Trusted path mechanism for an operating system
First Claim

1. A method in a UNIX-type operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running an init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:
- testing for the termination of an existing process running under the control of said init process;
- executing a fork system call by said init process for a new child process when said existing process terminates due to said secure attention request signal from a Secure Attention Key;
- changing the access mode of the terminal to be accessible by said init process;
- revoking access to the terminal by all other processes except said init process;
- executing an exec system call to overlay said trusted shell onto said new child process;
- changing the access mode of the terminal to be accessible by said trusted shell.
Abstract
The trusted path mechanism invention guarantees that data typed by a user on a terminal keyboard is protected from any intrusion by unauthorized programs. It allows a user to create a non-forgeable and non-penetrable communication path between the user's terminal and the trusted operating system software. The user can create a trusted path by simply pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This operation can be called when the user logs into the system in order to be sure that the user is communicating with the real login program and not a Trojan horse program masquerading as a login program, which could steal the user's password. After the user establishes the trusted path, he can enter his critical data, such as a password, and can be sure that his critical data is not being stolen by an intruder's program. Then, after the user logs out, he can be sure that the trusted path has actually logged him out of the system so that a Trojan horse program is not capable of continuing the session started by the user.
179 Citations
7 Claims
1. A method in a UNIX-type operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running an init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:
- testing for the termination of an existing process running under the control of said init process;
- executing a fork system call by said init process for a new child process when said existing process terminates due to said secure attention request signal from a Secure Attention Key;
- changing the access mode of the terminal to be accessible by said init process;
- revoking access to the terminal by all other processes except said init process;
- executing an exec system call to overlay said trusted shell onto said new child process;
- changing the access mode of the terminal to be accessible by said trusted shell.

2. A method in a UNIX-like operating system for creating, in response to a secure attention request signal from a Secure Attention Key, a trusted path between a terminal connected to a data processor running a trusted init process under said operating system and a trusted shell portion of a trusted computing base in said data processor, comprising the steps of:
- waiting for the termination of an existing process running under the control of said trusted init process;
- executing a fork system call by said trusted init process to create a child process when said existing process terminates due to a secure attention request signal from a Secure Attention Key and said existing process was a getty or a login process, changing the access mode of said terminal to be accessible by said init process, revoking access to said terminal by all other processes except said init process, executing an exec system call to overlay a new getty process onto said new child process, and executing the new getty process;
- executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a secure attention request signal from a Secure Attention Key and said existing process was a user process or a trusted shell, changing the access mode of said terminal to be accessible by said init process, revoking access to said terminal by all other processes except said init process, recording that said child is running a trusted shell, and executing an exec system call to overlay a trusted shell onto said child process, changing the access mode of the terminal to be accessible by said trusted shell, thereby establishing the trusted path;
- executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a normal exit and said existing process was a trusted shell, recording that the new child process is running an untrusted process, executing an exec system call to overlay an untrusted process onto said new child process;
- executing a fork system call by said trusted init process for a new child process when said existing process terminates due to a normal exit and said existing process was an untrusted process, executing an exec system call to overlay a getty process onto said child process to provide a login function for a new session at said terminal.

Dependent claims: 3, 4, 5, 6.

7. In a data processing system including a memory to which is connected a plurality of terminals, with at least one terminal including a keyboard having a Secure Attention Key, a method in a UNIX-type operating system for creating, in response to said Secure Attention Key, a trusted path between said terminal and a trusted shell portion of a trusted computing base which is a child process of an init process under said operating system, comprising the steps of:
- detecting said Secure Attention Key in a keyboard device driver connected to said keyboard;
- outputting from said keyboard device driver to a Secure Attention Key Signal Generator, information that said Secure Attention Key has been detected;
- outputting from said Secure Attention Key Generator a SIGSAK signal to all processes operating in a process group of said terminal, terminating all of said processes in said terminal process group;
- applying said SIGSAK signal to access authorization tables associated with all device drivers interfacing with said terminal, to deny access authorization to all processes in said data processing system except said init process;
- applying said SIGSAK signal to a file access table to remove all addressing information relating said device drivers interfacing with said terminal, to all processes in said data processing system except said init process;
- executing a fork system call by said init process for a new child process;
- executing an exec system call to overlay a trusted shell process onto said new child process, said trusted shell process having access authorization to said device drivers interfacing with said terminal and said trusted shell process having an addressing relationship defined in said file access table to said device drivers interfacing with said terminal;
- whereby a trusted path is established between said terminal and said trusted shell process.
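Claims 2 and 7 together describe a small state machine inside the trusted init process (which program to fork and exec next depends on what terminated and why) plus a revocation step that must reach every process holding the terminal, not only the ones SIGSAK kills. The simulation below is an added example written for this page, not the patent's own code: pids, process kinds, the access authorization table and the file access table are plain Python objects, fork and exec are modelled as creating a `Process` record, and SIGSAK delivery is modelled by clearing the terminal's process group. The init pid of 1, the getty-to-login-to-user transition by in-place exec, and the planted Trojan pid 555 are constructed assumptions.

```python
"""Simulation of the SAK trusted-path state machine from claims 2 and 7 (added example)."""
from dataclasses import dataclass, field

INIT_PID = 1  # assumed pid of the trusted init process


@dataclass
class Process:
    pid: int
    kind: str       # "getty", "login", "user" or "trusted_shell"
    trusted: bool   # init's own record of whether this child runs the trusted shell


@dataclass
class Terminal:
    access: set = field(default_factory=lambda: {INIT_PID})      # device-driver access authorization table
    file_table: set = field(default_factory=lambda: {INIT_PID})  # addressing info (open descriptors) per pid
    pgrp: set = field(default_factory=set)                       # pids in the terminal's process group


class TrustedInit:
    def __init__(self, term: Terminal):
        self.term = term
        self.next_pid = 100
        self.child = None
        self.log = []

    def _fork_exec(self, kind: str, trusted: bool) -> Process:
        """Model of fork() followed by exec() of the named program; the new child gets the terminal."""
        pid, self.next_pid = self.next_pid, self.next_pid + 1
        self.child = Process(pid, kind, trusted)
        self.term.pgrp.add(pid)
        self.term.access.add(pid)       # "changing the access mode of the terminal" for the child
        self.term.file_table.add(pid)
        self.log.append(f"fork/exec {kind} pid={pid}")
        return self.child

    def _revoke_terminal(self):
        """Claim 7: deny access and drop addressing information for every pid except init,
        including processes that were never in the terminal's process group."""
        self.term.access = {INIT_PID}
        self.term.file_table = {INIT_PID}
        self.log.append("terminal revoked: init only")

    def boot(self) -> Process:
        return self._fork_exec("getty", trusted=False)

    def exec_in_place(self, kind: str):
        """getty -> login -> user shell by exec() in the same pid (assumed; not part of the claims)."""
        self.child.kind = kind

    def deliver_sigsak(self) -> Process:
        """Secure Attention Key pressed: SIGSAK terminates the whole terminal process group."""
        ended = self.child
        self.term.pgrp.clear()
        self.child = None
        self.log.append(f"SIGSAK killed pid={ended.pid} ({ended.kind})")
        return self.on_child_exit(ended, "sak")

    def on_child_exit(self, ended: Process, reason: str) -> Process:
        """Claim 2 dispatch: the next program depends on why and what terminated."""
        if reason == "sak":
            self._revoke_terminal()
            if ended.kind in ("getty", "login"):
                return self._fork_exec("getty", trusted=False)    # fresh, genuine login prompt
            return self._fork_exec("trusted_shell", trusted=True)  # user process or trusted shell ended
        for table in (self.term.pgrp, self.term.access, self.term.file_table):
            table.discard(ended.pid)                               # a normal exit releases the tty
        if ended.kind == "trusted_shell":
            return self._fork_exec("user", trusted=False)          # leave the trusted path
        return self._fork_exec("getty", trusted=False)             # untrusted process ended: new session


def trusted_path_established(term: Terminal, init: TrustedInit) -> bool:
    """True when only init and a child recorded as the trusted shell can reach the terminal."""
    c = init.child
    return (c is not None and c.trusted
            and term.access == {INIT_PID, c.pid} and term.file_table == {INIT_PID, c.pid})


def simulate_session():
    """One terminal: SAK at the login prompt, SAK during a user session, then two normal exits.
    Returns (terminal, init, trojan_pid, snapshots of (stage, pid, kind, trusted, access))."""
    term, snaps = Terminal(), []
    init = TrustedInit(term)

    def snap(stage):
        c = init.child
        snaps.append((stage, c.pid, c.kind, c.trusted, sorted(term.access)))

    init.boot(); snap("boot")
    trojan = 555  # constructed: fake login program in the tty process group, holding the tty open
    term.pgrp.add(trojan); term.access.add(trojan); term.file_table.add(trojan)
    init.deliver_sigsak(); snap("sak at prompt")           # getty killed, new getty, trojan gone
    init.exec_in_place("login"); init.exec_in_place("user")  # user logs in on the genuine getty
    shell = init.deliver_sigsak(); snap("sak in session")  # user shell killed, trusted shell started
    init.on_child_exit(shell, "normal"); snap("shell exit")
    init.on_child_exit(init.child, "normal"); snap("logout")
    return term, init, trojan, snaps


if __name__ == "__main__":
    _, init, _, snaps = simulate_session()
    print("\n".join(init.log))
    print(snaps)
```

The point the simulation makes concrete is the separation between the two mechanisms: SIGSAK only reaches members of the terminal's process group, so a program that opened the terminal and then left the group would survive it; the table revocation in `_revoke_terminal` is what strips that process of its descriptors, which is why the claims apply the signal to the access tables and the file access table as well as to the process group.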
Specification