CA1252907A - Secure data processing system architecture with format control - Google Patents

Secure data processing system architecture with format control

Info

Publication number
CA1252907A
CA1252907A
Authority
CA
Canada
Prior art keywords
security
data
system files
protected system
protected
Prior art date
Legal status
Expired
Application number
CA000501435A
Other languages
French (fr)
Inventor
Richard Y. Kain
William E. Boebert
Current Assignee
Honeywell Inc
Original Assignee
Honeywell Inc
Priority date
Filing date
Publication date
Application filed by Honeywell Inc
Application granted
Publication of CA1252907A

Classifications

All classes below sit under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING.

    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
        • G06F 12/14 Protection against unauthorised use of memory or access to memory
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F 21/60 Protecting data
            • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F 21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
        • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
            • G06F 21/71 Protecting specific internal or peripheral components to assure secure computing or processing of information
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications
            • G06F 2221/2113 Multi-level security, e.g. mandatory access control

Abstract

Means and methods of securing protected system files in a data processing system are disclosed, wherein the information determining access rights of system users to the protected system files remains at all times within a secure processor.
Provision is also made for allowing the display or labeling of protected data files only when markings consistent with the security level of such files are also displayed or included in the label. Furthermore, provision is also made for limiting the access rights of users to protected system files based on a comparison between the formats associated with said files and the function or subsystem performing operations on behalf of the users.

Description

This invention relates generally to data processing systems which possess system files. Such files can be viewed as consisting of one or more segments, which in turn consist of fields, wherein segments, data objects, and fields are logical aggregates of information which may have a variety of physical manifestations including the format of the data. This invention relates particularly to secure data processing systems, in which access or manipulation of data objects, and the labeling and display of data objects, can be performed only by programs executing on behalf of user entities which possess authorization and only by programs which are permitted to perform specific tasks. Authorization is determined by a security policy, which includes a set of pre-existing relationships that exist between security attributes associated, at the time access or manipulation is attempted, with the aforesaid user entities and data objects. Such security attributes can, for example, represent the degree of sensitivity of information contained in the data object with which one security attribute is associated and the degree of trustworthiness of a user entity with which a second security attribute is associated. Those tasks which a program is permitted to perform are also determined by the security policy, by having the policy include a set of pre-existing relationships that exist between programs or groups of programs (i.e., subsystems) which perform the tasks, the formats of the data objects that those programs (or groups of programs) may access, and the modes of access to the aforesaid data objects. A security policy, and a secure data processing system which enforces it, can be used in this case to mandate that sensitive information is accessed or manipulated only by appropriate programs executed on behalf of user entities which possess sufficient trustworthiness.
It is known in related art to provide means whereby the modes or manners in which a program can access or manipulate a data object can be restricted to a fixed set, as for example, permitting or denying the ability to read (access) information, write (enter) information, and/or other modes singly and in combination. An instance of such a set shall be referred to herein as an access right. In this technique, access rights are granted by programs for data objects under their control, by setting values of fields within distinguished data objects, said distinguished data objects being differentiated from ordinary ones by being located within distinguished segments. The distinguished data objects are fetched by the data processing system prior to access or manipulation, and the data processing system will only perform the accesses or manipulations permitted by the contents of their access rights fields. The above technique suffers from two weaknesses. First, the existence of distinguished segments adds complication to the programs executed by the data processing system, because the programs must treat distinguished and ordinary segments in different ways. Second, programs are permitted to grant access without regard for the user entity on whose behalf the program is being executed, or any security attributes currently possessed by said user entity. Thus a user entity may execute a program which grants an access right to another program executing on behalf of said user entity, which access right is not authorized by the pre-existing security policy. It is further known within related art to permit only highly trusted programs to grant access rights. When a program executing on behalf of a given user entity wishes a given access right to a given ordinary data object, said program invokes the highly trusted program, which obtains the current security attributes associated with the given user entity and the given ordinary data object and ensures that an access right is granted which is authorized by the security policy. The above technique suffers from the weakness that the compromise of software programs, such as the highly trusted program described above, is known to be relatively easy to accomplish, such compromise can go undetected, and demonstration that a program has not been compromised is known to be extremely difficult.
It is still further known in related art to provide apparatus which is capable of recognizing distinguished data objects, thereby permitting the mixing of distinguished and ordinary data objects within segments, and to restrict the setting of access rights to highly trusted programs in the manner described above. This technique suffers from two weaknesses. First, the highly trusted program is subject to compromise as described above. Second, even if the highly trusted program is not compromised, a program executing on behalf of one user entity may establish an access right to some ordinary data object, which access right is unauthorized according to security policy. Such compromise is effected by having the program obtain a distinguished data object which grants an access right to a given ordinary data object, said access right being authorized by security policy, and then having the program place said distinguished data object in a segment which can be accessed by a program executing on behalf of a second user entity, which second user entity has current security attributes different from the first user entity, and which second user entity security attributes do not authorize, according to security policy, the access right thereby obtained.
It is yet further known in the related art to provide, in addition to the mixing of distinguished and ordinary data objects in segments, and in addition to the providing of highly trusted software to set the values of distinguished data objects in the manner described above, apparatus which restricts the placement of distinguished data objects to segments which are accessed in common only by programs executing on behalf of user entities whose possible security attributes would authorize, according to security policy, the access rights granted by such distinguished data objects. The above technique suffers from three weaknesses. First, the highly trusted software is subject to compromise as described above. Second, the restriction on the storage of distinguished data objects limits the activity of programs executing on behalf of user entities, and thereby reduces the effectiveness and efficiency of those programs. Third, the consequences of a malfunction in the apparatus which enforces such restriction are catastrophic, in that once a distinguished data object is placed in a segment to which access is freely shared, said distinguished data object can be moved and copied among segments in the data processing system in a manner impossible to trace and reverse.
All of the aforementioned techniques suffer from the additional weakness that a malicious user entity may place in the system a program which can be executed on the behalf of an unsuspecting user entity. The malicious program may then use the access rights authorized to the unsuspecting user entity to copy information in a manner such that the malicious user entity would, in effect, obtain unauthorized access to data objects, and such copying would not be detected by said unsuspecting user entity.
It is still further known in the related art to permit only highly trusted programs to access system files, and to require that programs executing on behalf of user entities invoke said highly trusted program upon each attempt to access system files.
This technique suffers from three weaknesses. First, the highly trusted program is subject to compromise as described above, and the demonstration that the program has not been compromised is virtually impossible, owing to the number of functions performed by the program. Second, even if the highly trusted program is not subject to compromise, it is extremely difficult to demonstrate that access to system files cannot be gained by means outside said highly trusted program. Third, the use of an intermediary program to perform accesses to system files severely degrades the performance of the programs which execute on behalf of user entities.
It is yet further known in the related art to permit users to store a distinguished data object describing a segment within other segments, the distinguished data object containing access rights information, and to permit users to retrieve the distinguished data object and subsequently to access the contents of the described segment in accordance with the access rights information retrieved from the distinguished data object. The above technique suffers from the weakness that since the user's access rights for a segment are determined when the distinguished data object is constructed, that user's access rights cannot effectively be revoked if the user can retain obsolete access rights for use after revocation.
A further weakness of these prior techniques is that one authorized by the security policy to access a data object may output such data in an unmarked format, then use or copy the data in contravention of the security status of the data.
It is therefore an object of the present invention to provide an architecture for a data processing system which is secure in the sense defined above.
It is a further object of the present invention to provide said security without recourse to or reliance upon highly trusted complex software programs.
It is still another object of the present invention to provide apparatus which associates security attributes with user entities and data objects and which permits those security attributes to vary in a controlled manner over time.
It is yet another object of the present invention to provide apparatus which guarantees that programs executing on behalf of a user entity can exercise only those access rights which are consistent with limits set by a predefined security policy.

It is a still further object of the present invention to provide apparatus which guarantees that no program executing on behalf of a given user entity can, by abusing access rights to data objects, perform operations unauthorized by a predefined security policy.
It is a yet further object to accomplish the aforementioned objects using techniques which require minimal changes to software and programming practices in order for said software and programming practices to result in secure processing, by providing techniques which are extensions of, and not restrictions to, the techniques provided by nonsecure computer architectures.
It is a further object of the invention to provide a data processing system wherein data output therefrom is displayed and labelled only in a manner consistent with the sensitivity of the data and the nature of the data display device.
It is a further object of the invention to provide a data processing system wherein a user cannot retain obsolete access rights to protected system files or data.
The aforementioned and other objects of the present invention are accomplished by including within the data processing system apparatus which can recognize distinguished data objects within segments of the system files. Each said distinguished data object denotes a single data object. Before a program can access or manipulate a given data object in a given mode or manner, said program must make available to said apparatus a distinguished data object, the value of which denotes the given data object. Said apparatus will permit segments to contain both distinguished data objects and ordinary ones, and will impose no restrictions on which segments can contain distinguished data objects, other than those restrictions imposed by programs using the techniques provided by distinguished data objects. Said apparatus will permit the display of labeled data objects only in a manner consistent with the security level of the data object and the nature of the display device on which the data object is displayed. Said apparatus will protect distinguished data objects from compromise or examination by restricting the operations which may be performed on them. Said apparatus will use the following technique to ensure that a program executing on behalf of a given user entity cannot use distinguished data objects to directly or indirectly access or manipulate ordinary data objects in modes or manners which are unauthorized by a pre-existing security policy: the apparatus will associate a specific instance of security attributes with each data object. Such a specific instance shall be referred to herein as the security level of the data object. The apparatus will maintain at all times the security attributes associated with the user entity on whose behalf the data processing system is currently executing a program. An instance of such security attributes in effect at the time an access or manipulation is to be performed by a program shall be referred to herein as the current security context of the program. Access rights to protected system files or data will be retained at all times within a secure processor which can have data therein altered only by a director entity of the data processing system. The apparatus will only permit a program to access, manipulate, display or label the data object denoted by a distinguished data object in the mode or manner defined by the pre-existing security policy for this specific combination of program security context and data object security level. As a result, no program ever executed on behalf of a given user entity can, either directly or indirectly, access, manipulate, display or label information contained in a data object in a manner or mode which is not authorized by the pre-existing security policy.
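To make the mechanism of the preceding paragraph concrete, the following Python model is added here; it is not code from the patent, which describes hardware. It sets the prior-art segment-describing object that carries its own access-rights field beside a distinguished data object that merely denotes an ordinary data object, with the access rights recomputed inside a secure processor from the current security context each time access is attempted. The class names, the policy table keyed on (user attribute, object security level) and the attribute values are assumptions made for the illustration.

```python
"""Rights baked into a capability vs. rights computed at access time.

Added example; it is not code from the patent, which describes hardware.
It models the distinguished data object of the summary above (a value that
only denotes an ordinary data object) next to the prior-art object that
carries an access-rights field, and shows why the former survives a change
of the user entity's security attributes and the latter does not.
Class names, the policy table and the attribute values are assumptions.
"""
from dataclasses import dataclass

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class PriorArtCapability:
    """Prior art: the rights are fixed when the object is constructed and
    travel with it wherever it is copied."""
    object_id: str
    rights: frozenset


@dataclass(frozen=True)
class DistinguishedDataObject:
    """Invention: denotes one ordinary data object and carries no rights."""
    object_id: str


class SecureProcessor:
    """Holds the security policy, the security level of every denoted
    object and the current security context.  The access-rights signal
    computed in _access_rights is used only inside this class; callers
    learn a single permit/deny answer for one requested mode."""

    def __init__(self, policy, object_levels):
        # policy maps (user security attribute, object security level)
        # to the set of modes the pre-existing policy authorises.
        self._policy = {k: frozenset(v) for k, v in policy.items()}
        self._object_levels = dict(object_levels)
        self._context = None   # current security context of the running program

    def set_context(self, user_attribute):
        """Done by the user entity identification apparatus as the
        attributes of the user entity change over time."""
        self._context = user_attribute

    def director_update(self, user_attribute, object_level, modes):
        """Only the director entity may alter data held in the secure processor."""
        self._policy[(user_attribute, object_level)] = frozenset(modes)

    def _access_rights(self, ddo):
        level = self._object_levels[ddo.object_id]
        return self._policy.get((self._context, level), frozenset())

    def permits(self, ddo, mode):
        return mode in self._access_rights(ddo)


def prior_art_permits(capability, mode):
    """Prior art: whoever holds the object gets what its rights field says."""
    return mode in capability.rights


def demo():
    """Returns ((new_before, old_before), (new_after, old_after)) for READ."""
    sp = SecureProcessor(
        policy={("cleared", "financial"): {READ}},     # constructed sample policy
        object_levels={"ledger": "financial"},
    )
    ddo = DistinguishedDataObject("ledger")
    cap = PriorArtCapability("ledger", frozenset({READ}))

    sp.set_context("cleared")
    before = (sp.permits(ddo, READ), prior_art_permits(cap, READ))

    # The user entity's attribute is lowered, or the same objects reach a
    # program running for a second, uncleared user entity: the secure
    # processor recomputes from the current context, the old capability
    # still grants what it was built with.
    sp.set_context("uncleared")
    after = (sp.permits(ddo, READ), prior_art_permits(cap, READ))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True), (False, True))
```

The point of the comparison is revocation: once the identification apparatus lowers the user entity's attribute, or the same objects reach a program running for a different user entity, the denotation-only object yields nothing, while the prior-art capability still grants whatever was written into it at construction, which is the obsolete-rights weakness described earlier. In hardware the value computed by `_access_rights` is the signal that the prohibiting means keeps inside the secure processor; here the single-mode `permits` answer stands in for that boundary.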

Distinguished data objects may be included in segments that are shared between processors, either along secure transmission links or in an encrypted form, thereby providing uniformity of control of access by user entities on all data processing units in a distributed system.
In accordance with the present invention, there is provided a data processing system having protected system files, wherein each protected system file is associated with a data format and wherein said data processing system operates in response to programs or groups of programs which perform specific tasks, comprising: identification means for identifying a user interacting with said data processing system, said identification means relating preselected security attributes with said user; and a secure processor, connected to said identification means, for storing, at least temporarily, a security policy and for processing data in accordance with said security policy, said security policy defining permissible access rights to said protected system files in terms of possible values of data formats, possible values of said preselected security attributes and functions of said specific tasks, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor, said secure processor having generating means for generating an access rights signal for any one of said protected system files, said access rights signal being determined by a comparison of said security policy to said preselected security attributes, said data format associated with said any one of said protected system files and any functions to be performed with or upon said any one of said protected system files.

In accordance with the present invention, there is further provided a data processing system having protected system files, wherein each protected system file is associated with a security level and wherein said data processing system attempts to perform operations with or upon said protected files in response to programs or groups of programs, comprising: identification means for identifying a user, said identification means relating preselected security attributes with said user; a secure processor, connected to said identification means, for storing, at least temporarily, a security policy and for processing data in accordance with said security policy in response to said programs, said security policy defining permissible access rights to said protected system files in terms of possible values of said preselected security attributes and possible values of security levels, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor, said secure processor having generating means for generating an access rights signal for any one of said protected system files, said access rights signal being determined by a comparison of said security policy to said preselected security attributes and the security level associated with said any one of said protected system files, and said secure processor having prohibiting means, connected to said generating means, for prohibiting said access rights signal from exiting said secure processor; and storage means, connected to said secure processor, for storing said protected system files, access to protected system storage means being controlled by said secure processor.

In accordance with the present invention, there is further provided a method of protecting system files in a data processing system, wherein each system file to be protected is associated with a security level and wherein said data processing system attempts to perform operations with or upon protected system files in response to programs or groups of programs, comprising: identifying a user, an identification relating preselected security attributes with said user; storing, at least temporarily, a security policy in a secure processor, said security policy defining permissible access rights for protected system files in terms of possible values of said preselected security attributes and possible values of security levels, and wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor; processing protected system files in accordance with said security policy; and generating an access rights signal for any one of protected system files, said access rights signal being determined by a comparison of said security policy to said preselected attributes and the security level associated with said any one of protected system files, an access rights signal generating means being a portion of said secure processor; and prohibiting said access rights signal from exiting said secure processor.
In accordance with the present invention, there is further provided a method of protecting system files in a data processing system, wherein each system file to be protected is associated with a data format and wherein said data processing system operates in response to programs or groups of programs which perform specific tasks, comprising: identifying a user interacting with said data processing system, an identification relating preselected security attributes with said user; storing, at least temporarily, a security policy in a secure processor, said security policy defining permissible access rights to protected system files as a function of possible values of data formats, possible values of said preselected security attributes and functions of specific tasks, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor; processing protected system files with said secure processor in accordance with said security policy; and generating an access rights signal for any one of protected system files, said access rights signal being determined by a comparison of said security policy to said preselected security attributes, said data format associated with said any one of protected system files and any function to be performed with or upon said any one of protected system files.
These and other features of the invention will be understood upon reading of the following description along with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a diagram illustrating how restrictions on the flow of information can be mandated by a security policy which associates security attributes with user entities and data objects and controls modes and manners of access and manipulation by relationships between said attributes.
Figure 1A is a diagram illustrating how restrictions on access to information can be mandated by an additional security policy which governs the manner in which specific subsystems may access information stored in specific formats.
Figure 2 is a simplified block diagram of a typical data processing system.
Figure 3 is a block diagram of a data processing system illustrating the apparatus implementing the instant invention.

Figure 4 is a diagram illustrating the fields of a distinguished data object.
Figure 5 is a diagram showing how distinguished data objects can denote overlapping or nested ordinary data objects.
Figure 6 is a diagram illustrating how data objects are addressed in a manner that enforces access rights.
Figure 7 is a diagram that shows how a program adds a data object to the set of data objects upon which it is working, in such a manner that the pre-existing security policy is upheld.
Figure 8 is a diagram showing how access rights are computed by a security policy unit.
In all diagrams, detailed element numbers can refer to elements of previous drawings.
Referring now to Figure 1, the manner in which the flow of information between user entities can be controlled by the level portions of the security attributes associated with the user entities and the data objects manipulated or accessed by those entities is illustrated. The level portions of the security attributes in this example are partially ordered: A(2) is defined to be greater than A(1), which is defined to be greater than A(0); B(2) is defined to be greater than B(1), which is defined to be greater than B(0); A(2) is defined to be greater than B(0); each attribute is defined to be equal to itself; and no other relations exist between the level portions of the attributes. The predefined security policy is that a user entity may read (retrieve) information from a data object if and only if the current value in the level portion of the security attribute of the user entity is greater than or equal to the level portion of the security attribute of the data object, and a user entity may write (enter) information into a data object if and only if the level portion of the security attribute of the data object is greater than or equal to the level portion of the security attribute currently associated with the user entity.
As indicated in the diagram, and with relation to user entities communicating by means of data objects contained within system files in the memory unit of a computer, memory space is available to any data processing user entity. Any user entity can access or manipulate any data object to which a connecting line exists in the diagram, in the mode or manner shown on the label attached to the line. The lines accordingly define all the possible directional paths along which information can flow from user entity to user entity, given the example security attributes. Thus one-way communication is possible from A(0) and A(1) to A(2), from B(0) and B(1) to B(2), and from B(0) to A(2), in many cases through a variety of data objects. In such a manner arbitrary information flows between user entities may be controlled in a manner not restricted to rigid relations between those user entities, such as strict hierarchical ordering. As an example, in modern corporate practice, the B(n) set of data objects could contain financial data of increasing sensitivity and the A(n) set of data objects could contain production data of increasing sensitivity.
Likewise, the B(n) set of user entities could be members of the financial staff of increasing rank and privilege and the A(n) set similarly members of the production staff. The information flow controls in the example diagram show a circumstance wherein information flows upwards only within each staff, the highest ranking member of the production staff is able to examine but not alter low-sensitivity financial data such as individual invoices, no other members of the production staff have any access whatever to any financial data, and no members of the financial staff, no matter how high ranking, have the ability to read production information. It will be clear that the information flow restrictions are enforced solely by permitting or prohibiting operations based on a comparison of the current security attribute of a user entity and those of a data object. Thus if a user entity has a security attribute A(0) at the time access is attempted to a data object with security attribute B(n), a comparison of attributes will yield a result of non-compatibility. It will also be clear that although Figure 1 represents data objects as distinct entities, in general, the data objects may be located anywhere within physical media.
Referring now to Figure lA, the manner in which access to information of specific ~ormat may be limited to subsystems performing specific tasks i5 illustrated. In this example, Fl, F2, and F3 are sets of data ob~ects, each set having a specific internal format; Sl and S2 are subsystems, comprised of hardware and software working in concert to perform a speci~ic ta~k~ A~ indicated in the diagram9 data in format Fl is generally available to numerous ~ub~ystems including Sl and S6; data in format F2 may only be manipulated by subsy~tem Sl; and data in forma~ F3 may only be used to communica~e between 25~ sub~ystem Sl and subsystem 520 ' '3 Thus format Fl may be the generally used format for data within the machine, such as encoded strings of characters. Format F2 may be the format of information which must remain incorruptible, such as the s~rings of characters (e.g., TOP SEC~ET, PROPRIETARY, etc.) used to mark output from the computer when it is displayed or produced in human readable form, an~ tables which define what - information must be marked in which manner. Format F3 may be ordinary information which is properly marked and formatted for display. t ~ Subsy~tem Sl would then be a subsy~tem whose task is to determine the proper marking and insert it in the proper location in the data as part of the task o~ formatting the data for output~ Subsystem S2 would be a subsystem whose ta~k it is to display the data on some appropriate device~
~ t will be cIear that the access restrictions shown in the example prevent malicious programs from subverting the in~ent of a predefined security policy by altPring the markings on information when it is displayed, e~g., by altering ~PROPRI~TARY" to "RELEP~SED FOR PUBLIC DIST~IBUTION. n Subgy~te~ Sl and S2 will have been shown ~o b~ ree from malicious intent by a process o~ stringent examination and 18- ~
test~ It will be clear to anyone well-ver~ed in the art of computer system design that such a proof of a restricted property is substantially simpler than the general proof that a subsystem does not in any way violate security policy. Subsystems Sl and S2 process special privilege only to the degree that they are allowed access to information of formats F2 and F3.
Any access which they make will also be constrained by the security levels of the information which is in the respective formats, as shown in Figure 1. A malicious program which is not part of subsystem S1 will not be able to access information of format F2 and will thereby be prevented from altering the definition of what information must be marked in what manner, or the nature of the markings. A malicious program which is not part of subsystem S1 will not be able to produce or modify information of format F3, and will therefore be prevented from causing the display of improperly marked data.
It will further be clear that this method of restricting access on the basis of predefined relations between data format and subsystems can be used to maintain the incorruptibility of information in circumstances other than those shown in the example.

Referring now to Figure 2, a data processing system is seen to be comprised of a terminal 20, a processor 21 and a memory 22. A user entity desirous of having a program executed on its behalf by processor 21 must first identify itself by means of an elaborate login procedure using, for example, a password. A further example involves the use of the terminal, wherein the identity of the terminal will automatically identify the user entity and define the security attributes of said user entity. Once the user entity (or terminal) has been coupled to processor 21, said processor may execute programs on behalf of said user entity, which programs may access or manipulate information in memory 22 in a variety of modes and manners.
Referring now to Figure 3, a schematic diagram of the principal components implementing the present invention is illustrated. Processor 21 of Figure 2 is composed of user entity identification apparatus 31, ordinary data object processing unit 32, and secure processor 33. User entity identification apparatus 31 maintains security context register 331 by monitoring the security attributes currently associated with the user entity who is communicating through terminal 20 of Figure 2, and by monitoring the subsystem which is currently being executed by ordinary data processing unit 32. Secure processor 33 is composed of current security context register 331, security policy unit 332, which stores the security policy and computes the allowed access modes for a user entity operating on an ordinary data object, and data object characteristics table 333, which carries the address and other characteristics of every data object denoted by a distinguished data object. Secure processor 33 also includes program working set table 334, which contains the information necessary for a program to address those ordinary data objects upon which it is currently working, and distinguished data object processing unit 335, which performs the restricted set of operations on distinguished data objects. Secure processor 33 also includes memory address apparatus 336, which fetches information from and stores information into memory 22 of Figure 2 and which includes tag code recognition apparatus 336a, which apparatus insures that ordinary data processing unit 32 only processes ordinary data objects. The final component of secure processor 33 is encryption apparatus 337, which may be included to ensure the secure transmission of segments containing distinguished data objects.
Secure processor 33 may be accessed, and data therein manipulated, only by a director entity of the data processing system (such as a security officer).

Figure 3 depicts secure processor 33 as a distinct unit. However, the functions of secure processor 33 could be distributed throughout the hardware and software of the data processing system (e.g., they could be implemented in a general purpose processing system by software operating in specific modes).
Referring to Figure 4, a distinguished data object is shown along with the ordinary data object it denotes. Distinguished data object 40 is composed of data object identification number 401, which uniquely identifies the ordinary data object 41, miscellaneous field 403, which may be used to contain information such as error checking and correcting codes, current address 405, which locates the beginning of ordinary data object 41 within memory 22 of Figure 2, length 406, which defines the extent of and thus locates the end of ordinary data object 41 within memory 22 of Figure 2, security level 407, which defines the security level of the information in ordinary data object 41, format 409, which defines the format of the information in ordinary data object 41, and other characteristics field 408, which contains other characteristics of ordinary data object 41, such as the manner in which information is encoded in it. In the preferred embodiment, fields 401 and 403 occupy contiguous locations in memory 22 of Figure 2 and have tag codes associated with the physical media containing those locations, and fields 405, 406, and 407 are carried within data object characteristics table 333 of Figure 3 and located by means of data object identification number 401. This organization yields the most efficient use of memory and increases the performance of the secure processor. Other organizations can be functionally equivalent, provided said organization permits fields 403, 405, 406, 407, 408 and 409 to be made available to the secure processor given a value of field 401, and provides identification to distinguish the object containing field 401 and to protect it against unauthorized access or manipulation.
Referring to Figure 5, the manner in which nested and overlapping ordinary data objects can be denoted by distinguished data objects is illustrated.
Three distinguished data objects 40 of Figure 4 are shown in memory 22 of Figure 2. Each has a distinct data object identifier value 401 of Figure 4, and they therefore respectively denote distinct ordinary data objects 50, 51, and 52. The diagram shows how the fields 405 and 406 of Figure 4 can assume values such that ordinary data object 51 is nested within ordinary data object 50, and ordinary data object 52 overlaps ordinary data object 50. It is also possible that the values in fields 405 and 406 assume values such that all three distinguished data objects denote the identical ordinary data object.
Referring to Figure 6, the manner in which addresses are computed and access rights checked is illustrated. An instruction 60 is composed of an operation code 601, which defines the operation a program is to perform upon field 611 of ordinary data object 61 within memory 22 of Figure 2, and address 602, which is the location of field 611 expressed relative to the set of data objects upon which the program is currently working. Address 602 is interpreted as containing fields 602a and 602b. Field 602a is interpreted as an index into program working set table 334 of Figure 3, which index locates program working set entry 62, which consists of data object identifier field 621, access right field 622, current address field 623, and length field 624. Field 602b is interpreted as an offset within ordinary data object 61. Instruction 60 is transmitted to memory address apparatus 336 of Figure 3.
Memory address apparatus 336 extracts field 602a and uses it to locate program working set entry 62. Memory address apparatus 336 compares access right 622 against operation 601 and verifies that the modes and manners of access and manipulation required by operation 601 are permitted by access right 622.
If they are not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If the operation 601 and access right 622 are compatible, memory address apparatus 336 then compares offset field 602b against length field 624 to verify that field 611 is indeed within ordinary data object 61. If it is not, memory address apparatus 336 invokes an appropriate administrative program by such means as an interrupt. If it is, memory address apparatus 336 adds field 602b to field 623 in order to obtain the address of field 611, and, if a read is desired, transmits field 611 to the ordinary data object processing unit 32 of Figure 3 or distinguished data object processing unit 335 of Figure 3, depending on operation code 601. Tag code recognition apparatus 336a of Figure 3 checks the transfer to insure that no data stored in locations containing tag codes is transmitted to ordinary data object processor 32. It will be clear to those versed in the art how to modify this description if operation code 601 implies other mode(s) of access to field 611.
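The following is an added software model of the Figure 6 address computation and checks; it is an illustration written for this page, not code from the patent or from Honeywell. Field numbers follow the figures. The encoding of access right 622 as a set of mode names, the opcode-to-mode mapping, and the one-tag-bit-per-word layout of memory 22 are assumptions; the sample memory and working set table are constructed.

```python
from dataclasses import dataclass

READ, WRITE = "read", "write"


class AccessViolation(Exception):
    """Stands in for the interrupt that invokes the administrative program."""


@dataclass(frozen=True)
class WorkingSetEntry:            # program working set entry 62
    object_id: int                # field 621 (copied from 401)
    access_right: frozenset       # field 622, settable only by the secure processor
    current_address: int          # field 623
    length: int                   # field 624


@dataclass(frozen=True)
class Instruction:                # instruction 60
    opcode: str                   # operation code 601
    index: int                    # field 602a: index into working set table 334
    offset: int                   # field 602b: offset within ordinary data object 61


class Memory:
    """Memory 22 with one tag code per word (assumed: 1 marks a word that
    belongs to a distinguished data object, 0 marks ordinary data)."""

    def __init__(self, words, tags):
        assert len(words) == len(tags)
        self.words, self.tags = list(words), list(tags)


class MemoryAddressApparatus:     # apparatus 336 with tag recognition 336a
    # Assumed opcode-to-mode mapping; the patent leaves the encoding open.
    MODE_FOR_OPCODE = {"load": READ, "store": WRITE}

    def __init__(self, memory, working_set_table):
        self.memory = memory
        self.table = working_set_table     # table 334: a list of entries 62

    def resolve(self, ins):
        """Apply the Figure 6 checks and return the address of field 611."""
        entry = self.table[ins.index]                      # 602a locates entry 62
        mode = self.MODE_FOR_OPCODE[ins.opcode]
        if mode not in entry.access_right:                 # 601 against 622
            raise AccessViolation(f"{mode} not permitted on object {entry.object_id}")
        if not 0 <= ins.offset < entry.length:             # 602b against 624
            raise AccessViolation(f"offset {ins.offset} outside object {entry.object_id}")
        return entry.current_address + ins.offset          # 623 + 602b

    def load(self, ins):
        """Transmit field 611 to ordinary data object processing unit 32."""
        addr = self.resolve(ins)
        if self.memory.tags[addr]:                         # 336a blocks tagged words
            raise AccessViolation(f"word {addr} carries a tag code; not sent to unit 32")
        return self.memory.words[addr]

    def store(self, ins, value):
        addr = self.resolve(ins)
        if self.memory.tags[addr]:
            raise AccessViolation(f"word {addr} carries a tag code; unit 32 may not write it")
        self.memory.words[addr] = value


def build_demo():
    """Constructed sample: 16 words, words 8..11 tagged as a distinguished object."""
    mem = Memory(words=list(range(100, 116)), tags=[0] * 8 + [1] * 4 + [0] * 4)
    table = [
        # object 7: read/write, words 2..5
        WorkingSetEntry(7, frozenset({READ, WRITE}), current_address=2, length=4),
        # object 9: read only, words 6..11 (so it spans the tagged words)
        WorkingSetEntry(9, frozenset({READ}), current_address=6, length=6),
    ]
    return MemoryAddressApparatus(mem, table)


def outcome(apparatus, ins, value=None):
    """Run one instruction; return the word read, 'stored', or the violation text."""
    try:
        if ins.opcode == "store":
            apparatus.store(ins, value)
            return "stored"
        return apparatus.load(ins)
    except AccessViolation as exc:
        return f"violation: {exc}"


if __name__ == "__main__":
    a = build_demo()
    print(outcome(a, Instruction("load", 0, 1)))        # word 103
    print(outcome(a, Instruction("store", 1, 0), 5))    # write denied by 622
    print(outcome(a, Instruction("load", 0, 4)))        # offset beyond 624
    print(outcome(a, Instruction("load", 1, 3)))        # tagged word, blocked by 336a
```

The three refusals correspond to the three points at which the text has apparatus 336 invoke the administrative program: a mode not in 622, an offset outside 624, and (for the read path) a tag code seen by 336a. The program never sees 622 or the tag bits as data; it only sees whether its operation went through.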
Referring to Figure 7, the method by which a program adds a data object to the set upon which it is currently working is illustrated. A program transmits to secure processor 33 of Figure 3 a request to add desired data object 61 to said program's working set, in order that desired data object 61 may be accessed or manipulated in the manner described above. The request may be encoded in any combination of operation codes, addresses, and field values which identify the request, denote a distinguished data object 40 of Figure 4 which is contained in memory 22 of Figure 2 and which in turn denotes the desired data object 61 in memory 22, and identify a program working set entry 62 of Figure 6, which entry is to be used by the program for subsequent reference to data object 61.
Distinguished data object processor 335 of Figure 3 fetches fields 401 and 403 from memory 22 using the steps described in reference to Figure 6.
Using the data object identification number 401, processor 335 fetches the security level 407 and data format 409 from data characteristics table 333, and the current security context from current security context register 331, said register 331 being continuously maintained by user entity identification apparatus 31, and sends those three values to the security policy unit 332. The security policy unit returns the correct value of access right 622 which processor 335 places in entry 62. Processor 335 constructs the remainder of entry 62 in the manner shown, by moving field 401 to field 621, field 405 to field 623, and field 406 to field 624.

It will be clear to one well-versed in the art of computer systems design that the operations depicted in Figure 6 and those depicted in Figure 7, operating in concert, insure that every operation of the machine is in accord with the predefined security policy. Operation 601 in Figure 6 unavoidably encounters access right field 622 when attempting to generate an address which is required to locate field 611 in order to access or manipulate the values it contains. Access right 622 may only be set by secure processor 33 of Figure 3. In setting these rights secure processor 33 unavoidably encounters security policy unit 332 which selects rights based on the relationship, as defined by the external policy, between the current security context in register 331 and the security level and format of the contents of field 611 carried in data characteristics table 333.
Thus there exists no way of accessing or manipulating the information in field 611 except through mechanisms which enforce the external policy.
Referring to Figure 8, the operation of the security policy unit 332 is shown. Current security context 331 is decomposed into its constituent parts, user entity attribute 3311 and subsystem 3312. User entity attribute 3311 and security level 407 are sent to attribute comparer 3321, which computes provisional access right 3323. The computation of provisional access right 3323 may be made by a number of means which correctly reflect the intent of the predefined policy, including but not limited to comparisons of encoded values of user entity trustworthiness and data sensitivity, and/or matching of user names with lists of authorized users.
Provisional access right 3323 is then validated by subsystem/format comparer 3322, which compares current subsystem 3312 and data object format 409 against a table or other representation of allowed accesses by specific subsystems to data of specific formats.
Subsystem/format comparer 3322 then deletes from provisional access right 3323 any mode or manner of access not allowed by the result of the aforementioned comparison, and produces the result as access right 622. Equivalent operation of security policy unit 332 may be obtained by performing the operations of subsystem/format comparator 3322 and attribute comparer 3321 in different order, provided that access right 622 contains no mode or manner of access denied by either the attribute comparison or the subsystem/format comparison, unless authorized in advance by an appropriate authority (e.g., a predefined program which can override the access right signals).
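The following is an added model of security policy unit 332 as described for Figure 8, driving the construction of working set entry 62 described for Figure 7, with the subsystem/format relation of Figure 1A as the allowed-access table. It is illustrative code written for this page, not the patent's own. Assumptions: user entity attribute 3311 and security level 407 are encoded as integers and compared as "trustworthiness versus sensitivity" (read if cleared at least to the level, write only at exactly the level); access modes are the strings "read" and "write"; "*" is a wildcard meaning any subsystem; and the display subsystem S2 is given read-only access to F3. The characteristics table contents are constructed.

```python
from dataclasses import dataclass

READ, WRITE = "read", "write"
ALL = frozenset({READ, WRITE})


@dataclass(frozen=True)
class DistinguishedDataObject:        # object 40
    object_id: int                    # field 401
    misc: int = 0                     # field 403


@dataclass(frozen=True)
class Characteristics:                # row of table 333, located by 401
    current_address: int              # field 405
    length: int                       # field 406
    security_level: int               # field 407
    data_format: str                  # field 409


@dataclass(frozen=True)
class SecurityContext:                # register 331
    clearance: int                    # user entity attribute 3311 (assumed encoding)
    subsystem: str                    # subsystem 3312


@dataclass(frozen=True)
class WorkingSetEntry:                # entry 62
    object_id: int                    # field 621
    access_right: frozenset           # field 622
    current_address: int              # field 623
    length: int                       # field 624


# Figure 1A relation: F1 is generally available; F2 only to S1; F3 only
# to S1 and S2. S2's read-only access to F3 is an assumption.
SUBSYSTEM_FORMAT_TABLE = {
    ("*", "F1"): ALL,
    ("S1", "F2"): ALL,
    ("S1", "F3"): ALL,
    ("S2", "F3"): frozenset({READ}),
}


def attribute_comparer(clearance, security_level):
    """Comparer 3321: provisional access right 3323 from 3311 and 407."""
    rights = set()
    if clearance >= security_level:
        rights.add(READ)
    if clearance == security_level:
        rights.add(WRITE)
    return frozenset(rights)


def subsystem_format_comparer(provisional, subsystem, data_format):
    """Comparer 3322: delete from 3323 every mode the relation denies."""
    allowed = SUBSYSTEM_FORMAT_TABLE.get(
        (subsystem, data_format),
        SUBSYSTEM_FORMAT_TABLE.get(("*", data_format), frozenset()))
    return provisional & allowed


def security_policy_unit(context, security_level, data_format):
    """Unit 332: returns access right 622."""
    provisional = attribute_comparer(context.clearance, security_level)
    return subsystem_format_comparer(provisional, context.subsystem, data_format)


class SecureProcessor:                # the parts of 33 exercised by Figure 7
    def __init__(self, characteristics_table, context):
        self.table333 = characteristics_table    # {401: Characteristics}
        self.register331 = context
        self.working_set = {}                    # table 334: index -> entry 62

    def add_to_working_set(self, ddo, index):
        """Figure 7: build entry 62 from 40, table 333 and register 331."""
        c = self.table333[ddo.object_id]
        right = security_policy_unit(self.register331, c.security_level, c.data_format)
        entry = WorkingSetEntry(ddo.object_id, right, c.current_address, c.length)
        self.working_set[index] = entry
        return entry


def demo():
    """Constructed objects: a general F1 buffer, the F2 marking table, an F3 page."""
    table = {
        1: Characteristics(0x100, 64, security_level=1, data_format="F1"),
        2: Characteristics(0x200, 16, security_level=2, data_format="F2"),
        3: Characteristics(0x300, 32, security_level=2, data_format="F3"),
    }
    def right_for(subsystem, object_id):
        sp = SecureProcessor(table, SecurityContext(2, subsystem))
        return sp.add_to_working_set(DistinguishedDataObject(object_id), 0).access_right
    return {
        "S1_F2": right_for("S1", 2),   # marking subsystem may edit the marking table
        "S6_F2": right_for("S6", 2),   # any other subsystem gets no access at all
        "S6_F1": right_for("S6", 1),   # level 1 data: read only from clearance 2
        "S2_F3": right_for("S2", 3),   # display subsystem reads marked output
    }
```

Note that S6 is refused F2 even though its clearance matches the data's level: the attribute comparer grants read and write provisionally, and the subsystem/format comparer removes both. That is the Figure 1A property that no program outside S1 can alter the markings or the marking rules.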


Access right 622 is generated only in response to attempts to add data object 61 to program working set entry 62. Therefore access right 622 need not be and is not stored other than temporarily while object 61 is included in working set table 334. Note that access right 622 cannot leave secure processor 33. This restriction is enforced by the structure of memory address apparatus 336, in which access rights signals are used to control the flow of data between memory 22 and ordinary data object processing unit 32, without sending the access rights information as data. This structure is similar to the structure of the access control portion of a contemporary memory management unit.
Storage of access right signals only while the corresponding object is included in working set table 334 simplifies the problem of revoking access once granted. If access rights could be retained by a user in any memory object, said access right signals could be used to obtain access to object 61 at a later time, even though the user may not have retained a working set table during the entire time since the access right signals were obtained.
The present invention, in effect, automatically revokes any outstanding access rights after the working set table is destroyed, which might occur when a user terminates the session with the processor, or when a new working set table is initialized, which might occur when a user initiates a session with the processor. The fact that access right 622 cannot leave secure processor 33 prevents users from circumventing the revocation rules by storing obsolete access rights in protected system files.

In the preferred embodiment, distinguished data objects are distinguished from ordinary data objects by having tag codes associated with the physical media in which, at any given instant, the distinguished data object is stored. Distinguished data objects may only be acted upon by special apparatus. Distinguished data objects may be included as fields within ordinary data objects, in which case they appear to the apparatus which processes ordinary data objects as forbidden fields.
The apparatus which recognizes and acts upon distinguished data objects is included in the data processing system as a separate secure processing unit with memory subject only to the control of the secure processing unit. Prior to accessing or manipulating an ordinary data object, a program executing on behalf of a user entity must transfer a distinguished data object to the secure processing unit, whereupon the secure processing unit extracts the current security context of the program, the security level of the ordinary data object denoted by that distinguished data object, and the format of the ordinary data object from the secure processing unit's memory. The secure processing unit then determines what access rights are consistent with the predetermined security policy and the predetermined access relations between subsystems and formats. The secure processing unit will permit the program to access or manipulate the ordinary data object denoted by the distinguished data object only in those modes and manners consistent with said predetermined policy and predetermined access relations.
Distinguished data objects are created under two circumstances. In the first circumstance, a program transmits to the secure processing unit a request that a new ordinary data object be created.
The request must include the characteristics of the ordinary data object to be created, such as for example its size, the manner in which information is encoded in it, and where it should be located in the system files. The request must also include the security attributes and the format of the ordinary data object to be created. The secure processing unit places in its memory the characteristics of the ordinary data object, allocates space in an appropriate physical medium, and creates a new distinguished data object that denotes the new ordinary data object. The secure processing unit then transmits the new distinguished data object to the requesting program. In the second circumstance, a program transmits a request to the secure processing unit that a distinguished data object be copied. The request must include a distinguished data object which is to be used as an original. The secure processing unit returns the new distinguished data object to the requesting program.
The preferred embodiment achieves security by six techniques used in concert. First, it collects all information into identifiable data objects. Second, it requires that for every operation on a data object the user process uses a distinguished data object which denotes said data object. Third, it is cognizant at all times of the security attributes of the user entity on whose behalf operations are being performed, including the identity of the subsystem in use. Fourth, it controls the manner in which distinguished data objects may be used to access data objects by associating with every data object a set of security attributes and a format. Fifth, it selects modes and manners of access at the time distinguished data objects are used by an operation, such that the operation can access or manipulate data objects only in modes or manners which are authorized by a predefined security policy. Sixth, it collects all programs into subsystems and restricts the mode and manner of access by programs to ordinary data objects by maintaining a predefined relation which defines allowed access by programs in a subsystem to data objects based on the format of said data objects.
Operation of the first technique is made clear by reference to Figure 6. Information stored in memory 22 of Figure 2 can only be made available to an operation 601 through local address 602. Address 602 selects, by its very nature, a field 611 within a collection of fields, said collection being data object 61. Thus all information which is accessible to an operation must be part of a data object.
Operation of the second technique is made clear by reference to Figures 6 and 7. A program accesses or manipulates information in a field by means of an instruction 60 of Figure 6 whose local address 602 selects field 611. In order to perform the computation necessary to select field 611, program working set entry 62 must be fetched. Program working set entry 62 is shown in Figure 7 to be derived from fields of distinguished data object 40 whose data object identification number 401 denotes data object 61. Thus the act of addressing a field unavoidably involves the presentation of a distinguished data object prior to the attempt to address.
Operation of the third technique is by any appropriate organization of user entity identification apparatus 31 of Figure 3 and the communication between it and current security context register 331. Apparatus 31, in conjunction with terminal 20 of Figure 2, can use any of a variety of means, such as passwords, secure and dedicated telephone lines, callback, cryptographic seals, and others, singly and in combination, in order to determine what set of attributes to place initially in register 331. At the same time, program working set table 334 is initialized by loading a set of entries 62 with access rights compatible with the content of security context register 331. During program execution, the operation code 601, in conjunction with address 602, may request a change from one subsystem to another subsystem, which then causes a different program working set table 334 to be used in accessing field 611.
Operation of the fourth technique can be made clear by reference to Figure 4, in which it can be seen that security level field 407 and format field 409 are associated with the same data object identification number 401 which selects the current address of ordinary data object 41.
Operation of the fifth technique is made clear by reference to Figure 7. Use of a distinguished data object involves its being fetched by distinguished data object processing unit 335 of Figure 3, and fields being moved from it to the program working set entry 62. Once fetched, data object identifier 401 is available to obtain security level 407 from data object characteristics table 333 of Figure 3. Current security context is always available to processing unit 335 by its accessing current security context register 331 of Figure 3. Hence the use of a distinguished data object unavoidably involves the comparison of data object security level with current security context, and hence the proper setting of access right field 622 of Figure 6 by security policy unit 332 of Figure 3. Once set, access right field 622 is unavoidably encountered by an operation seeking current address field 623 of Figure 6 in order to access field 611 of Figure 6. The restriction in modes and manners of access is therefore uniformly enforced.
Operation of the sixth technique can be made clear by reference to Figure 8. In the calculation of access right 622 of Figure 6, data object format 409 of Figure 4 and the subsystem component 3312 of the current security context register 331 of Figure 3 are compared by the subsystem/format comparer 3322 and the results of this comparison used to insure that all modes and manners of access granted by access right 622 are consistent with a predefined set of access rights allowed by programs in subsystems to data of specific formats. By reference to Figure 6 it can be seen that access right field 622 is unavoidably encountered by operation 601 of any program in the course of forming the current address 623 of field 611 to be operated upon. Thus the access right restrictions imposed by subsystem/format comparer 3322 of Figure 8 are uniformly enforced.
The mechanisms and techniques of this invention can be embodied in a variety of ways, including, but not limited to, the following two system configurations. These possible embodiments can be understood with reference to Figure 3. In the first embodiment, the functions of the ordinary data object processing unit 32 are performed by a conventional processing unit, such as a microprocessor which provides signals concerning the types of access being requested in a memory access request. The functions of the memory address apparatus 336 are performed by a hardware module positioned between the ordinary data object processing unit 32 and the bus which connects the processor to memory units 22. The program working set table would be contained either within the module performing the functions of the memory address apparatus 336 or in a memory unit easily accessible from that unit, said memory unit being protected against attempts to access its contents from the ordinary data processor 32. The functions of the distinguished data object processing unit 335 could be implemented in a special hardware module attached to the memory bus or attached by means of a dedicated connection to the memory address apparatus 336. The memory units 22 would be modified to include tags associated with each addressable entity and to communicate said tag values along with the contents of the addressable entities on the bus.
The memory address apparatus would examine the value of the tag field associated with incoming data, and would control the flow of such information so as to guarantee that the ordinary data object processing unit 32 is never sent the contents of any object whose tag value indicates that it is contained within a distinguished data object.
In the second embodiment, the functions of the ordinary data object processing unit 32 are performed by a conventional processor, such as a minicomputer, and the functions of the distinguished data object processing unit 335 are performed by a suitably programmed microprocessor. The memory address apparatus could be implemented as described above for the first embodiment. It is readily seen by persons experienced in the art of computer systems design that other embodiments are possible, including one in which all operations are performed in the same processing unit, with the tag values of the operands serving to limit the functions which can be performed on those operands.
In either embodiment, the tag fields and therefore the distinction between ordinary and distinguished data objects may be omitted. In the resulting embodiment, any data object of the proper size may be submitted to distinguished data object processing unit 335 and interpreted by said unit as a data object identification number 401 of Figure 4. It is clear to anyone well versed in the art of computer systems design that while such an embodiment may produce unanticipated results for operations, all such results will be consistent with the predefined security policy and the predefined set of accesses allowed by subsystems to information of specific formats.
If the distinction between ordinary and distinguished data objects is maintained through tagging, then distinguished data objects may be written more freely than ordinary data objects. In particular, it would be possible to permit distinguished data objects to be copied (which is a form of writing) into ordinary data objects in certain circumstances under which the copying of ordinary information would be forbidden by the preexisting policy, in such a manner that visible information flows do not violate the preexisting policy. Allowing such operations permits a greater degree of freedom in the design of programs without compromising security.
It should be clear to one well versed in the art of computer system design that the present invention, though described above for a processor having a single user terminal, can be effectively adapted to create a computer system having a multiplicity of user terminals. As is known in related art, processors can be switched among programs associated with different users providing that state information regarding a user's program is saved when the program is switched out and reliably restored when the program is switched back in to the processor.
Adapting the above technique to the present invention requires that the state of a user program include the contents of the current security context register 331 of Figure 3 and the contents of the program working set table 334 of Figure 3.
It should also be clear to one well-versed in the art of computer system design that the operation of setting access right 622 may be performed at any time prior to performing operation 601. In general, the later it is performed the more often it is performed. The more often it is performed, the longer the machine will take to execute a program comprised of sets of operations 601. The more often it is performed, the more frequently data characteristics table 333 will be consulted, and hence the more rapidly that changes to that table will be reflected in the restrictions imposed on the behavior of programs. There accordingly exists a range of embodiments of this invention in which different tradeoffs are made between the performance of programs and the timeliness of the data security characteristics which control the accesses made by those programs. A common case in which data access characteristics change is when the access granted to a user by name is granted or revoked. If access right 622 is recomputed for each operation 601, then the grant or revocation will be effective on the very next operation. If access right 622 is recomputed at some greater interval, then some number of operations 601 may execute under the control of an obsolete value of field 622.
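The following is an added illustration of the tradeoff just described; it is code written for this page, not the patent's own. It assumes the simplest policy the text mentions, matching of a user name against a list of authorized users held in data characteristics table 333, a single working set entry 62, and a recomputation "interval" measured in operations 601 (interval 1 recomputes for every operation; interval equal to the number of operations computes access right 622 once, when the object joins the working set). The user name and the revocation point are constructed.

```python
class CharacteristicsTable:
    """The part of table 333 consulted here: for one object, the names of the
    users authorized to read it (constructed; the patent leaves the form open)."""

    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)

    def revoke(self, user):
        self.authorized.discard(user)

    def grant(self, user):
        self.authorized.add(user)


def compute_access_right(table, user):
    """Access right 622 for `user`, by name-matching against the table."""
    return frozenset({"read"}) if user in table.authorized else frozenset()


def run_operations(table, user, n_ops, interval, revoke_before_op):
    """Execute n_ops operations 601 against one working set entry 62.

    Access right 622 is recomputed before operation k whenever k % interval == 0.
    The user's authorization is revoked in table 333 just before operation
    revoke_before_op (0-based). Returns, per operation, whether memory address
    apparatus 336 would have let it proceed."""
    permitted = []
    right = frozenset()
    for op in range(n_ops):
        if op == revoke_before_op:
            table.revoke(user)
        if op % interval == 0:
            right = compute_access_right(table, user)
        permitted.append("read" in right)
    return permitted


def tradeoff(n_ops, interval, revoke_before_op, user="alice"):
    """Return (number of recomputations, operations run under an obsolete 622)."""
    table = CharacteristicsTable({user})
    permitted = run_operations(table, user, n_ops, interval, revoke_before_op)
    recomputations = sum(1 for op in range(n_ops) if op % interval == 0)
    obsolete = sum(1 for op, ok in enumerate(permitted) if ok and op >= revoke_before_op)
    return recomputations, obsolete


if __name__ == "__main__":
    for interval in (1, 4, 8):
        recomputed, stale = tradeoff(n_ops=8, interval=interval, revoke_before_op=2)
        print(f"interval {interval}: {recomputed} recomputations, "
              f"{stale} operations under an obsolete access right")
```

With eight operations and a revocation before the third, recomputing every time costs eight consultations of table 333 and lets no operation through after the revocation; computing once at working-set entry time costs a single consultation but lets the remaining six operations run on the stale right. Any intermediate interval sits between those two points, which is the range of embodiments the text describes.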
Many changes and modifications in the above-described embodiments of the invention can, of course, be carried out without departing from the scope thereof. Accordingly, the scope of the invention is to be limited only by the scope of the accompanying claims.
What is claimed is:

Claims (17)

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A data processing system having protected system files, wherein each protected system file is associated with a data format and wherein said data processing system operates in response to programs or groups of programs which perform specific tasks, comprising: identification means for identifying a user interacting with said data processing system, said identification means relating preselected security attributes with said user; and secure processor, connected to said identification means, for storing, at least temporarily, a security policy and for processing data in accordance with said security policy, said security policy defining permissible access rights to said protected system files in terms of possible values of data formats, possible values of said preselected security attributes and functions of said specific tasks, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor, said secure processor having generating means for generating an access rights signal for any one of said protected system files, said access rights signal being determined by a comparison of said security policy to said predetermined security attributes, said data format associated with said any one of said protected system files and any functions to be performed with or upon said any one of said protected system files.
2. The data processing system of claim 1 further comprising, determining means, connected to said generating means, for determining permissible access to said any one of said protected system files each time a function attempts to access said any one of said protected system files by comparing said access rights signal to said function.
3. The data processing system of claim 2 further comprising: overriding means, connected to said determining means, for overriding said access right signal in response to selected of said programs or groups of programs.
4. The data processing system of claim 2 wherein, each of said protected system files is associated with a security level; said security policy further defines permissible access rights to said protected system files in terms of possible values of security levels; and said access rights generating means includes a comparison of said security policy to the security level associated with said any one of said protected system files.
5. The data processing system of claim 4 wherein said specific tasks include: outputting said protected system files, and labelling said protected system files when said protected system files are output.
6. A data processing system having protected system files, wherein each protected system file is associated with a security level and wherein said data processing system attempts to perform operations with or upon said protected files in response to programs or groups of programs, comprising:
identification means for identifying a user, said identification means relating preselected security attributes with said user; secure processor, connected to said identification means, for storing, at least temporarily, a security policy and for processing data in accordance with said security policy in response to said programs, said security policy defining permissible access rights to said protected system files in terms of possible values of said preselected security attributes and possible values of security levels, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor, said secure processor having generating means for generating an access rights signal for any one of said protected system files; said access rights signal being determined by a comparison of said security policy to said preselected security attributes and the security level associated with said any one of said protected system files, and said secure processor having prohibiting means, connected to said generating means, for prohibiting said access rights signal from exiting said secure processor; and storage means, connected to said secure processor, for storing said protected system files, access to protected system storage means being controlled by said secure processor.
7. The data processing system of claim 6 wherein: said protected system files are further associated with a data format; said program or groups of programs perform specific tasks; said security policy further defines permissible formats of said protected system files in terms of possible values of data formats, possible values of said preselected security attributes and functions of said specific tasks; and said access rights generating means includes a security attribute comparator and a format comparator, wherein said security attribute comparator compares said security policy to said security level associated with said any one of said protected system files and said preselected security attributes, and said format comparator compares said security policy to a data format associated with said any one of said protected system files and any functions to be performed with or upon said any one of said protected system files.
8. The data processing system of claim 7 further comprising: determining means, connected to said generating means, for determining permissible access to said any one of said protected system files each time a function attempts to access said any one of said protected system files by comparing said access rights signal to said function.
9. The data processing system of claim 8 further comprising: overriding means, connected to said determining means, for overriding said access right signal in response to selected of said programs or groups of programs.
10. The data processing system of claim 7 wherein: one and only one of said security attribute comparator or said format comparator generates a provisional access rights signal, with another of said security attribute comparator or said format comparator receiving and deleting from said provisional access rights signal any access right not permitted by a comparison with said security policy made in another comparator, so that said access rights signal is generated.
11. A method of protecting system files in a data processing system, wherein each system file to be protected is associated with a security level and wherein said data processing system attempts to perform operations with or upon protected system files in response to programs or groups of programs, comprising: identifying a user, an identification relating preselected security attributes with said user;
storing, at least temporarily, a security policy in a secure processor, said security policy defining permissible access rights for protected system files in terms of possible values of said preselected security attributes and possible values of security levels, and wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor; processing protected system files in accordance with said security policy; and generating an access rights signal for any one of protected system files, said access rights signal being determined by a comparison of said security policy to said preselected attributes and security level associated with said any one of protected system files, an access rights signal generating means being a portion of said secure processor; and prohibiting said access rights signal from exiting said secure processor.
12. The method of claim 11 further including: determining permissible access to said any one of protected system files each time an operation attempts to access said any one of protected system files by comparing said access rights signal to said operation.
13. The method of claim 12 further including: overriding said access right signal in response to selected of said programs or groups of programs.
14. A method of protecting system files in a data processing system, wherein each system file to be protected is associated with a data format and wherein said data processing system operates in response to programs or groups of programs which perform specific tasks, comprising: identifying a user interacting with said data processing system, an identification relating preselected security attributes with said user;
storing, at least temporarily, a security policy in a secure processor, said security policy defining permissible access rights to protected system files as a function of possible values of data formats, possible values of said preselected security attributes and functions of specific tasks, wherein data stored in said secure processor can be altered only by a director entity of said data processing system and retrieved only by portions of said secure processor; processing protected system files and said secure processor in accordance with said security policy; and generating an access rights signal for any one of protected system files, said access rights signal being determined by a comparison of said security policy to said preselected security attributes, said data format associated with said any one of protected system files and any function to be performed with or upon said any one of protected system files.
15. The method of claim 14, further including:
determining permissible access to said any one of protected system files each time a function attempts to access said any one of protected system files by comparing said access rights signal to said function.
16. The method of claim 15 further including: overriding said access right signal in response to selected of said programs or groups of programs.
17. The method of claim 15 wherein, said security policy further defines permissible access rights of protected system files in terms of possible values of security levels; and said generating includes a comparison of said security policy to a security level associated with said any one of protected system files in determining said access rights signal.
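The comparator arrangement recited in claims 6 through 10 (a security attribute comparator and a format comparator, one producing a provisional access rights signal and the other deleting rights the policy does not permit, with the resulting signal confined to the secure processor and only a per-operation decision leaving it) is modelled below as an added Python example. It is not code from the patent, from Honeywell or from the inventors. Everything concrete in it is assumed: the four level names, the Bell-LaPadula-style no-read-up/no-write-down rule that stands in for the level comparison, the format rule table keyed by (data format, task), the task and file names, and the `DirectorToken` capability that stands in for the director entity permitted to alter policy data.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    """Individual access rights carried in an access rights signal."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    OUTPUT = auto()


# Assumed linear ordering of security levels (the claims name none).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str          # the user's preselected security attribute


@dataclass(frozen=True)
class ProtectedFile:
    name: str
    level: str              # security level associated with the file
    fmt: str                # data format associated with the file


@dataclass
class SecurityPolicy:
    # Format rule (assumed encoding): (data format, task) -> rights that task may hold.
    format_rules: dict
    # Tasks allowed to override the access rights signal (claim 9's overriding means).
    trusted_tasks: frozenset


class DirectorToken:
    """Capability held only by the director entity; required to alter policy data."""


class SecureProcessor:
    def __init__(self, director: DirectorToken, policy: SecurityPolicy):
        self._director = director
        self._policy = policy
        self._signals = {}      # access rights signals; never returned to callers

    def load_policy(self, token, policy: SecurityPolicy):
        # Policy data stored in the secure processor may be altered only by the director.
        if token is not self._director:
            raise PermissionError("only the director entity may alter the security policy")
        self._policy = policy
        self._signals.clear()

    def _level_comparator(self, user: User, f: ProtectedFile) -> Right:
        # Security attribute comparator: assumed multilevel rule, read/output only at or
        # below the clearance, write only at or above it (no read-up, no write-down).
        u, l = LEVELS[user.clearance], LEVELS[f.level]
        rights = Right.NONE
        if u >= l:
            rights |= Right.READ | Right.OUTPUT
        if u <= l:
            rights |= Right.WRITE
        return rights

    def _format_comparator(self, f: ProtectedFile, task: str, provisional: Right) -> Right:
        # Format comparator: delete from the provisional signal every right the
        # policy does not permit for this data format and task (claim 10).
        allowed = self._policy.format_rules.get((f.fmt, task), Right.NONE)
        return provisional & allowed

    def _generate(self, user: User, f: ProtectedFile, task: str) -> Right:
        # The finished signal is cached inside the processor and never handed out.
        key = (user, f, task)
        if key not in self._signals:
            provisional = self._level_comparator(user, f)
            self._signals[key] = self._format_comparator(f, task, provisional)
        return self._signals[key]

    def permitted(self, user: User, f: ProtectedFile, task: str, operation: Right) -> bool:
        """Determining means (claim 8): only a yes/no decision leaves the processor."""
        if task in self._policy.trusted_tasks:
            return True                      # overriding means for selected programs
        return operation in self._generate(user, f, task)


def demo() -> dict:
    """Exercise the processor on constructed users, files, tasks and policy."""
    director = DirectorToken()
    policy = SecurityPolicy(
        format_rules={
            ("text", "editor"): Right.READ | Right.WRITE,
            ("text", "printer"): Right.READ | Right.OUTPUT,
            ("keyfile", "keymgr"): Right.READ | Right.WRITE,
            # no ("keyfile", "editor") entry: an editor holds no rights on key files
        },
        trusted_tasks=frozenset({"audit_export"}),
    )
    sp = SecureProcessor(director, policy)
    alice, bob = User("alice", "SECRET"), User("bob", "UNCLASSIFIED")
    report = ProtectedFile("report.txt", "SECRET", "text")
    plan = ProtectedFile("plan.txt", "TOP_SECRET", "text")
    memo = ProtectedFile("memo.txt", "UNCLASSIFIED", "text")
    keys = ProtectedFile("master.key", "SECRET", "keyfile")
    results = {
        "read_same_level": sp.permitted(alice, report, "editor", Right.READ),
        "read_up_denied": sp.permitted(alice, plan, "editor", Right.READ),
        "write_up_allowed": sp.permitted(alice, plan, "editor", Right.WRITE),
        "write_down_denied": sp.permitted(alice, memo, "editor", Right.WRITE),
        "format_blocks_editor_on_keys": sp.permitted(alice, keys, "editor", Right.READ),
        "keymgr_reads_keys": sp.permitted(alice, keys, "keymgr", Right.READ),
        "uncleared_output_denied": sp.permitted(bob, report, "printer", Right.OUTPUT),
        "cleared_output_allowed": sp.permitted(alice, report, "printer", Right.OUTPUT),
        "trusted_override": sp.permitted(bob, plan, "audit_export", Right.READ),
    }
    try:
        sp.load_policy(object(), policy)     # not the director: must be refused
        results["policy_change_rejected"] = False
    except PermissionError:
        results["policy_change_rejected"] = True
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'permit' if decision else 'deny'}")
```

The `format_blocks_editor_on_keys` case is the one the claims add over a plain multilevel check: Alice is cleared for the key file's level, so the level comparator grants read, but the format comparator deletes that right because the policy gives an editor no rights over the `keyfile` format. Only `permitted()` is public and it returns a boolean, which is how the example keeps the access rights signal from exiting the secure processor.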
CA000501435A 1985-02-21 1986-02-10 Secure data processing system architecture with format control Expired CA1252907A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US703,638 1985-02-21
US06/703,638 US4713753A (en) 1985-02-21 1985-02-21 Secure data processing system architecture with format control

Publications (1)

Publication Number Publication Date
CA1252907A true CA1252907A (en) 1989-04-18

Family

ID=24826202

Family Applications (1)

Application Number Title Priority Date Filing Date
CA000501435A Expired CA1252907A (en) 1985-02-21 1986-02-10 Secure data processing system architecture with format control

Country Status (7)

Country Link
US (1) US4713753A (en)
EP (1) EP0192243B1 (en)
JP (1) JPH0812645B2 (en)
KR (1) KR910005995B1 (en)
CA (1) CA1252907A (en)
DE (1) DE3689569T2 (en)
IL (1) IL77504A (en)

Families Citing this family (191)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4799258A (en) * 1984-02-13 1989-01-17 National Research Development Corporation Apparatus and methods for granting access to computers
DK190784D0 (en) * 1984-04-12 1984-04-12 Pengeinst Koebe Kreditkort METHOD AND APPARATUS FOR DATA TRANSMISSION
GB8619989D0 (en) * 1986-08-16 1986-09-24 Modray Ltd Controlling length of time
US4977594A (en) * 1986-10-14 1990-12-11 Electronic Publishing Resources, Inc. Database usage metering and protection system and method
US5050213A (en) * 1986-10-14 1991-09-17 Electronic Publishing Resources, Inc. Database usage metering and protection system and method
WO1988003287A1 (en) * 1986-10-24 1988-05-05 Harcom Security Systems Corporation Computer security system
US4951249A (en) * 1986-10-24 1990-08-21 Harcom Security Systems Corp. Method and apparatus for controlled access to a computer system
US5361341A (en) * 1987-10-02 1994-11-01 Sgs-Thomson Microelectronics, S.A. Device for enabling the use of the contents of memory areas of an electronic microprocessor system
US5075884A (en) * 1987-12-23 1991-12-24 Loral Aerospace Corp. Multilevel secure workstation
JPH01175057A (en) * 1987-12-28 1989-07-11 Toshiba Corp Dynamic control method for security
US4881179A (en) * 1988-03-11 1989-11-14 International Business Machines Corp. Method for providing information security protocols to an electronic calendar
US4993030A (en) * 1988-04-22 1991-02-12 Amdahl Corporation File system for a plurality of storage classes
US5101374A (en) * 1988-05-19 1992-03-31 The United States Of America As Represented By The Director Of The National Security Agency Secure, fast storage and retrieval without interactive checking
US5235681A (en) * 1988-06-22 1993-08-10 Hitachi, Ltd. Image filing system for protecting partial regions of image data of a document
US4924514A (en) * 1988-08-26 1990-05-08 International Business Machines Corporation Personal identification number processing using control vectors
US4924515A (en) * 1988-08-29 1990-05-08 International Business Machines Corporation Secure management of keys using extended control vectors
US5313637A (en) * 1988-11-29 1994-05-17 Rose David K Method and apparatus for validating authorization to access information in an information processing system
JPH02202642A (en) * 1989-02-01 1990-08-10 Toshiba Corp Device for supervising program action
US4941175A (en) * 1989-02-24 1990-07-10 International Business Machines Corporation Tamper-resistant method for authorizing access to data between a host and a predetermined number of attached workstations
JPH0820944B2 (en) * 1989-03-20 1996-03-04 株式会社日立製作所 Computerized information creation device
US5065429A (en) * 1989-04-03 1991-11-12 Lang Gerald S Method and apparatus for protecting material on storage media
US5144659A (en) * 1989-04-19 1992-09-01 Richard P. Jones Computer file protection system
US5187790A (en) * 1989-06-29 1993-02-16 Digital Equipment Corporation Server impersonation of client processes in an object based computer operating system
JPH03209526A (en) * 1989-10-23 1991-09-12 Internatl Business Mach Corp <Ibm> Object directional computer system
US5469556A (en) * 1989-12-12 1995-11-21 Harris Corporation Resource access security system for controlling access to resources of a data processing system
GB9003112D0 (en) * 1990-02-12 1990-04-11 Int Computers Ltd Access control mechanism
US5574912A (en) * 1990-05-04 1996-11-12 Digital Equipment Corporation Lattice scheduler method for reducing the impact of covert-channel countermeasures
US5052040A (en) * 1990-05-25 1991-09-24 Micronyx, Inc. Multiple user stored data cryptographic labeling system and method
GB2246457A (en) * 1990-07-25 1992-01-29 Bluetron Limited Controlling access to stored data
US5077795A (en) * 1990-09-28 1991-12-31 Xerox Corporation Security system for electronic printing systems
JPH04205043A (en) * 1990-11-29 1992-07-27 Mitsubishi Electric Corp Semiconductor memory device
JPH05303531A (en) * 1991-01-31 1993-11-16 Fields Software Group Inc Electronic system and method for processing format
US5504814A (en) * 1991-07-10 1996-04-02 Hughes Aircraft Company Efficient security kernel for the 80960 extended architecture
US5475833A (en) * 1991-09-04 1995-12-12 International Business Machines Corporation Database system for facilitating comparison of related information stored in a distributed resource
US5627967A (en) * 1991-09-24 1997-05-06 International Business Machines Corporation Automated generation on file access control system commands in a data processing system with front end processing of a master list
US5210571A (en) * 1991-09-26 1993-05-11 Xerox Corporation System for servicing electronic printers and printing systems
WO1993011480A1 (en) * 1991-11-27 1993-06-10 Intergraph Corporation System and method for network license administration
US5301231A (en) * 1992-02-12 1994-04-05 International Business Machines Corporation User defined function facility
US5276735A (en) * 1992-04-17 1994-01-04 Secure Computing Corporation Data enclave and trusted path system
DE69316009T2 (en) * 1992-06-12 1998-04-23 Dow Chemical Co SAFE FRONT END CONNECTION SYSTEM AND METHOD FOR PROCESS CONTROLLER
EP0645033B1 (en) * 1992-06-12 1996-12-04 The Dow Chemical Company Intelligent process control communication system and method
US5596718A (en) * 1992-07-10 1997-01-21 Secure Computing Corporation Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
US5428795A (en) * 1992-07-31 1995-06-27 International Business Machines Corporation Method of and apparatus for providing automatic security control of distributions within a data processing system
US5446903A (en) * 1993-05-04 1995-08-29 International Business Machines Corporation Method and apparatus for controlling access to data elements in a data processing system based on status of an industrial process by mapping user's security categories and industrial process steps
US5369702A (en) * 1993-10-18 1994-11-29 Tecsec Incorporated Distributed cryptographic object method
US5680452A (en) * 1993-10-18 1997-10-21 Tecsec Inc. Distributed cryptographic object method
US5469363A (en) * 1994-05-19 1995-11-21 Saliga; Thomas V. Electronic tag with source certification capability
US5864683A (en) * 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
JPH08129507A (en) * 1994-10-31 1996-05-21 Ricoh Co Ltd Information storage management system
US5742826A (en) * 1994-11-09 1998-04-21 International Business Machines Corporation Object encapsulation protection apparatus
US6963859B2 (en) 1994-11-23 2005-11-08 Contentguard Holdings, Inc. Content rendering repository
US7117180B1 (en) 1994-11-23 2006-10-03 Contentguard Holdings, Inc. System for controlling the use of digital works using removable content repositories
JPH08263438A (en) 1994-11-23 1996-10-11 Xerox Corp Distribution and use control system of digital work and access control method to digital work
US6865551B1 (en) 1994-11-23 2005-03-08 Contentguard Holdings, Inc. Removable content repositories
SE504085C2 (en) * 1995-02-01 1996-11-04 Greg Benson Methods and systems for managing data objects in accordance with predetermined conditions for users
US5943422A (en) 1996-08-12 1999-08-24 Intertrust Technologies Corp. Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels
US7095854B1 (en) * 1995-02-13 2006-08-22 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US6157721A (en) 1996-08-12 2000-12-05 Intertrust Technologies Corp. Systems and methods using cryptography to protect secure computing environments
US6948070B1 (en) * 1995-02-13 2005-09-20 Intertrust Technologies Corporation Systems and methods for secure transaction management and electronic rights protection
US7133845B1 (en) * 1995-02-13 2006-11-07 Intertrust Technologies Corp. System and methods for secure transaction management and electronic rights protection
US6658568B1 (en) 1995-02-13 2003-12-02 Intertrust Technologies Corporation Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management
US7133846B1 (en) 1995-02-13 2006-11-07 Intertrust Technologies Corp. Digital certificate support system, methods and techniques for secure electronic commerce transaction and rights management
US5892900A (en) * 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
DE69637733D1 (en) * 1995-02-13 2008-12-11 Intertrust Tech Corp SYSTEMS AND METHOD FOR SAFE TRANSMISSION
WO1996030840A1 (en) * 1995-03-31 1996-10-03 The Commonwealth Of Australia Method and means for interconnecting different security level networks
US6011847A (en) * 1995-06-01 2000-01-04 Follendore, Iii; Roy D. Cryptographic access and labeling system
US5819275A (en) * 1995-06-07 1998-10-06 Trusted Information Systems, Inc. System and method for superimposing attributes on hierarchically organized file systems
US6047288A (en) * 1995-07-20 2000-04-04 Canon Kabushiki Kaisha Group environment setting method and system thereof to provide an equivalent environment for plural participants
US5757924A (en) * 1995-09-18 1998-05-26 Digital Secured Networks Technologies, Inc. Network security device which performs MAC address translation without affecting the IP address
US5859966A (en) * 1995-10-10 1999-01-12 Data General Corporation Security system for computer systems
US5898830A (en) 1996-10-17 1999-04-27 Network Engineering Software Firewall providing enhanced network security and user transparency
US5826014A (en) * 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
US5913024A (en) * 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US5867647A (en) * 1996-02-09 1999-02-02 Secure Computing Corporation System and method for securing compiled program code
US5918018A (en) * 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US20010011253A1 (en) * 1998-08-04 2001-08-02 Christopher D. Coley Automated system for management of licensed software
US6263442B1 (en) * 1996-05-30 2001-07-17 Sun Microsystems, Inc. System and method for securing a program's execution in a network environment
US5727145A (en) * 1996-06-26 1998-03-10 Sun Microsystems, Inc. Mechanism for locating objects in a secure fashion
US7770230B2 (en) * 2002-04-22 2010-08-03 Arvato Digital Services Canada, Inc. System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software
US7356847B2 (en) * 1996-06-28 2008-04-08 Protexis, Inc. System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software
US7010697B2 (en) * 1996-06-28 2006-03-07 Protexis, Inc. System for dynamically encrypting information for secure internet commerce and providing embedded fulfillment software
US5809145A (en) * 1996-06-28 1998-09-15 Paradata Systems Inc. System for distributing digital information
US5987123A (en) * 1996-07-03 1999-11-16 Sun Microsystems, Incorporated Secure file system
US6003084A (en) * 1996-09-13 1999-12-14 Secure Computing Corporation Secure network proxy for connecting entities
US6072942A (en) * 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US6144934A (en) * 1996-09-18 2000-11-07 Secure Computing Corporation Binary filter using pattern recognition
US5950195A (en) * 1996-09-18 1999-09-07 Secure Computing Corporation Generalized security policy management system and method
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5915087A (en) * 1996-12-12 1999-06-22 Secure Computing Corporation Transparent security proxy for unreliable message exchange protocols
EP0951767A2 (en) 1997-01-03 1999-10-27 Fortress Technologies, Inc. Improved network security device
US5968133A (en) * 1997-01-10 1999-10-19 Secure Computing Corporation Enhanced security network time synchronization device and method
US7212632B2 (en) 1998-02-13 2007-05-01 Tecsec, Inc. Cryptographic key split combiner
US6105132A (en) * 1997-02-20 2000-08-15 Novell, Inc. Computer network graded authentication system and method
US5896499A (en) * 1997-02-21 1999-04-20 International Business Machines Corporation Embedded security processor
US5920861A (en) * 1997-02-25 1999-07-06 Intertrust Technologies Corp. Techniques for defining using and manipulating rights management data structures
US6233684B1 (en) 1997-02-28 2001-05-15 Contentguard Holdings, Inc. System for controlling the distribution and use of rendered digital works through watermarking
US6694433B1 (en) 1997-05-08 2004-02-17 Tecsec, Inc. XML encryption scheme
TW393630B (en) * 1997-07-24 2000-06-11 Checkpoint Systems Inc Protocol for storage and retrieval of data in an RFID tag which uses objects
GB2329497B (en) * 1997-09-19 2001-01-31 Ibm Method for controlling access to electronically provided services and system for implementing such method
US6192408B1 (en) * 1997-09-26 2001-02-20 Emc Corporation Network file server sharing local caches of file access information in data processors assigned to respective file systems
US6112181A (en) * 1997-11-06 2000-08-29 Intertrust Technologies Corporation Systems and methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information
US7079653B2 (en) * 1998-02-13 2006-07-18 Tecsec, Inc. Cryptographic key split binding process and apparatus
US7095852B2 (en) * 1998-02-13 2006-08-22 Tecsec, Inc. Cryptographic key split binder for use with tagged data elements
US8077870B2 (en) * 1998-02-13 2011-12-13 Tecsec, Inc. Cryptographic key split binder for use with tagged data elements
US6357010B1 (en) 1998-02-17 2002-03-12 Secure Computing Corporation System and method for controlling access to documents stored on an internal network
US6321336B1 (en) 1998-03-13 2001-11-20 Secure Computing Corporation System and method for redirecting network traffic to provide secure communication
US7233948B1 (en) 1998-03-16 2007-06-19 Intertrust Technologies Corp. Methods and apparatus for persistent control and protection of content
US6182226B1 (en) 1998-03-18 2001-01-30 Secure Computing Corporation System and method for controlling interactions between networks
US6453419B1 (en) 1998-03-18 2002-09-17 Secure Computing Corporation System and method for implementing a security policy
US6160903A (en) * 1998-04-24 2000-12-12 Dew Engineering And Development Limited Method of providing secure user access
WO1999059058A1 (en) * 1998-05-14 1999-11-18 Sega Enterprises, Ltd. Information processor, information processing method, information recorded medium, and information processing system
US6223288B1 (en) 1998-05-22 2001-04-24 Protexis Inc. System for persistently encrypting critical software file to prevent installation of software program on unauthorized computers
US7013305B2 (en) 2001-10-01 2006-03-14 International Business Machines Corporation Managing the state of coupling facility structures, detecting by one or more systems coupled to the coupling facility, the suspended state of the duplexed command, detecting being independent of message exchange
AUPP660298A0 (en) * 1998-10-20 1998-11-12 Canon Kabushiki Kaisha Apparatus and method for preventing disclosure of protected information
US7068787B1 (en) 1998-10-23 2006-06-27 Contentguard Holdings, Inc. System and method for protection of digital works
US6937726B1 (en) 1999-04-06 2005-08-30 Contentguard Holdings, Inc. System and method for protecting data files by periodically refreshing a decryption key
US7286665B1 (en) 1999-04-06 2007-10-23 Contentguard Holdings, Inc. System and method for transferring the right to decode messages
US6859533B1 (en) 1999-04-06 2005-02-22 Contentguard Holdings, Inc. System and method for transferring the right to decode messages in a symmetric encoding scheme
US7356688B1 (en) 1999-04-06 2008-04-08 Contentguard Holdings, Inc. System and method for document distribution
US7243236B1 (en) 1999-07-29 2007-07-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure and insecure computing environments
US6708276B1 (en) 1999-08-03 2004-03-16 International Business Machines Corporation Architecture for denied permissions in Java
US6885748B1 (en) 1999-10-23 2005-04-26 Contentguard Holdings, Inc. System and method for protection of digital works
JP2001219440A (en) * 2000-02-09 2001-08-14 Sony Disc Technology Inc Multi-cavity molding apparatus and its molding method
JP3891539B2 (en) * 2000-06-15 2007-03-14 シャープ株式会社 Semiconductor device and control device thereof
US20040073617A1 (en) 2000-06-19 2004-04-15 Milliken Walter Clark Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US7350204B2 (en) * 2000-07-24 2008-03-25 Microsoft Corporation Policies for secure software execution
US7257581B1 (en) 2000-08-04 2007-08-14 Guardian Networks, Llc Storage, management and distribution of consumer information
US9928508B2 (en) 2000-08-04 2018-03-27 Intellectual Ventures I Llc Single sign-on for access to a central data repository
US8566248B1 (en) 2000-08-04 2013-10-22 Grdn. Net Solutions, Llc Initiation of an information transaction over a network via a wireless device
DE10038779A1 (en) * 2000-08-09 2002-03-07 Schneider Automation Gmbh Method for transferring data into or from a control device such as a programmable logic controller and control device
US6931545B1 (en) 2000-08-28 2005-08-16 Contentguard Holdings, Inc. Systems and methods for integrity certification and verification of content consumption environments
US7743259B2 (en) 2000-08-28 2010-06-22 Contentguard Holdings, Inc. System and method for digital rights management using a standard rendering engine
US7073199B1 (en) 2000-08-28 2006-07-04 Contentguard Holdings, Inc. Document distribution management method and apparatus using a standard rendering engine and a method and apparatus for controlling a standard rendering engine
US7412605B2 (en) 2000-08-28 2008-08-12 Contentguard Holdings, Inc. Method and apparatus for variable encryption of data
US20030021417A1 (en) * 2000-10-20 2003-01-30 Ognjen Vasic Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
US7362868B2 (en) * 2000-10-20 2008-04-22 Eruces, Inc. Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
US7343324B2 (en) 2000-11-03 2008-03-11 Contentguard Holdings Inc. Method, system, and computer readable medium for automatically publishing content
DE10058391C2 (en) * 2000-11-24 2003-06-18 Siemens Ag Object processing device
US6912294B2 (en) 2000-12-29 2005-06-28 Contentguard Holdings, Inc. Multi-stage watermarking process and system
WO2002057922A1 (en) 2001-01-17 2002-07-25 Contentguard Holdings, Inc. Method and apparatus for managing digital content usage rights
US6754642B2 (en) 2001-05-31 2004-06-22 Contentguard Holdings, Inc. Method and apparatus for dynamically assigning usage rights to digital works
US7774279B2 (en) 2001-05-31 2010-08-10 Contentguard Holdings, Inc. Rights offering and granting
US7028009B2 (en) 2001-01-17 2006-04-11 Contentguard Holdings, Inc. Method and apparatus for distributing enforceable property rights
US7206765B2 (en) 2001-01-17 2007-04-17 Contentguard Holdings, Inc. System and method for supplying and managing usage rights based on rules
US8069116B2 (en) 2001-01-17 2011-11-29 Contentguard Holdings, Inc. System and method for supplying and managing usage rights associated with an item repository
JP4089171B2 (en) * 2001-04-24 2008-05-28 株式会社日立製作所 Computer system
US6973445B2 (en) 2001-05-31 2005-12-06 Contentguard Holdings, Inc. Demarcated digital content and method for creating and processing demarcated digital works
US8099364B2 (en) 2001-05-31 2012-01-17 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US6876984B2 (en) 2001-05-31 2005-04-05 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
US8275716B2 (en) 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Method and system for subscription digital rights management
US8001053B2 (en) 2001-05-31 2011-08-16 Contentguard Holdings, Inc. System and method for rights offering and granting using shared state variables
US8275709B2 (en) 2001-05-31 2012-09-25 Contentguard Holdings, Inc. Digital rights management of content when content is a future live event
US7222104B2 (en) 2001-05-31 2007-05-22 Contentguard Holdings, Inc. Method and apparatus for transferring usage rights and digital work having transferrable usage rights
US7152046B2 (en) 2001-05-31 2006-12-19 Contentguard Holdings, Inc. Method and apparatus for tracking status of resource in a system for managing use of the resources
US6895503B2 (en) 2001-05-31 2005-05-17 Contentguard Holdings, Inc. Method and apparatus for hierarchical assignment of rights to documents and documents having such rights
US7725401B2 (en) 2001-05-31 2010-05-25 Contentguard Holdings, Inc. Method and apparatus for establishing usage rights for digital content to be created in the future
US6976009B2 (en) 2001-05-31 2005-12-13 Contentguard Holdings, Inc. Method and apparatus for assigning consequential rights to documents and documents having such rights
AU2002312351B2 (en) * 2001-06-07 2006-11-30 Contentguard Holdings, Inc. Method and apparatus managing the transfer of rights
US7774280B2 (en) * 2001-06-07 2010-08-10 Contentguard Holdings, Inc. System and method for managing transfer of rights using shared state variables
KR20030096250A (en) 2001-06-07 2003-12-24 콘텐트가드 홀딩즈 인코포레이티드 Method and apparatus for supporting multiple trust zones in a digital rights management system
WO2002101494A2 (en) 2001-06-07 2002-12-19 Contentguard Holdings, Inc. Protected content distribution system
WO2003034308A1 (en) * 2001-10-15 2003-04-24 Kent Ridge Digital Labs Electronic document management system
CN100350343C (en) * 2002-03-13 2007-11-21 松下电器产业株式会社 Secure device
GB2386710A (en) * 2002-03-18 2003-09-24 Hewlett Packard Co Controlling access to data or documents
WO2003104947A2 (en) 2002-06-06 2003-12-18 Hardt Dick C Distributed hierarchical identity management
US7194626B2 (en) * 2002-11-21 2007-03-20 International Business Machines Corporation Hardware-based secure code authentication
US8140824B2 (en) * 2002-11-21 2012-03-20 International Business Machines Corporation Secure code authentication
US7171563B2 (en) * 2003-05-15 2007-01-30 International Business Machines Corporation Method and system for ensuring security of code in a system on a chip
US7444668B2 (en) * 2003-05-29 2008-10-28 Freescale Semiconductor, Inc. Method and apparatus for determining access permission
JP4624732B2 (en) * 2003-07-16 2011-02-02 パナソニック株式会社 how to access
US7921299B1 (en) * 2003-12-05 2011-04-05 Microsoft Corporation Partner sandboxing in a shared multi-tenant billing system
US8504704B2 (en) 2004-06-16 2013-08-06 Dormarke Assets Limited Liability Company Distributed contact information management
US8527752B2 (en) 2004-06-16 2013-09-03 Dormarke Assets Limited Liability Graduated authentication in an identity management system
US9245266B2 (en) 2004-06-16 2016-01-26 Callahan Cellular L.L.C. Auditable privacy policies in a distributed hierarchical identity management system
US8321686B2 (en) 2005-02-07 2012-11-27 Sandisk Technologies Inc. Secure memory card with life cycle phases
US8423788B2 (en) 2005-02-07 2013-04-16 Sandisk Technologies Inc. Secure memory card with life cycle phases
US8108691B2 (en) 2005-02-07 2012-01-31 Sandisk Technologies Inc. Methods used in a secure memory card with life cycle phases
US7743409B2 (en) 2005-07-08 2010-06-22 Sandisk Corporation Methods used in a mass storage device with automated credentials loading
EP1760619A1 (en) * 2005-08-19 2007-03-07 STMicroelectronics Ltd. System for restricting data access
US7934049B2 (en) 2005-09-14 2011-04-26 Sandisk Corporation Methods used in a secure yet flexible system architecture for secure devices with flash mass storage memory
US8966284B2 (en) 2005-09-14 2015-02-24 Sandisk Technologies Inc. Hardware driver integrity check of memory card controller firmware
US20070162390A1 (en) * 2005-12-22 2007-07-12 Macrovision Corporation Techniques for distributing and monitoring content
US8423794B2 (en) 2006-12-28 2013-04-16 Sandisk Technologies Inc. Method and apparatus for upgrading a memory card that has security mechanisms for preventing copying of secure content and applications
US8127133B2 (en) * 2007-01-25 2012-02-28 Microsoft Corporation Labeling of data objects to apply and enforce policies
US8281143B1 (en) 2008-09-29 2012-10-02 Symantec Operating Corporation Protecting against chosen plaintext attacks in untrusted storage environments that support data deduplication
US8504839B2 (en) * 2008-10-27 2013-08-06 Advanced Micro Devices, Inc. Method, apparatus, and device for protecting against programming attacks and/or data corruption
US8479304B1 (en) * 2009-03-31 2013-07-02 Symantec Corporation Selectively protecting against chosen plaintext attacks in untrusted storage environments that support data deduplication
KR102017828B1 (en) * 2012-10-19 2019-09-03 삼성전자 주식회사 Security management unit, host controller interface including the same, method for operating the host controller interface, and devices including the host controller interface
DE102017005975A1 (en) * 2017-06-23 2018-12-27 Stefan Andreas Widmann Device and method for device-based detection of incompatible operand units in data processing units
DE102017005945A1 (en) * 2017-06-23 2018-12-27 Stefan Andreas Widmann Device and method for device-specific restriction of the permissible operations on data in data processing units
US20210319683A1 (en) * 2020-04-14 2021-10-14 Goodrich Corporation Real-time communication link with a cargo handling system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4104721A (en) * 1976-12-30 1978-08-01 International Business Machines Corporation Hierarchical security mechanism for dynamically assigning security levels to object programs
US4442484A (en) * 1980-10-14 1984-04-10 Intel Corporation Microprocessor memory management and protection mechanism
JPS57195394A (en) * 1981-05-23 1982-12-01 Nippon Telegr & Teleph Corp <Ntt> Memory protection system by processor
JPS57206977A (en) * 1981-06-15 1982-12-18 Fujitsu Ltd Document processing system
EP0097258B1 (en) * 1982-06-21 1990-03-14 International Business Machines Corporation Computing apparatus and method for operating the same
US4621321A (en) * 1984-02-16 1986-11-04 Honeywell Inc. Secure data processing system architecture

Also Published As

Publication number Publication date
DE3689569T2 (en) 1994-05-11
EP0192243A2 (en) 1986-08-27
KR910005995B1 (en) 1991-08-09
JPH0812645B2 (en) 1996-02-07
DE3689569D1 (en) 1994-03-10
EP0192243A3 (en) 1989-07-19
JPS61195443A (en) 1986-08-29
US4713753A (en) 1987-12-15
IL77504A (en) 1989-08-15
KR860006731A (en) 1986-09-15
EP0192243B1 (en) 1994-01-26

Similar Documents

Publication Publication Date Title
CA1252907A (en) Secure data processing system architecture with format control
US4701840A (en) Secure data processing system architecture
US8402269B2 (en) System and method for controlling exit of saved data from security zone
KR100877650B1 (en) Implementation and use of a pii data access control facility emlploying personally identifying information labels and purpose serving function sets
US7290279B2 (en) Access control method using token having security attributes in computer system
US5870467A (en) Method and apparatus for data input/output management suitable for protection of electronic writing data
JP2739029B2 (en) How to control access to data objects
US5504814A (en) Efficient security kernel for the 80960 extended architecture
KR100596135B1 (en) Control system for access classified by application in virtual disk and Controling method thereof
JPH09319659A (en) Security control method for computer system
JPS63127335A (en) Security system
US20030005213A1 (en) Memory apparatus, data-processing apparatus, and data-processing method
KR100343069B1 (en) Mandatory Object Access Control Method Using Multi-Level Security, and Computer Readable Recording Medium Having thereon Programmed Mandatory Object Access Control Method Using Multi-Level Security
KR101227187B1 (en) Output control system and method for the data in the secure zone
JPH06175904A (en) Access right setting device for file
JPS62285161A (en) Data protection system
JPH08202659A (en) Common information processing system
Hu The policy machine for universal access control
RU2583757C2 (en) System for session-based control of access to created files
JPH0387945A (en) File security control system
JPH04100162A (en) Prevention system for information file alteration
Hsiao et al. Operating system security a tutorial of current research
JPH01213729A (en) Exclusive control system for shared file
Kraemer-Hervey A Discussion of Security Requirements in an APSE
Cristiá System and security model of GIDIS Trusted Linux 0.1.1 Z version

Legal Events

Date Code Title Description
MKEX Expiry