专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US10802990B2 Hardware based mandatory access control 有权
公开(公告)号：US10802990B2
公开(公告)日：2020-10-13
申请号：US12245964
申请日：2008-10-06
申请人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： G06F12/14 , G06F21/71 , G06F21/62
摘要： Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.

2. 发明申请

US20100125709A1 Logical Partition Memory 有权
标题翻译：逻辑分区内存
公开(公告)号：US20100125709A1
公开(公告)日：2010-05-20
申请号：US12272261
申请日：2008-11-17
申请人： William E. Hall , Guerney D.H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D.H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： G06F12/10 , G06F12/00 , G06F12/02
CPC分类号： G06F12/1036
摘要： A mechanism is provided, in a data processing system, for accessing memory based on an effective address submitted by a process of a partition. The mechanism may translate the effective address into a virtual address using a segment look-aside buffer. The mechanism may further translate the virtual address into a partition real address using a page table. Moreover, the mechanism may translate the partition real address into a system real address using a logical partition real memory map for the partition. The system real address may then be used to access the memory.
摘要翻译：在数据处理系统中提供了一种基于由分区的进程提交的有效地址来访问存储器的机制。该机制可以使用段间隔缓冲区将有效地址转换为虚拟地址。该机制可以使用页表进一步将虚拟地址转换成分区实际地址。此外，该机制可以使用分区的逻辑分区实际存储器映射将分区实际地址转换为系统实际地址。然后可以使用系统实际地址来访问存储器。

3. 发明授权

US06535607B1 Method and apparatus for providing interoperability between key recovery and non-key recovery systems 有权
公开(公告)号：US06535607B1
公开(公告)日：2003-03-18
申请号：US09184002
申请日：1998-11-02
申请人： Coimbatore S. Chandersekaran , Rosario Gennaro , Sarbari Gupta , Stephen M. Matyas, Jr. , David R. Safford , Nevenko Zunic
发明人： Coimbatore S. Chandersekaran , Rosario Gennaro , Sarbari Gupta , Stephen M. Matyas, Jr. , David R. Safford , Nevenko Zunic
IPC分类号： H04L900
CPC分类号： H04L9/0841 , H04L9/0894
摘要： A method and apparatus for ensuring that a key recovery-enabled (KR-enabled) system communicating with a non-KR-enabled system in a cryptographic communication system transmits the information necessary to permit key recovery by a key recovery entity. In a first embodiment, data is encrypted under a second key K that is generated as a one-way function of a first key K′ and a key recovery block KRB generated on the first key K′. The key recovery block KRB and the encrypted data e(K, data) are transmitted to the receiver, who cannot decrypt the data without regenerating the second key K from the first key K′ and the key recovery block KRB. In a second embodiment, data is encrypted under a second key K that is generated independently of the first key K′. A third key X, generated as a one-way function of the first key K′ and a key recovery block KRB generated on the second key K, is used to encrypt the XOR product Y of the first and second keys K′, K. The key recovery block KRB, the encrypted XOR product e(X, Y) and the encrypted data e(K, data) are transmitted to the receiver, who cannot decrypt the data without regenerating the third key X from the first key K′ and the key recovery block KRB, decrypting the XOR product Y using the regenerated third key X, and recombining the XOR product Y with the first key K″ to regenerate the second key K. In a third embodiment, an integrity value is computed on a key K and its key recovery block KRB. The integrity value and the key K are encrypted to form an encrypted portion of a key exchange block KEB, while the key recovery block KRB is put in an unencrypted portion of the key exchange block KEB, which is sent along with the encrypted data e(K, data) to the receiver. The receiver decrypts the encrypted portion, recomputes the integrity value and compares it with the received integrity value. Only if the two integrity values compare is the key K extracted and used to decrypt the data.

4. 发明授权

US08850557B2 Processor and data processing method with non-hierarchical computer security enhancements for context states 有权
标题翻译：处理器和数据处理方法，用于上下文状态的非分层计算机安全增强
公开(公告)号：US08850557B2
公开(公告)日：2014-09-30
申请号：US13408170
申请日：2012-02-29
申请人： Richard H. Boivie , William E. Hall , Guerney D. H. Hunt , Suzanne K. McIntosh , Mark F. Mergen , Marcel C. Rosu , David R. Safford , David C. Toll , Carl Lynn C. Karger
发明人： Richard H. Boivie , William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Suzanne K. McIntosh , Mark F. Mergen , Marcel C. Rosu , David R. Safford , David C. Toll
IPC分类号： G06F12/14 , G06F21/31
CPC分类号： G06F21/31 , G06F21/54 , G06F21/6218 , G06F2221/2105
摘要： Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted. The context control unit can also provide such computer security enhancements while still facilitating authorized cross-context and/or cross-level communications.
摘要翻译：公开了一种为上下文状态提供非分层计算机安全增强的处理器和处理方法。处理器可以包括上下文控制单元，其使用与相应上下文相关联的上下文标识符标签来控制上下文对包含在处理器的不可堆叠和/或可堆叠寄存器中的上下文信息（即上下文状态）的访问。例如，响应于访问请求，上下文控制单元可以仅在该寄存器被标记有特定上下文标识符标签时才向该寄存器授予特定上下文访问。如果寄存器用另一个上下文标识符标记，则将特定寄存器的内容保存在存储器的上下文保存区域中，并且特定上下文的先前上下文状态将被恢复到特定寄存器，然后才能授予访问权限。上下文控制单元还可以提供这样的计算机安全增强，同时还促进授权的交叉上下文和/或跨级通信。

5. 发明授权

US08135937B2 Logical partition memory 有权
标题翻译：逻辑分区内存
公开(公告)号：US08135937B2
公开(公告)日：2012-03-13
申请号：US12272261
申请日：2008-11-17
申请人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： G06F12/00 , G06F13/00 , G06F13/28 , G06F9/46 , G06F9/26 , G06F9/34
CPC分类号： G06F12/1036
摘要： A mechanism is provided, in a data processing system, for accessing memory based on an effective address submitted by a process of a partition. The mechanism may translate the effective address into a virtual address using a segment look-aside buffer. The mechanism may further translate the virtual address into a partition real address using a page table. Moreover, the mechanism may translate the partition real address into a system real address using a logical partition real memory map for the partition. The system real address may then be used to access the memory.
摘要翻译：在数据处理系统中提供了一种基于由分区的进程提交的有效地址来访问存储器的机制。该机制可以使用段间隔缓冲区将有效地址转换为虚拟地址。该机制可以使用页表进一步将虚拟地址转换成分区实际地址。此外，该机制可以使用分区的逻辑分区实际存储器映射将分区实际地址转换为系统实际地址。然后可以使用系统实际地址来访问存储器。

6. 发明授权

US08055912B2 Method and system for bootstrapping a trusted server having redundant trusted platform modules 有权
标题翻译：用于引导具有冗余可信平台模块的可信服务器的方法和系统
公开(公告)号：US08055912B2
公开(公告)日：2011-11-08
申请号：US12621524
申请日：2009-11-19
申请人： Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
发明人： Steven A. Bade , Linda Nancy Betz , Andrew Gregory Kegel , David R. Safford , Leendert Peter Van Doorn
IPC分类号： G06F11/30
CPC分类号： G06F21/575
摘要： Multiple trusted platform modules within a data processing system are used in a redundant manner that provides a reliable mechanism for securely storing secret data at rest that is used to bootstrap a system trusted platform module. A hypervisor requests each trusted platform module to encrypt a copy of the secret data, thereby generating multiple versions of encrypted secret data values, which are then stored within a non-volatile memory within the trusted platform. At some later point in time, the encrypted secret data values are retrieved, decrypted by the trusted platform module that performed the previous encryption, and then compared to each other. If any of the decrypted values do not match a quorum of values from the comparison operation, then a corresponding trusted platform module for a non-matching decrypted value is designated as defective because it has not been able to correctly decrypt a value that it previously encrypted.
摘要翻译：以冗余的方式使用数据处理系统内的多个可信任的平台模块，其提供用于安全地存储用于引导系统可信平台模块的休息处的秘密数据的可靠机制。管理程序请求每个可信平台模块加密秘密数据的副本，从而生成加密的秘密数据值的多个版本，然后存储在可信平台内的非易失性存储器中。在稍后的时间点，加密的秘密数据值由执行先前加密的可信任平台模块进行解密，然后进行比较。如果解密值中的任何一个与比较操作中的值的数量不匹配，则用于非匹配解密值的相应的可信平台模块被指定为有缺陷的，因为它不能正确解密之前加密的值。

7. 发明申请

US20100088739A1 Hardware Based Mandatory Access Control 审中-公开
标题翻译：基于硬件的强制访问控制
公开(公告)号：US20100088739A1
公开(公告)日：2010-04-08
申请号：US12245964
申请日：2008-10-06
申请人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C Toll
发明人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C Toll
IPC分类号： G06F12/14 , G06F21/00
CPC分类号： G06F12/1483 , G06F21/629 , G06F21/71
摘要： Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.
摘要翻译：硬件机制被提供用于执行对数据的指令的基于硬件的访问控制。这些硬件机制将指令访问策略标签与要由处理器处理的指令相关联，并将操作数访问策略标签与要由处理器处理的数据相关联。指令访问策略标签与指令一起通过处理器的一个或多个硬件功能单元传递。操作数访问策略标签与数据一起通过处理器的一个或多个硬件功能单元传递。与处理器的一个或多个硬件功能单元相关联的一个或多个硬件实现的策略引擎被用于基于指令访问策略标签和操作数访问策略标签来控制对数据的指令的访问。

8. 发明授权

US10255463B2 Secure computer architecture 有权
公开(公告)号：US10255463B2
公开(公告)日：2019-04-09
申请号：US12272217
申请日：2008-11-17
申请人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： H04L12/28 , G06F21/85 , G06F21/60
摘要： A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.

9. 发明申请

US20130019307A1 Secure Computer Architecture 审中-公开
标题翻译：安全的计算机体系结构
公开(公告)号：US20130019307A1
公开(公告)日：2013-01-17
申请号：US13613708
申请日：2012-09-13
申请人： William E. Hall , Guerney D.H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D.H. Hunt , Paul A. Karger , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： G06F21/00
CPC分类号： G06F21/85 , G06F21/606
摘要： A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.
摘要翻译：提供安全的计算机体系结构。利用这种架构，在实现安全计算机架构的集成电路芯片的组件中接收数据，用于跨数据通信链路进行传输。数据被组件转换成一个或多个第一固定长度的帧。一个或多个第一固定长度帧然后由组件以连续的帧流在数据通信链路上发送。连续的帧流包括当没有数据可用于包括在连续流的帧中时生成的一个或多个第二固定长度帧。

10. 发明申请

US20120331466A1 Secure Recursive Virtualization 审中-公开
标题翻译：安全递归虚拟化
公开(公告)号：US20120331466A1
公开(公告)日：2012-12-27
申请号：US13603643
申请日：2012-09-05
申请人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Suzanne K. McIntosh , Mark F. Mergen , David R. Safford , David C. Toll
发明人： William E. Hall , Guerney D. H. Hunt , Paul A. Karger , Suzanne K. McIntosh , Mark F. Mergen , David R. Safford , David C. Toll
IPC分类号： G06F9/455
CPC分类号： G06F9/45533 , G06F9/5077 , G06F21/57 , G06F2009/4557 , G06F2009/45579
摘要： A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled.
摘要翻译：提供了一种用于执行计算机系统的安全递归虚拟化的机制。内存的一部分由虚拟机监视器（VMM）或操作系统（OS）分配给新域。新域的初始程序被加载到内存部分。调用数据处理系统中的安全递归虚拟化固件（SVF）来请求生成新的域。确定呼叫是来自特权域还是非特权域。响应于来自特权域的请求，对数据处理系统中的任何其他域的所有对新域的访问都将被删除。响应于接收到新域已被生成的指示，调度初始程序的执行。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式