Patents by Inventor Virgil D. Gligor
Virgil D. Gligor has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20220108006
Abstract: A method and apparatus for establishing a software root of trust (RoT) ensures that the state of an untrusted computer system contains all and only content chosen by an external verifier and the system code begins execution in that state, or that the verifier discovers the existence of unaccounted for content. The method enables program booting into computer system states that are free of persistent malware such that an adversary cannot retain undetected control of an untrusted system.
Type: Application
Filed: January 24, 2020
Publication date: April 7, 2022
Inventors: Virgil D. GLIGOR, Shan Leung WOO
-
Patent number: 11200350
Abstract: This invention provides a method for providing trusted display to security sensitive applications on untrusted computing platforms. This invention has a minimal trusted code base and maintains full compatibility with the computing platforms, including their software and hardware. The core of the invention is a GPU separation kernel that (1) defines different types of GPU objects, (2) mediates access to security-sensitive GPU objects, and (3) emulates accesses to security-sensitive GPU objects whenever required by computing platform compatibility.
Type: Grant
Filed: July 23, 2020
Date of Patent: December 14, 2021
Assignee: CARNEGIE MELLON UNIVERSITY
Inventors: Virgil D. Gligor, Zongwei Zhou, Miao Yu
-
Publication number: 20200356703
Abstract: This invention provides a method for providing trusted display to security sensitive applications on untrusted computing platforms. This invention has a minimal trusted code base and maintains full compatibility with the computing platforms, including their software and hardware. The core of the invention is a GPU separation kernel that (1) defines different types of GPU objects, (2) mediates access to security-sensitive GPU objects, and (3) emulates accesses to security-sensitive GPU objects whenever required by computing platform compatibility.
Type: Application
Filed: July 23, 2020
Publication date: November 12, 2020
Inventors: Virgil D. Gligor, Zongwei Zhou, Miao Yu
-
Patent number: 10769312
Abstract: This invention provides a method for providing trusted display to security sensitive applications on untrusted computing platforms. This invention has a minimal trusted code base and maintains full compatibility with the computing platforms, including their software and hardware. The core of our invention is a GPU separation kernel that (1) defines different types of GPU objects, (2) mediates access to security-sensitive GPU objects, and (3) emulates accesses to security-sensitive GPU objects whenever required by computing platform compatibility.
Type: Grant
Filed: October 6, 2016
Date of Patent: September 8, 2020
Assignee: CARNEGIE MELLON UNIVERSITY
Inventors: Virgil D. Gligor, Zongwei Zhou, Miao Yu
-
Publication number: 20190116159
Abstract: A method of transmitting data over a computer network includes, at an originating terminal connected to the computer network, receiving a stream of data and inserting a first level packet payload containing an at least one dummy data. The method includes, identifying a network destination address for the stream of data. Further, the method includes, forming a first level packet including the first level packet payload and a first level header containing data representing the network destination address. The method further includes, encrypting at least a portion of the first level packet to form a second level packet payload. The method further includes, forming a second level packet including the second level packet payload and a second layer header containing a router address of an intermediate router connecting the originating terminal to the network destination address. The method further includes, sending the second level packet to the intermediate router at the router address.
Type: Application
Filed: October 24, 2016
Publication date: April 18, 2019
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor
-
Patent number: 10235515
Abstract: A computing platform for on-demand I/O channels, which enable secure application to dynamically connect to diverse peripheral devices of untrusted commodity OSes.
Type: Grant
Filed: May 15, 2015
Date of Patent: March 19, 2019
Assignee: CARNEGIE MELLON UNIVERSITY
Inventors: Virgil D Gligor, Zongwei Zhou, Miao Yu
-
Publication number: 20190012489
Abstract: This invention provides a method for providing trusted display to security sensitive applications on untrusted computing platforms. This invention has a minimal trusted code base and maintains full compatibility with the computing platforms, including their software and hardware. The core of our invention is a GPU separation kernel that (1) defines different types of GPU objects, (2) mediates access to security-sensitive GPU objects, and (3) emulates accesses to security-sensitive GPU objects whenever required by computing platform compatibility.
Type: Application
Filed: October 6, 2016
Publication date: January 10, 2019
Applicant: CARNEGIE MELLON UNIVERSITY
Inventors: Virgil D. Gligor, Zongwei Zhou, Miao Yu
-
Publication number: 20180115529
Abstract: A method of transmitting data over a computer network includes, at an originating terminal connected to the computer network, receiving a stream of data and inserting a first level packet payload containing an at least one dummy data. The method includes, identifying a network destination address for the stream of data. Further, the method includes, forming a first level packet including the first level packet payload and a first level header containing data representing the network destination address. The method further includes, encrypting at least a portion of the first level packet to form a second level packet payload. The method further includes, forming a second level packet including the second level packet payload and a second layer header containing a router address of an intermediate router connecting the originating terminal to the network destination address. The method further includes, sending the second level packet to the intermediate router at the router address.
Type: Application
Filed: October 24, 2016
Publication date: April 26, 2018
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor
-
Publication number: 20170177854
Abstract: A computing platform for on-demand I/O channels, which enable secure application to dynamically connect to diverse peripheral devices of untrusted commodity OSes
Type: Application
Filed: May 15, 2015
Publication date: June 22, 2017
Inventors: Virgil D Gligor, Zongwei Zhou, Miao Yu
-
Patent number: 9479426
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Grant
Filed: May 18, 2012
Date of Patent: October 25, 2016
Assignee: VIRNETZ, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 8874771
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Grant
Filed: August 16, 2007
Date of Patent: October 28, 2014
Assignee: VirnetX, Inc.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor
-
Patent number: 8832778
Abstract: An apparatus and method for establishing a trusted path between a user interface and a trusted executable, wherein the trusted path includes a hypervisor and a driver shim. The method includes measuring an identity of the hypervisor; comparing the measurement of the identity of the hypervisor with a policy for the hypervisor; measuring an identity of the driver shim; comparing the measurement of the identity of the driver shim with a policy for the driver shim; measuring an identity of the user interface; comparing the measurement of the identity of the user interface with a policy for the user interface; and providing a human-perceptible indication of whether the identity of the hypervisor, the identity of the driver shim, and the identity of the user interface correspond with the policy for the hypervisor, the policy for the driver shim, and the policy for the user interface, respectively.
Type: Grant
Filed: June 29, 2010
Date of Patent: September 9, 2014
Assignee: Carnegie Mellon University
Inventors: Jonathan M. McCune, Adrian M. Perrig, Anupam Datta, Virgil D. Gligor, Ning Qu
-
Publication number: 20130219174
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: September 14, 2012
Publication date: August 22, 2013
Applicant: Virnetx, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 8461963
Abstract: An access authorization method and apparatus for a wireless sensor network comprises at least a base station and a wireless sensor network formed by a plurality of sensor nodes. After having obtained an access authorization of a user, the at least a base station issues a request message to a target sensor node in the wireless sensor network. The target sensor node requests at least a controlling node in the wireless sensor network for sensing data sensed by the at least a controlling node, and checks if the sensing data meets the requirements of the access authorization of the user. Whether the target sensor node responds with the required multimedia or not is based on the checking result.
Type: Grant
Filed: January 6, 2010
Date of Patent: June 11, 2013
Assignees: Industrial Technology Research Institute, Carnegie Mellon University
Inventors: Lee-Chun Ko, Virgil D. Gligor, Hayan Lee
-
Publication number: 20130091354
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: May 18, 2012
Publication date: April 11, 2013
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Publication number: 20130067222
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: September 14, 2012
Publication date: March 14, 2013
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Publication number: 20120198514
Abstract: An apparatus and method for establishing a trusted path between a user interface and a trusted executable, wherein the trusted path includes a hypervisor and a driver shim. The method includes measuring an identity of the hypervisor; comparing the measurement of the identity of the hypervisor with a policy for the hypervisor; measuring an identity of the driver shim; comparing the measurement of the identity of the driver shim with a policy for the driver shim; measuring an identity of the user interface; comparing the measurement of the identity of the user interface with a policy for the user interface; and providing a human-perceptible indication of whether the identity of the hypervisor, the identity of the driver shim, and the identity of the user interface correspond with the policy for the hypervisor, the policy for the driver shim, and the policy for the user interface, respectively.
Type: Application
Filed: June 29, 2010
Publication date: August 2, 2012
Applicant: CARNEGIE MELLON UNIVERSITY
Inventors: Jonathan M. McCune, Adrian M. Perrig, Anupam Datta, Virgil D. Gligor, Ning Qu
-
Publication number: 20110307693
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: June 7, 2011
Publication date: December 15, 2011
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Publication number: 20110238993
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: June 6, 2011
Publication date: September 29, 2011
Applicant: VIRNETX, INC.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 7996539
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to “hopping” of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a-priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Grant
Filed: December 13, 2005
Date of Patent: August 9, 2011
Assignee: Virnetx, Inc.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt