Secure data processing system architecture
Abstract
A data processing system having an architecture for protecting selected system files. The data processing unit includes a secure processing unit operating in a manner independent of the operation of the remainder of the data processing unit for storing and comparing system file attributes and user entity attributes. The comparison of attributes is performed in accordance with a table in the secure processing unit containing the security context. The secure processing unit alone is able to manipulate special data groups called distinguished data objects. The secure processing unit also manipulates a data object identifier that isolates the identification of the system files from the actual memory storage locations. Apparatus and method are also disclosed for providing secure creation of protected system files that in part eliminates interruption of the data processing system in the process. The architecture also facilitates secure transfer of files between data processing systems.

24 Claims

1. A data processing system having protected system files, said data processing system comprising:
memory means for storing logic signal groups; processing means for manipulating logic signal groups in said memory means in accordance with instruction signal groups; interaction means for permitting a user to enter instruction signal groups for said processing means; identification means coupled to said interaction means for relating preselected attributes with said user; address means coupled to said interaction means for retrieving a logic signal group associated with an instruction signal group, said address means also for associating preestablished attributes with said associated logic signal group; and comparison means coupled to said address means and to said identification means for comparing said preselected attributes with said preestablished attributes, said comparison means preventing said associated logic signal group from being manipulated by said processing. (Dependent claims: 2, 3, 4, 5, 6)

7. A data processing system for creating a protected system file in response to a selected user instruction signal group, said data processing system comprising:
memory means for storing logic signal groups; processing means for manipulating logic signal groups from said memory means in accordance with instruction signal groups; interaction means for permitting a user to interact with said data processing unit; first identification means coupled to said interaction means for identifying attributes associated with said user applying said selected user instruction signal group to said data processing system; second identification means coupled to said interaction means for identifying attributes associated with logic signal groups to be included in said protected system file; comparison means for comparing said user attributes and said logic signal group attributes, said comparison means creating a file associated with said protected system file for controlling future use of said protected system file, said comparison means using said created file to determine when said user attributes and said protected file systems have a predefined relationship. (Dependent claims: 8)

9. Apparatus for transferring protected system files from a first data processing system to a second data processing system, wherein said first and said second data processing systems have secure processing portions unavailable to control by a remainder of said data processing system for controlling manipulation of said protected system files, said apparatus comprising:
means for storing said protected system files and intermediate logic signal groups associated with each of said protected system files, said intermediate signal groups capable of being processed only by said secure processing portion, said intermediate logic signal groups including attributes associated with said associated protected system files and an address of said associated protected system file, said logic signal groups further including a field indicative of intermediate logic signal groups and an identifier field indicative of availability of said protected system files to manipulation by users of said data processing systems; means for encrypting said intermediate logic signal groups at said data processing system; means for decrypting said intermediate logic signal groups at said second data processing unit; and means for identifying said indicative field in said second data processing system, wherein said intermediate logic signal groups transferred to said second data processing system can be processed only by said secure processing portion.

10. A data processing system for providing protected system files comprising:
memory means for storing data objects and distinguished data objects; interaction means for permitting a user entity to interact with said data processing system; user entity identification means coupled to said interaction means for identifying user entities interacting with said data processing system; data object processing unit coupled to said interaction means and to said memory means for manipulating said data object; and secure processing means operating automatically in response to signals from a remainder of said data processing unit, said secure processor unit comprising: a current security context register coupled to user entity identification means for identifying attributes associated with said user entities; security context table for specifying relationships between said user entity attributes and attributes of said protected system file, wherein said protected system files include data objects; data object characteristics table for specifying a memory address and other characteristics of said protected system file data objects; a distinguished data object processing unit and associated program working set table for determining addresses of data objects currently under program execution, said distinguished data object processing unit also determining when said user entity attributes and said system file attributes have a predetermined relationship; and a memory address apparatus coupled to said distinguished data object processing unit for transferring data objects and distinguished data objects between said memory and said data processing system, said memory address apparatus including recognition apparatus for identifying said distinguished data objects, said memory address apparatus transferring data objects to said data object processing unit when said predetermined relationship is present.

11. A data processing system with protected system files, said data processing system comprising:
a memory unit for storing data objects and security data objects; data object processing means for processing said data objects stored in said memory unit; user input means for identifying attributes of a user entering instructions in said data processing system; system file identification means coupled to said user input means for identifying a data object identification field related to a system file requested by a user instruction, said system file associated with data objects; retrieving means coupled to said system file identification means and responsive to said data object identification field for retrieving a security data object from said memory unit, said security data object containing attributes and memory unit address of said instruction system file; security context table for defining relationships between attributes of a user and attributes associated with said system file; and processor means coupled to said security context table and to said retrieving means for comparing said user attributes and system file attributes in accordance with said security context table, said processor means permitting said data object processing means to execute said instruction when said comparison has a first value. (Dependent claims: 12)

13. A data processing system for creation of protected system files, said data processing system comprising:
processing means responsive to user entity instructions for manipulating system file in accordance with said user instructions; input means responsive to an instruction requesting creation of a protected system file for determining desired activity parameters of said requested protected system file; identification means for determining an identification of a user entity providing said instruction requesting creation of said protected system file; user entity parameter table coupled to said identification means for providing data signals representing activity parameters associated with said user entity, said user entity parameter table unavailable to control by said data processing system; and secure processing means for comparing said desired system file activity parameters and said user entity activity parameters, said processor means permitting creation of said protected system file when said user entity and said system file activity has a predetermined context relationship, said secure processing means storing a security file in a data processing system memory having protected system file activity parameters, said secure processing means providing an entry in a table with an address of said stored security file. (Dependent claims: 14, 15, 16, 17, 18, 19)

20. A data processing system having protected system files, said data processing system comprising:
a memory unit for storing ordinary data objects and special data objects, wherein a system file has at least one identifying data group associated therewith, said special data objects including an identifying data group, said special data object further including address groups for identifying ordinary data groups associated with said protected system file; processing means for processing ordinary data groups in response to instructions by a user entity; input unit for identifying said user entity applying instructions to said data processing system; user entity parameter table coupled to said input unit for defining parameters associated with said user entity; activity parameter table for defining parameters associated with said identifying data groups; context table for defining permitted relationships between said user entity parameters and said activity parameters; and secure processing means for providing an identifying data group for a protected system file requested by a user entity, said secure processing means permitting execution of an instruction from a user entity when said secure processing means determines that said user entity parameters and said activity parameters have a permitted relationship as defined by said context table. (Dependent claims: 21, 22, 23)

24. The method of providing for the security of logic signal groups against unauthorized access in a data processing system comprising the steps of:
collecting all logic signal groups into identifiable logic signal units; associating with each of said identifiable logic signal units a distinguished logic signal unit, wherein said distinguished logic signal unit defines access rights required to access said associated identifiable logic signal unit; associating with each user of said data processing system access rights; comparing said access rights required to access a selected identifiable logic signal unit with access rights of a user requesting access to said selected identifiable logic signal unit; and creating said access rights required to access an identifiable logic signal unit in said associated distinguished logic signal group when said distinguished logic signal unit is formed, said access rights selected to implement a predefined policy for security of said identifiable logic signal group.

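The access check that claims 11, 13 and 24 describe, assembled into running code as an added example (not code from the patent or any product): a secure unit keeps the user entity parameter table, a security context table, and the distinguished data objects that carry a file's attributes and its memory address, and the ordinary processing side only ever receives data through that unit. The clearance ordering used as the context relationship, the names and the sample users are assumptions.

```python
from dataclasses import dataclass, field

# Assumed security context policy: attributes are ordered levels, and a user
# may manipulate a file whose level does not exceed the user's own level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class DistinguishedDataObject:
    """Security data object (claims 11, 20): the file's attributes and its
    memory address. Only the secure processing unit reads or writes these."""
    classification: str
    address: int


@dataclass
class SecureProcessingUnit:
    users: dict = field(default_factory=dict)            # user entity parameter table
    characteristics: dict = field(default_factory=dict)  # object id -> DistinguishedDataObject
    memory: dict = field(default_factory=dict)           # address -> ordinary data object

    def context_permits(self, user_attr: str, file_attr: str) -> bool:
        """Security context table lookup (assumed level-ordering policy)."""
        return LEVELS[user_attr] >= LEVELS[file_attr]

    def resolve(self, user: str, object_id: str):
        """Claim 11: retrieve the security data object by identifier, compare
        attributes under the context table, and release the stored data only
        when the comparison has the permitting value; otherwise nothing leaves
        the secure unit, not even the address."""
        ddo = self.characteristics.get(object_id)
        if ddo is None or user not in self.users:
            return None
        if not self.context_permits(self.users[user], ddo.classification):
            return None
        return self.memory.get(ddo.address)

    def create_protected_file(self, user: str, object_id: str,
                              classification: str, data: bytes) -> bool:
        """Claim 13: creation is allowed only when the requesting user's
        parameters and the requested file parameters have the permitted
        relationship; the secure unit then stores the data and the table entry."""
        if user not in self.users or not self.context_permits(self.users[user], classification):
            return False
        address = len(self.memory)          # constructed address allocation
        self.memory[address] = data
        self.characteristics[object_id] = DistinguishedDataObject(classification, address)
        return True
```

Because the identifier-to-address mapping lives only inside the secure unit, a caller that fails the comparison learns neither the file contents nor where they are stored.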
Specification