Secure data processing system architecture

US 4,701,840 A
Filed: 06/20/1986
Issued: 10/20/1987
Est. Priority Date: 02/16/1984
Status: Expired due to Term

First Claim

Patent Images

1. A data processing system for secure processing of data objects comprising:

memory means for storing ordinary data objects and distinguished data objects, a first field of each distinguished data object including a main memory location of an associated ordinary data object, a second field of said distinguished data object including access right data for said associated ordinary data object;

entry means for entering instructions by a user, said instructions having access right data associated therewith, said instructions including a operation field and a field for locating an associated ordinary data object;

first processing means, connected to said entry means and said memory means, for processing said ordinary data objects; and

second processing means, connected to said memory means, for processing said distinguished data objects, said second processing means including means responsive to an instruction for comparing access rights associated with said instruction with access rights of said distinguished data object associated with said ordinary data object.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system having an architecture for protecting selected system files. The data processing unit includes a secure processing unit operating in a manner independent of the operation of the remainder of the data processing unit for storing and comparing system file attributes and user entity attributes. The comparison of attributes is performed in accordance with a table in the secure processing unit containing the security context. The secure processing unit alone is able to manipulate special data groups called distinguished data objects. The secure processing unit also manipulates a data object identifier that isolates the identification of the system files from the actual memory storage locations. Apparatus and method are also disclosed for providing secure creation of protected system files by in part eliminates interruption, the data processing system in the process. The architecture also facilitates secure transfer of files between data processing systems.

Citations

19 Claims

1. A data processing system for secure processing of data objects comprising:
- memory means for storing ordinary data objects and distinguished data objects, a first field of each distinguished data object including a main memory location of an associated ordinary data object, a second field of said distinguished data object including access right data for said associated ordinary data object;
  
  entry means for entering instructions by a user, said instructions having access right data associated therewith, said instructions including a operation field and a field for locating an associated ordinary data object;
  
  first processing means, connected to said entry means and said memory means, for processing said ordinary data objects; and
  
  second processing means, connected to said memory means, for processing said distinguished data objects, said second processing means including means responsive to an instruction for comparing access rights associated with said instruction with access rights of said distinguished data object associated with said ordinary data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The data processing system for secure processing of data objects of claim 1 further comprising:
    - retrieval means, connected to said memory means, said first processing means and said second processing means, rsponsive to said instructions for retrieving from said main memory distinguished data objects associated with the ordinary data objects of said instructions; and
      
      storage means in said second processing means for storing said retrieved distinguished data objects associated with said instructions.
  - 3. The data processing system for secure processing of data objects of claim 2 further comprising:
    - a security context table, connected to said second processing means, for determining relationships in said comparison of access rights of said user issuing said instructions and access rights of distinguished data objects associated with the ordinary data objects referenced by said instructions; and
      
      a characteristics table, connected to said second processing means, for determining access rights of data objects.
  - 4. The data procesing system for secure processing of data objects of claim 3 wherein said data objects include a tag field, said second processing means includes means responsive to said tag field of said data objects for preventing said distinguished data objects from entering said first processing means.
  - 5. The data processing system for secure processing of data objects to claim 4 further comprising:
    - user rights storage means in said second processing means for storing access rights data of said data processing system users; and
      
      identification means coupled to said user rights storage means for identifying said user, an identification of a user determining access rights of instructions entered by said identified user.
  - 6. The data processing system of claim 3 further comprising address means in said second processing means for combining said instruction location field and an associated distinguished data object field to determine an address of an associated ordinary data object.
  - 7. The data processing system of claim 6 wherein a field of an ordinary data object can be associated with at least one additional ordinary data object.

8. A data processing system for controlling manipulation of data fields comprising:
- memory means for storing ordinary data objects, said ordinary data objects including said data fields;
  
  distinguished data objects stored in said memory means, each of said distinguished data objects associated with a one of said ordinary data objects and having an address data field determining a memory means location for said associated ordinary data object, each of said distinguished data objects including an access rights data field determining conditions for manipulation of said related ordinary data object;
  
  entry means responsive to signals from a user for entering instructions in said data processing system;
  
  each user having access rights associated therewith;
  
  security context table means for determining relationships between access rights of an ordinary data object and acess rights of a user;
  
  comparison means coupled to said security context table means and responsive to an instruction for automatically comparing access rights of an ordinary data object associated with said instruction and access rights of an instruction user; and
  
  processing means, connected to said security context table, said entry means and said memory means, for executing an instruction when said comparison means provides a first result.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The data processing system for controlling manipulation of said data fields of claim 8 wherein said comparison means includes retrieval means for retrieving a distinguised data object associated with ordinary data object identified by an instruction, said comparison means further including a distinguished object storage means.
  - 10. The data processing system of claim 9 wherein said ordinary data objects and said distinguished data objects have a tag field, said tag determining when a data object is a distinguished data object, said data processing system further including data object identification means, connected to said processing means, for prevention unpermitted manipulation of said distinguished data objects.
  - 11. The data processing system for controlling manipulation of data fields of claim 10 further comprising user entity identification means coupled to said entry means for automatically determining access rights of a user.
  - 12. The data processing system for controlling manipulation of data fields of claim 11 wherein determination of a location of an instruction'"'"'s data field requires use of an associated distinguished data object stored in said distinguished object storage means.
  - 13. The data processing system for controlling manipulation of data fields of claim 12 wherein said processing means includes a first portion for processing data fields of said ordinary data objects and a second portion for processing data fields of said distinguished data objects.
  - 14. The data processing system for controlling manipulation of data fields of claim 13 wherein said second processing means portion can not be manipulated by said entry means.
  - 15. The data processing system of claim 14 wherein said comparison means further includes a characteristics table defining access rights of said data objects.

16. A data processing system for secure processing of data fields comprising:
- entry means for entering instructions in said data processing system, said entry means providing user data to said data processing system;
  
  ordinary data objects including data fields;
  
  distinguished data objects including control fields and an address of an associated ordinary data object;
  
  memory means for storing said ordinary data objects and said distinguished data objects;
  
  comparison means for comparing said user data with a distinguished data object associated with a data field referenced by an instruction of said user; and
  
  processing means, connected to said comparison means, said memory means and said entry means, for executing said instruction when said comparison means provides a first result.
- View Dependent Claims (17, 18, 19)
- - 17. The data processing system of claim 16 wherein said comparison means includes a security context table for determining permitted relationships between users and ordinary data objects.
  - 18. The data processing system of claim 17 wherein said distinguished data object has a tag field, said data processing system including identification means, connected to said processing means and to means for retrieving data from said memory means, for preventing manipulation of distinguished data objects.
  - 19. The data processing system of claim 18 wherein said comparison means includes data objects characteristics table for determining control fields of data objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secure Computing Corporation (McAfee, LLC)
Original Assignee
Honeywell Incorporated (Honeywell International Inc.)
Inventors
Boebert, William E., Kain, Richard Y.
Primary Examiner(s)
Zache, Raulfe B.

Application Number

US06/876,540
Time in Patent Office

487 Days
Field of Search

364/200 MS File, 364/900 MS File
US Class Current

726/4
CPC Class Codes

G06F 12/1458   by checking the subject acc...

G06F 21/60   Protecting data

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Secure data processing system architecture

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data processing system architecture

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links