Computer system security method and apparatus having program authorization information data structures
INFORMATION PROTECTION AND AUTHENTICATION OF TEXAS, LLCThe holder of the '717 patent has sued Microsoft, Symantec, CA, F-Secure, McAfee, Kaspersky, Sophos, Novell, and PC Tools for infringing this patent.
Last updated: about 1 year ago
Summary / Description
| Summary / Description | The invention provides a software asset protection mechanism which is based on the separation of the software to be protected from the right to execute that software. |
Basic Information
| Type of Prior Art | Issued Patents - US |
| Country | United States of America |
| Patent/Application # | 4817140 |
| Kind Code | United States (US) - United STATES Patent - A |
| Patentee Name | International Business Machines Corp. |
| Relevant Pages, Columns, or Lines | col. 18, ln 44 - col. 19, ln 1 |
| URL | http://patft.uspto.gov/netacgi/... |
| Publication Date | November 5, 1986 |
| Additional Information | The publication date given is actually the filing date. |
Notes / To Do
| Notes | |
Excerpt
The coprocessor 15 has some features in common with the Support Hardware of our referenced U.S. Pat. No. 4,644,493. More particularly, the coprocessor provides each software vendor with an instance of a higher privilege level than the user but at the same time does not give any software vendor access to other vendors' privileged information. All application software decrypted and run on the coprocessor is at the lower of the two privilege levels; the higher privilege level, implemented in the ROM resident firmware, controls access to the non-volatile RAM 153, loading, decrypting and running operations. This structure in the coprocessor prevents a software vendor from writing a monitor which would run on the coprocessor to access the firmware and non-volatile memory (including the decryption keys) and make that information available to the host 10.
Accordingly, the coprocessor 15 has a first or lower privilege level which has access to the RAM 151; as already described, the RAM 151 is secured from the user and/or the host 10. The first privilege level includes first level operating instructions for executing protected software. The coprocessor 15, however, also has defined a second privilege level including a second level secure memory and second level operating instructions. The second level secure memory is represented by the non-volatile RAM 153 and the second level operating instructions are defined in the ROM 152. The second privilege level is secured both against the user and any software author. It is the second privilege level of the coprocessor 15 which is involved in acquisition of rights to execute and therefore controls the procedures antecedent thereto. The same second privilege level also responds to user requests for execution of protected software, provides for the loading and decryption of protected software and initiating the first privilege level into operation for execution of the protected software, but only in the event that the second privilege level determines that such execution is authorized.
Relevance
Claims
Claim 120
In a digital computer system having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, a method for providing improved computer security comprising the steps of:
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user; and
b) storing in at least one segment, digital data for associating said authorization information with at least one program to be executed by said processing means for said computer user.
Relevance
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user
a) storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user
Claim Chart
All
Claim 61
In a digital computer system for providing improved computer security having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and
b) means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.
Relevance
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user
Claim Chart
All
Claim 1
In a digital computer system having a digital data processing means for executing a plurality of digital programs and a memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and
b) means for storing in at least one segment, digital data for associating said authorization entries with at least one program.
Relevance
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means
Claim Chart
All
