(12) United States Patent
Moon

(10) Patent No.: US 7,571,475 B2
(45) Date of Patent: Aug. 4, 2009

(54) METHOD AND ELECTRONIC DEVICE FOR TRIGGERING ZEROIZATION IN AN ELECTRONIC DEVICE

(75) Inventor: Billy G. Moon, Cary, NC (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 849 days.
(21) Appl. No.: 11/099,877
(22) Filed: Apr. 5, 2005

(65) Prior Publication Data
US 2006/0225142 A1, Oct. 5, 2006

(51) Int. Cl. G06F 11/00 (2006.01)
(52) U.S. Cl. 726/22
(58) Field of Classification Search: 726/22, 726/23, 24, 34, 25, 26; 713/164, 188, 189, 713/193
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

6,292,898 B1* 9/2001 Sutherland 726/34
6,347,375 B1* 2/2002 Reinert et al. 726/24
6,931,552 B2* 8/2005 Pritchard et al. 726/34
7,484,247 B2* 1/2009 Rozman et al. 726/34
2002/0166061 A1* 11/2002 Falik et al. 713/200
2005/0033980 A1 2/2005 Willman et al. 713/200

OTHER PUBLICATIONS

Cisco Systems, Zeroization, 2005, pp. 1-5.*
Cerberus Systems, Inc., National Institute of Standards and Technology, "Implementation Guidance for FIPS PUB 140-1, continued, PART 2 (sections 1-4)", 15 pages.
Lock-Out, Lock Out Products, "Why Button", Copyright (C) 2000-2004, 2 pages.
Legacy Marketplace, LLC and Security Solutions, LLC, "My Secure PC", 3 pages.
Communications Security Establishment (CSE) and National Institute of Standards and Technology (NIST), "Research in Motion: BlackBerry Cryptographic Kernel Policies", Copyright (C) 2000 Research in Motion Limited (RIM), 6 pages.
Federal Information Processing Standards Publication 140-1, "Security Requirements for Cryptographic Modules", Jan. 11, 1994, 45 pages.
Virus.org Hosted by Wizards Ltd., "Scan design called portal for hackers", Copyright (C) 1997-2005, 3 pages.
* cited by examiner

Primary Examiner: Beemnet W Dada
(74) Attorney, Agent, or Firm: Trellis IP Law Group, PC

(57) ABSTRACT

A method and apparatus for initiating a zeroization process in an electronic device is provided. Diagnostic information is provided by a plurality of sub-systems such that when one or more conditions are detected that are expected to cause the electronic device to experience a failure in the near future, or if the electronic device appears to have been compromised, the zeroization process is triggered.

20 Claims, 3 Drawing Sheets

Cover drawing, the flow chart of FIG. 2: Detect failure or impending failure condition (202); Initiate zeroization process (204); Re-boot device (206); Establish secure link to obtain configuration and other sensitive information (208).

U.S. Patent, Aug. 4, 2009, Sheet 1 of 3, US 7,571,475 B2

FIG. 1 (flow chart): Monitor selected operating conditions (102); Configure trigger points to determine the activation of the zeroization process (104); Monitor diagnostic information from sub-systems (106); Trigger zeroization when a threshold has been exceeded (108); Trigger zeroization when a Boolean combination of thresholds is exceeded (110); Trigger zeroization if failure is impending (112); Trigger zeroization if over-ride button activated (114).

U.S. Patent, Aug. 4, 2009, Sheet 2 of 3, US 7,571,475 B2

FIG. 2 (flow chart): Detect failure or impending failure condition (202); Initiate zeroization process (204); Re-boot device (206); Establish secure link to obtain configuration and other sensitive information (208).

FIG. 4 (block diagram): Diagnostic sensors (306); Sensor monitor (304); Sub-systems (308); Administrator interface (402).

U.S. Patent, Aug. 4, 2009, Sheet 3 of 3, US 7,571,475 B2

FIG. 3 (block diagram): Sensitive information storage sub-systems (308); Sensor monitor (304); sensor trigger list:
Memory X% full --> trigger 1
Disk X% full --> trigger 2
Disk check detects x corrupt files --> trigger 3
I2C bus failure --> trigger 4
SPI 1 bus failure --> trigger 5
SPI 2 bus failure --> trigger 6
Bluetooth failure --> trigger 7
Watchdog hit --> trigger 8
Battery LT x volts --> trigger 9
Temp. GT x degrees --> trigger 10
Motion stopped for x secs. & failure to clear --> trigger 11
Memory fault --> trigger 12
Process fault --> trigger 13
USB failure --> trigger 14
GPS failure --> trigger 15
GPS coordinates out of bounds --> trigger 16
PC-CARD failure --> trigger 18
x log in failures --> trigger 19
x spurious interrupts --> trigger 20
x time elapsed --> trigger 21
US 7,571,475 B2

METHOD AND ELECTRONIC DEVICE FOR TRIGGERING ZEROIZATION IN AN ELECTRONIC DEVICE

BACKGROUND AND SUMMARY OF THE INVENTION

Embodiments of this invention relate in general to electronic devices. More specifically, embodiments of this invention relate to electronic devices that require zeroization to protect stored sensitive information from being wrongfully acquired.

In mission critical electronic devices zeroization is executed to delete potentially sensitive or sensitive information from the memory before the device falls into the wrong hands or, more specifically, into the control of someone who should not have access to the information. While the zeroization capability is a necessity for electronic devices used by the military, homeland security or state and local police departments, such capability is also desirable for private security guards, corporate executives or others who wish to protect information stored in their electronic device.

Zeroization is a process of scrubbing memory to remove sensitive information stored in an electronic device. The memory scrubbing process includes any device or location where sensitive data may be stored.

Activation of a key or a button on the faceplate of the electronic device by an operator typically triggers, or initiates, the zeroization process. In other prior art electronic devices, zeroization occurs when the operator types in a special code. However, if an operator is unable to activate the key or button or is, for some reason, incapacitated and unable to enter the code, the sensitive information may be needlessly exposed. In other instances, even if the operator is able to manually initiate the zeroization process, the electronic device may be fully or partially inoperable, thereby making it impossible to initiate the zeroization process. Clearly, there is a need to ensure that zeroization is not dependent on an operator to initiate the zeroization process.

In still other prior art devices, the zeroization process is initiated when the outer case of the electronic device is tampered with or when the temperature exceeds a selected temperature. In such devices, simply removing the power before beginning the forensic recovery of the sensitive information may defeat the zeroization mechanism. The ability for someone to open a module's cover and access sensitive information in memory before zeroization depends heavily on the design and configuration, and the time between tamper detection and zeroization can be on the order of a few milliseconds to several seconds. Thus, the immediate zeroization of sensitive information means that upon detection of tampering, the electronic device must drop everything and perform zeroization. However, by the time tamper detection occurs, it may already be too late to enter the state where zeroization takes place. What is needed is an automated mechanism that monitors the condition of the electronic device and initiates the zeroization process in anticipation of a trigger condition without operator intervention so that critical sensitive information is not exposed.

To overcome these disadvantages of the prior art, the present invention determines if a trigger condition has occurred or is about to occur and then initiates a zeroization process to remove sensitive information before the electronic device failure would prohibit zeroization.

The foregoing and additional features and advantages of this invention will become apparent from the detailed description and review of the associated drawing figures that follow.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a method for initiating zeroization in an electronic device, in accordance with an embodiment of the invention.

FIG. 2 illustrates a method for triggering zeroization in an electronic device, in accordance with an embodiment of the invention.

FIG. 3 is a block diagram of an electronic device for triggering zeroization in an electronic device, in accordance with an embodiment of the invention.

FIG. 4 is a block diagram of an electronic device for triggering zeroization in an electronic device, in accordance with another embodiment of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

In the description herein for embodiments of the present invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the present invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other electronic devices, systems, assemblies, methods, components, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.

Various embodiments of the invention provide a method and system for triggering zeroization in an electronic device. The electronic device may be a mobile or personal router, cellular telephone, radio transmitter or receiver, portable computing device such as a PDA or notebook, or other devices where mission critical sensitive information may be stored in electronic form. As used herein, sensitive information refers to information whose unauthorized disclosure could endanger national, state or corporate security or the well-being of the user of the electronic device and which is intended to be kept from knowledge or unauthorized viewing. To illustrate, sensitive information may be the hardware configuration for a mobile network device or private keys used for an encryption device. Yet another example of sensitive information may be photographs or telephone numbers stored on a personal cellular telephone or confidential corporate information stored in the memory of a notebook computer or other portable personal computing device. Zeroization generally refers to deletion of hardware configurations, Field-Programmable Gate Array (FPGA) images, and information stored in main memory, cache memories, flash memory, Non-Volatile Random Access Memory (NVRAM) and other memories or locations that may contain sensitive information. Unless otherwise noted, the phrase "sensitive information" includes and encompasses hardware configurations and FPGA images as well as proprietary and confidential information stored in an electronic or magnetic fashion regardless of whether the storage medium is semiconductor, magnetic, optical or other. The purpose of the zeroization process is to make sure that such sensitive information is not forensically recoverable. In order to achieve zeroization, various well-known scrubbing techniques may be used to delete or remove the sensitive information. For example, with magnetic memory, it may be necessary to write a pattern of all 1's and then all 0's to the memory to clean out residual information retained in the magnetic storage medium. Or with semiconductor memory, a high voltage may be written to each memory location. In some cases, it may be necessary to access special circuits adapted to perform the zeroization process such as, by way of example, an erase control line that causes a bulk erase of a sector in a memory device.
FIG. 1 illustrates a method for initiating zeroization in an electronic device, in accordance with an embodiment of the invention. At step 102, selected operating conditions of the electronic device are monitored. The operating conditions are selected based on the type of electronic device, the nature of the information stored therein and the nature of the mission. Typically, the monitored operating conditions are selected prior to the start of each mission or when the electronic device is initially put into service.

Once one or more of the operating conditions are selected, trigger points must be set that determine the activation of the zeroization process, as indicated at step 104. Determining the trigger points allows the monitoring process to be uniquely configured based on the functions performed by the electronic device, the sensitivity of the information stored in the device and the level of security required for each mission. To illustrate, if the electronic device is a personal router worn by a soldier during battle, the configuration and communication codes stored in an FPGA or NVRAM would constitute a significant breach of security if the soldier is incapacitated and the enemy acquired the intact router. Thus, if motion ceased for a certain length of time, for example six minutes, the electronic device would need to automatically initiate the zeroization process. In contrast, if the electronic device is a personal cell phone containing a telephone and address list, the lack of motion may not be critical and may not even be a monitored operating condition.

In other instances, the monitoring process may be configured to consider two or more operating conditions using Boolean logic to determine when it is necessary to initiate the zeroization process. Returning to the example of the soldier's personal router, assume that motion has stopped but the GPS coordinates match the location of a forward operating base where the soldier is expected to remove the personal router while he showers and sleeps. Thus, even though the personal router is no longer being worn by the soldier, the fact that there is no detected motion for a certain length of time will not alone trigger the zeroization process.

When the mission or actual use of the device begins, the monitoring process is activated, as indicated at step 106. The monitoring process involves the receipt of diagnostic information from various sub-systems in the electronic device. Each diagnostic test returns a value that is compared to a pre-determined threshold. When it is determined at step 108 that a trigger condition has occurred because a threshold has been exceeded, the zeroization process is triggered in the electronic device. In other instances, a selected combination of thresholds must be exceeded nearly simultaneously before the zeroization process would be triggered, as indicated at step 110. In still other instances, the diagnostic tests could return values that are indicative of an impending failure or occurrence of a trigger event and that the zeroization process should be initiated as a proactive measure, as indicated at step 112. In still other embodiments, the zeroization is initiated in response to the button being pushed or the key code being entered even if the monitoring process does not indicate a trigger condition or an impending trigger or failure, as indicated at step 114.
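The monitoring loop of steps 104 to 114, modelled in C as an added example (not code from the patent or from Cisco): the thresholds, the bounding boxes for the mission area and the base, the scrub time and the sample readings are all constructed values, and the choice of which triggers fire alone and which only in Boolean combination is this example's own policy, not one the patent prescribes.

```c
/* Added example, not code from the patent: a software model of the FIG. 1
 * monitoring loop (steps 104 to 114).  Trigger numbers follow the patent's
 * FIG. 3 list; all thresholds, bounding boxes and readings are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TRIG(n) (1u << ((n) - 1))   /* trigger N -> bit N-1 of the monitor word */

struct box { double lat_min, lat_max, lon_min, lon_max; };

/* Step 104: trigger points set by the administrator before the mission. */
struct trigger_points {
    unsigned mem_pct_full;       /* trigger 1  */
    unsigned disk_pct_full;      /* trigger 2  */
    unsigned corrupt_files;      /* trigger 3  */
    double   battery_min_volts;  /* trigger 9  */
    unsigned motion_stop_secs;   /* trigger 11 */
    struct box mission_area;     /* trigger 16: outside this is "out of bounds" */
    struct box base;             /* where the router is expected to be taken off */
    double   scrub_time_secs;    /* how long the zeroization process needs */
};

/* Step 106: one round of diagnostic values from the sub-systems. */
struct diagnostics {
    unsigned mem_pct_full, disk_pct_full, corrupt_files;
    double   battery_volts, battery_volts_prev, sample_interval_secs;
    unsigned secs_without_motion;
    bool     all_clear_entered;
    double   lat, lon;
    bool     override_button;    /* step 114: panic button */
};

enum zero_reason { ZR_NONE = 0, ZR_THRESHOLD = 108, ZR_BOOLEAN = 110,
                   ZR_IMPENDING = 112, ZR_OVERRIDE = 114 };

static bool inside(const struct box *b, double lat, double lon)
{
    return lat >= b->lat_min && lat <= b->lat_max &&
           lon >= b->lon_min && lon <= b->lon_max;
}

/* Step 108: compare every diagnostic with its threshold; set trigger bits. */
uint32_t evaluate_triggers(const struct trigger_points *tp, const struct diagnostics *d)
{
    uint32_t bits = 0;
    if (d->mem_pct_full  >= tp->mem_pct_full)      bits |= TRIG(1);
    if (d->disk_pct_full >= tp->disk_pct_full)     bits |= TRIG(2);
    if (d->corrupt_files >= tp->corrupt_files)     bits |= TRIG(3);
    if (d->battery_volts <  tp->battery_min_volts) bits |= TRIG(9);
    if (d->secs_without_motion >= tp->motion_stop_secs && !d->all_clear_entered)
        bits |= TRIG(11);
    if (!inside(&tp->mission_area, d->lat, d->lon)) bits |= TRIG(16);
    return bits;
}

/* Step 112: the battery is discharging so fast that it would cross the
 * limit before a scrub could finish, so act before trigger 9 ever fires. */
static bool battery_failure_impending(const struct trigger_points *tp, const struct diagnostics *d)
{
    double drop = d->battery_volts_prev - d->battery_volts;
    if (drop <= 0.0) return false;
    double secs_left = (d->battery_volts - tp->battery_min_volts) / (drop / d->sample_interval_secs);
    return secs_left < tp->scrub_time_secs;
}

/* Decide which FIG. 1 branch fires.  Which triggers count alone (step 108)
 * and which only in combination (step 110) is this example's policy. */
enum zero_reason decide(const struct trigger_points *tp, const struct diagnostics *d)
{
    uint32_t bits = evaluate_triggers(tp, d);
    if (d->override_button) return ZR_OVERRIDE;
    if (bits & (TRIG(3) | TRIG(9) | TRIG(16))) return ZR_THRESHOLD;
    /* Man-down counts only outside the base, where removal is expected. */
    if ((bits & TRIG(11)) && !inside(&tp->base, d->lat, d->lon)) return ZR_BOOLEAN;
    /* Memory AND disk both near full at once: treated as a likely intrusion. */
    if ((bits & TRIG(1)) && (bits & TRIG(2))) return ZR_BOOLEAN;
    if (battery_failure_impending(tp, d)) return ZR_IMPENDING;
    return ZR_NONE;
}

/* Constructed scenarios (sample input, not from the patent). */
enum zero_reason demo(int scenario)
{
    struct trigger_points tp = {
        .mem_pct_full = 95, .disk_pct_full = 90, .corrupt_files = 3,
        .battery_min_volts = 3.20, .motion_stop_secs = 360,   /* six minutes */
        .mission_area = { 33.5, 34.5, -80.5, -79.5 },
        .base = { 33.99, 34.01, -80.01, -79.99 }, .scrub_time_secs = 20.0 };
    struct diagnostics d = {
        .mem_pct_full = 40, .disk_pct_full = 50, .corrupt_files = 0,
        .battery_volts = 3.60, .battery_volts_prev = 3.61, .sample_interval_secs = 10.0,
        .secs_without_motion = 0, .all_clear_entered = false,
        .lat = 34.10, .lon = -80.10, .override_button = false };
    switch (scenario) {
    case 1: d.secs_without_motion = 400; d.lat = 34.00; d.lon = -80.00; break; /* still, at base */
    case 2: d.secs_without_motion = 400; break;          /* still, in the field */
    case 3: d.corrupt_files = 5; break;                  /* disk check found corruption */
    case 4: d.battery_volts = 3.40; break;               /* 0.21 V lost in 10 s */
    case 5: d.override_button = true; break;             /* panic button pressed */
    case 6: d.lat = 35.00; break;                        /* left the mission area */
    case 7: d.mem_pct_full = 97; d.disk_pct_full = 96; break;
    default: break;
    }
    return decide(&tp, &d);
}

int main(void)
{
    for (int s = 0; s <= 7; s++)
        printf("scenario %d -> FIG. 1 step %d\n", s, (int)demo(s));
    return 0;
}
```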

FIG. 2 illustrates a method for recovering from an autonomously initiated zeroization process in an electronic device, in accordance with an embodiment of the invention. Recovery is necessary in several instances, but for certain missions it is critical that electronic devices that have been scrubbed can, at some later time, be re-initialized and returned to service. To illustrate the scenario where re-initialization may occur, consider the example where the electronic device includes a GPS unit and the enemy is jamming the GPS signal, causing the coordinates to be incorrectly read. If an ordnance delivery vehicle uses the GPS coordinates, the wrong coordinates could cause the munitions to explode at the wrong location or at the wrong time. This would be an undesirable fault condition. Thus, when jamming (or some other failure condition) is detected, as indicated at step 202, the zeroization process is initiated at step 204 to scrub sensitive information from the electronic device. If at some future time the jamming (or other trigger condition) is alleviated, the electronic device may be rebooted, as indicated at step 206. During the re-boot process, the electronic device may establish a secure encrypted connection to receive the sensitive information, as indicated at step 208.

FIG. 3 illustrates an electronic device 300 that includes a zeroization circuit 302, a monitor 304, a plurality of sensors 306 and storage sub-systems 308 of electronic device 300 where sensitive information is stored or retained. In one embodiment, monitor 304 comprises an address space that receives interrupts from any sensor whenever an alert is generated. To ensure that the zeroization process is initiated immediately after the interrupt is generated, zeroization circuit 302 scans the address space of monitor 304 to determine if the zeroization process should be initiated. In operation, monitor 304 receives input from sensors 306 and, whenever a sensor indicates a problem, monitor 304 activates zeroization circuit 302 to zero out storage locations in sub-systems 308 where sensitive information is otherwise stored during normal operation of electronic device 300.

Sub-systems 308 include but are not limited to: magnetic or optical storage devices such as a disk drive, Field-Programmable Gate Arrays, main memory, RAM, ROM, flash memory, cache memories, Non-Volatile Random Access Memory (NVRAM), Bluetooth and other sub-systems that may store sensitive information. In general, sensitive information may be stored in any computer readable medium associated with a sub-system 308.

Each of the plurality of sensors 306 comprises a trigger that can start the zeroization process either alone or in combination with other triggers. In one embodiment of the invention, one sensor, trigger 1, indicates when a RAM memory sub-system approaches full utilization. For example, if memory is 95% full, then trigger 1 will generate an interrupt to monitor 304. This interrupt is generated because an electronic device that does not have free memory will operate very slowly due to memory contention issues and the need to swap instructions from slow memory to cache or RAM for execution by the processor. If the processor is operating too slowly, it is an indication that the electronic device is not operating correctly, and that is likely due to an intrusion or other attack. Thus, even though the electronic device is operating, albeit in a crippled manner, in some mission environments zeroization may be desired because the potential for a security breach to occur is high and the ability of the electronic device to respond is low.

Another sensor, trigger 2, monitors a disk storage sub-system. If the disk storage sub-system approaches capacity, it is an indication of an impending problem. Again, even though the electronic device is operating, in some mission environments zeroization may be desired. A sensor, trigger 3, also monitors the disk storage sub-system for corrupt files because, if corrupt files reach a threshold, it may be an indication that the security of the electronic device has been breached. Thus, zeroization occurs whenever the number of corrupt files exceeds a selected threshold. Other memory sensors, trigger 12, may monitor for memory faults.

In a typical electronic device, a number of buses are used to transfer information between sub-systems. Accordingly, a number of bus monitor sensors are employed to monitor bus activity. Thus, one trigger condition may occur when the main processor loses contact with one or more sub-systems due to a bus failure. Another trigger condition may occur when communications between two sub-systems are degraded due to unexpected bus congestion, thereby rendering efficient operation impossible. The bus failure may be an Inter-Integrated Circuit (I2C) bus failure or fault, trigger 4, a Serial Peripheral Interface (SPI) bus 1 failure or fault, trigger 5, SPI bus 2 failure or fault, trigger 6, and/or a Universal Serial Bus (USB) failure or fault, trigger 14. The bus sensor monitors the overall bus utilization on each channel or bus. This monitor may be executed as part of the main processor or a dedicated diagnostic processor.

Other sensors are targeted to monitoring various hardware sub-systems. Accordingly, one such sensor, trigger 7, monitors the Bluetooth network for failure or fault. Another sensor, trigger 18, monitors any PC-card failures or faults, while other sensors, triggers 15 and 16, monitor the GPS unit for failure or faults with the sub-system or erroneous readings where the coordinates are out of expected bounds, respectively. Battery sensor, trigger 9, monitors the system's power sources for a drop in voltage below a set limit, and a temperature sensor, trigger 10, monitors for a rise in ambient temperature above a selected temperature. Both limits should be set at a level that allows the electronic device to complete the zeroization process even if the voltage further declines or the temperature continues to increase.

Certain trigger conditions may occur when a watchdog timer, trigger 8, is hit. In many electronic devices, one or more sub-systems as well as the main processor may have dedicated timers that guard against certain types of system hangs. Clearly, if the electronic device was hanging, the system may not be able to timely initiate the zeroization process. The watchdog timers are periodically reset, but if the timer is not timely reset, an interrupt is generated at monitor 304.

Certain other trigger conditions during operation of the electronic device may result in a number of unexpected failure log entries being generated. A sensor, trigger 19, monitors the log and generates an interrupt when the number of failures exceeds a preset log limit. Yet another sensor, trigger 20, monitors the number of spurious interrupts during the operation of the electronic device, and when the number exceeds a selected threshold, an interrupt is generated.

An accelerometer sensor, trigger 11, monitors motion of electronic device 300. If there is no motion for an extended period of time and there is a failure to enter an all clear signal, the trigger generates an interrupt to monitor 304. Trigger 11 is referred to as a man down trigger because the lack of motion would indicate that the wearer or operator has become incapacitated or killed.

Time elapsed sensor, trigger 21, monitors a clock and sends an interrupt to monitor 304 when the time has elapsed indicating that the mission is complete. Thus, a monitoring device may monitor a location for a number of days, at the end of which the time elapsed sensor triggers the zeroization process, rendering the device useless should it be subsequently found.

Tamper sensor, trigger 22, monitors the enclosure in which the electronic device is housed and, if forced entry is detected, an interrupt is generated for monitor 304. A variety of sensors are well known in the art and may be utilized to perform the functions described above. Although the illustrated embodiment includes 22 triggers, it is to be understood that some electronic devices may have more triggers and some electronic devices require fewer triggers depending on the application. Further, the sensors illustrated are typical for, by way of example, a mobile router, while other devices may include other types of sensors.

During operation, when monitor 304 receives a signal from at least one of the plurality of sensors 306, a signal is generated and applied to activate zeroization circuit 302. Zeroization circuit 302 is preferably a hardware device that receives trigger information and activates the scrubbing circuits for each sub-system 308. In one embodiment, zeroization circuit 302 is a hardware element that does not require extraneous code to execute the zeroization process. Specifically, zeroization circuit 302 comprises a 22-input logic OR gate that takes all 22 bits of memory from monitor 304 and activates the scrubbing circuit in response to any one sensor indicating a problem. In other embodiments, zeroization circuit 302 comprises an n-level deep logic circuit that comprises a plurality of OR, NOR, AND and NAND gates that are combined to form complex Boolean equations that determine when to activate zeroization circuit 302. In still other embodiments, zeroization comprises a set of instructions stored in a protected portion of flash memory or other non-volatile memory. When an interrupt is generated, execution of the main processor jumps to the instructions in the protected portion. These instructions cause each of the sub-systems 308 to initiate hardware dependent zeroization algorithms. In one embodiment, zeroization circuit 302 comprises logic that is activated whenever a selected address space within monitor 304 has a non-zero value. The computer program that implements the zeroization process may include Boolean operators to enable rather complex combinations of triggers that would initiate the zeroization process.
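The zeroization circuit 302 dispatching hardware-dependent scrub routines to the storage sub-systems 308, together with the all 1's then all 0's pattern scrub described at the start of the detailed description, modelled in C as an added example (not code from the patent or from Cisco): the region table, the sample contents and the bulk-erase stand-in are constructed, and the verify pass after each scrub is this example's own addition.

```c
/* Added example, not code from the patent: a software model of zeroization
 * circuit 302 driving per-sub-system scrub routines.  Regions, contents and
 * the bulk-erase stand-in are constructed for demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TRIGGERS 22   /* width of the monitor 304 word in the patent */

/* Each storage sub-system 308 registers the region that holds sensitive
 * data and the routine that knows how to scrub that kind of hardware. */
struct subsystem {
    const char *name;
    volatile uint8_t *base;   /* volatile: the scrub passes must not be optimised away */
    size_t len;
    int (*scrub)(volatile uint8_t *p, size_t n);   /* returns 0 when verified clean */
};

/* Pattern scrub for RAM/NVRAM-like memory: all 1's, then all 0's, then a
 * verify pass so a write that silently failed is reported, not assumed. */
int pattern_scrub(volatile uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) p[i] = 0xFF;
    for (size_t i = 0; i < n; i++) p[i] = 0x00;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0x00) return -1;
    return 0;
}

/* Stand-in for a device with an erase control line: the whole sector is
 * bulk erased (erased flash reads back as all 1's) and then verified. */
int bulk_erase_scrub(volatile uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) p[i] = 0xFF;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0xFF) return -1;
    return 0;
}

/* The simplest zeroization circuit 302: a 22-input OR gate over the
 * monitor word, so any one trigger bit starts the scrub. */
int or_gate_fires(uint32_t monitor_word)
{
    return (monitor_word & ((1u << NUM_TRIGGERS) - 1)) != 0;
}

/* Dispatch each sub-system's own scrub routine; returns how many regions
 * failed verification afterwards (0 means nothing recoverable is left). */
int zeroize_all(struct subsystem *subs, size_t count)
{
    int failed = 0;
    for (size_t i = 0; i < count; i++) {
        int rc = subs[i].scrub(subs[i].base, subs[i].len);
        printf("%-6s %s\n", subs[i].name, rc == 0 ? "scrubbed and verified" : "FAILED");
        if (rc != 0) failed++;
    }
    return failed;
}

/* Constructed demonstration regions standing in for NVRAM and a flash sector. */
static uint8_t nvram[32];
static uint8_t flash_sector[64];

/* Load constructed sample contents, then run the circuit against a monitor
 * word.  Returns -1 if no trigger fired (data left alone), otherwise the
 * number of regions whose scrub failed verification. */
int demo_zeroize(uint32_t monitor_word)
{
    strncpy((char *)nvram, "constructed sample key material", sizeof nvram);
    memset(flash_sector, 0x5A, sizeof flash_sector);
    struct subsystem subs[] = {
        { "nvram", nvram,        sizeof nvram,        pattern_scrub },
        { "flash", flash_sector, sizeof flash_sector, bulk_erase_scrub },
    };
    if (!or_gate_fires(monitor_word)) return -1;
    return zeroize_all(subs, sizeof subs / sizeof subs[0]);
}

/* Does the NVRAM region still hold any non-zero byte? */
int nvram_has_residue(void)
{
    for (size_t i = 0; i < sizeof nvram; i++)
        if (nvram[i] != 0) return 1;
    return 0;
}

int main(void)
{
    uint32_t word = 1u << 15;   /* constructed: trigger 16 (GPS out of bounds) fired */
    int failed = demo_zeroize(word);
    printf("regions still holding data: %d\n", failed);
    return failed != 0;
}
```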
Electronic device 300 further includes a panic button 310 that may be located on the faceplate of the router. In various embodiments of the invention, panic button 310 may be a push button switch attached to the auxiliary port of a mobile router. Panic button 310 may be used to override the autonomic determination algorithm and allow human intervention to initiate the zeroization process. By way of example, if a military vehicle were to be abandoned, the operator could zero out the sub-systems to avoid sensitive information from being divulged to the enemy as they were exiting the vehicle.

As shown in FIG. 4, an administrator may configure the zeroization triggering thresholds using an administrator interface 402. Typically, these thresholds are set once by an administrator with pre-existing authority to configure electronic device 300. Alternatively, the administrator may configure the trigger points based on each specific mission and the sensitivity of the mission. Administrator interface 402 is linked to electronic device 300 by a communication device 404 and a cryptographic device 406 that cooperate to establish a secure communication link for the transmission of encrypted information. Preferably, communication device 404 is a wireless communication device such as a radio or satellite or cellular telephone.

In the event that the zeroization process occurs, communication device 404 is used to establish a secure communication link for the transfer of encrypted information to re-initialize the electronic device. To illustrate use of the embodiment shown in FIG. 4, consider the example where the electronic device is a personal router worn by a soldier during battle, and the configuration and communication codes for the router's operations are stored in an FPGA and NVRAM. If the enemy was to obtain a router with the network configuration and communication codes intact, it would constitute a significant breach of security because the enemy would then be able to eavesdrop on encrypted communications. Because of this risk, if one or more of the sensors were to trigger the zeroization process, sensitive information stored in sub-system 308 would be immediately scrubbed. For example, if the GPS coordinates were to suddenly change to fall outside of an expected location, then the router's configuration and other sensitive information would be scrubbed. The router would still be a functioning device because the operating system and other non-critical software parameters would still enable the machine to function at some level. When the soldier returns to base camp, it would be a simple matter for the administrator to re-set the router configuration.

The present invention provides an electronic device 300 that is adapted to determine in an autonomic manner whether a trigger condition is impending or has occurred. By triggering the zeroization process before a failure renders the device inoperable, the likelihood that the zeroization process will succeed is increased. Embodiments of the invention have the advantage that zeroization is triggered on an electronic device before a total failure of a platform of the electronic device or complete failure of the electronic device. This results in carrying out the zeroization process more efficiently and effectively.

Although the invention has been discussed with respect to specific embodiments thereof, these embodiments are merely illustrative, and not restrictive, of the invention. The invention can operate between any two processes or entities including users, devices, functional systems, or combinations of hardware and software. Peer-to-peer networks and any other networks or systems where the roles of client and server are switched, change dynamically, or are not even present, are within the scope of the invention.

Any suitable programming language can be used to implement the routines of the invention including C, C++, Java, assembly language, etc. Different programming techniques such as procedural or object oriented can be employed. The routines can execute on a single processing device or multiple processors. Although the steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, multiple steps shown sequentially in this specification can be performed at the same time. The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc. The routines can operate in an operating system environment or as stand-alone routines occupying all, or a substantial part, of the system processing.

In the description herein for embodiments of the invention, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other electronic devices, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the invention.

A "processor" for purposes of embodiments of the invention may include any processor- or CPU-containing device, such as a mainframe computer, personal computer, laptop, notebook, microcomputer, server, personal data manager or PIM (also referred to as a personal information manager), smart cellular or other phone, so-called smart card, set-top box, or any of the like. A "computer program" may include any suitable locally or remotely executable program or sequence of coded instructions, which are to be inserted into a computer, well known to those skilled in the art, to activate the zeroization process or as part of the zeroization process. Stated more specifically, a computer program includes an organized list of instructions that, when executed, causes the computer to behave in a p