One aspect of a computer security system is the ability to protect the secrecy of data. Data may be protected by encryption, and a computer security system that is functioning correctly should prevent the data from appearing in clear (unencrypted) format outside of a trusted space.
One way to implement this type of data protection is to provide a trusted operating environment, in which trusted programs (or “agents”) can run, and also to provide a data sealing facility that allows data to be sealed to a trusted agent. An agent running in the trusted environment can seal data to itself, and the trusted environment will refuse to unseal the data for anyone other than the agent to whom the data is sealed. Additionally, the operating environment may use tamper-resistance and isolation mechanisms to resist circumvention of the seal. Thus, sealed data is protected to the extent that: (1) the environment that provides the sealing facility can be trusted to prevent the seal from being broken, and (2) the agent to whom the data is sealed can be trusted to protect the data from misuse when the data is unsealed.
A problem with the above-described sealing mechanism is that the sealing facility can only be used by a trusted agent. Thus, any software object that wishes to protect data (e.g., a file) with the trusted environment's sealing facility must have (or be) a trusted agent that runs in the trusted environment, and that contains the functionality to interact with the sealing facility to manage the storage and sealing of files. This fact is particularly problematic for legacy applications (e.g., word processors or spreadsheets that are designed to run under traditional, non-secure operating systems), since these programs generally cannot run in the trusted environment (which typically runs only small programs whose behavior is provably predictable and trustworthy). A non-secure application can be written to have a specialized trusted agent that it cooperates with for security-related functions; however, legacy applications—particularly those whose implementation predates a particular secure computing platform—generally do not have trusted agents. Additionally, even for applications designed with trusted computing in mind, it is cumbersome for each such application to include functionality to manage sealed files. It would be preferable to provide a general facility that uses the sealing functionality of a trusted environment to protect and manage, where the facility can be used by a wide variety of software object (e.g., legacy applications, operating systems, virtual machines, etc.).
In view of the foregoing, there is a need for a mechanism that overcomes the drawbacks of the prior art.