Trusted workstation in a networked client/server computing system
First Claim
1. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said computer-executable program instructions comprising identification and authentication instructions for being executed by said computer for identifying and authenticating a computer user entirely during a pre-boot state of said computer, said pre-boot state taking place after said hardware reset and before booting of any operating system in said computer in response to said hardware reset, said computer-executable program instructions also including verification instructions for being executed by said computer during said pre-boot state for verifying a signature of said identification and authentication instructions to detect whether unauthorized modification has been made to said identification and authentication instructions.
8 Assignments
0 Petitions
Accused Products
Abstract
A trusted workstation includes a network interface card (NIC) with trusted computing base (TCB) extensions that provide for securely booting the workstation and performing subsequent receive and transmit packet filtering in support of a network'"'"'s system architecture requirements. The NIC includes a send address confirm circuit which includes a trusted source address (e.g., a MAC address) uniquely associated with the trusted workstation. For each packet to be transmitted from the trusted workstation over the network, the NIC first checks the source address inserted in the packet by the NIC driver running in the user session to be sure that the driver inserted source address is to equal to the trusted address resident. Thus, if untrusted software on the workstation attempts mischiefly transmit a forged packet with a source address other than the trusted source address, the NIC prohibits transmission of the packet with the forged source address. This prevents the trusted workstation from forging its packets with another client'"'"'s source address. The NIC also includes a receive address confirmation circuit which ensures that the trusted workstation only receives packets from authorized servers.
218 Citations
15 Claims
- 1. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said computer-executable program instructions comprising identification and authentication instructions for being executed by said computer for identifying and authenticating a computer user entirely during a pre-boot state of said computer, said pre-boot state taking place after said hardware reset and before booting of any operating system in said computer in response to said hardware reset, said computer-executable program instructions also including verification instructions for being executed by said computer during said pre-boot state for verifying a signature of said identification and authentication instructions to detect whether unauthorized modification has been made to said identification and authentication instructions.
- 4. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said program instructions comprising instructions for verifying, entirely during a pre-boot state of said computer, whether at least one pre-boot module of executable program instructions is authentic and for preventing said at least one pre-boot module from being loaded and executed by said computer during said pre-boot state unless a signature of said pre-boot module is verified during said pre-boot state, said pre-boot state taking place after said hardware reset and before booting of any operating system in said computer in response to said hardware reset.
-
7. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said computer-executable program instructions comprising instructions for:
-
initiating and controlling downloading of at least one pre-boot module of executable computer program instructions from a server to the computer during a pre-boot state of said computer;
verifying a signature of said at least one pre-boot module whereby to detect whether said at least one pre-boot module has been unauthorizedly modified, during said pre-boot state; and
if said signature of said at least one module is verified, initiating execution of said at least one pre-boot module in said computer during said pre-boot state;
wherein said at least one pre-boot module includes program instructions for identifying and authenticating a user of said computer entirely during said pre-boot state, said pre-boot state taking place after said hardware reset and before booting of any operating system in said computer in response to said hardware reset. - View Dependent Claims (8, 9)
-
- 10. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said program instructions comprising instructions for being executed during a pre-boot state of said computer to verify a signature of a pre-boot module of executable instructions to determine authenticity of said pre-boot module of executable instructions, said pre-boot module of executable instructions being for preventing the computer from booting any operating system unless a user of said computer is successfully authenticated during said pre-boot state.
- 13. A BIOS computer-readable memory comprising computer-executable program instructions stored therein for being executed by a computer during initialization of the computer following a hardware reset of said computer, said program instructions comprising instructions for being executed by said computer entirely during a pre-boot state of said computer for validating a signature of a pre-boot module of instructions whereby to determine authenticity of said module of instructions, said module of instructions being for preventing the computer from communicating with a server unless a user of said computer is successfully authenticated during said pre-boot state, said pre-boot state taking place after said hardware reset and prior to booting of any operating system in said computer in response to said hardware reset.
Specification