Demonstrating integrity of a compartment of a compartmented operating system
원문보기
IPC분류정보
국가/구분
United States(US) Patent
등록
국제특허분류(IPC7판)
G06F-017/00
G06F-021/57
G06F-021/50
출원번호
US-0165840
(2002-06-07)
등록번호
US-9633206
(2017-04-25)
우선권정보
GB-0114885.7 (2001-06-19)
발명자
/ 주소
Dalton, Christopher I.
출원인 / 주소
Hewlett-Packard Development Company, L.P.
대리인 / 주소
HP Patent Department
인용정보
피인용 횟수 :
0인용 특허 :
158
초록▼
A computing platform 20 runs a compartmented operating system 22 and includes a trusted device 23 for forming an integrity metric which a user can interrogate to confirm integrity of the operating system. Also, the integrity of an individual compartment 24 is verified by examining status information
A computing platform 20 runs a compartmented operating system 22 and includes a trusted device 23 for forming an integrity metric which a user can interrogate to confirm integrity of the operating system. Also, the integrity of an individual compartment 24 is verified by examining status information for that compartment including, for example, the identity of any open network connections, the identity of any running processes, and the status of a section of file space allocated to that compartment 24. Hence, the integrity of an individual compartment 24 of the compartmented operating system 22 can be demonstrated.
대표청구항▼
1. A method for demonstrating integrity of an operating system compartment in a computing platform having a trusted device, comprising the steps of: (a) providing a host operating system of the computing platform;(b) determining a host operating system status of the host operating system using the t
1. A method for demonstrating integrity of an operating system compartment in a computing platform having a trusted device, comprising the steps of: (a) providing a host operating system of the computing platform;(b) determining a host operating system status of the host operating system using the trusted device;(c) providing a compartment of the host operating system; and(d) determining, by a processor, whether resources assigned to the compartment have been interfered with by resources from outside the compartment, the resources comprising at least a computer process assigned to the compartment; and(e) defining a compartment status based on the determining in step (d),wherein the step (d) comprisescomparing a current state of the compartment against an expected state,providing information about the current state of the compartment, including information about at least one of (i) a section of file space allocated to the compartment, (ii) any processes allocated to the compartment, and (iii) any communication interfaces allocated to the compartment, andat least one of:confirming that the compartment has access only to an expected section of file space;confirming that the allocated section of file space is in an expected condition;confirming that only an expected process or processes are allocated to the compartment; andconfirming that only an expected communication interface or communication interfaces are allocated to the compartment. 2. The method of claim 1, comprising providing a status metric representing the current state of the compartment. 3. The method of claim 2, comprising providing the status metric from the trusted device of the computing platform. 4. The method of claim 1, comprising confirming for each process allocated to the compartment that only an expected Inter-Process Communication channel or channels are open. 5. The method of claim 1, wherein the trusted device is arranged to obtain an integrity metric of the host operating system for comparison against a previously formed certificate issued by a trusted party. 6. The method of claim 5 further including reporting to a user of the computing platform the results of the comparison made against the previously formed certificate issued by the trusted party. 7. The method of claim 1, wherein the step of providing the host operating system includes providing a motherboard, wherein said trusted device is an Application Specific Integrated Circuit (ASIC) and wherein the step of providing the host operating system further includes the step of mounting said ASIC on said motherboard. 8. The method of claim 1, wherein an analysis of the compartment is based upon an analysis of the host operating system. 9. A computing platform, comprising: a host operating system;at least one compartment provided by the host operating system;a trusted device to determine a host operating system status of the host operating system; anda status unit todetermine whether resources assigned to the compartment have been interfered with by resources from outside the compartment, the resources comprising at least a computer process assigned to the compartment, anddefine a compartment status based on the determination of whether the resources assigned to the compartment have been interfered with by resources from outside the compartment,wherein to determine whether the resources assigned to the compartment have been interfered with by resources from outside the compartment, the status unit is to:compare a current state of the compartment against an expected state,provide information about the current state of the compartment, including information about at least one of (i) a section of file space allocated to the compartment, (ii) any processes allocated to the compartment, and (iii) any communication interfaces allocated to the compartment, andat least one of:confirm that the compartment has access only to an expected section of file space,confirm that the allocated section of file space is in an expected condition,confirm that only an expected process or processes are allocated to the compartment, andconfirm that only an expected communication interface or communication interfaces are allocated to the compartment. 10. The computing platform of claim 9, wherein the trusted device forms an integrity metric of the host operating system to be compared against an expected status. 11. The computing platform of claim 9, wherein the status unit comprises at least one of the host operating system or the trusted device. 12. The computing platform of claim 9, wherein the status unit provides a current status of the compartment to be compared against an expected status. 13. The computing platform of claim 12, wherein the status unit provides a status metric. 14. The computing platform of claim 12, wherein the current status identifies at least one of (i) a section of file space allocated to the compartment, (ii) any processes allocated to the compartment, (iii) any IPC channels open for any process allocated to the compartment, or (iv) any communication interfaces allocated to the compartment. 15. The computing platform of claim 14, wherein the status unit confirms a condition of the section of file space allocated to the compartment. 16. The computing platform of claim 15, wherein the condition of the section of file space allocated to the compartment is used to determine whether the section of file space has been corrupted. 17. The computing platform of claim 9, wherein the computing platform includes a motherboard and the trusted device comprises an Application Specific Integrated Circuit (ASIC) mounted on said motherboard. 18. The computing platform of claim 9, wherein an analysis of the compartment by the status unit is based upon an analysis of the host operating system by the trusted device.
연구과제 타임라인
LOADING...
LOADING...
LOADING...
LOADING...
LOADING...
이 특허에 인용된 특허 (158)
Peters Anthony M. (Bedford TX), Acceleration of system interrupts between operating systems in guest-host relationship.
Thuraisingham Bhavani Marienne (Lexington MA) Ford William Rose Barlett (Billerica MA), Apparatus and method for the detection of security violations in multilevel secure databases.
Arnold William C. (Mahopac NY) Chess David M. (Mohegan Lake NY) Kephart Jeffrey O. (Yorktown Heights NY) White Steven R. (New York NY), Automatic immune system for computers and computer networks.
Bell D. Michael (Beaverton OR), Bootstrap loading from external memory including disabling a reset from a keyboard controller while an operating system.
Frank Yellin ; James A. Gosling, Bytecode program interpreter apparatus and method with pre-verification of data type restrictions and object initialization.
Combs James L. (Lexington KY) Crump Dwayne T. (Lexington KY) Pancoast Steven T. (Lexington KY), Desk top computer system having multi-level power management.
Hecht Matthew S. (Potomac MD) Johri Abhai (Gaithersburg MD) Wei Tsung T. (Gaithersburg MD) Steves Douglas H. (Austin TX), Distributed security auditing subsystem for an operating system.
Blanset David R. (Middletown NJ) Butterfield David A. (Sylmar CA) Keverian Kenneth M. (Westfield NJ) Kline Charles S. (Sherman Oaks CA) Popek Gerald J. (Los Angeles CA), Dual operating system computer.
Robert G. Atkinson ; James W. Kelly, Jr. ; Bryan W. Tuttle ; Robert M. Price ; Robert P. Reichel, Embedding certifications in executable files for network transmission.
Brown Norman P. (Tomball TX) Williams ; Jr. James D. (Cypress TX) Clary Donald P. (Houston TX) Nuckols James H. (Houston TX), External boot information loading of a personal computer.
Le Hung Q. ; Delisle David J. ; Melo Maria Lucia, Flash ROM sharing between processor and microcontroller during booting and handling warm-booting events.
Bertram Randal L. (Lexington KY) Cecil Randal H. (Lexington KY) Ford Jeffrey V. (Lexington KY) Kozel Jerry T. (Lexington KY) Springhetti Rodney P. (Toronto KY CAX) Welman Glenn E. (Lexington KY) Wrig, Flexible computer initialization.
Bizzaro Mario,ITX ; Condorelli Vincenzo ; Hack Michel Henri Theodore ; Kravitz Jeffrey Kenneth ; Lindemann Mark John ; Palmer Elaine Rivette ; Pedrina Gianluca,ITX ; Smith Sean William ; Weingart Ste, Hardware access control locking.
Nguyen Trung K. ; Schwartz Catherine Abueg ; Jose Crispin R. ; Tran Matthew P., Method and apparatus for providing dual booting capabilities to a computer system.
Arnold William C. (Mahopac NY) Bealkowski Richard (Delray Beach FL), Method and apparatus for providing enhanced data verification in a computer system.
Garay Juan Alberto ; Gennaro Rosario ; Jutla Charanjit Singh ; Rabin Tal D., Method and apparatus for the secure distributed storage and retrieval of information.
Garay Juan Alberto ; Gennaro Rosario ; Jutla Charanjit Singh ; Rabin Tal D., Method and apparatus for the secure distributed storage and retrieval of information.
Chan, Shannon; Jensenworth, Gregory; Goertzel, Mario C.; Shah, Bharat; Swift, Michael M.; Ward, Richard B., Method and system for secure running of untrusted content.
Maximino Aguilar ; Norbert Blam ; John William Gorrell, Jr. ; Yuan-Chang Lo ; James Michael Stafford, Method and system for selecting from multiple boot code images to be loaded in a data processing system.
Combs James L. (Lexington KY) Crump Dwayne T. (Lexington KY) Pancoast Steven T. (Lexington KY), Method for saving and restoring the state of a CPU executing code in protected mode.
Sandstrom Brent B. (942 Copperkey Ct. Gilbert AZ 85233) Ewert Ernest R. (261 W. Verano Pl. Gilbert AZ 85233) Reisch Robert D. (2036 E. Clipper Cir. Gilbert AZ 85234), Method for securely storing electronic records.
Richard Patrick,CAX ; Csinger Andrew,CAX ; Knipe Bruce,CAX ; Woodward Bruce,CAX, Method of and apparatus for providing secure distributed directory services and public key infrastructure.
Hill Gregory ; Purcell Raymond A. ; Platz Charles D. ; Atkins Glen ; Atchison Lee, Methods and apparatus for dual-boot memory selection, update, and recovery in a programmable device.
Walker, Richard C., PFN/TRAC system FAA upgrades for accountable remote and robotics control to stop the unauthorized use of aircraft and to improve equipment management and public safety in transportation.
Podgorny Marek ; Beca Lukasz ; Cheng Gang ; Fox Geoffrey C. ; Jurga Tomasz ; Olszewski Konrad ; Sokolowski Piotr ; Walczak Krzysztof,PLX, Platform-independent collaboration backbone and framework for forming virtual communities having virtual rooms with collaborative sessions.
Canova ; Jr. Francis J. (Boynton Beach FL) Parthasarathy Sivagnanam (Corona Del Mar CA), Power management initialization for a computer operable under a plurality of operating systems.
Wisor Michael T. (Austin TX) O\Brien Rita M. (Austin TX), Power management unit including software configurable state register and time-out counters for protecting against misbeh.
Speed Paul F. (Sandbach GB2) Taylor Richard N. (Congleton GB2), Redundant computer system which boots one system as the primary computer from a shared drive.
Rabne Michael W. ; Barker James A. ; Alrashid Tareq M.T. ; Christian Brian S. ; Cox Steven C. ; Slotta Elizabeth A. ; Upthegrove Luella R., Rights management system for digital media.
Cordery Robert A. ; Lee David K. ; Pintsov Leon A. ; Ryan ; Jr. Frederick W. ; Weiant ; Jr. Monroe A., Secure user certification for electronic commerce employing value metering system.
Cordery Robert A. ; Lee David K. ; Pintsov Leon A. ; Ryan ; Jr. Frederick W. ; Weiant ; Jr. Monroe A., Secure user certification for electronic commerce employing value metering system.
Rose Anthony M. (66 Drumalbyn Road Bellevue Hill ; Sydney AUX 2023), Securing a computer against undesired write operations to or read operations from a mass storage device.
Allard James E. ; Anders Mark T. ; Jin Lei ; Kaplan David L. ; Krishnan Murali R. ; Pollack Seth B. ; Sigal Andrew, Server architecture for segregation of dynamic content generation applications into separate process spaces.
Wood, David L.; Norton, Derk; Weschler, Paul; Ferris, Chris; Wilson, Yvonne, Single sign-on framework with trust-level mapping to authentication requirements.
Holden James M. (Valley Center CA) Levin Stephen E. (Poway CA) Wrench ; Jr. Edwin H. (San Diego CA), Support of limited write downs through trustworthy predictions in multilevel security of computer network communications.
Blanc Alain,FRX ; Nicolas Laurent,FRX ; Gohl Sylvie,FRX, Switching system comprising distributed elements allowing attachment to line adapters, and having multicasting capabilities.
Tajalli Homayoon (Ellicott City MD) Badger Mark L. (Rockville MD) Dalva David I. (Rockville MD) Walker Stephen T. (Glenwood MD), System and method for controlling the use of a computer.
Teper Jeffrey A. ; Koneru Sudheer ; Mangione Gordon ; Balaz Rudolph ; Contorer Aaron M. ; Chao Lucy, System and method for providing trusted brokering services over a distributed network.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., System and methods for secure transaction management and electronic rights protection.
Boebert William E. ; Rogers Clyde O. ; Andreas Glenn ; Hammond Scott W. ; Gooderum Mark P., System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting.
Ginter Karl L. ; Shear Victor H. ; Sibert W. Olin ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for secure transaction management and electronic rights protection.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M., Systems and methods for the secure transaction management and electronic rights protection.
Kannan Krishnamurthl (Yorktown Heights NY) Lybrand David P. (Lantana FL) Novak Frank P. (Park Ridge NJ), Techniques for supporting operating systems for portable computers.
Miller Craig A. (Tomball TX) Dhareshwar Yatin (Bombay TX INX) Heller Edmund G. (Spring TX) Garrett Michael R. (Houston TX), Transparent, secure computer virus detection method and apparatus.
Ginter Karl L. ; Shear Victor H. ; Spahn Francis J. ; Van Wie David M. ; Weber Robert P., Trusted and secure techniques, systems and methods for item delivery and execution.
Cagno, Brian J.; Elliott, John C.; Kubo, Robert A.; Lucas, Gregg S., Verifying data integrity of a non-volatile memory system during data caching process.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.