(19) United States
(12) Patent Application Publication (10) Pub. No.: US 2020/0167463 A1
Adams et al. (43) Pub. Date: May 28, 2020

US 20200167463A1

(54) OUT-OF-BAND CONTENT ANALYSIS
(71) Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, Houston, TX (US)
(72) Inventors: Aland Adams, Fort Collins, CO (US); Bruce A. Lundeby, Fort Collins, CO (US)
(21) Appl. No.: 16/200,565
(22) Filed: Nov. 26, 2018

Publication Classification

(51) Int. Cl.
G06F 21/55 (2006.01)
G06F 21/57 (2006.01)
G06F 21/71 (2006.01)
G06F 21/81 (2006.01)
G06F 1/3206 (2006.01)

(52) U.S. Cl.
CPC: G06F 21/552 (2013.01); G06F 21/57 (2013.01); G06F 1/3206 (2013.01); G06F 21/81 (2013.01); G06F 21/71 (2013.01)

(57) ABSTRACT

A method of validating content out-of-band for a computing
device having a processor capable of executing software
with a management controller separate from the processor of
the computing device. The method includes identifying a
content to be deployed. The content resides on a storage
medium. The method further includes measuring the content
and establishing a content baseline for the content based on
the measuring. Also, the method includes copying a
deployed content to a storage product to produce a copied
deployed content. The copied deployed content is compared
with the content baseline out-of-band while the deployed
content is deployed. A difference is identified between the
copied deployed content and the content baseline.
`
`100
`100
`
`105 .
`105
`
`DATABASE
`DATABASE
`
`115
`115
`
`PROFILE ENGINE
`PROFILE ENGINE
`
`I
`PLAN ENGINE
` PLAN ENGINE
`
`120
`[,--- 120
`
`BUILD ENGINE „
`BUILD ENGINE
`
`---
`
`125
`125
`
`I- DEPLOY ENGINE [--'---
`
`DEPLOY ENGINE
`
`130
`130
`
`110
`110
`
`WIZ, Inc. EXHIBIT - 1099
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`Patent Application Publication May 28, 2020 Sheet 1 of 7
`
`US 2020/0167463 Al
`
`DATABASE
`
`PROFILE ENGINE
`
`- I PLAN ENGINE
`
`- I BUILD ENGINE
`
`DEPLOY ENGINE
`
`PROCESSOR
`
`FIG. 1
`
`115
`
`120
`
`125
`
`130
`
`110
`
`205
`
`215
`--------' 210
`-------' 220
`
`225
`
`230
`
`235
`
`200
`
`MEMORY
`
`PROFILE
`MODULE
`
`PLAN
`MODULE
`
`BUILD
`MODULE
`
`DEPLOY
`MODULE
`
`FIG. 2
`
`
`
`Patent Application Publication
`
`L JO Z WIN OZOZ `8Z SuN
`
`IV £9171,910/0Z0Z SR
`
`FIG. 3
`
`FRAMEWORK
`VERIFICATION
`
`320
`
`.........0"....
`
`144.40........
`
`ief
`
`*444.4.'"us
`
`11
`
`s*".........-
`
`IMAGE
`GOLDEN
`
`MEASURED
`
`VOLUME
`
`INSTALLED
`.......".d
`
`11461•0mr,
`
`VOLUME
`
`INSTALLED
`
`
`I,
`
`--
`
`VOLUME
`EMPTY
`
`..............
`
`#00..........
`
`................44,
`
`#00..........
`
`44,
`
`...r..........
`
`0.00......o...
`
`325
`
`315
`
`305
`
`300
`
`310 -----__________
`
`
`
`Patent Application Publication May 28, 2020 Sheet 3 of 7
`
`US 2020/0167463 Al
`
`430
`
`432-1
`
`432-2
`
`431
`
`453
`
`SERVER
`PROFILE
`
`SERVER
`PROFILE
`
`452-1
`
`452-2
`
`DEPLOYMENT
`PLAN 436
`
`
`
`
`
`GOLDEN
`IMAGE
`438
`
`444
`
`\446/
`
`450-1 450-2
`
`BUILD PLAN
`440
`
`PLAN SCRIPTS
`
`442 / _
`
`448
`
`VOLUME STORAGE
`
`DEPLOYMENT DEVICE
`
`443
`
`434
`
`433
`
`FIG. 4
`
`
`
`Patent Application Publication May 28, 2020 Sheet 4 of 7
`
`US 2020/0167463 Al
`
`530
`
`530
`
`SERVER
`PROFILES
`
`538
`
`585
`
`DEPLOYMENT
`PLAN
`
`GOLDEN
`IMAGE
`
`BUILD PLAN
`
`PLAN SCRIPTS
`
`ALERT &
`REMEDIATION
`
`590
`
`575
`
`VERIFIER
`
`VOLUME STORAGE
`
`595
`
`591
`
`570
`
`FIG. 5
`
`
`
`Patent Application Publication May 28, 2020 Sheet 5 of 7
`
`US 2020/0167463 Al
`
`630
`
`SERVER
`PROFILE
`
`DEPLOYMENT
`PLAN
`
`GOLDEN
`IMAGE
`
`BUILD PLAN
`640
`
`PLAN SCRIPTS
`642
`
`ALERT &
`REMEDIATION
`
`685
`
`644
`
`646
`
`698
`
`VERIFIER
`
`VOLUME STORAGE
`
`695
`
`670
`
`FIG. 6
`
`
`
`Patent Application Publication May 28, 2020 Sheet 6 of 7
`
`US 2020/0167463 Al
`
`700 d
`
`IDENTIFYING A CONTENT
`ON A STORAGE MEDIUM
`TO BE DEPLOYED
`
`4.
`
`705 --1
`
`MEASURING THE
`CONTENT
`
`710 N I
`
`715
`
`720
`
`1
`
`ESTABLISHING A DEPLOYED
`CONTENT BASELINE FOR THE
`CONTENT BASED ON THE
`MEASURING
`1
`COPYING A DEPLOYED
`CONTENT WITH A STORAGE
`PRODUCT TO PRODUCE A
`COPIED DEPLOYED CONTENT
`
`COMPARING THE COPIED
`DEPLOYED CONTENT WITH
`THE CONTENT BASELINE
`WHILE A DEPLOYED CONTENT
`IS ACTIVE
`
`4.
`
`725N
`
`IDENTIFYING A DIFFERENCE BETWEEN
`THE COPIED DEPLOYED CONTENT
`AND THE CONTENT BASELINE
`
`FIG. 7
`
`
`
`Patent Application Publication May 28, 2020 Sheet 7 of 7
`
`US 2020/0167463 Al
`
`825
`
`835
`
`830
`
`700d
`
`705d
`
`710\1
`
`7151
`
`720d
`
`IDENTIFY A CONTENT
`ON A STORAGE MEDIUM
`TO BE DEPLOYED
`,1r
`
`MEASURE THE
`CONTENT
`
`4r
`ESTABLISH A DEPLOYED
`CONTENT BASELINE FOR THE
`CONTENT BASED ON THE
`MEASURING
`I
`COPY A DEPLOYED
`CONTENT WITH A STORAGE
`PRODUCT TO PRODUCE A
`COPIED DEPLOYED CONTENT
`4
`COMPARE THE COPIED
`DEPLOYED CONTENT WITH
`THE CONTENT BASELINE
`WHILE A DEPLOYED CONTENT
`IS ACTIVE
`i
`
`725\1
`
`IDENTIFY A DIFFERENCE BETWEEN
`THE COPIED DEPLOYED CONTENT
`AND THE CONTENT BASELINE
`
`FIG. 8
`
`
`
`
`OUT-OF-BAND CONTENT ANALYSIS
`
`BACKGROUND
`
`[0001] Computing systems, such as servers, run various
`operating systems and applications within their operating
`environment. Security applications are run on the computing
`systems to protect the computing environment from mali-
`cious software and other security risks. Workload on the
`computing systems as a result of running security applica-
`tions may influence the performance of the systems. Addi-
`tionally, repairing operating systems and applications that
`are affected by security threats further decreases system
`performance, as the systems may run remediation tools or
`otherwise take the systems out of operation until corrective
`action may be taken.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0002] FIG. 1 is a schematic representation of an example
`system for hardware management according to one or more
`embodiments.
`[0003] FIG. 2 is a schematic representation of an example
`computing device for hardware management in accordance
`with one or more example embodiments.
`[0004] FIG. 3 is a diagram of an example system for
`hardware management in accordance with one or more
`example embodiments.
`[0005] FIG. 4 is a representation of a hardware manage-
`ment system in accordance with one or more example
`embodiments.
`[0006] FIG. 5 is a representation of a hardware manage-
`ment system having a verification framework in accordance
`with one or more example embodiments.
`[0007] FIG. 6 is a representation of a hardware manage-
`ment system having a verification framework in accordance
`with one or more example embodiments.
`[0008] FIG. 7 is a flow diagram of a method to validate
`content out-of-band in accordance with one or more
`example embodiments.
`[0009] FIG. 8 is an example computing device with a
`hardware processor and accessible machine-readable
`instructions in accordance with one or more example
`embodiments.
`
`DETAILED DESCRIPTION
`
`[0010] One or more examples are described in detail with
`reference to the accompanying figures. For consistency, like
`elements in the various figures are denoted by like reference
`numerals. In the following detailed description, specific
`details are set forth in order to provide a thorough under-
`standing of the subject matter claimed below. In other
`instances, well-known features to one of ordinary skill in the
`art having the benefit of this disclosure are not described to
`avoid obscuring the description of the claimed subject
`matter.
[0011] Increasingly complex computer infrastructure is
`commonly used to perform computing tasks. Data centers
`are often used to host this computing infrastructure. Such
`data centers may include various electronic devices that
`make up the computing infrastructure. Examples of elec-
`tronic devices include compute platforms, such as servers,
`that may be used to process data. During the lifespan of
`computing systems, the computing systems may be affected
by various internal or external security breaches. For
example, compute platforms may be affected by malicious
`software, such as viruses, spyware, worms, and the like.
`[0012] To prevent malicious software from affecting a
`computing system, security tools are used to both prevent
`the installation of malicious software, as well as to remediate
`a system that is infected. Such security tools or security
`applications are run within the computing environment and
`thus affect the performance of the system. For example,
`running a security tool in the computing environment may
`decrease system performance due to the local resources
`required to run the security tool. Additionally, should a
`computing system be infected with malicious software, the
`security tool may use valuable system resources in an
`attempt to remediate the condition. The infected state of the
`computing system may impede security tool operation.
`Remediation is tool specific and cannot necessarily return an
`operating system and/or application environment to a prior,
`known good state.
`[0013] Furthermore, security tools require maintenance on
`a per compute system basis, thereby requiring ongoing
`updates that may require performance interruptions. For
`example, in order to update certain security tools, a com-
`puting system may require a re-boot, which takes the system
`offline, thereby decreasing performance and disrupting
`workloads.
`[0014] Running such security tools within the computing
`system environment is referred to as in-band because the
`management of the application is performed within the
`computing environment. Out-of-band management refers to
`management that is performed external to the computing
`environment and may include use of dedicated channels for
`managing devices as well as devices and applications exter-
`nal to the computing system. In certain examples, a base-
`board management controller ("BMC") may be used to
`implement out-of-band management. A BMC may include a
`specialized microcontroller that is embedded on the moth-
`erboard of a computing device, such as a server. The BMC
`may thus monitor the physical state of a compute device.
`Such out-of-band management may conserve system
`resources by performing specific tasks outside of the com-
`puting system environment. By removing workload detri-
`mental tasks out-of-band, increased system performance
`may be realized.
`[0015]
`Implementations of the present disclosure may
`provide methods and systems for moving network security
`applications out-of-band. Such out-of-band solutions may
`allow a computing environment to continue operating with-
`out experiencing the workload detrimental effects of in-band
`security tools. Additionally, out-of-band solutions may
`allow remediation that does not affect computing system
`performance. For example, an operating system or applica-
`tion may become infected with malicious software. Rather
`than run resource intensive remediation tools, the operating
`system or application may be replaced with a version of an
operating system or application in a known good state.
`Because the operating system or application is in a known
`good state, the computing environment will be verifiably
`remediated, rather than relying on remediation tools that
`may or may not return the computing environment to a
`known good state. Additionally, analysis may be performed
`out-of-band, thereby preventing malicious software from
`fooling analysis tools.
`[0016] To validate content in a computing environment
out-of-band, systems and methods disclosed herein identify
content, such as an operating system, an application stack,
`and the like, that is being prepared for deployment. The
content is measured through analysis to establish a
`content baseline. The content baseline refers to the known
`state of the content prior to deployment, and thus prior to
`potential exposure and susceptibility to malicious software.
`Once the content is deployed, the deployed content may be
`copied. When the content requires validation, exposure to
`malicious software is suspected, system performance is not
`as expected, or for various other reasons the content requires
`analysis, the copied deployed content may be compared with
`the content baseline.
`[0017] While the copied deployed content is compared to
`the content baseline, the content is still actively deployed on
`the computing system. In certain implementations, the con-
`tent may be actively provided or running, while in other
`implementations, the content may be actively deployed, but
`not currently in use. As such, performance of the system is
`not affected by the analysis. During the analysis, a difference
`may be identified between the copied deployed content and
`the content baseline. Identification of this difference may
`thereby allow remediation steps to be taken. For example,
`remediation may include running one or more remediation
`tools, replacing the content with content in a known good
`state, building new content, shutting down the deployed
`active content, or otherwise taking actions to correct an
`identified difference. In certain implementations the differ-
`ence between the copied deployed content and the content
`baseline may not require remediation, at which point the
`active content may be verified as being in a good state.
`[0018] Turning to FIG. 1, a schematic representation of an
`example system for hardware management according to one
`or more embodiments is shown. FIG. 1 shows a system 100
`that includes a database 105, and a hardware management
`system 110. Hardware management system 110, which may
`include management of virtual machines and software as
`well as physical computing resources, includes a number of
`engines, such as profile engine 115, plan engine 120, build
`engine 125, and deployment engine 130. Hardware man-
`agement system 110 may communicate with database 105
`through various wired or wireless connections. While hard-
`ware management system 110 is illustrated as including four
`engines, in other implementations a fewer or greater number
`of engines may be included that are capable of performing
`functions that will be described in detail below.
`[0019] The set of engines, i.e., profile engine 115, plan
`engine 120, build engine 125, and deployment engine 130
`can include a combination of hardware and programming
`that are configured to perform specific functions. Examples
`of functions that the set of engines may perform include
`generating a profile including a deployment plan for a
`computing device and generating a master volume based on
`the deployment plan, the master volume being stored in a
`volume storage. Other functions may include generating a
`copy of the master volume and providing a set of scripts to
`alter the copy of the master volume based on the deployment
`plan. Additional functions may include deploying the altered
`copy of the master volume to a computing device.
`[0020] Profile engine 115 may include hardware and/or
`programming in order to generate a profile including a
`deployment plan to a computing device. Generating a profile
`may include a selection of a set of configuration features for
the computing device. In certain implementations profile
engine 115 may make configuration changes to the comput-
ing device based on the profile. In certain implementations,
`the profile may be used to select or generate a corresponding
`deployment plan for generating an instruction volume that
`may be deployed to a computing device. The instruction
`volume may include boot instructions or run instructions
`that may be used to configure the computing device, oper-
`ating system, and/or applications.
`
`[0021] Plan engine 120 may include hardware and/or
`programming in order to generate a master volume based on
`the deployment plan. In certain examples, generating the
`master volume may include copying a golden image, e.g., a
`master image, a cache image, or any type of storable content,
`of a computing device. The golden image may include a set
`of default configuration settings and custom settings based
`on the deployment plan or generated profile. In certain
`implementations, the golden image may include a copy of a
`volume that was previously used by a computing device,
`while in other implementations the golden image may
`include an archive of files or instruction packages, such as
`software packages.
`
`[0022] A volume is a logical disk format that may be used
`in specific implementations. However, the approach may be
`generalized to include a content format that is able to support
`replication, such as formats and implementations supporting
`fast replication. For example, shared memory technologies
`using virtual memory access may be used. In such an
`approach, virtual memory architecture may provide a hier-
`archy of pointers that is able to quickly replicate content to
`different logical copies with separate access.
`
`[0023] The build engine 125 may include hardware and/or
`programming in order to generate a copy of the master
`volume and to provide a set of scripts to alter the copy of the
`master volume based on the deployment plan. The altered
`copy may include an operating system boot volume. In
`certain implementations the altered copy may include an
operating system boot volume altered for use by a com-
`puting device, and in some implementations the altered copy
`may include secret or security content. Generating a copy of
`the master volume may include copying a set of settings to
`a second volume such as an instruction volume. The instruc-
`tion volume may be customized to include a set of altered
`settings. In certain implementations the set of settings may
`be altered through a set of executable scripts.
`
`[0024] The set of executable scripts may be applied to the
`instruction volume based on a set of configuration selec-
`tions. The configuration selections may be provided to a user
`through a user interface and/or computer program interface.
`The configuration selections may be based on a computing
`device type where the instruction volume is to be deployed.
`The configuration selections may further be based on a
`profile of the user. For example, a set of configuration
`selections may be presented to a user via a user interface to
`enable a user to select an option for each of the set of
`configuration selections.
`
`[0025] The deployment engine 130 may include hardware
`and/or programming in order to deploy the altered copy of
`the master volume to a computing device. Deploying the
`altered copy of the master volume may include deploying an
`instruction volume that includes a set of customized con-
`figuration selections. In some examples, deploying an
`instruction volume may include a boot volume and firmware
`configuration for the computing device. The boot volume
`
`
`
`
`
and firmware configuration may be implemented by the build engine 125 via a set of scripts that alter the instruction volume.

[0026] In some examples, a BMC may be used to implement services for a computing device. The BMC may be implemented using a separate processor from the processor that is used to execute a high-level operating system. BMCs can provide so-called "lights-out" functionality for computing devices. The lights-out functionality may allow a user, such as a systems administrator, to perform management operations on a computing device even if an operating system is not installed or not functional on the computing device. Moreover, in one example, the BMC may run on auxiliary power, thus the computing device need not be powered on to an on state where control of the computing device is handed over to an operating system after boot. As examples, the BMC may provide so-called "out-of-band" services, such as remote console access, remote reboot and power management functionality, monitoring health of the system, access to system logs, and the like.

[0027] As noted, in some instances, a BMC may enable lights-out management of a computing device that provides remote management access (e.g., system console access) regardless of whether the computing device is powered on, whether a primary network subsystem hardware is functioning, or whether an operating system is operating or even installed. A BMC may include an interface, such as a network interface, and/or serial interface that an administrator may use to remotely communicate with the BMC. In some examples, the BMC may be included on a system board of a server; in other examples a management controller can be included at another location, for example, a blade chassis to support multiple blade devices.

[0028] Turning to FIG. 2, a schematic representation of an example computing system for hardware management according to one or more embodiments is shown. The computing device 200 may use software, hardware, firmware, or logic to perform functions described herein.

[0029] Computing device 200 may include hardware and/or programming instructions configured to share information. The hardware, for example, may include one or more processors 205 or memory 210 (e.g., computer-readable medium (CRM), machine readable medium (MRM), database, etc.). Processors 205 may include any set of processors capable of executing instructions stored by a memory 210. Processors 205 may be implemented in a single device or distributed across multiple devices. The program instructions (e.g., computer readable instructions (CRI)) may include instructions stored on the memory 210 and executable by the processors 205 to implement a desired function (e.g., generate an instruction volume by copying a master volume, wherein the instruction volume is a computing device image, execute a set of scripts to alter the instruction volume based on a profile for a computing device, deploy the instruction volume to the computing device to configure the computing device based on the profile for the computing device, etc.).

[0030] Memory 210 may be in communication with processors 205. Memory 210 may include any set of memory components capable of storing instructions that can be executed by processor 205. Memory 210 may be a non-transitory computer-readable media ("CRM") or machine-readable media ("MRM"). Memory 210 may also be integrated in a single device or distributed across multiple devices. Further, memory 210 may be fully or partially integrated in the same apparatus as processor 205 or it may be separate but accessible to that apparatus and processor 205. Computing device 200 may be implemented on a participant device, on a server device, on a collection of server devices, or a combination of the participant device and the server device.

[0031] Memory 210 may be in communication with processor 205 via a communication link 215 (e.g., a path). Communication link 215 may be local or remote to a machine (e.g., a computing device) associated with processor 205. Examples of a local communication link 215 may include an electronic bus internal to a machine (e.g., a computing device) where the memory 210 is one of volatile, non-volatile, fixed, or removable storage medium in communication with the processor 205 via the electronic bus.

[0032] A set of modules (e.g., profile module 220, plan module 225, build module 230, and deployment module 235) may include CRI that when executed by the processor 205 can perform functions. The set of modules (e.g., profile module 220, plan module 225, build module 230, and deployment module 235) may be sub-modules of other modules. For example, the profile module 220 and the plan module 225 may be sub-modules or contained within the same computing device. In another example, the set of modules (e.g., profile module 220, plan module 225, build module 230, and deployment module 235) may include individual modules at separate and distinct locations (e.g., CRM, etc.).

[0033] Each of the set of modules may include instructions that when executed by processor 205 may function as a corresponding engine as described herein. For example, the profile module 220 may include instructions that when executed by processor 205 may function as the profile engine 115 of FIG. 1.

[0034] Turning to FIG. 3, a schematic representation of capturing an image with verification measurements according to one or more example embodiments is shown. In certain implementations an empty volume 300 may be deployed within a hardware management system 310. Empty volume 300 may be capable of receiving content provided by a user. Examples of content may include operating systems, applications, application stacks, media, or any other type of data capable of being stored thereon.

[0035] A user may then install the desired content, creating an installed volume 305 within hardware management system 310. The user may then identify certain portions of the content to measure 315. Measuring refers to generating reference measurements that include specific information contained in the content that a user may use to check the status of the content or specific aspects of the content. For example, the user may identify binary, script, config files, log files, directory listing, etc. that the user would later be able to check in order to validate functionality of the content. In certain implementations, the user may specify that the entire content should be measured 315, while in other implementations the user may only specify a portion of the content to be measured 315. The user may indicate the content to be measured directly through use of a user interface. Additionally, the content to be measured may be indicated by previously specified details or by externally provided details that the user references.

[0036] After the user identifies the content to measure 315, the measurements are created and loaded into a verification
`
`framework database 320. The verification framework 320
`database may store the measurements until a user determines
`that validation of the content should be performed, at which
`time the verification framework database 320 may use or
`otherwise make the measurements available for hardware
`management system 310 to use in validating specified
`content. Verification framework database 320 may include
`several different functionalities. Verification framework
`database 320 may include a provisioning stage that provides
`a cryptographic identity to a platform with the assurance that
`it cannot be tampered with or impersonated. Verification
framework database 320 may further include a registration
stage (not shown), which is a one-off operation used to
`register a platform with the verification framework 320
`appliance. Verification framework database 320 may also
`include an attestation stage (not shown), which is the con-
`tinuous operational process of the framework that periodi-
`cally verifies the state of each platform registered in the
`appliance. Furthermore, verification framework database
`320 may be loaded to indicate that incoming content is
`acceptable. For example, verification framework database
`320 may be loaded in anticipation of content that is repli-
`cated between multiple sites as a way of assuring that
`remediation has been achieved correctly and content has not
`otherwise been exposed to malicious software.
`[0037] Before or while the content is measured 315, a
`golden image 325 of the installed volume 305 is captured.
`The golden image 325 is a duplicate of the content on a
`specific installed volume 305. The golden image 325 is
`stored in hardware management system 110 and provides a
`known image of the content at the time the content was
`captured. As such, hardware management system 110 has an
`image of the content that is known to be operating with a
`good state, thereby providing a known baseline for the
`content. Because the content was measured 315 when the
`content was within the good state, the measurements may
`later be used to validate the state of the content.
`[0038] After deployment of the content, a user may want
`to validate the state of the content to determine if it is
`functioning properly or otherwise to identify if the content
`is infected with malicious software. The hardware manage-
`ment system 310 may then take a copy of the deployed
`content and compare the deployed content with the mea-
`surements that were taken when the golden image 325 was
`created. Differences between the deployed content and the
`baseline content may be identified. Certain differences may
`be expected, while other differences may not be expected. In
`a situation where the differences are expected, no action may
`be required, and the copy of the deployed content may be
`deleted. In the event a difference is identified, the verifica-
`tion framework 320 may be used to determine what the
`difference is and whether specific action should be taken.
`For example, if the identified difference is not substantial
and/or is not otherwise affecting system performance, the
`identified difference may be ignored. However, in other
`examples, the identified difference may cause decreased
`system performance, provide a potential security risk, or
`otherwise result in a condition that is not desirable. In such
`a situation, different remedies may be available.
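The measure-then-compare loop of paragraphs [0035] through [0038], written out as an added Python example; this is not code from the patent or from Hewlett Packard Enterprise. It assumes that a volume is a plain directory, that a measurement is the SHA-256 digest of each selected file, that the user's choice of what to measure is a hypothetical `select` predicate, and that the "expected differences" the text mentions are expressed as an `expected` path allowlist. The golden image, the deployed volume and its drift are all constructed inline, so the script runs offline.

```python
"""Added example (not from the patent or HPE): measure a golden image,
then validate an out-of-band copy of the deployed volume against the
baseline. Volumes are plain directories and all file contents are
constructed in-line, so the script runs offline."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, FrozenSet, List, Optional

Measurement = Dict[str, str]  # relative path -> "sha256:<hex digest>"
Report = Dict[str, List[str]]


def measure(volume: Path, select: Optional[Callable[[str], bool]] = None) -> Measurement:
    """Measure a volume: SHA-256 of each regular file, keyed by its path
    relative to the volume root. `select` is a hypothetical predicate that
    stands in for the user's choice of which binaries, scripts, config
    files, etc. to measure; None measures the entire content."""
    baseline: Measurement = {}
    for path in sorted(volume.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(volume).as_posix()
        if select is not None and not select(rel):
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        baseline[rel] = "sha256:" + digest.hexdigest()
    return baseline


def compare(baseline: Measurement, copied: Measurement,
            expected: FrozenSet[str] = frozenset()) -> Report:
    """Compare the measurement of a copied deployed volume with the
    baseline. Paths listed in `expected` (e.g. log files that legitimately
    change) are reported separately so they do not trigger remediation."""
    report: Report = {"modified": [], "added": [], "removed": [], "expected": []}
    for rel in sorted(baseline.keys() | copied.keys()):
        if rel not in copied:
            kind = "removed"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel] != copied[rel]:
            kind = "modified"
        else:
            continue  # measurement unchanged
        report["expected" if rel in expected else kind].append(rel)
    return report


def needs_remediation(report: Report) -> bool:
    """Only unexpected differences warrant action on the active content."""
    return any(report[k] for k in ("modified", "added", "removed"))


def demo() -> Report:
    """Constructed scenario: build a golden volume, deploy a copy, let it
    drift, then validate a snapshot of the deployed volume out-of-band."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        golden = root / "golden"
        for rel, data in {
            "bin/service": b"constructed service binary v1",
            "etc/service.conf": b"listen=443\n",
            "var/log/service.log": b"started\n",
        }.items():
            (golden / rel).parent.mkdir(parents=True, exist_ok=True)
            (golden / rel).write_bytes(data)
        baseline = measure(golden)          # taken before deployment

        deployed = root / "deployed"
        shutil.copytree(golden, deployed)   # deploy the golden image
        with (deployed / "var/log/service.log").open("ab") as fh:
            fh.write(b"request handled\n")  # expected drift: the log grows
        (deployed / "bin/service").write_bytes(b"constructed service binary, altered")
        (deployed / "bin/extra").write_bytes(b"file absent from the golden image")

        copied = root / "copied"
        shutil.copytree(deployed, copied)   # snapshot; deployed stays active
        return compare(baseline, measure(copied),
                       expected=frozenset({"var/log/service.log"}))


if __name__ == "__main__":
    result = demo()
    print(result, "remediate:", needs_remediation(result))
```

The comparison runs entirely against the snapshot, so the deployed volume keeps serving while it is validated; an empty `modified`/`added`/`removed` set corresponds to the "no action required, delete the copy" outcome in [0038], while anything else is the input to the remedies described in [0039] onward.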
`[0039] Examples of remedies may include shutting down
`operation of the computing system on which the content is
`disposed. The content may then be replaced with newly
`generated content based on the content saved as the golden
image 325. For example, the golden image 325 may include
a copy of an operating system. During validation of the
`operating system the hardware management system 310 may
`identify malicious software. The hardware management
`system 310 may inform a user that there is malicious
`software and the user may remove the installed operating
`system and replace the operating system with another oper-
`ating system created from the golden image 340.
`[0040]
`In other examples, the user may choose to reme-
`diate the issue using remediation tools. In such a situation,
`the remediation tools may be used on the copy of content
`when the content is not in use, thereby not wasting system
`resources. To remediate the issue, the copy of the deployed
`content may be remediated and upon completion, may be
`used to replace the deployed content that was still active as
`remediation occurred. In another example, the copy of the
`deployed content may be remediated and then the solution
`provided to the actively deployed content.
`[0041]
`In still other examples, remediation may result in
`hardware management system 310 automatically shutting
`down the computing device containing the content. In such
`a situation, the computing device may be turned off or taken
`offline without user