destination address, destination port, and destination address) received from the service processor included in the DDR report (E.g., domain name, application identifier, HTTP information, association classifications, and / or other information described herein) along with corresponding seven-tier classification information (e.g., May be sent to a service controller (e.g., or other network element) to assist in service usage coordination and / or verification, using various techniques.

In some embodiments, the DDRs include one or more of a source address, a port address, a destination address, a destination port, and a 5-tuple classification information and a byte count including a protocol (e.g., inbound and outbound) The limitations describe one or more of the following: information that is classified by the service processor (e.g., application information, association (s)) with the benefit of measurement differences, time synchronization differences, and / or information not available in the DDR processor classifier Information, simple classification implementations / algorithms in DDR processors, etc.). In some embodiments, the service processor usage reports include 7-layer monitored service usage information (e.g., domain name, application identifier, HTTP information, association classification, and / Other information described), and only a percentage of the received device data records are identified as traffic associated with the service usage activity, and for each service usage activity, for each unclassified traffic varied by activity (E.g., " closed " for a very wide variety of CNNs), the sum of all unclassified permissions does not exceed the total unclassified received device data records information, To relax the tolerance for the second time interval and to tighten the tolerance for the second time interval, It is longer than the first time interval. In some embodiments, the secure device data record (s) may include 5-tuple classification information (e.g., source address, port address, destination address, destination port, and destination address) received from the service processor included in the DDR report (E.g., domain name, application identifier, HTTP information, association classifications, and / or other information described herein) along with corresponding seven-tier classification information (e.g., May be sent to a service controller (e.g., or other network element) to assist in service usage coordination and / or verification, using various techniques.

Advanced Wireless Services Platform ( AWSP )

In some embodiments, an Advanced Wireless Services Platform (AWSP) is provided. As described herein with respect to various embodiments, in some embodiments, the AWSP provides an improved networking technology platform that supports existing services and also provides a wireless network (e.g., a 4G, 3G and / or 2G network Enabling a variety of new Internet and data service capacities. As described herein with respect to various embodiments, in some embodiments, a wireless device, processor (s), firmware (e. G., As described herein with respect to various embodiments) DDR firmware) and software provide an improved role for billing, access control and service notification in wireless network service policies.

As described herein with respect to various embodiments, in some embodiments, the AWSP supports a wide range of services, devices, and applications for the consumer, enterprise, and machine to machine markets. In some embodiments, AWSP supports a variety of device types, including 4G and 3G smartphones, 4G and 3G feature phones, 4G and 3G USB dongles and cards, 4G-to-WiFi and 3G to-WiFi bridge devices, 4G and 3G notebook and netbook computer devices, 4G and 3G slate computer devices, 4G and 3G consumer devices (e.g., cameras, personal navigation devices, music players, Various types of consumer and industrial devices with minimal user interface (UI) capacity, such as geo-location tracking devices, parking bill collectors, and vending machines.

In some embodiments, the AWSP includes a device data record (DDR) processor. In some embodiments, the DDR processor may be an AWSP compliant processor (e.g., a processor or a set of AWSP certified and / or certified processors that are compatible with the ASWP, support ASWP, e.g., through a wireless carrier AWSP chipset authentication program) Lt; RTI ID = 0.0 > hardware < / RTI > execution environment. As described herein with respect to various embodiments, in some embodiments, the AWSP compliant processor is authenticated such that the processor has the appropriate service delivery qualification on the AWSP.

In some embodiments, a DDR Firmware Developer ' kit (DDR FDK) is provided. In some embodiments, the DDR FDK may include firmware code (eg written in C), detailed DDR processor specifications, detailed chipset security implementation environment (SEE) specifications, DDR processor chipset test criteria, and DDR processor chipset authentication procedures . For example, an approved chipset partner may integrate DDR firmware into a Chipset Certification Device (CCD) for approved or certified processor (s) (e.g., a chipset approved or authorized under the AWSP chipset certification program) . In some embodiments, the CCD includes an approved Chipset Partner Chipset Board Support Package (BSP) for a smartphone / feature phone device that includes chipsets submitted to the AWSP chipset authentication program. In some embodiments, the CCD includes a smartphone / feature phone device that includes an approved chipset partner chipset submitted to an AWSP chipset authentication program. In some embodiments, various operating systems (OS) are supported (e.g., Linux, Android, Apple, Microsoft, Palm / HP, Symbian, and / or various other operating systems and / or platforms).

In some embodiments, the improved functionality includes the integration of a service processor (SP) kernel program and an application. In some embodiments, in addition to the DDR firmware, a service processor software development tool (SP SDK) is provided. In some embodiments, as described herein with respect to various embodiments, the SP SDK includes software and detailed information for integrating the SP SDK kernel program and application software into the device OEM. In some embodiments, the approved chipset partner CCD may be coupled to a wireless carrier's 3G (EVDO / UMTS) network or wireless communication using a mutually acceptable WWAN wireless modem chipset certified for operation on a wireless carrier's network Lt; RTI ID = 0.0 > LTE < / RTI >

DDR  Processor overview

In some embodiments, the DDR processor is implemented within security firmware embedded in either an application processor unit (APU) or a modem processor unit (MPU). In some embodiments, the DDR processor is provided as part of the device firmware build that is installed by the OEM at the time of manufacture. In some embodiments, the DDR processor monitors incoming and outgoing IP packets and collects various statistics (e.g., device data records (DDR)). In some embodiments, the DDR is, in part, a record of the amount of data being used or transmitted that is consumed along the IP flow. In some embodiments, the IP flow is specified by a source address, a destination address, a source port, a destination port, and a protocol type. In some embodiments, the service device data record includes information about the corresponding seven-layer classification information (e.g., domain name, application identifier, HTTP information, association classifications, and / or other information described herein) (E. G., Source address, port address, destination address, destination port and protocol). In some embodiments, DDRs also include other types of classifications for network service use, as described herein with respect to various embodiments. In some embodiments, DDRs also include various statistics based on or related to network service usage, as described herein with respect to various embodiments. In some embodiments, the DDRs may be configured to support 2G, 3G, and 3G in a home and roaming network conditions for various service usage history reporting, access control, and service policy enforcement verification functions, as described herein with respect to various embodiments. And 4G wireless networks.

1 illustrates a high-level diagram of an advanced wireless service platform end-to-end DDR reporting and processing system in accordance with some embodiments. In Figure 1, four DDR implementation choices are shown for securely installing a DDR processor (e.g., DDR processor firmware and / or functionality) into an APU chipset or MPU chipset. Each of these three choices is described in greater detail below and in more detail in the next section.

In some embodiments, the wireless communication device includes a DDR processor 114 in a secure execution environment. In some embodiments, the DDR processor 114 may be coupled to a DDR generator function (e.g., to another element / function of the device and / or to a network such as the service controller 122) as described herein with respect to various embodiments. Function to generate secure DDRs, which may be reported as element / function. Various architectures are provided to implement DDR processors in secure execution environments.

The device architecture 101 includes a DDR processor 114 in a data path secure area 140 (e.g., located in an application / general purpose processor unit (APU)) as shown. The application program 130 is monitored (e.g., service usage based monitoring) using the service processor application program 112. The kernel program 132 is monitored using the service processor kernel program 113. An operating system (OS) 134 is located over a network stack 136 for network connection, monitored by a DDR processor 114 for any network connection via a modem bus driver and physical bus 142 do. As shown, a 3G or 4G wireless network connection is provided via 3G or 4G modem 150 to 3G or 4G networks 104, respectively. These device architectures and similar device architectures are described in more detail below.

The device architecture 102 includes a DDR processor 114 in a data path security zone 143 (e.g., located in a Modem Processor Unit (MPU)) as shown. In the device architecture 102, the device architecture 102 is similar to the device architecture 101 except that the data path secure area 143 is located in a 3G or 4G modem 151. [ Network communication via the modem 151 and modem bus driver and physical bus 149 and modem I / O 156 is performed by a DDR processor 114 (not shown) for any network connection via modem data path and signal processing 154 ). ≪ / RTI > These device architectures and similar device architectures are described in more detail below.

The device architecture 103 includes a DDR processor 114 in a data path secure area 145 (e.g., located in an APU or other processor / memory, e.g., a SIM card) as shown. The device architecture 103 does not require the APU modem bus driver and the physical bus to be in the secure zone and instead the data path security verifier 152 is included in the data path security zone 147 in the MPU to enable the DDR processor 114 The device architecture 103 is similar to the device architecture 101 except that it restricts network connections only to traffic monitored by the device architecture 101. [ These device architectures and similar device architectures are described in more detail below.

The device architecture 103A includes a DDR processor 114 in a data path secure area 918 (e.g., located in the SIM 913) as shown. In the device architecture 103A, as in the device architecture 103, the device architecture 103A is similar to the device architectures 101 and 102 except that there are two data path security zones. The data path security zone 143 is located in the 3G or 4G modem 151 and the data path security zone 918 is located in the SIM 913. The device architecture 103A does not require the modem bus driver and the physical bus 149 to be in the secure zone and instead the data path security verifier 152 is included in the data path secure area 143 in the MPU, The network connection is limited only to the traffic monitored by the DDR processor 114 in the network 913. These device architectures and similar device architectures are described in more detail below. The device architecture 103A allows a service provider to have complete control over DDR processor functionality because the SIM is considered an industry "carrier-owned" entity in the device.

As will be appreciated by those skilled in the art, the DDR processor 114 may be embedded in the secure area of any other functional processor having a companion MPU for enforcing network connectivity. These functional processors in which the DDR processor 114 may be embedded include, for example, video processors, audio processors, display processors, location (e.g., GPS) processors and other special purpose processors , Digital signal processors (DSP), general purpose processors such as microprocessors, and the like.

In some embodiments, a service controller 122 is provided as shown. In some embodiments, the service controller 122 is provided as an AWSP network server cloud system. In some embodiments, the service controller 122 is provided as an AWSP network server cloud system that is used to perform one or more of the following: collecting device service usage reports; Managing any aspects of the device based network service policy; Network busy status (NBS) confirmation for various base stations in a network (e.g., wireless network (s)); Managing user notification and service plan selection UI processes configured in the device (s) (e.g., wireless communication device (s)); And managing any aspects of service fraud detection. In some embodiments, the service controller 122 includes secure DDR processing, use coordination and fraud detection 124 as shown. In some embodiments, the service controller 122 forwards the monitored service usage (e.g., coordinated service usage based on processed and coordinated secure DDRs) to the network service usage reporting system 180. In some embodiments, reported service usage is aggregated and delivered to network billing system 190 (e.g., for billing for reported service usage).

In some embodiments, the service controller 122 communicates with various device-based elements of the AWSP system. In some embodiments, the service controller 122 communicates with various device-based elements of the AWSP system, including the DDR processor 114 and the service processor. In some embodiments, the service processor 112 may include an application service processor 112 (e.g., an application space or a framework space program) and a kernel service processor 113 (e.g., a kernel space or a driver space program) . In some embodiments, application service processor 112 and kernel service processor 113 execute or execute in an OS partition in an application processor unit (APU) of a device (e.g., a wireless communication device). In some embodiments, the service processor is typically not in a secure execution area.

In some embodiments, the service processor may be configured to collect network busy status (NBS) information, service use classification and reporting, some network service policy enforcement functions, and / or other functions, as described herein with respect to various embodiments. / RTI > and / or any user notification function and roaming access policy enforcement function. In some embodiments, the service processor may also be configured to assist a service provider (e.g., a service provider for wireless network services or other services) in determining how to provide optimized services, information, and / Record and report device service usage information.

In some embodiments, the DDR processor 114 forwards the DDRs to the service controller 122. In some embodiments, the DDR processor 114 communicates the DDRs to the service controller 122 via the Internet, the carrier network, and / or other network rolls. In some embodiments, the DDR processor 114 does not direct the DDRs to the service controller 122, but instead the DDR processor 114 forwards the DDRs to the service processor. The service processor may now forward the DDRs to the service controller 122, in some embodiments, with additional service usage reports and / or other service policy management and user notification communications generated or received by the service processor, do.

For example, the APU OS runtime environment is generally not considered trusted or trusted even though the service processor may be protected by the OS and / or other security elements in the system. Also, the network data path between the DDR processor 114 and the service processor is not considered safe or reliable and the data path between the service processor and the service controller 122 is also the same. Thus, in some embodiments, the DDR processor 114 and the service controller 122 use cryptographic techniques to provide a secure link from the DDR processor 114 to the service controller 122. In some embodiments, the DDR processor 144 is considered to be secure and trusted based on various implementations and techniques as described herein with respect to various embodiments. In some embodiments, a variety of services for monitoring service usage and for securing control performed by the DDR processor 114 in the network data path and for securing the DDR reporting channel from the DDR processor 114 to the service controller 122 Techniques are described herein in connection with various embodiments.

In some embodiments, the secure connection controller functionality within the DDR processor 114 is employed as described below, so that if the DDR flow is tampered with or blocked, then the device network connection data path connection managed by the DDR processor 114 But only to those network destinations that are required to manage DDR processor 114 communications with the service controller 12. In some embodiments, the connection controller function in the DDR processor 114 receives feedback from the service controller 122 to limit the connection or allow full access. For example, a restricted contact list (e.g., a list of host names, IP addresses, and / or other identifiers for a contact list) may be pre-integrated within the DDR processor SEE, as described in more detail herein, Path < / RTI >

In some embodiments, DDR transmission from a secure, reliable, and trusted DDR processor 114 is provided by DDR reporting techniques including: (1) DDR processor firmware is a secure execution environment (SEE ); ≪ / RTI > (2) The data path between the DDR processor and the radio modem antenna connection (eg, 3G or 4G network modem antenna connection) is secured by a security to prevent the fraud software or firmware from forming data paths that bypass the DDR processor data path processing do; (3) the DDRs transmitted from the DDR processor 114 to the service controller 122 are integrity checked by methods that protect them from unauthorized manipulation or replay; And (4) an authentication process between the DDR processor 114 and the service controller 122 associated with the unique DDR reporting sequence identifiers and the authentication session keep-alive timers is performed between the DDR processor 114 and the service controller 122 Used to maintain and verify secure connections. For example, if the flow of DDR records between the secure session or the DDR processor 114 and the service controller 122 is interrupted, then the secure connection control function at the DDR processor 114 may be directed to the modem data path to the network destination It may be necessary to reestablish a secure authenticated session between the DDR processor 114 and the service controller 122. [

In some embodiments, the DDR processor 114 also includes a secure network busy status monitoring function (e.g., NBS monitoring) as similarly described herein in connection with various embodiments. In some embodiments, the NBS monitoring logs and reports various network and modem performance parameters and also calculates and reports a measure of network congestion referred to herein as network busy status (NBS). In some embodiments, the NBS is a measure of the level of network congestion in a given base station sector for a given measurement time interval. In some embodiments, all of this information is included in the network busy status report (NBSR), which is part of the DDR message reports sent to the service controller 122 via the service processor 112.

Secure Image Programming, Secure Boot, Secure Execution, and Security Firmware Of the update  summary

In some embodiments, the DDR processor system includes a dedicated security enforcement environment (SEE) within an application processor unit (APU) or modem chipset. In some embodiments, the SEE enables a trusted occurrence of security of the DDRs as described herein. The basic functionality of SEE according to some embodiments is described below.

In some embodiments, the SEE is a secure memory execution partition that can not be accessed by any external program, bus, or device port. In some embodiments, the secure memory execution partition includes a code space and a data space. In some embodiments, a secure boot loader runs within the SEE. In some embodiments, only the other code images allowed to run in the SEE are secure images, where the signature signifies a digitally signed image that has been verified by the secure boot loader. In some embodiments, at the time of device fabrication, the secure boot loader is programmed into non-volatile memory on an on-chip SEE. For example, a secure boot loader can retrieve a secure image from non-volatile memory and install it in SEE in a trusted and secure way. In some embodiments, the secure boot loader is the only element that can load images into the SEE.

In some embodiments, the DDR processor 114 is implemented as a secure image. The installation of a DDR processor image to SEE using a secure boot loader is described below. Other secure images may be similarly installed as will be apparent to those skilled in the art in view of embodiments as described herein.

In some embodiments, the DDR processor image is digitally signed by the device OEM. For example, the secure boot loader can verify the signature using the boot loader verification key, and reject the image if the signature is invalid. In some embodiments, the boot loader verification key is a 2048-bit RSA public key embedded within the secure boot loader image.

In some embodiments, the signed DDR processor image is stored in an on-chip non-volatile memory. In some embodiments, the signed DDR processor image is stored in off-chip nonvolatile memory (e.g., if the on-chip storage capacity of the chipset is too limited to store such images).

Figure 2 illustrates a process for booting, executing, and updating DDR firmware in accordance with some embodiments. As shown in FIG. 2, at 210, when the device boots, the secure boot loader retrieves the DDR processor image from the non-volatile memory, installs it in the SEE, and executes it. In some embodiments, during installation and before execution, the secure boot loader verifies the digital signature of the DDR processor image using the boot loader verification key. If the signature is invalid, no action is taken and the error message is sent to the service controller via the service processor, and the secure boot loader may fall back to the pre-stored image, as described herein with respect to various embodiments. .

In some embodiments, the data path from the non-secure OS stack elements to the modem (s) monitored and controlled by the DDR processor must pass through the SEE and is applicable to the DDR processor, as shown in FIG. 2 (220) . Once the dedicated OS stack data for the modem is delivered to the SEE memory, the secure DDR processor program analyzes and manipulates dedicated data for the modem as described herein with respect to various embodiments. In some embodiments, the DDR processor includes a secure data interface from the SEE to the modem data path to ensure that there is no data path that can avoid SEE (e.g., avoid detection and / or monitoring by the DDR processor) . Examples of secure execution partitions and data interface solutions include trusted APIs, ARM Trust Zone, Intel Smart & Secure or a custom solution or proprietary solution from, for example, a chipset provider for specific chipsets.

In some embodiments, a communication channel (e.g., a DDR mailbox) may include a DDR processor program execution in the SEE and a non-secure OS environment (e. G., An application space or user Space) of the service processor application program. Exemplary techniques for providing a DDR mailbox include a DMA channel, a logical channel (e.g., an endpoint) within the modem bus driver (e.g., USB interface) between the APU and the MPU, And a shared memory using a piggyback channel at the top of the channel.

In some embodiments, the DDR processor firmware image is updated, as indicated at 240 in FIG. In some embodiments, the DDR processor firmware image includes an OEM process supported by the chipset provider for OTA (over the air) and over the network update (s) of the chipset nonvolatile memory firmware image provided to the device OEM . In some embodiments, the DDR processor may be configured to perform the following functions when exiting the power save state: during an initial power-up cycle and / or at any other times when the download can be performed in a secure manner, It is stored with firmware drivers. In some embodiments, a DDR processor may be configured to store one image that is currently in operation and a newly downloaded image (e.g., each image may be a certain maximum size, such as 0.5 MB or other size limits) Volatile memory space sufficient to accommodate images. In some embodiments, the secure boot loader includes a firmware image switch for using the new image once the download is complete. For example, the image switch function may include a fallback system so that if the new image has an invalid signature or if the new image is older than the current image as indicated by the number of modifications contained within each image If it is, it will switch to the current image. The current image may be maintained until at least the new image is accepted by the secure boot loader.

DDR  Processor implementation Example  summary

The DDR processor may be implemented as a separate processor for the secure embedded DDR firmware (e.g., in the AWSP chipset) included in the APU implementation, the MPU implementation, and the APU / MPU combined implementation, as described herein in accordance with various embodiments. May be provided using configurations. Those skilled in the art will also appreciate that similar and various other secure partition configurations for providing secure embedded DDR firmware may be provided in view of the various embodiments described herein.

In some embodiments, the DDR processor is coupled to a DDR processor 114 and a modem bus driver and a physical bus 142, such as the APUs shown in the device architecture 101, implemented in the data path secure area 140, Lt; / RTI > chipset SEE and non-volatile memory, such as the implementation of the APU chipset. The DDR processor is connected directly to the 2G, 3G, or 4G modem data path directly below the modem driver data path processing function and directly above the modem bus driver data path processing function (for example, USB drivers, SDIO drivers, or similar bus driver functions in general) Lt; / RTI > For example, using this approach, the entire data path through the modem bus driver and under a DDR processor via a 2G, 3G, or 4G network modem can be secured to prevent data paths that avoid DDR processor data path processing .

In some embodiments, the DDR processor is coupled to the DDR processor 114 and to the MPUs 102 shown in the device architecture 102 in which the modem data path and signal processing 154 are implemented in the data path secure area 143, Implementation using 2G, 3G, or 4G MPU chipset SEE and integration into non-volatile memory. The DDR processor is implemented securely on the 2G, 3G, or 4G modem data path directly below the modem bus driver and logical channel interface. For example, using this approach, the entire data path under a DDR processor to a 2G, 3G, or 4G network is secured to prevent data paths that avoid DDR processor data path processing.

In some embodiments, the DDR processor may be implemented in a DDR processor 114 such that the DDR processor 114 is implemented in the data path security zone 145 and the data path security verifier 152 and modem data path and signal processing 154 are implemented as shown in FIG. As well as the integration into the APU chipset SEE and non-volatile memory, such as the APU and MPU implementations shown in the device architecture 103 implemented in the data path security zone 147. The DDR processor is securely implemented on the 2G, 3G, or 4G modem data path below the OS stack and somewhere above the modem bus driver. For example, using this approach, rather than securing the entire data path under the DDR processor through the modem bus driver and through a 2G, 3G, or 4G network modem, the data path between the DDR processor and the modem wireless network connection connection Is secured by verifying the integrity of the data streamed between the DDR processor and the Data Path Security Verifier (DPSV) 152 functions. Any data path information that is properly described and verified is not communicated to or from the wireless network connection. For example, this approach eliminates the need to secure APU firmware, hardware, and data path elements in addition to the DDR processor itself.

application On the processor  Built-in DDR  Processor implementation

In some embodiments, a DDR processor may be embedded within an application processor unit (APU) (e.g., a smartphone APU or other wireless communication device APU) to provide service access monitoring and access control to multiple wireless modems. Provides a single secure DDR processor location on the data path (e.g., a 2G / 3G / 4G wireless network data path or other device I / O connection or port). In addition, the APU implementation approach may allow APU chipset vendors that do not necessarily have WAN modem components or technologies to implement solutions that follow various AWSP technologies as described herein. In addition, the APU implementation approach generally allows OTA and OTN firmware updates for APU implementations (e.g., which may be more complex to provide in any MPU implementations) as generally described herein do. Many disclosed embodiments describe DDR APU implementations in which a DDR acts on a communication flow through one or more wide area networks, connections, or modems. As will be appreciated by those skilled in the art, APU embodiments for a secure device data record processing system may be implemented using one or more additional I / O networks, connections, ports, or modems (e.g., a WiFi network, A Bluetooth network, a connection, a port, or a modem, an Ethernet network, a connection, a port or a modem, a FireWire network, a connection, a port or a modem, , Connections, ports, or modems; or other I / O connections, ports, or modems).

Referring to the device architecture 101 as shown in FIG. 1, the DDR processor is embedded in the APU chipset SEE and non-volatile memory as described above. In conjunction with the DDR processor SEE, the secure data path environment represented by data path security section 140 includes a DDR processor 114 and a modem bus driver and physical bus 142. For example, if the physical bus to the modem and the modem bus driver are secured (e.g., if not otherwise accessible) to fraudulent software or firmware attempting to bypass the DDR processor 114, the modem itself For example, a 3G modem or 4G modem 150) need not be secured. In particular, the DDR processor 114 is located directly below the modem driver data path processing function and above the 2G, 3G, or even above the modem bus driver data path processing functions (e.g., USB drivers, SDIO drivers or similar bus driver functions in general) Or 4G modem data path. In some embodiments, the entire data path under the modem bus driver and the DDR processor 114 via the 2G, 3G, or 4G modem is secured to prevent data paths that bypass the DDR processor data path processing. In some embodiments, an I / O port (e.g., a USB driver, an SDIO driver, an Ethernet driver, a FireWire driver, a WiFi driver, a Bluetooth driver, (And may be processed to enforce the policy), as classified as being passed through the DDR processor block, or reported. Thus, in some embodiments, the modem bus driver may be secured in the DDR SEE or in its own SEE, or the modem bus driver code and data path may be accessed by software or firmware of the APU that may bypass the DDR processor 114 This should not be possible.

Figure 3 illustrates an architecture for a secure embedded DDR processor in an APU implementation in accordance with some embodiments. 3 illustrates, in accordance with some embodiments, key functional elements within an APU-based solution, where the DDR processor 114 is in the SEE of the APU with other APU security programs, and the service processor application program 112 Lt; / RTI > of the DDR processor is via a shared mailbox (e. G., Shared memory). Figure 3 also shows the interface to a non-volatile memory in which there is a secure boot code (e.g., for software download) to ensure that all security codes are the verified first digital signature before the download is considered complete. In some embodiments, the data path is a separate interface, where the data frames are sent to the secure environment for the DDR processor to perform a DDR usage metric, in addition to control of network connections that are connected and limited or unrestricted.

3, an APU may be logically partitioned into an APU chipset application program 302, an APU chipset kernel program 304, and a Security Execution Environment (SEE) represented as an APU security enforcement environment 306. The APU security enforcement environment 306 may include a network element / function (e.g., service controller 122 and / or other element (s) / service (e.g., Function (s)). In some embodiments, the secure program nonvolatile (NV) memory 340 includes OS / OEM secure device system program files 342, secure DDR processor program files 346, and APU secure device system program files 348, which may be retrieved by a secure boot loader in the APU Security Execution Environment (SEE) 306 to be downloaded into SEE memory before code execution can occur as described herein.

The APU chipset application program 302 includes user application programs 130, a service processor application program 112 (e.g., for implementing various service processor functions that are not required to be implemented in the kernel, as described herein) , And OEM application programs 310. The APU chipset kernel programs 304 include an OEM kernel program 312, a service processor kernel program 113 (e.g., for implementing various service processor functions that are preferably implemented in the kernel as described herein), an APU A system kernel program 314, and APU device drivers and other BSP kernel programs 316. As also shown, OS 134 includes user / application space and kernel space implementation portions, as will be apparent to those skilled in the art. Is communicated via the APU network stack device driver 318 in the kernel space 304 as indicated by the network connection (e.g., 3G or 4G wireless network connection).

The APU SEE 306 may include security DDR processor programs 326, APU security device system programs (e.g., modem bus driver, modem driver) 328, and OS / And a security execution memory 322 for execution / storage. The APU SEE 306 also includes a program signature verifier 332 for verifying secure DDR processor programs 326 and / or other security programs in the secure execution memory 322 as described herein. The APU SEE 306 also includes an NV memory I / O 334 as shown. APU SEE 306 also includes a secure execution boot loader and updater (e.g., a secure on-board NVRAM) 336 for implementing secure execution boot processes and security update processes as described herein.

In some embodiments, the network data path 324 for any user or kernel mode applications or services is delivered from the APU networking stack device driver 318 and monitored using secure DDR processor programs 326. [

As further described herein, the secure DDR processor programs 326 communicate with the service processor application program 112 using a DDR mailbox function and a communication channel as indicated via the DDR mailbox data 320 . In some embodiments, the DDR Mailbox function provides a secure communication channel using various techniques as described herein. In some embodiments, the DDR Mailbox function is used to deliver secure DDRs generated using the secure DDR processor program 326 for use with the monitored network service for the service processor application program 112. In some embodiments, the service processor application program 112 delivers secure DDRs to network elements / functions such as the service controller 122. In some embodiments, the service processor application program 112 may be a secure DDRs with service processor reporting (e.g., application-based monitoring / 7-tier or application layer based monitoring, as described herein) (Including device-based micro-CDR / uCDR based on the use of monitored services based on application program 112 and / or service processor kernel programs 113) to a network element / function such as service controller 122 do. In some embodiments, the service processor application program 112 may be configured to monitor (e.g., adjust) the device-assisted service usage monitoring based on two DAS-enabled service usage metrics by a service controller or other network element / And / or security DDRs with service processor reports for overlapping and / or common time periods / intervals.

Figure 4 illustrates another architecture for a secure embedded DDR processor in an APU implementation with a modem bus driver in accordance with some embodiments. In particular, FIG. 4 illustrates in more detail how the DDR processor 114 may be implemented in an APU security operating environment with a modem bus driver 428 (e.g., a 2G, 3G or 4G modem bus driver). The DDR processor 114 monitors the IP packets sent to and from the modem bus driver 428 (e.g., a USB driver / controller), which may include a wireless connection using a 2G / 3G / 4G modem 440 Lt; RTI ID = 0.0 > 430 < / RTI > In some embodiments, the DDR processor 114 may include a device I / O driver (e.g., a USB driver, a 2G / 3G / 4G modem driver, an SDIO driver, an Ethernet driver, a FireWire driver, a WiFi driver, Or near-field communication driver) and provides IP I / O connectivity through the data path to secure DDR data path processing or monitoring.

The secure execution boot loader and updater 336 may read from the nonvolatile (NV) memory 334 the DDR processor 114 and the modem 338 as execution memory in the SEE, represented as the DDR secure execution memory 420, Bus driver images (e.g., after code signature verification using secure program signature verifier 332). The DDR processor 114 and the modem bus driver image and other secure images are all part of the secure bootload to be signed before being executed.

As shown, the DDR processor is on a 2G, 3G, or 4G modem data path, and all traffic between the OS stack and the 2G, 3G, or 4G network is monitored by the DDR processor 114. The DDR processor OS stack data path interface 424 is provided to connect between the DDR Secure Execution Environment (SEE) 420 in the kernel and the non-secure OS stack. The DDR processor modem data path interface 426 is also provided to couple the DDR processor 114 similarly to the modem data path provided by the modem bus driver 428. In some embodiments, the DDR processor 114, which is provided on the data path line and is not merely a clone / monitoring / drop function, may also implement the access controller function, for example, as described herein, The integrity of the network connection is maintained when the DDR processor 114 is manipulated or blocked from reaching the service controller 122 or when the service processor 112 is tampered with.

As also shown, the DDR processor mailbox interface 422 is provided to implement a mailbox function for passing DDR mailbox data 320 between the secure DDR SEE 420 and the insecure service processor application 112. As will be apparent to those skilled in the art in view of the various embodiments described herein, the DDR mailbox functionality may be implemented in a variety of ways.

In some embodiments, the DDR processor and the USB driver run in a secure environment on the application processor chipset, such as DDR secure execution memory 420. In some embodiments, the secure environment may include any unauthorized capability such as DDR processor code or modem bus driver / controller code (e.g., USB driver / controller or other device I / O driver / controller such as 2G / 3G / 4G Modem driver / controller, SDIO driver / controller, Ethernet driver / controller, FireWire driver / controller, WiFi driver / controller, Bluetooth driver / controller or local communication driver / controller). In some embodiments, the secure environment includes data from a DDR processor to a physical modem bus driver (e.g., a USB port, an Ethernet port, a FireWire port, a WiFi port, a Bluetooth port, an NFC port, or another I / O bus port) It also ensures that the path is isolated from firmware outside the secure environment. That is, no firmware outside the security environment can affect the precise collection of statistics by the DDR processor. In some embodiments, the secure environment further ensures that there is no coding capability other than a DDR processor accessing a sensitive cryptographic store, such as a key. This includes, for example, protecting sensitive storage from debug monitoring and / or other monitoring / connection activities or techniques. As will be apparent to those skilled in the art, rather than a simple DDR processor, the APU firmware should be secure and should not contain any bugs or vulnerabilities that could be exploited to allow unauthorized access. For example, a typical attack is a buffer overflow, in which an attacker chooses an input that causes an unconfirmed buffer to cross the boundary, resulting in an unintended behavior that an attacker can exploit.

There are various examples of APU chipset SEE implementation techniques that can be used to satisfy these requirements as described above. For example, a conventional CPU with firmware that is upgradeable (e.g., including a DDR processor) may be provided. The firmware may be stored in non-volatile (NV) memory or may be stored in flash memory which may be reprogrammed / updated with new or upgraded firmware. Firmware can be installed at the time of manufacture and provides a compliant security environment by design. Strict quality assurance testing is necessary to ensure that errors are not likely to provide a means for a secure environment. The new firmware image must have a valid digital signature before it can be accepted for installation. Version control checks may be included to prevent returning to older versions. Firmware that enables signatures and versions is in firmware that may be upgradeable. As another example, secure partitioned CPUs may be provided, such as ARM Trustzone or Intel Smart & Secure (e.g., or other suitable alternative including potentially provider-customized secure environment CPU partitioning techniques). DDR processor, modem bus driver (eg USB driver / controller or 2G / 3G / 4G modem driver / controller, SDIO driver / controller, Ethernet driver / controller, FireWire driver / controller, WiFi driver / controller, Controller or other device I / O driver / controller such as a local communication driver / controller) and any intervening code may be executed in a secure partition, such as Trustzone's (for example, Smart & Secure) security mode. The secure boot procedure can be performed using a DDR processor, a modem bus driver (eg USB driver / controller or 2G / 3G / 4G modem driver / controller, SDIO driver / controller, Ethernet driver / controller, FireWire driver / controller, WiFi driver / , Another device I / O driver / controller such as a Bluetooth driver / controller or a local communications driver / controller) and any intervening code may be included in the digitally signed version controlled code image. In this approach, hardware firewalls can protect sensitive crypto storage from normal mode firmware. The hardware firewall also ensures that normal mode firmware can not tamper with the data path between the DDR processor and the physical modem bus driver (e.g., a USB port), so that service usage metrics and / / / ≪ / RTI >

Figure 5 illustrates another architecture for a secure embedded DDR processor in an APU implementation with a modem bus driver in accordance with some embodiments. In particular, Figure 5 shows that the APU stack driver for the 2G / 3G or 4G modem 410 is located in the DDR secure execution memory 420 instead of the APU kernel space 404 as shown in Figure 5 4.

Built-in modem processor DDR  Processor implementation

In some embodiments, in an MPU implementation, the DDR processor is in a modem processor with other secure modem data path processing code and hardware functions. For example, in an MPU-based secure DDR processor implementation, once the data path under the modem bus driver interface is secured, it is relatively difficult to hack the device to create a data path to reach the network by avoiding the DDR processor. In addition, for some MPU chipset families, compared to implementing the same functions in some APU families that do not have standard hardware security partition characteristics, such as ARM Trust Zone and Intel Smat & Secure, the security execution environment, secure boot loader, and security Implementing non-volatile memory can be simpler. Also, the MPU implementation may have less interaction with the OS kernel build than with the APU implementation. In some embodiments with MPU implementations, the DDR processor 114 may be coupled to a wireless wide area network modem, such as a 2G, 3G, or 4G modem, or to a modem such as a USB modem, an Ethernet modem, a FireWire modem, a WiFi modem, Modem, or other I / O modem. While many of the described embodiments are for implementing MPUs in a wireless wide area network modem, other variations, including other I / O device modems, as will be apparent to those skilled in the art are possible without departing from the scope of the present disclosure.

However, in the MPU DDR processor implementation, the modem processor environment may not have a CPU with the same performance and secure execution memory space as the APU solution. This obvious disadvantage can be mitigated by designing and optimizing the DDR processor firmware so that the code memory size is small and the CPU performance requirements are typically suitable for relatively low power modem processor chipset CPUs. Also, as described above, the OTA and OTN Updater processes may be more complex than those obtained by any APU chipset provider and their OEMs.

Figure 6 illustrates an architecture for a secure embedded DDR processor in an MPU implementation in accordance with some embodiments. In particular, Figure 6 shows an MPU implementation that includes a modem data path from a built-in DDR processor and a DDR processor to a network of data path secure areas. In this approach, the DDR processor 114 is embedded in the secure execution memory (SEE) 604 and the secure execution memory 630 of the modem chipset (e.g., 3G or 4G MPU chipset). As shown, to ensure that fraudulent software or firmware can not bypass the DDR processor, the data path security zone includes a DDR processor 114 that follows modem data path processing and modem signal processing taking place between the DDR processor and the antenna . In some embodiments, the DDR processor 114 is securely implemented in the 3G or 4G modem data path directly below the modem bus driver 610 and the logical channel interface, The path is secured to prevent data paths from bypassing the DDR processor data path processing.

Similar to the APU-based approach described above, FIG. 6 illustrates the major functional blocks within a modem-based solution where the DDR processor 114 is responsible for using the modem's SEE monitoring service over the network data path 632, Under the DDR modem networking protocol code 636, and under the DDR modem data path processing 638, along with other secure modem code 634, and the communication channel of the DDR processor to the service processor application program (e.g., , Served by a USB endpoint). This interface may be piggybacked on top of an existing logical communication channel between the APU and the MPU using a separate logical communication channel. In some embodiments, the receipt of DDR mailbox data 320 is a service processor application code.

As also shown in FIG. 6, the interface to the non-volatile memory (e.g., for software / firmware download / update) where the secure boot code resides is the first one that is verified before all security codes are considered to be complete It is a digital signature. The data path is a separate interface where data frames are sent to the secure environment for the DDR processor to make connections and perform DDR usage metrics in addition to controlling limited or unrestricted network connections.

The modem chipset non-secure execution environment 602 includes a modem bus communication driver 610. In some embodiments, a logical communication channel for modem data path traffic 622 and above the DDR modem data path processing 624 is also provided. In some embodiments, a logical communication channel 612 for modem control settings and status reporting, modem status data 614, modem control data 616, modem diagnostic data 618, and other unsecured modem functions (620) is also provided.

Figure 7 illustrates another architecture for a secure embedded DDR processor in an MPU implementation in accordance with some embodiments. In particular, Figure 7 illustrates how the DDR processor 114 is implemented in an MPU security operating environment in which the data path through the 3G or 4G modem network processing and signal processing is secured from the connection from the software or firmware other than the DDR processor to the antenna . In some embodiments, the secure boot loader process operates similarly to that described above.

As shown, the APU chipset application programs 702 include DDR mailbox data 710 that is communicated to the service processor application program 112 similar to that described herein. As shown, the APU chipset kernel program 704 includes an APU stack interface 712 for a 3G / 4G modem, an APU stack interface 714 for other modems, and a modem chipset non- And a 3G or 4G modem bus driver 716 for communicating with the 3G or 4G modem bus driver 722 of the service processor kernel program 706.

In some embodiments, the DDR processor 114 follows a data path that takes into account the security network / service usage metrics and / or connection controls similar to those described herein with respect to various embodiments. In some embodiments, the DDR processor OS stack data interface (IE) 728 is coupled between the DDR Secure Execution Environment (SEE) and the (potentially) unsecured modem bus driver interface 722 of the modem chipset non-secure execution environment 706 Lt; / RTI > As also shown, the DDR processor modem data path interface 730 is provided to similarly connect the DDR processor 114 to the modem data path processing and modem signal processing 740 occurring between the DDR and the antenna. As described herein, DDR is on the data path and is not simply a clone / monitoring / drop function, as it is possible that DDR reports are unauthorized or blocked from reaching the service controller, This is because the DDR processor also implements the access controller functionality according to some embodiments in case the processor is tampered with, thereby maintaining the integrity of the network connection.

As also shown, the mailbox function is provided to pass data between the secure DDR SEE 725 and the insecure service processor application program 112. In particular, the DDR processor mailbox interface (IF) 724 communicates with the DDR mailbox 720 located in the modem chipset non-secure execution environment 706. The DDR mailbox data 710 is shown to be provided to the insecure service processor application program 112, which is provided via a modem communication path via modem bus driver 722 and modem bus 718 as shown. The DDR processor mailbox interface (IF) 724 communicates with the DDR processor 114 and is located in the DDR SEE 725. As will be apparent to those skilled in the art in view of the various embodiments described herein, the mailbox functionality may be implemented in a variety of ways. As described above in connection with various APU based embodiments, in accordance with some embodiments, the secure area includes all data path processing steps under the DDR processor, and any data to the network that bypasses the DDR processor via the modem There is no route.

In some embodiments, the DDR processor executes in a secure environment of MPU-based embodiments similar to that described above with respect to APU-based embodiments. In some embodiments, the secure environment ensures that unauthorized capabilities do not replace or alter the DDR processor code. In some embodiments, the secure environment also ensures that the data path from the DDR processor to the antenna is isolated from firmware outside the secure environment. That is, no firmware outside the security environment has the capability to influence the accurate collection of statistics by the DDR processor. In some embodiments, the security environment further ensures that the ability to access sensitive cryptographic storage, such as keys, is not present in code other than the DDR processor. For example, this may include protecting sensitive storage from debug monitoring and / or other monitoring / access operations or techniques. As will also be apparent to those skilled in the art, the MPU firmware, rather than just the DDR processor, must be secure and should not contain any errors or vulnerabilities that could be exploited to allow unauthorized access. For example, a typical attack is a buffer overflow, in which an attacker chooses an input that causes an unconfirmed buffer to cross the boundary, resulting in an unintended behavior that an attacker can exploit.

An example of a Security Execution Environment (SEE) implementation in MPU embodiments includes those similarly described above for various Security Execution Environment (SEE) implementations in an APU embodiment.

modem On the processor  Data Path Security Verifier Combined application On the processor  Built-in DDR  Processor implementation

In some embodiments, the DDR processor is embedded in the SEE APU chipset and the data path security verifier (DPSV) is embedded in the MPU chipset, as shown in the device architecture 103 of FIG. For example, the DPSV may use encryption techniques to obtain a secure and reliable data path between a secure DDR processor and a modem network antenna connection. This prevents deceptive software or firmware and data connections between the modem bus, the physical modem bus, and the networks that do not need to secure the modem data path elements on the DPSV elements. By establishing a secure communication channel between the DDR processor and the DPSV, a secure channel combination is created so that the network data path that is securely handled by the DDR processor, even if the deceptive software or firmware successfully connects to the modem bus interface to bypass the DDR processor Only flows can reach a 3G or 4G modem connection to the wireless access network. When fraudulent software or firmware bypasses the DDR processor and communicates unsolicited data path information intended for the modem, the DPSV blocks network data paths that are not processed by the DDR processor and are not cryptographically secured.

Figure 8 illustrates an architecture for a secure embedded DDR processor in an APU and a data path security verifier (DPSV) in an MPU implementation in accordance with some embodiments. 8, the DDR processor 114 is embedded in the APU chipset SEE and a second comparison firmware image referred to herein as a data path security verifier (DPSV) 836 is stored in the MPU chipset SEE For example, 3G or 4G MPU chipset SEE). As also shown, there are two data path security zones to prevent fraudulent software or firmware from escaping the DDR processor, one containing the DDR processor only and the second containing the modem data path processing between the DDR and the antenna, (E.g., such a second data path security zone is similar to that of a modem-only implementation of a DDR processor).

As noted above, this approach does not require security for the APU 3G or 4G modem bus driver and the physical bus. For example, some vendors and / or chipset providers (e.g., AWSP APU chipset providers) may be required to create two firmware images and two data path security zones to provide data between the DDR processor SEE and the modem antenna connection You can think of it as easier than securing the path. Compared to the APU implementation-based approach, the firmware for the APU is somewhat simplified and eliminates the security design work involved in securing the modem bus driver and the physical bus. Compared to the MPU implementation-based approach, modem firmware is also simplified. For example, in some APU chipset architectures, it may be difficult to secure the data path from the DDR processor through the modem bus driver, the modem physical bus, and the modem itself. Also, in some MPU chipsets, it may be necessary to simplify or reduce the size of the security firmware program image required by the MPU, similar to the above. Simpler and smaller firmware can reduce the frequency of updates that are required or perhaps remove them together. The APU DDR processor and MPU DPSV implementation approach described herein reduces the firmware required by the MPU to DPSV. This allows more complex data path processing by the DDR processor to be implemented on the APU where (i) the security firmware execution memory is generally larger and the CPU performance is generally higher, and (ii) the firmware update system is generally more capable This is good and more flexible. However, the APU DDR processor and MPU DPSV implementation approach also has problems. The main problem is that the firmware is typically embedded in both the wireless network chipset (MPU) and the device application processor (APU) chipset.

8, a first SEE 810 is implemented on the APU chipset, which is similar to that described herein, using the OS stack data path interface and / or the modem data path interface 818 to provide 2G / And a DDR processor 114 for securely monitoring communications from the APU stack driver for the 3G / 4G modem 806. A second SEE 832 is implemented on the MPU chipset, which includes a data path security verification (DPSV) program 836. The DPSV 836 is on the data path for the modem as shown. For example, the DPSV function can be very simple: the DPSV 836 only passes data path information that is processed and acknowledged by the DDR processor 114. The DPSV 836 is coupled to the DDR processor 114 to know the secret session key of the DDR processor data path and to receive acknowledgment from the DDR processor 114. How DDR processor 114 binds the secure data path channel to DPSV 836 and how DPSV 836 ensures that all 3G or 4G modem network service usage is properly monitored and processed Techniques are provided herein.

Referring to APU SEE 810, a program signature verifier 820, a non-volatile memory I / O 822, and a secure execution boot loader and updater 824, as described herein similarly with respect to various embodiments, ). The APU SEE 810 also includes a DDR security enforcement memory 812. The DDR secure execution memory 812 is coupled to the data bus 812 via a modem data path interface 818 for data path communications to the modem bus 818 via the OS stack data path interface 816 and the modem bus driver 826, And a DDR processor 114 for monitoring the path. The DDR secure execution memory 812 also includes a DDR processor 810 for providing DDR mailbox data 810 from the DDR processor 114 to the service processor application program 112 as shown and as described herein. And a mailbox interface. Similarly, the DPSV 836 authenticates the DDR processor 114 using the DPSV mailbox interface 842 as a communication channel and establishes a secret session key that is used for message integrity verification between the two. Various techniques for implementing a secure connection between the DDR processor 114 and the DPSV 836 are described herein.

In some embodiments, the DDR processor executes in a secure environment of APU-based embodiments, similar to that described above in connection with APU-based embodiments. In some embodiments, the secure environment does not guarantee any unauthorized capability to replace or change the DDR processor code. In some embodiments, the secure environment also ensures that the ability to access sensitive cryptographic storage, such as keys, is not present in code other than the DDR processor. This may include, for example, protecting sensitive storage from debug monitoring and / or other monitoring / connection activities or techniques. As will also be apparent to those skilled in the art, the APU firmware, rather than only the DDR processor, should be free of errors or vulnerabilities that may be exploited to allow secure and unauthorized access. For example, a typical attack is a buffer overflow in which an attacker chooses an input that causes an unconfirmed buffer to exceed its boundary, resulting in an unintended behavior that an attacker can exploit.

Similarly, in some embodiments, the DPSV runs in a secure environment. In some embodiments, the secure environment does not guarantee any unauthorized capability to replace or change the DPSV code. In some embodiments, the secure environment also ensures that the ability to connect to a sensitive cryptographic store, such as a key, is not present in code other than DPSV. In some embodiments, the secure environment further ensures that there is no code to interface with the appropriate cryptographic functions of the DPSV or the ability to communicate between the DPSV and the DDR processor. This may include, for example, protecting sensitive storage from debug monitoring and / or other monitoring / connection activities or techniques. As will also be apparent to those skilled in the art, the MPU firmware, other than only the DPSV, should be secure and should not contain any errors or vulnerabilities that could be exploited to allow unauthorized access. For example, a typical attack is a buffer overflow in which an attacker chooses an input that causes an unconfirmed buffer to exceed its boundary, resulting in an unintended behavior that an attacker can exploit.

In some embodiments, the APU includes a data path processor (DPP) that includes DDR processor functionality, secured in the APU SEE as described herein. In some embodiments, the APU DPP also includes other service monitoring, control, and notification functions. In some embodiments, the modem includes a Data Path Security Verifier (DPSV) that secures the path between the APU DPP and the modem network data path so that only DPPs are allowed to communicate with other software, firmware, buses, So that it can be transmitted to the modem. In some embodiments, the modem DPSV is coupled to the APU DPP by one or more of similar or other techniques as will be apparent to those skilled in the art in view of the techniques described herein and / or the various embodiments described herein. For example, the APU DPP can be provided on a secure data path to a modem network connection where the software, firmware, bus or ports on the device can not be avoided. This may be a data path embedded in the hardware through hardware design or it may be a secured data path to a security firmware or software execution environment for all data path elements under the APU DPP. The APU DPP and the modem exchange public keys and / or digital certificates and then execute a key exchange process for mutual authentication, resulting in a secret shared session key to be used as a basis for message integrity verification.

Once a secret sharing session key is established between the APU DPP and the DSPV, the APU DPP attaches an integrity confirmation in each frame to be transmitted using the session key, and the modem acknowledges the integrity confirmation using the session key. The modem only allows frames with valid integrity checks to be sent and blocks frames that do not contain valid integrity checks, meaning that only frames processed by the APU DPP are transmitted. Similarly, the modem DPSV uses the session key to attach an integrity check for each received frame, and the APU DPP uses the session to verify integrity before being sent to a higher layer (e.g., application layer, etc.) .

In some embodiments, modem downlink flow data path messages between the DPSV and the DPP are arranged. In some embodiments, the APU DPP upflow message may include the downstream flow sequence information so that the modem DPSV can verify that the APU DPP receives all downstream packets, otherwise the modem DPSV can inform the APU DPP , Inform the service controller and / or take action, such as limiting the connection and / or other appropriate operations.

In some embodiments, the APU DPP generates secure DDRs and communicates the DDRs to the service controller in an arranged and secured manner as described herein in connection with various embodiments.

In some embodiments, the service processor application and / or the service processor kernel program may inform the APU DPP about which sockets / flows belong to which applications (e.g., monitoring, billing, and / or controlling application- APU DPP knows which applications are generating or receiving traffic to assist with application classification tags for billing, traffic control, and / or user notification policies.

In some embodiments, the APU DPP performs various functions. In some embodiments, the APU DPP may perform DDR processor functions. The APU DPP may perform any or all of the service monitoring functions of a Charging Agent (CA) and / or a Policy Decision Agent (PDA). The APU DPP can calculate all network traffic and, in some instances, classify traffic by application and / or destination, NBS, time of day, active network, and / or various other criteria as described herein. APU DPP can generate accounting records. The APU DPP may forward the accounting records to a service controller (e.g., or other network billing function) and / or a device notification UI.

In some embodiments, the APU DPP performs access controller functions. For example, the APU DPP may instruct the service processor application and / or the kernel program to allow or block / remove or background applications or destinations. A service processor application and / or a kernel program may allow / block or background applications by manipulating application connections to the network or by blocking application program boot / start sequences, or by suspending / resuming applications. The service processor application and / or the kernel program may perform blocking functions by reprogramming or blocking application management functions in the OS (e.g., Android activity management and / or service management functions). The APU DPP instructs the service processor application / kernel program to control the application and / or traffic, or the DPP directly controls the traffic. The APU DPP may perform policy enforcement functions as described herein with respect to various embodiments.

In some embodiments, the APU DPP may perform NBS monitoring and / or reporting functions. For example, the APU DPP may detect NBS, modem performance parameters, network assets included in the link, and / or geographical location information.

In some embodiments, the APU DPP obtains network time from the network with a " secure " ping-loop system to verify that the network time stamp is not blocked or delayed. For example, the APU DPP can perform a ping-loop whenever it has a reliable local clock or whenever reporting is started and / or stopped.

Examples of Security Execution Environment (SEE) implementations in the APU DDR processor and MPU DPSV embodiments include examples similar to those described above for various Security Execution Environment (SEE) implementations in APU embodiments. Specific examples are also listed below. Exemplary commercially available APU examples include: Intel Atom (e.g., Z5xx, Z6xx, D4xx, D5xx series) based solutions with Intel Trusted Execution Technology including TPM support; And ARM-based solutions with ARM Trusted Zone Architecture. Exemplary APU detailed requirements may also include generic hardware security blocks (e.g., AES, DES, RSA, Diffie-Hellman, SHA and random generator). Exemplary commercially available MPUs include: EVDO chipset based solutions (e.g., an ARM11-based CPU architecture, including ARM Trusted Zone Architecture with many common hardware cipher blocks); HSPA chipset based solutions (eg Snapdragon / ARM based CPU architecture, including ARM Trusted Zone Architecture with many common hardware cipher blocks); And LTE chipset-based solutions (Snapdragon / ARM-based CPU architecture, including ARM Trusted Zone Architecture with many common hardware cipher blocks).

9 illustrates an architecture for a secure embedded DDR processor in a Subscriber Identity Module (SIM) and a Data Path Security Validator (DPSV) in an MPU implementation in accordance with some embodiments. 9, the DDR processor 114 is embedded in the SIM SEE 918 and the data path security verifier (DPSV) 936 is coupled to the MPU chipset SEE 932 (e.g., 3G or 4G MPU chipset SEE). Data communications from the APU, such as those similarly described herein, including the Mailbox function, communicate using the SIM bus driver 911 using the modem and SIM bus 912 as shown.

9, a first SEE 918 is implemented in the SIM 913, which is connected to the SIM bus driver 916 from the modem and the SIM bus 912 to the OS stack data path < RTI ID = 0.0 > Interface 924 and / or a modem data path interface 926 to monitor communications securely. The Mailbox function is provided similar to that described herein using a DDR Processor Mailbox Interface 922, DDR Mailbox Data 914, and DDR Mailbox Data 910, as shown.

The data path communication to the 3G / 4G modem data path and signal processing element 928 via the SIM bus 913 to the modem and the 3G / 4G modem bus driver 934, as also shown in FIG. 9, Lt; RTI ID = 0.0 > SIM < / RTI > data security verifier 936 as described above. The modem SIM data security verifier 936 is implemented in the modem chipset SEE 932 of the modem chipset / MPU 930 as shown. Additionally, there is a DPSV mailbox 842 that provides a communication channel to the APU, which is the final destination setting in the SIM to be the DDR processor, for setting up and authenticating the secret session key used as the basis for message integrity verification.

In some embodiments, the SIM includes a data path processor (DPP) with embedded DDR functionality secured in the SIM SEE. For example, the SIM DPP may also include other service monitoring, control and notification functions. In some embodiments, the modem includes a data path security verifier (e.g., a data path security verifier) that allows the DPP to transmit on the modem even if other software, firmware, busses, or ports connect to the modem by securing the path between the SIM DPP and the modem network data path DPSV).

In some embodiments, the modem DPSV is connected to the SIM DPP by one of the following techniques and / or similar or other techniques as will be apparent to those skilled in the art in view of the various embodiments described herein.

For example, a SIM DPP may be provided in a secured data path to a modem network connection where software, firmware, busses or ports on the device are inevitable. The secured data path may be a data path embedded in the hardware through a hardware design or data path secured with security firmware or software execution environment for all data path elements under the SIM DPP. In some embodiments, communication between the DPSV 936 and the DDR processor 114 is secured using various secure communication technologies, such as those described herein. In some embodiments, the DPSV has a unique secret / public key pair and a digital certificate (cert) that verifies that the public key is genuine. The DDR processor has a unique secret / public key pair and a digital certificate certifying that the public key is authentic. DPSV and DDR processors exchange public keys and certificates to authenticate each other and execute a key exchange process that results in a shared secret session key. The DDR processor receives upstream network data flows from the device OS networking stack and uses the session key to attach an integrity check to each upflow data message sent by the DDR processor to the DPSV. The DPSV intercepts any upward flow data path information that does not have a valid integrity check from the DDR processor and informs the DDR processor that it is receiving invalid upstream data so that the DDR processor can send fraud events to the service controller Can be informed. The DPSV receives the downlink network data flow and attaches an integrity check to each downflow data message it sends to the DDR processor using the session key. Each downlink flow data message is, for example, arranged such that the data message can not be blocked or replayed without being detected by the DDR processor. If the DDR processor receives a downflow data message with an invalid integrity check, the DDR processor rejects the message and notifies the service controller of possible fraud events. The DDR processor acknowledges each unacknowledged downflow data message in the next upflow data message it sends to the DPSV. If the DPSV stops receiving downstream data message acknowledgments, it blocks downstream network data flows and informs the DDR processor that the DDR processor is aware of possible fraud events to the service controller. The DDR processor securely transmits DDR reports to the service controller by the service processor as described herein in connection with various embodiments.

In some embodiments, the modem downstream flow data path messages between the DPSV and the DPP are arranged. In some embodiments, the SIM DPP upflow messages include downstream flow sequence information so that the modem DPSV can determine that the SIM DPP will receive all downstream packets, otherwise the modem DPSV informs the SIM DPP, Inform the service controller, and / or take action, such as a limited connection or other appropriate operation (s).

In some embodiments, the SIM-MPU interface is a physical interface (e.g., bus). In some embodiments, the SIM-MPU interface is a logical interface (e.g., via an untrusted APU). In some embodiments, the SIM is a logically independent security hardware module (e.g., part of a secure execution environment) embedded in any device processing element (e.g., SIM, video processor, audio processor, to be.

In some embodiments, the SIM and MPU exchanges include several components. In some embodiments, the MPU and SIM each have their own public / secret encryption key pair with proof. In some embodiments, the MPU and SIM exchange keys using a key exchange protocol. In some embodiments, this key exchange occurs on the physical bus between the MPU and the SIM. In some embodiments, this key exchange occurs via a logical bus (e.g., via an untrusted APU). Such key exchange protocols are well known in the art and have not been described herein. In some embodiments, the MPU and the SIM have mutually authenticated keys using the certificates, then they establish a shared session key. In some embodiments, the MPU and SIM initialize the transfer count value to zero, the receive count value to zero, the maximum transfer count value to the integer N, and the maximum receive count value to the integer M. In some embodiments, the values of M and N are the same. In some embodiments, the values of M and N are implementation-dependent and can be determined based on the reception of the MPU and transmit packet processing capability. For example, by choosing M = 3 and N = 2, the SIM block expects to get an ACK frame from the MPU after three or fewer received packets and after at least two transmitted packets; Otherwise, the SIM determines that fraud has occurred and informs the network element.

In some embodiments, the MPU sends only the relevant portion of the transmission frame to the SIM for each outgoing packet to reduce SIM processing requirements. In some embodiments, the relevant portion of the transmission frames includes a header, a transmission count, and an integrity check. In some embodiments, the header includes information such as one or more of a source and destination address, source and destination ports, a protocol tag, and a byte packet length. In some embodiments, the transmission counts the transmitted frames and counts increments with each transmission frame. In some embodiments, integrity verification is determined by hashing at least one of a session key, a header, and a transfer count.

In some embodiments, the MPU also transmits only the relevant portion of the received frame to the SIM for each incoming packet. In some embodiments, the relevant portion of the received frames includes a header, a transmission count, and an integrity check. In some embodiments, the header is the same as a transport frame header (e.g., one or more of source and destination addresses, source and destination ports, protocol tag, and byte packet length). In some embodiments, reception counts an increase in each received frame. In some embodiments, integrity verification is determined by hashing at least one of a session key, a header, and a transfer count.

In some embodiments, the frame acknowledgment (e.g., ACK) is the sum of the maximum transmission count, the maximum reception count, and the integrity check. In some embodiments, the maximum transfer count is set to (transfer count + N), where the transfer count is the transfer count from the most recent transfer frame. In some embodiments, the maximum reception count is set to (reception count + M), where the reception count is the reception count from the most recently received frame. In some embodiments, integrity verification is determined by hashing at least one of a session key, a maximum transmission count, and a maximum reception count.

In some embodiments, the interface between the MPU and the SIM is a logical channel (e. G., Via an untrusted APU). In some embodiments, in terms of transmission, the APU transmits the SIM only in a transport frame header (e.g., one or more of source and destination addresses, source and destination ports, protocol tag, and byte packet length). In some embodiments, the SIM returns a transfer count, a maximum receive count (e.g., receive count + M), and an integrity check to the APU. In some embodiments, the SIM increases the value of the transfer count for each transmitted frame. In some embodiments, the SIM determines integrity verification by hashing at least one of a session key, a header and a transmission frame count, and a maximum reception count. In some embodiments, the APU attaches the header and frame body to the SIM-delivery transfer count, maximum receive count and integrity check and sends the result to the MPU. In some embodiments, the MPU transmits only frames that pass integrity confirmation at one time. In these embodiments, the MPU may not use the maximum transfer count.

In some embodiments, the interface between the MPU and the SIM is a logical channel (e. G., Via an untrusted APU). In some embodiments, the MPU on the receive side receives a header (e.g., one or more of source and destination addresses, source and destination ports, protocol tags, and byte packet length), receive count, . In some embodiments, the reception count is incremented for each received packet. In some embodiments, integrity verification is determined by hashing at least one of a session key, a header, and a reception count. In some embodiments, the APU transmits only the header (e.g., source and destination addresses, source and destination ports, protocol tag, and / or byte packet length), receive count, and integrity confirmation to the SIM. In some embodiments, the MPU may process more than one received frame before obtaining the SIM acknowledgment feedback. In some embodiments, a SIM ACK frame (e.g., a representation of a maximum received count) is piggybacked into a frame as described herein.

In some embodiments, the MPU sends the entire data frame to the SIM, which allows the SIM to be acknowledged in terms of transmission and reception with integrity confirmation attached. In some embodiments, the DSPV engine adds integrity checks to the data frames and sends them to the SIM. In these embodiments, the SIM interfaces with the APU, and the SIM (DDR processor) is in the middle of data exchange.

In some embodiments, in each transmission frame, the MPU increases the transmission count and compares the value with a value of the maximum transmission count as obtained from the most recent frame acknowledgment. In some embodiments, if the transmission count is greater than the maximum transmission count, the MPU determines that the SIM has not received valid transmission frame data. In some embodiments, the MPU notifies the network element (e.g., a trusted whole, such as a service controller) that fraud has occurred after determining that the SIM has not received valid transmission frame data.

In some embodiments, if the MPU detects an integrity check that is not valid in frame acknowledgment, or if the SIM detects an integrity check that is not valid in the transmission frame, the MPU or SIM determines that a malicious action has occurred. In some embodiments, when the MPU or SIM determines that a malicious action has occurred, the MPU or SIM informs the network element (e.g., the trusted whole, such as a service controller) that fraud has occurred. In some embodiments, if the MPU or SIM has not determined malicious behavior to occur, the SIM updates the DDR data collection using the header from the transmission frame and reports the results to the network element.

In some embodiments, in each received frame, the MPU increases the reception count and compares the value with the value of the maximum transmission count as obtained from the most recent frame acknowledgment. In some embodiments, if the reception count is greater than the maximum reception count, the MPU determines that the SIM has not received valid received frame data. In some embodiments, the MPU determines that the SIM has not received valid received frame data and then notifies the network element (e.g., the trusted whole, such as a service controller) that fraud has occurred.

In some embodiments, if the MPU detects an integrity check that is not valid in the frame acknowledgment, or if the SIM detects an invalid integrity check in the received frame, the MPU or SIM determines that a malicious action has occurred. In some embodiments, when the MPU or SIM determines that a malicious action has occurred, the MPU or SIM informs the network element (e.g., the trusted whole, such as a service controller) that fraud has occurred. In some embodiments, if the MPU or SIM has not determined that malicious activity has occurred, the SIM updates the DDR data collection using the header from the received frame and reports the results to the network element.

In some embodiments, the SIM DPP generates secure DDRs and communicates secure DDRs to the service controller in an arranged and secure manner as described herein in connection with various embodiments.

In some embodiments, the service processor application and / or the service processor kernel program may inform the SIM DPP which sockets / flows belong to which application so that the SIM DPP knows which application is in the application classification tag for billing, traffic control and notification policy You will know whether to generate or receive traffic to help.

In some embodiments, the SIM DPP performs a variety of functions, as described herein. For example, SIM DPP can perform DDR processor functions. The SIM DPP can perform service monitoring functions of any or all of the billing assistant (CA) and / or policy decision aid (PDA). The SIM DPP counts all traffic to the network and, in some cases, classifies traffic by application and / or destination, NBS, time of day (TOD), active network, and / or various other criteria. SIM DPP can generate accounting records. The SIM DPP may forward accounting records to a service controller (e.g., or other network billing function) and / or a device notification UI.

As another example, the SIM DPP can perform various access controller functions. The SIM DPP may instruct the service processor application and / or the kernel program to allow or block / remove or background applications or destinations. The service processor application and / or the kernel program may allow, block, remove or background applications by manipulating application connections to the network, by blocking application program boot / start sequences, or by suspending / resuming applications. The service processor application and / or the kernel program may perform blocking functions by reprogramming or blocking application management functions in the OS (e.g., Android drive management and / or service management functions). By way of example, the SIM DPP instructs the service processor application and / or the kernel program to control the application and / or traffic, or directly controls the traffic in the DPP. The SIM DPP may also perform policy enforcement functions as described herein.

As another example, the SIM DPP may perform NBS monitoring and / or reporting functions. The SIM DPP can detect NBS, modem performance parameters, network assets included in the link, and geographic location.

As another example, the SIM DPP can obtain network time from the network with a " secure " ping-loop system, thereby proving that the network time stamp is blocked and not delayed. For example, a SIM DPP may have a local reliable clock or perform a ping-loop each time a report is started and / or stopped.

 10 illustrates another architecture for a secure embedded DDR processor in a subscriber identification module (SIM) and a data path security verifier (DPSV) in an MPU implementation in accordance with some embodiments. In some applications, it may be desirable to place the DDR processor in a stand-alone chipset that attaches to the APU or MPU chipset, such as a SIM card. Figure 10 illustrates such an implementation in accordance with some embodiments. For example, the embedded DDR processor can be implemented in a smartphone APU chipset combined with a Data Path Security Verifier (DPSV) implemented in a 3G or 4G wireless modem chipset.

In some embodiments, a hardware or firmware security data path between the DDR processor and the modem DPSV is not required, as shown in FIG. 10, where the DDR processor is enabled by providing the data path logical channel transfer function in the APU, (E. G., Or other stand-alone security chipset) by providing mailbox data communication between the service controller and the DDR processor for connection on the SIM card. In addition, the DDR processor report to the service controller may not be secure with any of the system elements in the APU secured in the hardware-assisted security execution environment (SEE).

Referring to FIG. 10, the secure DDR processor 114 is located in the DDR secure execution memory 1042 of the SIM security enforcement environment 1040 in the SIM as shown above, similarly as described above with respect to FIG. The architecture of the APU is similar to that shown and described above with respect to FIG. 9 except that the APU SIM 1012 and the APU bus driver function 1014 to the modem bus transfer function are located in the APU chipset kernel program 1004, as shown in FIG. . The secure DPSV 1026 may also include a modem for monitoring communications from the 3G / 4G modem bus driver using the 3G / 4G modem data path and signal processing components 1028, similar to that described above in connection with FIG. Is located in the modem chipset SEE 1024. However, compared to FIG. 9, in FIG. 10, the MPU and SIM are separate hardware or chipsets that communicate with the APU via independent communication buses. In particular, the MPU communicates with the APU via the modem bus 1018 using the APU SIM to the 3G / 4G modem bus driver 1022 and modem bus transfer function 1012 to the APU modem bus driver 1014 as shown do. The SIM communicates with the APU via the SIM bus 1016 to the SIM bus driver 1010 using the SIM bus driver 1032. [ The DPSV also uses the DPSV mailbox 842 as a communication channel for authenticating the DDR processor 114 in the SIM where the connection is established within the APU. As shown, the APU has two communication channels: a first communication channel with a DDR processor and a second communication channel with a DPSV.

In some embodiments, a first logical communication channel is created on the SIM bus 1016 between the service processor DDR mailbox 910 in the APU and the DDR mailbox 1034 in the SIM, (E.g., the service processor application program 112 and / or the service processor kernel program 113) using the DDR processor mailbox interface 1044 for the DDR mailbox data 1034 to the service processor 1032, DDR < / RTI > A second logical data channel is created on the SIM bus 1016 between the OS networking stack and the DDR processor 114 and which also uses the OS stack data path interface 1046 for the SIM bus driver 1032 as shown Is a logical channel intended for all OS networking stack communications with 3G or 4G networks. A third logical communication channel is created between the SIM DDR processor 114 and the modem DPSV 1026. As shown, the third logical communication channel includes a SIM bus interface (e.g., a modem data path interface to the SIM bus driver 1032) located on the SIM, a SIM bus driver 1010 located on the APU, A modem for the modem bus transfer function 1012 located, a modem bus driver 1014 located on the APU, and a modem bus interface 1022 located on the modem.

In some embodiments, the communication between the DPSV 1026 and the DDR processor 114 is secured using various secure communication techniques, as described herein. In some embodiments, the DPSV has a unique secret / public key pair and a digital certificate (cert) that verifies that the public key is genuine. The DDR processor has a unique secret / public key pair and a digital certificate certifying that the public key is authentic. The DPSV and DDR processors exchange public keys and certificates to perform a key exchange process to authenticate each other and result in a shared secret session key. The DDR processor receives upstream network data flows from the device OS networking stack and uses the session key to attach an integrity check to each upflow data message that the DDR processor sends to the DPSV. The DPSV intercepts any upward flow data path information that does not have a valid integrity check from the DDR processor and notifies the DDR processor that it is receiving invalid upstream data, Can be informed. The DPSV receives the downlink network data flow, and using the session key, the DPSV attaches an integrity check to each downstream data message that it sends to the DDR processor. Each downlink flow data message is, for example, arranged such that the data message can not be blocked or replayed without being detected by the DDR processor. If the DDR processor receives a downflow data message with an invalid integrity check, the DDR processor rejects the message and notifies the service controller of possible fraud events. The DDR processor acknowledges each unacknowledged downflow data message in the upflow data message after sending it to the DPSV. If the DPSV stops receiving downstream data message acknowledgments, it blocks downstream network data flows and informs the DDR processor that the DDR processor is aware of possible fraud events to the service controller. The DDR processor securely transmits DDR reports to the service controller by the service processor as described herein in connection with various embodiments.

In some embodiments, the DDRs transmitted from the DDR processor to the service controller are integrity checked and arranged in a manner that can not be tampered with or redone. The authentication process between the DDR processor and the service controller coupled with the unique DDR reporting sequence identifier and the set of authentication session keep-alive timers is used to maintain and verify the secure connection between the DDR processor and the service controller. If the security session or flow of DDR records between the DDR processor and the service controller is interrupted, the access control function in the DDR processor will restrict access to the 3G or 4G modem data path to the network destination, You will need to reset the session.

Figure 11 illustrates another architecture for a secure embedded DDR processor in a Subscriber Identity Module (SIM) and a Data Path Security Verifier (DSPV) in an MPU implementation in accordance with some embodiments. 11 is similar to FIG. 9, except that the SIM data path interface 1110 is provided for direct communication from a SIM with a 3G or 4G modem bus driver 934 in the MPU, as shown. The SIM communications may communicate with the APU through the modem bus 911 to communicate with the APU via the APU stack interface 906 for the 3G or 4G modem and the modem bus driver 911, 1112 to the 3G or 4G modem bus driver 934 using the SIM data path interface 1110. [

In some embodiments, various other architectures, including various other locations of a DDR processor, may be provided using these or similar techniques which will now become apparent to those skilled in the art in view of the embodiments described herein.

In some embodiments, various other architectures, including various other locations of a DDR processor and / or DPSV, may be provided using these or similar techniques, which will now become apparent to those skilled in the art in view of the embodiments described herein have.

For example, a DDR processor (e.g., various secured elements of a service processor and / or the like) may be deployed in various other locations, including higher level network access policy enforcement in the network stack Operating environment). In particular, any functions performed by the service processor without hardware security may be located in hardware secured execution memory. These features may include 3G and 4G network data path processing and usage reporting functions, 3G and 4G network application access management and usage reporting functions, and 3G and 4G service user notification and customer activity status functions.

16 illustrates an embodiment in which a security enforcement environment (referred to in FIG. 16 as a data path security zone 140 or SEE) includes security service processor elements 1604. FIG. Figure 16 may include various device I / O ports (e.g., 2G, 3G, 4G, WiFi, Ethernet, USB, FireWire, Bluetooth and NFC) numbered from # 1 to #N O < / RTI > modems 250 for a < / RTI > The modem bus driver and physical layer bus 142 are located in a secure execution environment (data path security zone 140) such that the secure execution environment includes security service processor elements 1604 and security service processor elements 1604 and devices Protects the data path between the I / O ports. In some embodiments, the security service processor element 1604 includes a portion of a service processor that desires to be protected from malware or unauthorized user tampering or configuration changes, Elements, I / O port communication activity monitoring and reporting, I / O port communication control or traffic control, application activity monitoring, application control, application access control or traffic control, network destination monitoring and reporting, network destination access control or traffic control , And device environment monitoring and integrity verification. The network stack 136 is also shown in FIG. 16 in a secure execution environment, but if the data path under the monitoring point in the security service processor elements 1604 and I / O modems 250 is secured (e.g., Data path connections are not available or allowed), generally not all network stack functions need to be implemented in a secure execution environment. In the embodiments shown in FIG. 16, the security service processor elements 1604 interact with the network stack 136 to implement various I / O port activity monitoring and control functions described herein. Non-secured service processor elements 1602 are also included in user interface elements, but are not limited thereto.

In some embodiments, using security run-time partitioning techniques, many portions or the entire service processor functionality is implemented in hardware-secured execution environments at the APU or MPU. In some embodiments, using secure CPU segmentation techniques, many portions or the entire service processor functionality is implemented in hardware-secured execution environments at the APU or MPU. As an illustrative example, service processor functions that may be executed within a secure execution environment include: one or more 2G, 3G or 4G networks (and / or other I / O ports such as Ethernet, WiFi, USB, FireWire, Bluetooth or NFC Policy management for a set of policy instructions stored in a secure execution environment, such as policy management for application access management, application traffic handling, application access monitoring and reporting, or application access service history reporting And reporting. As another illustrative embodiment, security service processor element functions that may be executed within a secure execution environment include policies for one or more applications that specify whether the policy is to block, allow, or control applications according to a set of policy instructions stored in the secure execution environment . ≪ / RTI > As another illustrative embodiment, security service processor element functions that may be executed within a secure execution environment include those in which the policy includes application activity monitoring and reporting or operational environment monitoring and reporting (e.g., in a secure state or device operating environment, ≪ / RTI > monitoring the presence of one or more applications). In another exemplary embodiment, the security service processor element functions that may be executed within the secure execution environment include one that may include a web site, domain, URL, IP and / or TCP address, server name, other devices, Managing policies for the above network destinations or resources, wherein the policies include connection management, traffic control, connection monitoring, or access service history reporting. In another exemplary embodiment, the security service processor element functions that may be executed within the secure execution environment include managing policies for one or more roaming access networks. As another exemplary embodiment, the security service processor element functions that may be executed within a secure execution environment may include communication activity in one or more device I / O connections, including one or more 2G, 3G, 4G and / or other I / And monitoring and reporting the results. In some embodiments, the security service processor element functions that may be executed within the secure execution environment include communication activities in one or more device I / O connections, including one or more 2G, 3G, 4G and / or other I / Monitoring, classification (e.g., identifying applications and / or network destinations in connection with I / O port activity), and reporting. In some embodiments, a service controller located in a network provides a set of policy instructions stored in a secure execution environment by passing them over a secure communication link to a secure service processor element as described herein. In some embodiments, such policy enforcement operations, including reporting, may include sending a report to a service controller located on the network over a secure communications link to a secure execution environment as described herein for further processing of the reports . In some embodiments, sending a report to a security enforcement entity, which is located in a network via a secure communication link, to a security enforcement environment may include authenticated security sequencing and receipt protocols as described herein.

As another exemplary embodiment, the security service processor element functions that may be executed within the secure execution environment may include one or more of the following: (i) 2G, 3G, and 4G application access policies (e.g., (E.g., by blocking one or more other I / O ports, such as blocking, adjusting, deferring for later transmission, applying a given QoS level), or service usage history (and / or Ethernet, WiFi, USB, FireWire, Bluetooth or NFC) A security application manager that identifies traffic associated with a particular application or a group of applications that manage one or more of the applications (e.g., historical reports for application access); (ii) Whether to allow the application to work or to allow the application to work (Iii) 3G and 4G application access (and / or application access, or service usage history reporting for one or more other I / O ports) to a network access policy and device set by the service controller (Iv) 3G and 4G network traffic classified and handled according to 7-tier destination and network busy status, as well as application identifiers, 3/4 tier destinations. In some embodiments, securing these service processor functions may be increased by: (i) enabling the service processor to obtain a similar level of protection from the described hacking and malicious software for lower levels of stack processing, (E. G., The DDR processor SEE implementations described herein) with the various operating environment techniques described in U.S. Pat. ) And modem antenna connections to protect or guard against unauthorized tampering or tampering with the device's malicious software and (iii) to implement sufficient security or protected memory and more complex data path handling functions Provide sufficient security execution environment CPU cycles.

In some embodiments, secure communication between a device-based security service processor element operating in a secure execution environment in a network-based service controller and a device connected to a wide area access network is performed by one or more I / O ports (e.g., 2G (Or I / O ports including, but not limited to, 3G, 4G, Ethernet, WiFi, USB, FireWire, Bluetooth or NFC) Where the secure communication includes a secure message receipt feedback loop. In some embodiments, if the secure message feedback loop is interrupted, a security service processor element secure communication channel error condition is detected and activated. In some embodiments, the ordered sequence of security service processor element I / O activity reporting is communicated to the service controller using a signed or encrypted communication channel, and if the ordered sequence is interrupted or tampered with, Processor element security The communication channel error condition is detected and activated. In some embodiments, the service controller observes the integrity of the ordered sequence of security service processor element I / O activity reports to determine whether device data records are tampered with or are missing. In some embodiments, if the security service processor element determines that the I / O activity monitoring records are tampered with or not missing, the service controller returns a signed or encrypted I / O activity monitoring log receipt message. In some embodiments, if the security service processor element determines that the I / O activity monitoring records are unauthorized manipulation or missing, the service controller either returns an error message or receives a signed or encrypted I / O activity monitoring record receipt message . In some embodiments, if the security service processor element receives an error message from the service controller, or receives a signed or encrypted I / O activity monitoring log receipt message within a certain period of time or a certain number of transmitted I / O activity monitoring (I) a device configuration error message is generated for delivery to a security manager or a server, and / or (ii) the wireless network connections or other I / O connections or one or more of the ports of the wireless communication device are blocked or limited to a predetermined set of secure destinations. In this way, if a device security service processor element, a device operating environment, a device operating system, or a device software does not comply with expected or permitted policies, A device configuration error message may be generated, or a device wireless network connection or other I / O connection connection may be restricted or blocked. These embodiments may be useful in securing device based network connection (or I / O control) policies and may also be useful in identifying any malicious software present in device software or devices that are tampered with. In some embodiments, the restriction in wireless network connections or other I / O connections results in a resource sufficient to allow additional analysis or troubleshooting of a limited number of network destinations or device configuration error conditions.

In some embodiments, a security service processor element executing in a secure execution environment and communicating with a service controller via a secure communication link comprising a secure message receipt feedback loop may observe the device application and / or I / O port activity , Generates one or more of the following device activity reports: service usage reports, service usage reports including service usage classifications, application service usage reports, network destination service usage reports, service usage including network type identifiers Service usage reports including location identifiers, application access monitoring reports, application access service history reports, application activity monitoring reports, device driven environment monitoring reports.

In some embodiments, a security service processor element executing in a secure execution environment and communicating with a service controller via a secure communication link comprising a secure message receipt feedback loop may observe the device application and / or I / O port activity , And generates a roaming network service usage report.

In some embodiments, the service controller observes security service processor element I / O activity logs to determine if the device complies with service controller policy conditions. In some embodiments, determining whether a device complies with a service controller policy condition includes verifying that the device security service processor element is properly implementing a device policy. In some embodiments, the device policy to be verified is a network access service policy enforcement set. In some embodiments, the device policy to be verified is a network access service policy enforcement set that includes a network access service plan policy enforcement set and is a set of policies for one or more network access control or traffic control, network application control, network destination control , Network billing or history reporting, and network service usage notification. In some embodiments, the verified device policy may be used to determine whether the device application activity matches a predetermined set of policies (e.g., whether the applications connecting to the network or other I / O ports are all permitted applications Or to determine whether applications connecting to the network or other I / O ports behave according to expected policy behavior). In some embodiments, the device policy verification includes whether the device is connected to authorized or unauthorized networks. In some embodiments, device policy validation may be performed to determine whether a device communicates specific content over one or more allowed wireless connections or other I / O ports, or for a particular one or more wireless networks or I / And whether the content is communicated. In some embodiments, device policy validation includes whether a device communicates a particular content over a secure link that is allowed on one or more wireless connections or other I / O ports, or communicates a particular content on a non-secure link. In some embodiments, device policy verification includes whether the device is communicating from an allowed location or from an unacceptable location. In some embodiments, the device policy verification includes whether or not the device operating environment monitoring reports indicate that there is no malicious software or faulting condition in the device operating environment.

In some embodiments, the security service processor elements 1604 are implemented within a secure execution environment (data path security zone 140) located on the SIM card. The various embodiments and related discussions described with reference to Figures 9, 10, and 11 can be implemented by replacing the DDR processor 114 simply by security service processor elements, as understood by those skilled in the art, Facilitates the implementation of security service processor elements 1604 in the SIM card by adjusting the example descriptions. This allows complex device wide area network access control or billing functions to be implemented in a SIM card that can be controlled and distributed by a network operator, as described in the context of various security service processor element embodiments.

Additional embodiments are now provided for various aspects of DDR processor functional operations.

DDR  Firmware installation, security Credentials  Configuration and update

12 shows a flowchart of a secure boot sequence in accordance with some embodiments. In some embodiments, the system (e.g., any APU, SIM and / or MPU in which the DDR is embedded in the wireless communication device) 1204 is reset and / or powered up at 1202, By executing a secure boot (for example, by executing a secure boot code). As part of the secure boot, the initialization routine is performed to configure the system parameters (e.g., to configure the registry to secure the secure domain, such as HW / firmware firewall memory) to establish secure / normal domain boundaries and interfaces. The secure boot code also has a connection as a source of trust hidden in all other firmware / software. At step 1206, a public key authentication step is performed where the secure boot downloads and verifies its own public key (e.g., using a hashing technique) Key. At 1208, the secure boot proceeds with the download and verifies / authorizes the digital signature of all security software packages (e.g., including the DDR processor including the DDR generator) before allowing the normal software routines to be downloaded. For example, this may be done using a chain of trust that is made at the origin of trust. At 1210, the secure boot determines if all signatures are properly authorized. If any of the digital signatures fails, the secure boot may be initiated as indicated at 1202 (e.g., the watch dog timer expires) and / or until the platform is urgently transferred to the new image And is maintained in a rest state as shown at 1212 until no. If all of the digital signatures are properly authorized, the secure boot proceeds from 1214 to another download (e.g., including the application). Normal operation proceeds and a secure boot is completed at 1216. It is determined in step 1218 whether there is a new image. If not, normal operation continues at 1216. When a new security software image is downloaded (e.g., an image is stored in a new area of flash memory with a " security " flag set), the system has a secure boot to read a new image (e.g., based on the flag) It can return to the reset state and accept the digital signature of the image before it becomes the current image.

Service processor and DDR  Mailbox communication channel between processors

FIG. 13 illustrates a functional diagram for passing DDR Service Processor mailbox messages between secure and non-secure memory areas in accordance with some embodiments. In some embodiments, the logical communication channel between the DDR processor 1314 and the service processor 1312 may be used to communicate secure DDR messages (e.g., DDR message bundles) to the service controller (e.g., Via a network). In some embodiments, such logical communication channels have been mentioned in the various embodiments described herein as DDR mailbox data functional elements / blocks. For example, for ease of implementation, it is assumed that the DDR processor does not have its own IP address and can only use its logical channel to send its message through the service processor to the service controller. The logical channel may be based on a shared memory (e. G., Normal domain) architecture, represented generally as area shared memory 1310. [ As described herein with respect to various embodiments, the DDR messages are encrypted and can only be decrypted by the service controller. This logical channel can also be used for the service controller to transmit new DDR software updates.

In some embodiments in which the DDR processor is located in the APU, the shared memory may be connected through both the service processor and the DDR processor using the direct memory access (DMA) engine of the APU.

In some embodiments where the DDR processor is located in the MPU, the modem interface is provided to support additional logical channels (e.g., USB endpoints for 2G / 3G / 4G) to meet these requirements. In some embodiments, the logical channel is piggybacked on top of the existing configuration and status channel providing the control channel between the APU and the MPU.

DDR  Processor Record Generator

In some embodiments, the DDR record covers the measurement period. Measuring periods are generally adjacent without periods of traffic between periods, which means that the next period begins immediately after the end of the current period. At the beginning of the period, all previous DDRs are deleted. During the period, the table of DDRs grows because each observed IP flow makes entries in the table. The period ends when the DDR store exceeds a predefined limit or DDR reporting is requested by the service processor. DDR data that has not yet been sent to the service processor application remains in memory during power cycles and battery power.

In some embodiments, at the end of the measurement period, the DDR report is prepared by the DDR processor and transmitted to the service processor. For example, various secure communication and / or cryptographic techniques may be used to ensure that the content of the report is kept confidential and that any unauthorized manipulation of the DDR report will be detected by the service controller.

In some embodiments, the report also includes time stamps that identify the beginning and end of the measurement period. The time stamp is calibrated and verified through a periodic handshake with the service controller to ensure that the DDR processor time base is unchanged. Data compression is used to minimize the size of the report.

In some embodiments, each DDR reporting message includes a unique sequence identifier that allows the service controller to determine whether any DDRs are blocked from the sequence. The report is stored by the service processor for further processing to the service controller. Data stored by the service processor remains in the memory during power cycles and battery power.

In some embodiments, the DDR processor is located in a modem where a secure DDR usage report is sent to a service processor (e.g., a communications agent in the service processor) that is sent to the service controller.

DDR  Processor connection controller

Figure 14 illustrates a flow diagram for DDR processor service controller session authentication and verification in accordance with some embodiments. In some embodiments, the DDR processor includes an access controller function (e.g., a connection controller). In some embodiments, at reset and / or power-up, a DDR processor connection control function, such as a connection controller, limits network access (e.g., only a small number of preconfigured IP addresses and / / Host name that includes wireless service provider services).

In some embodiments, the access controller ensures that the service processor accurately communicates the DDRs to the service controller. If the DDR flow is interrupted or tampered, the access controller blocks the cellular (e.g., or managed WiFi) wireless network connection until the proper DDR flow is restored. In some embodiments, the network access restriction is only applied to networks having network access services maintained and managed by the network operator. For example, these functions may be disabled for WiFi connections that are not managed by the network operator.

In some embodiments, once the modem is authenticated via AAA (e.g., via a PPP session), after initial power-up and / or after recovery from a power save, (E.g., based on a set of IP addresses / host names and / or other criteria) until it gets feedback from the service controller. Also, while traffic is running and the DDR processor is transmitting DDR records / reports, it is constantly expected to receive secure DDR ACK frames to allow open access, otherwise it will re-enter the restricted access state.

Referring now to FIG. 14, at reset and / or power-up after the initial power-up or power-save mode, the process begins as indicated at 1402. At 1404, the connection controller limits network connections to limited flows (e.g., configured or preconfigured within a secure area). At 1406, the connection controller waits for feedback from the service controller to the open network connection. At 1408, it is determined whether feedback is received from the service controller. If not, the process returns to 1406 and continues to wait for feedback from the service controller. If feedback is received (e.g., and the secured service controller feedback is properly verified and / or approved as described herein), the access controller opens the network connection and the DDR reports are sent at 1410 Start. At 1412, it is determined whether a DDR ACK frame is received in response to such DDR report (s). If not, the process returns to 1404 and the network connection is restricted. If a DDR ACK frame is received (e.g., and the secure DDR ACK frame is properly verified and / or approved as described herein), the access controller continues to maintain an open network connection at 1414 And transmits DDR reports.

DDR  Processor network busy status ( NBS ) monitoring

In some embodiments, network busy status (NBS) monitoring may be used to monitor information in a network busy state (e.g., or in a network congested state) to a service controller for storage, network congestion analysis, and / And / or securely reporting, and controlling policy security objectives. For example, NBS monitoring can perform one or more of the following functions in SEE: active network information (e.g., active network type, home / roaming, current carrier, base station, and / or base Station sector); Monitor network access attempts and successes; Monitoring network speed; Monitoring round trip delay time; Monitoring packet error rate; Implementing an algorithm to classify busy status of the monitoring network to modem performance parameters (e.g., RF channel, RF signal strength and diversity, SNR, original modem bit rate, original modem bit error rate, and / or channel bandwidth); And network busy status history within DDRs.

DDR  Connection and security of secure communication channel between processor and service controller

In some embodiments, connecting and securing a secure communication channel between the DDR processor and the service controller is provided as described below. The DDR processor has a unique secret / public key pair and a digital certificate (cert) that proves that the public key is genuine. The service controller has its own secret / public key pair. Its public key is well known and included in the DDR processor code image. The DDR processor sends its public key and credentials to the service controller, which in turn executes a key exchange process that authenticates each other and results in a shared secret session key. The DDR processor uses the session key to encrypt the DDR reports it sends to the service controller and to attach an integrity check to the message it sends to the service controller. The service controller uses the session key to attach an integrity check to the message it sends to the DDR processor.

As will be apparent to those skilled in the art in view of the various embodiments described herein, various other secure communication and encryption techniques are used to provide for secure connection and connection of secure communications between the DDR processor and the service controller.

APU / MPU  In the implementation DDR  Processor and DPSV  Connection and security of secure communication channel between

In some embodiments, connecting and securing a secure communication channel between a DDR processor and a DPSV in an APU / MPU implementation is provided as described below. The DPSV has a unique secret / public key pair and a digital certificate (cert) that proves that the public key is genuine. The DDR processor has a unique secret / public key pair and a digital certificate (cert) that proves that the public key is genuine. The DPSV and DDR processor exchange the public keys and certificates to perform a key exchange process that authenticates each other and results in a shared secret session key. The DDR processor receives upstream network data flows from the device OS networking stack and uses the session key to attach an integrity check to each upflow data message it sends to the DPSV. The DPSV intercepts the upstream flow data path information that does not have a valid integrity check from the DDR processor and informs the DDR processor that it is receiving invalid upstream data so that the DDR processor can notify the service controller of possible fraud events. The DPSV receives downlink network data flows and attaches an integrity check to each downflow data message it sends to the DDR processor using the session key. Each downlink flow data message is arranged such that the data message can not be blocked or replayed without being detected by the DDR processor. If the DDR processor receives a downflow data message with an invalid integrity check, the DDR processor rejects the message and notifies the service controller of possible fraud events. The DDR processor acknowledges each un-denied downstream data message in the next upflow data message it sends to the DPSV. If the DPSV stops receiving downflow data message acknowledgment, it blocks downstream network data flows and informs the DDR processor that the DDR processor is able to notify the service controller of possible fraud events. The DDR processor securely transmits the DDR reports to the service controller by the service processor as described herein. DDRs transmitted from a DDR processor to a service controller are integrity checked and arranged in a way that can not be tampered with or redone. A set of unique DDR reporting sequence identifiers and an authentication session between the service controller and the DDR processor coupled with the authentication session keep alive timer are used to maintain and verify a secure connection between the DDR processor and the service controller. If a secure session or flow of DDR records between the DDR processor and the service controller is interrupted, the access controller function in the DDR processor will restrict access to the 2G, 3G or 4G modem data path to the network destination, It becomes necessary to reset the authenticated session.

As will be apparent to those skilled in the art in view of the various embodiments described herein, various other secure communication and security technologies may be used to provide and secure a secure communication channel between the DDR processor and the DPSV in the APU / MPU implementation .

DDR  Processor OEM  Security Requirements for Programming

In some embodiments, code signing for a DDR processor is provided. In particular, the DDR processor code image is digitally signed by the device OEM. The signature is verified by the secure boot loader using a fixed public key embedded within the secure boot loader code image. This enforces security requirements that drive the security code-signing function in which the OEM maintains the confidentiality of a fixed signing key. OEMs ensure that only authorized personnel can access code signing functionality and that they do so only for legitimate DDR processor images.

In some embodiments, a random seed for the DDR device secret key is provided. In particular, when manufacturing a device, a secret / public key pair called a DDR device key is granted. The DDR device key is unique to each device and is used to establish a secure communication link to the service controller. For example, a DDR device key may be a Diffie-Hellman key pair with a 1024-bit modulus, a 1024-bit base, and a 128-bit private exponent. The secret exponent of the DDR device key (DDR device secret key) is unique to each device and is stored, for example, in 128 bits of on-chip nonvolatile memory (e.g., OTP memory) in the SEE. The modulus and bass are common to all devices and are embedded within the DDR processor image. The open portion of a DDR device key (e.g., DDR device public key) is not permanently stored: instead, it is calculated by the DDR processor using modulus, base and secret exponent. The DDR processor includes a factory initialization routine that is executed while the device is initialized and tested at the factory. The factory initialization routine generates the DDR device secret key and programs it into the nonvolatile memory of the SEE. The DDR device secret key never connects to the DDR processor without leaving the device. The factory initialization routine computes the DDR device public key and sends it to the factory tester. For example, a factory tester can provide a 128-bit random string that is used by the factory initialization routine as a seed to generate a DDR device secret key. This requires the factory tester to include or have a connection to a high quality random bit source. Various suitable methods may be used, such as FIPS 140-2 (" deterministic random number generator "), which is seeded with the output of a hardware random source.

In some embodiments, at the time of device fabrication, a digital certificate called a DDR device certificate is given to the device. The DDR device credentials are unique to each device and are used to establish a secure communication link with the service controller. The contents of the DDR device certificate include the DDR device public key. The DDR device certificate is signed by issuing a certificate authority, and the signature is verified by the service controller when establishing the secure link. The DDR device credentials are not sensitive information, and may be stored, for example, in either on-chip or off-chip non-volatile memory. The OEM issues a DDR device certificate for the DDR device public key that is exported by the factory initialization routine, which implements the security requirements that the OEM operates or has access to. If the OEM chooses to connect to the CA from outside, the OEM's primary obligation is that only authenticated personnel can request proof and do so only for devices with DDR device public keys that are legitimately exported by the FI routine . If the OEM chooses to operate the CA, the OEM has an additional obligation to maintain the security of the CA, especially the CA's fixed key that signs the certificate.

As will be apparent to those skilled in the art in view of the various implementations described herein, various other security technologies may be used or desired for OEM programming for DDR processors.

15 illustrates a flow diagram for secure device data writes for implementing Device Supported Services (DAS) in accordance with some embodiments. At step 1502, the process begins. (E.g., using DAS client-based monitoring techniques, including various techniques described herein for implementing, for example, secure DDRs). At 1506, secure device data records of the monitored service usage of the wireless communication device using the wireless network are generated. In some embodiments, each device data record is one of an ordered sequence of device data records having each sequential device data record providing a history of service usage for a service usage interval encompassed by the device data record, The device data record is associated with a secured unique sequence sequence identifier. At 1508, device data records (DDRs) are adjusted and verified using various tuning and verification techniques described herein. For example, DDRs can be verified using a unique sequence sequence identifier (e.g., various other integrity verification based techniques, as described herein for various embodiments). As another example, the DDRs can be configured to compare service processor reports (e.g., 7-tier classification reports) and / or network-based service usage reports (e.g., 7-tier classification reports), as described herein with respect to various embodiments For example, network flow records, such as CDR or IPDR, to other service usage reports. At 1510, the process is terminated (e. G., Can be repeated for continued service usage monitoring).

Exemplary service policy validation combinations

In some embodiments, the communication device includes: one or more communication I / O ports, at least one of which is a wide area network connection port; A repository for storing device communication activity policies; A secure execution environment that is not accessible by user application software; To monitor device data communication activity at one or more device I / O ports so that the device policy enforcement client performs the device communication enforcement policy in a secure environment. One or more secure data path processing agents configured to generate a device data record summarizing an aspect and to forward device data records to a network element via a trusted communications link to a wide area network connection port; And a trusted data path between one or more secure data path processing agents and one or more I / O ports that can not be accessed by the device user application software. In some embodiments, the data path is trusted because data tampering or modification in the data path is detectable. In some embodiments, intermediate elements in the data path can not be modified or tampered with data without detection. In some embodiments, the data path is trusted because the data being transmitted on that path is signed. In some embodiments, a trusted data path between one or more secure data path processing agents and one or more I / O ports is also configured to secure communication by encryption.

In some such embodiments, the trusted communication link includes a secure message receipt feedback loop.

In some embodiments, the one or more secure data path processing agents are also configured to limit the connection of one or more device I / O ports, and if the secure message accept feedback loop indicates an error, Limit the connection of the above device I / O ports. In some embodiments, the restriction of the connection for one or more device I / O ports allows communication to a network element that is configured to provide an error handling service to the device if there is a security message receipt feedback loop error condition.

In some embodiments, the communication device receives a device communication activity policy from a network element. In some embodiments, the device communication activity policy includes an application activity monitoring policy. In some embodiments, the device communication activity policy includes a network destination, address, or resource monitoring policy.

In some embodiments, the information suitable for the device policy enforcement client to verify that it properly implements the device communication activity policy includes communication activity records for one or more device I / O ports.

In some embodiments, the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by the application processor. In some embodiments, the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by the operating system or security compartment software. In some embodiments, the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by the modem processor. In some embodiments, a secure execution environment and one or more secure data path processing agents are located on the SIM card.

In some embodiments, the wide area network is a wireless network, and the information suitable for the device policy enforcement client to verify that it properly implements the device communication activity policy includes wireless network service usage records.

In some embodiments, the wide area network is a wireless network and the device communication activity policy includes a network access control policy for the wireless network. In some such embodiments, the wireless network access control policy is a set of one or more control policies for one or more applications operating on the device. In some embodiments, the wireless network access control policy is a set of one or more specific access control policies for one or more network destinations, addresses or resources accessible on the wireless network. In some embodiments, the wireless network is a roaming network, and the network access control policies are specific to device roaming network connection conditions and define policies different from home network connection conditions.

In some embodiments, the wide area network is a wireless network and the device communication activity policy includes a network access service usage history reporting policy for a wireless network. In some such embodiments, the network access service usage history reporting policy is a set of one or more service usage history reporting policies for one or more applications operating on the device. In some embodiments, the network access service usage history reporting policy is a set of one or more service usage reporting policies for one or more network destinations, addresses, or resources accessible to the wireless network. In some embodiments, the wireless network is a roaming network, and the network access service usage history reporting policy is specific to device roaming network connection conditions and defines home network connection conditions and other service usage history reporting policies. In some such embodiments, the device communication activity policy includes requesting access network service cost recognition or payment indication from the device user and limiting the device roaming network access rights if the user does not provide a service cost recognition or payment indication .

In some embodiments, the network system includes: a memory configured to store a device communication activity policy; A trusted communication link over a wide area network to one or more secure data path processing agents; A communication link over a wide area network to a device policy enforcement client; And a policy verification processor configured to: (i) store device data records, (ii) receive device data records from a communication device over a trusted communication link, (Iii) determining whether the device policy enforcement client properly implements the device communication activity policy; and (iii) determining whether the device communication enforcement client properly implements the device communication activity policy. And (iv) the analysis is configured to take an error handling action if the device policy enforcement client indicates that it does not properly implement the device communication activity policy.

In some such embodiments, the trusted communication link includes a secure message receipt feedback loop. In some embodiments, the network system communicates with the device when an error condition exists in the secure message receipt feedback loop, when displaying an error condition for the management or error tracking system, and when analyzing the error or providing an error message to the device user And an error processing processor for detecting when the error occurs.

In some embodiments, the network system communicates device communication activity policies to the device. In some embodiments, the device communication activity policy includes an application activity monitoring policy. In some embodiments, the device communication activity policy includes a network destination, address, or resource monitoring policy.

In some embodiments, the information suitable for verifying that a device policy enforcement client properly implements a device communication activity policy includes communication activity records for one or more device I / O ports.

In some embodiments, the wide area network is a wireless network, and the information suitable for verifying that the device policy enforcement client properly implements the device communication activity policy includes device wireless network service usage records.

In some embodiments, the wide area network is a wireless network and the device communication activity policy includes a network access control policy for the wireless network. In some such embodiments, the wireless network access control policy is a set of one or more control policies for one or more applications operating in the device. In some embodiments, the wireless network access control policy is a set of one or more specific access control policies for one or more network destinations, addresses or resources accessible to the wireless network. In some embodiments, the wireless network is a roaming network and the network access control policy is specific to the device roaming network connection conditions and defines policies different from home network connection conditions.

In some embodiments, the wide area network is a wireless network and the device communication activity policy includes a network access service usage history reporting policy for the wireless network. In some such embodiments, the network access service usage history reporting policy is a set of one or more service usage history reporting policies for one or more applications operating on the device. In some embodiments, the network access service usage history reporting policy is a set of one or more service usage reporting policies for one or more network destinations, addresses or resources accessible to the wireless network. In some embodiments, the wireless network is a roaming network and the network access service usage history reporting policy specifies device roaming network connection conditions and defines home network connection conditions and other service usage history reporting policies.

Example combination using an incoming feedback loop

In some embodiments, the communication device comprises: one or more I / O ports, at least one of which is a wide area network connection port; A security execution environment that can not be accessed by user application software; (i) to run in a secure environment, (ii) to monitor communication activity for one or more device I / O ports, (iii) to generate device data records summarizing aspects of device I / O port communication activity , (iv) communicate the device data record to the network element via a trusted communication link to the wide area network connection port, and the trusted communication link comprises a secure message receipt feedback loop, wherein one or more secure data path processing agents (V) track successful data transmissions received from the network element and the transmitted device data records, and (vi) ) If one or more successful transmission receipt One or more secure data path processing configured to limit the connection of one or more I / O ports if not received for corresponding transmitted device data records within a particular event interval after transferring the device data record to a network element on the network Agents; And a secure data path between one or more secure data path processing agents and one or more I / O ports that can not be accessed by the device user application software. In some such embodiments, the restriction of connection to one or more device I / O ports allows the communication device to communicate with a network element that is configured to provide an error handling service to the device if there is a security message receipt feedback loop error condition . In some such embodiments, the specific event interval includes a period, a number of transmitted records, or communication with many network elements.

In some embodiments, the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by the application processor. In some embodiments, the secure execution environment and the one or more secure data path processing agents are located in a secure execution partition controlled by the modem processor. In some embodiments, a secure execution environment and one or more secure data path processing agents are located on the SIM card.

In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device application connection activity. In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device network connection activity. In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device content communication activity.

In some embodiments, the network system includes: a trusted communication link to a wide area network to one or more secure data path processing agents for receiving device data records, wherein the device data records are stored in a device I / O port Wherein the trusted communication link comprises a secure message receipt feedback loop and the network based system includes a summary of aspects of the communication activity for one or more A trusted communication link transmitting to the secure data path processing agent; And a storage system for storing device data records. In some embodiments, the network system further includes an error handling processor that detects when an error condition exists in the secure message receipt feedback loop, and after detecting an error, when the error condition is indicated by the management or error tracking system . In some embodiments, the network system includes a system for communicating with a device during an error condition to analyze an error condition or to provide an error message to a device user.

In some embodiments, the network system further comprises a device data record analyzer that is configured to: (i) store a device I / O port communication activity policy that includes an acceptable device I / O port communication behavior , (ii) compare I / O port communication activity policies with device data records, and (iii) display device data records indicating I / O port communication activities outside the behavior limits specified in the I / O port communication activity policy The I / O port activity error condition.

In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device application connection activity. In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device network connection activity. In some embodiments, aspects of the device I / O port communication activity summarized in the device data record include a summary of device content communication activity.

SIM  Example combinations using cards

In some embodiments, the communication device includes: one or more communication I / O ports, including at least a wide area network connection port; A repository for storing device communication activity policies; (I) a security execution environment that is not accessible by user application software, (ii) a device that is configured to execute in a secure execution environment and to communicate with a device to one or more I / O ports One or more secure data path processing agents configured to operate in data path communications, and (iii) a trusted data path link for data path communications from one or more secure data path processing agents to one or more I / O port modems Wherein the one or more I / O port modems are configured with a trusted data path link that includes a secure modem processor execution environment that is not accessible by user application software. In some embodiments, one or more secure data path processing agents are also configured with trusted communication links to network elements for wide area network connection ports.

In some such embodiments, the device communication activity policy is a device I / O port communication reporting policy, and the one or more secure data path processing agents are configured to: (i) monitor and / or monitor communication activity performed on one or more I / (Ii) make a device data record summarizing communication activity, and (iii) transmit device data records to the network element on a trusted communication link. In some embodiments, monitoring and / or reporting of communication activity includes monitoring data usage. In some embodiments, the monitoring and / or reporting of data usage includes a classification of network destinations to be connected in association with data usage. In some embodiments, the monitoring and / or reporting of data usage includes a classification of device applications that generate data usage. In some embodiments, monitoring communication activity includes monitoring roaming service usage. In some embodiments, monitoring communication activity includes monitoring service usage for one or more QoS classes. In some embodiments, monitoring communication activity includes monitoring voice usage.

In some embodiments, the service processor is also configured to collect application information from the device agent.

In some embodiments, the device communication activity policy is a device I / O port communication control policy and the service processor is configured to: (i) monitor communication activity performed at one or more I / O ports; and (ii) Lt; RTI ID = 0.0 > I / O < / RTI >

In some embodiments, the communication control policy specifies a control policy for one or more network destinations. In some embodiments, the communication control policy specifies a control policy for one or more device applications. In some embodiments, the communication control policy specifies a control policy for the roaming network. In some embodiments, the communication control policy specifies a control policy for the QoS class of service.

In some embodiments, trusted data path communications between one or more secure data processing agents and one or more I / O port modems are secured by signing or by encrypting with a shared key. In some embodiments, the one or more secure data path processing agents are also configured with a trusted communication link to the network element for the wide area network connection port, and the shared key is obtained from the network element.

Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

Claims (28)

As a network system,
A memory configured to store a device communication activity policy applicable to at least a first of the plurality of mobile end user devices;
Maintaining separate secure data channels between each of the plurality of mobile end user devices and the service controller and providing each sequence of DDR generated by a Device Data Record (DDR) generator operating in each device to each channel Wherein each DDR sequence comprises information executed by a secure DDR generator for data communication activity of each mobile end user device; And
Includes a policy validation processor,
The policy validation processor, for the first mobile end user device,
Analyzing data communication activity information from one or more received DDRs of the sequence of DDRs generated by the secure DDR generator of the first mobile end user device,
Determining whether the first mobile end user device is operating or operating according to the device communication activity policy based on the analysis result indicating the unexpected policy action,
And to initiate an error handling operation if the first mobile end user device determines that it has not operated or has not operated in accordance with the device communication activity policy. The method according to claim 1,
Determining whether the first mobile end user device is operating or operating in accordance with the device communication activity policy comprises determining that the policy enforcement client at the first mobile end user device does not correctly implement the device communication activity policy Network system. The method according to claim 1,
Wherein the secure DDR generator operates on a first mobile end user device. The method of claim 3,
A secure DDR generator operating on the first mobile end user device may encrypt the DDR and then submit the encrypted DDR to an unsecured area of the first mobile end user device for transmission to the service controller via the secure data channel And the service controller decrypts the encrypted DDR. The method of claim 3,
Wherein the secure DDR generator operating in the first mobile end user device performs an authentication protocol alternation sequence with the service controller prior to sending the secure DDR to the service controller. The method of claim 3,
The secure DDR generator executes information for data communication activity of the first mobile end user device to create an ordered sequence of DDRs, and each DDR in the sequence terminates the use of the wireless network service for the service usage interval covered by the DDR Wherein the network system provides no historical accounting. The method according to claim 1,
Wherein the policy validation processor and the service controller operate on the same hardware device. The method according to claim 1,
Wherein the analysis results include a fraud detection error flag set by the policy verification processor if the analysis of the one or more received DDRs indicates that the information in the DDR is not configured according to a prescribed protocol. The method according to claim 1,
Wherein the analysis results include a fraud detection error flag set by the policy verification processor if the analysis of the one or more received DDRs indicates that one or more DDRs have been lost in the expected sequence. The method according to claim 1,
The analysis results indicate that if the analysis of one or more received DDRs indicates that the data communication activity information in one or more received DDRs can not be coordinated with the second source of service usage information then the fraud detection error flag set by the policy verification processor The network system. The method according to claim 1,
Wherein the analysis result indicates an unexpected policy action if the data communication activity information indicates that the application is connected to the network and the device communication activity policy indicates that the application does not allow the network to access the network. The method according to claim 1,
Wherein the analysis result indicates an unexpected policy action when data communication activity information indicates that one or more applications are connected to the network in a manner not allowed by a device communication activity policy. The method according to claim 1,
Wherein the analysis result indicates an unexpected policy action if the data communication activity information indicates that the device is connected to a network that is not allowed by the device communication activity policy. The method according to claim 1,
Wherein the analysis result indicates an unexpected policy action when the data communication activity information indicates that the device communicates its specific content via a network that does not allow specific content by the device-initiated policy. system. The method according to claim 1,
The analysis results indicate that if the data communication activity information indicates that the device communicates a particular content over an unsecured link and the device communication activity policy indicates that certain content needs to be communicated over the secure link, Wherein the network behavior is indicative of policy behavior. The method according to claim 1,
Wherein the error handling operation comprises a network access restriction for a first mobile end user device. The method according to claim 1,
Wherein the error handling operation comprises a notification of at least one of a user of the first mobile end user device and a network administrator. delete delete delete delete delete delete delete delete delete delete delete

Images