Computer security system
First Claim
1. In a capability based data processing system having at least one central processing unit, memory means and a multiplicity of keys, each key providing authority to its holder to use a specified portion of said system's resources, an arrangement comprising:
a plurality of domains for performing predefined processes, each including means for holding a plurality of keys; and
kernel means coupled to said domains for providing said domains with a predefined set of kernel functions, said kernel means having the exclusive means for creating keys and the exclusive means for resolving the authority conveyed by each said key;
wherein a plurality of said domains comprise factories for creating factory products comprising new domains for performing specified tasks;
a multiplicity of said keys are non-sensory keys, which convey the authority to directly or indirectly cause data to be transmitted to, or changed within, a domain other than the domain invoking said key; and
predefined ones of said kernel functions allow a requestor domain with a key to a specified one of said factories to determine whether said specified factory has any non-sensory keys not included in a first predefined set of keys;
whereby a requestor domain can determine if use of a specified factory could compromise the confidentiality of data provided by said requestor domain to said factory.
Abstract
A capability based computer system includes means, called a factory, for allowing two domains to share resources in a secure manner. Factories are special domains which, in combination with corresponding kernel functions, allow a first domain (called a builder domain) to install a program and other components in a factory for use by other domains, and then to seal the factory, thereby leaving the builder domain with no keys to the factory except a special type of entry key called a requestor key.
The holders of requestor keys can use the program in the factory by invoking the requestor key. This causes the factory to set up a new special domain for the requestor which allows the requestor to use the program in the factory to process data without being able to inspect the program. Further, the factory mechanism includes means for the requestor to confirm that the factory includes no keys which could compromise the confidentiality of the requestor's data.
A second aspect of the present invention is the ability to provide different memory fault resolution mechanisms (called segment keeper domains) for different memory segments.
39 Claims
1. In a capability based data processing system having at least one central processing unit, memory means and a multiplicity of keys, each key providing authority to its holder to use a specified portion of said system's resources, an arrangement comprising:
a plurality of domains for performing predefined processes, each including means for holding a plurality of keys; and
kernel means coupled to said domains for providing said domains with a predefined set of kernel functions, said kernel means having the exclusive means for creating keys and the exclusive means for resolving the authority conveyed by each said key;
wherein a plurality of said domains comprise factories for creating factory products comprising new domains for performing specified tasks;
a multiplicity of said keys are non-sensory keys, which convey the authority to directly or indirectly cause data to be transmitted to, or changed within, a domain other than the domain invoking said key; and
predefined ones of said kernel functions allow a requestor domain with a key to a specified one of said factories to determine whether said specified factory has any non-sensory keys not included in a first predefined set of keys;
whereby a requestor domain can determine if use of a specified factory could compromise the confidentiality of data provided by said requestor domain to said factory.
Dependent claims: 2-22.

23. In a capability based data processing system having at least one central processing unit, memory means and a multiplicity of keys, each key providing authority to its holder to use a specified portion of said system's resources, an arrangement comprising:
a plurality of domains for performing predefined processes, each including means for holding a plurality of keys; and
kernel means coupled to said domains for providing said domains with a predefined set of kernel functions, said kernel means having the exclusive means for creating keys and the exclusive means for resolving the authority conveyed by each said key;
wherein a plurality of said domains comprise segment keepers;
said memory means includes a multiplicity of nodes for holding said keys; and a multiplicity of memory segments for storing data;
a plurality of said nodes are segment nodes, each segment node defining a memory segment of a specified size;
a plurality of said keys are memory keys;
a plurality of said memory keys are page keys, each said page key providing access to a page of memory, each said page comprising a preselected number of basic memory storage units;
a plurality of said memory keys are segmode keys, each said segmode key providing access to a segment node having a plurality of slots for holding memory keys;
a plurality of said domains each have means for defining a memory tree defining the virtual address space of said domain;
each said memory tree includes at least one memory key;
each said memory tree which includes more than one memory key includes at least one segmode key and at least one segment node;
a plurality of said segment nodes each include means for specifying a segment keeper to be called by said kernel means upon the occurrence of memory faults in the memory segment defined by said segment node, said segment keeper comprising a domain having means for resolving memory faults and for restarting the domain wherein the fault occurred.
Dependent claims: 24-30.

31. In a capability based computer system,
first means serving as a factory for accepting a specific software program and using that program to process data; and
second means serving as a requestor for providing data to said factory and requesting that said data be processed in accord with said software program;
wherein said first and second means cooperate with one another such that the requestor can determine in advance, without inspection of said software program, that the data being processed and the processed data will be made available only to said requestor and such that said software program is not available to said requestor.

32. In a computer system having at least one central processing unit, memory means and a multiplicity of domains for performing predefined processes,
a plurality of first domains for running corresponding predefined software programs; and
a plurality of segment keeper domains for running a corresponding specific software program when one of said first domains suffers a memory fault;
wherein said memory means includes a multiplicity of memory segments; a multiplicity of said memory segments include means for specifying the segment keeper domain to be used upon the occurrence of a memory fault in said memory segment.

33. In a capability based computer system having a first means serving as a factory and second means serving as a requestor, a method comprising the steps of:
(a) verifying that said first means is capable of sending either data or processed data only to the provider of said data;
(b) accepting data from said requestor for processing by said first means in accord with a specific software program;
(c) processing said data; and
(d) returning the processed data to said requestor;
wherein said step (a) is performed without inspection of said specific software program.

34. In a computer system having at least one central processing unit, memory means, a kernel, a plurality of domains, each domain comprising at least one node, each node providing slots for a plurality of keys, each key providing a token of authority to use a specified portion of said system's resources;
a method of securing the integrity of the data and the processes therein, the steps of the method comprising:
(a) filtering all uses of keys through said kernel, said kernel having the exclusive means for creating said keys and the exclusive means for resolving the authority conveyed by each said key, whereby domains can only indirectly manipulate and obtain keys through the invocation of said kernel functions;
(b) responding to the invocation by a (builder) domain of a first (factory creator entry) key by creating a factory and returning to the builder a builder's key;
(c) responding to the invocation by a builder of a builder's key corresponding to a specified factory, using a predefined parameter value, by installing in said factory a specified key as a specified component of said factory;
(d) responding to the invocation by a builder of a builder's key corresponding to a specified factory, using a predefined parameter value, by sealing said factory, thereby preventing the installation of any additional non-sensory keys in said factory;
(e) responding to the invocation by a (requestor) domain of a second (requestor's) key corresponding to a specified factory, using a first parameter value, by producing a predefined factory product, said factory product comprising a domain or a predefined memory structure having access to at least certain ones of the components installed in said factory; and
(f) responding to the invocation by a requestor of a requestor's key corresponding to a specified factory, using a second parameter value, by determining whether a specified factory has the ability to invoke, directly or indirectly, any non-sensory keys which are not included in a first predefined set, and returning to the requestor a parameter indicative of whether said factory has any such non-sensory keys.
Dependent claims: 35 and 36.

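The factory protocol described in the abstract and in steps (b) through (d) and (f) of claim 34 (a builder creates a factory, installs component keys and seals it; a requestor then asks the kernel whether the factory could invoke, directly or through another factory, any non-sensory key outside a trusted set before handing over data), modelled in Python as an added example that is not part of the patent or of any KeyKOS implementation. The `Kernel` and `Key` classes, the sensory/non-sensory flag, the `trusted` set and the three-factory `scenario()` are constructed for illustration.

```python
# Constructed model of the factory mechanism in claim 34, steps (b)-(d) and (f); not KeyKOS code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    target: str            # object the key names: a domain, a memory segment, or a factory
    sensory: bool          # True: may only sense/copy; False: may send or change data elsewhere
    builder: bool = False  # True only for the builder's key handed out in step (b)

class Kernel:  # sole creator and resolver of keys; domains reach keys only through these calls
    def __init__(self):
        self.factories = {}

    def create_factory(self):                    # step (b): returns the builder's key
        name = f"factory{len(self.factories) + 1}"
        self.factories[name] = {"comps": [], "sealed": False}
        return Key(name, sensory=False, builder=True)

    def install(self, builder_key, component):   # step (c): add a key as a component
        if not builder_key.builder:
            raise PermissionError("only the builder's key may install components")
        f = self.factories[builder_key.target]
        if f["sealed"] and not component.sensory:  # step (d): sealing blocks new non-sensory keys
            raise PermissionError("sealed: no further non-sensory keys accepted")
        f["comps"].append(component)

    def seal(self, builder_key):                 # step (d): builder is left with a requestor's key
        self.factories[builder_key.target]["sealed"] = True
        return Key(builder_key.target, sensory=False)

    def holes(self, requestor_key, trusted):     # step (f): non-sensory keys outside `trusted`
        found, seen, todo = [], {requestor_key.target}, [requestor_key.target]
        while todo:                              # keys to other factories convey indirect authority
            for k in self.factories[todo.pop()]["comps"]:
                if not k.sensory and k.target not in trusted | seen:
                    seen.add(k.target)
                    (todo if k.target in self.factories else found).append(k.target)
        return set(found)                        # empty set: the factory is discreet

def scenario():  # three sealed factories: discreet, leaking, and one nesting the leaking one
    kern, trusted = Kernel(), frozenset({"kernel_clock"})
    b1, b2, b3 = kern.create_factory(), kern.create_factory(), kern.create_factory()
    kern.install(b1, Key("program_seg", sensory=True))    # the program itself: read-only
    kern.install(b1, Key("kernel_clock", sensory=False))  # non-sensory, but in the trusted set
    kern.install(b2, Key("bob_log", sensory=False))       # a channel back to factory 2's builder
    r1, r2 = kern.seal(b1), kern.seal(b2)
    kern.install(b3, r2)                                  # factory 3's product would use factory 2
    return kern, trusted, b1, r1, r2, kern.seal(b3)
```

A requestor holding `r3` learns that factory 3 is not discreet even though factory 3 itself holds no key to `bob_log`; the hole is reached through its key to factory 2.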
37. In a capability based data processing system having at least one central processing unit and memory means, said memory means including a multiplicity of memory segments; and means for holding a multiplicity of keys, each said key providing authority to its holder to use a specified portion of said system's resources; an arrangement comprising:
a plurality of domains for performing predefined processes, each including means for holding a plurality of keys; and
kernel means coupled to said domains for providing said domains with a predefined set of kernel functions, said kernel means having the exclusive means for creating keys and the exclusive means for resolving the authority conveyed by each said key;
wherein a plurality of said domains comprise factories for creating factory products comprising new domains for performing specified tasks;
a multiplicity of said keys are non-sensory keys, which convey the authority to directly or indirectly cause data to be transmitted to, or changed within, a domain other than the domain invoking said key;
a multiplicity of said keys are sensory keys, which convey the authority to directly or indirectly sense or copy data values or keys within specified objects in said system;
said arrangement includes factory setup means for a builder domain to install a software program and keys in a specified factory and to thereafter retain no keys which would provide access to the factory products produced by said specified factory; and
predefined ones of said kernel functions allow a requestor domain with a key to a specified one of said factories to determine whether said specified factory has any non-sensory keys not included in a first predefined set of keys;
whereby a requestor domain can determine if use of a specified factory could compromise the confidentiality of data provided by said requestor domain to said factory.

38. In a computer system having a multiplicity of domains for running specific software programs and memory means including a multiplicity of memory segments, a method comprising the steps of:
(a) defining for each of a multiplicity of said memory segments a segment keeper domain, including a predefined memory fault resolution software program, for resolving memory faults occurring in said memory segment;
(b) running in each of a plurality of said domains a process in accord with a corresponding specific software program;
(c) upon the occurrence of a memory fault in any of said plurality of domains during the operation of said running step, transferring the process from the domain in which said memory fault occurred to the segment keeper domain corresponding to the memory segment in which said memory fault occurred for running in accord with the memory fault resolution software program therein;
whereby said memory fault can be resolved and the process returned to the domain in which said memory fault occurred; and the method of memory fault resolution can differ in accordance with the memory segment in which the memory fault occurs.

39. In a computer system having at least one central processing unit, a multiplicity of domains for performing predefined processes, and memory means including a multiplicity of memory segments, a method comprising the steps of:
running a process in accord with predefined software programs in each of a plurality of first domains; and
upon the occurrence of a memory fault in one of said first domains, transferring said process to another of said multiplicity of domains, selected in accord with the memory segment in which the memory fault occurred, for running a corresponding specific software program;
whereby said memory fault can be resolved and the process returned to the domain in which said memory fault occurred; and the method of memory fault resolution can differ in accordance with the memory segment in which the memory fault occurs.