US2011023106A1PendingUtilityA1
Methods and systems for achieving high assurance computing using low assurance operating systems and processes
Est. expiryMar 12, 2024(expired)· nominal 20-yr term from priority
H04L 63/0272G06F 12/1416H04L 63/0209H04L 63/0442G06F 21/85H04L 63/02G06F 21/53H04W 12/088
46
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A computing system contains and uses a partitioning microkernel (PMK) or equivalent means for imposing memory partitioning and isolation prior to exposing data to a target operating system or process, and conducts continuing memory management whereby data is validated by security checks before or between sequential processing steps. The PMK may be used in conjunction with an Object Request Broker.
Claims
exact text as granted — not AI-modified1 . A method for operating a computing system comprising the steps of:
booting a high assurance kernel; partitioning available memory so as to allocate and isolate respective specific regions of memory for at least one computer program and at least one security process; inspecting with said security process incoming network data intended for the computer program; delivering inspected said incoming network data to the intended computer program; inspecting with said security process outgoing network data from the computer program; and delivering inspected said outgoing network data to an intended device.
2 . The method of claim 1 , said security process comprising any of firewall, virus and malware checking processes, said inspecting the incoming network data comprising conducting respective firewall, virus and malware checks on the incoming network data.
3 . The method of claim 2 , further comprising the step:
conducting an encryption/decryption process on said incoming and outgoing network data within said security process.
4 . The method of claim 3 , comprising:
accessing encryption/decryption keys from a trusted computing module.
5 . The method of claim 1 , further comprising the step:
conducting an encryption/decryption process on said incoming and outgoing file data within said security process.
6 . The method of claim 1 , further comprising:
inspecting with said security process the specific region of memory associated with said computer program for anomalies.
7 . The method of claim 1 , further comprising the step:
conducting virus checking on incoming and outgoing file data within said security process.
8 . The method of claim 1 , said high assurance kernel comprising a memory partitioning kernel, said step of partitioning available memory comprising partitioning available memory with said memory partitioning kernel.
9 . A method for operating a computing system comprising the steps of:
booting a high assurance kernel; partitioning available memory so as to allocate and isolate respective specific areas of memory for at least each of a computer program and a security process; restricting access by the computer program to the area of memory of the security process; imposing a data flow requiring incoming data to be subjected to the security process before being delivered to the computer program; inspecting with said security process incoming network data intended for the computer program; delivering inspected said incoming network data to the computer program; inspecting with said security process outgoing network data from the computer program; delivering inspected said outgoing network data to an intended device; said security process comprising any of firewall, virus and malware checking processes, said inspecting the incoming network data comprising conducting firewall, virus and malware checks on the incoming network data; conducting virus checking on incoming and outgoing file data within said security process; conducting an encryption/decryption process on said incoming and outgoing file data within said security process; inspecting with said security process the specific area of memory allocated to the computer program for anomalies in the computer program.
10 . The method of claim 9 , comprising:
accessing encryption/decryption keys from a trusted computing module.
11 . A computing system comprising:
a high assurance kernel; an operating system; a security process; and a network interface device; said high assurance kernel configured to upon being booted, impose a partitioning and management of memory and a sequencing of operation among said operating system and said security process whereby security checks are conducted on data by said security process prior to the data being made accessible for a next processing step within the computing system.
12 . The computer system of claim 11 , said high assurance kernel comprising a partitioning kernel.
13 . The computer system of claim 12 , further comprising an object requester broker in association with the partitioning kernel.
14 . The computer system of claim 11 , said security process comprising firewall, virus and malware checking.
15 . The computer system of claim 11 , further comprising an encryption/decryption process subject to said partitioning and management of memory and sequencing of operation by said kernel.
16 . The computer system of claim 15 , further comprising a trusted computing module subject to said partitioning and management of memory and sequencing of operation by said kernel.
17 . The computer system of claim 11 , said system comprising a firewall.
18 . The computer system of claim 17 , said system implemented on a common circuit board.
19 . The computer system of claim 17 , where said firewall is implemented in a motherboard chipset.
20 . A device for providing a blended protection scheme for a high assurance communication device comprising:
a reconfigurable firewall and packet inspection device for enforcing isolation and separation between a communication device's CPUs, memory, and the communication device, where the reconfigurable firewall is implemented on an integrated chip or motherboard chipset; and a protected CPU adapted to mange security functions and to reconfigure the reconfigurable firewall.
21 . The device of claim 20 , said device comprising a firewall and virus infection inspection system.
22 . The device of claim 20 , said device comprising a virtual private network for network based communications.
23 . A method for high assurance packet data processing in a computer system, comprising the steps:
(1) delivering an arriving packet of data to a security process; (2) verifying the security of the packet data, and if not verified then dropping the packet; (3) checking the packet data for encryption, and if not encrypted then delivering it to a contained operating system for processing; (4) checking the packet data for a match to decryption rules, and if not matched then dropping the packet; (5) decrypting the packet data and returning to step (2).Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.