US20230216878A1 - Threat prevention by selective feature deprivation - Google Patents
Threat prevention by selective feature deprivation Download PDFInfo
- Publication number
- US20230216878A1 US20230216878A1 US18/068,672 US202218068672A US2023216878A1 US 20230216878 A1 US20230216878 A1 US 20230216878A1 US 202218068672 A US202218068672 A US 202218068672A US 2023216878 A1 US2023216878 A1 US 2023216878A1
- Authority
- US
- United States
- Prior art keywords
- computing system
- token
- features
- deprivation
- cause
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002265 prevention Effects 0.000 title description 5
- 238000009795 derivation Methods 0.000 claims abstract description 26
- 238000000034 method Methods 0.000 claims abstract description 20
- 238000005516 engineering process Methods 0.000 claims abstract description 11
- 238000012545 processing Methods 0.000 claims description 44
- 238000003860 storage Methods 0.000 claims description 27
- 238000004519 manufacturing process Methods 0.000 claims description 13
- 238000013461 design Methods 0.000 claims description 12
- 230000004044 response Effects 0.000 claims description 12
- 230000007257 malfunction Effects 0.000 claims description 7
- 238000009826 distribution Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 12
- 230000015654 memory Effects 0.000 description 12
- 238000007726 management method Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 9
- 238000013500 data storage Methods 0.000 description 9
- 238000012360 testing method Methods 0.000 description 8
- 238000004146 energy storage Methods 0.000 description 6
- 230000009471 action Effects 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000000116 mitigating effect Effects 0.000 description 4
- 230000008520 organization Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000001514 detection method Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000003491 array Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 230000008878 coupling Effects 0.000 description 2
- 238000010168 coupling process Methods 0.000 description 2
- 238000005859 coupling reaction Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000013403 standard screening design Methods 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 241000208140 Acer Species 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000003139 buffering effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000006837 decompression Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 230000003116 impacting effect Effects 0.000 description 1
- 208000015181 infectious disease Diseases 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001902 propagating effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000000717 retained effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001502 supplementing effect Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
Definitions
- Embodiments relate generally to computer security, and more particularly, to preventing threats by selective feature deprivation in computing systems.
- Disadvantages of the ‘compensating controls’ model include that it is often complex to define a ‘virtual patch’, as it requires understanding an exploit and devising an effective pattern matching and/or heuristics solution in a way that does not create false positives (e.g., impacting the system) or false negatives (e.g., allowing exploitation); suitable network security infrastructure between vulnerable computing systems and potential infection sources is not always available; and if the attack is performed over encrypted protocols (e.g., transport layer security (TLS)), the efficacy of network security requires suitable decryption operations, which in most cases is not available.
- TLS transport layer security
- FIG. 1 is a diagram of feature controller system according to some embodiments.
- FIG. 2 is a diagram of a feature deprivation system according to some embodiments.
- FIG. 3 is a diagram of a deprivation token according to some embodiments.
- FIG. 4 is a flow diagram of component manufacturer feature deprivation processing according to some embodiments.
- FIG. 5 is a flow diagram of feature controller processing according to some embodiments.
- FIG. 6 is a schematic diagram of an illustrative electronic computing device to perform component manufacturer feature deprivation processing and/or feature controller processing according to some embodiments.
- Implementations of the disclosure provide a method and system for preventing threats based on known vulnerabilities by making selected features of computing systems affected by those vulnerabilities temporarily unavailable or ‘deprived.’
- Embodiments of the present invention include a computing system, or one or more components of a computing system, pre-configured during a manufacturing step such that one or more features (or sets of features) of the components and/or computing systems are pre-set to be enabled.
- a vulnerability becomes known that affects a feature
- the feature can be selectively disabled (e.g., made unavailable) remotely by a management entity such as a computer system manufacturer or an enterprise information technology (IT) department to prevent attempts to exploit the computing system based on the vulnerability until a permanent solution (e.g., a patch or system upgrade) becomes available.
- a management entity such as a computer system manufacturer or an enterprise information technology (IT) department to prevent attempts to exploit the computing system based on the vulnerability until a permanent solution (e.g., a patch or system upgrade) becomes available.
- IT enterprise information technology
- Embodiments do not rely on detection or analysis of a vulnerability by external logic but enables control of feature deprivation built into the computing system, by external triggers sent to the computing system to activate selective “protected modes” with one or more features disabled.
- the functionality of the one or more features can be restored/enabled once the computing system has been appropriately patched or upgraded, or a time period defined in a deprivation token has expired.
- patching the computing system to address the vulnerability includes re-enabling previously disabled features.
- re-enabling disabled features is performed after a time period defined in a deprivation token has expired.
- re-enabling disabled features is performed by as part of a firmware update.
- re-enabling disabled features is performed by the same mechanism that the features were disabled, but with an indication of enabling the features instead of disabling the features.
- Embodiments may also be used to deprive certain features, or parts thereof such as quality of service levels, even for handling of bugs or mitigating performance issues in computing systems.
- Feature deprivation can be easily triggered by communication of a small deprivation token to affected computing systems, and the feature deprivation action can be taken consciously and simply to prevent exploitation of vulnerabilities in widely deployed computing systems.
- the capability to selectively control feature deprivation being built into the computing system at the time of design and/or manufacturing allows this capability to be tested prior to sale and/or distribution of the computing system and to be used when the computing system is in the field (e.g., operated by users) without extensive testing once a vulnerability becomes known. In some embodiments this allows for better unit testing of features by having the capability to isolate selected components or features throughout the development and testing cycle.
- Some advantages include quick threat prevention; enablement of slower, more structured vulnerability patching; deterrence of potential brand and legal implications which may be caused by such vulnerabilities; the capability for potential mitigations also for non-security issues; broad coverage where a single deprivation token can address multiple vulnerabilities in multiple components, products and versions of firmware (e.g., for situations where individual binary-based patches are required for different firmware and/or components).
- FIG. 1 is a diagram of feature controller system 102 according to some embodiments.
- Computing system 100 may include one or more stationary or portable electronic or handheld electronic devices, for instance desktop computers, smartphones, portable computers, tablet computers, wearable computers, consumer electronics devices (e.g., television sets, stereo equipment, digital video recorders (DVRs), set-top boxes, satellite receivers, etc.), personal computers (“PCs”), network PCs, minicomputers, servers, server blades, mainframe computers, field programmable gate arrays (FPGAs), Internet of Things (IOT) devices, and the like.
- Computing system 100 includes feature controller system 102 to selectively disable and/or re-enable one or more features of the computing system. In an embodiment, disabling one or more features is performed in response to detection of a known vulnerability of the computing system, but the present approach is not limited to this scenario.
- a vulnerability may be any weakness or deficiency in the security of the computing system, such as resulting from a side-channel attack, a race condition exploit, memory corruption, return oriented programming (ROP), buffer overflow, use-before-free, etc.
- ROP return oriented programming
- Computing system 100 includes one or more features, such as feature 1 104 , feature 2 106 , ... feature N 110 , where N is a natural number.
- a feature may be any capability of computing system 100 , whether implemented in firmware or hardware of any component of the computing system.
- a feature may be any capability of a processor and/or computing system that may end up being exploitable. Examples include out-of-order execution, privilege levels and protection domains, speculative execution, software guard extension (SGX) technology commercially available from Intel Corporation, security enclaves, support for various data formats, time-based handshakes between components, virtualization of components, etc.
- SGX software guard extension
- a feature may be any function or capability of firmware running on computing system 100 , such as disabling local area discovery or other functions in Internet Protocol (IP) version 6 (IPv6) or disabling a “system defense” feature of Intel® Active Management Technology (AMT).
- IP Internet Protocol
- IPv6 Internet Protocol version 6
- AMT Intel® Active Management Technology
- Feature controller 108 of feature controller system 102 within computing system 100 includes the capability to receive a notification of a vulnerability and identification of one or more features affected by the vulnerability and to disable the one or more features on any component of computing system 100 .
- feature controller 108 includes the capability to re-enable the disabled one or more features.
- FIG. 2 is a diagram of a feature deprivation system 200 according to some embodiments.
- component manufacturer computing system 202 When a vulnerability affecting one or more features of a component of computing system 100 becomes known, component manufacturer computing system 202 generates a deprivation token 204 to indicate the vulnerability, one or more features to be disabled, and a valid time period for the deprivation of the one or more features to be effective.
- the component affected by the vulnerability is a processor
- the component manufacturer is a processor manufacturer (such as Intel® Corporation for example) whose computing system generates the deprivation token.
- component manufacturer computing system 202 sends a deprivation token 204 to a computing system 206 of the computing system manufacturer (such as Lenovo®, Apple®, Hewlett Packard (HP®), Dell®, Acer®, Asus®, and so on).
- Computing system manufacturer computing system 206 then sends the deprivation token 204 using known communications methods to affected personal computing systems 208 .
- the token is sent to affected computing systems through a management entity such as a converged security management engine (CSME) commercially available from Intel Corporation and through an interface such as the host to CSME controller interface (HECI).
- CSME converged security management engine
- the deprivation token is included in an update to the firmware (e.g., the basic input/output system (BIOS)) of the personal computing systems 208 .
- firmware e.g., the basic input/output system (BIOS)
- component manufacturer computing system 202 sends deprivation token 204 to a computing system 210 of the enterprise IT organization to be deployed to affected managed enterprise computing systems 212 in the organization.
- computing system manufacturer computing system 206 sends the deprivation token 204 to enterprise IT computing system 210 instead of component manufacturer computing system 202 .
- component manufacturer computing system 202 sends the deprivation token directly to one or more personal computing systems 208 and/or enterprise computing systems 212 .
- FIG. 3 is a diagram of a deprivation token 204 according to some embodiments.
- deprivation token 204 is small (e.g., perhaps as small as a few hundred bytes) and does not require an extensive process of designing, testing, validating, signing, provisioning, and supporting like typical patching deployments.
- deprivation token 204 is generated and digitally signed by component manufacturer computing system 202 . In another embodiment, deprivation token 204 is generated and digitally signed by computing system manufacturer computing system 206 .
- Deprivation token 204 includes at least one vulnerability identifier (ID) 302 , a valid time 304 for the deprivation to be effective, one or more feature IDs such as feature J ID 306 , feature K ID 312 , ... feature M ID 318 , and a digital signature 324 . In other embodiments, additional fields may be added to the deprivation token.
- Vulnerability ID 302 uniquely identifies the at least one vulnerability to be addressed by this deprivation token. Vulnerability ID 302 may be repeated for multiple vulnerabilities.
- each feature field includes an enable/disable (E/D) flag indicating whether the feature is to be enabled or disabled.
- E/D enable/disable
- feature J ID 306 includes E/D flag 308
- feature K ID 312 includes E/D flag 314
- ... feature M ID 318 includes E/D flag 320 .
- feature IDs also uniquely identify a version of the feature that is to be deprived.
- each feature field includes a version (VER) indicating feature version. For example, feature J ID 306 includes VER 210 , feature K ID 312 includes VER 316 , ...
- the version field can affect which versions of the feature are affected by processing of the deprivation token.
- the version could signify that the currently indicated (vulnerable) version and all prior versions are affected by the deprivation token, but later versions are not affected by the deprivation token (e.g., once the firmware is updated for a computing system then the deprivation token is not effective for that computing system).
- Digital signature 312 is used to authenticate and/or attest to the validity of the deprivation token 204 using known cryptographic methods.
- valid time field 304 specifies a time period for which disabling of the one or more features is desired. Computing system 100 then disables the one or more features for the specified time period, and then automatically re-enables one or more features after the specified time period has expired.
- the time period defines an elapsed time from reception of the deprivation token (e.g., a relative time).
- the time period specifies an ending time and date (e.g., an absolute time, such as indicating the deprivation token is not valid after the specified time and date).
- both time periods may be specified in the deprivation token.
- a deprivation token when any of the conditions specified by the valid time field 304 are met, the deprivation token becomes ineffective and the features are re-enabled.
- a deprivation token may sent every X days (where X is a natural number) to a plurality of computing systems with X+1 days validity while patching efforts are underway, and the patched computing systems can then be re-enabled without sending additional deprivation tokens.
- a “heartbeat” model may be used whereby component manufacturer computing system 202 periodically sends successive deprivation tokens 204 to computing system manufacturer computing systems 206 and/or enterprise IT computing systems 210 , each deprivation token specifying an applicable time period, and the recipients of the deprivation tokens re-enable the one or more features after the last time period has expired.
- features may be grouped into sets of features for disablement/enablement based on a vulnerability.
- FIG. 4 is a flow diagram of component manufacturer feature deprivation processing 400 according to some embodiments.
- component manufacturer designs and tests the component to work properly even if one or more selected features disabled. This gives the manufacturer confidence that even if a vulnerability is detected in the future that exposes a selected feature to an exploit as a result of the vulnerability, the selected feature can be disabled without causing the component or the computing system 100 to malfunction.
- embodiments of the present invention allow the component manufacturer to “pre-validate” mitigation efforts involving disabling features of components already in the stream of commerce in response to future detection of vulnerabilities. This capability may be used to enhance unit testing and validation.
- a component manufacturer operating component manufacturer computing system 202 determines that a vulnerability exists for one or more features of a component developed by component manufacturer.
- a processor manufacturer such as Intel® Corporation
- the component manufacturer determines the vulnerability exists through its own research, development, and/or testing activities.
- the vulnerability is detected by automatically running tests and analysis by component manufacturer computing system 202 on components, enterprise computing systems 212 and/or personal computing systems 208 .
- the vulnerability is identified and becomes known through the activities of others, such as computer security researchers, security companies, anti-virus companies, hackers, and so on.
- component system manufacturer desires to prevent threats and/or exploits based on the vulnerability as soon as possible, without waiting for perhaps lengthy efforts to develop a patch as a permanent solution.
- the “vulnerability” may actually be a critical function defect, design flaw or fault instead of a security vulnerability.
- component manufacturer computing system 202 generates a deprivation token 204 to address the vulnerability.
- component manufacturer computing system 202 publishes the derivation token.
- publishing the derivation token comprises sending the derivation token to one or more enterprise IT computing systems 210 and/or one or more computing system manufacturer computing systems 206 .
- the recipient of the derivation token from the component manufacturing computing system 202 then distributes the derivation token to affected computing systems.
- enterprise IT computing system 210 sends the derivation token to affected enterprise computing systems 212
- computing system manufacturer computing system 206 sends the derivation token to affected personal computing systems.
- component manufacturing computing system 202 sends the derivation token directly to one or more affected enterprise computing systems 212 and/or one or more affected personal computing systems 208 without the involvement of enterprise IT computing system 210 or computing system manufacturer computing systems 206 .
- FIG. 5 is a flow diagram of feature controller 108 processing 500 according to some embodiments.
- feature controller 108 of a computing system 100 receives a deprivation token 204 using known communications methods.
- feature controller 108 verifies the validity of the deprivation token. In an embodiment, verification includes authentication of digital signature 310 of deprivation token 204 using known cryptographic methods. If deprivation token 204 is verified at block 506 , then at block 508 feature controller 108 disables one or more features of computing system 100 as specified by the deprivation token. The mechanism for disabling the feature is implementation specific depending on the selected feature.
- receiving the deprivation token indicating a selected feature is to be disabled may result in firmware in computing system 100 making the selected feature (whether specific to firmware or hardware) inactive or otherwise unavailable. Processing ends at block 510 . If at block 506 the deprivation token is not verified, then processing ends at block 510 .
- processing similar to FIG. 5 is performed to re-enable one or more features.
- feature controller 108 re-enables the specified one or more features.
- feature controller 108 re-enables the specified one or more features only if a time period specified in valid time 304 of a previously received and processed deprivation token 204 has elapsed.
- FIG. 6 is a schematic diagram of an illustrative electronic computing device to perform component manufacturer feature deprivation processing and/or feature controller processing according to some embodiments.
- Electronic computing device 600 is representative of computing system 100 .
- computing device 600 includes one or more processors 610 including one or more processors cores 618 and feature controller 108 .
- the computing device 600 includes management engine (ME) 668 having feature controller 108 .
- computing device 600 includes one or more features 104 , 106 , ... 108 which may be enabled and/or disabled by feature controller 108 .
- processors 610 include one or more features 104 , 106 , ... 108 which may be enabled and/or disabled by feature controller 108 .
- the computing device performs component manufacturer processing as described in FIG. 4 .
- the computing device is to implement feature controller processing, as provided in FIG. 5 .
- Computing device 600 may additionally include one or more of the following: cache 662 , a graphical processing unit (GPU) 612 (which may be the hardware accelerator in some implementations), a wireless input/output (I/O) interface 620 , a wired I/O interface 630 , memory circuitry 640 , power management circuitry 650 , non-transitory storage device 660 , and a network interface 670 for connection to a network 672 .
- the following discussion provides a brief, general description of the components forming the illustrative computing device 600 .
- Example, non-limiting computing devices 600 may include a desktop computing device, blade server device, workstation, laptop computer, mobile phone, tablet computer, personal digital assistant, or similar device or system.
- the processor cores 618 are capable of executing machine-readable instruction sets 614 , reading data and/or instruction sets 614 from one or more storage devices 660 and writing data to the one or more storage devices 660 .
- machine-readable instruction sets 614 may include instructions to implement component manufacturer feature deprivation processing, as provided in FIG. 4 , or feature controller processing, as provided in FIG. 5 .
- the processor cores 618 may include any number of hardwired or configurable circuits, some or all of which may include programmable and/or configurable combinations of electronic components, semiconductor devices, and/or logic elements that are disposed partially or wholly in a PC, server, mobile phone, tablet computer, or other computing system capable of executing processor-readable instructions.
- Processor cores 618 may include one or more features 104 , 106 , ... 108 .
- the computing device 600 includes a bus or similar communications link 616 that communicably couples and facilitates the exchange of information and/or data between various system components including the processor cores 618 , the cache 662 , the graphics processor circuitry 612 , one or more wireless I/O interfaces 620 , one or more wired I/O interfaces 630 , one or more storage devices 660 , and/or one or more network interfaces 670 .
- the computing device 600 may be referred to in the singular herein, but this is not intended to limit the embodiments to a single computing device 600 , since in certain embodiments, there may be more than one computing device 600 that incorporates, includes, or contains any number of communicably coupled, collocated, or remote networked circuits or devices.
- the processor cores 618 may include any number, type, or combination of currently available or future developed devices capable of executing machine-readable instruction sets.
- the processor cores 618 may include (or be coupled to) but are not limited to any current or future developed single- or multi-core processor or microprocessor, such as: on or more systems on a chip (SOCs); central processing units (CPUs); digital signal processors (DSPs); graphics processing units (GPUs); application-specific integrated circuits (ASICs), programmable logic units, field programmable gate arrays (FPGAs), and the like.
- SOCs systems on a chip
- CPUs central processing units
- DSPs digital signal processors
- GPUs graphics processing units
- ASICs application-specific integrated circuits
- FPGAs field programmable gate arrays
- the bus 616 that interconnects at least some of the components of the computing device 600 may employ any currently available or future developed serial or parallel bus structures or architectures.
- the system memory 640 may include read-only memory (“ROM”) 642 and random-access memory (“RAM”) 646 .
- ROM read-only memory
- RAM random-access memory
- a portion of the ROM 642 may be used to store or otherwise retain a basic input/output system (“BIOS”) 644 .
- BIOS basic input/output system
- the BIOS 644 provides basic functionality to the computing device 600 , for example by causing the processor cores 618 to load and/or execute one or more machine-readable instruction sets 614 .
- At least some of the one or more machine-readable instruction sets 614 cause at least a portion of the processor cores 618 to provide, create, produce, transition, and/or function as a dedicated, specific, and particular machine, for example a word processing machine, a digital image acquisition machine, a media playing machine, a gaming system, a communications device, a smartphone, a neural network, a machine learning model, or similar devices.
- the computing device 600 may include at least one wireless input/output (I/O) interface 620 .
- the at least one wireless I/O interface 620 may be communicably coupled to one or more physical output devices 622 (tactile devices, video displays, audio output devices, hardcopy output devices, etc.).
- the at least one wireless I/O interface 620 may communicably couple to one or more physical input devices 624 (pointing devices, touchscreens, keyboards, tactile devices, etc.).
- the at least one wireless I/O interface 620 may include any currently available or future developed wireless I/O interface.
- Example wireless I/O interfaces include, but are not limited to: BLUETOOTH®, near field communication (NFC), and similar.
- the computing device 600 may include one or more wired input/output (I/O) interfaces 630 .
- the at least one wired I/O interface 630 may be communicably coupled to one or more physical output devices 622 (tactile devices, video displays, audio output devices, hardcopy output devices, etc.).
- the at least one wired I/O interface 630 may be communicably coupled to one or more physical input devices 624 (pointing devices, touchscreens, keyboards, tactile devices, etc.).
- the wired I/O interface 630 may include any currently available or future developed I/O interface.
- Example wired I/O interfaces include but are not limited to universal serial bus (USB), IEEE 1394 (“FireWire”), and similar.
- the computing device 600 may include one or more communicably coupled, non-transitory, data storage devices 660 .
- the data storage devices 660 may include one or more hard disk drives (HDDs) and/or one or more solid-state storage devices (SSDs).
- the one or more data storage devices 660 may include any current or future developed storage appliances, network storage devices, and/or systems. Non-limiting examples of such data storage devices 660 may include, but are not limited to, any current or future developed non-transitory storage appliances or devices, such as one or more magnetic storage devices, one or more optical storage devices, one or more electro-resistive storage devices, one or more molecular storage devices, one or more quantum storage devices, or various combinations thereof.
- the one or more data storage devices 660 may include one or more removable storage devices, such as one or more flash drives, flash memories, flash storage units, or similar appliances or devices capable of communicable coupling to and decoupling from the computing device 600 .
- the one or more data storage devices 660 may include interfaces or controllers (not shown) communicatively coupling the respective storage device or system to the bus 616 .
- the one or more data storage devices 660 may store, retain, or otherwise contain machine-readable instruction sets, data structures, program modules, data stores, databases, logical structures, and/or other data useful to the processor cores 618 and/or graphics processor circuitry 612 and/or one or more applications executed on or by the processor cores 618 and/or graphics processor circuitry 612 .
- one or more data storage devices 660 may be communicably coupled to the processor cores 618 , for example via the bus 616 or via one or more wired communications interfaces 630 (e.g., Universal Serial Bus or USB); one or more wireless communications interfaces 620 (e.g., Bluetooth®, Near Field Communication or NFC); and/or one or more network interfaces 670 (IEEE 802.3 or Ethernet, IEEE 802.11, or Wi-Fi®, etc.).
- wired communications interfaces 630 e.g., Universal Serial Bus or USB
- wireless communications interfaces 620 e.g., Bluetooth®, Near Field Communication or NFC
- network interfaces 670 IEEE 802.3 or Ethernet, IEEE 802.11, or Wi-Fi®, etc.
- Processor-readable instruction sets 614 and other programs, applications, logic sets, and/or modules may be stored in whole or in part in the system memory 640 . Such instruction sets 614 may be transferred, in whole or in part, from the one or more data storage devices 660 . The instruction sets 614 may be loaded, stored, or otherwise retained in system memory 640 , in whole or in part, during execution by the processor cores 618 and/or graphics processor circuitry 612 .
- the computing device 600 may include power management circuitry 650 that controls one or more operational aspects of the energy storage device 652 .
- the energy storage device 652 may include one or more primary (i.e., non-rechargeable) or secondary (i.e., rechargeable) batteries or similar energy storage devices.
- the energy storage device 652 may include one or more supercapacitors or ultracapacitors.
- the power management circuitry 650 may alter, adjust, or control the flow of energy from an external power source 654 to the energy storage device 652 and/or to the computing device 600 .
- the power source 654 may include, but is not limited to, a solar power system, a commercial electric grid, a portable generator, an external energy storage device, or any combination thereof.
- the processor cores 618 , the graphics processor circuitry 612 , the wireless I/O interface 620 , the wired I/O interface 630 , the storage device 660 , and the network interface 670 are illustrated as communicatively coupled to each other via the bus 616 , thereby providing connectivity between the above-described components.
- the above-described components may be communicatively coupled in a different manner than illustrated in FIG. 6 .
- one or more of the above-described components may be directly coupled to other components, or may be coupled to each other, via one or more intermediary components (not shown).
- one or more of the above-described components may be integrated into the processor cores 618 and/or the graphics processor circuitry 612 .
- all or a portion of the bus 616 may be omitted and the components are coupled directly to each other using suitable wired or wireless connections.
- FIGS. 4 and 5 Flowcharts representative of example hardware logic, machine readable instructions, hardware implemented state machines, and/or any combination thereof for implementing computing device 600 , for example, are shown in FIGS. 4 and 5 .
- the machine-readable instructions may be one or more executable programs or portion(s) of an executable program for execution by a computer processor such as the processor 610 shown in the example computing device 600 discussed above in connection with FIG. 6 , or management engine 668 .
- the program may be embodied in software stored on a non-transitory computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a DVD, a Blu-ray disk, or a memory associated with the processor 610 , but the entire program and/or parts thereof could alternatively be executed by a device other than the processor 610 and/or embodied in firmware or dedicated hardware (such as management engine 668 ).
- a device other than the processor 610 and/or embodied in firmware or dedicated hardware (such as management engine 668 ).
- any or all of the blocks may be implemented by one or more hardware circuits (e.g., discrete and/or integrated analog and/or digital circuitry, an FPGA, an ASIC, a comparator, an operational-amplifier (op-amp), a logic circuit, etc.) structured to perform the corresponding operation without executing software or firmware.
- hardware circuits e.g., discrete and/or integrated analog and/or digital circuitry, an FPGA, an ASIC, a comparator, an operational-amplifier (op-amp), a logic circuit, etc.
- the machine-readable instructions described herein may be stored in one or more of a compressed format, an encrypted format, a fragmented format, a compiled format, an executable format, a packaged format, etc.
- Machine readable instructions as described herein may be stored as data (e.g., portions of instructions, code, representations of code, etc.) that may be utilized to create, manufacture, and/or produce machine executable instructions.
- the machine-readable instructions may be fragmented and stored on one or more storage devices and/or computing devices (e.g., servers).
- the machine-readable instructions may require one or more of installation, modification, adaptation, updating, combining, supplementing, configuring, decryption, decompression, unpacking, distribution, reassignment, compilation, etc.
- the machine-readable instructions may be stored in multiple parts, which are individually compressed, encrypted, and stored on separate computing devices, wherein the parts when decrypted, decompressed, and combined form a set of executable instructions that implement a program such as that described herein.
- the machine-readable instructions may be stored in a state in which they may be read by a computer system, but require addition of a library (e.g., a dynamic link library (DLL)), a software development kit (SDK), an application programming interface (API), etc., in order to execute the instructions on a particular computing device or other device.
- a library e.g., a dynamic link library (DLL)
- SDK software development kit
- API application programming interface
- the machine-readable instructions may be configured (e.g., settings stored, data input, network addresses recorded, etc.) before the machine-readable instructions and/or the corresponding program(s) can be executed in whole or in part.
- the disclosed machine-readable instructions and/or corresponding program(s) are intended to encompass such machine readable instructions and/or program(s) regardless of the particular format or state of the machine readable instructions and/or program(s) when stored or otherwise at rest or in transit.
- the machine-readable instructions described herein can be represented by any past, present, or future instruction language, scripting language, programming language, etc.
- the machine-readable instructions may be represented using any of the following languages: C, C++, Java, C#, Perl, Python, JavaScript, HyperText Markup Language (HTML), Structured Query Language (SQL), Swift, etc.
- FIGS. 4 and 5 may be implemented using executable instructions (e.g., computer and/or machine-readable instructions) stored on a non-transitory computer and/or machine-readable medium such as a hard disk drive, an SSD, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information).
- a non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media.
- A, B, and/or C refers to any combination or subset of A, B, C such as (1) A alone, (2) B alone, (3) C alone, (4) A with B, (5) A with C, (6) B with C, and (7) A with B and with C.
- the phrase “at least one of A and B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B.
- the phrase “at least one of A or B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B.
- the phrase “at least one of A and B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B.
- the phrase “at least one of A or B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B.
- Descriptors “first,” “second,” “third,” etc. are used herein when identifying multiple elements or components which may be referred to separately. Unless otherwise specified or understood based on their context of use, such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples.
- the descriptor “first” may be used to refer to an element in the detailed description, while the same element may be referred to in a claim with a different descriptor such as “second” or “third.” In such instances, it should be understood that such descriptors are used merely for ease of referencing multiple elements or components.
- Example 1 is an apparatus to perform threat prevention by selective feature deprivation.
- the apparatus includes a processing device; and a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to: generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- IT enterprise information technology
- Example 2 the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to distribute the derivation token to the computing system.
- Example 3 the subject matter of Example 1 can optionally include wherein the computing system comprises at least one of an affected enterprise computing system and a personal computing system.
- Example 4 the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- Example 5 the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine if the vulnerability exists for the selected one or more features.
- Example 6 the subject matter of Example 1 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- ID vulnerability identifier
- the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- Example 7 the subject matter of Example 6 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to digitally sign the deprivation token prior to publishing the derivation token.
- Example 8 the subject matter of Example 6 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
- Example 9 the subject matter of Example 6 can optionally include wherein the valid time to cause disabling of the selected one or more features for a specified time period.
- Example 10 the subject matter of Example 1 can optionally include wherein the component comprises a processor and the feature is a hardware capability of the processor.
- Example 11 the subject matter of Example 1 can optionally include including the deprivation token in a firmware update to the computing system.
- Example 12 is a method for performing threat prevention by selective feature deprivation.
- the method includes generating a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- IT enterprise information technology
- Example 13 the subject matter of claim 12 can optionally include distributing the derivation token to the computing system.
- Example 14 the subject matter of claim 12 can optionally include determining the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- Example 15 the subject matter of claim 12 can optionally include determining if the vulnerability exists for the selected one or more features.
- Example 16 the subject matter of claim 12 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- ID vulnerability identifier
- the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- Example 17 the subject matter of claim 16 can optionally include digitally signing the deprivation token prior to publishing the derivation token.
- Example 18 the subject matter of claim 12 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
- Example 19 the subject matter of claim 12 can optionally include including the deprivation token in a firmware update to the computing system.
- Example 20 is at least one non-transitory machine-readable storage mediums having instructions that, when executed, cause at least one processor to generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features
- IT enterprise information technology
- Example 21 the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to distribute the derivation token to the computing system.
- Example 22 the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- Example 23 the subject matter of claim 20 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- ID vulnerability identifier
- the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- Example 24 the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to digitally signing the deprivation token prior to publishing the derivation token.
- Example 25 the subject matter of claim 20 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Hardware Redundancy (AREA)
Abstract
A method of preventing exploitation of a vulnerability of a computing system includes generating a deprivation token to cause disabling of a selected one or more features of a component of the computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system for distribution to affected computing systems.
Description
- This application claims the benefit of priority from and is a continuation of U.S. Pat. Application No. 17/132,531 filed on Dec. 23, 2020, the full disclosure of which is incorporated herein by reference.
- Embodiments relate generally to computer security, and more particularly, to preventing threats by selective feature deprivation in computing systems.
- From time-to-time exploitable vulnerabilities in computing systems become known. The vulnerabilities often cannot be patched immediately for various reasons (e.g., a corrective patch is not yet available, system downtime is not approved at this time, etc.). This creates significant windows of opportunity for attackers to attempt exploits based on these vulnerabilities.
- Current solutions try to address the vulnerability by patching or otherwise updating the computing systems to overcome the vulnerability as soon as possible or by creating a set of compensating controls on the network side to limit the possibility of an exploit reaching the computing system and using the vulnerability. In some cases, these attempts are described as ‘virtual patching’ of the computing system. Disadvantages of patching is that patches are often not available when the vulnerability is discovered and the time to develop, certify and distribute patches allows the computing systems to remain vulnerable. Disadvantages of the ‘compensating controls’ model include that it is often complex to define a ‘virtual patch’, as it requires understanding an exploit and devising an effective pattern matching and/or heuristics solution in a way that does not create false positives (e.g., impacting the system) or false negatives (e.g., allowing exploitation); suitable network security infrastructure between vulnerable computing systems and potential infection sources is not always available; and if the attack is performed over encrypted protocols (e.g., transport layer security (TLS)), the efficacy of network security requires suitable decryption operations, which in most cases is not available.
- So that the manner in which the above recited features of the present embodiments can be understood in detail, a more particular description of the embodiments, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments and are therefore not to be considered limiting of its scope. The figures are not to scale. In general, the same reference numbers will be used throughout the drawings and accompanying written description to refer to the same or like parts.
-
FIG. 1 is a diagram of feature controller system according to some embodiments. -
FIG. 2 is a diagram of a feature deprivation system according to some embodiments. -
FIG. 3 is a diagram of a deprivation token according to some embodiments. -
FIG. 4 is a flow diagram of component manufacturer feature deprivation processing according to some embodiments. -
FIG. 5 is a flow diagram of feature controller processing according to some embodiments. -
FIG. 6 is a schematic diagram of an illustrative electronic computing device to perform component manufacturer feature deprivation processing and/or feature controller processing according to some embodiments. - Implementations of the disclosure provide a method and system for preventing threats based on known vulnerabilities by making selected features of computing systems affected by those vulnerabilities temporarily unavailable or ‘deprived.’ Embodiments of the present invention include a computing system, or one or more components of a computing system, pre-configured during a manufacturing step such that one or more features (or sets of features) of the components and/or computing systems are pre-set to be enabled. When a vulnerability becomes known that affects a feature, the feature can be selectively disabled (e.g., made unavailable) remotely by a management entity such as a computer system manufacturer or an enterprise information technology (IT) department to prevent attempts to exploit the computing system based on the vulnerability until a permanent solution (e.g., a patch or system upgrade) becomes available.
- Embodiments do not rely on detection or analysis of a vulnerability by external logic but enables control of feature deprivation built into the computing system, by external triggers sent to the computing system to activate selective “protected modes” with one or more features disabled. The functionality of the one or more features can be restored/enabled once the computing system has been appropriately patched or upgraded, or a time period defined in a deprivation token has expired.
- In some embodiments, patching the computing system to address the vulnerability includes re-enabling previously disabled features. In an embodiment, re-enabling disabled features is performed after a time period defined in a deprivation token has expired. In an embodiment, re-enabling disabled features is performed by as part of a firmware update. In an embodiment, re-enabling disabled features is performed by the same mechanism that the features were disabled, but with an indication of enabling the features instead of disabling the features. Embodiments may also be used to deprive certain features, or parts thereof such as quality of service levels, even for handling of bugs or mitigating performance issues in computing systems.
- Having a feature deprivation capability built into the computing system (or any component of the computing system) at the time of design and/or manufacturing provides for potential temporary future mitigation of a vulnerability until a permanent solution for the problem is found and deployed without the need to deduce, build and deploy small or large threat preventions. Feature deprivation can be easily triggered by communication of a small deprivation token to affected computing systems, and the feature deprivation action can be taken consciously and simply to prevent exploitation of vulnerabilities in widely deployed computing systems. The capability to selectively control feature deprivation being built into the computing system at the time of design and/or manufacturing allows this capability to be tested prior to sale and/or distribution of the computing system and to be used when the computing system is in the field (e.g., operated by users) without extensive testing once a vulnerability becomes known. In some embodiments this allows for better unit testing of features by having the capability to isolate selected components or features throughout the development and testing cycle.
- Some advantages include quick threat prevention; enablement of slower, more structured vulnerability patching; deterrence of potential brand and legal implications which may be caused by such vulnerabilities; the capability for potential mitigations also for non-security issues; broad coverage where a single deprivation token can address multiple vulnerabilities in multiple components, products and versions of firmware (e.g., for situations where individual binary-based patches are required for different firmware and/or components).
-
FIG. 1 is a diagram offeature controller system 102 according to some embodiments.Computing system 100 may include one or more stationary or portable electronic or handheld electronic devices, for instance desktop computers, smartphones, portable computers, tablet computers, wearable computers, consumer electronics devices (e.g., television sets, stereo equipment, digital video recorders (DVRs), set-top boxes, satellite receivers, etc.), personal computers (“PCs”), network PCs, minicomputers, servers, server blades, mainframe computers, field programmable gate arrays (FPGAs), Internet of Things (IOT) devices, and the like.Computing system 100 includesfeature controller system 102 to selectively disable and/or re-enable one or more features of the computing system. In an embodiment, disabling one or more features is performed in response to detection of a known vulnerability of the computing system, but the present approach is not limited to this scenario. - A vulnerability may be any weakness or deficiency in the security of the computing system, such as resulting from a side-channel attack, a race condition exploit, memory corruption, return oriented programming (ROP), buffer overflow, use-before-free, etc.
-
Computing system 100 includes one or more features, such as feature 1 104, feature 2 106,... feature N 110, where N is a natural number. As used herein, a feature may be any capability ofcomputing system 100, whether implemented in firmware or hardware of any component of the computing system. For example, a feature may be any capability of a processor and/or computing system that may end up being exploitable. Examples include out-of-order execution, privilege levels and protection domains, speculative execution, software guard extension (SGX) technology commercially available from Intel Corporation, security enclaves, support for various data formats, time-based handshakes between components, virtualization of components, etc. For example, a feature may be any function or capability of firmware running oncomputing system 100, such as disabling local area discovery or other functions in Internet Protocol (IP) version 6 (IPv6) or disabling a “system defense” feature of Intel® Active Management Technology (AMT). -
Feature controller 108 offeature controller system 102 withincomputing system 100 includes the capability to receive a notification of a vulnerability and identification of one or more features affected by the vulnerability and to disable the one or more features on any component ofcomputing system 100. Whencomputing system 100 is patched to address the vulnerability,feature controller 108 includes the capability to re-enable the disabled one or more features. -
FIG. 2 is a diagram of afeature deprivation system 200 according to some embodiments. When a vulnerability affecting one or more features of a component ofcomputing system 100 becomes known, componentmanufacturer computing system 202 generates adeprivation token 204 to indicate the vulnerability, one or more features to be disabled, and a valid time period for the deprivation of the one or more features to be effective. For example, when the component affected by the vulnerability is a processor, the component manufacturer is a processor manufacturer (such as Intel® Corporation for example) whose computing system generates the deprivation token. Forpersonal computing systems 208 purchased by individual users from a computing system manufacturer (either directly from the computing system manufacturer or through a retail store), componentmanufacturer computing system 202 sends adeprivation token 204 to acomputing system 206 of the computing system manufacturer (such as Lenovo®, Apple®, Hewlett Packard (HP®), Dell®, Acer®, Asus®, and so on). Computing systemmanufacturer computing system 206 then sends thedeprivation token 204 using known communications methods to affectedpersonal computing systems 208. In one embodiment, the token is sent to affected computing systems through a management entity such as a converged security management engine (CSME) commercially available from Intel Corporation and through an interface such as the host to CSME controller interface (HECI). In one embodiment, the deprivation token is included in an update to the firmware (e.g., the basic input/output system (BIOS)) of thepersonal computing systems 208. Forenterprise computing systems 212 managed by an enterprise information technology (IT) organization (e.g., in a business, government agency, non-profit organization, or other entity), componentmanufacturer computing system 202 sendsdeprivation token 204 to acomputing system 210 of the enterprise IT organization to be deployed to affected managedenterprise computing systems 212 in the organization. In another embodiment, computing systemmanufacturer computing system 206 sends thedeprivation token 204 to enterpriseIT computing system 210 instead of componentmanufacturer computing system 202. In another embodiment, componentmanufacturer computing system 202 sends the deprivation token directly to one or morepersonal computing systems 208 and/orenterprise computing systems 212. -
FIG. 3 is a diagram of adeprivation token 204 according to some embodiments. As compared to typical patches and software/firmware updates,deprivation token 204 is small (e.g., perhaps as small as a few hundred bytes) and does not require an extensive process of designing, testing, validating, signing, provisioning, and supporting like typical patching deployments. - In one embodiment,
deprivation token 204 is generated and digitally signed by componentmanufacturer computing system 202. In another embodiment,deprivation token 204 is generated and digitally signed by computing systemmanufacturer computing system 206.Deprivation token 204 includes at least one vulnerability identifier (ID) 302, avalid time 304 for the deprivation to be effective, one or more feature IDs such asfeature J ID 306,feature K ID 312, ...feature M ID 318, and adigital signature 324. In other embodiments, additional fields may be added to the deprivation token.Vulnerability ID 302 uniquely identifies the at least one vulnerability to be addressed by this deprivation token.Vulnerability ID 302 may be repeated for multiple vulnerabilities. Thefeature IDs J ID 306 includes E/D flag 308,feature K ID 312 includes E/D flag 314, ...feature M ID 318 includes E/D flag 320. This allows individual features to be enabled or disabled in the same deprivation token. In one embodiment, feature IDs also uniquely identify a version of the feature that is to be deprived. In one embodiment, each feature field includes a version (VER) indicating feature version. For example, featureJ ID 306 includesVER 210,feature K ID 312 includesVER 316, ...feature M ID 318 includes E/D VER 322. In an embodiment, the version field can affect which versions of the feature are affected by processing of the deprivation token. For example, the version could signify that the currently indicated (vulnerable) version and all prior versions are affected by the deprivation token, but later versions are not affected by the deprivation token (e.g., once the firmware is updated for a computing system then the deprivation token is not effective for that computing system).Digital signature 312 is used to authenticate and/or attest to the validity of thedeprivation token 204 using known cryptographic methods. - In an embodiment,
valid time field 304 specifies a time period for which disabling of the one or more features is desired.Computing system 100 then disables the one or more features for the specified time period, and then automatically re-enables one or more features after the specified time period has expired. In one embodiment, the time period defines an elapsed time from reception of the deprivation token (e.g., a relative time). In another embodiment, the time period specifies an ending time and date (e.g., an absolute time, such as indicating the deprivation token is not valid after the specified time and date). In another embodiment, both time periods may be specified in the deprivation token. In any case, when any of the conditions specified by thevalid time field 304 are met, the deprivation token becomes ineffective and the features are re-enabled. For example, a deprivation token may sent every X days (where X is a natural number) to a plurality of computing systems with X+1 days validity while patching efforts are underway, and the patched computing systems can then be re-enabled without sending additional deprivation tokens. - In an embodiment, a “heartbeat” model may be used whereby component
manufacturer computing system 202 periodically sendssuccessive deprivation tokens 204 to computing systemmanufacturer computing systems 206 and/or enterpriseIT computing systems 210, each deprivation token specifying an applicable time period, and the recipients of the deprivation tokens re-enable the one or more features after the last time period has expired. - In an embodiment, features may be grouped into sets of features for disablement/enablement based on a vulnerability.
-
FIG. 4 is a flow diagram of component manufacturerfeature deprivation processing 400 according to some embodiments. During design and manufacturing time for a component, component manufacturer designs and tests the component to work properly even if one or more selected features disabled. This gives the manufacturer confidence that even if a vulnerability is detected in the future that exposes a selected feature to an exploit as a result of the vulnerability, the selected feature can be disabled without causing the component or thecomputing system 100 to malfunction. Thus, embodiments of the present invention allow the component manufacturer to “pre-validate” mitigation efforts involving disabling features of components already in the stream of commerce in response to future detection of vulnerabilities. This capability may be used to enhance unit testing and validation. - At
block 402, a component manufacturer operating componentmanufacturer computing system 202 determines that a vulnerability exists for one or more features of a component developed by component manufacturer. For example, a processor manufacturer (such as Intel® Corporation) may determine that a vulnerability exists for a feature of a processor. In one scenario, the component manufacturer determines the vulnerability exists through its own research, development, and/or testing activities. In one embodiment, the vulnerability is detected by automatically running tests and analysis by componentmanufacturer computing system 202 on components,enterprise computing systems 212 and/orpersonal computing systems 208. In another scenario, the vulnerability is identified and becomes known through the activities of others, such as computer security researchers, security companies, anti-virus companies, hackers, and so on. Regardless of who initially detected the vulnerability, component system manufacturer desires to prevent threats and/or exploits based on the vulnerability as soon as possible, without waiting for perhaps lengthy efforts to develop a patch as a permanent solution. In another embodiment, the “vulnerability” may actually be a critical function defect, design flaw or fault instead of a security vulnerability. - At
block 404, componentmanufacturer computing system 202 generates adeprivation token 204 to address the vulnerability. Atblock 406, componentmanufacturer computing system 202 publishes the derivation token. In one embodiment, publishing the derivation token comprises sending the derivation token to one or more enterpriseIT computing systems 210 and/or one or more computing systemmanufacturer computing systems 206. Atblock 408, the recipient of the derivation token from the componentmanufacturing computing system 202 then distributes the derivation token to affected computing systems. For example, enterpriseIT computing system 210 sends the derivation token to affectedenterprise computing systems 212, and computing systemmanufacturer computing system 206 sends the derivation token to affected personal computing systems. In one embodiment, componentmanufacturing computing system 202 sends the derivation token directly to one or more affectedenterprise computing systems 212 and/or one or more affectedpersonal computing systems 208 without the involvement of enterpriseIT computing system 210 or computing systemmanufacturer computing systems 206. -
FIG. 5 is a flow diagram offeature controller 108processing 500 according to some embodiments. Atblock 502,feature controller 108 of a computing system 100 (such as anenterprise computing system 212 or personal computing system 208) receives adeprivation token 204 using known communications methods. Atblock 504,feature controller 108 verifies the validity of the deprivation token. In an embodiment, verification includes authentication ofdigital signature 310 ofdeprivation token 204 using known cryptographic methods. Ifdeprivation token 204 is verified atblock 506, then atblock 508feature controller 108 disables one or more features ofcomputing system 100 as specified by the deprivation token. The mechanism for disabling the feature is implementation specific depending on the selected feature. For example, receiving the deprivation token indicating a selected feature is to be disabled may result in firmware incomputing system 100 making the selected feature (whether specific to firmware or hardware) inactive or otherwise unavailable. Processing ends atblock 510. If atblock 506 the deprivation token is not verified, then processing ends atblock 510. - In another embodiment, processing similar to
FIG. 5 is performed to re-enable one or more features. In this case, atblock 508feature controller 108 re-enables the specified one or more features. In another embodiment,feature controller 108 re-enables the specified one or more features only if a time period specified invalid time 304 of a previously received and processeddeprivation token 204 has elapsed. -
FIG. 6 is a schematic diagram of an illustrative electronic computing device to perform component manufacturer feature deprivation processing and/or feature controller processing according to some embodiments.Electronic computing device 600 is representative ofcomputing system 100. In some embodiments,computing device 600 includes one ormore processors 610 including one ormore processors cores 618 andfeature controller 108. In some embodiments, thecomputing device 600 includes management engine (ME) 668 havingfeature controller 108. In some embodiments,computing device 600 includes one ormore features 104, 106, ... 108 which may be enabled and/or disabled byfeature controller 108. In an embodiment,processors 610 include one ormore features 104, 106, ... 108 which may be enabled and/or disabled byfeature controller 108. In some embodiments, the computing device performs component manufacturer processing as described inFIG. 4 . In some embodiments, the computing device is to implement feature controller processing, as provided inFIG. 5 . -
Computing device 600 may additionally include one or more of the following:cache 662, a graphical processing unit (GPU) 612 (which may be the hardware accelerator in some implementations), a wireless input/output (I/O)interface 620, a wired I/O interface 630,memory circuitry 640,power management circuitry 650,non-transitory storage device 660, and anetwork interface 670 for connection to anetwork 672. The following discussion provides a brief, general description of the components forming theillustrative computing device 600. Example,non-limiting computing devices 600 may include a desktop computing device, blade server device, workstation, laptop computer, mobile phone, tablet computer, personal digital assistant, or similar device or system. - In embodiments, the
processor cores 618 are capable of executing machine-readable instruction sets 614, reading data and/orinstruction sets 614 from one ormore storage devices 660 and writing data to the one ormore storage devices 660. Those skilled in the relevant art will appreciate that the illustrated embodiments as well as other embodiments may be practiced with other processor-based device configurations, including portable electronic or handheld electronic devices, for instance smartphones, portable computers, wearable computers, consumer electronics, personal computers (“PCs”), network PCs, minicomputers, server blades, mainframe computers, FPAGs, IOT devices, and the like. For example, machine-readable instruction sets 614 may include instructions to implement component manufacturer feature deprivation processing, as provided inFIG. 4 , or feature controller processing, as provided inFIG. 5 . - The
processor cores 618 may include any number of hardwired or configurable circuits, some or all of which may include programmable and/or configurable combinations of electronic components, semiconductor devices, and/or logic elements that are disposed partially or wholly in a PC, server, mobile phone, tablet computer, or other computing system capable of executing processor-readable instructions.Processor cores 618 may include one ormore features 104, 106, ... 108. - The
computing device 600 includes a bus or similar communications link 616 that communicably couples and facilitates the exchange of information and/or data between various system components including theprocessor cores 618, thecache 662, thegraphics processor circuitry 612, one or more wireless I/O interfaces 620, one or more wired I/O interfaces 630, one ormore storage devices 660, and/or one or more network interfaces 670. Thecomputing device 600 may be referred to in the singular herein, but this is not intended to limit the embodiments to asingle computing device 600, since in certain embodiments, there may be more than onecomputing device 600 that incorporates, includes, or contains any number of communicably coupled, collocated, or remote networked circuits or devices. - The
processor cores 618 may include any number, type, or combination of currently available or future developed devices capable of executing machine-readable instruction sets. - The
processor cores 618 may include (or be coupled to) but are not limited to any current or future developed single- or multi-core processor or microprocessor, such as: on or more systems on a chip (SOCs); central processing units (CPUs); digital signal processors (DSPs); graphics processing units (GPUs); application-specific integrated circuits (ASICs), programmable logic units, field programmable gate arrays (FPGAs), and the like. Unless described otherwise, the construction and operation of the various blocks shown inFIG. 6 are of conventional design. Consequently, such blocks need not be described in further detail herein, as they will be understood by those skilled in the relevant art. The bus 616 that interconnects at least some of the components of thecomputing device 600 may employ any currently available or future developed serial or parallel bus structures or architectures. - The
system memory 640 may include read-only memory (“ROM”) 642 and random-access memory (“RAM”) 646. A portion of theROM 642 may be used to store or otherwise retain a basic input/output system (“BIOS”) 644. TheBIOS 644 provides basic functionality to thecomputing device 600, for example by causing theprocessor cores 618 to load and/or execute one or more machine-readable instruction sets 614. In embodiments, at least some of the one or more machine-readable instruction sets 614 cause at least a portion of theprocessor cores 618 to provide, create, produce, transition, and/or function as a dedicated, specific, and particular machine, for example a word processing machine, a digital image acquisition machine, a media playing machine, a gaming system, a communications device, a smartphone, a neural network, a machine learning model, or similar devices. - The
computing device 600 may include at least one wireless input/output (I/O)interface 620. The at least one wireless I/O interface 620 may be communicably coupled to one or more physical output devices 622 (tactile devices, video displays, audio output devices, hardcopy output devices, etc.). The at least one wireless I/O interface 620 may communicably couple to one or more physical input devices 624 (pointing devices, touchscreens, keyboards, tactile devices, etc.). The at least one wireless I/O interface 620 may include any currently available or future developed wireless I/O interface. Example wireless I/O interfaces include, but are not limited to: BLUETOOTH®, near field communication (NFC), and similar. - The
computing device 600 may include one or more wired input/output (I/O) interfaces 630. The at least one wired I/O interface 630 may be communicably coupled to one or more physical output devices 622 (tactile devices, video displays, audio output devices, hardcopy output devices, etc.). The at least one wired I/O interface 630 may be communicably coupled to one or more physical input devices 624 (pointing devices, touchscreens, keyboards, tactile devices, etc.). The wired I/O interface 630 may include any currently available or future developed I/O interface. Example wired I/O interfaces include but are not limited to universal serial bus (USB), IEEE 1394 (“FireWire”), and similar. - The
computing device 600 may include one or more communicably coupled, non-transitory,data storage devices 660. Thedata storage devices 660 may include one or more hard disk drives (HDDs) and/or one or more solid-state storage devices (SSDs). The one or moredata storage devices 660 may include any current or future developed storage appliances, network storage devices, and/or systems. Non-limiting examples of suchdata storage devices 660 may include, but are not limited to, any current or future developed non-transitory storage appliances or devices, such as one or more magnetic storage devices, one or more optical storage devices, one or more electro-resistive storage devices, one or more molecular storage devices, one or more quantum storage devices, or various combinations thereof. In some implementations, the one or moredata storage devices 660 may include one or more removable storage devices, such as one or more flash drives, flash memories, flash storage units, or similar appliances or devices capable of communicable coupling to and decoupling from thecomputing device 600. - The one or more
data storage devices 660 may include interfaces or controllers (not shown) communicatively coupling the respective storage device or system to the bus 616. The one or moredata storage devices 660 may store, retain, or otherwise contain machine-readable instruction sets, data structures, program modules, data stores, databases, logical structures, and/or other data useful to theprocessor cores 618 and/orgraphics processor circuitry 612 and/or one or more applications executed on or by theprocessor cores 618 and/orgraphics processor circuitry 612. In some instances, one or moredata storage devices 660 may be communicably coupled to theprocessor cores 618, for example via the bus 616 or via one or more wired communications interfaces 630 (e.g., Universal Serial Bus or USB); one or more wireless communications interfaces 620 (e.g., Bluetooth®, Near Field Communication or NFC); and/or one or more network interfaces 670 (IEEE 802.3 or Ethernet, IEEE 802.11, or Wi-Fi®, etc.). - Processor-
readable instruction sets 614 and other programs, applications, logic sets, and/or modules may be stored in whole or in part in thesystem memory 640.Such instruction sets 614 may be transferred, in whole or in part, from the one or moredata storage devices 660. The instruction sets 614 may be loaded, stored, or otherwise retained insystem memory 640, in whole or in part, during execution by theprocessor cores 618 and/orgraphics processor circuitry 612. - The
computing device 600 may includepower management circuitry 650 that controls one or more operational aspects of theenergy storage device 652. In embodiments, theenergy storage device 652 may include one or more primary (i.e., non-rechargeable) or secondary (i.e., rechargeable) batteries or similar energy storage devices. In embodiments, theenergy storage device 652 may include one or more supercapacitors or ultracapacitors. In embodiments, thepower management circuitry 650 may alter, adjust, or control the flow of energy from anexternal power source 654 to theenergy storage device 652 and/or to thecomputing device 600. Thepower source 654 may include, but is not limited to, a solar power system, a commercial electric grid, a portable generator, an external energy storage device, or any combination thereof. - For convenience, the
processor cores 618, thegraphics processor circuitry 612, the wireless I/O interface 620, the wired I/O interface 630, thestorage device 660, and thenetwork interface 670 are illustrated as communicatively coupled to each other via the bus 616, thereby providing connectivity between the above-described components. In alternative embodiments, the above-described components may be communicatively coupled in a different manner than illustrated inFIG. 6 . For example, one or more of the above-described components may be directly coupled to other components, or may be coupled to each other, via one or more intermediary components (not shown). In another example, one or more of the above-described components may be integrated into theprocessor cores 618 and/or thegraphics processor circuitry 612. In some embodiments, all or a portion of the bus 616 may be omitted and the components are coupled directly to each other using suitable wired or wireless connections. - Flowcharts representative of example hardware logic, machine readable instructions, hardware implemented state machines, and/or any combination thereof for implementing
computing device 600, for example, are shown inFIGS. 4 and 5 . The machine-readable instructions may be one or more executable programs or portion(s) of an executable program for execution by a computer processor such as theprocessor 610 shown in theexample computing device 600 discussed above in connection withFIG. 6 , ormanagement engine 668. The program may be embodied in software stored on a non-transitory computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a DVD, a Blu-ray disk, or a memory associated with theprocessor 610, but the entire program and/or parts thereof could alternatively be executed by a device other than theprocessor 610 and/or embodied in firmware or dedicated hardware (such as management engine 668). Further, although the example program is described with reference to the flowcharts illustrated inFIGS. 4 and 5 , many other methods of implementing theexample computing devices 600 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined. Additionally or alternatively, any or all of the blocks may be implemented by one or more hardware circuits (e.g., discrete and/or integrated analog and/or digital circuitry, an FPGA, an ASIC, a comparator, an operational-amplifier (op-amp), a logic circuit, etc.) structured to perform the corresponding operation without executing software or firmware. - The machine-readable instructions described herein may be stored in one or more of a compressed format, an encrypted format, a fragmented format, a compiled format, an executable format, a packaged format, etc. Machine readable instructions as described herein may be stored as data (e.g., portions of instructions, code, representations of code, etc.) that may be utilized to create, manufacture, and/or produce machine executable instructions. For example, the machine-readable instructions may be fragmented and stored on one or more storage devices and/or computing devices (e.g., servers). The machine-readable instructions may require one or more of installation, modification, adaptation, updating, combining, supplementing, configuring, decryption, decompression, unpacking, distribution, reassignment, compilation, etc. in order to make them directly readable, interpretable, and/or executable by a computing device and/or other machine. For example, the machine-readable instructions may be stored in multiple parts, which are individually compressed, encrypted, and stored on separate computing devices, wherein the parts when decrypted, decompressed, and combined form a set of executable instructions that implement a program such as that described herein.
- In another example, the machine-readable instructions may be stored in a state in which they may be read by a computer system, but require addition of a library (e.g., a dynamic link library (DLL)), a software development kit (SDK), an application programming interface (API), etc., in order to execute the instructions on a particular computing device or other device. In another example, the machine-readable instructions may be configured (e.g., settings stored, data input, network addresses recorded, etc.) before the machine-readable instructions and/or the corresponding program(s) can be executed in whole or in part. Thus, the disclosed machine-readable instructions and/or corresponding program(s) are intended to encompass such machine readable instructions and/or program(s) regardless of the particular format or state of the machine readable instructions and/or program(s) when stored or otherwise at rest or in transit.
- The machine-readable instructions described herein can be represented by any past, present, or future instruction language, scripting language, programming language, etc. For example, the machine-readable instructions may be represented using any of the following languages: C, C++, Java, C#, Perl, Python, JavaScript, HyperText Markup Language (HTML), Structured Query Language (SQL), Swift, etc.
- As mentioned above, the example processes of
FIGS. 4 and 5 may be implemented using executable instructions (e.g., computer and/or machine-readable instructions) stored on a non-transitory computer and/or machine-readable medium such as a hard disk drive, an SSD, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media. - “Including” and “comprising” (and all forms and tenses thereof) are used herein to be open ended terms. Thus, whenever a claim employs any form of “include” or “comprise” (e.g., comprises, includes, comprising, including, having, etc.) as a preamble or within a claim recitation of any kind, it is to be understood that additional elements, terms, etc. may be present without falling outside the scope of the corresponding claim or recitation. As used herein, when the phrase “at least” is used as the transition term in, for example, a preamble of a claim, it is open-ended in the same manner as the term “comprising” and “including” are open ended.
- The term “and/or” when used, for example, in a form such as A, B, and/or C refers to any combination or subset of A, B, C such as (1) A alone, (2) B alone, (3) C alone, (4) A with B, (5) A with C, (6) B with C, and (7) A with B and with C. As used herein in the context of describing structures, components, items, objects and/or things, the phrase “at least one of A and B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B. Similarly, as used herein in the context of describing structures, components, items, objects and/or things, the phrase “at least one of A or B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B. As used herein in the context of describing the performance or execution of processes, instructions, actions, activities and/or steps, the phrase “at least one of A and B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B. Similarly, as used herein in the context of describing the performance or execution of processes, instructions, actions, activities and/or steps, the phrase “at least one of A or B” is intended to refer to implementations including any of (1) at least one A, (2) at least one B, and (3) at least one A and at least one B.
- As used herein, singular references (e.g., “a”, “an”, “first”, “second”, etc.) do not exclude a plurality. The term “a” or “an” entity, as used herein, refers to one or more of that entity. The terms “a” (or “an”), “one or more”, and “at least one” can be used interchangeably herein. Furthermore, although individually listed, a plurality of means, elements or method actions may be implemented by, e.g., a single unit or processor. Additionally, although individual features may be included in different examples or claims, these may possibly be combined, and the inclusion in different examples or claims does not imply that a combination of features is not feasible and/or advantageous.
- Descriptors “first,” “second,” “third,” etc. are used herein when identifying multiple elements or components which may be referred to separately. Unless otherwise specified or understood based on their context of use, such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples. In some examples, the descriptor “first” may be used to refer to an element in the detailed description, while the same element may be referred to in a claim with a different descriptor such as “second” or “third.” In such instances, it should be understood that such descriptors are used merely for ease of referencing multiple elements or components.
- The following examples pertain to further embodiments. Example 1 is an apparatus to perform threat prevention by selective feature deprivation. The apparatus includes a processing device; and a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to: generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- In Example 2, the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to distribute the derivation token to the computing system.
- In Example 3, the subject matter of Example 1 can optionally include wherein the computing system comprises at least one of an affected enterprise computing system and a personal computing system.
- In Example 4, the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- In Example 5, the subject matter of Example 1 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine if the vulnerability exists for the selected one or more features.
- In Example 6, the subject matter of Example 1 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- In Example 7, the subject matter of Example 6 can optionally include instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to digitally sign the deprivation token prior to publishing the derivation token.
- In Example 8, the subject matter of Example 6 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
- In Example 9, the subject matter of Example 6 can optionally include wherein the valid time to cause disabling of the selected one or more features for a specified time period.
- In Example 10, the subject matter of Example 1 can optionally include wherein the component comprises a processor and the feature is a hardware capability of the processor.
- In Example 11, the subject matter of Example 1 can optionally include including the deprivation token in a firmware update to the computing system.
- Example 12 is a method for performing threat prevention by selective feature deprivation. The method includes generating a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- In Example 13, the subject matter of claim 12 can optionally include distributing the derivation token to the computing system.
- In Example 14, the subject matter of claim 12 can optionally include determining the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- In Example 15, the subject matter of claim 12 can optionally include determining if the vulnerability exists for the selected one or more features.
- In Example 16, the subject matter of claim 12 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- In Example 17, the subject matter of claim 16 can optionally include digitally signing the deprivation token prior to publishing the derivation token.
- In Example 18, the subject matter of claim 12 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
- In Example 19, the subject matter of claim 12 can optionally include including the deprivation token in a firmware update to the computing system.
- Example 20 is at least one non-transitory machine-readable storage mediums having instructions that, when executed, cause at least one processor to generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
- In Example 21, the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to distribute the derivation token to the computing system.
- In Example 22, the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
- In Example 23, the subject matter of claim 20 can optionally include wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
- In Example 24, the subject matter of claim 20 can optionally include instructions that, when executed, cause at least one processor to digitally signing the deprivation token prior to publishing the derivation token.
- In Example 25, the subject matter of claim 20 can optionally include wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
- The foregoing description and drawings are to be regarded in an illustrative rather than a restrictive sense. Persons skilled in the art will understand that various modifications and changes may be made to the embodiments described herein without departing from the broader spirit and scope of the features set forth in the appended claims.
Claims (25)
1. An apparatus comprising:
a processing device; and
a memory device coupled to the processing device, the memory device having instructions stored thereon that, in response to execution by the processing device, cause the processing device to:
generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and
publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
2. The apparatus of claim 1 , comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to:
distribute the derivation token to the computing system.
3. The apparatus of claim 1 , wherein the computing system comprises at least one of an affected enterprise computing system and a personal computing system.
4. The apparatus of claim 1 , comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
5. The apparatus of claim 1 , comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to determine if the vulnerability exists for the selected one or more features.
6. The apparatus of claim 1 , wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
7. The apparatus of claim 6 , comprising instructions stored in the memory device that, in response to execution by the processing device, cause the processing device to digitally sign the deprivation token prior to publishing the derivation token.
8. The apparatus of claim 6 , wherein the deprivation token comprises an enablement field to cause re-enabling of a previously disabled selected one or more features on the computing system.
9. The apparatus of claim 6 , wherein the valid time to cause disabling of the selected one or more features for a specified time period.
10. The apparatus of claim 1 , wherein the component comprises a processor and the feature is a hardware capability of the processor.
11. The apparatus of claim 1 , comprising including the deprivation token in a firmware update to the computing system.
12. A computer-implemented method comprising:
generating a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and
publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
13. The computer-implemented method of claim 12 , comprising distributing the derivation token to the computing system.
14. The computer-implemented method of claim 12 , comprising determining the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
15. The computer-implemented method of claim 12 , comprising determining if the vulnerability exists for the selected one or more features.
16. The computer-implemented method of claim 12 , wherein the deprivation token comprises a vulnerability identifier (ID), a valid time, one or more feature IDs, and a digital signature.
17. The computer-implemented method of claim 16 , comprising digitally signing the deprivation token prior to publishing the derivation token.
18. (canceled)
19. (canceled)
20. At least one non-transitory machine-readable storage medium comprising instructions that, when executed, cause at least one processor to:
generate a deprivation token to cause disabling of a selected one or more features of a component of a computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and
publish the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system.
21. The at least one non-transitory machine-readable storage medium of claim 20 comprising instructions that, when executed, cause at least one processor to distribute the derivation token to the computing system.
22. The at least one non-transitory machine-readable storage medium of claim 20 comprising instructions that, when executed, cause at least one processor to determine the selected one or more features that can be disabled, without causing the computing system to malfunction, at a time of design or manufacturing of the component.
23. (canceled)
24. (canceled)
25. (canceled)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/068,672 US20230216878A1 (en) | 2020-12-23 | 2022-12-20 | Threat prevention by selective feature deprivation |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/132,531 US11570199B2 (en) | 2020-12-23 | 2020-12-23 | Threat prevention by selective feature deprivation |
US18/068,672 US20230216878A1 (en) | 2020-12-23 | 2022-12-20 | Threat prevention by selective feature deprivation |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/132,531 Continuation US11570199B2 (en) | 2020-12-23 | 2020-12-23 | Threat prevention by selective feature deprivation |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230216878A1 true US20230216878A1 (en) | 2023-07-06 |
Family
ID=75491701
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/132,531 Active 2041-06-15 US11570199B2 (en) | 2020-12-23 | 2020-12-23 | Threat prevention by selective feature deprivation |
US18/068,672 Pending US20230216878A1 (en) | 2020-12-23 | 2022-12-20 | Threat prevention by selective feature deprivation |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/132,531 Active 2041-06-15 US11570199B2 (en) | 2020-12-23 | 2020-12-23 | Threat prevention by selective feature deprivation |
Country Status (2)
Country | Link |
---|---|
US (2) | US11570199B2 (en) |
EP (1) | EP4020283A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11570199B2 (en) | 2020-12-23 | 2023-01-31 | Intel Corporation | Threat prevention by selective feature deprivation |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030120938A1 (en) * | 2001-11-27 | 2003-06-26 | Miki Mullor | Method of securing software against reverse engineering |
US8561190B2 (en) | 2005-05-16 | 2013-10-15 | Microsoft Corporation | System and method of opportunistically protecting a computer from malware |
US20140089120A1 (en) * | 2005-10-06 | 2014-03-27 | C-Sam, Inc. | Aggregating multiple transaction protocols for transacting between a plurality of distinct payment acquiring devices and a transaction acquirer |
US9177154B2 (en) | 2010-10-18 | 2015-11-03 | Todd Wolff | Remediation of computer security vulnerabilities |
US9047489B2 (en) * | 2011-11-14 | 2015-06-02 | Wave Systems Corp. | Security systems and methods for social networking |
WO2016068974A1 (en) * | 2014-10-31 | 2016-05-06 | Hewlett Packard Enterprise Development Lp | System and method for vulnerability remediation verification |
US20160321752A1 (en) * | 2015-05-01 | 2016-11-03 | Medici, Inc. | Digitally Encrypted Securities Platform, Along With Methods And Systems For The Same |
US10063409B2 (en) * | 2015-11-16 | 2018-08-28 | International Business Machines Corporation | Management of computing machines with dynamic update of applicability rules |
US11120450B1 (en) * | 2016-05-11 | 2021-09-14 | United Services Automobile Association (Usaa) | Dynamic risk assessment for security features |
US10019558B2 (en) * | 2016-05-18 | 2018-07-10 | Adobe Systems Incorporated | Controlling licensable features of software using access tokens |
EP3373180A1 (en) * | 2017-03-09 | 2018-09-12 | Siemens Aktiengesellschaft | Method and computer including protection against cyber criminal threats |
US20190007212A1 (en) * | 2017-06-30 | 2019-01-03 | Intel Corporation | Secure unlock systems for locked devices |
US20190306173A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Alert smart contracts configured to manage and respond to alerts related to code |
US20200349625A1 (en) * | 2019-05-05 | 2020-11-05 | Microsoft Technology Licensing, Llc | Monetizable template for asset token |
US11381589B2 (en) * | 2019-10-11 | 2022-07-05 | Secureworks Corp. | Systems and methods for distributed extended common vulnerabilities and exposures data management |
WO2021102077A1 (en) * | 2019-11-19 | 2021-05-27 | NetWolves Network Services, LLC | Centralized analytical monitoring of ip connected devices |
US11568057B2 (en) * | 2019-11-27 | 2023-01-31 | Accenture Global Solutions Limited | Systems and methods for triaging software vulnerabilities |
US11936664B2 (en) * | 2020-03-14 | 2024-03-19 | Microsoft Technology Licensing, Llc | Identity attack detection and blocking |
US11861013B2 (en) * | 2020-09-28 | 2024-01-02 | Accenture Global Solutions Limited | Systems and methods for triaging software vulnerabilities |
US11570199B2 (en) | 2020-12-23 | 2023-01-31 | Intel Corporation | Threat prevention by selective feature deprivation |
-
2020
- 2020-12-23 US US17/132,531 patent/US11570199B2/en active Active
-
2021
- 2021-09-02 EP EP21194560.5A patent/EP4020283A1/en active Pending
-
2022
- 2022-12-20 US US18/068,672 patent/US20230216878A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
EP4020283A1 (en) | 2022-06-29 |
US11570199B2 (en) | 2023-01-31 |
US20210120028A1 (en) | 2021-04-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10489583B2 (en) | Detecting malicious files | |
US11288124B2 (en) | Methods and apparatus for in-field mitigation of firmware failures | |
US8578174B2 (en) | Event log authentication using secure components | |
US11575708B2 (en) | Icon based phishing detection | |
CN107533622A (en) | Credible binary file translation | |
US8433906B2 (en) | Method and system for microlocking web content | |
CN107567699A (en) | Real-time mobile security situation | |
CN107533608A (en) | Credible renewal | |
US11418333B2 (en) | System and method for trusted control flow enforcement using derived encryption keys | |
US11528291B2 (en) | Methods and apparatus for defending against exploitation of vulnerable software | |
US20220006637A1 (en) | File system supporting remote attestation-based secrets | |
US9659171B2 (en) | Systems and methods for detecting tampering of an information handling system | |
US20230216878A1 (en) | Threat prevention by selective feature deprivation | |
CN113886825A (en) | Code detection method, device, system, equipment and storage medium | |
US20130124846A1 (en) | External boot device, program product, external boot method, and network communication system | |
US9064134B1 (en) | Method and apparatus for mitigating software vulnerabilities | |
US12118074B2 (en) | Methods and apparatus to generate dynamic password update notifications | |
CN113987471A (en) | Executable file execution method and device, electronic equipment and computer readable medium | |
US20240070274A1 (en) | Methods and apparatus to mitigate firmware malware | |
CN104484198A (en) | Method and device for setting up application | |
US12093382B2 (en) | Methods and apparatus to implement a deterministic indicator and confidence scoring model | |
US20240111869A1 (en) | Methods and apparatus to disable select processes for malware prevention | |
US11966477B2 (en) | Methods and apparatus for generic process chain entity mapping | |
US20230130746A1 (en) | Methods and apparatus for container attestation in client-based workloads | |
US20230402077A1 (en) | Message authentication galois integrity and correction (magic) for lightweight row hammer mitigation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: ADVISORY ACTION MAILED |