Trusted path mechanism for an operating system

US 4,918,653 A
Filed: 01/28/1988
Issued: 04/17/1990
Est. Priority Date: 01/28/1988
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a UNIX-type operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running an init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:

testing for the termination of an existing process running under the control of said init process;

executing a fork system call by said init process for a new child process when said existing process terminates due to said secure attention request signal from a Secure Attention Key;

changing the access mode of the terminal to be accessible by said init process;

revoking access to the terminal by all other processes except said init process;

executing an exec system call to overlay said trusted shell onto said new child process;

changing the access mode of the terminal to be accessible by said trusted shell.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The trusted path mechanism invention guarantees that data typed by a user on a terminal keyboard is protected from any intrusion by unauthorized programs. It allows a user to create a non-forgeable and non-penetrable communication path between the user'"'"'s terminal and the trusted operating system software. The user can create a trusted path by simply pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This operation can be called when the user logs into the system in order to be sure that the user is communicating with the real login program and not a Trojan horse program masquerading as a login program, which could steal the user'"'"'s password. After the user establishes the trusted path, he can enter his critical data, such as a password, and can be sure that his critical data is not being stolen by an intruder'"'"'s program. Then, after the user logs out, he can be sure that the trusted path has actually logged him out of the system so that a Trojan horse program is not capable of continuing the session started by the user.

179 Citations

7 Claims

1. A method in a UNIX-type operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running an init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:
- testing for the termination of an existing process running under the control of said init process;
  
  executing a fork system call by said init process for a new child process when said existing process terminates due to said secure attention request signal from a Secure Attention Key;
  
  changing the access mode of the terminal to be accessible by said init process;
  
  revoking access to the terminal by all other processes except said init process;
  
  executing an exec system call to overlay said trusted shell onto said new child process;
  
  changing the access mode of the terminal to be accessible by said trusted shell.

2. A method in a UNIX-like operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running a trusted init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:
- waiting for the termination of an existing process running under the control of said trusted init process;
  
  executing a fork system call by said trusted init process to create a child process when said existing process terminates due to a secure attention request signal from a Secure Attention Key and said existing process was a getty or a login process, changing the access mode of said terminal to be accessible by said init process, revoking access to said terminal by all other processes except said init process, executing an exec system call to overlay a new getty process onto said new child process, and executing the new getty process;
  
  executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a secure attention request signal from a Secure Attention Key and said existing process was a user process or a trusted shell, changing the access mode of said terminal to be accessible by said init process, revoking access to said terminal by all other processes except said init process, recording that said child is running a trusted shell, and executing an exec system call to overlay a trusted shell onto said child process, changing the access mode of the terminal to be accessible by said trusted shell, thereby establishing the trusted path;
  
  executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a normal exit and said existing process was a trusted shell, recording that the new child process is running an untrusted process, executing an exec system call to overlay an untrusted process onto said new child process;
  
  executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a normal exit and said existing process was an untrusted process, executing an exec system call to overlay a getty process onto said child process to provide a login function for a new session at said terminal.
- View Dependent Claims (3, 4, 5, 6)
- - 3. The method of claim 2 wherein the secure attention request is recognized by a UNIX-type operating system as an interrupt SIGSAK signal.
  - 4. The method of claim 3 wherein any user-defined key combination entered at said terminal can be employed as said secure attention request.
  - 5. The method of claim 4 wherein a timeout is established for the generation of a complete secure attention request sequence, whereby keys which are chosen can be used with the timeout as regular keys of said terminal.
  - 6. The method of claim 5 wherein the initial key is held in a line discipline driver and not sent to an application process until either the sequence breaks or the secure attention request timeout occurs, thereby avoiding emulation of a trusted path by unauthorized programs.

7. In a data processing system including a memory to which is connected a plurality of terminals, with at least one terminal including a keyboard having a Secure Attention Key, a method in a UNIX-type operating system for creating, in response to said Secure Attention Key, a trusted path between said terminal and a trusted shell portion of a trusted computing base which is a child process of an init process under said operating system, comprising the steps of:
- detecting said Secure Attention Key in a keyboard device driver connected to said keyboard;
  
  outputting from said keyboard device driver to a Secure Attention Key Signal Generator, information that said Secure Attention Key has been detected;
  
  outputting from said Secure Attention Key Generator a SIGSAK signal to all processes operating in a process group of said terminal, terminating all of said processes in said terminal process group;
  
  applying said SIGSAK signal to access authorization tables associated with all device drivers interfacing with said terminal, to deny access authorization to all processes in said data processing system except said init process;
  
  applying said SIGSAK signal to a file access table to remove all addressing information relating said device drivers interfacing with said terminal, to all processes in said data processing system except said init process;
  
  executing a fork system call by said init process for a new child process;
  
  executing an exec system call to overlay a trusted shell process onto said new child process, said trusted shell process having access authorization to said device drivers interfacing with said terminal and said trusted shell process having an addressing relationship defined in said file access table to said device drivers interfacing with said terminal;
  
  whereby a trusted path is established between said terminal and said trusted shell process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Luckenbaugh, Gary L., Johri, Abhai
Primary Examiner(s)
Eng, David Y.

Application Number

US07/149,446
Time in Patent Office

810 Days
Field of Search

364/200 MS File, 364/900 MS File, 364/300 MS File, 340/825.31
US Class Current

726/23
CPC Class Codes

G06F 21/31   User authentication

G06F 21/83   input devices, e.g. keyboar...

G06F 2211/009   Trust

G06F 9/468   Specific access rights for ...

G06F 9/4843   by program, e.g. task dispa...

Trusted path mechanism for an operating system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

179 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted path mechanism for an operating system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links