CN-114503110-B - Method, apparatus and article of manufacture for data processing
Abstract
Example methods, apparatus and/or articles of manufacture are disclosed that may be implemented, in whole or in part, using one or more processing devices to facilitate and/or support participation in computing activities by parties having limited mutual trust. In one embodiment, the computation may occur in a Secure Processing Environment (SPE) with one or more untrusted parties residing outside of the SPE.
Inventors
- dominica. Philip Mulligan
- Derek Del Miller
- Shel bear
Assignees
- 安谋知识产权有限公司
Dates
- Publication Date: 20260508
- Application Date: 20200903
- Priority Date: 20190912
Claims (20)
- 1. A method for data processing, the method comprising: transmitting one or more messages to at least one program input provider entity, the one or more messages including a first cryptographic attribute of at least a portion of system code on at least one computing device, the system code including an implementation of a virtual machine capable of hosting a program to be provided by the at least one program input provider entity; and receiving one or more messages transmitted from the at least one program input provider entity, the one or more messages comprising a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the first cryptographic attribute with a first cryptographic expression, wherein the system code is to prevent the code of the program from being exposed outside of the secure processing environment (SPE).
- 2. The method of claim 1, and further comprising: Transmitting one or more messages to at least one program input provider entity, the one or more messages including a second cryptographic attribute of at least a portion of code of a program to be executed by the virtual machine, and Receiving one or more messages transmitted from the at least one program input provider entity, the one or more messages including secret and/or proprietary parameters to be processed by the program, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the second cryptographic attribute with a second cryptographic expression, Wherein the virtual machine is to prevent execution of code of the program from revealing the secret and/or proprietary parameters outside the secure processing environment SPE.
- 3. The method of claim 2, and the method further comprises: Loading code of the program to be hosted by the virtual machine; Transmitting one or more messages to said at least one program input provider entity, said one or more messages comprising said second cryptographic expression of at least a portion of said code of said program to be executed by said virtual machine, and Signals and/or states representing the secret and/or proprietary parameters are obtained from one or more messages transmitted from the at least one program input provider entity, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the second cryptographic expression of the at least a portion of the code of the program loaded with the second cryptographic attribute.
- 4. The method of claim 1 or claim 2, further comprising: receiving, in a transport layer secure session, the one or more messages transmitted from the at least one program input provider entity.
- 5. The method of claim 1 or claim 2, wherein the virtual machine comprises a subset of the operating code of a compiler, the virtual machine omitting one or more of the operating code of the compiler based at least in part on at least one vulnerability of the at least one computing device to execute the omitted one or more operating code of the compiler.
- 6. The method of claim 1 or claim 2, further comprising: transmitting one or more challenge messages to a secure enclave computing device embedded in the secure processing environment (SPE), the one or more challenge messages including a challenge value; and receiving, from the secure enclave computing device, one or more messages including the first cryptographic attribute, the one or more messages from the secure enclave computing device including the first cryptographic attribute having been transmitted at least in part in response to receiving the one or more challenge messages.
- 7. The method of claim 1 or claim 2, wherein the first cryptographic attribute comprises a cryptographic hash and/or hash digest of the at least a portion of the system code.
- 8. The method of claim 1 or claim 2, wherein the first cryptographic attribute is compared to the first cryptographic expression for confirming that a version of system code is installed in a secure processing environment to at least partially implement the virtual machine.
- 9. An apparatus for data processing, the apparatus comprising: a transceiver device for transmitting messages to and receiving messages from a physical transmission medium; and one or more processors, the one or more processors configured to: initiate, by the transceiver device, transmission of one or more messages to at least one program input provider entity, the one or more transmitted messages including a first cryptographic attribute of at least a portion of system code on the at least one computing device, the system code including an implementation of a virtual machine capable of hosting a program to be provided by the at least one program input provider entity; and obtain one or more messages received at the transceiver device and transmitted from the at least one program input provider entity, the one or more messages including signals and/or state representation code of a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the first cryptographic attribute with a first cryptographic expression, wherein the system code is to prevent the code of the program from being exposed outside of the secure processing environment (SPE).
- 10. The apparatus of claim 9, wherein the one or more processors are further to: Initiating, by the transceiver device, transmission of one or more messages to at least one program input provider entity, the one or more messages including a second cryptographic attribute of at least a portion of code of a program to be hosted by the virtual machine, and Obtaining one or more messages transmitted from the at least one program input provider entity and received at the transceiver device, the one or more messages including secret and/or proprietary parameters to be processed by the program executed by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the second cryptographic attribute with a second cryptographic expression, Wherein the virtual machine is to prevent execution of code of the program from revealing the secret and/or proprietary parameters outside the secure processing environment SPE.
- 11. The apparatus of claim 10, wherein the one or more processors are further to: Loading code of the program to be hosted by the virtual machine and to be provided by the at least one program input provider entity; Initiating, by the transceiver device, transmission of one or more messages to the at least one program input provider entity, the one or more messages including the second cryptographic expression of at least a portion of the code of the program to be hosted by the virtual machine, and Signals and/or states representing secret and/or proprietary parameters are obtained from one or more messages received at the transceiver device and transmitted from the at least one program input provider entity, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the second cryptographic expression of the at least a portion of the code of the loaded program with a cryptographic value.
- 12. The apparatus of any of claims 9 to 11, wherein the one or more processors are further to: obtain the one or more messages received at the transceiver device in a transport layer secure session and transmitted from the at least one program input provider entity.
- 13. The apparatus of any of claims 9 to 11, wherein the virtual machine comprises a subset of operation codes of a compiler, the virtual machine to omit one or more of the operation codes of the compiler based at least in part on at least one vulnerability of the at least one computing device to execute the omitted one or more operation codes of the compiler.
- 14. The apparatus of any of claims 9 to 11, wherein the one or more processors are further to: initiating transmission of one or more challenge messages to a secure enclave computing device embedded in the secure processing environment SPE, the one or more challenge messages including a challenge value, and Obtaining one or more messages received from the secure enclave computing device that include the first cryptographic attribute, the one or more messages from the secure enclave computing device that include the first cryptographic attribute having been transmitted at least in part in response to receiving the one or more challenge messages.
- 15. The apparatus according to any of claims 9 to 11, wherein the first cryptographic attribute comprises a cryptographic hash and/or a hash digest of the at least a portion of the system code.
- 16. The apparatus of any of claims 9 to 11, wherein the first cryptographic attribute is compared to the first cryptographic expression for confirming that a version of system code is installed in a secure processing environment to at least partially implement the virtual machine.
- 17. An article of manufacture for data processing, the article of manufacture comprising: a non-transitory storage medium comprising computer readable instructions stored thereon, the computer readable instructions executable by a computing device to: Initiating transmission of one or more messages to at least one program input provider entity, the one or more messages including a first cryptographic attribute of at least a portion of system code on the at least one computing device, the system code including an implementation of a virtual machine capable of hosting a program to be provided by the at least one program input provider entity, and Obtaining one or more messages received and transmitted from the at least one program input provider entity, the one or more messages including signals and/or state representation code of a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the first cryptographic attribute with a first cryptographic expression, Wherein the system code is to prevent the code of the program from being exposed outside of the secure processing environment SPE.
- 18. The article of manufacture of claim 17, wherein the instructions are further executable by the computing device to: Initiating, by the transceiver device, transmission of one or more messages to at least one program input provider entity, the one or more messages including a second cryptographic attribute of at least a portion of code of a program to be executed by the virtual machine, and Obtaining one or more messages transmitted from the at least one program input provider entity and received at the computing device, the one or more messages including secret and/or proprietary parameters to be processed by the program, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the second cryptographic attribute with a second cryptographic expression, Wherein the virtual machine is to prevent execution of code of the program from revealing the secret and/or proprietary parameters outside the secure processing environment SPE.
- 19. The article of manufacture of claim 17, wherein the instructions are further executable by the computing device to: Loading code of the program to be hosted by the virtual machine; Initiating transmission of one or more messages to the at least one program input provider entity, the one or more messages including a cryptographic expression of at least a portion of the code of the program to be hosted by the virtual machine, and Signals and/or states representing secret and/or proprietary parameters are obtained from one or more messages received from the at least one program input provider entity, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the cryptographic expression of the at least a portion of code of the program loaded with a cryptographic value.
- 20. The article of manufacture of any of claims 17 to 19, wherein the instructions are further executable by the computing device to: obtain the one or more messages transmitted from the at least one program input provider entity in the transport layer secure session.
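The two-stage release described in claims 1, 2 and 6, as an added example that is not code from the patent or its applicant: the program owner releases the program only after the system-code measurement matches its expected value, and the data owner releases secret parameters only after the loaded program's measurement matches. The HMAC "quote", the stage labels, the class names and all byte strings are assumptions made for illustration; the claims do not say how the attribute is bound to the challenge value.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins; none of these values come from the patent.
SYSTEM_CODE = b"constructed VM implementation image v1"
PROGRAM = b"constructed program bytecode"
SECRETS = b"constructed secret parameters"
DEVICE_KEY = b"constructed attestation key"  # assumption: MAC key standing in for a hardware-backed signature

def measure(code: bytes) -> bytes:
    """Cryptographic attribute of the code: here a SHA-256 digest (claim 7)."""
    return hashlib.sha256(code).digest()

def quote(challenge: bytes, stage: bytes, digest: bytes) -> bytes:
    """Bind a measurement to one challenge and one stage so it cannot be replayed."""
    return hmac.new(DEVICE_KEY, challenge + stage + digest, hashlib.sha256).digest()

class Enclave:
    """SPE side: reports a measurement of whatever code is actually loaded."""
    def __init__(self, system_code: bytes):
        self.loaded = {b"system": system_code}
    def attest(self, challenge: bytes, stage: bytes):
        digest = measure(self.loaded[stage])
        return digest, quote(challenge, stage, digest)

class Provider:
    """Program input provider: releases its input only if the comparison succeeds."""
    def __init__(self, stage: bytes, expected: bytes, payload: bytes):
        self.stage, self.expected, self.payload = stage, expected, payload
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def release(self, digest: bytes, tag: bytes):
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        if nonce is None:
            return None
        authentic = hmac.compare_digest(tag, quote(nonce, self.stage, digest))
        matches = hmac.compare_digest(digest, self.expected)
        return self.payload if authentic and matches else None

def run_session(system_code: bytes, audited_program: bytes = PROGRAM) -> str:
    enclave = Enclave(system_code)
    program_owner = Provider(b"system", measure(SYSTEM_CODE), PROGRAM)
    program = program_owner.release(*enclave.attest(program_owner.challenge(), b"system"))
    if program is None:
        return "program withheld"
    enclave.loaded[b"program"] = program
    data_owner = Provider(b"program", measure(audited_program), SECRETS)
    params = data_owner.release(*enclave.attest(data_owner.challenge(), b"program"))
    return "secrets released" if params else "secrets withheld"
```

A modified system image stops the flow at the first comparison, and a program that differs from the one the data owner reviewed stops it at the second, so neither input leaves its owner for an unverified environment.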
Description
Method, apparatus and article of manufacture for data processing
Technical Field
The present disclosure relates generally to computing resources that may be used to provide secure computing resources for computing clients.
Background
There are strong economic, practical and/or technical incentives to defer and/or delegate various computing aspects among parties. For example, such delegation of computing may include delegating computing to a "cloud", where the cloud host acts as a delegator, providing computing services. Other examples may include a pedigree testing service (such as 23andMe) that may provide computing services and/or perform calculations on genetic data extracted from a cheek swab provided by a customer. As the number of software-based and/or computing-based services offered increases, the number of delegated computations must also increase.
Disclosure of Invention
According to a first aspect of the present disclosure there is provided a method for data processing, the method comprising: transmitting one or more messages to at least one program input provider entity, the one or more messages comprising a first cryptographic attribute of at least a portion of system code on at least one computing device, the system code comprising an implementation of a virtual machine capable of hosting a program to be provided by the at least one program input provider entity; and receiving one or more messages transmitted from the at least one program input provider entity, the one or more messages comprising a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the first cryptographic attribute with a first cryptographic expression, wherein the system code is to prevent code of the program from being revealed outside of a secure processing environment (SPE).
According to a second aspect of the present disclosure there is provided an apparatus for data processing comprising: a transceiver device for transmitting messages to and receiving messages from a physical transmission medium; and one or more processors for initiating transmission of one or more messages to at least one program input provider entity through the transceiver device, the one or more transmitted messages including a first cryptographic attribute of at least a portion of system code on the at least one computing device, the system code including an implementation of a virtual machine capable of hosting a program to be provided by the at least one program input provider entity, and for obtaining one or more messages received at the transceiver device and transmitted from the at least one program input provider entity, the one or more messages including signals and/or state representation code of a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity at least partially in response to a comparison of the first cryptographic attribute with a first cryptographic expression, wherein the system code is to prevent the code of the program from being exposed outside of the secure processing environment (SPE).
According to a third aspect of the present disclosure there is provided an article of manufacture for data processing comprising a non-transitory storage medium including computer readable instructions stored thereon that are executable by a computing device to: initiate transmission of one or more messages to at least one program input provider entity, the one or more messages including a first cryptographic attribute of at least a portion of system code on the at least one computing device, the system code including an implementation of a virtual machine, the virtual machine being capable of hosting a program to be provided by the at least one program input provider entity; and obtain one or more messages received and transmitted from the at least one program input provider entity, the one or more messages including signals and/or state representation code of a program to be hosted by the virtual machine, the one or more messages having been transmitted by the at least one program input provider entity in response at least in part to a comparison of the first cryptographic attribute with a first cryptographic expression, wherein the system code is to prevent the code of the program from being exposed outside of the secure processing environment (SPE).
Drawings
The claimed subject matter is particularly pointed out and distinctly claimed in the concluding portion of the specification. However, as to organization and/or method of operation, together with objects, features, and/or advantages thereof, it may best be understood by reference to the following detailed description when read with the accompanying drawings, in which:
FIG. 1 is a schematic diagram of an exemplary system for computing resources of a client, according to an embodiment;
FIGS. 2-4 are message flow diagrams of exemplar