METHODS AND SYSTEMS FOR ACHIEVING HIGH ASSURANCE COMPUTING USING LOW ASSURANCE OPERATING SYSTEMS AND PROCESSES
Abstract
A computing system contains and uses a partitioning microkernel (PMK) or equivalent means for imposing memory partitioning and isolation prior to exposing data to a target operating system or process, and conducts continuing memory management whereby data is validated by security checks before or between sequential processing steps. The PMK may be used in conjunction with an Object Request Broker.
51 Citations
23 Claims
1. A method for operating a computing system comprising the steps of:
- booting a high assurance kernel;
- partitioning available memory so as to allocate and isolate respective specific regions of memory for at least one computer program and at least one security process;
- inspecting with said security process incoming network data intended for the computer program;
- delivering inspected said incoming network data to the intended computer program;
- inspecting with said security process outgoing network data from the computer program; and
- delivering inspected said outgoing network data to an intended device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method for operating a computing system comprising the steps of:
- booting a high assurance kernel;
- partitioning available memory so as to allocate and isolate respective specific areas of memory for at least each of a computer program and a security process;
- restricting access by the computer program to the area of memory of the security process;
- imposing a data flow requiring incoming data to be subjected to the security process before being delivered to the computer program;
- inspecting with said security process incoming network data intended for the computer program;
- delivering inspected said incoming network data to the computer program;
- inspecting with said security process outgoing network data from the computer program;
- delivering inspected said outgoing network data to an intended device;
- said security process comprising any of firewall, virus and malware checking processes, said inspecting the incoming network data comprising conducting firewall, virus and malware checks on the incoming network data;
- conducting virus checking on incoming and outgoing file data within said security process;
- conducting an encryption/decryption process on said incoming and outgoing file data within said security process; and
- inspecting with said security process the specific area of memory allocated to the computer program for anomalies in the computer program.
Dependent claims: 10.

11. A computing system comprising:
- a high assurance kernel;
- an operating system;
- a security process; and
- a network interface device;
said high assurance kernel configured to, upon being booted, impose a partitioning and management of memory and a sequencing of operation among said operating system and said security process whereby security checks are conducted on data by said security process prior to the data being made accessible for a next processing step within the computing system.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.

20. A device for providing a blended protection scheme for a high assurance communication device comprising:
- a reconfigurable firewall and packet inspection device for enforcing isolation and separation between a communication device's CPUs, memory, and the communication device, where the reconfigurable firewall is implemented on an integrated chip or motherboard chipset; and
- a protected CPU adapted to manage security functions and to reconfigure the reconfigurable firewall.
Dependent claims: 21, 22.

23. A method for high assurance packet data processing in a computer system, comprising the steps:
(1) delivering an arriving packet of data to a security process;
(2) verifying the security of the packet data, and if not verified then dropping the packet;
(3) checking the packet data for encryption, and if not encrypted then delivering it to a contained operating system for processing;
(4) checking the packet data for a match to decryption rules, and if not matched then dropping the packet;
(5) decrypting the packet data and returning to step (2).
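The packet flow of claim 23, as an added example that is not part of the patent: a small security process that applies steps (1) to (5) in order. It assumes a constructed toy frame format, a trailing XOR checksum standing in for the verification step, a one-byte XOR mask standing in for the cipher, and a cap on the number of nested encryption layers (a safeguard the claim itself does not state).

```python
# Added example, not from the patent: a security process that walks claim 23's
# five steps over a constructed toy framing so the decrypt-and-recheck loop can
# be traced.  Frame: flags(1) [key_id(1) if encrypted] body... checksum(1),
# checksum = XOR of all preceding bytes.  "Encryption" here is a one-byte XOR
# mask standing in for a real cipher; a deployment would use authenticated
# encryption and a real integrity check in place of both.
FLAG_ENCRYPTED = 0x01

def xor_all(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc

def verify(packet: bytes) -> bool:
    """Step 2: reject malformed or tampered frames (assumed trailing checksum)."""
    return len(packet) >= 2 and xor_all(packet[:-1]) == packet[-1]

def matching_rule(packet: bytes, rules: dict):
    """Step 4: the frame's key id must match a known decryption rule."""
    return rules.get(packet[1]) if len(packet) >= 3 else None

def decrypt(packet: bytes, key: int) -> bytes:
    """Step 5: strip flags, key id and checksum, unmask the inner frame."""
    return bytes(b ^ key for b in packet[2:-1])

def security_process(packet: bytes, rules: dict, max_layers: int = 4):
    """Return ("deliver", payload) or ("drop", reason).  max_layers bounds the
    step-5 loop; the claim itself states no limit on nested layers."""
    for _ in range(max_layers + 1):
        if not verify(packet):                   # step 2
            return ("drop", "verification failed")
        if not packet[0] & FLAG_ENCRYPTED:       # step 3: plaintext goes to the OS
            return ("deliver", packet[1:-1])
        key = matching_rule(packet, rules)       # step 4
        if key is None:
            return ("drop", "no matching decryption rule")
        packet = decrypt(packet, key)            # step 5, then back to step 2
    return ("drop", "too many encryption layers")

def frame(body: bytes, key_id=None, key=None) -> bytes:
    """Build a constructed frame; with key_id/key, wrap body as one encrypted layer."""
    if key is None:
        raw = bytes([0]) + body
    else:
        raw = bytes([FLAG_ENCRYPTED, key_id]) + bytes(b ^ key for b in body)
    return raw + bytes([xor_all(raw)])
```

Each call to `security_process` returns either the payload to hand to the contained operating system or the step at which the packet was dropped, which is the decision a defender would log.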