(12) United States Patent
     Moon

(10) Patent No.: US 7,571,475 B2
(45) Date of Patent: Aug. 4, 2009

(54) METHOD AND ELECTRONIC DEVICE FOR TRIGGERING ZEROIZATION IN AN ELECTRONIC DEVICE

(75) Inventor: Billy G. Moon, Cary, NC (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 849 days.
(21) Appl. No.: 11/099,877
(22) Filed: Apr. 5, 2005
(65) Prior Publication Data: US 2006/0225142 A1, Oct. 5, 2006
(51) Int. Cl.: G06F 11/00 (2006.01)
(52) U.S. Cl.: 726/22
(58) Field of Classification Search: 726/22, 726/23, 24, 34, 25, 26; 713/164, 188, 189, 713/193. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,292,898 B1 *      9/2001   Sutherland         726/34
6,347,375 B1 *      2/2002   Reinert et al.     726/24
6,931,552 B2 *      8/2005   Pritchard et al.   726/34
7,484,247 B2 *      1/2009   Rozman et al.      726/34
2002/0166061 A1 *   11/2002  Falik et al.       713/200
2005/0033980 A1     2/2005   Willman et al.     713/200

OTHER PUBLICATIONS

Cisco Systems, Zeroization, 2005, pp. 1-5.*
Cerberus Systems, Inc., National Institute of Standards and Technology, "Implementation Guidance for FIPS PUB 140-1, continued, PART 2 (sections 1-4)", 15 pages.
Lock-Out, Lock Out Products, "Why Button", Copyright (C) 2000-2004, 2 pages.
Legacy Marketplace, LLC and Security Solutions, LLC, "My Secure PC", 3 pages.
Communications Security Establishment (CSE) and National Institute of Standards and Technology (NIST), "Research in Motion: BlackBerry Cryptographic Kernel Policies", Copyright (C) 2000 (Research in Motion Limited (RIM), 6 pages.
Federal Information Processing Standards Publication 140-1, "Security Requirements for Cryptographic Modules", Jan. 11, 1994, 45 pages.
Virus.org Hosted by Wizards Ltd., "Scan design called portal for hackers", Copyright (C) 1997-2005, 3 pages.

* cited by examiner

Primary Examiner: Beemnet W Dada
(74) Attorney, Agent, or Firm: Trellis IP Law Group, PC

(57) ABSTRACT

A method and apparatus for initiating a zeroization process in an electronic device is provided. Diagnostic information is provided by a plurality of sub-systems such that when one or more conditions are detected that are expected to cause the electronic device to experience a failure in the near future or if the electronic device appears to have been compromised, then the zeroization process is triggered.

20 Claims, 3 Drawing Sheets

[Representative drawing (flowchart, reference numerals 202, 204, 206): detect failure or impending failure condition; initiate zeroization process; re-boot device; establish secure link to obtain configuration and other sensitive information.]

[Drawing sheet 1 of 3, FIG. 1 (flowchart):
102: Monitor selected operating conditions
104: Configure trigger points to determine the activation of the zeroization process
106: Monitor diagnostic information from sub-systems
108: Trigger zeroization when a threshold has been exceeded
110: Trigger zeroization when Boolean combination of thresholds are exceeded
112: Trigger zeroization if failure is impending
114: Trigger zeroization if over-ride button activated]

[Drawing sheet 2 of 3. FIG. 2 (flowchart):
202: Detect failure or impending failure condition
204: Initiate zeroization process
206: Re-boot device
208: Establish secure link to obtain configuration and other sensitive information
Block diagram labels recovered from the same sheet: sub-systems 308, diagnostic sensors 306, sensor monitor 304, administrator interface 402.]

[Drawing sheet 3 of 3, FIG. 4 (block diagram): sensitive information storage sub-systems 308 and sensor monitor 304, with the following trigger list:
Memory X% full --> trigger 1
Disk X% full --> trigger 2
Disk check detects x corrupt files --> trigger 3
I2C bus failure --> trigger 4
SPI 1 bus failure --> trigger 5
SPI 2 bus failure --> trigger 6
Bluetooth failure --> trigger 7
Watchdog hit --> trigger 8
Battery LT x volts --> trigger 9
Temp. GT x degrees --> trigger 10
Motion stopped for x secs. & failure to clear --> trigger 11
Memory fault --> trigger 12
Process fault --> trigger 13
USB failure --> trigger 14
GPS failure --> trigger 15
GPS coordinates out of bounds --> trigger 16
PC-CARD failure --> trigger 18
x log in failures --> trigger 19
x spurious interrupts --> trigger 20
x time elapsed --> trigger 21]

METHOD AND ELECTRONIC DEVICE FOR TRIGGERING ZEROIZATION IN AN ELECTRONIC DEVICE

BACKGROUND AND SUMMARY OF THE INVENTION

Embodiments of this invention relate in general to electronic devices. More specifically, embodiments of this invention relate to electronic devices that require zeroization to protect stored sensitive information from being wrongfully acquired.

In mission critical electronic devices zeroization is executed to delete potentially sensitive or sensitive information from the memory before the device falls into the wrong hands or more specifically into the control of someone who should not have access to the information. While the zeroization capability is a necessity for electronic devices used by the military, homeland security or state and local police departments, such capability is also desirable for private security guards, corporate executives or others who wish to protect information stored in their electronic device.

Zeroization is a process of scrubbing memory to remove sensitive information stored in an electronic device. The memory scrubbing process includes any device or location where sensitive data may be stored.

Activation of a key or a button on the faceplate of the electronic device by an operator typically triggers, or initiates, the zeroization process. In other prior art electronic devices, zeroization occurs when the operator types in a special code. However, if an operator is unable to activate the key or button or is, for some reason, incapacitated and unable to enter the code, the sensitive information may be needlessly exposed. In other instances, even if the operator is able to manually initiate the zeroization process, the electronic device may be fully or partially inoperable thereby making it impossible to initiate the zeroization process. Clearly, there is a need to ensure that zeroization is not dependent on an operator to initiate the zeroization process.

In still other prior art devices, the zeroization process is initiated when the outer case of the electronic device is tampered with or when the temperature exceeds a selected temperature. In such devices, simply removing the power before beginning the forensic recovery of the sensitive information may defeat the zeroization mechanism. The ability for someone to open a module's cover and access sensitive information in memory before zeroization depends heavily on the design and configuration and the time between tamper detection and zeroization can be on the order of a few milliseconds to several seconds. Thus, the immediate zeroization of sensitive information means that upon detection of tampering, the electronic device must drop everything and perform zeroization. However, by the time tamper detection occurs, it may already be too late to enter the state where zeroization takes place. What is needed is an automated mechanism that monitors the condition of the electronic device and initiates the zeroization process in anticipation of a trigger condition without operator intervention so that critical sensitive information is not exposed.

To overcome these disadvantages of the prior art, the present invention determines if a trigger condition has occurred or is about to occur and then initiates a zeroization process to remove sensitive information before the electronic device failure would prohibit zeroization.

The foregoing and additional features and advantages of this invention will become apparent from the detailed description and review of the associated drawing figures that follow.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a method for initiating zeroization in an electronic device, in accordance with an embodiment of the invention.
FIG. 2 illustrates a method for triggering zeroization in an electronic device, in accordance with an embodiment of the invention.
FIG. 3 is a block diagram of an electronic device for triggering zeroization in an electronic device, in accordance with an embodiment of the invention.
FIG. 4 is a block diagram of an electronic device for triggering zeroization in an electronic device, in accordance with another embodiment of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

In the description herein for embodiments of the present invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the present invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other electronic devices, systems, assemblies, methods, components, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.

Various embodiments of the invention provide a method and system for triggering zeroization in an electronic device. The electronic device may be a mobile or personal router, cellular telephone, radio transmitter or receiver, portable computing device such as a PDA or notebook, or other devices where mission critical sensitive information may be stored in electronic form. As used herein, sensitive information refers to information whose unauthorized disclosure could endanger national, state or corporate security or the well-being of the user of the electronic device and which is intended to be kept from knowledge or unauthorized viewing. To illustrate, sensitive information may be the hardware configuration for a mobile network device or private keys used for an encryption device. Yet another example of sensitive information may be photographs or telephone numbers stored on a personal cellular telephone or confidential corporate information stored in the memory of a notebook computer or other portable personal computing device. Zeroization generally refers to deletion of hardware configurations, Field-Programmable Gate Array (FPGA) images, and information stored in main memory, cache memories, flash memory, Non-Volatile Random Access Memory (NVRAM) and other memories or locations that may contain sensitive information. Unless otherwise noted, the phrase "sensitive information" includes and encompasses hardware configurations and FPGA images as well as proprietary and confidential information stored in an electronic or magnetic fashion regardless of whether the storage medium is semiconductor, magnetic, optical or other. The purpose of the zeroization process is to make sure that such sensitive information is not forensically recoverable. In order to achieve zeroization, various well-known scrubbing techniques may be used to delete or remove the sensitive information. For example, with magnetic memory, it may be necessary to write a pattern of all 1s and then all 0s to the memory to clean out residual information retained in the magnetic storage medium. Or with semiconductor memory, a high voltage may be written to each memory location. In some cases, it may be necessary to access special circuits adapted to perform the zeroization process such as, by way of example, an erase control line that causes a bulk erase of a sector in a memory device.

FIG. 1 illustrates a method for initiating zeroization in an electronic device, in accordance with an embodiment of the invention. At step 102, selected operating conditions of the electronic device are monitored. The operating conditions are selected based on the type of electronic device, the nature of information stored therein and the nature of the mission. Typically, the monitored operating conditions are selected prior to start of each mission or when the electronic device is initially put into service.

Once one or more of the operating conditions are selected, trigger points must be set that determine the activation of the zeroization process as indicated at step 104. Determining the trigger points allows the monitoring process to be uniquely configured based on the functions performed by the electronic device, the sensitivity of the information stored in the device and the level of security required for each mission. To illustrate, if the electronic device is a personal router worn by a soldier during battle, the configuration and communication codes stored in an FPGA or NVRAM would constitute a significant breach of security if the soldier is incapacitated and the enemy acquired the intact router. Thus, if motion ceased for a certain length of time, for example six minutes, the electronic device would need to automatically initiate the zeroization process. In contrast, if the electronic device is a personal cell phone containing a telephone and address list, the lack of motion may not be critical and may not even be a monitored operating condition.

In other instances, the monitoring process may be configured to consider two or more operating conditions using Boolean logic to determine when it is necessary to initiate the zeroization process. Returning to the example of the soldier's personal router, assume that motion has stopped but the GPS coordinates match the location of a forward operating base where the soldier is expected to remove the personal router while he showers and sleeps. Thus, the fact that the personal router is no longer being worn by the soldier, or the fact that there is no detected motion for a certain length of time, will not alone trigger the zeroization process.

When the mission or actual use of the device begins, the monitoring process is activated as indicated at step 106. The monitoring process involves the receipt of diagnostic information from various subsystems in the electronic device. Each diagnostic test returns a value that is compared to a pre-determined threshold. When it is determined at step 108 that a trigger condition has occurred because a threshold has been exceeded, the zeroization process is triggered in the electronic device. In other instances, a selected combination of thresholds must be exceeded nearly simultaneously before the zeroization process would be triggered as indicated at step 110. In still other instances, the diagnostic tests could return values that are indicative of an impending failure or occurrence of a trigger event and that the zeroization process should be initiated as a proactive measure as indicated at step 112. In still other embodiments, the zeroization is initiated in response to the button being pushed or the key code being entered even if the monitoring process does not indicate a trigger condition or an impending trigger or failure as indicated at step 114.

FIG. 2 illustrates a method for recovering from an autonomously initiated zeroization process in an electronic device, in accordance with an embodiment of the invention. Recovery is necessary in several instances but for certain missions, it is critical that electronic devices that have been scrubbed can, at some later time, be re-initialized and returned to service. To illustrate the scenario where re-initialization may occur, consider the example where the electronic device includes a GPS unit and the enemy is jamming the GPS signal causing the coordinates to be incorrectly read. If an ordnance delivery vehicle uses the GPS coordinates, the wrong coordinates could cause the munitions to explode at the wrong location or at the wrong time. This would be an undesirable fault condition. Thus, when jamming (or some other failure condition) is detected as indicated at step 202, the zeroization process is initiated at step 204 to scrub sensitive information from the electronic device. If at some future time the jamming (or other trigger condition) is alleviated, the electronic device may be rebooted as indicated at step 206. During the re-boot process, the electronic device may establish a secure encrypted connection to receive the sensitive information as indicated at step 208.

FIG. 3 illustrates an electronic device 300 that includes a zeroization circuit 302, a monitor 304, a plurality of sensors 306 and storage sub-systems 308 of electronic device 300 where sensitive information is stored or retained. In one embodiment, monitor 304 comprises an address space that receives interrupts from any sensor whenever an alert is generated. To ensure that the zeroization process is initiated immediately after the interrupt is generated, zeroization circuit 302 scans the address space of monitor 304 to determine if the zeroization process should be initiated. In operation, monitor 304 receives input from sensors 306 and, whenever a sensor indicates a problem, monitor 304 activates zeroization circuit 302 to zero out storage locations in sub-systems 308 where sensitive information is otherwise stored during normal operation of electronic device 300.

Sub-systems 308 include but are not limited to: magnetic or optical storage devices such as a disk drive, Field-Programmable Gate Arrays, main memory, RAM, ROM, flash memory, cache memories, flash memory, Non-volatile Random Access Memory (NVRAM), Bluetooth and other sub-systems that may store sensitive information. In general, sensitive information may be stored in any computer readable medium associated with a sub-system 308.

Each of the plurality of sensors 306 comprises a trigger that can start the zeroization process either alone or in combination with other triggers. In one embodiment of the invention, one sensor, trigger 1, indicates when a RAM memory sub-system approaches full utilization. For example, if memory is 95% full, then trigger 1 will generate an interrupt to monitor 304. This interrupt is generated because an electronic device that does not have free memory will operate very slowly due to memory contention issues and the need to swap instructions from slow memory to cache or RAM for execution by the processor. If the processor is operating too slowly, it is an indication that the electronic device is not operating correctly and that is likely due to an intrusion or other attack. Thus, even though the electronic device is operating, albeit in a crippled manner, in some mission environments, zeroization may be desired because the potential for a security breach to occur is high and the ability of the electronic device to respond is low.

Another sensor, trigger 2, monitors a disk storage sub-system. If the disk storage sub-system approaches capacity, it is an indication of an impending problem. Again, even though the electronic device is operating, in some mission environments zeroization may be desired. A sensor, trigger 3, also monitors the disk storage sub-system for corrupt files because, if corrupt files reach a threshold, it may be an indication that the security of the electronic device has been breached. Thus, zeroization occurs whenever the number of corrupt files exceeds a selected threshold. Other memory sensors, trigger 12, may monitor for memory faults.

In a typical electronic device, a number of buses are used to transfer information between sub-systems. Accordingly, a number of bus monitor sensors are employed to monitor bus activity. Thus, one trigger condition may occur when the main processor loses contact with one or more sub-systems due to a bus failure. Another trigger condition may occur when communications between two sub-systems are degraded due to unexpected bus congestion thereby rendering efficient operation impossible. The bus failure may be an Inter-Integrated Circuit (I2C) bus failure or fault, trigger 4, a Serial Peripheral Interface (SPI) bus 1 failure or fault, trigger 5, SPI bus 2 failure or fault, trigger 6, and/or a Universal Serial Bus (USB) failure or fault, trigger 14. The bus sensor monitors the overall bus utilization on each channel or bus. This monitor may be executed as part of the main processor or a dedicated diagnostic processor.

Other sensors are targeted to monitoring various hardware sub-systems. Accordingly, one such sensor, trigger 7, monitors the Bluetooth network for failure or fault. Another sensor, trigger 18, monitors any PC-card failures or faults, while other sensors, triggers 15 and 16, monitor the GPS unit for failure or faults with the sub-system or erroneous readings where the coordinates are out of expected bounds, respectively. Battery sensor, trigger 9, monitors the system's power sources for a drop in voltage below a set limit and a temperature sensor, trigger 10, monitors for a rise in ambient temperature above a selected temperature. Both limits should be set at a level that allows the electronic device to complete the zeroization process even if the voltage further declines or the temperature continues to increase.

Certain trigger conditions may occur when a watchdog timer, trigger 8, is hit. In many electronic devices, one or more sub-systems as well as the main processor may have dedicated timers that guard against certain types of system hangs. Clearly, if the electronic device was hanging, the system may not be able to timely initiate the zeroization process. The watchdog timers are periodically reset but if the timer is not timely reset, an interrupt is generated at monitor 304.

Certain other trigger conditions during operation of the electronic device may result in a number of unexpected failure log entries being generated. A sensor, trigger 19, monitors the log and generates an interrupt when the number of failures exceeds a preset log limit. Yet another sensor, trigger 20, monitors the number of spurious interrupts during the operation of the electronic device and when the number exceeds a selected threshold, an interrupt is generated.

An accelerometer sensor, trigger 11, monitors motion of electronic device 300. If there is no motion for an extended period of time and there is a failure to enter an all clear signal, the trigger generates an interrupt to monitor 304. Trigger 11 is referred to as a "man down" trigger because the lack of motion would indicate that the wearer or operator has become incapacitated or killed.

Time elapsed sensor, trigger 21, monitors a clock and sends an interrupt to monitor 304 when the time has elapsed indicating that the mission is complete. Thus, a monitoring device may monitor a location for a number of days at the end of which, the time elapsed sensor triggers the zeroization process rendering the device useless should it be subsequently found.

Tamper sensor, trigger 22, monitors the enclosure in which the electronic device is housed and if forced entry is detected, an interrupt is generated for monitor 304. A variety of sensors are well known in the art and may be utilized to perform the functions described above. Although the illustrated embodiment includes 22 triggers, it is to be understood that some electronic devices may have more triggers and some electronic devices require fewer triggers depending on the application. Further, the sensors illustrated are typical for, by way of example, a mobile router, while other devices may include other types of sensors.

During operation, when monitor 304 receives a signal from at least one of the plurality of sensors 306, a signal is generated and applied to activate zeroization circuit 302. Zeroization circuit 302 is preferably a hardware device that receives trigger information and activates the scrubbing circuits for each sub-system 308. In one embodiment, zeroization circuit 302 is a hardware element that does not require extraneous code to execute the zeroization process. Specifically, zeroization circuit 302 comprises a 22-input logic OR gate that takes all 22 bits of memory from monitor 304 and activates the scrubbing circuit in response to any one sensor indicating a problem. In other embodiments, zeroization circuit 302 comprises an n-level deep logic circuit that comprises a plurality of OR, NOR, AND and NAND gates that are combined to form complex Boolean equations that determine when to activate zeroization circuit 302. In still other embodiments, zeroization comprises a set of instructions stored in a protected portion of flash memory or other non-volatile memory. When an interrupt is generated, execution of the main processor jumps to the instructions in the protected portion. These instructions cause each of the sub-systems 308 to initiate hardware dependent zeroization algorithms. In one embodiment, zeroization circuit 302 comprises logic that is activated whenever a selected address space within monitor 304 has a non-zero value. The computer program that implements the zeroization process may include Boolean operators to enable rather complex combinations of triggers that would initiate the zeroization process.

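The monitor and trigger logic described above, together with the two-pass scrub mentioned earlier in the description, as an added sketch in C that is not code from the patent: the monitor latches one bit per trigger, policy A is the 22-input OR gate, policy B is a Boolean combination that ignores the "man down" trigger at a known base, and a fired policy scrubs the secret. The struct layouts, function names, threshold values and the `at_known_base` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Trigger numbers follow the patent's trigger list; bit (n-1) of the monitor word is trigger n. */
enum { TRIG_MEM_FULL = 1, TRIG_WATCHDOG = 8, TRIG_BATTERY_LOW = 9, TRIG_TEMP_HIGH = 10,
       TRIG_MAN_DOWN = 11, TRIG_GPS_OUT_OF_BOUNDS = 16, TRIG_TAMPER = 22 };
#define TRIG_BIT(n)  (UINT32_C(1) << ((n) - 1))
#define ALL_TRIGGERS ((UINT32_C(1) << 22) - 1)   /* the 22 monitor bits */

/* Hypothetical per-mission trigger points (step 104). */
struct trigger_config {
    unsigned mem_full_pct;      /* trigger 1: fire at or above this utilisation */
    unsigned battery_min_mv;    /* trigger 9: fire below this voltage */
    int      temp_max_c;        /* trigger 10: fire above this temperature */
    unsigned no_motion_limit_s; /* trigger 11: fire after this long without motion */
};

/* Hypothetical snapshot of sub-system diagnostics (step 106). */
struct diagnostics {
    unsigned mem_used_pct, battery_mv, no_motion_s;
    int      temp_c;
    bool     all_clear, watchdog_expired, gps_out_of_bounds, tamper;
    bool     at_known_base;     /* assumption: GPS fix matches an expected rest location */
    bool     panic_button;      /* manual override (step 114) */
};

/* Monitor: compare each reading with its threshold and latch one bit per trigger (step 108). */
uint32_t monitor_latch(const struct trigger_config *c, const struct diagnostics *d)
{
    uint32_t bits = 0;
    if (d->mem_used_pct >= c->mem_full_pct) bits |= TRIG_BIT(TRIG_MEM_FULL);
    if (d->watchdog_expired)                bits |= TRIG_BIT(TRIG_WATCHDOG);
    if (d->battery_mv < c->battery_min_mv)  bits |= TRIG_BIT(TRIG_BATTERY_LOW);
    if (d->temp_c > c->temp_max_c)          bits |= TRIG_BIT(TRIG_TEMP_HIGH);
    if (d->no_motion_s >= c->no_motion_limit_s && !d->all_clear)
                                            bits |= TRIG_BIT(TRIG_MAN_DOWN);
    if (d->gps_out_of_bounds)               bits |= TRIG_BIT(TRIG_GPS_OUT_OF_BOUNDS);
    if (d->tamper)                          bits |= TRIG_BIT(TRIG_TAMPER);
    return bits;
}

/* Policy A: the 22-input OR gate; any latched bit fires. */
bool policy_or(uint32_t bits) { return (bits & ALL_TRIGGERS) != 0; }

/* Policy B: Boolean combination (step 110); "man down" alone is ignored at a known base. */
bool policy_boolean(uint32_t bits, bool at_known_base)
{
    uint32_t others = bits & ALL_TRIGGERS & ~TRIG_BIT(TRIG_MAN_DOWN);
    bool man_down = (bits & TRIG_BIT(TRIG_MAN_DOWN)) != 0;
    return others != 0 || (man_down && !at_known_base);
}

/* Two-pass scrub (all 1s, then all 0s). The volatile pointer keeps the compiler from
 * discarding stores to a buffer that is never read again. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) p[i] = 0xFF;
    for (size_t i = 0; i < len; i++) p[i] = 0x00;
}

/* One monitoring pass; returns true if the secret was zeroized. */
bool monitor_pass(const struct trigger_config *c, const struct diagnostics *d,
                  bool use_boolean_policy, void *secret, size_t len)
{
    uint32_t bits = monitor_latch(c, d);
    bool fire = d->panic_button ||
                (use_boolean_policy ? policy_boolean(bits, d->at_known_base) : policy_or(bits));
    if (fire) scrub(secret, len);
    return fire;
}

/* Constructed scenario: device motionless for 600 s, holding a constructed 16-byte secret.
 * Returns 0 if zeroization did not fire, 1 if it fired and every byte reads 0, -1 otherwise. */
int run_scenario(unsigned battery_mv, bool at_known_base, bool use_boolean_policy)
{
    /* Constructed trigger points: 95% memory, 3300 mV, 70 C, six minutes without motion. */
    static const struct trigger_config mission = { 95, 3300, 70, 360 };
    unsigned char key[16] = "constructed-key";
    struct diagnostics d = { .mem_used_pct = 40, .battery_mv = battery_mv, .no_motion_s = 600,
                             .temp_c = 25, .at_known_base = at_known_base };
    if (!monitor_pass(&mission, &d, use_boolean_policy, key, sizeof key)) return 0;
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0) return -1;
    return 1;
}

int main(void)
{
    printf("resting at base, OR gate:        %d\n", run_scenario(3900, true, false));
    printf("resting at base, Boolean policy: %d\n", run_scenario(3900, true, true));
    printf("man down in the field:           %d\n", run_scenario(3900, false, true));
    printf("battery low at base:             %d\n", run_scenario(3100, true, true));
    return 0;
}
```

With the plain OR gate the router is wiped every time it is taken off at base; the Boolean policy suppresses only that one case and still fires on any other latched trigger.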
Electronic device 300 further includes a panic button 310 that may be located on the faceplate of the router. In various embodiments of the invention, panic button 310 may be a push button switch attached to the auxiliary port of a mobile router. Panic button 310 may be used to override the autonomic determination algorithm and allow human intervention to initiate the zeroization process. By way of example, if a military vehicle were to be abandoned, the operator could zero out the sub-systems to prevent sensitive information from being divulged to the enemy as they were exiting the vehicle.

As shown in FIG. 4, an administrator may configure the zeroization triggering thresholds using an administrator interface 402. Typically, these thresholds are set once by an administrator with pre-existing authority to configure electronic device 300. Alternatively, the administrator may configure the trigger points based on each specific mission and the sensitivity of the mission. Administrator interface 402 is linked to electronic device 300 by a communication device 404 and a cryptographic device 406 that cooperate to establish a secure communication link for the transmission of encrypted information. Preferably, communication device 404 is a wireless communication device such as a radio or satellite or cellular telephone.

In the event that the zeroization process occurs, communication device 404 is used to establish a secure communication link for the transfer of encrypted information to re-initialize the electronic device. To illustrate use of the embodiment shown in FIG. 4, consider the example where the electronic device is a personal router worn by a soldier during battle, and the configuration and communication codes for the router's operations are stored in an FPGA and NVRAM. If the enemy was to obtain a router with the network configuration and communication codes intact, it would constitute a significant breach of security because the enemy would then be able to eavesdrop on encrypted communications. Because of this risk, if one or more of the sensors were to trigger the zeroization process, sensitive information stored in sub-system 308 would be immediately scrubbed. For example, if the GPS coordinates were to suddenly change to fall outside of an expected location, then the router's configuration and other sensitive information would be scrubbed. The router would still be a functioning device because the operating system and other non-critical software parameters would still enable the machine to function at some level. When the soldier returns to base camp, it would be a simple matter for the administrator to re-set the router configuration.

The present invention provides an electronic device 300 that is adapted to determine in an autonomic manner whether a trigger condition is impending or has occurred. By triggering the zeroization process before a failure renders the device inoperable, the likelihood that the zeroization process will succeed increases. Embodiments of the invention have the advantage that zeroization is triggered on an electronic device before a total failure of a platform of the electronic device or complete failure of the electronic device. This results in carrying out the zeroization process more efficiently and effectively.

Although the invention has been discussed with respect to specific embodiments thereof, these embodiments are merely illustrative, and not restrictive, of the invention. The invention can operate between any two processes or entities including users, devices, functional systems, or combinations of hardware and software. Peer-to-peer networks and any other networks or systems where the roles of client and server are switched, change dynamically, or are not even present, are within the scope of the invention.

Any suitable programming language can be used to implement the routines of the invention including C, C++, Java, assembly language, etc. Different programming techniques such as procedural or object oriented can be employed. The routines can execute on a single processing device or multiple processors. Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, multiple steps shown sequentially in this specification can be performed at the same time. The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc. The routines can operate in an operating system environment or as stand-alone routines occupying all, or a substantial part, of the system processing.

In the description herein for embodiments of the invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other electronic devices, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the invention.

A "processor" for purposes of embodiments of the invention may include any processor- or CPU-containing device, such as a mainframe computer, personal computer, laptop, notebook, microcomputer, server, personal data manager or PIM (also referred to as a personal information manager), smart cellular or other phone, so-called smart card, set-top box, or any of the like. A "computer program" may include any suitable locally or remotely executable program or sequence of coded instructions, which are to be inserted into a computer, well known to those skilled in the art to activate the zeroization process or as part of the zeroization process. Stated more specifically, a computer program includes an organized list of instructions that, when executed, causes the computer to behave in a p