Method and system for protection and security of IO devices using credentials

US 7,925,801 B2
Filed: 01/17/2006
Issued: 04/12/2011
Est. Priority Date: 01/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for protecting access and operation of input/output (IO) devices, comprising the steps of:

issuing from an IO subsystem manager of a computer system a group credential to members of a group of consumers comprising a plurality of consumers that authorizes the consumers to share usage of an IO device, the group credential comprising a first identifier of the group;

issuing from an IO resource manager a device credential to members of a group of consumers comprising a second identifier of the group and specifying the IO device and specifying privileges for use of the IO device;

conveying a request to use the IO device from one of the consumers to a host gateway in a channel, the request comprising an IO command, the group credential and the device credential;

authenticating the one consumer as a member of the group at the host gateway using the group credential;

transmitting the request to a device controller of the IO device specified in the device credential;

making a determination in the device controller that the request conforms to the privileges of the device credential; and

responsively to the determination granting the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for protection and security of IO devices using credential are provided. The system may include at least one consumer arranged to initiate IO requests from the IO device, and the IO requests may include IO capability allocation and additional parameters. The system may also include an IO resource manager (IORM) arranged to translate the IO capability allocation and additional parameters included in said IO request to a set of capability tokens for the consumer or for a group of consumers, to generate a global key to protect the capability tokens, and further arranged to manage the IO device. The system may further include a channel component arranged to transfer and receive the IO request to and from the IO device.

Citations

28 Claims

1. A method for protecting access and operation of input/output (IO) devices, comprising the steps of:
- issuing from an IO subsystem manager of a computer system a group credential to members of a group of consumers comprising a plurality of consumers that authorizes the consumers to share usage of an IO device, the group credential comprising a first identifier of the group;
  
  issuing from an IO resource manager a device credential to members of a group of consumers comprising a second identifier of the group and specifying the IO device and specifying privileges for use of the IO device;
  
  conveying a request to use the IO device from one of the consumers to a host gateway in a channel, the request comprising an IO command, the group credential and the device credential;
  
  authenticating the one consumer as a member of the group at the host gateway using the group credential;
  
  transmitting the request to a device controller of the IO device specified in the device credential;
  
  making a determination in the device controller that the request conforms to the privileges of the device credential; and
  
  responsively to the determination granting the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprising the step of at the host gateway making a comparison between the first identifier and the second identifier, wherein transmitting the request is performed responsively to the comparison.
  - 3. The method according to claim 1, further comprising signing the request in the host gateway using a secured key.
  - 4. The method according to claim 3, further comprising the step of validating the request in the device controller using the secured key.
  - 5. The method according to claim 1, wherein the group credential is a cryptographically signed token that specifies one or more consumers that may share access to one or more IO devices, wherein the host gateway is operative to validate the group credential of the one consumer by verifying the first identifier of the one consumer.
  - 6. The method according to claim 1, wherein the privileges of the device credential comprise device access rights.
  - 7. The method according to claim 6, wherein transmitting the request comprises transmitting a memory access credential specifying memory access rights.
  - 8. The method according to claim 1, wherein the privileges of the device credential comprise IO permissions.
  - 9. The method according to claim 1, wherein the privileges of the device credential comprise IO program execution rights.
  - 10. The method according to claim 1, wherein associating the device credential with the request comprises transmitting the device credential and the request from the host gateway to the device controller and wherein making the determination that the request conforms to the privileges of the device credential is performed by the device controller.

11. A computer software product for protecting access and operation of input/output (IO) devices, including a computer-readable non-transitory storage medium in which computer program instructions are stored, which instructions, when executed by a computer, cause the computer to perform the steps of:
- issuing from an IO subsystem manager of a computer system a group credential to members of a group of consumers comprising a plurality of consumers that authorizes the consumers to share usage of an IO device, the group credential comprising a first identifier of the group;
  
  issuing from an IO resource manager a device credential to members of a group of consumers comprising a second identifier of the group and specifying the IO device and specifying privileges for use of the IO device;
  
  conveying a request to use the IO device from one of the consumers to a host gateway in a channel, the request comprising an IO command, the group credential and the device credential;
  
  authenticating the one consumer as a member of the group at the host gateway using the group credential;
  
  transmitting the request to a device controller of the IO device specified in the device credential;
  
  making a determination in the device controller that the request conforms to the privileges of the device credential; and
  
  responsively to the determination granting the request.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer software product according to claim 11, wherein the instructions cause the computer to perform the additional step of at the host gateway making a comparison between the first identifier and the second identifier, wherein transmitting the request is performed responsively to the comparison.
  - 13. The computer software product according to claim 11, wherein the instructions cause the computer to perform the additional step of signing the request in the host gateway using a secured key.
  - 14. The computer software product according to claim 13, wherein the instructions cause the computer to perform the additional step of validating the request in the device controller using the secured key.
  - 15. The computer software product according to claim 11, wherein the group credential is a cryptographically signed token that specifies one or more consumers that may share access to one or more IO devices, wherein the instructions cause the computer to perform the additional step of causing the host gateway to validate the group credential of the one consumer by verifying the first identifier of the one consumer.
  - 16. The computer software product according to claim 11, wherein the privileges of the device credential comprise device access rights.
  - 17. The computer software product according to claim 16, wherein transmitting the request comprises transmitting a memory access credential specifying memory access rights.
  - 18. The computer software product according to claim 11, wherein the privileges of the device credential comprise IO permissions.
  - 19. The computer software product according to claim 11, wherein the privileges of the device credential comprise IO program execution rights.

20. A data processing system adapted to protecting access and operation of input/output (IO) devices comprising:
- a processor;
  
  a plurality of consumers, defining a group of consumers, and comprising at least one operating system and a set of applications executing under control of the at least one operating system;
  
  at least one IO device;
  
  a channel manager for managing protection of the at least one IO device, comprising a host gateway and a device controller for the at least one IO device;
  
  an IO subsystem manager;
  
  an IO resource manager;
  
  a memory accessible to the processor storing programs and data objects therein, wherein execution of the programs cause the system to perform the steps of;
  
  issuing from the IO subsystem manager of a computer system a group credential to members of the group of consumers that authorizes the consumers to share usage of the IO device, the group credential comprising a first identifier of the group;
  
  issuing from the IO resource manager a device credential to members of a group of consumers comprising a second identifier of the group and specifying the IO device and specifying privileges for use of the IO device;
  
  conveying a request to use the IO device from one of the consumers to the host gateway, the request comprising an IO command, the group credential and the device credential;
  
  authenticating the one consumer as a member of the group at the host gateway using the group credential;
  
  transmitting the request to the device controller of the IO device specified in the device credential;
  
  making a determination in the device controller that the request conforms to the privileges of the device credential; and
  
  responsively to the determination granting the request.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The data processing system according to claim 20, wherein the host gateway is operative for making a comparison between the first identifier and the second identifier, wherein transmitting the request is performed responsively to the comparison.
  - 22. The data processing system according to claim 20, wherein the host gateway is operative for signing the request in the host gateway using a secured key.
  - 23. The data processing system according to claim 22, wherein the device controller is operative for validating the request in using the secured key.
  - 24. The data processing system according to claim 20, wherein the group credential is a cryptographically signed token that specifies one or more consumers that may share access to one or more IO devices, wherein the host gateway is operative to validate the group credential of the one consumer by verifying the first identifier of the one consumer.
  - 25. The data processing system according to claim 20, wherein the privileges of the device credential comprise device access rights.
  - 26. The data processing system according to claim 20, wherein the privileges of the device credential comprise IO permissions.
  - 27. The data processing system according to claim 20, wherein the privileges of the device credential comprise IO program execution rights.
  - 28. The data processing system according to claim 20, wherein associating the device credential with the request comprises transmitting the device credential and the request from the host gateway to the device controller and wherein making the determination that the request conforms to the privileges of the device credential is performed by the device controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Smith, Thomas Basil III, Engbersen, Ton, Shimony, Ilan, Machulsky, Zorik, Satran, Julian, Shalev, Leah
Primary Examiner(s)
Tsai; Henry W
Assistant Examiner(s)
Mamo; Elias

Application Number

US11/333,716
Publication Number

US 20070168299A1
Time in Patent Office

1,911 Days
Field of Search

710/36
US Class Current

710/36
CPC Class Codes

G06F 21/85 interconnection devices, e....

G06Q 20/3821 Electronic credentials

Method and system for protection and security of IO devices using credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protection and security of IO devices using credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links