Hacking-resistant computer design

US 10,002,245 B2
Filed: 01/05/2017
Issued: 06/19/2018
Est. Priority Date: 08/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a first partition and a second partition;

the first partition comprising;

a first CPU,a first memory module comprising;

at least one memory address range for program code, wherein the program code comprises computer-executable code, and wherein the memory address range for program code is hardware-protected from alteration by a hardware switch;

at least one memory address range for first partition data; and

at least one memory address range for data read from the second partition; and

wherein the first CPU is hardware-configured to execute only the computer-executable code in the memory address range for program code; and

the second partition comprising;

a second CPU,a second memory module, andat least one communication module configured to couple to a network; and

wherein the first CPU is configured to access the second memory module;

wherein the first CPU is configured to read data from the second partition into only the at least one memory address range for data read from the second partition; and

wherein the second CPU is restricted from accessing the first CPU or the first memory module.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer architecture is disclosed for implementing a hacking-resistant computing device. The computing device, which could be a mainframe computer, personal computer, smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet, and can directly communicate only with the second partition or with input/output devices directly connected to the first partition. Further, the first partition segments its memory addressing for program code and hardware-protects it from alteration. The second partition is hardware-limited from reading or writing to the memory addressing of the first partition. As a result, the critical data files and program code stored on the first partition are protected from malicious code affecting the second partition.

31 Citations

View as Search Results

36 Claims

1. A computer system comprising:
- a first partition and a second partition;
  
  the first partition comprising;
  
  a first CPU,a first memory module comprising;
  
  at least one memory address range for program code, wherein the program code comprises computer-executable code, and wherein the memory address range for program code is hardware-protected from alteration by a hardware switch;
  
  at least one memory address range for first partition data; and
  
  at least one memory address range for data read from the second partition; and
  
  wherein the first CPU is hardware-configured to execute only the computer-executable code in the memory address range for program code; and
  
  the second partition comprising;
  
  a second CPU,a second memory module, andat least one communication module configured to couple to a network; and
  
  wherein the first CPU is configured to access the second memory module;
  
  wherein the first CPU is configured to read data from the second partition into only the at least one memory address range for data read from the second partition; and
  
  wherein the second CPU is restricted from accessing the first CPU or the first memory module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer system of claim 1, wherein the at least one memory address range for program code is configured by hardware circuitry.
  - 3. The computer system of claim 2, wherein the hardware circuitry comprises at least one field-programmable gate array.
  - 4. The computer system of claim 1, wherein the first memory module comprises:
    - a first memory unit comprising the at least one memory address range for program code;
      
      a second memory unit comprising the at least one memory address range for first partition data; and
      
      a third memory unit comprising the at least one memory address range for data read from the second partition.
  - 5. The computer system of claim 1, wherein the program code comprises an operating system.
  - 6. The computer system of claim 1, comprising at least one data store.
  - 7. The computer system of claim 1,wherein the ability of the first CPU to access the second memory module is implemented by hardware circuitry;
    - andwherein the restriction on the second partition from accessing the first CPU or the first memory module is implemented by hardware circuitry.
  - 8. The computer system of claim 1, wherein a hardware feature, utilizing an external device connected directly to the first partition, is configured to enable a user to command the first CPU to take control of an input/output device of the second partition.
  - 9. The computer system of claim 1, further comprising:
    - a bus,wherein the first partition is interconnected to the second partition through the bus;
      
      wherein the first CPU is configured to execute a pull command through the bus to read the data from the second partition and write the data only to the at least one memory address range for data read from the second partition;
      
      wherein the first CPU is configured to execute a push command through the bus to write data to the second partition;
      
      wherein the first partition cannot accept a push command from the second partition or a pull command from the second partition; and
      
      wherein the restriction on the second partition from accessing the first CPU or the first memory module is implemented by hardware circuitry.
  - 10. The computer system of claim 1, wherein the hardware switch comprises at least one external physical switch which is configured to be turned on or off, wherein the first CPU can modify data stored in the at least one memory address range for program code only when the external physical switch is on.
  - 11. The computer system of claim 1, comprising:
    - at least one external physical switch which is configured to be turned on or off;
      
      wherein the first CPU is configured to modify contents of the at least one memory address range for program code only when the external physical switch is on; and
      
      wherein, when the external physical switch is on, the first CPU is disabled from reading from or writing to the second partition.
  - 12. The computer system of claim 1, wherein:
    - the ability of the first CPU to access the second memory module is implemented in a virtual partition configuration; and
      
      the restriction on the second CPU from accessing the first CPU or the first memory module is implemented in a virtual partition configuration.
  - 13. The computer system of claim 1,wherein the first partition comprises at least one input/output module;
    - andwherein a plurality of input/output devices are coupled to at least one input/output module.
  - 14. The computer system of claim 1, further comprising a chip comprising the first partition and the second partition.
  - 15. The computer system of claim 1, further comprising a first chip comprising the first partition and a second chip comprising the second partition.
  - 16. The computer system of claim 1, wherein a hardware feature, utilizing an external device connected directly to the first partition, is configured to enable the first CPU to write data to the second partition from the at least one memory address range for program code, the at least one memory address range for first partition data, or the at least one memory address range for data read from the second partition.
  - 17. The computer system of claim 1, wherein:
    - the first partition comprises one or more virtual sub-partitions; and
      
      the second partition comprises one or more virtual sub-partitions.
  - 18. The computer system of claim 1:
    - wherein the restriction on writing to the at least one memory address range for program code is implemented in a virtual partition configuration;
      
      wherein the virtual partition configuration is configured to turn on or off the restriction; and
      
      wherein, through the virtual partition configuration, the first CPU is configured to be disabled from reading from or writing to the second partition.

19. A computer system comprising:
- a first partition comprising;
  
  a first CPU; and
  
  a first memory module comprising;
  
  a first memory address range, wherein the first memory address range comprises program code, wherein the program code comprises computer-executable code, and wherein the program code is hardware-protected from alteration by a hardware switch; and
  
  a second memory address range;
  
  wherein the first CPU is hardware-configured to execute only the computer-executable code in the first memory address range; and
  
  a second partition comprising;
  
  a second CPU;
  
  a second memory module; and
  
  at least one communication module configured to couple to a network; and
  
  wherein the first CPU is configured to access the second memory module;
  
  wherein the first CPU is configured to read data from the second partition into only the second memory address range; and
  
  wherein the second CPU is restricted from accessing the first CPU or the first memory module.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The computer system of claim 19, wherein the first memory address range is configured by hardware circuitry.
  - 21. The computer system of claim 20, wherein the hardware circuitry comprises at least one field-programmable gate array.
  - 22. The computer system of claim 19, wherein the first memory module comprises:
    - a first memory unit comprising the first memory address range; and
      
      a second memory unit comprising the second memory address range.
  - 23. The computer system of claim 19, wherein the program code comprises an operating system.
  - 24. The computer system of claim 19, comprising at least one data store.
  - 25. The computer system of claim 19,wherein the ability of the first CPU to access the second memory module is implemented by hardware circuitry;
    - andwherein the restriction on the second partition from accessing the first CPU or the first memory module is implemented by hardware circuitry.
  - 26. The computer system of claim 19, wherein a hardware feature, utilizing an external device connected directly to the first partition, is configured to enable a user to command the first CPU to take control of an input/output device of the second partition.
  - 27. The computer system of claim 19, further comprising:
    - a bus,wherein the first partition is interconnected to the second partition through the bus;
      
      wherein the first CPU is configured to execute a pull command through the bus to read the data from the second partition and write the data only to the second memory address range;
      
      wherein the first CPU is configured to execute a push command through the bus to write data to the second partition;
      
      wherein the first partition cannot accept a push command from the second partition or a pull command from the second partition; and
      
      wherein the restriction on the second partition from accessing the first CPU or the first memory module is implemented by hardware circuitry.
  - 28. The computer system of claim 19, wherein the hardware switch comprises at least one external physical switch which is configured to be turned on or off, wherein the first CPU is configured to modify data stored in the first memory address range only when the external physical switch is on.
  - 29. The computer system of claim 19, comprising:
    - at least one external physical switch which is configured to be turned on or off;
      
      wherein the first CPU is configured to modify contents of first memory address range only when the external physical switch is on; and
      
      wherein, when the external physical switch is on, the first CPU is disabled from reading from or writing to the second partition.
  - 30. The computer system of claim 19, wherein:
    - the ability of the first CPU to access the second memory module is implemented in a virtual partition configuration; and
      
      the restriction on the second CPU from accessing the first CPU or the first memory module is implemented in a virtual partition configuration.
  - 31. The computer system of claim 19,wherein the first partition comprises at least one input/output module;
    - andwherein a plurality of input/output devices are coupled to at least one input/output module.
  - 32. The computer system of claim 19, further comprising a chip comprising the first partition and the second partition.
  - 33. The computer system of claim 19, further comprising a first chip comprising the first partition and a second chip comprising the second partition.
  - 34. The computer system of claim 19, wherein a hardware feature, utilizing an external device connected directly to the first partition, is configured to enable the first CPU to write data to the second partition from the first memory module.
  - 35. The computer system of claim 19, wherein:
    - the first partition comprises one or more virtual sub-partitions; and
      
      the second partition comprises one or more virtual sub-partitions.
  - 36. The computer system of claim 19:
    - wherein the restriction on writing to the first memory address range is implemented in a virtual partition configuration;
      
      wherein the virtual partition configuration is configured to turn on or off the restriction; and
      
      wherein, through the virtual partition configuration, the first CPU is configured to be enabled or disabled from reading from or writing to the second partition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pathguard Incorporated
Original Assignee
Newman H-R Computer Design, LLC
Inventors
Newman, Frank N., Newman, Dan
Primary Examiner(s)
Li, Meng

Application Number

US15/399,654
Publication Number

US 20170235944A1
Time in Patent Office

530 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1433   for a module or a part of a...

G06F 12/1441   for a range

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/71   to assure secure computing ...

G06F 21/79   in semiconductor storage me...

G06F 2212/1052   Security improvement

G06F 2221/031   Protect user input by softw...

G06F 2221/032   Protect output to user by s...

G06F 2221/034   Test or assess a computer o...

G06F 3/0619   in relation to data integri...

G06F 3/0644   Management of space entitie...

G06F 3/0659   Command handling arrangemen...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Hacking-resistant computer design

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Hacking-resistant computer design

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links