System and method for protecting a computer system from malicious software
Abstract
In a computer system, a first electronic data processor is communicatively coupled to a first memory space and a second memory space. A second electronic data processor is communicatively coupled to the second memory space and to a network interface device. The second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device. A video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format. The computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.
Claims
exact text as granted — not AI-modified
1. A method of operating a computer system having at least a first and second electronic data processor capable of executing instructions using a common operating system, comprising the steps of:
executing instructions in a first logical process within the common operating system using the first electronic data processor, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space; executing instructions in a second logical process within the common operating system using the second electronic data processor, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers; displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
2. The method of claim 1 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
3. The method of claim 1 wherein the second logical process is selected from the group consisting of; an electronic mail process, an instant messaging process, an internet browser process, an interactive gaming process, a virtual private network (VPN) process, and a reader application process.
4. The method of claim 1 wherein the first logical process receives user interface data, and passes the user interface data to the second logical process.
5. The method of claim 1 wherein the first and second electronic data processors are part of a multi-core electronic data processor.
6. The method of claim 1 and further comprising the step of restoring at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
7. The method of claim 1 and further comprising the step of automatically deleting at least one data file residing on the second memory space when the second logical process is terminated.
8. The method of claim 1 and further comprising the steps of:
encrypting data with the first logical process;
transferring the encrypted data from the first logical process to the second logical process;
transferring the encrypted data from the second logical process to the network interface device.
9. The method of claim 8 and further comprising the steps of:
decrypting the data with the network interface device;
transferring the decrypted data from the network interface device to the network.
10. A multi-processor computer system using a common operating system, comprising:
a first electronic data processor capable of executing instructions using the common operating system and communicatively coupled to a first memory space and a second memory space; a second electronic data processor capable of executing instructions using the common operating system and communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device; a video processor adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing on the second electronic data processor.
11. The computer system of claim 10 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
12. The computer system of claim 10 wherein the first and second electronic data processors are part of a dual processor computer system.
13. The computer system of claim 10 wherein the second electronic data processor and the video processor are colocated on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.
14. The computer system of claim 10 wherein the computer system is configured such that the first electronic data processor is protected from executing instructions initiated by a malware process downloaded from the network and executing on the second electronic data processor.
15. A multi-processor computer system using a common operating system, comprising:
at least a first and second electronic data processor capable of executing instructions using the common operating system; at least a first and second memory space; a video processor; wherein the first and second electronic data processors, first and second memory space, and video processor are configured for performing the steps of: executing instructions in a first logical process with the first electronic data processor, wherein the first logical process is executing within the common operating system and is capable of accessing data contained in the first memory space and the second memory space; executing instructions in a second logical process with the second electronic data processor, wherein the second logical process is executing within the common operating system and is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers; displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein the video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
16. The computer system of claim 15 wherein the computer system is further configured such that the first logical process is protected from executing instructions initiated by a malware process downloaded from the network and executing as part of the second logical process.
17. The computer system of claim 15 and further comprising: at least one network interface device capable of exchanging data with both the second logical process and with the network.
18. The computer system of claim 17 wherein the network interface device is capable of decrypting data received from the second logical process and transmitting the decrypted data to the network while preventing the second logical process from accessing the decrypted data.
19. The computer system of claim 15 wherein the at least one electronic data processor is selected from the group consisting of: a multi-core electronic data processor; dual electronic data processors; and multiple electronic data processors.
20. The computer system of claim 15 and further configured for performing the step of: restoring at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
21. A method of generating data for display of website content on a portable computer employing a common operating system in a secure manner, comprising:
distributing website content, via a network of one or more computers, to the portable computer capable of executing a secure web browser process, wherein the website content potentially contains malware; wherein the secure web browser process is capable of executing on at least one electronic data processor and comprises a first web browser process and at least one second protected web browser process, the first web browser process and the at least one second protected web browser process being configured to access the website content via the network of one or more computers, the at least one electronic data processor capable of being communicatively coupled to a first memory space and to a second protected memory space, the first memory space having at least one system file, the secure web browser process configured for:
executing instructions in the first web browser process, wherein the first web browser process is configured to access data contained in the first memory space and to initialize the at least one second protected web browser process;
passing data from the first web browser process to the at least one second protected web browser process;
executing instructions in the at least one second protected web browser process, wherein the at least one second protected web browser process is configured to access data contained in the second protected memory space but is denied access to the first memory space;
generating data for display of the distributed website content potentially containing malware;
wherein the secure web browser process is configured such that the at least one system file residing on the first memory space is protected from corruption by the website content potentially containing malware executing in the at least one second protected web browser process.
22. The method of claim 21 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
23. The method of claim 22 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
24. The method of claim 21 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
25. The method of claim 21 wherein the website content potentially containing malware comprises internet advertising.
26. The method of claim 25 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content; multimedia content; and video content.
27. The method of claim 21 further comprising:
closing the at least one second protected web browser process; and upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
28. The method of claim 21 further comprising the first web browser process initializing a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate second protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
29. The method of claim 21 wherein the at least one second protected web browser process is initialized from clean system files.
30. The method of claim 21 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
31. The method of claim 21 wherein the data for display of the distributed website content potentially containing malware is rendered using a video processor.
32. The method of claim 21 wherein at least one file corrupted by a malware process is capable of being restored from a protected image.
33. The method of claim 32 wherein the protected image is stored at a location selected from the group consisting of:
a removable drive; the first memory space; and a partition on a memory device.
34. The method of claim 21 wherein the at least one second protected web browser process is capable of running a process selected from the group consisting of:
an electronic mail process; an instant messaging process; a gaming process; and a reader application process.
35. The method of claim 21 wherein the portable computer comprises an intelligent cellular telephone with a built-in secure web browser.
36. A method of operating a portable computer based system employing a common operating system and configured with a first memory space and a second protected memory space and at least one electronic data processor, comprising:
storing at least one system file within the first memory space; downloading website content potentially containing malware from a network of one or more computers using a secure web browser process, wherein the secure web browser process is configured to execute on the at least one electronic data processor, and comprises a first web browser process and at least one second protected web browser process, the first web browser process and the at least one second protected web browser process being configured to access the website content via the network of one or more computers; executing instructions in the first web browser process, wherein the first web browser process is configured to access data contained in the first memory space and to initialize the at least one second protected web browser process; passing data from the first web browser process to the at least one second protected web browser process; executing instructions in the at least one second protected web browser process, wherein the at least one second protected web browser process is configured to access data contained in the second protected memory space and to execute instructions from the downloaded website content, wherein the downloaded website content is capable of accessing the second protected memory space but is denied access to the first memory space; displaying digital content generated by the secure web browser process; wherein the secure web browser process is configured such that the at least one system file residing on the first memory space is protected from corruption by website content potentially containing malware downloaded from the network and executing as part of the at least one second protected web browser process.
37. The method of claim 36 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
38. The method of claim 37 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
39. The method of claim 36 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
40. The method of claim 36 wherein the website content potentially containing malware comprises internet advertising.
41. The method of claim 40 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content; multimedia content; and video content.
42. The method of claim 40 wherein the internet advertising is downloaded from a search engine website.
43. The method of claim 36 further comprising:
closing the at least one second protected web browser process; upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
44. The method of claim 36 further comprising blocking attempts by malware to record data entry by a computer user.
45. The method of claim 36 further comprising the first web browser process opening a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate second protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
46. The method of claim 36 wherein the at least one second protected web browser process is initialized from clean system files.
47. The method of claim 36 wherein the at least one second protected web browser process is capable of accessing the first memory space only with the permission of a computer user.
48. The method of claim 36 wherein at least one user file residing on the first memory space is protected from being read by a malware process downloaded from the network and executing as part of the at least one second protected web browser process.
49. The method of claim 36 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
50. The method of claim 36 wherein the digital content is rendered using a video processor.
51. The method of claim 36 wherein the at least one second protected web browser process is capable of running a process selected from the group consisting of:
an electronic mail process; an instant messaging process; a gaming process; and a reader application process.
52. The method of claim 36 wherein the portable computer based system comprises an intelligent cellular telephone with a built-in secure web browser.
53. A portable computer based system employing a common operating system for protecting critical files from malicious software attacks via a network of one or more computers, comprising:
a first web browser process capable of executing instructions using at least one electronic data processor and further capable of accessing a first memory space, wherein the first memory space contains at least one critical file; and at least one second protected web browser process capable of executing instructions using the at least one electronic data processor and further capable of accessing a second protected memory space; the first web browser process configured to:
accept data entry from a computer user;
execute instructions to access website content from the network of one or more computers;
initialize the at least one second protected web browser process; and
pass data to the at least one second protected web browser process;
the at least one second protected web browser process configured to:
execute instructions for the display of the website content downloaded from the network of one or more computers, wherein the instructions for the display of the website content potentially contain malware;
access data contained in the second protected memory space, wherein the instructions potentially containing malware are capable of accessing the second protected memory space but are denied access to the first memory space; and
generate data for display of website content downloaded from the network of one or more computers;
wherein the portable computer based system is configured such that the at least one critical file residing on the first memory space is protected from corruption by the instructions for the display of website content potentially containing malware downloaded from the network and executing as part of the at least one second protected web browser process; wherein the portable computer based system is configured such that the at least one second protected web browser process is initialized from clean system files.
54. The portable computer based system of claim 53 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
55. The portable computer based system of claim 54 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
56. The portable computer based system of claim 53 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
57. The portable computer based system of claim 53 wherein the instructions for the display of website content potentially containing malware comprise internet advertising.
58. The portable computer based system of claim 57 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content; multimedia content; and video content.
59. The portable computer of claim 57 wherein the internet advertising is downloaded from a search engine website.
60. The portable computer based system of claim 53 wherein the data for display of website content is rendered using a video processor.
61. The portable computer based system of claim 53 further comprising:
closing the at least one second protected web browser process; upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
62. The portable computer based system of claim 53 further comprising the first web browser process opening a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
63. The portable computer based system of claim 53 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
64. The portable computer based system of claim 53 wherein the at least one second protected web browser process is automatically reinitialized from clean system files following a malware infection.
65. The portable computer based system of claim 53 further comprising an intelligent cellular telephone with a built-in secure web browser.