Patents by Inventor Heiko Carstens
Heiko Carstens has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11403409Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.Type: GrantFiled: March 8, 2019Date of Patent: August 2, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Martin Schwidefsky, Christian Borntraeger, Lisa Cranton Heller, Heiko Carstens, Fadi Y. Busaba
-
Patent number: 11347869Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.Type: GrantFiled: March 8, 2019Date of Patent: May 31, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Martin Schwidefsky, Heiko Carstens, Jonathan D. Bradbury, Lisa Cranton Heller
-
Patent number: 11308229Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.Type: GrantFiled: March 8, 2019Date of Patent: April 19, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Martin Schwidefsky, Christian Borntraeger, Lisa Cranton Heller, Heiko Carstens, Fadi Y. Busaba
-
Patent number: 11206128Abstract: According to one or more embodiments of the present invention, a computer implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.Type: GrantFiled: March 8, 2019Date of Patent: December 21, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Jonathan D. Bradbury, Christian Borntraeger, Heiko Carstens, Martin Schwidefsky, Reinhard Theodor Buendgen
-
Publication number: 20200287709Abstract: According to one or more embodiments of the present invention, a computer implemented method includes computing a hash value of a page of memory of a computer system and comparing the hash value with a previously computed hash value of the page. A per-encryption value per page can be used in encrypting the page based on determining that the hash value matches the previously computed hash value. A modified value of the per-encryption value per page can be used in encrypting the page based on determining that the hash value mismatches the previously computed hash value.Type: ApplicationFiled: March 8, 2019Publication date: September 10, 2020Inventors: Jonathan D. Bradbury, Christian Borntraeger, Heiko Carstens, Martin Schwidefsky, Reinhard Theodor Buendgen
-
Publication number: 20200285762Abstract: An example computer-implemented method includes presenting, by a hardware control of a computing system, an exception to an untrusted entity when the untrusted entity accesses a secure page stored in a memory of the computing system, the exception preventing the untrusted entity from accessing the secure page. The method further includes, in response to the exception, issuing, by the untrusted entity, an export call routine. The method further includes executing, by a secure interface control of the computing system, the export call routine.Type: ApplicationFiled: March 8, 2019Publication date: September 10, 2020Inventors: Jonathan D. Bradbury, Martin Schwidefsky, Christian Borntraeger, Lisa Cranton Heller, Heiko Carstens, Fadi Y. Busaba
-
Publication number: 20200285758Abstract: A method is provided. The method is implemented by a secure interface control of a computer that prevents unauthorized accesses to locations in a memory of the computer. The secure interface control determines that a host absolute page is not previously mapped to a virtual page in accordance with securing the host absolute page and a host virtual page is not already mapped to an absolute page in accordance with securing the host absolute page.Type: ApplicationFiled: March 8, 2019Publication date: September 10, 2020Inventors: Martin Schwidefsky, Heiko Carstens, Jonathan D. Bradbury, Lisa Cranton Heller
-
Patent number: 10547595Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.Type: GrantFiled: October 29, 2018Date of Patent: January 28, 2020Assignee: International Business Machines CorporationInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 10366227Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.Type: GrantFiled: November 15, 2016Date of Patent: July 30, 2019Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20190215161Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.Type: ApplicationFiled: March 15, 2019Publication date: July 11, 2019Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 10270596Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.Type: GrantFiled: September 16, 2016Date of Patent: April 23, 2019Assignee: INTERNATIONAL BUSINESS MACHNINES CORPORATIONInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20190104115Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.Type: ApplicationFiled: October 29, 2018Publication date: April 4, 2019Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 10237245Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.Type: GrantFiled: July 15, 2016Date of Patent: March 19, 2019Assignee: International Business Machines CorporationInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 10083128Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.Type: GrantFiled: February 19, 2018Date of Patent: September 25, 2018Assignee: International Business Machines CorporationInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20180150409Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.Type: ApplicationFiled: February 19, 2018Publication date: May 31, 2018Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20180137273Abstract: A trusted component commences a debugging session, based on determining that debugging of a virtual machine is to be initiated. The commencing of the debugging session includes generating encryption information to be provided to a client for which debugging is to be performed. The encryption information includes a key that is encrypted and to be used to encrypt a debug request to debug the virtual machine. The trusted component obtains an encrypted debug request indicating one or more operations to be performed to debug the virtual machine. The one or more operations are performed by the trusted component to obtain debugging results for the virtual machine.Type: ApplicationFiled: November 15, 2016Publication date: May 17, 2018Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20180081824Abstract: A method for generating a dump comprising data generated by a virtual system in a computing environment is depicted. The method comprises: initiating a dump process for dumping data generated by the virtual system and stored in guest memory; sending a dump request for the data from the virtual machine monitor to the trusted component; in response to receiving the dump request, generating a symmetric dump generating key; reading the data from the guest memory; encrypting the data with the symmetric dump generating key; encrypting the symmetric dump generating key with the public cryptographic key of the client system; providing the encrypted dump data and the encrypted symmetric dump generating key to the virtual machine monitor; generating a dump comprising the encrypted dump data and the encrypted symmetric dump generating key; and providing the dump to the client system.Type: ApplicationFiled: September 16, 2016Publication date: March 22, 2018Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Publication number: 20180019979Abstract: A method includes a trusted component of a host computing system, obtaining, from a client, via a hypervisor of the host, a request to run an instance of a guest image within the hypervisor. The request includes a unique identifier of the guest image, contents of the guest image, and a communication key. The request is encrypted with a request key accessible to the owner and the trusted component and not accessible to the hypervisor. The trusted component generates an authorization request to an authorizing entity of the client requesting authorization for the hypervisor to run the instance. The authorization request includes the unique identifier, a use counter, and a unique challenge. The trusted component encrypts the authorization request with the communication key and communicates the authorization request to the authorizing entity, via the hypervisor.Type: ApplicationFiled: July 15, 2016Publication date: January 18, 2018Inventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 9720723Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.Type: GrantFiled: October 22, 2015Date of Patent: August 1, 2017Assignee: International Business Machines CorporationInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel
-
Patent number: 9720721Abstract: A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity values for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.Type: GrantFiled: July 1, 2015Date of Patent: August 1, 2017Assignee: International Business Machines CorporationInventors: Utz Bacher, Reinhard T. Buendgen, Heiko Carstens, Dominik Dingel