Method and apparatus for enhancing computer system security
First Claim
1. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, a method for enhancing the security of said computer system, said method comprising:
- redirecting said first control signal line from said central processor unit to a second processor having an associated logic controller thereby intercepting said first control signal;
- substituting a second control signal to/from said second processor in place of said first control signal such that the second processor captures control of said central processor unit by said logic controller;
- verifying said critical program area in said memory with said second processor;
- further redirecting said first control signal line if said critical program area is verified such that control of said central processor unit is released by said logic controller to run said critical program;
- wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said step of further redirecting said first control signal line.
Abstract
A security enhanced computer system arrangement includes a coprocessor and a multiprocessor logic controller inserted into the architecture of a conventional computer system. The coprocessor and multiprocessor logic controller is interposed between the CPU of the conventional computer system to intercept and replace control signals that are passed over certain of the critical control signal lines associated with the CPU. The multiprocessor logic controller arrangement thereby isolates the CPU of the conventional computer system from the remainder of the conventional computer system, permitting separate control over the CPU and separate control over the remainder of the computer system. By controlling the control signals that are normally passed between the CPU and the remainder of the computer system, the multiprocessor logic controller permits the coprocessor to perform highly secure operations. These secure operations, selectable by a trusted operator or built in to a cooperating operating system, verify that the computer system is a trusted computing base which can be relied upon to perform its operations properly and without compromise.
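A minimal software model of the start-up sequence the abstract and claim 17 describe (capture the CPU, verify the critical program area, release only if verified), added here as an illustration and not taken from the patent. The claims do not say how the area is verified, so the SHA-256 comparison, the single hold/release line, all class and function names, and the sample memory image are assumptions.

```python
import hashlib
import hmac
from enum import Enum

class CpuState(Enum):
    HELD = "held"        # controller's substituted control signal is asserted
    RUNNING = "running"  # original control signal line restored to the CPU

class LogicController:
    """Models the interposed control line; a single hold/release line is assumed."""
    def __init__(self):
        self.cpu = CpuState.RUNNING

    def capture(self):
        self.cpu = CpuState.HELD

    def release(self):
        self.cpu = CpuState.RUNNING

class Coprocessor:
    """Second processor; reference digests live in its private store, not main memory."""
    def __init__(self, controller, reference_digests):
        self._ctl = controller
        self._ref = dict(reference_digests)

    def on_startup(self, memory, areas):
        """Capture the CPU, verify every critical area, release only if all match."""
        self._ctl.capture()
        for name, (start, length) in areas.items():
            if start < 0 or length <= 0 or start + length > len(memory):
                return False  # malformed area description: fail closed, CPU stays held
            digest = hashlib.sha256(bytes(memory[start:start + length])).digest()
            expected = self._ref.get(name)
            if expected is None or not hmac.compare_digest(digest, expected):
                return False  # unknown or modified area: CPU stays held
        self._ctl.release()
        return True

# Constructed sample: a 256-byte "memory" with one critical area at offset 64.
AREAS = {"bios": (64, 128)}
GOOD_MEMORY = bytearray(range(256))
REFERENCE = {"bios": hashlib.sha256(bytes(GOOD_MEMORY[64:192])).digest()}

def boot(memory, areas=AREAS):
    """Run one start-up and return the CPU state the controller leaves behind."""
    ctl = LogicController()
    Coprocessor(ctl, REFERENCE).on_startup(memory, areas)
    return ctl.cpu
```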
358 Citations
70 Claims
1. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, a method for enhancing the security of said computer system, said method comprising:
- redirecting said first control signal line from said central processor unit to a second processor having an associated logic controller thereby intercepting said first control signal;
- substituting a second control signal to/from said second processor in place of said first control signal such that the second processor captures control of said central processor unit by said logic controller;
- verifying said critical program area in said memory with said second processor;
- further redirecting said first control signal line if said critical program area is verified such that control of said central processor unit is released by said logic controller to run said critical program;
- wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said step of further redirecting said first control signal line.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, a method for enhancing the security of said computer system, said method comprising:
- providing a second processor having an associated logic controller;
- detecting start up of said computer system;
- capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system;
- verifying a first critical program area in said memory with said second processor;
- releasing control of said central processor unit by said logic controller to run said critical program if said first critical program area is verified;
- wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said step of releasing control.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35
36. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, an apparatus for enhancing the security of said computer system, said apparatus comprising:
- means for redirecting said first control signal line from said central processor unit to a second processor having an associated logic controller thereby intercepting said first control signal;
- means for substituting a second control signal to/from said second processor in place of said first control signal such that the second processor captures control of said central processor unit by said logic controller;
- means for verifying said critical program area in said memory with said second processor;
- means for further redirecting said first control signal line if said critical program area is verified such that control of said central processor unit is released by said logic controller to run said critical program;
- wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said further redirecting of said first control signal line.
Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51
52. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, an apparatus for enhancing the security of said computer system, said apparatus comprising:
- a second processor having an associated logic controller;
- means for detecting start up of said computer system;
- means for capturing control of said central processor unit by said logic controller responsive to said means for detecting start up of said computer system;
- means for verifying a first critical program area in said memory with said second processor;
- means for releasing control of said central processor unit by said logic controller to run said critical program if said first critical program area is verified;
- wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said releasing control.
Dependent claims: 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70
Specification