COMPUTER SYSTEM ARCHITECTURE AND METHOD HAVING ISOLATED FILE SYSTEM MANAGEMENT FOR SECURE AND RELIABLE DATA PROCESSING

US 20080184218A1
Filed: 01/24/2008
Published: 07/31/2008
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A method for a computer or information appliance to securely manage file updates, the method comprising the computer-executed steps of:

a first processing environment retrieving a bootable disk image for a second processing environment from one of a plurality of data storages in the first processing environment;

the first processing environment sending such bootable disk image to the second processing environment through a first interface between the first and second processing environments;

the second processing environment storing the bootable disk image in a temporary data store in the second processing environment;

then following the completion of the booting of the second processing environment, the first processing environment limiting file requests by the second processing environment to the plurality of data storages through the first interface to only those requests required to complete booting; and

then the first processing environment managing non-booting requests by the second processing environment to the plurality of data storages through a second interface between the first and second processing environments.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, method, computer, and computer program for secure data processing of potentially malicious code and documents or other data that may contain malicious code. System, method, computer for a secure and reliable computing environment to protect against data loss and/or corruption to provide secure and reliable data processing.

119 Citations

View as Search Results

37 Claims

1. A method for a computer or information appliance to securely manage file updates, the method comprising the computer-executed steps of:
- a first processing environment retrieving a bootable disk image for a second processing environment from one of a plurality of data storages in the first processing environment;
  
  the first processing environment sending such bootable disk image to the second processing environment through a first interface between the first and second processing environments;
  
  the second processing environment storing the bootable disk image in a temporary data store in the second processing environment;
  
  then following the completion of the booting of the second processing environment, the first processing environment limiting file requests by the second processing environment to the plurality of data storages through the first interface to only those requests required to complete booting; and
  
  then the first processing environment managing non-booting requests by the second processing environment to the plurality of data storages through a second interface between the first and second processing environments.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 29, 30)
- - 2. A method for a computer or information appliance to securely manage file updates as in claim 1, the method for a computer or information appliance to securely manage file updates further comprising the computer-executed step of creating the second processing environment from within the first processing environment.
  - 3. A method for a computer or information appliance to securely manage file updates as in claim 1, the method for a computer or information appliance to securely manage file updates further comprising the computer-executed step of selecting the second processing environment from a plurality of processing environments different from the first processing environment.
  - 4. A method for a computer or information appliance to securely manage file updates as in claim 1, wherein the second interface is a filter driver.
  - 5. A method for a computer or information appliance to securely manage file updates as in claim 1, wherein the step for managing file system requests from the second processing environment comprises:
    - providing the second processing environment a file system in the bootable disk image supplied by the first processing environment;
      
      storing the file system in a temporary data storage in the second processing environment;
      
      and upon receiving an request to process data in the file system in the second processing environment, processing the request on the temporary data storage in the second processing environment and providing the request to the first processing environment through the second interface.
  - 6. A method for a computer or information appliance to securely manage file updates as in claim 5, the method for a computer or information appliance to securely manage file updates further comprising the computer-executed step of:
    - the first processing environment monitoring events in the second processing environment;
      
      upon the occurrence of one or a plurality of events, the first processing environment receiving data from the second processing environment through the second interface;
      
      and performing data processing in the first processing environment using data received from the second processing environment.
  - 7. A method for a computer or information appliance to securely manage file updates as in claim 6, wherein prior to the step of performing data processing in the first processing environment, storing the data in a temporary data storage in the first processing environment and validating the received data with data stored in a nonvolatile data storage in the first processing environment.
  - 8. A method for a computer or information appliance to securely manage file updates as in claim 6, wherein prior to the step of performing data processing in the first processing environment, the method further comprising the computer-executed steps of:
    - the first processing environment providing the bootable disk image of the second processing environment to a third processing environment different from the second processing environment through a third interface between the first and third processing environments;
      
      the third processing environment booting from the bootable disk and establishing a fourth interface between the first and third processing environment;
      
      the first processing environment then providing the data received from the second processing environment to the third processing environment through the fourth interface;
      
      performing data processing in the third processing environment using the received data;
      
      and then the first processing environment receiving the processed data from the third processing environment through the fourth interface and storing the processed data in the first processing environment.
  - 29. A method for a computer or information appliance to securely manage file updates as in claim 1, the method for a computer or information appliance for secure user data processing further comprising the computer-executed steps of:
    - providing the second processing environment a plurality of peripheral devices;
      
      communicatively coupling the second processing environment to the plurality of peripheral devices;
      
      the first processing environment monitoring peripheral device events in the second processing environment;
      
      upon the monitoring by the first processing environment of a peripheral device activity in the second processing environment, performing data processing in the first processing environment, providing the processed data to the second processing environment, and displaying the data on an output peripheral device selected from the plurality of peripheral devices in the second processing environment.
  - 30. A method for a computer or information appliance to securely manage file updates as in claim 29, the method for a computer or information appliance for secure user data processing further comprising the computer-executed steps of:
    - receiving unknown data and source identification data for the unknown data in the second processing environment;
      
      providing the source identification data to the first processing environment from the second processing environment and storing source identification data in the first processing environment;
      
      communicatively coupling the first processing environment to a third processing environment;
      
      providing the source identification data to the third processing environment;
      
      and upon verifying the source identification data, the first processing environment receiving the unknown data from the second processing environment, the first processing environment providing the unknown data to the third processing environment, and the third processing environment storing and processing the data in the third processing environment.

9. A computer or information appliance adapted for securely managing file updates, the computer or information appliance comprising:
- means for retrieving, in a first processing environment, a bootable image for a second processing environment from one of a plurality of storage devices;
  
  a first interface between the first and second processing environments;
  
  a second interface between the first and second processing environments;
  
  means, in the first processing environment, for sending the bootable image to the second processing environment through the first interface;
  
  means, in the second processing environment, for storing the bootable image in a temporary data store;
  
  means, in the first processing environment, for limiting file requests by the second processing environment to the plurality of hard disk drives through the first interface to only those requests required to complete booting following the completion of the booting of the second processing environment; and
  
  means, in the first processing environment, for managing non-booting requests by the second processing environment to the plurality of hard disk drives through the second interface.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 26, 27, 28, 31)
- - 10. A computer or information appliance adapted for securely managing file updates as in claim 9, wherein the first interface is different from the second interface.
  - 11. A computer or information appliance adapted for securely managing file updates as in claim 9, wherein at least one of a plurality of data storages comprises a hard disk drive storage device.
  - 12. A computer or information appliance adapted for securely managing file updates as in claim 9, wherein the storage device comprises a hard disk drive storage device, and the image comprises a disk image.
  - 13. A computer or information appliance adapted for securely managing file updates as in claim 9, wherein the computer or information appliance is a computer.
  - 14. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance adapted for securely managing file updates further comprising a means for creating the second processing environment from within the first processing environment.
  - 15. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance adapted for securely managing file updates further comprising a means for selecting the second processing environment from a plurality of processing environments different from the first processing environment.
  - 16. A computer or information appliance adapted for securely managing file updates as in claim 9, wherein the second interface is a filter driver.
  - 17. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance further comprising:
    - means for providing the second processing environment a file system in the bootable disk image supplied by the first processing environment;
      
      means for storing the file system in a temporary data storage in the second processing environment;
      
      and means for processing the request on the temporary data storage in the second processing environment and for providing the request to the first processing environment through the second interface upon receiving an request to process data in the file system in the second processing environment.
  - 18. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance adapted for securely managing file updates further comprising:
    - means for the first processing environment monitoring events in the second processing environment;
      
      means for the first processing environment receiving data from the second processing environment through the second interface upon the occurrence of one or a plurality of events;
      
      and means for performing data processing in the first processing environment using data received from the second processing environment.
  - 19. A computer or information appliance adapted for securely managing file updates as in claim 18, the computer or information appliance adapted for securely managing file updates further comprising:
    - means for storing the data in a temporary data storage in the first processing environment and means for validating the received data with data stored in a nonvolatile data storage in the first processing environment.
  - 20. A computer or information appliance adapted for securely managing file updates as in claim 18, the computer or information appliance adapted for securely managing file updates further comprising:
    - a third processing environment different from the first and second processing environments;
      
      a third interface between the third processing environment and the first processing environment;
      
      a fourth interface between the third processing environment and the first processing environment;
      
      means for the first processing environment providing the bootable image of the second processing environment to a third processing environment through the third interface;
      
      means for the third processing environment booting from the bootable image;
      
      means for the first processing environment providing data received from the second processing environment via the second interface to the third processing environment via the fourth interface;
      
      means for performing data processing in the third processing environment using the received data;
      
      and means for the first processing environment receiving the processed data from the third processing environment through the fourth interface and for storing the processed data in the first processing environment.
  - 26. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance adapted for securely managing file updates further comprising:
    - a first encryption key and a second encryption key in the first processing environment;
      
      in the first processing environment, a first decryption key and second decryption key for decrypting data encrypted with the first and second encryption keys, respectively;
      
      means for storing the encryption keys in a data storage selected from the plurality of data storages;
      
      means for encrypting a first data using the first encryption key and for storing such first data in a third data storage selected from the plurality of data storages;
      
      means for encrypting a second data using the second encryption key and for storing such second data in a fourth data storage selected from the plurality of data storages;
      
      means for decrypting the first data using the first decryption key and for decrypting the second data using the second decryption key.
  - 27. A computer or information appliance adapted for securely managing file updates as in claim 26, wherein the first data storage is a data storage device different from the second data storage:
  - 28. A computer or information appliance adapted for securely managing file updates as in claim 26, wherein the first data storage is located in a different logical memory partition from the second data storage:
  - 31. A computer or information appliance adapted for securely managing file updates as in claim 9, the computer or information appliance adapted for securely managing file updates further comprising:
    - a plurality of peripheral devices communicatively coupled to the second processing environment;
      
      means for the first processing environment monitoring peripheral device events in the second processing environment;
      
      and means for performing data processing in the first processing environment upon the monitoring by the first processing environment of a peripheral device activity in the second processing environment, for the first processing environment providing the processed data to the second processing environment, and for the second processing environment displaying the data on an output peripheral device selected from the plurality of peripheral devices.

21. A method for a computer or information appliance to securely manage file updates, the method comprising the computer-executed steps of:
- providing an update data storage in a processing environment for storing a file update, such update data storage being different from a data storage for storing operating system and program application files;
  
  the processing environment receiving a file update and storing the file update in the update data storage;
  
  and upon verifying the file update with stored data on the update data storage, processing the update file on the data storage storing operating system and program application files.
- View Dependent Claims (22)
- - 22. A method for a computer or information appliance to securely manage file updates as in claim 21, where the step of verifying the file update comprises the computer-executed step of identifying the existence of another identical file update in the update data store.

23. A computer or information appliance for securely managing file updates, the computer or information appliance comprising:
- a processing environment communicatively coupled to a network;
  
  means for providing an update data storage in the processing environment for storing a file update, such update data storage being different from a data storage for storing operating system and program application files;
  
  means for the processing environment receiving a file update and storing the file update in the update data storage;
  
  means for verifying the file update with stored data on the update data storage;
  
  and means for processing the update file on the data storage storing operating system and program application files.
- View Dependent Claims (24)
- - 24. A computer or information appliance for securely managing file updates as in claim 23, wherein the means for verifying the file update further comprises means for identifying the existence of another identical file update in the update data store.

25. A method for a computer or information appliance to provide secure data processing, the method comprising the computer-executed steps of:
- providing a first encryption key and a second encryption key in a first data storage;
  
  providing a first decryption key and second decryption key for decrypting data encrypted with the first and second encryption keys, respectively, in a second data storage;
  
  encrypting a first data using the first encryption key and storing such first data in a third data storage;
  
  encrypting a second data using the second encryption key and storing such second data in a fourth data storage;
  
  then upon request to decrypt the first data or second data, using the first decryption key to decrypt the first data and using the second decryption key to decrypt the second data.

32. A method for a computer or information appliance to provide enhanced processing reliability, the method for a computer or information appliance to provide enhanced processing reliability comprising the computer-executed steps of:
- providing a processing environment being powered by a first power supply;
  
  providing a first data storage in the processing environment powered by the first power supply;
  
  providing a second data storage in the processing environment powered by a second power supply;
  
  storing data to the first data storage and the second data storage;
  
  the second power supply supplying power to the first data storage when a loss in power from the first power supply occurs;
  
  and upon the restoration of power to the first power supply, supplying power to the processing environment powered by the first power supply and then copying data stored in the second data storage to the first data storage.
- View Dependent Claims (33, 34)
- - 33. A method for a computer or information appliance to provide enhanced processing reliability as in claim 32, the method for a computer or information appliance to provide enhanced processing reliability further comprising:
    - providing a plurality of encrypted data storages in the processing environment;
      
      supplying power from the first power supply to a subsystem of the processing environment that does not include the plurality of encrypted data storages;
      
      supplying power from the second power supply to the plurality of encrypted data storages;
      
      and then upon a loss in power by the first power supply, supplying power from the second power supply to continue encryption of the encrypted data storages.
  - 34. A method for a computer or information appliance to provide enhanced processing reliability as in claim 32, the method for a computer or information appliance to provide enhanced processing reliability further comprising:
    - providing a third power supply, and upon an interruption in power from the first power supply, the third power supply supplying power to the processing environment for completing all processing activities and to shut down the processing environment properly.

35. A computer or information appliance providing enhanced processing reliability, the computer or information appliance providing enhanced processing reliability comprising:
- a first and second power supply;
  
  a processing environment being powered by a first power supply;
  
  a first data storage in the processing environment powered by the first power supply;
  
  a second data storage in the processing environment powered by a second power supply;
  
  means for storing data to the first data storage and the second data storage;
  
  mean for the second power supply supplying power to the first data storage when a loss in power from the first power supply occurs;
  
  and means for the first power supplying power to the processing environment and for copying data stored in the second data storage to the first data storage upon the restoration of power of the first power supply.
- View Dependent Claims (36, 37)
- - 36. A computer or information appliance providing enhanced processing reliability as in claim 35, the computer or information appliance providing enhanced processing reliability further comprising:
    - a plurality of encrypted data storages in the processing environment;
      
      means for supplying power from the first power supply to a subsystem of the processing environment that does not include the plurality of encrypted data storages;
      
      means for supplying power from the second power supply to the plurality of encrypted data storages;
      
      and means for supplying power from the second power supply for continuing encryption of the encrypted data storages upon a loss in power of the first power supply.
  - 37. A computer or information appliance providing enhanced processing reliability as in claim 35, the computer or information appliance providing enhanced processing reliability further comprising:
    - a third power supply, and means for the third power supply supplying power to the processing environment for completing all processing activities and to shut down the processing environment properly upon an interruption in power of the first power supply.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vir2us, Inc.
Original Assignee
Vir2us, Inc.
Inventors
Largman, Kenneth, More, Anthony, Macy, Kip, Bailey, Shannon

Granted Patent

US 8,775,369 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/168
CPC Class Codes

G06F 21/575   Secure boot

G06F 8/60   Software deployment

G06F 8/65   Updates security arrangemen...

G06F 9/4411   Configuring for operating w...

COMPUTER SYSTEM ARCHITECTURE AND METHOD HAVING ISOLATED FILE SYSTEM MANAGEMENT FOR SECURE AND RELIABLE DATA PROCESSING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

119 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER SYSTEM ARCHITECTURE AND METHOD HAVING ISOLATED FILE SYSTEM MANAGEMENT FOR SECURE AND RELIABLE DATA PROCESSING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links