Hacking-resistant computer design
Abstract
A computer architecture is disclosed for implementing a hacking-resistant computing device. The computing device, which could be a mainframe computer, personal computer, smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet, and can directly communicate only with the second partition or with input/output devices directly connected to the first partition. Further, the first partition segments its memory addressing for program code and hardware-protects it from alteration. The second partition is hardware-limited from reading or writing to the memory addressing of the first partition. As a result, the critical data files and program code stored on the first partition are protected from malicious code affecting the second partition.
22 Claims
1. A computer system comprising:
at least one CPU;
a bus;
at least one I/O module configured to connect to a network through the bus;
at least one memory module, comprising:
at least one memory address range for program code, configured by hardware circuitry, wherein the program code comprises computer-executable code; and
at least one memory address range for other data, wherein the other data comprises data read from the network;
wherein the at least one CPU is hardware-configured to execute only the computer-executable code in the memory address range for program code;
wherein the computer system is configured to execute a pull command through the bus to read the other data from the network and write the other data only to the at least one memory address range for other data;
wherein the computer system is configured to execute a push command through the bus to send data to the network;
wherein the bus is configured not to accept a push command from the network or a pull command from the network; and
wherein the hardware circuitry of the bus is configured to not permit the network to access the at least one memory module through the bus.

2. The computer system of claim 1, wherein the bus is configured to connect to the network through a wired connection.

3. The computer system of claim 1, wherein the bus is configured to connect to the network through a wireless connection.

4. The computer system of claim 1, wherein the network is the Internet.

5. The computer system of claim 1, wherein the network comprises one or more computers connected to the bus.

6. The computer system of claim 1, wherein the bus is housed in a physically distinct unit connected to the at least one CPU.

7. The computer system of claim 1, wherein the hardware circuitry comprises at least one field-programmable gate array.

8. The computer system of claim 1, comprising:
a physical switch configured to be turned on or off;
wherein the first CPU is configured to modify data stored in the at least one memory address range for program code only when the physical switch is on.

9. The computer system of claim 8,
wherein the memory address range for program code comprises control data; and
wherein the control data can be modified only when the at least one physical switch is on.

10. The computer system of claim 1, comprising:
a physical switch which can be turned on or off;
wherein the first CPU is configured to modify data stored in the at least one memory address range for program code only when the physical switch is on; and
wherein, while the physical switch is on, the system is disabled from executing a push command or a pull command.

11. The computer system of claim 10,
wherein the memory address range for program code comprises control data; and
wherein the control data can be modified only when the at least one physical switch is on.

12. The computer system of claim 1, wherein the first memory module comprises:
a first memory unit comprising the at least one memory address range for program code; and
a second memory unit for the other data.

13. The computer system of claim 12, comprising:
a physical switch configured to be turned on or off;
wherein the first CPU is configured to modify data stored in the at least one memory address range for program code only when the physical switch is on.

14. The computer system of claim 12,
wherein the memory address range for program code comprises control data; and
wherein the control data can be modified only when the at least one physical switch is on.

15. The computer system of claim 12, comprising:
a physical switch which can be turned on or off;
wherein the first CPU is configured to modify data stored in the at least one memory address range for program code only when the physical switch is on; and
wherein, while the physical switch is on, the system is disabled from executing a push command or a pull command.

16. The computer system of claim 12, wherein the bus is housed in a physically distinct unit connected to the at least one CPU.

17. The computer system of claim 12, wherein the hardware circuitry comprises at least one field-programmable gate array.

18. The computer system of claim 12, wherein data in the at least one memory address range for program code is loaded in the process of manufacture.

19. The computer system of claim 18, wherein the data in the at least one memory address range for program code is permanently restricted from alteration by hardware circuitry.

20. The computer system of claim 18, wherein data in the at least one memory address range for program code can be modified only when a separate device is directly connected to the at least one CPU.

21. A computer system comprising:
a first partition and a second partition communicatively coupled through a bus;
the first partition comprising:
a first CPU, and
a first memory module, comprising:
a first memory unit comprising at least one memory address range for program code, wherein the program code comprises computer-executable code, wherein the at least one memory address range for program code is configured by hardware circuitry, and wherein data in the at least one memory address range for program code is loaded in the process of manufacture and is permanently restricted from alteration by hardware circuitry;
a second memory unit comprising at least one memory address range for other data, comprising data read from the second partition; and
wherein the first CPU is hardware-configured to execute only the computer-executable code in the memory address range for program code;
the second partition comprising:
a second CPU,
a second memory module, and
at least one communication module configured to couple to a network;
wherein the first CPU can read from the second memory module only into the at least one memory address range for other data;
wherein the first CPU can write to the second memory module; and
wherein the second CPU is restricted from accessing the first memory module.

22. A computer system comprising:
a first partition and a second partition communicatively coupled through a bus;
the first partition comprising:
a first CPU, and
a first memory module, comprising:
a first memory unit comprising at least one memory address range for program code, wherein the program code comprises computer-executable code, wherein the at least one memory address range for program code is configured by hardware circuitry, and wherein data in the at least one memory address range for program code is loaded in the process of manufacture and can be modified only when a separate device is directly connected to the first partition;
a second memory unit comprising at least one memory address range for other data, comprising data read from the second partition; and
wherein the first CPU is hardware-configured to execute only the computer-executable code in the memory address range for program code;
the second partition comprising:
a second CPU,
a second memory module, and
at least one communication module configured to couple to a network;
wherein the first CPU can read from the second memory module only into the at least one memory address range for other data;
wherein the first CPU can write to the second memory module; and
wherein the second CPU is restricted from accessing the first memory module.
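The access rules stated in the abstract and in claims 1, 8 and 10 (the CPU fetches instructions only from the program-code range; a pull writes network data only into the other-data range; the network is never permitted to issue a push or pull or to reach memory through the bus; the code range is writable only while a physical switch is on, and push and pull are disabled while it is on) can be written down as an executable reference monitor and exercised against hostile input. The Python model below is an added example and is not code from the patent or its assignee; the memory map, the byte-addressed memory, the `network` dictionary standing in for data reachable over the I/O module, and every function name are assumptions chosen only to make the claimed rules testable.

```python
"""Executable reference model of the claimed access rules (added example, not the patent's code).

Assumptions: a flat byte-addressed memory with a 4 KiB program-code range followed by
a 4 KiB other-data range, and a dict standing in for data reachable over the network.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    """The modelled hardware circuitry refuses the access."""


@dataclass(frozen=True)
class AddrRange:
    lo: int
    hi: int  # exclusive upper bound

    def contains(self, addr: int, size: int = 1) -> bool:
        return self.lo <= addr and addr + size <= self.hi


# Assumed memory map (claim 1: separate ranges for program code and other data).
CODE = AddrRange(0x0000, 0x1000)
DATA = AddrRange(0x1000, 0x2000)


class ProtectedPartition:
    """One CPU, one memory module with a code range and a data range, one bus."""

    def __init__(self, firmware: bytes):
        self.mem = bytearray(DATA.hi)
        self.mem[: len(firmware)] = firmware  # code "loaded in the process of manufacture"
        self.switch_on = False                # physical switch of claims 8 and 10
        self.outbox = []                      # bytes pushed to the network

    def _require_cpu_master(self, initiator: str) -> None:
        # Claim 1: the bus does not accept push or pull commands from the network.
        if initiator != "cpu":
            raise AccessDenied(f"bus rejects {initiator}-initiated command")

    def fetch(self, addr: int, size: int = 1) -> bytes:
        # Claim 1: the CPU executes only code inside the program-code range.
        if not CODE.contains(addr, size):
            raise AccessDenied(f"execute from {addr:#06x}: outside code range")
        return bytes(self.mem[addr : addr + size])

    def program(self, addr: int, payload: bytes) -> None:
        # Claims 8/9: the code range (including control data) is writable only while the switch is on.
        if not self.switch_on:
            raise AccessDenied("code range is write-protected while the switch is off")
        if not CODE.contains(addr, len(payload)):
            raise AccessDenied("program() targets only the code range")
        self.mem[addr : addr + len(payload)] = payload

    def pull(self, network: dict, key: str, dst: int, initiator: str = "cpu") -> int:
        # Claim 1: a pull writes network data only into the other-data range.
        # Claim 10: push and pull are disabled while the switch is on.
        self._require_cpu_master(initiator)
        if self.switch_on:
            raise AccessDenied("pull disabled while the switch is on")
        payload = network[key]
        if not DATA.contains(dst, len(payload)):
            raise AccessDenied(f"pull into {dst:#06x}: outside other-data range")
        self.mem[dst : dst + len(payload)] = payload
        return len(payload)

    def push(self, src: int, size: int, initiator: str = "cpu") -> bytes:
        # Claim 1: a push sends memory contents to the network; only the CPU may issue it.
        self._require_cpu_master(initiator)
        if self.switch_on:
            raise AccessDenied("push disabled while the switch is on")
        sent = bytes(self.mem[src : src + size])
        self.outbox.append(sent)
        return sent


def attempt(fn, *args, **kwargs) -> str:
    """Run one access against the monitor and report 'ok' or 'denied'."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except AccessDenied:
        return "denied"


def scenario() -> dict:
    """Hostile bytes arrive from the network; record what each rule allows or refuses."""
    part = ProtectedPartition(firmware=b"\x90" * 16)   # constructed placeholder firmware
    network = {"payload": b"\xcc" * 32}                 # constructed attacker-controlled data
    r = {}
    r["pull_to_data"] = attempt(part.pull, network, "payload", DATA.lo)
    r["exec_pulled_payload"] = attempt(part.fetch, DATA.lo, 32)      # data range never executes
    r["pull_to_code"] = attempt(part.pull, network, "payload", CODE.lo)
    r["network_initiated_pull"] = attempt(part.pull, network, "payload", DATA.lo, initiator="network")
    r["network_initiated_push"] = attempt(part.push, CODE.lo, 16, initiator="network")
    r["reprogram_switch_off"] = attempt(part.program, CODE.lo, b"\xc3" * 16)
    part.switch_on = True                               # operator flips the physical switch
    r["reprogram_switch_on"] = attempt(part.program, CODE.lo, b"\xc3" * 16)
    r["pull_while_switch_on"] = attempt(part.pull, network, "payload", DATA.lo)
    part.switch_on = False
    r["exec_after_reprogram"] = attempt(part.fetch, CODE.lo, 16)
    r["code_bytes_after_reprogram"] = part.fetch(CODE.lo, 16)
    return r


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:28s} {outcome}")
```

Running `scenario()` shows the separation the abstract describes: the payload pulled from the network lands in the other-data range and cannot be fetched as an instruction, a network-originated push or pull is refused at the bus, a pull aimed at the code range is refused, and rewriting the code range needs the switch, during which the network path is closed. The same model also marks the boundary of the protection: the trusted code in the program-code range still parses whatever arrives in the data range, so a logic flaw in that code is outside what the memory separation addresses.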
Specification