Data accessibility control

US 10,592,680 B2
Filed: 10/31/2014
Issued: 03/17/2020
Est. Priority Date: 11/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method of controlling the accessibility of data to a computer processor configured to context switch between a user context and a secure context, the method comprising:

obtaining an identifier;

determining dependent on the identifier, in the secure context, whether to make data accessible in the user context; and

,in the event that it is determined to make data accessible, controlling a map of data storage to provide access to the data in the user context according to a selected map, wherein controlling a map of data storage comprises choosing between at least two pre-stored maps of the data storage based on the identifier to choose the selected map, wherein each said map of data storage comprises an association between a plurality of file names and a corresponding plurality of storage addresses;

wherein the selected map is made available to applications in the user context to enable the applications to use the selected map to request access to data identified by the map,wherein in the event that data requested by the applications comprises encrypted data, the encrypted data is decrypted in the secure context to provide unencrypted data to the applications in the user context.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method and apparatus for controlling the accessibility of data on a data storage 9 comprises obtaining an identifier, and determining dependent on the identifier, in a secure context 5 of a computer processor 1, whether to make data accessible in a user context 3. In the event that data is to be made accessible, access is provided to the data in the user context 3.

Citations

16 Claims

1. A method of controlling the accessibility of data to a computer processor configured to context switch between a user context and a secure context, the method comprising:
- obtaining an identifier;
  
  determining dependent on the identifier, in the secure context, whether to make data accessible in the user context; and
  
  ,in the event that it is determined to make data accessible, controlling a map of data storage to provide access to the data in the user context according to a selected map, wherein controlling a map of data storage comprises choosing between at least two pre-stored maps of the data storage based on the identifier to choose the selected map, wherein each said map of data storage comprises an association between a plurality of file names and a corresponding plurality of storage addresses;
  
  wherein the selected map is made available to applications in the user context to enable the applications to use the selected map to request access to data identified by the map,wherein in the event that data requested by the applications comprises encrypted data, the encrypted data is decrypted in the secure context to provide unencrypted data to the applications in the user context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein determining dependent on the identifier comprises passing the identifier to a security controller operating in the secure context of the computer processor, and the security controller determining dependent on the identifier, in the secure context, whether to make data accessible in the user context.
  - 3. The method of claim 1 wherein data is selected in the secure context.
  - 4. The method of claim 1 wherein obtaining the identifier comprises obtaining the identifier in the user context and passing the identifier from the user context to the secure context.
  - 5. The method of claim 1 wherein obtaining the identifier comprises obtaining the identifier in the secure context.
  - 6. The method of claim 1 wherein the identifier is verified in the secure context.
  - 7. The method of claim 1 wherein the processor has a core configured to provide a secure context virtual core and a user context virtual core, and the secure context operates in the secure context virtual core and the user context operates in the user context virtual core.
  - 8. The method of claim 1 wherein hardware and/or software resources are partitioned between the secure context and the user context.
  - 9. The method of claim 1 comprising sending a first network message based on the identifier from the processor operating in the secure context to a remote device, wherein determining dependent on the identifier comprises determining based on a second network message received from the remote device.
  - 10. The method of claim 1 wherein the identifier comprises at least one of:
    - time information, GPS information, host computer information, a MAC address, an IP address, a wireless network ID, SSID, GSM cell, GSM data, a user identifier indicating a user currently operating the host computer, and one or more unique identifiers to prevent spoofing or false reporting from the host computer.
  - 11. The method of claim 1 wherein a weighting is applied to the identifier dependent on the source of the identifier, the weighted identifier being used to determine the accessibility of the data.
  - 12. The method of claim 11 wherein the weighting is determined by a lookup table indicating the weighting to apply to an identifier based on its source.
  - 13. The method of claim 1, wherein controlling a map of data storage comprises controlling an association between file names and addresses which comprises changing the directory structure of the data storage.

14. A method of controlling the accessibility of data to a computer processor, the method comprising:
- obtaining an identifier;
  
  passing the identifier to a security controller operating in the computer processor;
  
  the security controller determining dependent on the identifier, whether to make data accessible; and
  
  dependent on the determination of the identifier, the security controller controlling the accessibility of data on a data storage coupled to the processor by controlling a map of the data storage, wherein controlling a map of data storage comprises choosing between at least two pre-stored maps of the data storage based on the identifier wherein each said map of data storage comprises an association between a plurality of file names and a corresponding plurality of storage addresses;
  
  wherein the selected map is made available to user applications to enable the user applications to use the selected map to request access to data identified by the map,wherein in the event that data requested by the applications comprises encrypted data, the encrypted data is decrypted by the security controller to provide unencrypted data to the user applications.
- View Dependent Claims (15)
- - 15. The method of claim 14 comprising sending a first network message based on the identifier to a remote device, wherein determining dependent on the identifier comprises determining based on a second network message received from the remote device.

16. A non-transitory computer readable storage medium comprising a program for a computer configured to cause a processor toobtain an identifier;
- determine dependent on the identifier, in the secure context, whether to make data accessible in the user context; and
  
  ,in the event that it is determined to make data accessible, control a map of data storage to provide access to the data in the user context, wherein controlling a map of data storage comprises choosing between at least two pre-stored maps of the data storage based on the identifier wherein each said map of data storage comprises an association between a plurality of file names and a corresponding plurality of storage addresses;
  
  wherein the selected map is made available to user applications to enable the user applications to use the selected map to request access to data identified by the map,wherein in the event that data requested by the applications comprises encrypted data, the encrypted data is decrypted by the security controller to provide unencrypted data to the user applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exacttrak Limited
Original Assignee
Exacttrak Limited
Inventors
Shaw, Norman, Pragnell, John
Primary Examiner(s)
Lwin, Maung T
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/035,235
Publication Number

US 20160292444A1
Time in Patent Office

1,964 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/2272   Management thereof

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/74   operating in dual or compar...

Data accessibility control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Data accessibility control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links