Computer system security method and apparatus having program authorization information data structures
INFORMATION PROTECTION AND AUTHENTICATION OF TEXAS, LLCThe holder of the '717 patent has sued Microsoft, Symantec, CA, F-Secure, McAfee, Kaspersky, Sophos, Novell, and PC Tools for infringing this patent.
#126Multiple address space token designation, protection controls, designation translation and lookaside
Last updated: about 1 year ago
Summary / Description
| Summary / Description | This invention is a data processing system which has multiple virtual address spaces under system control and in which the user's management of the address spaces is by means of tokens provided by the system for identifying the spaces. |
Basic Information
| Type of Prior Art | Issued Patents - US |
| Country | United States of America |
| Patent/Application # | 4979098 |
| Kind Code | United States (US) - United STATES Patent - A |
| Patentee Name | International Business Machines Corporation |
| Relevant Pages, Columns, or Lines | col. 22, ln 44 - col. 23, ln 1 |
| URL | http://patft.uspto.gov/netacgi/... |
| Publication Date | June 8, 1990 |
| Additional Information | |
Notes / To Do
| Notes | |
Excerpt
The authority of the calling program to access the address space is now checked. The first check is made at 135 to determine if the P bit 136 is 0. If the P bit of 136 is 0, all programs are authorized to access the address space associated with the ALE, and no further checks are made. If the P bit 136 is 1, the ALEAX 137 is compared to the EAX 138 in control register 8 by the comparator 139. If the comparison at 139 is equal, then the program is specifically authorized to access the address space, and no further checks are made. If the comparison at 139 is not equal, then an ASN extended authorization check is made at 140. The ASN extended authorization check 140 is made by comparing the EAX in control register 8 with the authority table length (ATL) 141 to make sure that the EAX does not designate an entry outside of the bounds of the authority table. The EAX located in control register 8 is used as an index into the authority table whose origin is ATO 142. If the S bit in the authority table is set equal to 1 for that EAX, then the program is authorized to have access into the address space. If the program is authorized to have access to the address space, as described, the STD 144 is provided for the DAT operation at 145.
The private bit and the ALEAX field in the access list entry provide high performance authorization mechanisms to grant or prohibit a program's access to an address space represented by the ALE. The private bit can be 0, thus allowing all programs which execute with the access list to access the address space represented by the ALE. The ALE private bit can be 1 and the user's EAX in control register 8 can be equal to the ALEAX field. This allows programs with a particular EAX to access the address space represented by the ALE. Finally, the ALE private bit can be one and the user's control register 8 EAX can select an entry in the target space's authority table which has the S-bit equal to one. This allows multiple programs running with different EAXs to access the address space represented by the ALE.
Relevance
Claims
Claim 61
In a digital computer system for providing improved computer security having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and
b) means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.
Relevance
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and b) means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and b) means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.
Claim Chart
All
Claim 1
In a digital computer system having a digital data processing means for executing a plurality of digital programs and a memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and
b) means for storing in at least one segment, digital data for associating said authorization entries with at least one program.
Relevance
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and b) means for storing in at least one segment, digital data for associating said authorization entries with at least one program.
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and b) means for storing in at least one segment, digital data for associating said authorization entries with at least one program.
Claim Chart
All
Claim 120
In a digital computer system having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, a method for providing improved computer security comprising the steps of:
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user; and
b) storing in at least one segment, digital data for associating said authorization information with at least one program to be executed by said processing means for said computer user.
Relevance
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user; and b) storing in at least one segment, digital data for associating said authorization information with at least one program to be executed by said processing means for said computer user.
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user; and b) storing in at least one segment, digital data for associating said authorization information with at least one program to be executed by said processing means for said computer user.
Claim Chart
All
