CA1227885A - Secure data processing system architecture - Google Patents
Secure data processing system architectureInfo
- Publication number
- CA1227885A CA1227885A CA000473843A CA473843A CA1227885A CA 1227885 A CA1227885 A CA 1227885A CA 000473843 A CA000473843 A CA 000473843A CA 473843 A CA473843 A CA 473843A CA 1227885 A CA1227885 A CA 1227885A
- Authority
- CA
- Canada
- Prior art keywords
- data
- data processing
- processing system
- attributes
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
-
- G—PHYSICS
- G11—INFORMATION STORAGE
- G11B—INFORMATION STORAGE BASED ON RELATIVE MOVEMENT BETWEEN RECORD CARRIER AND TRANSDUCER
- G11B7/00—Recording or reproducing by optical means, e.g. recording using a thermal beam of optical radiation by modifying optical properties or the physical structure, reproducing using an optical beam at lower power by sensing optical properties; Record carriers therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1458—Protection against unauthorised use of memory or access to memory by checking the subject access rights
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/99931—Database or file accessing
- Y10S707/99938—Concurrency, e.g. lock management in shared database
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/99931—Database or file accessing
- Y10S707/99939—Privileged access
Abstract
ABSTRACT
A data processing system having an architecture for protecting selected system files. The data processing unit includes a secure processing unit operating in a manner independent of the operation of the remainder of the data processing unit for storing and comparing system file attributes and user entity attri-butes. The comparison of attributes is performed in accordance with a table in the secure processing unit containing the security context. The secure processing unit alone is able to manipulate special data groups called distinguished data objects. The secure processing unit also manipulates a data object identifier that iso-lates the identification of the system files from the actual memory storage locations. Apparatus and method are also disclosed for providing secure creation of pro-tected system files by in part eliminates interruption, the data processing system in the process. The architec-ture also facilitates secure transfer of files between data processing systems.
A data processing system having an architecture for protecting selected system files. The data processing unit includes a secure processing unit operating in a manner independent of the operation of the remainder of the data processing unit for storing and comparing system file attributes and user entity attri-butes. The comparison of attributes is performed in accordance with a table in the secure processing unit containing the security context. The secure processing unit alone is able to manipulate special data groups called distinguished data objects. The secure processing unit also manipulates a data object identifier that iso-lates the identification of the system files from the actual memory storage locations. Apparatus and method are also disclosed for providing secure creation of pro-tected system files by in part eliminates interruption, the data processing system in the process. The architec-ture also facilitates secure transfer of files between data processing systems.
Description
SECURE DATA PROCESSING SYSTEM ARCHITECTURE
BACKGROUND OF THE INVENTION
I Field of the Invention This invention relates generally to data processing systems which possess system files. Such files can be viewed as consisting of one or more segments, which in turn consist of one or more data objects, which in turn consist of fields, wherein segments, data objects, and fields are logical agree-gates of information which may have a variety of physical manifestations. This invention relates particularly to secure data processing systems in which access or manipulation of data objects can be performed only by programs executing on behalf of user entities which possess authorization. Authorization is determined by a security policy, which is a set of pro-existing relationships that exist between security attributes associated, at the time access or manipulation is attempted, with the aforesaid user entities and data objects, Such security attributes can, for example, represent the degree of sensitivity of information contained in the data object with which one security attribute is associated and the degree of trustworthiness of a user entity with which a second security attribute is associated. A security policy, and a secure data processing system which enforces it, can be used in this case to mandate that sensitive information is accessed or manipulated only by program executed on behalf of user entities which posses sufficient trust-worthiness.
BACKGROUND OF THE INVENTION
I Field of the Invention This invention relates generally to data processing systems which possess system files. Such files can be viewed as consisting of one or more segments, which in turn consist of one or more data objects, which in turn consist of fields, wherein segments, data objects, and fields are logical agree-gates of information which may have a variety of physical manifestations. This invention relates particularly to secure data processing systems in which access or manipulation of data objects can be performed only by programs executing on behalf of user entities which possess authorization. Authorization is determined by a security policy, which is a set of pro-existing relationships that exist between security attributes associated, at the time access or manipulation is attempted, with the aforesaid user entities and data objects, Such security attributes can, for example, represent the degree of sensitivity of information contained in the data object with which one security attribute is associated and the degree of trustworthiness of a user entity with which a second security attribute is associated. A security policy, and a secure data processing system which enforces it, can be used in this case to mandate that sensitive information is accessed or manipulated only by program executed on behalf of user entities which posses sufficient trust-worthiness.
2. Description of the Related Art It is known in related art to provide means whereby the modes or manners in which a program can access or manipulate a data object can be restricted to a fixed set, as for example, permitting or denying of the ability to read (access) information, write (enter) information, and/or other modes singly and in combine-lion. An instance of such a set shall be referred to herein as an access right. In this technique, access rights are granted by programs for data objects under their control, by setting value of fields within destiny-gushed data objects, said distinguished data objects being differentiated from ordinary ones by being located within distinguished segments. The distinguished data objects are fetched by the data processing system prior to access or manipulation, and the data processing system will only perform the access or manipulations permitted by the contents of their access rights fields. The above technique suffers from two weaknesses. First, the exist thence of distinguished segments adds complication to the programs executed by the data processing system, because the programs must treat distinguished and ordinary sex-mints in different ways. Second, programs are permitted to grant access without regard for the user entity on whose behalf the program is being executed, or any sect-ritzy attributes currently possessed by said user entity.
Thus a user entity may execute a program which grants an access right to another program executing on behalf of said user entity, which access right it not authorized by preexisting security policy. It is further known within related art to permit only highly trusted programs to grant access rights. When a program executing on behalf of a given user entity wishes a given access right Jo a given ordinary data object, said program invokes the highly trusted program, which obtains the current secure-try attributes associated with the given user entity and the given ordinary date object and insures that an access right is granted which is authorized by the security pot-icy. The above technique suffers from the weakness that the compromise of software programs, such as the highly trusted program described above, is known to be relative-lye easy to accomplish, such compromise can go undetected, and demonstration that a program has not been compromised is known to be extremely difficult It is still further known in related art to provide apparatus which is capable of recognizing destiny-gushed data objects, thereby permitting the mixing of distinguished and ordinary data objects within segments, and to restrict the setting of access right to highly trusted programs in the manner described above. This technique suffers from two weaknesses. First, the highly trusted program is subject to compromise as described above. Second, even if the highly trusted program is not compromised, a program executing on behalf of one user entity may establish an access right to some ordinary data object, which access right is unauthorized according to security policy. Such compromise is effected by having the program obtain a distinguished data object which grants an access right to a given ordinary data object, said access right being authorized by security policy, and then having the program place said destiny-gushed data object in a segment which can be accessed by a program executing on behalf of a second user entity, which second user entity has current security attributes different from the first user entity, and which second user entity security attributes do not authorize, according to security policy, the access right thereby obtained.
It is yet further known in the related art to -provide, in addition to the mixing of distinguished and ordinary iota objects in segments, and in addition to the providing of highly trusted software to set the values of distinguished data objects in the manner described above, apparatus which restricts the placement of distinguished data objects to segments which are accessed in common only by programs executing on behalf of user entities whose possible security attributes would authorize, according to security policy, the access rights granted by such distinguished data object The above technique suffer from three weaknesses. First, the highly trusted software is subject to compromise as described above.
Second, the restriction on the storage of distinguished data objects limit the activity of program executing on behalf of user entities, and thereby reduces the effect tiveness and efficiency of those programs. Third, the consequences of a malfunction in the apparatus which enforces such restriction is catastrophic, in that once a distinguished data object it placed in a segment to which access is freely shared, said distinguished data object can be moved and copied among segments in the data processing system in a manner impossible to trace and reverse.
All of the aforementioned techniques suffer from the additional weakness that a malicious user entity may place in the system a program which can be executed on the behalf of an unsuspecting user entity. The melt-pious program may then use the access rights authorized to the unsuspecting user entity to copy information in a I
manner such that the malicious user entity would, in effect, obtain unauthorized access to data object and such copying would not be detected by said unsuspecting user entity.
It is still further known in the related art to permit only highly trusted programs to access system files, and to require that programs executing on behalf of user entities invoke said highly trusted program upon each attempt to access system files. this technique surf-' lens from three weaknesses. First, the highly trusted program is subject to compromise as described above, and the demonstration that the program has not been compromised is virtually impossible, owing to the number of functions performed by the program. Second, even if the highly trusted program is not subject to compromise, it is extremely difficult to demonstrate that access to system files cannot be gained by means outside said high-lye trusted program. Third, the use of an intermediary program to perform accesses to system files severely degrades the performance of the programs which execute on behalf of user entities.
SUMMARY
It is therefore an object of the present invention to provide an architecture for a data processing system which is secure in the sense defined above.
~%~
It it a further object of the present invention to provide said security without recourse to or reliance upon highly trusted software programs.
It is still another object of the present invention to provide apparatus which associates security attributes with user antitieq and data objects and which permits those security attributes to vary in a controlled manner over time.
It is yet another object of the present invent lion to provide apparatus which guarantees that program executing on behalf of a user entity can exercise only those access rights which are consistent with limits set by a redefined security policy.
It it a still further object of the present invention to provide apparatus which guarantees that no program executing on behalf of a given user entity can, by abusing access rights to data objects, perform operations unauthorized by a redefined security policy.
It is a yet further object to accomplish the aforementioned objects using techniques which require minimal changes to software and programming practices in order for said software and programming practices to result in secure processing, by providing techniques which are extensions of and not restrictions to the tech-piques provided by non secure computer architectures.
I
The aforementioned and other objects of the present invention are accomplished by including within the data processing system apparatus which can recognize distinguished data objects within segments of the system files. Said distinguished data objects contain fields whose values denote a data object and grant an access right to the denoted data object Before a program can access or manipulate a given data object in a given mode or manner, said program must make available to said apparatus a distinguished data object, the values of whose fields denote the given data object and grant an access right which includes the modes and manners to be exercised by the program. Said apparatus will permit segments to contain both distinguished data objects and lo ordinary ones, and will impose no restrictions on which segments can contain a distinguished data objects, other than those restriction imposed by programs using the techniques provided by distinguished data objects. Said apparatus will protect distinguished data objects from pa compromise or examination by restricting the operations which may be performed on them. Said apparatus will use two techniques to insure that a program executing on behalf of a given user entity cannot use distinguished data objects to directly or indirectly access or manipu-late ordln~ry date objects in modes or manners which are unauthorized by a preaccepting security policy. First, Jo I
the apparatus will associate a pesky instance of user entity security attributes with each distinguished data object. Such a specific instance shall be referred to herein as the required security context of the destiny-gushed data object. The apparatus will maintain at all times the security attributes associated with the user entity on whose behalf the data processing system is cur-gently executing a program. An instance of such security attributes in effect at the time an acceqq or monopoly-lion is to be performed by a program shall be referred to herein as the current security context of the program.
The apparatus will not permit a program to access or manipulate the data object denoted by the distinguished data object in the mode or manner granted by the destiny-gushed data object, unless the current security context of the program is consistent with the required security context of the distinguished data object. Second, said apparatus will control the creation of distinguished data objects and the association of required security contexts with them, so that the effect of the first techniques described above is to guarantee that no program ever executed on behalf of a given user entity can, either directly or indirectly, access or manipulate information contained in a data object in a manner o-r mode which is not authorized by the preexisting security policy.
Distinguished data objects may be included in segments that are shared between processors, either along secure trays-mission links or in an encrypted form, thereby providing uniform-fly of control of access by user entities of the data processing units in a distributed system.
In accordance with the present invention, there is provided a data processing system having protected system files, said data processing system comprising:
memory means for storing logic signal groups;
processing means for manipulating logic signal groups in said memory means in accordance with instruction signal groups;
interaction means for permitting a user to enter instruct-ion signal groups for said processing means;
identification means coupled to said interaction means for relating preselected attributes with said user;
address means coupled to said interacting means for retrieve in a logic signal group associated with an instruction signal group, said address means also for associating preestablished attributes with said associated logic signal group;
and comparison means coupled to said address means and to said identification means for comparing said preselected attrib-vies with said preestablished attributes, said comparison means preventing said associated logic signal group from being manic-slated by said processing means unless said preselected and said preestablished attributes have a predetermined relationship.
In accordance with another aspect of the invention, there is provided a data processing system for creating a pro-tooted system file in response to a selected user instruction signal group, said data processing system comprising:
- lo -memory means for storing logic signal groups;
processing means for manipulating logic signal groups from said memory means in accordance with instruction signal groups;
interaction means for permitting a user to interact with said data processing unit;
first identification means coupled to said interaction means for identifying attributes associated with said user applying said selected user instruction signal group to said data process-in system;
second identification means coupled to said interaction means for identifying attributes associated with logic signal groups to be included in said protected system file;
comparison means for comparing said user attributes and said logic signal group attributes, said comparison means creating a file associated with said protected system file for controlling future use of said protected system file, said comparison means using said created file to determine when said user attributes and said protected file systems have a redefined relationship.
In accordance with another aspect of the invention, there is provided apparatus for transferring protected system files from a first data processing system to a second data pro-cussing system, wherein said first and second data processing systems have secure processing portions unavailable to control by a remainder of said data processing system for controlling manipulation of said protected system files, said apparatus come prosing:
means for storing said protected system files and interred-tale logic signal groups associated with each of said protected system files, said intermediate signal groups capable of being processed only by said secure processing portion, said interred-tale logic signal groups including attributes associated with I
- lob -said associated protected system files and an address of said associated protected system file, said logic signal groups, fur-then including a field indicative of intermediate logic signal groups and an identifier field indicative of availability of said protected system files to manipulation by users of said data processing systems;
means for encrypting said intermediate logic signal groups at said first data processing system;
means for decrypting said intermediate logic signal groups 0 at said second data processing unit; and means for identifying said indicative field in said second data processing system, wherein said intermediate logic signal groups transferred to said second data processing system can be processed only by said secure processing portion.
In accordance with another aspect of the invention, there is provided a data processing system for providing protege-ted system files comprising:
memory means for storing data objects and distinguished data objects;
interaction means for permitting a user entity to interact with said data processing system; user entity identification means coupled to said interaction means for identifying user en-lilies interacting with said data processing system;
data object processing unit coupled to said interaction means and to said memory means for manipulating said data objects;
and secure processing means operating automatically in response to signals from a remainder of said data processing unit, said secure processor unit comprising:
- lo -a current security context register coupled to user entity identification means for identifying attributes associated with said user entities;
security context table for specifying relationships between said user entity attributes and attributes of said protected soys-them file, wherein said protected system files include data objects;
data object characteristics table for specifying a memory ad-dress and other characteristics of said protected system file data objects;
a distinguished data object processing unit and associated program working set table for determining addresses of data objects currently under program execution, said distinguished data object processing unit also determining when said user entity attributes and said system file attributes have predetermined relationship;
and a memory address apparatus coupled to said distinguished data object processing unit for transferring data objects and destiny-gushed data objects between said memory and said data processing system, said memory address apparatus including recognition appear-anus for identifying said distinguished data objects, said memory address apparatus transferring data objects to said data object processing unit when said predetermined relationship is present.
In accordance with another aspect of the invention, there is provided a data processing system with protected system files, said data processing system comprising:
a memory unit for storing data objects and security data ox-jets;
data object processing means for processing said data objects stored in said memory unit;
user input means for identifying attributes of a user enter-in instructions in said data processing system;
- lo -system file identification means coupled to said user input means for identifying a data object identification field related to a system file requested by a user instruction, said system file associated with data objects;
retrieving means coupled to said system file identification means and responsive to said data object identification field for retrieving a security data object from said memory unit, said so-curtly data object containing attributes and memory unit address of said instruction system file;
security context table for defining relationships between attributes of a user and attributes associated with said system file; and processor means coupled to said security context table and to said retrieving means for comparing said user attributes and system file attributes in accordance with said security context table, said processor means permitting said data object process-in means to execute said instruction when said comparison has a first value.
In accordance with another aspect of the invention, there is provide a data processing system for creation of pro-tooted system files, said data processing system comprising:
processing means responsive to user entity instructions for manipulating system file in accordance with said user in-structions;
input means responsive to an instruction requesting area-lion of a protected system file for determining desired activity parameters of said requested protected system file;
identification means for determining an identification of a user entity providing said instruction requesting creation of said 0 protected system file;
user entity parameter table coupled to said identification means for providing data signals representing activity parameters associated with said user entity, said user entity parameter table - lye -unavailable to control by said data processing system; and secure processing means for comparing said desired system file activity parameters and said user entity activity parameters, said processor means permitting creation of said protected system file when said user entity and said system file activity has a predetermined context relationship, said secure processing means storing a security file in a data processing system memory having protected system file activity parameters, said secure processing means providing an entry in a table with an address of said stored security file.
In accordance with another aspect of the invention, there is provided a data processing system having protected system files, said data processing system comprising:
a memory unit for storing ordinary data objects and special data objects, wherein a system file has at least one identifying data group associated therewith, said special data objects include in an identifying data group, said special data object further including address groups for identifying ordinary data groups associated with said protected system file;
processing means for processing ordinary data groups in rest posse to instructions by a user entity;
input unit for identifying said user entity applying instruct lions to said data processing system;
user entity parameter table coupled to said input unit for defining parameters associated with said user entity;
activity parameter table for defining parameters associated with said identifying data groups;
context table for defining permitted relationships between said user entity parameters and said activity parameters; and - EYE -secure processing means for providing an identifying data group for a protected system file requested by a user entity, said secure processing means permitting execution of an instruct lion from a user entity when said secure processing means deter-mines that said user entity parameters and said activity pane-meters have a permitted relationship as defined by said context table.
In accordance with the present invention, there is provided the method of providing for the security of logic sign net groups against unauthorized access in a data processing soys-them comprising -the steps of:
collecting all logic signal groups into identifiable logic signal units;
associating with each of said identifiable logic signal units a distinguished logic signal unit, wherein said destiny-gushed logic signal unit defines access rights required to act cuss said associated identifiable logic signal unit;
associating with each user of said data processing system access rights;
comparing said access rights required to access a selected identifiable logic signal unit with access rights of a user no-questing access to said selected identifiable logic signal unit;
and creating said access rights required to access an identi-liable logic signal unit in said associated distinguished logic signal group when said distinguished logic signal unit is form-Ed said access rights selected to implement a redefined policy for security of said identifiable logic signal group.
I
- 10g -These and other features of the invention will be us-derstood upon reading of the following description along with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a diagram illustrating how restrictions on the flow of information can be mandated by a security policy which associates security attributes with user entities and data objects and controls modes and manners of access and manipulation by relationships between said attributes.
Figure 2 is a simplified block diagram of a typical data processing system.
Figure 3 is a block diagram of a data processing system illustrating the apparatus implementing the instant invention.
Figure 4 is a diagram illustrating the fields of a disk tinguished data object.
Figure 5 is a diagram showing how distinguished data objects can denote overlapping or nested ordinary data objects.
Figure 6 is a diagram illustrating how data objects are addressed in a manner that enforces access rights.
Figure 7 is a diagram that show how a program adds a data object to the set of data objects upon which it is working.
Figure it a diagram illustrating how a second distinguished data object is created from a first destiny-gushed data object in a manner that insures that the second distinguished data object grant an access right which is authorized by the preexisting policy.
Figure 9 is a diagram showing how a copy of a distinguished data object is made in a manner that injures that the access right granted by the second disk tinguished data object is authorized by the predetermined policy.
DETAILED DESCRIPTION OF THE DRAWINGS
In all diagrams, detailed element numbers can refer to elements of previous drawings.
Referring now to Figure 1, the manner in which the flow of information between user entities can be controlled by security attributes associated with the user entities and the data objects manipulated or accessed by those entities is illustrated. The security attributes in this example are partially ordered: A
is defined to be greater than A which it defined to be greater than A By is defined to be greater than By which is defined to be greater than By A is defined to be greater than By each attribute it defined to be equal to itself, and no other relation exist between the attributes. The redefined security policy is that a user entity may read (retrieve) informal lion from a data object if and only if the current sect-ritzy attribute of the user entity is greater than or equal to the security attribute of the data object, and a user entity may write (enter) information into a data object if and only if the security attribute of the data object is greater than oracle to the security attribute currently associated with the user entity. As indicated in the diagram, and with relation to user entities communicating by means of data objects contained within system files in the memory unit of computers, memory space is available to any data processing user entity.
Any user entity can access or manipulate any date object to which a connecting line exists in the diagram, in the mode or manner shown on the label attached to the line.
The links accordingly define all the possible directional paths along which information can flow from user entity 2'7'~
to user entity, given the example security attributes.
Thus one-way communication is possible from A and A
to A from I and By to By and from By to A in many cases through a variety of data objects.
In such a manner arbitrary information flows between user entities may be controlled in a manner not restricted to rigid relations between those user entities, such as strict hierarchical ordering. As an example, in modern corporate practice, the I set of data objects could lo contain financial data of increasing sensitivity and the A set of data objects could contain production data of increasing sensitivity. Likewise, the By set of user entities could be members of the financial staff of increasing rank and privilege and the A set similarly members of the production staff. The information flow controls in the example diagram show a circumstance wherein information flows upward only within each staff, the highest ranking member of the production staff is able to examine but not alter low-sensitivity financial Z0 data such as individual invoices, no other members of the production staff have any access whatever to any linen-coal data, and no member of the financial staff, no mat-ton how high ranking, have any access to production information. It will be clear that the information flow Z5 restrictions are enforced solely by permitting or prohibiting operations based on a comparison of the cur-rent security attributes of a user entity and those of a data object. Thus if a user entity has a security Atari-byte Atop at the time access is attempted to a data object with security attribute By a comparison of attributes will yield a result of non-compatibility. It will also be clear that although Figure 1 represents data objects as distinct entities, in general, the data objects may be located anywhere within physical media.
Referring now to Figure 2, a data processing system is seen to be comprised of a terminal 20, a pro-censor I and a memory 22. A user entity desirous having a program executed on it-s behalf by processor 21 must first identify itself by means of an elaborate loin procedure using, for example, a password. A further example involves the use of the terminal, wherein the identity of the terminal will automatically identify the user entity and define the security attributes of said user entity. Once the user entity (or terminal) has been coupled to processor 21, said processor may execute pro-grams on behalf of said user entity, which programs may access or manipulate information in memory 22 in a van-eta of modes and manners.
Referring now to Figure 3, a schematic diagram of the principal components implementing the present invention is illustrated. Processor 21 of Figure 2 is composed of user entity identification apparatus 31, do I
ordinary data object processing unit 32, and secure pro-censor 33. Secure processor 33 it composed of current security context register 331, which carries the security attributes currently associated with the user entity who is communicating through terminal 20 of Figure 2, required security context table 332, which carries the required security context associated with every destiny-gushed data object, data object characteristics table 333, which carries the address and other characteristics of every data object denoted by a distinguished data object. Secure processor 33 also includes program work-in set table 334, which contains the information nieces-spry for a program to address those ordinary data objects upon which it is currently working, and distinguished data object processing unit 335, which performs the restricted set of operations on distinguished data objects. Secure processor 33 also includes memory address apparatus 336, which fetches information from and stores information into memory 22 of Figure 2 and which includes tag code recognition apparatus aye, which apparatus insures that ordinary data processing unit 32 only processes ordinary data objects. The final combo-next of secure processor 33 is encryption apparatus 337, which may be included to ensure the secure transmission of segments containing distinguished data objects.
Referring to Figure 4, a distinguished data object is shown along with the ordinary data object it denotes. Distinguished data object 40 is composed of data object identification number 401, which uniquely identifies the ordinary data object 41, access right 402, which defines a set of allowed modes and manners of access and manipulation which may be performed by a pro-gram upon ordinary data object 41, miscellaneous field 403, which may be used to contain information such as lo error checking and correcting code, required security context 404, which defines the required security context associated with distinguished data object 40 as defined previously, current address 405, which locate the beginning of ordinary data object 41 within memory 22 of lo Figure 2, length 406, which defines the extent of and thus locates the end of ordinary data object 41 within memory 22 of Figure 2, and other characteristics field 407, which contains other characteristics of ordinary data object 41, such as the manner in which information is encoded in it. In the preferred embodiment, fields 401, 402, and 403 occupy contiguous locations in memory 22 of Figure 2 and have tag codes associated with the physical media containing those locations, field 404 is carried within the required security context table 332 ox Figure 3 and located by means of the data object identi-ligation number 401, and fields 405, 406, and 407 are carried within data object characteristics table 333 of Figure 3 and located by means of data object identifica-lion number 401. This organization yields the most effi-client use of memory and increases the performance of the secure processor. Other organizations can be functionally equivalent, provided said organization per-mitt fields 402, 403, 404, 405, 406, and 407 to be made available to the secure processor given a value of field 401, and provides identification to distinguish the object containing field 401 and to protect it against unauthorized access or manipulation.
Referring to Figure 5, the manner in which nested and overlapping ordinary data objects can be denoted by distinguished data objects is illustrated.
Three distinguished data objects 40 of Figure 4 are shown in Emory 22 of Figure 2. Each has a distinct data object identifier value 401 of Figure 4, and each therefore denotes distinct ordinary data objects 50, 51, and 52. The diagram shows how the fields 405 and 406 of Figure 4 can assure value such that ordinary data object 51 is nested within ordinary data object 50, and ordinary data object 52 overlaps ordinary data object 50. It is alto possible that the values in fields 405 and 406 assume values such that all three distinguished data objects denote the identical ordinary data object.
Referring to Figure 6, the manner in which addresses are computed and access rights checlced is illustrated. An instruction 60 is composed of an operation code 601, which defines the operation a program is to perform upon field 611 of ordinary data object 61 within memory 22 of Figure 2, and address 602, which is the location of field 611 expressed relative to the set of data objects upon which the program is currently work-in. Address 602 is interpreted a containing fields lo aye and 602b. Field aye is interpreted as an index into program working set table 334 of Figure 3, which index locates program working set entry 62, which con-sits of data object identifier field 621, access right field 622, current address field 623, and length field 62~. Field 602b is interpreted as an offset within oared-nary data object 61. Instruction 601 is transmitted to memory address apparatus 336 of Figure 3. Memory address apparatus 336 extracts field aye and uses it to locate program working set entry 62. Memory address apparatus 336 compares access right 622 against operation 601 and verifies that the modes and manners ox access and manipu-lotion required by operation 601 are permitted by access right 622. If they are not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If the operation 601 and access right 622 are compatible, memory address apparatus 336 I
then compares offset field 602b against length field 62 to verify that field 611 it indeed within ordinary data object 61. If it is not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If it it memory address apparatus 336 adds field 602b to field 623 in order to obtain the address ox field 611, and transmits field 611 to the ordinary data object processing unit 32 of Figure
Thus a user entity may execute a program which grants an access right to another program executing on behalf of said user entity, which access right it not authorized by preexisting security policy. It is further known within related art to permit only highly trusted programs to grant access rights. When a program executing on behalf of a given user entity wishes a given access right Jo a given ordinary data object, said program invokes the highly trusted program, which obtains the current secure-try attributes associated with the given user entity and the given ordinary date object and insures that an access right is granted which is authorized by the security pot-icy. The above technique suffers from the weakness that the compromise of software programs, such as the highly trusted program described above, is known to be relative-lye easy to accomplish, such compromise can go undetected, and demonstration that a program has not been compromised is known to be extremely difficult It is still further known in related art to provide apparatus which is capable of recognizing destiny-gushed data objects, thereby permitting the mixing of distinguished and ordinary data objects within segments, and to restrict the setting of access right to highly trusted programs in the manner described above. This technique suffers from two weaknesses. First, the highly trusted program is subject to compromise as described above. Second, even if the highly trusted program is not compromised, a program executing on behalf of one user entity may establish an access right to some ordinary data object, which access right is unauthorized according to security policy. Such compromise is effected by having the program obtain a distinguished data object which grants an access right to a given ordinary data object, said access right being authorized by security policy, and then having the program place said destiny-gushed data object in a segment which can be accessed by a program executing on behalf of a second user entity, which second user entity has current security attributes different from the first user entity, and which second user entity security attributes do not authorize, according to security policy, the access right thereby obtained.
It is yet further known in the related art to -provide, in addition to the mixing of distinguished and ordinary iota objects in segments, and in addition to the providing of highly trusted software to set the values of distinguished data objects in the manner described above, apparatus which restricts the placement of distinguished data objects to segments which are accessed in common only by programs executing on behalf of user entities whose possible security attributes would authorize, according to security policy, the access rights granted by such distinguished data object The above technique suffer from three weaknesses. First, the highly trusted software is subject to compromise as described above.
Second, the restriction on the storage of distinguished data objects limit the activity of program executing on behalf of user entities, and thereby reduces the effect tiveness and efficiency of those programs. Third, the consequences of a malfunction in the apparatus which enforces such restriction is catastrophic, in that once a distinguished data object it placed in a segment to which access is freely shared, said distinguished data object can be moved and copied among segments in the data processing system in a manner impossible to trace and reverse.
All of the aforementioned techniques suffer from the additional weakness that a malicious user entity may place in the system a program which can be executed on the behalf of an unsuspecting user entity. The melt-pious program may then use the access rights authorized to the unsuspecting user entity to copy information in a I
manner such that the malicious user entity would, in effect, obtain unauthorized access to data object and such copying would not be detected by said unsuspecting user entity.
It is still further known in the related art to permit only highly trusted programs to access system files, and to require that programs executing on behalf of user entities invoke said highly trusted program upon each attempt to access system files. this technique surf-' lens from three weaknesses. First, the highly trusted program is subject to compromise as described above, and the demonstration that the program has not been compromised is virtually impossible, owing to the number of functions performed by the program. Second, even if the highly trusted program is not subject to compromise, it is extremely difficult to demonstrate that access to system files cannot be gained by means outside said high-lye trusted program. Third, the use of an intermediary program to perform accesses to system files severely degrades the performance of the programs which execute on behalf of user entities.
SUMMARY
It is therefore an object of the present invention to provide an architecture for a data processing system which is secure in the sense defined above.
~%~
It it a further object of the present invention to provide said security without recourse to or reliance upon highly trusted software programs.
It is still another object of the present invention to provide apparatus which associates security attributes with user antitieq and data objects and which permits those security attributes to vary in a controlled manner over time.
It is yet another object of the present invent lion to provide apparatus which guarantees that program executing on behalf of a user entity can exercise only those access rights which are consistent with limits set by a redefined security policy.
It it a still further object of the present invention to provide apparatus which guarantees that no program executing on behalf of a given user entity can, by abusing access rights to data objects, perform operations unauthorized by a redefined security policy.
It is a yet further object to accomplish the aforementioned objects using techniques which require minimal changes to software and programming practices in order for said software and programming practices to result in secure processing, by providing techniques which are extensions of and not restrictions to the tech-piques provided by non secure computer architectures.
I
The aforementioned and other objects of the present invention are accomplished by including within the data processing system apparatus which can recognize distinguished data objects within segments of the system files. Said distinguished data objects contain fields whose values denote a data object and grant an access right to the denoted data object Before a program can access or manipulate a given data object in a given mode or manner, said program must make available to said apparatus a distinguished data object, the values of whose fields denote the given data object and grant an access right which includes the modes and manners to be exercised by the program. Said apparatus will permit segments to contain both distinguished data objects and lo ordinary ones, and will impose no restrictions on which segments can contain a distinguished data objects, other than those restriction imposed by programs using the techniques provided by distinguished data objects. Said apparatus will protect distinguished data objects from pa compromise or examination by restricting the operations which may be performed on them. Said apparatus will use two techniques to insure that a program executing on behalf of a given user entity cannot use distinguished data objects to directly or indirectly access or manipu-late ordln~ry date objects in modes or manners which are unauthorized by a preaccepting security policy. First, Jo I
the apparatus will associate a pesky instance of user entity security attributes with each distinguished data object. Such a specific instance shall be referred to herein as the required security context of the destiny-gushed data object. The apparatus will maintain at all times the security attributes associated with the user entity on whose behalf the data processing system is cur-gently executing a program. An instance of such security attributes in effect at the time an acceqq or monopoly-lion is to be performed by a program shall be referred to herein as the current security context of the program.
The apparatus will not permit a program to access or manipulate the data object denoted by the distinguished data object in the mode or manner granted by the destiny-gushed data object, unless the current security context of the program is consistent with the required security context of the distinguished data object. Second, said apparatus will control the creation of distinguished data objects and the association of required security contexts with them, so that the effect of the first techniques described above is to guarantee that no program ever executed on behalf of a given user entity can, either directly or indirectly, access or manipulate information contained in a data object in a manner o-r mode which is not authorized by the preexisting security policy.
Distinguished data objects may be included in segments that are shared between processors, either along secure trays-mission links or in an encrypted form, thereby providing uniform-fly of control of access by user entities of the data processing units in a distributed system.
In accordance with the present invention, there is provided a data processing system having protected system files, said data processing system comprising:
memory means for storing logic signal groups;
processing means for manipulating logic signal groups in said memory means in accordance with instruction signal groups;
interaction means for permitting a user to enter instruct-ion signal groups for said processing means;
identification means coupled to said interaction means for relating preselected attributes with said user;
address means coupled to said interacting means for retrieve in a logic signal group associated with an instruction signal group, said address means also for associating preestablished attributes with said associated logic signal group;
and comparison means coupled to said address means and to said identification means for comparing said preselected attrib-vies with said preestablished attributes, said comparison means preventing said associated logic signal group from being manic-slated by said processing means unless said preselected and said preestablished attributes have a predetermined relationship.
In accordance with another aspect of the invention, there is provided a data processing system for creating a pro-tooted system file in response to a selected user instruction signal group, said data processing system comprising:
- lo -memory means for storing logic signal groups;
processing means for manipulating logic signal groups from said memory means in accordance with instruction signal groups;
interaction means for permitting a user to interact with said data processing unit;
first identification means coupled to said interaction means for identifying attributes associated with said user applying said selected user instruction signal group to said data process-in system;
second identification means coupled to said interaction means for identifying attributes associated with logic signal groups to be included in said protected system file;
comparison means for comparing said user attributes and said logic signal group attributes, said comparison means creating a file associated with said protected system file for controlling future use of said protected system file, said comparison means using said created file to determine when said user attributes and said protected file systems have a redefined relationship.
In accordance with another aspect of the invention, there is provided apparatus for transferring protected system files from a first data processing system to a second data pro-cussing system, wherein said first and second data processing systems have secure processing portions unavailable to control by a remainder of said data processing system for controlling manipulation of said protected system files, said apparatus come prosing:
means for storing said protected system files and interred-tale logic signal groups associated with each of said protected system files, said intermediate signal groups capable of being processed only by said secure processing portion, said interred-tale logic signal groups including attributes associated with I
- lob -said associated protected system files and an address of said associated protected system file, said logic signal groups, fur-then including a field indicative of intermediate logic signal groups and an identifier field indicative of availability of said protected system files to manipulation by users of said data processing systems;
means for encrypting said intermediate logic signal groups at said first data processing system;
means for decrypting said intermediate logic signal groups 0 at said second data processing unit; and means for identifying said indicative field in said second data processing system, wherein said intermediate logic signal groups transferred to said second data processing system can be processed only by said secure processing portion.
In accordance with another aspect of the invention, there is provided a data processing system for providing protege-ted system files comprising:
memory means for storing data objects and distinguished data objects;
interaction means for permitting a user entity to interact with said data processing system; user entity identification means coupled to said interaction means for identifying user en-lilies interacting with said data processing system;
data object processing unit coupled to said interaction means and to said memory means for manipulating said data objects;
and secure processing means operating automatically in response to signals from a remainder of said data processing unit, said secure processor unit comprising:
- lo -a current security context register coupled to user entity identification means for identifying attributes associated with said user entities;
security context table for specifying relationships between said user entity attributes and attributes of said protected soys-them file, wherein said protected system files include data objects;
data object characteristics table for specifying a memory ad-dress and other characteristics of said protected system file data objects;
a distinguished data object processing unit and associated program working set table for determining addresses of data objects currently under program execution, said distinguished data object processing unit also determining when said user entity attributes and said system file attributes have predetermined relationship;
and a memory address apparatus coupled to said distinguished data object processing unit for transferring data objects and destiny-gushed data objects between said memory and said data processing system, said memory address apparatus including recognition appear-anus for identifying said distinguished data objects, said memory address apparatus transferring data objects to said data object processing unit when said predetermined relationship is present.
In accordance with another aspect of the invention, there is provided a data processing system with protected system files, said data processing system comprising:
a memory unit for storing data objects and security data ox-jets;
data object processing means for processing said data objects stored in said memory unit;
user input means for identifying attributes of a user enter-in instructions in said data processing system;
- lo -system file identification means coupled to said user input means for identifying a data object identification field related to a system file requested by a user instruction, said system file associated with data objects;
retrieving means coupled to said system file identification means and responsive to said data object identification field for retrieving a security data object from said memory unit, said so-curtly data object containing attributes and memory unit address of said instruction system file;
security context table for defining relationships between attributes of a user and attributes associated with said system file; and processor means coupled to said security context table and to said retrieving means for comparing said user attributes and system file attributes in accordance with said security context table, said processor means permitting said data object process-in means to execute said instruction when said comparison has a first value.
In accordance with another aspect of the invention, there is provide a data processing system for creation of pro-tooted system files, said data processing system comprising:
processing means responsive to user entity instructions for manipulating system file in accordance with said user in-structions;
input means responsive to an instruction requesting area-lion of a protected system file for determining desired activity parameters of said requested protected system file;
identification means for determining an identification of a user entity providing said instruction requesting creation of said 0 protected system file;
user entity parameter table coupled to said identification means for providing data signals representing activity parameters associated with said user entity, said user entity parameter table - lye -unavailable to control by said data processing system; and secure processing means for comparing said desired system file activity parameters and said user entity activity parameters, said processor means permitting creation of said protected system file when said user entity and said system file activity has a predetermined context relationship, said secure processing means storing a security file in a data processing system memory having protected system file activity parameters, said secure processing means providing an entry in a table with an address of said stored security file.
In accordance with another aspect of the invention, there is provided a data processing system having protected system files, said data processing system comprising:
a memory unit for storing ordinary data objects and special data objects, wherein a system file has at least one identifying data group associated therewith, said special data objects include in an identifying data group, said special data object further including address groups for identifying ordinary data groups associated with said protected system file;
processing means for processing ordinary data groups in rest posse to instructions by a user entity;
input unit for identifying said user entity applying instruct lions to said data processing system;
user entity parameter table coupled to said input unit for defining parameters associated with said user entity;
activity parameter table for defining parameters associated with said identifying data groups;
context table for defining permitted relationships between said user entity parameters and said activity parameters; and - EYE -secure processing means for providing an identifying data group for a protected system file requested by a user entity, said secure processing means permitting execution of an instruct lion from a user entity when said secure processing means deter-mines that said user entity parameters and said activity pane-meters have a permitted relationship as defined by said context table.
In accordance with the present invention, there is provided the method of providing for the security of logic sign net groups against unauthorized access in a data processing soys-them comprising -the steps of:
collecting all logic signal groups into identifiable logic signal units;
associating with each of said identifiable logic signal units a distinguished logic signal unit, wherein said destiny-gushed logic signal unit defines access rights required to act cuss said associated identifiable logic signal unit;
associating with each user of said data processing system access rights;
comparing said access rights required to access a selected identifiable logic signal unit with access rights of a user no-questing access to said selected identifiable logic signal unit;
and creating said access rights required to access an identi-liable logic signal unit in said associated distinguished logic signal group when said distinguished logic signal unit is form-Ed said access rights selected to implement a redefined policy for security of said identifiable logic signal group.
I
- 10g -These and other features of the invention will be us-derstood upon reading of the following description along with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a diagram illustrating how restrictions on the flow of information can be mandated by a security policy which associates security attributes with user entities and data objects and controls modes and manners of access and manipulation by relationships between said attributes.
Figure 2 is a simplified block diagram of a typical data processing system.
Figure 3 is a block diagram of a data processing system illustrating the apparatus implementing the instant invention.
Figure 4 is a diagram illustrating the fields of a disk tinguished data object.
Figure 5 is a diagram showing how distinguished data objects can denote overlapping or nested ordinary data objects.
Figure 6 is a diagram illustrating how data objects are addressed in a manner that enforces access rights.
Figure 7 is a diagram that show how a program adds a data object to the set of data objects upon which it is working.
Figure it a diagram illustrating how a second distinguished data object is created from a first destiny-gushed data object in a manner that insures that the second distinguished data object grant an access right which is authorized by the preexisting policy.
Figure 9 is a diagram showing how a copy of a distinguished data object is made in a manner that injures that the access right granted by the second disk tinguished data object is authorized by the predetermined policy.
DETAILED DESCRIPTION OF THE DRAWINGS
In all diagrams, detailed element numbers can refer to elements of previous drawings.
Referring now to Figure 1, the manner in which the flow of information between user entities can be controlled by security attributes associated with the user entities and the data objects manipulated or accessed by those entities is illustrated. The security attributes in this example are partially ordered: A
is defined to be greater than A which it defined to be greater than A By is defined to be greater than By which is defined to be greater than By A is defined to be greater than By each attribute it defined to be equal to itself, and no other relation exist between the attributes. The redefined security policy is that a user entity may read (retrieve) informal lion from a data object if and only if the current sect-ritzy attribute of the user entity is greater than or equal to the security attribute of the data object, and a user entity may write (enter) information into a data object if and only if the security attribute of the data object is greater than oracle to the security attribute currently associated with the user entity. As indicated in the diagram, and with relation to user entities communicating by means of data objects contained within system files in the memory unit of computers, memory space is available to any data processing user entity.
Any user entity can access or manipulate any date object to which a connecting line exists in the diagram, in the mode or manner shown on the label attached to the line.
The links accordingly define all the possible directional paths along which information can flow from user entity 2'7'~
to user entity, given the example security attributes.
Thus one-way communication is possible from A and A
to A from I and By to By and from By to A in many cases through a variety of data objects.
In such a manner arbitrary information flows between user entities may be controlled in a manner not restricted to rigid relations between those user entities, such as strict hierarchical ordering. As an example, in modern corporate practice, the I set of data objects could lo contain financial data of increasing sensitivity and the A set of data objects could contain production data of increasing sensitivity. Likewise, the By set of user entities could be members of the financial staff of increasing rank and privilege and the A set similarly members of the production staff. The information flow controls in the example diagram show a circumstance wherein information flows upward only within each staff, the highest ranking member of the production staff is able to examine but not alter low-sensitivity financial Z0 data such as individual invoices, no other members of the production staff have any access whatever to any linen-coal data, and no member of the financial staff, no mat-ton how high ranking, have any access to production information. It will be clear that the information flow Z5 restrictions are enforced solely by permitting or prohibiting operations based on a comparison of the cur-rent security attributes of a user entity and those of a data object. Thus if a user entity has a security Atari-byte Atop at the time access is attempted to a data object with security attribute By a comparison of attributes will yield a result of non-compatibility. It will also be clear that although Figure 1 represents data objects as distinct entities, in general, the data objects may be located anywhere within physical media.
Referring now to Figure 2, a data processing system is seen to be comprised of a terminal 20, a pro-censor I and a memory 22. A user entity desirous having a program executed on it-s behalf by processor 21 must first identify itself by means of an elaborate loin procedure using, for example, a password. A further example involves the use of the terminal, wherein the identity of the terminal will automatically identify the user entity and define the security attributes of said user entity. Once the user entity (or terminal) has been coupled to processor 21, said processor may execute pro-grams on behalf of said user entity, which programs may access or manipulate information in memory 22 in a van-eta of modes and manners.
Referring now to Figure 3, a schematic diagram of the principal components implementing the present invention is illustrated. Processor 21 of Figure 2 is composed of user entity identification apparatus 31, do I
ordinary data object processing unit 32, and secure pro-censor 33. Secure processor 33 it composed of current security context register 331, which carries the security attributes currently associated with the user entity who is communicating through terminal 20 of Figure 2, required security context table 332, which carries the required security context associated with every destiny-gushed data object, data object characteristics table 333, which carries the address and other characteristics of every data object denoted by a distinguished data object. Secure processor 33 also includes program work-in set table 334, which contains the information nieces-spry for a program to address those ordinary data objects upon which it is currently working, and distinguished data object processing unit 335, which performs the restricted set of operations on distinguished data objects. Secure processor 33 also includes memory address apparatus 336, which fetches information from and stores information into memory 22 of Figure 2 and which includes tag code recognition apparatus aye, which apparatus insures that ordinary data processing unit 32 only processes ordinary data objects. The final combo-next of secure processor 33 is encryption apparatus 337, which may be included to ensure the secure transmission of segments containing distinguished data objects.
Referring to Figure 4, a distinguished data object is shown along with the ordinary data object it denotes. Distinguished data object 40 is composed of data object identification number 401, which uniquely identifies the ordinary data object 41, access right 402, which defines a set of allowed modes and manners of access and manipulation which may be performed by a pro-gram upon ordinary data object 41, miscellaneous field 403, which may be used to contain information such as lo error checking and correcting code, required security context 404, which defines the required security context associated with distinguished data object 40 as defined previously, current address 405, which locate the beginning of ordinary data object 41 within memory 22 of lo Figure 2, length 406, which defines the extent of and thus locates the end of ordinary data object 41 within memory 22 of Figure 2, and other characteristics field 407, which contains other characteristics of ordinary data object 41, such as the manner in which information is encoded in it. In the preferred embodiment, fields 401, 402, and 403 occupy contiguous locations in memory 22 of Figure 2 and have tag codes associated with the physical media containing those locations, field 404 is carried within the required security context table 332 ox Figure 3 and located by means of the data object identi-ligation number 401, and fields 405, 406, and 407 are carried within data object characteristics table 333 of Figure 3 and located by means of data object identifica-lion number 401. This organization yields the most effi-client use of memory and increases the performance of the secure processor. Other organizations can be functionally equivalent, provided said organization per-mitt fields 402, 403, 404, 405, 406, and 407 to be made available to the secure processor given a value of field 401, and provides identification to distinguish the object containing field 401 and to protect it against unauthorized access or manipulation.
Referring to Figure 5, the manner in which nested and overlapping ordinary data objects can be denoted by distinguished data objects is illustrated.
Three distinguished data objects 40 of Figure 4 are shown in Emory 22 of Figure 2. Each has a distinct data object identifier value 401 of Figure 4, and each therefore denotes distinct ordinary data objects 50, 51, and 52. The diagram shows how the fields 405 and 406 of Figure 4 can assure value such that ordinary data object 51 is nested within ordinary data object 50, and ordinary data object 52 overlaps ordinary data object 50. It is alto possible that the values in fields 405 and 406 assume values such that all three distinguished data objects denote the identical ordinary data object.
Referring to Figure 6, the manner in which addresses are computed and access rights checlced is illustrated. An instruction 60 is composed of an operation code 601, which defines the operation a program is to perform upon field 611 of ordinary data object 61 within memory 22 of Figure 2, and address 602, which is the location of field 611 expressed relative to the set of data objects upon which the program is currently work-in. Address 602 is interpreted a containing fields lo aye and 602b. Field aye is interpreted as an index into program working set table 334 of Figure 3, which index locates program working set entry 62, which con-sits of data object identifier field 621, access right field 622, current address field 623, and length field 62~. Field 602b is interpreted as an offset within oared-nary data object 61. Instruction 601 is transmitted to memory address apparatus 336 of Figure 3. Memory address apparatus 336 extracts field aye and uses it to locate program working set entry 62. Memory address apparatus 336 compares access right 622 against operation 601 and verifies that the modes and manners ox access and manipu-lotion required by operation 601 are permitted by access right 622. If they are not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If the operation 601 and access right 622 are compatible, memory address apparatus 336 I
then compares offset field 602b against length field 62 to verify that field 611 it indeed within ordinary data object 61. If it is not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If it it memory address apparatus 336 adds field 602b to field 623 in order to obtain the address ox field 611, and transmits field 611 to the ordinary data object processing unit 32 of Figure
3 or distinguished data object processing unit 335 of lo Figure 3, depending on operation code 601. Tag code fee-ignition apparatus aye of Figure 3 checks the transfer to insure that no data stored in locations containing tag codes is transmitted to ordinary data object processor 32.
Referring to Figure 7, the method by which pro-gram adds a data object to the set upon which it is cur-gently working is illustrated. A program transmits to secure processor 33 of Figure 3 a request to add a data object to said program's working set. The request may be encoded in any combination of operation codes, addresses, and field values which identify the request, denote a distinguished data object Tao of Figure 4 which is con-twined in memory 22 of Figure 2 and which in turn denotes the desired data object I in memory 22,- and identity a program worlcing set entry 62 of Figure 2, which entry is to be used by the program for subsequent reference to I, J Ed 7~3 data object 61. Distinguished data object processor 335 of Figure 3 fetches fields 401 and 402 from memory 22 using the steps described in reference to Figure 6.
Using the data object identification number 401, process son 335 fetches required security context 404 from required security context table 332, and compares required security context 404 with the current security context stored in current security context register 331 of Figure 3, said register 331 being continuously 10 maintained to reflect the current status by user entity identification apparatus 31. If the required and current contexts are not compatible as defined by the redefined security policy, processor 335 prevents any access by the program to data object 61, either by not constructing 15 entry 62 or by constructing an entry 62 containing an access right field 622 which grants no access whatever.
If the required and current contexts are compatible, pro-censor 335 construct entry 62 in the manner shown, by moving field 401 to field 621, field 402 to yield 622, 20 field 405 to field 623, and field 406 to field 624. In the preferred embodiment the move from field 402 to field 622 is a simple copy, in order to maximize the speed of this operation. It is possible, and equivalent, to come pare fields 404 and ~31 at the time of the move, and 25 alter the value of field 622 to guarantee that the access right granted by field 622 it authorized by the redefined security policy.
Referring to Figure 8, the technique by which a distinguished data object it made from an existing disk tinguished data object in a manner that maintains secure-try it illustrated. A program transmits to secure process son 33 of Figure 3 a request to create a new Dayton-gushed data object. The request may be encoded in any combination of operation code, addresses, and fields which identify the request, denote a parent distinguished data object 40p with fields 401p, 402p, 404p, 405p, and 406p related and containing information as described for corresponding fields in Figure 4, define the required security context value RSCc to be associated with the new data object, define the origin and length of the new data object relative to the parent data object, and denotes a location for the resulting child destiny-gushed data object 40c which has fields 401c, 402c, 404c, 405c, and 406c as described for corresponding fields in Figure 4. Distinguished data object processing unit 335 of Figure 3 fetches parent distinguished data object 40p and extracts from field 401p the value of the data object identifier DOIDp which denotes data object I
in memory 22 of Figure 2 and extracts access right value Asp from field 402p. Using the value DOIDp, processor 355 locates field 404p from within table 332 and field - 405p and 406p from table 333. Processor 335 then con-struts the child distinguished data object 40p by generating a new data object identifier value Diode and placing it in field 401c, taking the value RSCc from the request and placing it in field 40~c, and moving values of current address Cap and length Lo from fields 405p and 406p to fields 405c and 406c. Processor 355 then come pares the value of required security context RSCp associated with the parent distinguished data object with the value R~Cc requested for the child, and modifies par-en access right Asp to obtain child access right Arc, said modification being performed in such a way to guard ante what, if value Asp granted rights authorized by redefined security policy for user entities with secure-try attribute value RSCp, then value Asp will grant rights authorized by redefined security policy for user entities with security attribute value RSCc. Processor 335 then places value Arc in field 402c, place values in other fields associated with the child distinguished data I object, and signals completion. The result is a new disk tinguished data object which denotes the same information as the old, but denotes it using a different data object identifier and grants access to it which may be exercised in a different security context.
Referring to Figure 9, the manner by which a duplicate is made of an original data object is illustrated. A program transmits to secure processor 33 of Figure 3 a request to duplicate a distinguished data object. The request may be encoded in any combination of operation codes, addresses, and fields which denote an S original distinguished data object 400 with fields 4010 and 4020 related and containing information as described for Figure 4, denote a location for the duplicate 40d of original 400, and define a requested access right Art.
Distinguished data object processor 335 of Figure 3 fetches all fields contained within and associated with original 400 and moves all but the value contained in field 4020 to the corresponding fields contained within and associated with duplicate 40d. Processor 335 come pares the requested access right value Art with the value lo Art from field 4020 to insure that Art grants modes and manners of access which are not greater than those granted by Art. If they are not greater, processor 335 places Art in field 402d if they are greater, processor 335 takes appropriate action, such as aborting the operation or placing Art in field 402d. Processor 355 then signals completion. The result it a new destiny-gushed data object which denotes the same information as the original, denotes it using the same data object identifier, grants no greater access, and said access can be exercise from within the same security context.
OPERATION OF THE PREFERRED EMBODIMENT
In the preferred embodiment, distinguished data objects are distinguished from ordinary data objects ho having tag codes associated with the physical media in which, at any given instant, the distinguished data object is stored.. Distinguished data objects may only be acted upon by special apparatus. Distinguished data objects may be included as fields within ordinary data objects, in which case they appear to the apparatus which processes ordinary data objects as forbidden fields.
The apparatus which recognizes and acts upon distinguished data objects is included in the data processing systems aspirate secure processing unit with memory. subject only to the control of the secure processing unit Prior to accessing or manipulating an ordinary data object, a program executing on behalf of a user entity must transfer a distinguished data object to the secure processing unit, whereupon the secure processing unit extracts the current security context of the program and the required security context of that particular distinguished data object from the secure processing unit's memory, and determines whether the security contexts exist in the proper relationship. If and only if the security contexts exist in the proper relationship will the secure processing unit permit the program to access or manipulate the ordinary data object denoted by the distinguished data object in the modes and manners granted by said distinguished data object.
Distinguished data objects are created under three circumstances. In the first circumstance, a pro-gram transmits to the secure processing unit a request that a new ordinary data object be created. The request must include the characteristics ox the ordinary data object to be created, such as for example its size, the manner in which information is encoded in it, and where it should be located in the system files. The request must also include the security attributes of the ordinary data object to be created The secure processing unit places in its memory the characteristics ox the ordinary data object, Alec space in an appropriate physical medium, and creates a new distinguished data object that denotes the new ordinary data object. The secure processing unit associates with the new distinguished data object a required security context equal to the security attributes requested for the ordinary data object and stores that required context in its memory.
The secure processing unit sets the access right filed of the new distinguished data object to grant an initial access right which is guaranteed to be authorized by the redefined security policy. The secure processing unit then transmits the new distinguished data object to the requesting program. In the second circumstance, a pro-gram transmits to the secure processing unit a r&quest that a new distinguished data object be created. The request must include an existing distinguished data object which denotes the same ordinary data object that the new distinguished data object is to denote, and the required security context to be associated with the new distinguished data object. The secure processing unit creates a new distinguished data object which denotes the same ordinary data object as the existing distinguished data object. The secure processing unit associate the requested required security context with the new destiny-gushed data object and stores that context in it memo-rye The secure processing unit sets the new destiny-gushed data object to grant an access right which is guaranteed to be authorized by the redefined security policy for programs whose current security context are equal to the required security context associated with the new distinguished data object. The new distinguished data object is then transmitted to the requesting pro-gram. In the third circumstance, a program transmits a request to the secure processing unit that a destiny-gushed data object be copied. The request must include a distinguished data object which it to be used as an original, and optionally an access right to be placed in the new distinguished data object. The secure processing unit verifies that the requested access right grants a set of modes and manners of access and manipulation which are at most equal to those granted by the access right in the original distinguished data object. Since the access right in the original distinguished data object has been guaranteed to be authorized by the predetermined security policy, a access right which is lesser or equal in the above mentioned sense is also guaranteed to be authorized.
The secure processing unit associates the same required security context with the new distinguished data object as way associated with the old and returns the the new distinguished data object to the requesting program.
- The preferred embodiment achieves security by five techniques used in concert. First, it collects all information into identifiable data objects. Second, it requires that for every operation on a data object the user process uses a distinguished data object which grants a compatible access right to said data object.
Third, it is cognizant at all times of the security attributes of the user entity on whose behalf operations are being performed. Fourth, it restricts the use of distinguished data objects to access data objects by associating with every distinguished data object a set of security attributes which a user entity must possess at the time that distinguished data object is used. Fifth, it associates said security attributes with distinguished data objects at the time said distinguished data objects are created in a manner such that the access right granted by a distinguished data object can only be used to access or manipulate data objects in modes or manners which are authorized by a redefined security policy.
Operation of the first technique is made clear by reference to Figure 6. Information stored in memory 22 of Figure 2 can only be made available to an operation 601 through local address 602. Address 602 selects, by its very nature, a field 611 within a collection of fields, said collection being data object 61. Thus all information which is accessible to an operation must be part of a data object.
operation of the second technique is made clear by reference to Figures 6 and 7. A program accesses or manipulates information in a field by means of an instruction 60 of Figure 6 whose local address 602 selects field 611. In order to perform the computation necessary to select field 611, program working set entry 62 must be fetched. In the course of said fetch, access right yield 622 is encountered and compared for compute-ability with operation 601. Access right field 622 is shown in Figure 7 to be derived from the access right field 402 of distinguished data object 40 whose data object identification number 401 denotes data object 61.
Thus the act I addressing a field unavoidably involves the use of a distinguished data object which grants access to the data object containing that field.
Operation of the third technique is by any appropriate organization of user entity identification apparatus 31 of Figure 3 and the communication between it and current security context register 331. Apparatus 31, in conjunction with terminal 20 of Figure 2, can use any of a variety of means, such as passwords, secure and dedicated telephone lines, callback, cryptographic seals, and others, singly and in combination, in order to deter-mine what set of attributes to place in register 331.
Operation of the fourth technique is made clear by reference to Figure 7. Use of a distinguished data object involves its being fetched by distinguished data object processing unit 335 of Figure 3, and fields being moved from it to the program working set entry 62. Once fetched, data object identifier 401 is available to obtain required security context 404 from required sect-ritzy context table 332 of Figure 3. Current security context is always available to processing unit 335 by its accessing current security context register 331 of Figure 3. Hence the use of a distinguished data object unweaved-ably involves the comparison of required security context with current security context, and hence the enforcement of the restriction that a distinguished data object can be used to grant access only to programs executing on behalf of user entities which user entities currently possess the security attributes to which use of the aforesaid distinguished data object is limited.
Operation of the fifth technique can be invoked in three circumstances. The first circumstance is when a data object is newly created. Operation in this circumstance is made clear by reference to Figure 4. A program trays-mitt to the secure processor 33 of Figure 3 a request to create a new data object 41. This request can be encoded in any combination of operation codes, addresses, and fields that define the characteristics of the ordinary data object 41 such as its length, and gives the required security context to be associated with the distinguished data object 40, which distinguished data object it created at the same time as the ordinary data object to which the distinguished data object will permit access in accordance with the preexisting policy. Distinguished data object processing unit 335 will cause the allocation of space for the new data object 41, initialize that space according to a conventional value, and place a is-tinguished data object 41 in a location specified as an operand. The executing program can subsequently write data into the new object using the distinguished data object 41. The second circumstance occurs when a program transmits a request to the secure processor 33 to create another distinguished data object which permit access to a preexisting ordinary data object, or a portion there-of. This situation was described in conjunction with Figure I. The third circumstance occurs when a program transmit a request to the secure processor 33 to copy a distinguished data object. This circumstance also was described in detail in conjunction with Figure 8.
The mechanisms and techniques of this invention can be embodied in a variety of ways, including, but not limited to, the following two system configurations.
These possible embodiments can be understood with refer-once to Figure 3. In the first embodiment, the functions of the ordinary data object processing unit 32 are per-- formed by a conventional processing unit, such as a microprocessor which provides signals concerning the types of access being requested in a memory access request. The functions of the memory address apparatus 336 are performed by a hardware module positioned between the ordinary data object processing unit 32 and the bus which connects the processor to memory units 22. The program working set table would be contained either within the module performing the functions of the memory address apparatus 336 or in a memory unit easily access-bye from that unit, said memory unit being protected against attempts to access its contents from the ordinary data processor 32. The functions of the distinguished data object processing unit 335 could be implemented in a special hardware module attached to the memory bus or attached by means of a dedicated connection to the memory address apparatus 33~. The memory units 22 would be modified to include tags associated with each addressable entity, and to communicate said tag values along with the contents of the addressable entities on the bus. The memory address apparatus would examine the value of the tag field associated with incoming data and would con-trot the flow of such information so as to guarantee that the ordinary data object processing unit 32 is never sent the contents of any object whose tag value indicates that it it contained within a distinguished data object.
In the second embodiment, the functions of the ordinary data object processing unit 32 are performed by a conventional processor, such as a minicomputer, and the functions of the distinguished data object processing unit 335 are performed by a suitably programmed micro-processor. The memory address apparatus could be implemented as described above for the first embodiment.
It it readily seem by persons experienced in the art of computer systems design that other embodiments are posse-blew including one in which all operations are performed in the same processing unit, with the tag values of the operands serving to limit the functions which can be per-formed on those operands.
It should be clear to one well-versed in the art of computer system design that the present invention, though described above for a processor having a single user terminal can be effectively adapted to create a computer system having a multiplicity of user terminals.
As is known in related art, processors can be switched among programs associated with different users providing that state information regarding a user's program is saved when the program it switched out and reliably restored when the program is switched back in to the pro-censor. Adapting the above technique to the present invention require that the state of a user program include the contents of the current security context fog-issuer 331 of Figure 3 and the contents of the program working set table 334 of Figure 3.
Many changes and modifications in the above-described embodiment of the invention can, of course, be carried out without departing from the scope thereof.
Accordingly, the scope of the invention is to he limited only by the scope of the accompanying claims.
await is claimed is:
Referring to Figure 7, the method by which pro-gram adds a data object to the set upon which it is cur-gently working is illustrated. A program transmits to secure processor 33 of Figure 3 a request to add a data object to said program's working set. The request may be encoded in any combination of operation codes, addresses, and field values which identify the request, denote a distinguished data object Tao of Figure 4 which is con-twined in memory 22 of Figure 2 and which in turn denotes the desired data object I in memory 22,- and identity a program worlcing set entry 62 of Figure 2, which entry is to be used by the program for subsequent reference to I, J Ed 7~3 data object 61. Distinguished data object processor 335 of Figure 3 fetches fields 401 and 402 from memory 22 using the steps described in reference to Figure 6.
Using the data object identification number 401, process son 335 fetches required security context 404 from required security context table 332, and compares required security context 404 with the current security context stored in current security context register 331 of Figure 3, said register 331 being continuously 10 maintained to reflect the current status by user entity identification apparatus 31. If the required and current contexts are not compatible as defined by the redefined security policy, processor 335 prevents any access by the program to data object 61, either by not constructing 15 entry 62 or by constructing an entry 62 containing an access right field 622 which grants no access whatever.
If the required and current contexts are compatible, pro-censor 335 construct entry 62 in the manner shown, by moving field 401 to field 621, field 402 to yield 622, 20 field 405 to field 623, and field 406 to field 624. In the preferred embodiment the move from field 402 to field 622 is a simple copy, in order to maximize the speed of this operation. It is possible, and equivalent, to come pare fields 404 and ~31 at the time of the move, and 25 alter the value of field 622 to guarantee that the access right granted by field 622 it authorized by the redefined security policy.
Referring to Figure 8, the technique by which a distinguished data object it made from an existing disk tinguished data object in a manner that maintains secure-try it illustrated. A program transmits to secure process son 33 of Figure 3 a request to create a new Dayton-gushed data object. The request may be encoded in any combination of operation code, addresses, and fields which identify the request, denote a parent distinguished data object 40p with fields 401p, 402p, 404p, 405p, and 406p related and containing information as described for corresponding fields in Figure 4, define the required security context value RSCc to be associated with the new data object, define the origin and length of the new data object relative to the parent data object, and denotes a location for the resulting child destiny-gushed data object 40c which has fields 401c, 402c, 404c, 405c, and 406c as described for corresponding fields in Figure 4. Distinguished data object processing unit 335 of Figure 3 fetches parent distinguished data object 40p and extracts from field 401p the value of the data object identifier DOIDp which denotes data object I
in memory 22 of Figure 2 and extracts access right value Asp from field 402p. Using the value DOIDp, processor 355 locates field 404p from within table 332 and field - 405p and 406p from table 333. Processor 335 then con-struts the child distinguished data object 40p by generating a new data object identifier value Diode and placing it in field 401c, taking the value RSCc from the request and placing it in field 40~c, and moving values of current address Cap and length Lo from fields 405p and 406p to fields 405c and 406c. Processor 355 then come pares the value of required security context RSCp associated with the parent distinguished data object with the value R~Cc requested for the child, and modifies par-en access right Asp to obtain child access right Arc, said modification being performed in such a way to guard ante what, if value Asp granted rights authorized by redefined security policy for user entities with secure-try attribute value RSCp, then value Asp will grant rights authorized by redefined security policy for user entities with security attribute value RSCc. Processor 335 then places value Arc in field 402c, place values in other fields associated with the child distinguished data I object, and signals completion. The result is a new disk tinguished data object which denotes the same information as the old, but denotes it using a different data object identifier and grants access to it which may be exercised in a different security context.
Referring to Figure 9, the manner by which a duplicate is made of an original data object is illustrated. A program transmits to secure processor 33 of Figure 3 a request to duplicate a distinguished data object. The request may be encoded in any combination of operation codes, addresses, and fields which denote an S original distinguished data object 400 with fields 4010 and 4020 related and containing information as described for Figure 4, denote a location for the duplicate 40d of original 400, and define a requested access right Art.
Distinguished data object processor 335 of Figure 3 fetches all fields contained within and associated with original 400 and moves all but the value contained in field 4020 to the corresponding fields contained within and associated with duplicate 40d. Processor 335 come pares the requested access right value Art with the value lo Art from field 4020 to insure that Art grants modes and manners of access which are not greater than those granted by Art. If they are not greater, processor 335 places Art in field 402d if they are greater, processor 335 takes appropriate action, such as aborting the operation or placing Art in field 402d. Processor 355 then signals completion. The result it a new destiny-gushed data object which denotes the same information as the original, denotes it using the same data object identifier, grants no greater access, and said access can be exercise from within the same security context.
OPERATION OF THE PREFERRED EMBODIMENT
In the preferred embodiment, distinguished data objects are distinguished from ordinary data objects ho having tag codes associated with the physical media in which, at any given instant, the distinguished data object is stored.. Distinguished data objects may only be acted upon by special apparatus. Distinguished data objects may be included as fields within ordinary data objects, in which case they appear to the apparatus which processes ordinary data objects as forbidden fields.
The apparatus which recognizes and acts upon distinguished data objects is included in the data processing systems aspirate secure processing unit with memory. subject only to the control of the secure processing unit Prior to accessing or manipulating an ordinary data object, a program executing on behalf of a user entity must transfer a distinguished data object to the secure processing unit, whereupon the secure processing unit extracts the current security context of the program and the required security context of that particular distinguished data object from the secure processing unit's memory, and determines whether the security contexts exist in the proper relationship. If and only if the security contexts exist in the proper relationship will the secure processing unit permit the program to access or manipulate the ordinary data object denoted by the distinguished data object in the modes and manners granted by said distinguished data object.
Distinguished data objects are created under three circumstances. In the first circumstance, a pro-gram transmits to the secure processing unit a request that a new ordinary data object be created. The request must include the characteristics ox the ordinary data object to be created, such as for example its size, the manner in which information is encoded in it, and where it should be located in the system files. The request must also include the security attributes of the ordinary data object to be created The secure processing unit places in its memory the characteristics ox the ordinary data object, Alec space in an appropriate physical medium, and creates a new distinguished data object that denotes the new ordinary data object. The secure processing unit associates with the new distinguished data object a required security context equal to the security attributes requested for the ordinary data object and stores that required context in its memory.
The secure processing unit sets the access right filed of the new distinguished data object to grant an initial access right which is guaranteed to be authorized by the redefined security policy. The secure processing unit then transmits the new distinguished data object to the requesting program. In the second circumstance, a pro-gram transmits to the secure processing unit a r&quest that a new distinguished data object be created. The request must include an existing distinguished data object which denotes the same ordinary data object that the new distinguished data object is to denote, and the required security context to be associated with the new distinguished data object. The secure processing unit creates a new distinguished data object which denotes the same ordinary data object as the existing distinguished data object. The secure processing unit associate the requested required security context with the new destiny-gushed data object and stores that context in it memo-rye The secure processing unit sets the new destiny-gushed data object to grant an access right which is guaranteed to be authorized by the redefined security policy for programs whose current security context are equal to the required security context associated with the new distinguished data object. The new distinguished data object is then transmitted to the requesting pro-gram. In the third circumstance, a program transmits a request to the secure processing unit that a destiny-gushed data object be copied. The request must include a distinguished data object which it to be used as an original, and optionally an access right to be placed in the new distinguished data object. The secure processing unit verifies that the requested access right grants a set of modes and manners of access and manipulation which are at most equal to those granted by the access right in the original distinguished data object. Since the access right in the original distinguished data object has been guaranteed to be authorized by the predetermined security policy, a access right which is lesser or equal in the above mentioned sense is also guaranteed to be authorized.
The secure processing unit associates the same required security context with the new distinguished data object as way associated with the old and returns the the new distinguished data object to the requesting program.
- The preferred embodiment achieves security by five techniques used in concert. First, it collects all information into identifiable data objects. Second, it requires that for every operation on a data object the user process uses a distinguished data object which grants a compatible access right to said data object.
Third, it is cognizant at all times of the security attributes of the user entity on whose behalf operations are being performed. Fourth, it restricts the use of distinguished data objects to access data objects by associating with every distinguished data object a set of security attributes which a user entity must possess at the time that distinguished data object is used. Fifth, it associates said security attributes with distinguished data objects at the time said distinguished data objects are created in a manner such that the access right granted by a distinguished data object can only be used to access or manipulate data objects in modes or manners which are authorized by a redefined security policy.
Operation of the first technique is made clear by reference to Figure 6. Information stored in memory 22 of Figure 2 can only be made available to an operation 601 through local address 602. Address 602 selects, by its very nature, a field 611 within a collection of fields, said collection being data object 61. Thus all information which is accessible to an operation must be part of a data object.
operation of the second technique is made clear by reference to Figures 6 and 7. A program accesses or manipulates information in a field by means of an instruction 60 of Figure 6 whose local address 602 selects field 611. In order to perform the computation necessary to select field 611, program working set entry 62 must be fetched. In the course of said fetch, access right yield 622 is encountered and compared for compute-ability with operation 601. Access right field 622 is shown in Figure 7 to be derived from the access right field 402 of distinguished data object 40 whose data object identification number 401 denotes data object 61.
Thus the act I addressing a field unavoidably involves the use of a distinguished data object which grants access to the data object containing that field.
Operation of the third technique is by any appropriate organization of user entity identification apparatus 31 of Figure 3 and the communication between it and current security context register 331. Apparatus 31, in conjunction with terminal 20 of Figure 2, can use any of a variety of means, such as passwords, secure and dedicated telephone lines, callback, cryptographic seals, and others, singly and in combination, in order to deter-mine what set of attributes to place in register 331.
Operation of the fourth technique is made clear by reference to Figure 7. Use of a distinguished data object involves its being fetched by distinguished data object processing unit 335 of Figure 3, and fields being moved from it to the program working set entry 62. Once fetched, data object identifier 401 is available to obtain required security context 404 from required sect-ritzy context table 332 of Figure 3. Current security context is always available to processing unit 335 by its accessing current security context register 331 of Figure 3. Hence the use of a distinguished data object unweaved-ably involves the comparison of required security context with current security context, and hence the enforcement of the restriction that a distinguished data object can be used to grant access only to programs executing on behalf of user entities which user entities currently possess the security attributes to which use of the aforesaid distinguished data object is limited.
Operation of the fifth technique can be invoked in three circumstances. The first circumstance is when a data object is newly created. Operation in this circumstance is made clear by reference to Figure 4. A program trays-mitt to the secure processor 33 of Figure 3 a request to create a new data object 41. This request can be encoded in any combination of operation codes, addresses, and fields that define the characteristics of the ordinary data object 41 such as its length, and gives the required security context to be associated with the distinguished data object 40, which distinguished data object it created at the same time as the ordinary data object to which the distinguished data object will permit access in accordance with the preexisting policy. Distinguished data object processing unit 335 will cause the allocation of space for the new data object 41, initialize that space according to a conventional value, and place a is-tinguished data object 41 in a location specified as an operand. The executing program can subsequently write data into the new object using the distinguished data object 41. The second circumstance occurs when a program transmits a request to the secure processor 33 to create another distinguished data object which permit access to a preexisting ordinary data object, or a portion there-of. This situation was described in conjunction with Figure I. The third circumstance occurs when a program transmit a request to the secure processor 33 to copy a distinguished data object. This circumstance also was described in detail in conjunction with Figure 8.
The mechanisms and techniques of this invention can be embodied in a variety of ways, including, but not limited to, the following two system configurations.
These possible embodiments can be understood with refer-once to Figure 3. In the first embodiment, the functions of the ordinary data object processing unit 32 are per-- formed by a conventional processing unit, such as a microprocessor which provides signals concerning the types of access being requested in a memory access request. The functions of the memory address apparatus 336 are performed by a hardware module positioned between the ordinary data object processing unit 32 and the bus which connects the processor to memory units 22. The program working set table would be contained either within the module performing the functions of the memory address apparatus 336 or in a memory unit easily access-bye from that unit, said memory unit being protected against attempts to access its contents from the ordinary data processor 32. The functions of the distinguished data object processing unit 335 could be implemented in a special hardware module attached to the memory bus or attached by means of a dedicated connection to the memory address apparatus 33~. The memory units 22 would be modified to include tags associated with each addressable entity, and to communicate said tag values along with the contents of the addressable entities on the bus. The memory address apparatus would examine the value of the tag field associated with incoming data and would con-trot the flow of such information so as to guarantee that the ordinary data object processing unit 32 is never sent the contents of any object whose tag value indicates that it it contained within a distinguished data object.
In the second embodiment, the functions of the ordinary data object processing unit 32 are performed by a conventional processor, such as a minicomputer, and the functions of the distinguished data object processing unit 335 are performed by a suitably programmed micro-processor. The memory address apparatus could be implemented as described above for the first embodiment.
It it readily seem by persons experienced in the art of computer systems design that other embodiments are posse-blew including one in which all operations are performed in the same processing unit, with the tag values of the operands serving to limit the functions which can be per-formed on those operands.
It should be clear to one well-versed in the art of computer system design that the present invention, though described above for a processor having a single user terminal can be effectively adapted to create a computer system having a multiplicity of user terminals.
As is known in related art, processors can be switched among programs associated with different users providing that state information regarding a user's program is saved when the program it switched out and reliably restored when the program is switched back in to the pro-censor. Adapting the above technique to the present invention require that the state of a user program include the contents of the current security context fog-issuer 331 of Figure 3 and the contents of the program working set table 334 of Figure 3.
Many changes and modifications in the above-described embodiment of the invention can, of course, be carried out without departing from the scope thereof.
Accordingly, the scope of the invention is to he limited only by the scope of the accompanying claims.
await is claimed is:
Claims (24)
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A data processing system having protected system files, said data processing system comprising:
memory means for storing logic signal groups;
processing means for manipulating logic signal groups in said memory means in accordance with instruction signal groups;
interaction means for permitting a user to enter instruction signal groups for said processing means;
identification means coupled to said interaction means for relating preselected attributes with said user;
address means coupled to said interaction means for retriev-ing a logic signal group associated with an instruction signal group, said address means also for associating preestablished attributes with said associated logic signal group; and comparison means coupled to said address means and to said identification means for comparing said preselected attributes with said preestablished attributes, said comparison means pre-venting said associated logic signal group from being manipulated by said processing means unless said preselected and said pre-established attributes have a predeterming relationship.
memory means for storing logic signal groups;
processing means for manipulating logic signal groups in said memory means in accordance with instruction signal groups;
interaction means for permitting a user to enter instruction signal groups for said processing means;
identification means coupled to said interaction means for relating preselected attributes with said user;
address means coupled to said interaction means for retriev-ing a logic signal group associated with an instruction signal group, said address means also for associating preestablished attributes with said associated logic signal group; and comparison means coupled to said address means and to said identification means for comparing said preselected attributes with said preestablished attributes, said comparison means pre-venting said associated logic signal group from being manipulated by said processing means unless said preselected and said pre-established attributes have a predeterming relationship.
2. The data processing system of Claim 1 wherein said pre-selected attributes define access rights of said user, and pre-established attributes define access rights needed to manipulate one of said protected system files.
3. The data processing system of Claim 1 wherein first data groups and other data groups stored in said memory means of said data processing system can be intermingled in physical locations of said memory means.
4. The data processing system of Claim 1 wherein said preselected attributes are stored in a portion of said data processing system that can be altered only by a director entity of said data processing system and can be retrieved only by said comparison means.
5. The data processing system of Claim 1 wherein said comparison means operates in response to a table defining all relationships between said preselected attributes and said pre-established attributes, said relationship table capable of being changed only by a director entity for said data processing sys-tem.
6. The data processing system of Claim 1 wherein said comparison means operates independently of any user.
7. A data processing system for creating a protected sys-tem file in response to a selected user instruction signal group, said data processing system comprising:
memory means for storing logic signal groups;
processing means for manipulating logic signal groups from said memory means in accordance with instruction signal groups;
interaction means for permitting a user to interact with said data processing unit;
first identification means coupled to said interaction means for identifying attributes associated with said user applying said selected user instruction signal group to said data proces-sing system;
second identification means coupled to said interaction means for identifying attributes associated with logic signal groups to be included in said protected system file;
comparison means for comparing said user attributes and said logic signal group attributes, said comparison means creating a file associated with said protected system file for controlling future use of said protected system file, said comparison means using said created file to determine when said user attributes and said protected file systems have a predefined relationship.
memory means for storing logic signal groups;
processing means for manipulating logic signal groups from said memory means in accordance with instruction signal groups;
interaction means for permitting a user to interact with said data processing unit;
first identification means coupled to said interaction means for identifying attributes associated with said user applying said selected user instruction signal group to said data proces-sing system;
second identification means coupled to said interaction means for identifying attributes associated with logic signal groups to be included in said protected system file;
comparison means for comparing said user attributes and said logic signal group attributes, said comparison means creating a file associated with said protected system file for controlling future use of said protected system file, said comparison means using said created file to determine when said user attributes and said protected file systems have a predefined relationship.
8. The data processing system for creating a protected sys-tem file of claim 7 further comprising third identification means coupled to said comparison means for identifying attributes of a pre-existing protected system file to be incorporated into said protected system file, wherein said comparison means compares said user attributes, said protected system file attributes, and said pre-existing protected file attributes, said comparison means permitting creation of said protected system file when said attrib-utes have a predetermined relationship.
9. Apparatus for transferring protected system files from a first data processing system to a second data processing system, wherein said first and said second data processing systems have secure processing portions unavailable to control by a remainder of said data processing system for controlling manipulation of said protected system files, said apparatus comprising:
means for storing said protected system files and intermediate logic signal groups associated with each of said protected system files, said intermediate signal groups capable of being processed only by said secure processing portion, said intermediate logic signal groups including attributes associated with said associated protected system files, and an address of said associated pro-tected system file, said logic signal groups further including field indicative of intermediate logic signal groups and an identifier field indicative of availability of said protected system files to manipulation by users of said data processing systems;
means for encrypting said intermediate logic signal groups at said first data processing system;
means for decrypting said intermediate logic signal groups at said second data processing unit; and means for identifying said indicative field in said second data processing system, wherein said intermediate logic signal groups transferred to said second data processing system can be processed only by said secure processing portion.
means for storing said protected system files and intermediate logic signal groups associated with each of said protected system files, said intermediate signal groups capable of being processed only by said secure processing portion, said intermediate logic signal groups including attributes associated with said associated protected system files, and an address of said associated pro-tected system file, said logic signal groups further including field indicative of intermediate logic signal groups and an identifier field indicative of availability of said protected system files to manipulation by users of said data processing systems;
means for encrypting said intermediate logic signal groups at said first data processing system;
means for decrypting said intermediate logic signal groups at said second data processing unit; and means for identifying said indicative field in said second data processing system, wherein said intermediate logic signal groups transferred to said second data processing system can be processed only by said secure processing portion.
10. A data processing system for providing protected system files comprising:
memory means for storing data objects and distinguished data objects;
interaction means for permitting a user entity to interact with said data processing system; user entity identification means coupled to said interaction means for identifying user en-tities interacting with said data processing system;
data object processing unit coupled to said interaction means and to said memory means for manipulating said data objects; and secure processing means operating automatically in response to signals from a remainder of said data processing unit, said secure processor unit comprising:
a current security context register coupled to user entity identification means for identifying attributes associated with said user entities;
security context table for specifying relationships between said user entity attributes and attributes of said protected sys-tem file, wherein said protected system files include data objects;
data object characteristics table for specifying a memory address and other characteristics of said protected system file data objects;
a distinguished data object processing unit and associated program working set table for determining addresses of data ob-jects currently under program execution, said distinguished data object processing unit also determining when said user entity attributes and said system file attributes have a predetermined relationship; and a memory address apparatus coupled to said distinguished data object processing unit for transferring data objects and distinguished data objects between said memory and said data processing system, said memory address apparatus including rec-ognition apparatus for identifying said distinguished data ob-jects, said memory address apparatus transferring data objects to said data object processing unit when said predetermined re-lationship is present.
memory means for storing data objects and distinguished data objects;
interaction means for permitting a user entity to interact with said data processing system; user entity identification means coupled to said interaction means for identifying user en-tities interacting with said data processing system;
data object processing unit coupled to said interaction means and to said memory means for manipulating said data objects; and secure processing means operating automatically in response to signals from a remainder of said data processing unit, said secure processor unit comprising:
a current security context register coupled to user entity identification means for identifying attributes associated with said user entities;
security context table for specifying relationships between said user entity attributes and attributes of said protected sys-tem file, wherein said protected system files include data objects;
data object characteristics table for specifying a memory address and other characteristics of said protected system file data objects;
a distinguished data object processing unit and associated program working set table for determining addresses of data ob-jects currently under program execution, said distinguished data object processing unit also determining when said user entity attributes and said system file attributes have a predetermined relationship; and a memory address apparatus coupled to said distinguished data object processing unit for transferring data objects and distinguished data objects between said memory and said data processing system, said memory address apparatus including rec-ognition apparatus for identifying said distinguished data ob-jects, said memory address apparatus transferring data objects to said data object processing unit when said predetermined re-lationship is present.
11. A data processing system with protected system files, said data processing system comprising:
a memory unit for storing data objects and security data objects;
data object processing means for processing said data ob-jects stored in said memory unit;
user input means for identifying attributes of a user enter-ing instructions in said data processing system;
system file identification means coupled to said user input means for identifying a data object identification field related to a system file requested by a user instruction, said system file associated with data objects;
retrieving means coupled to said system file identification means and responsive to said data object identification field for retrieving a security data object from said memory unit, said security data object containing attributes and memory unit add-ress of said instruction system file;
security context table for defining relationships between attributes of a user and attributes associated with said system file; and processor means coupled to said security context table and to said retrieving means for comparing said user attributes and system file attributes in accordance with said security context table, said processor means permitting said data object proces-sing means to execute said instruction when said comparison has a first value.
a memory unit for storing data objects and security data objects;
data object processing means for processing said data ob-jects stored in said memory unit;
user input means for identifying attributes of a user enter-ing instructions in said data processing system;
system file identification means coupled to said user input means for identifying a data object identification field related to a system file requested by a user instruction, said system file associated with data objects;
retrieving means coupled to said system file identification means and responsive to said data object identification field for retrieving a security data object from said memory unit, said security data object containing attributes and memory unit add-ress of said instruction system file;
security context table for defining relationships between attributes of a user and attributes associated with said system file; and processor means coupled to said security context table and to said retrieving means for comparing said user attributes and system file attributes in accordance with said security context table, said processor means permitting said data object proces-sing means to execute said instruction when said comparison has a first value.
12. The data processing system of Claim 11 further includ-ing a data object identification field table for storing at least a portion of said retrieved security object, wherein said system file attributes are associated with said data object iden-tification field.
13. A data processing system for creation of protected sys-tem files, said data processing system comprising:
processing means responsive to user entity instructions for manipulating system file in accordance with said user instructions;
input means responsive to an instruction requesting creation of a protected system file for determing desired activity para-meters of said requested protected system file;
identification means for determining an identification of a user entity providing said instruction requesting creation of said protected system file;
user entity parameter table coupled to said identification means for providing data signals representing activity parameters associated with said user entity, said user entity parameter table unavailable to control by said data processing system; and secure processing means for comparing said desired system file activity parameters and said user entity activity parameters, said processor means permitting creation of said protected system file when said user entity and said system file activity has a predetermined context relationship, said secure processing means storing a security file in a data processing system memory having protected system file activity parameters, said secure processing means providing an entry in a table with an address of said stored security file.
processing means responsive to user entity instructions for manipulating system file in accordance with said user instructions;
input means responsive to an instruction requesting creation of a protected system file for determing desired activity para-meters of said requested protected system file;
identification means for determining an identification of a user entity providing said instruction requesting creation of said protected system file;
user entity parameter table coupled to said identification means for providing data signals representing activity parameters associated with said user entity, said user entity parameter table unavailable to control by said data processing system; and secure processing means for comparing said desired system file activity parameters and said user entity activity parameters, said processor means permitting creation of said protected system file when said user entity and said system file activity has a predetermined context relationship, said secure processing means storing a security file in a data processing system memory having protected system file activity parameters, said secure processing means providing an entry in a table with an address of said stored security file.
14. The data processing system of Claim 13 further includ-ing a context table coupled to secure processing means and un-available to control of said data processing system, said context table including data defining permitted and unpermitted activity relationships between said user entity and said protected system files and determines said predetermined context relationship.
15. The data processing system of Claim 13 wherein said requested protected system file includes data from an existing protected system file; said data processor system further includ-ing a table storing activity parameters of protected system files;
said activity parameter table unavailable to control by said pro-cessing means, said secure processing means comparing said exist-ing system file activity parameters and said user entity activity parameters with said desired activity parameters; said requested protected system file being created when said activity parameters have said predetermined context relationship.
said activity parameter table unavailable to control by said pro-cessing means, said secure processing means comparing said exist-ing system file activity parameters and said user entity activity parameters with said desired activity parameters; said requested protected system file being created when said activity parameters have said predetermined context relationship.
16. The data processing system of Claim 15 further including a context table coupled to said secure processing means and un-available to control of said data processing system, said con-text table including data defining permitted and unpermitted act-ivity relationships between said user entity and said protected system files.
17. The data processing unit of Claim 13 wherein said se-cure processing means implements said comparing operation inde-pendent of control of a remainder of said data processing system.
18. The data processing system of Claim 17 wherein said requested protected system file includes at least portions from an existing protected system file; said data processing system further including a table unavailable to control by said proces-sing means for storing activity parameters of protected system files; said secure processing means comparing said existing sys-tem file activity parameters and said user entity activity par-ameters with said desired protected system file parameters, said requested protected system file being created when said activity parameters have said predetermined context relationship.
19. The data processing system of Claim 18 further includ-ing a context table coupled to said secure processing unit and unavailable to control of said data processing system, said con-text table including data defining permitted and unpermitted act-ivity relationships between said user entity and said protected system files.
20. A data processing system having protected system files, said data processing system comprising:
a memory unit for storing ordinary data objects and special data objects, wherein a system file has at least one identifying data group associated therewith, said special data objects including an identifying data group, said special data object further including address groups for identifying ordinary data groups associated with said protected system file;
processing means for processing ordinary data groups in response to instructions by a user entity;
input unit for identifying said user entity applying instructions to said data processing system;
user entity parameter table coupled to said input unit for defining parameters associated with said user entity;
activity parameter table for defining parameters asso-ciated with said identifying data groups;
context table for defining permitted relationships :
between said user entity parameters and said activity parameters;
and secure processing means for providing an identifying data group for a protected system file requested by a user entity, said secure processing means permitting execution of an instruc-tion from a user entity when said secure processing means deter-mines that said user entity parameters and said activity para-meters have a permitted relationship as defined by said context table.
a memory unit for storing ordinary data objects and special data objects, wherein a system file has at least one identifying data group associated therewith, said special data objects including an identifying data group, said special data object further including address groups for identifying ordinary data groups associated with said protected system file;
processing means for processing ordinary data groups in response to instructions by a user entity;
input unit for identifying said user entity applying instructions to said data processing system;
user entity parameter table coupled to said input unit for defining parameters associated with said user entity;
activity parameter table for defining parameters asso-ciated with said identifying data groups;
context table for defining permitted relationships :
between said user entity parameters and said activity parameters;
and secure processing means for providing an identifying data group for a protected system file requested by a user entity, said secure processing means permitting execution of an instruc-tion from a user entity when said secure processing means deter-mines that said user entity parameters and said activity para-meters have a permitted relationship as defined by said context table.
21. The data processing system of Claim 20 wherein instruc-tion execution is permitted by permitting retrieval of an ordi-nary data object specified by said associated special data object.
22. The data processing system of Claim 20 wherein said user entity parameter table, said activity parameter table, said context table, and said secure processor means are isolated from control of said user entity.
23. The data processing system of Claim 22 wherein instruc-tion execution is permitted by permitting retrieval of an ordin-ary data object specified by said associated special data object.
24. The method of providing for the security of logic signal groups against unauthorized access in a data processing system comprising the steps of:
collecting all logic signal groups into identifiable logic signal units;
associating with each of said identifiable logic signal units a distinguished logic signal unit, wherein said distingui-shed logic signal unit defines access rights required to access said associated identifiable logic signal unit;
associating with each user of said data processing system access rights;
comparing said access rights required to access a selec-ted identifiable logic signal unit with access rights of a user requesting access to said selected identifiable logic signal unit; and creating said access rights required to access an iden-tifiable logic signal unit in said associated distinguished logic signal group when said distinguished logic signal unit is formed, said access rights selected to implement a predefined policy for security of said identifiable logic signal group.
collecting all logic signal groups into identifiable logic signal units;
associating with each of said identifiable logic signal units a distinguished logic signal unit, wherein said distingui-shed logic signal unit defines access rights required to access said associated identifiable logic signal unit;
associating with each user of said data processing system access rights;
comparing said access rights required to access a selec-ted identifiable logic signal unit with access rights of a user requesting access to said selected identifiable logic signal unit; and creating said access rights required to access an iden-tifiable logic signal unit in said associated distinguished logic signal group when said distinguished logic signal unit is formed, said access rights selected to implement a predefined policy for security of said identifiable logic signal group.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US06/580,910 US4621321A (en) | 1984-02-16 | 1984-02-16 | Secure data processing system architecture |
| US580,910 | 1984-02-16 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA1227885A true CA1227885A (en) | 1987-10-06 |
Family
ID=24323097
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA000473843A Expired CA1227885A (en) | 1984-02-16 | 1985-02-08 | Secure data processing system architecture |
Country Status (7)
| Country | Link |
|---|---|
| US (2) | US4621321A (en) |
| EP (1) | EP0152900B1 (en) |
| JP (1) | JPS60189554A (en) |
| KR (1) | KR920005231B1 (en) |
| CA (1) | CA1227885A (en) |
| DE (1) | DE3586912T2 (en) |
| IL (1) | IL74315A (en) |
Families Citing this family (141)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4862410A (en) * | 1985-01-31 | 1989-08-29 | Canon Kabushiki Kaisha | Word processor permitting modification or addition of data in response to particular indentation of data |
| US4713753A (en) * | 1985-02-21 | 1987-12-15 | Honeywell Inc. | Secure data processing system architecture with format control |
| AT390148B (en) * | 1985-08-22 | 1990-03-26 | Novomatic Automatenindustrie U | ARRANGEMENT FOR DECRYLING COMMANDS |
| US4714992A (en) * | 1985-11-26 | 1987-12-22 | International Business Machines Corporation | Communication for version management in a distributed information service |
| GB2188758A (en) * | 1986-04-04 | 1987-10-07 | Philip Hall Bertenshaw | Secure data transmission system |
| US5109413A (en) * | 1986-11-05 | 1992-04-28 | International Business Machines Corporation | Manipulating rights-to-execute in connection with a software copy protection mechanism |
| US4916738A (en) * | 1986-11-05 | 1990-04-10 | International Business Machines Corp. | Remote access terminal security |
| US5146575A (en) * | 1986-11-05 | 1992-09-08 | International Business Machines Corp. | Implementing privilege on microprocessor systems for use in software asset protection |
| US4817140A (en) * | 1986-11-05 | 1989-03-28 | International Business Machines Corp. | Software protection system using a single-key cryptosystem, a hardware-based authorization system and a secure coprocessor |
| US5202971A (en) * | 1987-02-13 | 1993-04-13 | International Business Machines Corporation | System for file and record locking between nodes in a distributed data processing environment maintaining one copy of each file lock |
| CA1331802C (en) * | 1987-08-21 | 1994-08-30 | Klaus Kuhlmann | Modularly structured digital communications system having operations-oriented and security-oriented components |
| US5140684A (en) * | 1987-09-30 | 1992-08-18 | Mitsubishi Denki Kabushiki Kaisha | Access privilege-checking apparatus and method |
| NZ226733A (en) * | 1987-12-21 | 1990-05-28 | Honeywell Bull | Coupling incompatible cpu to data processing system |
| NL8801275A (en) * | 1988-05-18 | 1989-12-18 | Philips Nv | RECORDING SYSTEM AND REGISTRATION CARRIER AND WRITING DEVICE FOR APPLICATION IN THE SYSTEM. |
| US4885789A (en) * | 1988-02-01 | 1989-12-05 | International Business Machines Corporation | Remote trusted path mechanism for telnet |
| US4993030A (en) * | 1988-04-22 | 1991-02-12 | Amdahl Corporation | File system for a plurality of storage classes |
| AU3594189A (en) * | 1988-06-21 | 1990-01-04 | Amdahl Corporation | Controlling the initiation of logical systems in a data processing system with logical processor facility |
| US5235681A (en) * | 1988-06-22 | 1993-08-10 | Hitachi, Ltd. | Image filing system for protecting partial regions of image data of a document |
| AU4622289A (en) * | 1988-11-04 | 1990-05-28 | Lama Systems Inc. | Personal computer access control system |
| US5265221A (en) * | 1989-03-20 | 1993-11-23 | Tandem Computers | Access restriction facility method and apparatus |
| EP0398645B1 (en) * | 1989-05-15 | 1997-08-06 | International Business Machines Corporation | System for controlling access privileges |
| US5113519A (en) * | 1989-05-15 | 1992-05-12 | International Business Machines Corporation | Maintenance of file attributes in a distributed data processing system |
| US5129084A (en) * | 1989-06-29 | 1992-07-07 | Digital Equipment Corporation | Object container transfer system and method in an object based computer operating system |
| US5187790A (en) * | 1989-06-29 | 1993-02-16 | Digital Equipment Corporation | Server impersonation of client processes in an object based computer operating system |
| US5057996A (en) * | 1989-06-29 | 1991-10-15 | Digital Equipment Corporation | Waitable object creation system and method in an object based computer operating system |
| US5297283A (en) * | 1989-06-29 | 1994-03-22 | Digital Equipment Corporation | Object transferring system and method in an object based computer operating system |
| US5129083A (en) * | 1989-06-29 | 1992-07-07 | Digital Equipment Corporation | Conditional object creating system having different object pointers for accessing a set of data structure objects |
| US5136712A (en) * | 1989-06-29 | 1992-08-04 | Digital Equipment Corporation | Temporary object handling system and method in an object based computer operating system |
| JPH0388052A (en) * | 1989-08-31 | 1991-04-12 | Toshiba Corp | Secrecy protection processing system |
| US5075848A (en) * | 1989-12-22 | 1991-12-24 | Intel Corporation | Object lifetime control in an object-oriented memory protection mechanism |
| GB9003112D0 (en) * | 1990-02-12 | 1990-04-11 | Int Computers Ltd | Access control mechanism |
| US6507909B1 (en) * | 1990-02-13 | 2003-01-14 | Compaq Information Technologies Group, L.P. | Method for executing trusted-path commands |
| US5574912A (en) * | 1990-05-04 | 1996-11-12 | Digital Equipment Corporation | Lattice scheduler method for reducing the impact of covert-channel countermeasures |
| US5265206A (en) * | 1990-10-23 | 1993-11-23 | International Business Machines Corporation | System and method for implementing a messenger and object manager in an object oriented programming environment |
| US5291593A (en) * | 1990-10-24 | 1994-03-01 | International Business Machines Corp. | System for persistent and delayed allocation object reference in an object oriented environment |
| US5475833A (en) * | 1991-09-04 | 1995-12-12 | International Business Machines Corporation | Database system for facilitating comparison of related information stored in a distributed resource |
| US5627967A (en) * | 1991-09-24 | 1997-05-06 | International Business Machines Corporation | Automated generation on file access control system commands in a data processing system with front end processing of a master list |
| US5301231A (en) * | 1992-02-12 | 1994-04-05 | International Business Machines Corporation | User defined function facility |
| US5596718A (en) * | 1992-07-10 | 1997-01-21 | Secure Computing Corporation | Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor |
| US5428795A (en) * | 1992-07-31 | 1995-06-27 | International Business Machines Corporation | Method of and apparatus for providing automatic security control of distributions within a data processing system |
| DE69403367T2 (en) * | 1993-03-09 | 1997-10-09 | Toshiba Kawasaki Kk | Method and device for traversing objects which are suitable for a structured memory made of connected objects |
| US5521323A (en) * | 1993-05-21 | 1996-05-28 | Coda Music Technologies, Inc. | Real-time performance score matching |
| US5585585A (en) * | 1993-05-21 | 1996-12-17 | Coda Music Technology, Inc. | Automated accompaniment apparatus and method |
| US5572711A (en) * | 1993-09-28 | 1996-11-05 | Bull Hn Information Systems Inc. | Mechanism for linking together the files of emulated and host system for access by emulated system users |
| US5720033A (en) * | 1994-06-30 | 1998-02-17 | Lucent Technologies Inc. | Security platform and method using object oriented rules for computer-based systems using UNIX-line operating systems |
| US5864683A (en) | 1994-10-12 | 1999-01-26 | Secure Computing Corporartion | System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights |
| US6963859B2 (en) | 1994-11-23 | 2005-11-08 | Contentguard Holdings, Inc. | Content rendering repository |
| JPH08263438A (en) | 1994-11-23 | 1996-10-11 | Xerox Corp | Distribution and use control system of digital work and access control method to digital work |
| KR100268693B1 (en) * | 1995-02-08 | 2000-10-16 | 이리마지리 쇼우이치로 | Information processor having security check function |
| US7133846B1 (en) | 1995-02-13 | 2006-11-07 | Intertrust Technologies Corp. | Digital certificate support system, methods and techniques for secure electronic commerce transaction and rights management |
| US6658568B1 (en) | 1995-02-13 | 2003-12-02 | Intertrust Technologies Corporation | Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management |
| US5689705A (en) * | 1995-02-13 | 1997-11-18 | Pulte Home Corporation | System for facilitating home construction and sales |
| US5943422A (en) | 1996-08-12 | 1999-08-24 | Intertrust Technologies Corp. | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
| WO1996027155A2 (en) | 1995-02-13 | 1996-09-06 | Electronic Publishing Resources, Inc. | Systems and methods for secure transaction management and electronic rights protection |
| US6948070B1 (en) | 1995-02-13 | 2005-09-20 | Intertrust Technologies Corporation | Systems and methods for secure transaction management and electronic rights protection |
| US6157721A (en) | 1996-08-12 | 2000-12-05 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
| US5892900A (en) | 1996-08-30 | 1999-04-06 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
| US5819275A (en) * | 1995-06-07 | 1998-10-06 | Trusted Information Systems, Inc. | System and method for superimposing attributes on hierarchically organized file systems |
| GB2301912A (en) * | 1995-06-09 | 1996-12-18 | Ibm | Security for computer system resources |
| US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
| US5899987A (en) * | 1995-10-03 | 1999-05-04 | Memco Software Ltd. | Apparatus for and method of providing user exits on an operating system platform |
| US5867647A (en) * | 1996-02-09 | 1999-02-02 | Secure Computing Corporation | System and method for securing compiled program code |
| US5913024A (en) | 1996-02-09 | 1999-06-15 | Secure Computing Corporation | Secure server utilizing separate protocol stacks |
| US5918018A (en) * | 1996-02-09 | 1999-06-29 | Secure Computing Corporation | System and method for achieving network separation |
| US5826010A (en) * | 1996-02-12 | 1998-10-20 | Banyan Systems, Inc. | Predefined access rights for undefined attributes in a naming service |
| US5883956A (en) * | 1996-03-28 | 1999-03-16 | National Semiconductor Corporation | Dynamic configuration of a secure processing unit for operations in various environments |
| US5693903A (en) * | 1996-04-04 | 1997-12-02 | Coda Music Technology, Inc. | Apparatus and method for analyzing vocal audio data to provide accompaniment to a vocalist |
| US6003084A (en) * | 1996-09-13 | 1999-12-14 | Secure Computing Corporation | Secure network proxy for connecting entities |
| US5950195A (en) * | 1996-09-18 | 1999-09-07 | Secure Computing Corporation | Generalized security policy management system and method |
| US6144934A (en) * | 1996-09-18 | 2000-11-07 | Secure Computing Corporation | Binary filter using pattern recognition |
| US5983350A (en) * | 1996-09-18 | 1999-11-09 | Secure Computing Corporation | Secure firewall supporting different levels of authentication based on address or encryption status |
| US6072942A (en) * | 1996-09-18 | 2000-06-06 | Secure Computing Corporation | System and method of electronic mail filtering using interconnected nodes |
| US5952597A (en) * | 1996-10-25 | 1999-09-14 | Timewarp Technologies, Ltd. | Method and apparatus for real-time correlation of a performance to a musical score |
| US5915087A (en) * | 1996-12-12 | 1999-06-22 | Secure Computing Corporation | Transparent security proxy for unreliable message exchange protocols |
| EP0951767A2 (en) | 1997-01-03 | 1999-10-27 | Fortress Technologies, Inc. | Improved network security device |
| US5968133A (en) * | 1997-01-10 | 1999-10-19 | Secure Computing Corporation | Enhanced security network time synchronization device and method |
| US6105132A (en) * | 1997-02-20 | 2000-08-15 | Novell, Inc. | Computer network graded authentication system and method |
| US6233684B1 (en) | 1997-02-28 | 2001-05-15 | Contenaguard Holdings, Inc. | System for controlling the distribution and use of rendered digital works through watermaking |
| US6609100B2 (en) | 1997-03-07 | 2003-08-19 | Lockhead Martin Corporation | Program planning management system |
| US6166314A (en) * | 1997-06-19 | 2000-12-26 | Time Warp Technologies, Ltd. | Method and apparatus for real-time correlation of a performance to a musical score |
| US6141658A (en) * | 1997-09-10 | 2000-10-31 | Clear With Computers, Inc. | Computer system and method for managing sales information |
| US5908996A (en) * | 1997-10-24 | 1999-06-01 | Timewarp Technologies Ltd | Device for controlling a musical performance |
| US6202066B1 (en) | 1997-11-19 | 2001-03-13 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role/group permission association using object access type |
| US6357010B1 (en) | 1998-02-17 | 2002-03-12 | Secure Computing Corporation | System and method for controlling access to documents stored on an internal network |
| US6321336B1 (en) | 1998-03-13 | 2001-11-20 | Secure Computing Corporation | System and method for redirecting network traffic to provide secure communication |
| US6182226B1 (en) | 1998-03-18 | 2001-01-30 | Secure Computing Corporation | System and method for controlling interactions between networks |
| US6453419B1 (en) | 1998-03-18 | 2002-09-17 | Secure Computing Corporation | System and method for implementing a security policy |
| US6870546B1 (en) * | 1998-06-01 | 2005-03-22 | Autodesk, Inc. | Protectable expressions in objects having authorable behaviors and appearances |
| US7013305B2 (en) | 2001-10-01 | 2006-03-14 | International Business Machines Corporation | Managing the state of coupling facility structures, detecting by one or more systems coupled to the coupling facility, the suspended state of the duplexed command, detecting being independent of message exchange |
| TW451143B (en) * | 1998-11-05 | 2001-08-21 | Ecomagents Inc | Method for controlling access to information |
| US6708272B1 (en) | 1999-05-20 | 2004-03-16 | Storage Technology Corporation | Information encryption system and method |
| JP2001075565A (en) | 1999-09-07 | 2001-03-23 | Roland Corp | Electronic musical instrument |
| WO2001025937A1 (en) * | 1999-10-01 | 2001-04-12 | Infraworks Corporation | Network/tdi blocking method and system |
| JP2001125568A (en) | 1999-10-28 | 2001-05-11 | Roland Corp | Electronic musical instrument |
| US7143294B1 (en) * | 1999-10-29 | 2006-11-28 | Broadcom Corporation | Apparatus and method for secure field upgradability with unpredictable ciphertext |
| US20040073617A1 (en) | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
| US7603319B2 (en) | 2000-08-28 | 2009-10-13 | Contentguard Holdings, Inc. | Method and apparatus for preserving customer identity in on-line transactions |
| US7743259B2 (en) * | 2000-08-28 | 2010-06-22 | Contentguard Holdings, Inc. | System and method for digital rights management using a standard rendering engine |
| US6804784B1 (en) | 2000-09-29 | 2004-10-12 | Infraworks Corporation | Back-channeling in a memory vault system |
| US7343324B2 (en) | 2000-11-03 | 2008-03-11 | Contentguard Holdings Inc. | Method, system, and computer readable medium for automatically publishing content |
| US20020099666A1 (en) * | 2000-11-22 | 2002-07-25 | Dryer Joseph E. | System for maintaining the security of client files |
| US6912294B2 (en) | 2000-12-29 | 2005-06-28 | Contentguard Holdings, Inc. | Multi-stage watermarking process and system |
| US8069116B2 (en) | 2001-01-17 | 2011-11-29 | Contentguard Holdings, Inc. | System and method for supplying and managing usage rights associated with an item repository |
| US7028009B2 (en) | 2001-01-17 | 2006-04-11 | Contentguardiholdings, Inc. | Method and apparatus for distributing enforceable property rights |
| US7774279B2 (en) | 2001-05-31 | 2010-08-10 | Contentguard Holdings, Inc. | Rights offering and granting |
| US20040039704A1 (en) * | 2001-01-17 | 2004-02-26 | Contentguard Holdings, Inc. | System and method for supplying and managing usage rights of users and suppliers of items |
| JP4109873B2 (en) * | 2001-02-28 | 2008-07-02 | キヤノン株式会社 | Probe design method and information processing apparatus |
| US8275709B2 (en) | 2001-05-31 | 2012-09-25 | Contentguard Holdings, Inc. | Digital rights management of content when content is a future live event |
| US8099364B2 (en) | 2001-05-31 | 2012-01-17 | Contentguard Holdings, Inc. | Digital rights management of content when content is a future live event |
| US8275716B2 (en) | 2001-05-31 | 2012-09-25 | Contentguard Holdings, Inc. | Method and system for subscription digital rights management |
| US8001053B2 (en) | 2001-05-31 | 2011-08-16 | Contentguard Holdings, Inc. | System and method for rights offering and granting using shared state variables |
| US7725401B2 (en) | 2001-05-31 | 2010-05-25 | Contentguard Holdings, Inc. | Method and apparatus for establishing usage rights for digital content to be created in the future |
| US6876984B2 (en) | 2001-05-31 | 2005-04-05 | Contentguard Holdings, Inc. | Method and apparatus for establishing usage rights for digital content to be created in the future |
| US6895503B2 (en) | 2001-05-31 | 2005-05-17 | Contentguard Holdings, Inc. | Method and apparatus for hierarchical assignment of rights to documents and documents having such rights |
| JP2004530222A (en) | 2001-06-07 | 2004-09-30 | コンテントガード ホールディングズ インコーポレイテッド | Method and apparatus for supporting multiple zones of trust in a digital rights management system |
| US7774280B2 (en) * | 2001-06-07 | 2010-08-10 | Contentguard Holdings, Inc. | System and method for managing transfer of rights using shared state variables |
| WO2003007213A1 (en) * | 2001-06-07 | 2003-01-23 | Contentguard Holdings, Inc. | Method and apparatus managing the transfer of rights |
| EP1485833A4 (en) * | 2001-11-20 | 2005-10-12 | Contentguard Holdings Inc | An extensible rights expression processing system |
| US7974923B2 (en) * | 2001-11-20 | 2011-07-05 | Contentguard Holdings, Inc. | Extensible rights expression processing system |
| US7840488B2 (en) * | 2001-11-20 | 2010-11-23 | Contentguard Holdings, Inc. | System and method for granting access to an item or permission to use an item based on configurable conditions |
| AU2003220269A1 (en) | 2002-03-14 | 2003-09-29 | Contentguard Holdings, Inc. | Method and apparatus for processing usage rights expressions |
| US7805371B2 (en) * | 2002-03-14 | 2010-09-28 | Contentguard Holdings, Inc. | Rights expression profile system and method |
| US8543511B2 (en) * | 2002-04-29 | 2013-09-24 | Contentguard Holdings, Inc. | System and method for specifying and processing legality expressions |
| US20030226014A1 (en) * | 2002-05-31 | 2003-12-04 | Schmidt Rodney W. | Trusted client utilizing security kernel under secure execution mode |
| US7266658B2 (en) * | 2002-09-12 | 2007-09-04 | International Business Machines Corporation | System, method, and computer program product for prohibiting unauthorized access to protected memory regions |
| GB2397665A (en) * | 2003-01-27 | 2004-07-28 | Hewlett Packard Co | Operating system data management |
| US7685642B2 (en) * | 2003-06-26 | 2010-03-23 | Contentguard Holdings, Inc. | System and method for controlling rights expressions by stakeholders of an item |
| JP4624732B2 (en) * | 2003-07-16 | 2011-02-02 | パナソニック株式会社 | how to access |
| US20060078126A1 (en) * | 2004-10-08 | 2006-04-13 | Philip Cacayorin | Floating vector scrambling methods and apparatus |
| US20060107326A1 (en) * | 2004-11-12 | 2006-05-18 | Demartini Thomas | Method, system, and device for verifying authorized issuance of a rights expression |
| US8660961B2 (en) | 2004-11-18 | 2014-02-25 | Contentguard Holdings, Inc. | Method, system, and device for license-centric content consumption |
| US20060112015A1 (en) * | 2004-11-24 | 2006-05-25 | Contentguard Holdings, Inc. | Method, system, and device for handling creation of derivative works and for adapting rights to derivative works |
| US20060117004A1 (en) * | 2004-11-30 | 2006-06-01 | Hunt Charles L | System and method for contextually understanding and analyzing system use and misuse |
| US8261058B2 (en) * | 2005-03-16 | 2012-09-04 | Dt Labs, Llc | System, method and apparatus for electronically protecting data and digital content |
| US20060248573A1 (en) * | 2005-04-28 | 2006-11-02 | Content Guard Holdings, Inc. | System and method for developing and using trusted policy based on a social model |
| US8082451B2 (en) * | 2005-09-12 | 2011-12-20 | Nokia Corporation | Data access control |
| WO2007041170A2 (en) * | 2005-09-29 | 2007-04-12 | Contentguard Holdings, Inc. | System for digital rights management using advanced copy with issue rights and managed copy tokens |
| US7720767B2 (en) | 2005-10-24 | 2010-05-18 | Contentguard Holdings, Inc. | Method and system to support dynamic rights and resources sharing |
| US20070124554A1 (en) * | 2005-10-28 | 2007-05-31 | Honeywell International Inc. | Global memory for a rapidio network |
| US7877409B2 (en) * | 2005-12-29 | 2011-01-25 | Nextlabs, Inc. | Preventing conflicts of interests between two or more groups using applications |
| US8825598B2 (en) * | 2010-06-16 | 2014-09-02 | Apple Inc. | Media file synchronization |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2258112A5 (en) * | 1973-11-30 | 1975-08-08 | Honeywell Bull Soc Ind | |
| US4227253A (en) * | 1977-12-05 | 1980-10-07 | International Business Machines Corporation | Cryptographic communication security for multiple domain networks |
| US4442484A (en) * | 1980-10-14 | 1984-04-10 | Intel Corporation | Microprocessor memory management and protection mechanism |
| JPS57113494A (en) * | 1980-12-31 | 1982-07-14 | Fujitsu Ltd | Secret security device |
| US4575797A (en) * | 1981-05-22 | 1986-03-11 | Data General Corporation | Digital data processing system incorporating object-based addressing and capable of executing instructions belonging to several instruction sets |
| JPS57206977A (en) * | 1981-06-15 | 1982-12-18 | Fujitsu Ltd | Document processing system |
| JPS595495A (en) * | 1982-06-30 | 1984-01-12 | Fujitsu Ltd | Storage area protecting system |
-
1984
- 1984-02-16 US US06/580,910 patent/US4621321A/en not_active Expired - Lifetime
-
1985
- 1985-02-08 CA CA000473843A patent/CA1227885A/en not_active Expired
- 1985-02-11 IL IL74315A patent/IL74315A/en not_active IP Right Cessation
- 1985-02-13 EP EP85101511A patent/EP0152900B1/en not_active Expired - Lifetime
- 1985-02-13 DE DE8585101511T patent/DE3586912T2/en not_active Expired - Fee Related
- 1985-02-15 JP JP60028150A patent/JPS60189554A/en active Pending
- 1985-02-16 KR KR1019850000963A patent/KR920005231B1/en not_active IP Right Cessation
-
1986
- 1986-06-20 US US06/876,540 patent/US4701840A/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| KR920005231B1 (en) | 1992-06-29 |
| IL74315A (en) | 1988-12-30 |
| DE3586912T2 (en) | 1993-04-29 |
| EP0152900B1 (en) | 1992-12-23 |
| KR850006738A (en) | 1985-10-16 |
| DE3586912D1 (en) | 1993-02-04 |
| US4701840A (en) | 1987-10-20 |
| EP0152900A2 (en) | 1985-08-28 |
| JPS60189554A (en) | 1985-09-27 |
| US4621321A (en) | 1986-11-04 |
| IL74315A0 (en) | 1985-05-31 |
| EP0152900A3 (en) | 1989-07-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA1227885A (en) | Secure data processing system architecture | |
| EP0192243B1 (en) | Method of protecting system files and data processing unit for implementing said method | |
| US4926476A (en) | Method and apparatus for secure execution of untrusted software | |
| KR100877650B1 (en) | Implementation and use of a pii data access control facility emlploying personally identifying information labels and purpose serving function sets | |
| US7290279B2 (en) | Access control method using token having security attributes in computer system | |
| CN101281506B (en) | Memory domain based security control within data processing system | |
| TWI249111B (en) | Row-level security in a relational database management system | |
| JP2739029B2 (en) | How to control access to data objects | |
| US8402269B2 (en) | System and method for controlling exit of saved data from security zone | |
| EP0803101B1 (en) | A mechanism for linking together the files of emulated and host system for access by emulated system users | |
| US5822771A (en) | System for management of software employing memory for processing unit with regulatory information, for limiting amount of use and number of backup copies of software | |
| KR100596135B1 (en) | Control system for access classified by application in virtual disk and Controling method thereof | |
| CN103890852A (en) | Access to memory region including confidential information | |
| JPH09319659A (en) | Security control method for computer system | |
| JP2002351661A (en) | Method and system for architecting secure solution | |
| US20100088770A1 (en) | Device and method for disjointed computing | |
| Dannenberg | Resource sharing in a network of personal computers | |
| RU2134931C1 (en) | Method of obtaining access to objects in operating system | |
| Heinrich | The network security center: a system level approach to computer network security | |
| Langmead | Comparative Evaluation of Access Control Models | |
| Stork | Downgrading in a Secure Multilevel Computer System: The Formulary Concept | |
| Bergart | An Annotated and Cross-Referenced Bibliography on Computer Security and Access Control in Computer Systems. | |
| Pieprzyk et al. | Access Control | |
| Marin | SELinux policy management framework for HIS | |
| Schiller et al. | Design and Abstract Specification of a Multics Security Kernel. Volume 1 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MKEX | Expiry |