JP2020508499A - Hacking resistant computer design - Google Patents

Abstract

A computer architecture for implementing a hack-resistant computing device is disclosed. The computing device, which may be a mainframe computer, a personal computer, a smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet and can only directly communicate with the second partition or with input / output devices directly connected to the first partition. it can. Further, the first partition partitions its memory addressing for program code and protects it hardware from modification. The second partition is hardware restricted from reading or writing to the first partition's memory addressing. As a result, important data files and program code stored on the first partition are protected from malicious code that can adversely affect the second partition.

Description

  A computer architecture for implementing a hack-resistant computing device is disclosed.

  A common way to break into a computer is by putting malicious computer-executable code (malware) into the computer through the Internet or other network connection. Such hacking has become a major threat, and serious cases of hacking have been widely reported. A popular approach to thwart such hacks relies on software to identify, neutralize, or remove malware. However, mint is becoming more and more sophisticated, and the general protection provided is not enough.

  Thus, there is a need in the art for a hack-resistant computer system architecture that utilizes a hardware approach. Such hardware approaches are available from various computers for various applications. For example, banks, businesses, government agencies, or individuals using hardware approaches as disclosed herein may take control of their computers and provide confidential data, personal information, Or fairly well protected from hackers who may try to steal or tamper with your password. The hardware approach disclosed herein protects hackers to an extent not possible with current solutions.

  A computer system architecture for implementing a hack-resistant computing device is disclosed. Computer system architecture indicates that malicious computer-executable code received from the Internet can access or adversely affect sensitive data files. Prevent by limiting to The computing device, which may be a mainframe computer, a personal computer, a smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. . The second partition can communicate over a network such as the Internet. In contrast, the first partition can communicate directly with the second partition or with input / output devices directly connected to the first partition. As a result, the first partition is hardware restricted from connecting to the Internet and any other device, such as a server connected to the Internet. All access to the Internet by the first partition is limited to the hardware connection between the first partition and the second partition, after which the second partition can connect to the Internet.

Further, the first partition includes hardware circuitry that utilizes the operating system to partition the memory address of the first partition into sections. Memory addressing for program code, including computer executable code and associated very important data, is partitioned and hardware protected from modification. This approach can also be achieved by using a separate memory unit in the first partition. To protect important data files, the second partition is hardware restricted from reading from or writing to the first partition's memory addressing. The data of the second partition is transferred to the first partition through a "pull" command executed by the operating system of the first partition. Further, the second partition cannot “push” data to the first partition or control the first partition to send a “pull” command. All data that is pulled from the second partition by the first partition is stored by hardware design in a memory section of the first partition dedicated to data files read from the second partition. Further, the first partition prevents data files read from the second partition from being executed due to hardware limitations. As a result, important programs and important data files stored on the first partition are protected from malicious code from the Internet or any other source that adversely affects the second partition.

  The detailed description refers to the accompanying figures.

An exemplary network diagram. 1 is a block diagram illustrating a computer system architecture for implementing a hack-resistant computing device, according to various embodiments presented herein. 1 is a block diagram illustrating a computer system architecture for implementing a hack-resistant computing device, according to various embodiments presented herein. FIG. 4 is a block diagram illustrating a computer system architecture in accordance with various embodiments presented herein. FIG. 4 illustrates memory addressing of a computing device according to a preferred embodiment. FIG. 4 illustrates memory addressing of a computing device according to a preferred embodiment. 5 is a flowchart illustrating a method according to a preferred embodiment. FIG. 2 is a block diagram illustrating an embodiment adapted for use with a computing device that utilizes an existing computer architecture. FIG. 2 is a block diagram illustrating a software embodiment adapted for use with a computing device that utilizes an existing computer architecture. FIG. 2 is a block diagram illustrating a software embodiment adapted for use with a computing device that utilizes an existing computer architecture. FIG. 2 is a block diagram illustrating an embodiment of implementing a virtual partition on a computing device.

  Other objects, features, and characteristics, as well as methods of operation and function of related elements of the combination of structures and portions, will become more apparent from a consideration of the following detailed description when taken in conjunction with the accompanying drawings. . All of the accompanying drawings form a part of the specification.

Detailed and illustrative embodiments are disclosed herein. However, the techniques, methods, processes, systems, and operating structures in accordance with the disclosed principles may be embodied in a wide variety of forms and manners, some of which are quite different from those in the disclosed embodiments. Good. As a result, the specific structural and functional details disclosed herein are merely representative, but nonetheless, in that respect they are deemed to provide the best embodiment for the purposes of disclosure. It is.

  Unless the context clearly requires otherwise, words such as "comprise" and "comprising" are used exclusively in the present description and in the claims. Or, it should be interpreted in an inclusive, rather than exhaustive, sense, ie, "including, but not limited to". As used herein, the term “connected”, “coupled”, or any variation thereof, is directly or indirectly between two or more elements. Means any connection or connection, whether electronic, electronic or non-electronic, and the connection of the connections between the elements can be physical, logical, or a combination thereof. In addition, the terms “herein”, “above”, “below”, and words of a similar meaning, as used herein, may be used herein to refer to Reference is made to this specification in its entirety, and not to any particular part of the book. Where the context permits, words in the Detailed Description that are used in the singular or plural number may each include the plural number or the singular number. The term "or" with respect to a list of two or more items refers to all of the following interpretations of the word: any of the items in the list, all of the items in the list, and Includes any combination of items. The following provides a detailed description with reference to the figures.

Referring initially to FIG. 1, an exemplary network diagram of a hack-resistant computing device is shown. Computing device 300 may be any large commercial or government computer or “mainframe”, a set of linked computers operating in tandem, without limitation, mobile phones, cellular phones, smart phones, laptops, A single personal computer (PC) or including a computer, netbook, personal digital assistant (PDA), household appliance, residential or commercial building controller, or any other computing device suitable for network communication A mobile communication device can be included. The computing device 300 includes a first partition 100 and a second partition 200. First partition 100 is directly interconnected with input / output devices, such as a keyboard, a data storage device, and a printer. In embodiments for large-scale use, the first partition may be connected by direct wiring to a smaller computer or PC located in a physical location under the control of the user of the computing device. . In this embodiment, the user can prevent a smaller computer or PC from making any form of Internet connection, including wire, cable, or Wi-Fi. The second partition 200 communicates with the terminal 600 on the network 500. As described in detail below with reference to FIG. 2A, the first partition 100 can communicate directly with the second partition 200 using a bus, but the first partition 100 Is restricted in terms of hardware from communicating with the network 500. In a preferred embodiment, the CPU of the first partition has direct access to the memory of the second partition and the CPU of the second partition, while the CPU of the second partition has the first partition. Access to the memory and the CPU of the first partition is restricted by hardware. For example, the CPU of the second partition is coupled to a bus interface. The interface is a physical port comprising physical wires for interconnecting the CPU of the first partition to the CPU and memory of the second partition. However, in some embodiments, the interface does not include a physical wire for the CPU of the second partition to access the memory of the first partition or the CPU of the first partition.

  Network 500 may be a local area network (LAN), a wide area network (WAN), the Internet, a cellular network, a satellite network, a combination thereof, or transfer of data to computing device 300, and / or It can be any other network that allows for receiving data from the computing device 300. Data transmitted to the computing device 300 over the network 500, or to the computing device 300 or terminal 600, may be transmitted and transmitted using standard telecommunications or networking protocols. And / or may be received. In a preferred embodiment, the system utilizes Transmission Control Protocol / Internet Protocol (TCP / IP) and network 500 is the Internet and / or an intranet. Other examples of protocols for transmitting and / or receiving data include, but are not limited to, Voice over Internet (VOIP) protocol, Short Message Service (SMS), Bluetooth wireless transmission, and mobile communications. Includes Global System (GSM). Network 500 may utilize one or more protocols of computing device 300 and terminal 600. Further, network 500 may convert to other protocols, or convert from other protocols to one or more protocols of terminal 600. In some situations, the second partition 200 is exposed to malicious computer-executable code that attempts to access or adversely affect critical data files stored on the computing device 300. . As will be described below with reference to FIGS. 2A and 3A, the preferred embodiment prevents such malware from accessing, or adversely affecting, critical data files and memory of the first partition 100. Prevent from exerting.

  Referring now to FIG. 2A, a computing device 300 that is hardware protected from infection of malicious computer-executable code from the Internet and from any other source that can communicate over network 500. A block diagram illustrating a computer system architecture for implementing is shown. Computing device 300 includes first partition 100. The first partition 100 includes a computer processing unit (CPU) 104 interconnected to a bus 102 of the first partition. The memory 106 of the first partition is interconnected to the CPU 104 through the bus 102 of the first partition. As described above with reference to FIG. 1, the first partition 100 is interconnected through an input / output module 110 to one or more input / output devices. In the preferred embodiment, partition 100 further comprises data stores 107,108. Important data files are stored on memory 106 and / or data store 107. The data store 108 is used by the first partition to store other data, including data from the second partition 200 processed by the first partition. First partition 100 contains an operating system for executing computer-executable code. As will be described in more detail below with reference to FIG. 3A, CPU 104 can execute only computer-executable code stored on a memory 106 on a program code address range. This is achieved through control by the operating system of the CPU 104 (which itself is protected from malware by this embodiment) and by hardware circuits. A fundamental weakness in current computer system architecture is that execution control is often passed to malicious computer-executable code that has reached the computer through the Internet. This embodiment restricts any execution of malicious computer executable code downloaded from the Internet to the second partition.

  Computing device 300 further comprises second partition 200. The second partition 200 includes a CPU 204 interconnected to a bus 202 of the second partition. At least one memory 206 is interconnected to the CPU 204 through the second partition bus 202. The communication module 210 enables the second partition 200 to communicate with the terminal through a network. The computer system architecture further includes at least one data store 208. Data store 208 is for storage of data files that are not considered important. Second partition 200 contains an operating system for executing computer-executable code. As described in detail below with reference to FIG. 3A, the CPU 204 can execute computer-executable code from the entire address range of the memory 206 and the data store 208.

  As shown in FIG. 2A, first partition 100 is directly interconnected to second partition 200 via bus 302. Bus 302 includes a plurality of physical wires, including control lines 304, address lines 306, and data lines 308. Data line 308 carries information transmitted between partitions over bus 302. The address line 306 includes an address of data and an address to send data. Finally, control line 304 manages the transfer of addresses and data, including, but not limited to, the direction of the transfer. Exemplary control lines include, but are not limited to, read, write, clock, acknowledge, and reset. In such an embodiment, the control lines from CPU 104 to bus 302 are unidirectional. Further, the control lines from CPU 204 to bus 302 are configured to exclusively receive data, thereby allowing CPU 104 to control CPU 204, but CPU 204 cannot control CPU 104. As shown in FIG. 2A, memory 106 and data stores 107, 108 are not directly connected to bus 302. Therefore, the CPU 204 cannot control the memory of the first partition 100. In contrast, the second partition's memory 206 and data store 208 are connected to the bus 302. In a preferred embodiment, the CPU 104 can write to the entire address range of the memory 206 and data store 208 of the second partition 200 using the control line 304, the address line 306, and the data line 308. One advantage of this design is that the first partition 100 can recover the operating system and data files of the second partition 200 that have been adversely affected by malicious computer executable code. In addition, the CPU 104 can read data from the entire address range of the memory 206 and from the data store 208, but can do so only by a "read" command (pull) by the CPU 104. Because the control line from CPU 104 to bus 302 is unidirectional, CPU 104 cannot accept any data or other files pushed to it by second partition 200 due to hardware limitations. In addition, since the CPU 204 is not connected to the control line of the CPU 104, the second partition 200 cannot pull any data from the first partition 100. In addition, the operating system and supporting programs of the first partition 100 define the format of data and other file characteristics that the CPU 104 accepts from the second partition 200. Any attempt by the second partition 200 to provide a file that does not take the appropriate expected format to the first partition 100 will be rejected by the CPU 104. As will be described in detail below with reference to FIG. 3A, all data files read from the second partition 200 by the CPU 104 are stored in the address range for the second partition in the memory 106 and / or the data store 108. Is written to. Because CPU 104 can only execute computer-executable code stored on the address range for program code in memory 106, first partition 100 will not be able to execute any malicious computer-executable code stored on second partition 200. Also protected from code.

  FIG. 2B shows an exemplary block diagram of hardware that utilizes memory controller 410 to limit access to memory and data stores of a first partition of a second partition. As shown, the CPU 404 of the first partition 400 can directly control the CPU 422, the memory 424, and the data store 426 of the second partition 418 via the bus 416. The first partition 400 includes a memory controller 410. The memory controller 410 manages the flow of data to and from the memory 406 and data stores 407, 408 of the first partition 400. In this embodiment, the memory controller 410 includes a front end 412 and a back end 414. Front end 412 is coupled to bus 402 and bus 416 of the first partition. The front end 412 is hardware configured to ignore read and write control lines having addresses originating from the second partition 418. The front end 412 includes a comparator that compares the generated address to an address stored in a read only memory (ROM) or an erasable programmable read only memory (EEPROM). The ROM or EEPROM contains the addresses of the devices that have restricted access to the memory 406 and data stores 407, 408 of the first partition 400. The front end 412 passes the unrestricted request to the back end 414. In this embodiment, backend 414 sends the request to memory 406 and data stores 407,408. Although the memory controller 410 is shown as a separate component, it may be integrated with a memory controller having a CPU 404.

  In yet another embodiment, the first partition utilizes a comparator to hardware limit the messages conveyed by the second partition. The first partition contains a read only memory (ROM) that contains the address of the CPU of the second partition. Preferably, the ROM is not reprogrammable. In this embodiment, the CPU in the second partition sends a message over the bus having a destination address, an address of the CPU, and a message frame including bytes of data to be sent as the message. An exemplary message is a push or pull request for information. The CPU of the first partition and the memory of the first partition include a comparator. The comparator compares the source address of the message sent over the bus with the ROM. The comparator sends a control signal when the source address matches the address in the ROM, so that the CPU and the memory in the first partition cannot execute the message frame. Therefore, the CPU of the first partition is hardware restricted from accepting push or pull commands from the CPU of the second partition.

FIG. 2C illustrates an exemplary block diagram of hardware that utilizes a bus controller to restrict a second partition from accessing a first partition. Unlike the embodiment shown in FIGS. 2A and 2B, which utilizes a universal bus to interconnect the first partition and the second partition, a bus controller 512 includes a second bus coupled to bus 510. Manages the flow of requests and data between components of one partition and components of a second partition coupled to bus 510. As shown, CPU 504 of first partition 502 is coupled to bus 510, while CPU 518, memory 520, and data store 522 of the second partition are coupled to bus 510. Bus controller 512 includes at least one message queue 514. Message queue 514 includes a plurality of messages from first partition 502 that are sent to second partition 516. In this embodiment, the bus controller 512 includes a look-up table stored in read-only memory having the identification address of the component residing on the first partition 502. Accordingly, the bus controller 512 can utilize a comparator to compare the addresses of the components sending the message over the bus 510 to determine the origin of the message. Only messages that have been authenticated to have originated from the first partition 502 are stored in the message queue 514. Bus controller 512 is configured to send the queued messages in message queue 514. As a result, the bus controller 512 prevents the components of the second partition 516 from adding messages to the message queue 514, so that the hardware circuitry of the bus controller 512 Restricts communicating with or accessing components of the first partition 502 (eg, CPU 504 and memory 506).

  The computer system architecture described in FIG. 2A may be applied to a variety of computing devices, including, without limitation, large mainframe computers, personal computers, pads, tablets, and smartphones. Further, the computer system architecture can be applied to new products or adapted to existing computer designs. Although the computer architecture described in FIG. 2A is disclosed as a set of chips, the technique is based on two separate computers if the computer system is designed according to the principles disclosed herein. -It may be applied to a system having a system. In embodiments having two separate computer systems, the first computer system (having a role similar to that of the first partition) stores important data files that are protected from malicious code; On the other hand, a second computer system (having a role similar to that of the second partition) communicates with the remote terminal. Further, the first computer system is directly connected to the second computer system.

Referring now to FIG. 3A, the memory addressing of a first partition and a second partition is shown. The memory addressing 700 of the first partition (in the memory 106 shown in FIG. 2A) includes at least one address block 702 for program code, at least one address block 704 for first partition data, And at least one second partition data address block 706. In a preferred embodiment, writing and reading data to and from each address block of the first partition's memory addressing 700 is such that the CPU of the first partition is physically limited to the available memory addressing space. Is limited by the design. For example, a CPU that supports 32-bit or 64-bit addressing may limit operating system access to execute computer-executable code to bits mapped to addresses for program code. As a result, malicious computer-executable code located on the first partition data address block 704 and the second partition data address block 706 may cause some such data files to contain: The flag may indicate that it is valid computer-executable code, but will not be executed by the operating system. Further, the CPU in the first partition writes any data read from the second partition only to the second partition data address block 706, which cannot be used for execution. This design prevents malicious computer-executable code in the second partition from being written into the program code address block 702 of the first partition's memory addressing 700. A further advantage of the hardware design is that the address ranges of write and read commands cannot be adversely affected by malicious computer-executable code because memory address ranges are adversely affected. This is because the CPU of the first partition needs to be physically changed. It will be apparent to those skilled in the art that three separate memories could be utilized to separate the addressing of the first partition.

  Yet another degree of hardware protection may be implemented for programs in the address block 702 for program code. This may include very important data files that are not updated frequently and are associated with the program in the address block 702 for program code. Access to update the contents of the program code address block 702 is limited to devices directly connected to the first partition 100. The combination of CPU 104, bus 102, and I / O module 110 may be switched by authorized personnel to allow the contents of program code address block 702 to be changed using optional hardware switches. Can be controlled to need to be turned on. As a result, any updates to the address block 702 for the program code will be accessed by authorized personnel at the directly connected device providing the updates and by authorized personnel to switch on. Requires both independent actions. For a very secure system, this design ensures that even authorized and directly connected users, programs or very important data stored in the program code address block 702 can be used. Provide a higher degree of protection to prevent inadvertent (inadvertent or intentional) attempts to change

  In contrast, the CPU in the second partition is limited to reading and writing to memory address 800 in the second partition. Exemplary hardware limitations include limiting the physical control wires of the second partition's CPU to the physical memory component comprising the second partition's memory address 800. As shown in FIG. 3A, data or program code may be read across the address range of the second partition memory address 800 using techniques known in the art, or Can be written. However, the CPU in the second partition is hardware restricted from accessing or changing the memory address of the first partition. As explained above, the CPU of the second partition may be hardware limited using a memory controller. The memory controller includes an address of the device that is restricted from accessing or modifying the memory of the first partition stored in the memory. For example, the device address of the CPU of the second partition may be stored. As a result, the memory controller may use comparators or other techniques known in the art to prevent the memory of the first partition from responding to requests from a restricted device address. it can. This design prevents the CPU in the second partition from writing to the first partition malicious computer executable code that has adversely affected the second partition coming from a remote terminal through the Internet. Further, the CPU of the first partition has direct access to the memory address 800 of the second partition, which is the activity on the bus that interconnects the first and second partitions. By improving the read and write performance of the CPU in the first partition by avoiding the delay caused by the first partition. The CPU in the first partition can read from memory address 800 and enter only into the second partition data address block 706 dedicated to data read from the second partition.

Referring to FIG. 3A, the address range may be assigned to a portion of one or more memory units, or may include the entire memory unit. Program code 702 includes computer-executable code and associated critical data. Access to program code 702 may be restricted using a memory controller. The memory controller can use the mapping of the restricted operation to the destination memory address to compare the source address with the requested operation (read, write, read, reset). As a result, the memory controller can invalidate a memory unit or a portion of a memory unit that maps to a program code address if limited operation is required. In embodiments where the program code address is mapped to a single memory unit, the write control line of the memory unit can be disabled by connecting that line to ground or a switch.

  Although FIG. 3A shows the memory addresses of the first partition, including three address ranges, more than one address range may be used. FIG. 3B shows a configuration in which the memory addressing 708 of the first partition includes two address blocks: an address range 710 for program code and an address block 712 for the first partition data. I have. In this configuration, the program code address block 710 is used to store code that may be executed by the CPU in the first partition. The first partition data address block 712 is used to store other data that is not intended for execution by the CPU of the first partition. The first partition data address block 712 is also used to store data read from the second partition onto the first partition.

  FIG. 4 shows a flow chart depicting a second partition method of obtaining a data file located on a first partition. First, in step 902, the CPU in the first partition periodically checks for current data requests with the CPU in the second partition. The data request may be a request to obtain an item of data, a request to update an item of data, or an action by a first partition, such as remittance of funds from one account to another, or in a building. For requesting a change in the temperature setting in. Next, in step 904, the program residing on the first partition verifies the validity of the data request. As described above, the programs residing on the first partition are hardware protected from infection by malicious computer-executable code from the Internet and any other networks. For a data request verified by a program residing on the first partition, the method proceeds to step 910. Otherwise, if the verification fails, the method proceeds to step 906. In step 906, the CPU of the first partition requests confirmation by an authorized individual directly connected to the first partition due to any suspicious activity detected in step 904. be able to. If the authorized individual directly connected to the first partition confirms the data request, the method proceeds to step 910. If not, the method proceeds to step 908. In step 908, the CPU in the first partition alerts the authorized individual that the data request has been denied and initiates another data request. Following verification and / or verification, at step 910, the CPU of the first partition accesses the data file and provides the applicable elements of the data to the second partition. Under this design, the second partition cannot gain direct access to any important data files on the first partition. As described above, the hardware of the computer system architecture disclosed in the preferred embodiment is such that commands for sending data files from the first partition cannot be controlled by the second partition. To be built. As a result, any malicious code located on the second partition cannot put the malicious code inside the executable code of the first partition, and therefore has access to any important data files. Or cannot adversely affect them.

In addition to protecting the first partition, the preferred embodiment provides that the first partition recovers data files of the second partition that have been adversely affected by malicious computer executable code. Can be made possible. Malicious computer-executable code can disrupt the second partition and its control over the screen and keyboard, thereby preventing a user from accessing a remote terminal through the second partition. In one embodiment, the first partition utilizes a keystroke sequence to prevent a user directly connected to the first partition from accessing a secondary partition affected by malicious computer executable code. Includes hardware features that allow the CPU of the first partition to be commanded to perform screen and keyboard control as well as program control. Authorized users directly connected to the first partition can start the protection software on the second partition through the first partition. The user may completely erase the memory and / or data files of the second partition to remove malicious computer-executable code, or change the second partition to a location free of such malicious code. The first partition may be instructed to recover to the state saved in the first partition. In this embodiment, the operating system and applications of the second partition are recorded by the first partition. As a result, the first partition can recover the operating system and applications of the second partition after removing malicious computer executable code. The second partition becomes operational after removal of the malicious code, thereby allowing access to a remote terminal for the computing device.

  In addition, the preferred embodiments make it practical to implement various types of protection software. As described above, the preferred embodiment employs various methods to prevent malicious computer executable code from accessing and adversely affecting program code or data files in the first partition. Utilize hardware methods. Such methods include, without limitation, preventing direct access of a first partition to a remote terminal through the Internet, and limiting memory addressing of the first partition. While this design limits requests for data files in the first partition from the second partition, other aspects of the computing device are similar to ordinary computer systems known in the art. Works. For example, when a CPU in a first partition reads data from a second partition, the CPU in the first partition often receives requests for individual items of data to be sent back to the second partition. . This requested information can then be transferred over the network to the remote terminal by the second partition. The preferred embodiment allows a protection program to be executed by the CPU in the first partition to check whether such data requests are suspicious, individually or as a unit over a period of time. I do. An exemplary suspicious data request is one in which a program on a second partition requests an important data file mapped to financial information by software on a first partition. As a result, the CPU of the first partition may take appropriate verification measures, including a request for the involvement of an authorized individual directly connected to the first partition, if suspicious activity is detected. You can start. In a further example, the hardware protected program code of the first partition may send only specific items of data to the second partition instead of the entire file or a full set of important data files. Be programmed. The example program may also refuse to send sensitive data, such as passwords and credit card security codes, to the second partition. In known systems, such computer programs are not realistic because malicious computer-executable code has direct access to important data files and can modify protected programs.

  The principles disclosed herein may be incorporated into the architecture of a mobile device by creating a hardware “sandbox” for the application. Similar to the software "sandbox" currently used on some cellphone operating systems, this provides access to some functions and data while limiting access to other critical memory. Grant access to the application. Unlike those existing methods, this embodiment provides a hardware restriction on the access of malicious computer executable code. Since all auxiliary programs are loaded into the secondary partition, important data and the operating system itself can be protected from modification by any application.

  In addition, the principles disclosed herein may be used to protect a networked device whose primary interface is for functions other than computing. Home appliances such as refrigerators and air conditioners are increasingly being designed to connect to the Internet. Such devices also use the preferred embodiment computer system architecture to shield the function of the primary partition from malicious computer executable code received over the Internet or over a network. Can be designed. Other "smart home" and "smart building" devices, as well as computer-enabled consoles in vehicles, may make use of corresponding computer system architectures.

  Although the preferred embodiment has been described with reference to an integrated new computer system architecture, the principles disclosed herein are not limited to hardware and software that utilize key features of the preferred embodiment. It can be adapted to computing devices that utilize existing architectures, in conjunction with combinations. Such embodiments may be beneficial for users who have invested heavily in existing computers and want to keep using them, but want improved protection against hacking. In one embodiment, the first partition of the integrated system can be connected to an existing computer that can hold most of the important files and programs. As a result, the computer is isolated from the Internet and other external sources, as described above for the first partition of the integrated system. The first partition can communicate with and read from and write to the computer through the bus or I / O module, and the computer is protected from malware by the hardware and operating system.

Another alternative embodiment comprising a first computer 1300 and a second computer 1400 is shown in FIG. First computer 1300 and second computer 1400 utilize computer architectures known in the art, for example, x86, ARM, and PowerPC. As such, first computer 1300 and second computer 1400 include an operating system for executing computer-executable code. As explained above, the disadvantages of these known architectures are that the processors of the first computer 1300 and the second computer 1400 can access and adversely affect important data files on the Internet. To allow the execution of malicious computer-executable code received from Microsoft. Moreover, such malicious computer-executable code can outwit known software solutions. In this embodiment, the second computer 1400 can connect to the Internet. As a result, the second computer 1400 is susceptible to malicious computer executable code from the Internet. However, first computer 1300 is not connected to the Internet, but is interconnected to second computer 1400 through computing device 1000. First
Computer 1300 can achieve some protection through the use of operating system techniques, as described in detail below with reference to FIG. 6A. However, such protection is limited and susceptible to security breaches by sophisticated hackers. Utilizing the computing device 1000 to protect the first computer 1300 from any malicious computer-executable code that adversely affects the second computer 1400 using the hardware design and techniques of the preferred embodiment. This gives you a much higher level of protection. Computing device 1000 embodies many of the fully integrated system architectures described above, in which first computer 1300 transmits data and requests received by the second computer 1400 from the Internet. It can be handled in a manner that withstands hacking attempts on the first computer 1300.

  As shown in FIG. 5, the computing device 1000 includes a first partition 1100 and a second partition 1200. The second partition 1200 comprises a CPU 1204, a memory 1206, a data store 1208, and an I / O module 1212, which are interconnected by a bus 1202. CPU 1204 executes an operating system located on data store 1208 and / or memory 1206 to communicate with second computer 1400 through I / O module 1212. I / O module 1212 may be a USB port, eSATA, WiFi, or any other known communication interface for connecting computing device 1000 to second computer 1400. In this embodiment, the software is running on a second computer 1400, which allows the CPU 1204 to receive data from the second computer 1400. Data files read from second computer 1400 by CPU 1204 are stored on memory 1206 and / or data store 1208. The CPU 1204 is limited in hardware from directly communicating with the first computer 1300. In one embodiment, the bus 1002 uses the bus controller technique described above with reference to FIG. 3C to allow the second computer 1400 to access the CPU and memory of the first computer 1300. Can be restricted. The second partition 1200 further includes a communication module 1210. Communication module 1210 enables second partition 1200 to communicate over a network such as the Internet. As a result, communication module 1210 may be utilized by first computer 1300 to access data from the Internet, instead of utilizing second computer 1400 to access data from the Internet.

  Computer 1300 and computing device 1000 are directly interconnected with input / output devices such as a keyboard, data storage device, and printer. In an embodiment for large-scale use, the computer 1300 and the computing device 1000 are connected by direct wiring to a smaller computer or PC located at a physical location under the control of the user of the computing device. Can be connected to In this embodiment, the user can prevent a smaller computer or PC from making any form of Internet connection, including wire, cable, or Wi-Fi. Computing device 1000 is hardware restricted from communicating with remote terminals over a network. Computer 1300 is preferably restricted from communicating with remote terminals over a network by other means, such as by disabling remote connections in the operating system of computer 1300.

The first computer 1300 is directly connected to the I / O module 1110 of the first partition 1100. The I / O module 1110 is a USB port, eSATA
, Or any known communication interface for connecting the computing device 1000 to the first computer 1300. First partition 1100 further comprises a CPU 1104, a memory 1106, and at least one data store 1108, which are interconnected by a bus 1102. As described in detail above with reference to FIG. 3A, CPU 1104 can execute only the address ranges for program codes in memory 1106 and computer-executable code stored on data store 1108. . This is achieved through the control of the operating system of the CPU 1104 (which is itself protected from malware by this embodiment) and by hardware circuits.

  In this embodiment, the software is running on a first computer 1300, which allows the CPU 1104 to send data and receive data from the first computer 1300. The software allows the user of the first computer 1300 to allocate an area of memory for the first computer 1300 to important programs, important data files, and data and requests received from the computing device 1000. Enables segmentation. In addition, the software prevents the CPU of the first computer 1300 from passing execution control over the memory segment containing the file received from the computing device 1000. One example of computer security for separating memory segments from execution control is the use of a sandbox security mechanism. First partition 1100 is interconnected directly to second partition 1200 via bus 1002. The CPU 1104 can write to the entire address range of the memory 1206 and the data store 1208 of the second partition 1200. In addition, the CPU 1104 can read data from the entire address range of the memory 1206 and from the data store 1208, but can do so only by a “read” command (pull) by the CPU 1104. CPU 1104 cannot accept any data or other files pushed into it by second partition 1200 due to hardware limitations. In this embodiment, software running on first computer 1300 directly connected to first partition 1100 may request CPU 1104 to pull any data from second partition 1200. Can be. Since the CPU 1104 can only execute the computer code executable address range stored on the data store 1108 and the program code address range in the memory 1106, the first partition 1100 of the computing device 1000 Or, it is protected from any malicious computer-executable code stored on the memory 1206.

In this embodiment, the first partition 1100 utilizes the write module 1112 to store memory selected by software running on the first computer 1300 for data files received from the computing device 1000. Write data to the segment. The writing module 1112 includes hardware circuitry for mapping segments of the memory of the first computer 1300 that have been partitioned as data files received from the computing device 1000. Exemplary hardware circuits include a field programmable gate array (FPGA) that can be programmed under the control of authorized staff directly connected to the computing device 1000. In this embodiment, the computing device 1000 includes an enable update switch 1004. Enable update switch 1004 includes an on position and an off position. The on position of the enable update switch 1004 enables programming of the hardware circuitry of the write module 1112 for segments of memory for data files received from the computing device 1000. In addition, the on position of the enable update switch 1004 prevents the computing device 1000 from sending data to the first computer 1300. In contrast, the off position of the enable update switch 1004 allows the computing device 1000 to send data to software running on the first computer 1300. The off position of the enable update switch 1004 prevents unauthorized changes to the hardware circuitry of the write module 1112. Computing device 1000 and computer 1300 may also utilize the additional protection switches and software described above.

  In some embodiments, in addition to the functions described above with reference to FIG. 5, to initiate additional security features to protect the first partition from data in the second partition during an update. , A switch is used. When the switch is activated, the first partition does not access data on the second partition during the update process, and the first partition sends data to the second partition, or The connection between the two partitions may still be invalidated so that data cannot be read from the second partition. During normal operation, in a normal operating state, the first partition uses a logic gate or transistor-based switch set to allow commands for flow from the first partition to the second partition. However, the second partition can be accessed through a direct connection implemented using hardware circuits or through a bus. However, during the update mode, its access is disabled by selecting a switch or bus (such as a tri-state gate or any type of switchable bus) and moving it to the "off" position. , Thus providing additional protection to the first partition during the update process. An "AND" gate may be triggered by a switch position that permits communication (reads "TRUE") if its logical condition is met. In addition, to allow the CPU of the first partition to control any connected devices, such as monitors, keyboards, input devices, printers, and other peripherals, the first partition Externally connected external devices may be utilized. This may be implemented through the form of a “KVM” switch, which may be particularly beneficial if two partitions share the use of peripheral devices, for example, where a malware problem exists in the second partition If so, the user can turn on the enabling device so that the first partition can avoid malware and take control of the monitor and keyboard so that actions can be performed independently on the first partition To

  For many uses, the switches described above with reference to FIG. 5 are important for the update system, so that the program code memory cannot be written to unless the switch is on. The memory uses digital circuits such as logic gates to make the memory read-only. However, although there may be some uses where updates are not expected, the memory address range for the program code should be protected from modification by hardware. Alternative embodiments may be utilized, in which the switch may be omitted. The memory area for the program code can be loaded during the manufacturing process and then permanently restricted from modification using hardware circuits. This can be achieved through various techniques known in the art, such as logic gates in hardware circuits. Thus, the basic embodiment hardware protects the memory address range for program code without reference to the switch, and the ability to add a switch can be a potential additional function.

A separate unit may be used to facilitate convenience and security in updating the operating system and / or key applications for the first partition. This unit can be physically separate, or it can be integrated into the overall enclosure for the system, with different and separate hardware circuits, and connected to the first partition. The unit can be connected to the Internet through an Ethernet cable, Wi-Fi, or similar means for the specific purpose of downloading new important applications or updating existing applications. The unit may have fixed hardware or firmware that allows it to connect only one or more predefined services for this purpose through the Internet. Such preset addresses may include, for example, official update addresses of major computer and software suppliers. In contrast to a regular computer, which allows an Internet address to be typed in or set by software, this device has any other configuration than its hardware or firmware. Connection requests cannot be sent to Internet addresses. This limits access by the device to only pre-approved addresses.

  In normal operation, the first partition is not allowed to accept any data in this manner. At the time of the update, the user turns on the switch described above with reference to FIG. 5 and connects the unit to the Internet, which for this purpose only sends directly to the predetermined Internet address only Connect and download applicable updates.

  If the unit is stand-alone, it can write update data to non-volatile memory, such as a flash drive. The switch described with reference to FIG. 5 allows the first partition to accept such updated data through a USB drive or similar facility connected to the first partition. In that case, a flash drive or similar device can be inserted into the USB drive, the update can be completed, and the user can remove the device, switch it off, and begin normal operation.

  If the unit is incorporated into the overall system housing, the switch described in FIG. 5 allows its use when the switch is turned on. The update can be completed and the user can switch off and undertake normal operation.

  The principles disclosed herein are based on protecting a security key that is installed on any computing device at the time of manufacture or when such a device is ready for shipment by a supplier. May be used to allow secure updates from remote locations. Although most modern cryptographic systems use mathematical algorithms that remain practically secure (the AES-256 standard generally requires millions of years with standard processing power to break). Done), but in theory could still be broken, and the cryptographic society claims that some can break keys up to 2048 bits long. A security key consisting of random numbers provides a higher standard for completely secure messages between any two parties that own the key. A party who wants to communicate more than once can have multiple versions of a disposable key, as spies in World War II, and the computing device may have many versions in memory. Can be held. However, without the hardware protection disclosed herein, any file of such a key is itself vulnerable to tampering. By placing such files in the protected memory of the first partition, distant parties can communicate securely and repeatedly.

FIG. 6A illustrates an embodiment adapted to a computing device that utilizes an existing architecture with a software solution. Software solutions may be susceptible to malicious executable computer code, which limits access to critical data files, restricts program execution access to the first computer , And providing no program control to any input from the second computer, may provide some of the benefits of the hardware solution described above. In this embodiment, the first computer 1500 is connected to the second computer 1600 using a known communication interface, for example, USB, eSATA, WiFi, or Ethernet. First computer 1500 and second computer 1600 utilize computer architectures known in the art, for example, x86, ARM, and PowerPC. As such, first computer 1500 and second computer 1600 include an operating system for executing computer-executable code. The important files and systems reside on the first computer 1500, while the second computer 1600 is used to connect to the Internet. This design allows the software of the first computer 1500 to interact with the second computer 1600 in a manner that reduces the risk of hacking of the first computer 1500. Malware that may be received from the Internet by the second computer 1600 is prevented from reaching the point of executable code on the first computer 1500 by software running on the first computer 1500.

  The first computer 1500 includes a virtual partition 1510 operating on the first computer 1500. Although virtual partition 1510 may utilize some of the computing resources (ie, CPU and storage) of first computer 1500, virtual partition 1510 may be implemented using techniques known in the art, such as software The use of a “sandbox” is isolated from accessing the operating system of the first computer 1500. As a result, the virtual partition 1510 may be affected by the operating system of the first computer 1500 if the virtual partition 1510 is adversely affected by malicious computer executable code received from the virtual partition 1606 of the second computer 1600. Restricts adverse effects. Further, virtual partition 1510 is restricted to access only data from input devices directly connected to first computer 1500 and virtual partition 1606 of second computer 1600. As a result, the virtual partition 1510 is restricted from accessing the computing resources of the first computer 1500, which can connect to remote terminals on the network.

In this embodiment, the operating system of the first computer 1500 allocates a portion of the memory of the first computer 1500 to the virtual partition 1510. The operating system 1502 of the virtual partition 1510 is programmed to execute only the program code located in the program code address block 1504 of the virtual partition 1510. All data received from the virtual partition 1606 of the second computer 1600 is stored in the second partition data address block 1508. Finally, important data files of the virtual partition 1510 are stored in the first partition data address block 1506. In this design, important data files of the first computer 1500 are protected from access by malware that may be located within the second computer 1600. Virtual partition 1510 operates on first computer 1500 to access data files stored on first computer 1500 using the method described in detail above with reference to FIG.・ It can be requested from the system. The operating system of the first computer 1500 can access the entire address range of the memory allocated to the virtual partition 1510. However, any data read from the second computer 1600 is stored in the second partition data address block 1508 of the first computer 1500, and the operating system of the first computer 1500 Is restricted from executing data files stored on the partition data address block 1508 of the first computer 1500 so that any malicious executable code transferred from the second computer 1600 is Do not execute.

  The second computer 1600 includes a virtual partition 1606 generated by resident software running on the second computer 1600. In this embodiment, the second computer 1600 is connected to a remote terminal via a network. Virtual partition 1606 may utilize some of the computing resources (ie, CPU and storage) of second computer 1600. The operating system of the second computer 1600 allocates a portion of the memory of the second computer 1600 to the virtual partition 1606. Further, the operating system of the second computer 1600 allows the virtual partition 1606 to access resources for communicating with a remote terminal over a network. Virtual partition 1606 comprises an operating system 1602, which accesses the entire address range of program code / data address block 1604 assigned to virtual partition 1606 by the operating system of second computer 1600; Can be performed. The operating system 1502 of the virtual partition 1510 is programmed to read data from the entire address range of the program code / data address block 1604 using a pull command. However, operating system 1502 cannot accept any data or other files pushed to it by virtual partition 1606 of second computer 1600 due to software restrictions. Software in the second computer 1600 formats data read by the first computer 1500 in a format required by the operating system 1502. The second computer 1600 can be hacked by an internet hacker. If the malware alters the format of the data provided to the first computer 1500, the operating system 1502 will not accept the improperly formatted data. In addition, the software can utilize the method described in detail above with reference to FIG. 4 for a first computer to obtain data from a second computer.

  While FIG. 6A shows a first computer including three address blocks, more than one address block may be used. FIG. 6B shows a configuration in which the first computer 1520 includes two address blocks, an address block 1524 for program code and an address block 1526 for first partition data. In this configuration, the program code address block 1524 is used to store code that may be executed by the operating system 1522. First partition data address block 1526 is used to store other data not intended for execution by operating system 1522. The first partition data address block 1526 is also used to store data that is read from the second computer 1620 onto the first computer 1520.

Although the embodiments disclosed in FIGS. 6A and 6B utilize virtual partitions to protect the first computer's programs and data from malicious computer-executable code, the disclosed techniques (ie, important Software that restricts access to secure data files, restricts program execution access to the first computer, and does not provide program control to any input from the second computer). Instead, it may be applied directly to the operating systems of the first and second computers. In either case, such an embodiment can reduce the risk of hacking, but is provided by a fully integrated system in the preferred embodiment, which can utilize hardware as well as software protection. Cannot provide a higher degree of protection.

  The computer system architecture described above with reference to FIG. 2A may also utilize a virtual environment on each of the first and second partitions. These partitions can be used to divide the activities of various operating systems and programs. Unlike the software solution described above with reference to FIG. 6A, the virtual environment implemented on the first partition, as described above with reference to FIG. Hardware protected.

  In another embodiment, a computing device that utilizes an existing architecture may utilize a virtual partition instead of two physically separate partitions without departing from the spirit of the broad inventive disclosure. Can be. Such embodiments utilizing virtual partitions include preventing Internet hacking, restricting access to critical data files, restricting program execution access, and restricting program control, Some of the benefits of the hardware solution described above can be provided.

  Such embodiments may utilize computer architectures known in the art with virtual machine capabilities, such as x86, ARM, and PowerPC, and virtual partitioning and processing within a virtual partition system. A "hypervisor" (or modified "kernel" or "container" system) for managing the main aspects of There are two main virtual partitions, a first virtual partition and a second virtual partition, which are physically separate first partitions, described in detail above, and second virtual partitions. Corresponding to the partition. The virtual partition is configured by the administrator before normal operation using a virtual partitioning configuration process that works with a hypervisor or the like. Each virtual partition is assigned access to the computer's hardware resources, including memory, network connectivity, input / output connectivity, CPU, and various other features, depending on the capabilities of the computer. In addition, the hypervisor can reassign virtual partitions or change dynamically.

  The first virtual partition (FVP) comprises a CPU and at least one operating system for executing computer-executable code, and may have a subpartition of a virtual partition belonging to the FVP. For ease of reference, FVPs and their subpartitions are referred to as FVP "families" of virtual partitions.

  At least one second primary virtual partition (SVP) comprises a CPU and at least one operating system for executing computer-executable code and may have at least one sub-partition. For ease of reference, SVPs and their subpartitions are referred to as SVP "families" of virtual partitions.

The FVP and SVP families both include memory and I / O modules,
It may have additional functionality common to computers. Important files and systems reside within the FVP family, while the SVP family can communicate over a network such as the Internet. In contrast, the FVP family can only communicate directly with the SVP family, or with I / O devices directly connected to the FVP family. Virtual partitioning is configured such that the FVP family is not connected to the Internet or any other device such as an Internet-connected server. To protect critical data files, the entire SVP family is configured such that reading from or writing to any memory in the FVP family is prohibited.

  This design allows the FVP family to interact with the SVP family in a way that reduces the risk of Internet hacking of the FVP family. Malware that may be received from the Internet by any part of the SVP family is prevented from running on the FVP family. In addition, important files of the FVP family are prevented from being altered or read by malware that may be present on or written to the SVP family.

  The FVP family is configured such that its memory address is partitioned into at least two sections, one for computer-executable code and one for very important data. Other configurations include at least three memory ranges or partitions, one for computer executable code and very important data, one for data read from the SVP family, and other FVP family data. For at least one.

  FIG. 7 is a simplified block diagram illustrating an exemplary embodiment of implementing a virtual partition on a computing device. The computing device 1900 includes a CPU 1902, a memory 1904, a network adapter 1906, and an input / output 1908 and utilizes an existing computer architecture. In addition, the computing device 1900 has the ability to create virtual partitions using operating system level virtualization or hardware virtualization utilizing Intel VT-x or AMD-V. The hypervisor 1910 is used to create, configure, and manage multiple virtual partitions. As shown, the hypervisor 1910 manages communication with the CPU 1902, memory 1904, network adapter 1906, and input / output 1908 of the virtual partition. Hypervisor 1910 may be an application running within a host operating system. In this embodiment, hypervisor 1910 runs directly on computing device 1900 (a "type-1" hypervisor). Hypervisor 1910 may be one of the commercially available virtual solutions. Operating system level virtualization may be used to isolate virtual partitions and manage computing device resources without departing from the principles disclosed herein.

As shown in FIG. 7, the hypervisor 1910 has created and configured an FVP 1700 that includes a family of subpartitions, and the hypervisor 1910 has configured an SVP 1800 that also includes a family of subpartitions. Further, the hypervisor 1910 manages communication between the FVP 1700 and the SVP 1800. In this embodiment, the hypervisor 1910 has assigned access to the network adapter 1906 to the SVP 1800 and has restricted the FVP 1700 from accessing the network adapter 1906. As a result, the FVP 1700 is protected from malicious computer executable code infection from the Internet and any other source that can communicate through the network adapter 1906. The FVP 1700 family includes an FVP 1701, an FVP 1702, and an FVP 1703. FVP 1701 contains executable code and very important data, FVP 1702 contains data read from SVP 1800, and FVP 1703 contains other FVP data. The operating system of FVP 1700 is configured to execute only the program code located at the program code address in FVP 1701. The SVP 1801 includes data used by the SVP 1800. All data read by SVP 1801 through FVP 1700 is stored in sub-partition FVP 1702. In this embodiment, the hypervisor 1910 restricts access to the CPU 1902 of the computing device 1900 of the SVP 1801.

  The main data files of the FVP 1700 may be stored in the FVP 1701. The hypervisor 1910 configures the FVP 1700 to access the entire address range of the memory 1904 allocated to the FVP 1700 and the SVP 1800. Further, the hypervisor 1910 is configured to send a request by the FVP 1700 to send data from the SVP 1800 to the memory allocated to the FVP 1702. Because the operating system of the FVP 1700 is restricted to executing program code located at program code addresses within the FVP 1701, the FVP 1700 will not be able to execute any malicious executable code transferred from the SVP 1800. Protected.

  In this embodiment, the hypervisor 1910 configures the virtual partition such that the CPU resources allocated to the FVP 1700 can read from or write to only any memory or CPU allocated to the FVP 1700 family. I have. Software within the SVP 1800 family formats the data read by the FVP 1700 family into a specific format and length depending on the data. As described above, hypervisor 1910 has assigned access to network adapter 1906 to SVP 1800. Thus, the SVP 1800 can be invaded by Internet hackers. Hypervisor 1910 contains a list of data formats accepted by FVP 1700. Before transferring the data requested by FVP 1700 from SVP 1800, hypervisor 1910 checks the data with a list of acceptable data formats. If malware that adversely affects the SVP 1800 modifies the format or length of the data provided to the FVP 1700, the hypervisor 1910 may refuse to transfer improperly formatted data to the FVP 1700. In another embodiment, the FVP 1700 may check the format of the data and refuse to accept improperly formatted data.

  To increase security, the hypervisor may configure virtual partitions to isolate the FVP and its subpartition family from other virtual partitions. Therefore, virtual partitions outside of the FVP family are restricted from accessing the CPU, memory, and any files assigned to the FVP family. Further, the hypervisor may limit access at any time, including during the initial creation and configuration of the FVP family, or during the process of dynamically allocating virtual partition resources and sizes. Because many systems use dynamic adjustments to virtual partitions, and because partitioning configurations can create shared areas of memory, the basic relationship between the FVP family and any other partitions outside the FVP family can be reduced. Care must be taken to ensure that dynamic isolation is not violated by dynamic adjustments to virtual partitions.

During normal operation, the hypervisor configures the memory allocated for executable code on FVP 1701 as read-only. In the case of an update mode in which important programs are installed or updated on the FVP 1701, the hypervisor can temporarily suspend the operation of the FVP family. Thereafter, the hypervisor reconfigures the FVP 1701 to permit writing in order to install or update an important program on the FVP 1701. After the critical program update is complete, the hypervisor reconfigures the FVP 1701 as read-only, allowing the FVP 1700 to resume normal operation. Alternatively, a hardware change in the form of a switch that controls whether the FVP 1701 can be written can be introduced into the system to enable the update mode. This switch can also turn on or off the ability of the FVP family to access the SVP family. In addition, the switch or a separate switch can limit the ability of the virtual configuration to be modified with respect to the FVP family. Such switches may utilize logic gates, firmware, field programmable gate arrays, or other similar existing technologies, similar to the switches described above with reference to FIG.

  Any virtual server configured within an SVP partition may be further protected using hardware embodiments according to the principles disclosed herein as gatekeepers for inputs and outputs. Separate units connect to virtual servers between the router and the server bank. One such unit may be located in any set of servers used in a virtual partition, even if separated by significant geographic distance.

  All traffic must pass through the unit just as all information to or from other computers or units must flow through routers, such as on the Internet. Flow through. During the initial setup of the virtual partition, the unit is also configured to direct traffic to FVP and SVP. For example, information cannot be written to the FVP from the remote computer because the unit does not allow it, and all incoming data and code can go only to the SVP partition.

  Similarly, if the SVP wishes to share information with the FVP, it cannot initiate a transfer and no such request will be granted by the unit. Data from the SVP can only go to the SVP 1801, which can be accessed with the FVP 1700 starting. Data in FVP 1703 cannot be pushed to SVP 1800.

  Thus, the unit performs the functions of a type-1 hypervisor, with its supervision function prior to the installation of the operating system, applying an embodiment of hardware protection and its additional security. Its architecture allows direct access for some paths (network to SVP 1800), read-only connections for other paths (FVP 1702 to SVP 1800), and access for others (FVP 1703 to SVP 1800). Do not allow at all. The device is configured to know which address range corresponds to which partition when setting up the virtual partition. The unit may be protected from unauthorized reconfiguration by the use of read / write switches, similar to the switches described above with reference to FIG. Such switches can be manual or electrical, such as using transistors. By limiting the use of the switch to on-site activation, the configuration of the unit cannot be modified from a remote location.

The system may include two or more first partitions combined with one second partition, or two or more second partitions combined with one first partition, or two or more second partitions. It can also be configured with two or more first partitions to be combined. Each of the first partitions has the basic characteristics of a single first partition embodiment, including memory structures, including protected executable code and very important data, Partition is hardware limited from access by any of the second partitions using hardware circuits such as logic gates. This allows, for example, running multiple clients on a single system, and each client's critical files are kept on a separate protected first partition. It also allows the system to communicate through more than one second partition, which may be particularly useful if one second partition has been adversely affected by malware.

  The principles disclosed herein have been described primarily with reference to preferred embodiments, which have been described in considerable detail, with the aim of providing a complete disclosure of the invention. The embodiments described are merely illustrative and are not intended to be limiting or represent an exhaustive listing of all aspects of the principles disclosed herein. Further, it will be apparent to one skilled in the art that numerous changes may be made in such details without departing from the spirit and principles disclosed herein. It is to be understood that these principles may be embodied in other forms without departing from their essential characteristics.

Claims (35)

The first partition,
A first CPU;
A first memory module,
At least one memory address range for program code, said program code comprising computer-executable code, wherein said at least one memory address range for program code is protected from modification by hardware circuitry; At least one memory address range for program code, configured to be protected;
A first memory module comprising: at least one memory address range for other data, including data read from the second partition;
The first CPU is configured in hardware to execute only the computer-executable code within the memory address range for program code;
A first partition;
The second partition,
A second CPU;
A second memory module;
A second partition comprising: at least one communication module configured to couple to the network; and a second partition comprising:
The first CPU can access the second CPU and the second memory module;
The second CPU is restricted from accessing the first CPU or the first memory module;
Computer system. The memory addressing structure is
A first memory unit for said at least one memory address range for program code;
The computer system of claim 1, further comprising: a second memory unit for the at least one memory address range for other data. 2. The computer system of claim 1, wherein said hardware circuit mapping said memory addressing structure for program code comprises at least one field programmable gate array. The at least one memory address range for other data is:
At least one memory address range for data read from said second partition;
At least one memory address range for other first partition data. The memory addressing structure comprises:
A first memory unit for said at least one memory address range for program code;
A second memory unit for data read from said second partition;
The computer system of claim 1, further comprising a third memory unit for other first partition data. At least one external physical switch that can be turned on or off, wherein the first CPU is stored in the at least one address range for program code only when the external physical switch is on. The computer system according to claim 1, wherein the data can be changed. Comprising at least one external physical switch that can be turned on or off;
Only when the external physical switch is on, the first CPU can change data stored in the at least one address range for program code;
While the at least one external physical switch is on, the ability of the first CPU to access the second CPU and the second memory module is disabled;
The computer system according to claim 1. A hardware function utilizing an external device directly connected to the first partition, wherein a user controls one or more input / output devices of the second partition. The computer system of claim 1, wherein the computer system is configured to enable the CPU of the CPU to be instructed. The computer system of claim 1, wherein the at least one address range for program code comprises an operating system. The computer system of claim 1, comprising at least one data store. The computer system of claim 1, wherein a plurality of input / output devices are coupled to at least one I / O module. The computer system according to claim 1, further comprising a chip including the first partition and the second partition. 2. The computer system according to claim 1, further comprising: a first chip including the first partition; and a second chip including the second partition. The ability of the first CPU to access the second memory module and the second CPU is implemented by a hardware circuit;
The first CPU can only read from the second partition within the at least one memory address range for other data;
Restrictions on the second CPU for access to the first CPU or the first memory module are enforced by a hardware circuit;
The computer system according to claim 1. Further equipped with a bus,
Said first partition is interconnected to said second partition through said bus;
The first partition executes a pull command over the bus to read data from the second partition and to apply the data to the data read from the second partition. Configured to write only to a memory address range,
The first partition is configured to execute a push command over the bus to write data to the second partition;
The computer system according to claim 1. Hardware unit,
The unit is connected to only one or more predetermined services through the Internet to download new critical applications or to update existing critical applications;
The unit is configured to connect to the first partition or to write update data to a non-volatile memory;
The first partition is configured to accept data from the unit or the non-volatile memory only when a hardware switch is on,
The computer system according to claim 1. Comprising a hardware unit incorporated in the system,
Said unit comprising fixed hardware or firmware configured to connect only to one or more predetermined services through the Internet;
The first partition is configured to accept data from the unit only when a hardware switch is on,
The computer system according to claim 1. Connected to a device that can communicate over a network such as the Internet or through local wireless communication, including, but not limited to, Bluetooth and RFID transmission, wherein the device or the computer system is provided to the manufacturer prior to distribution. 2. The computer system of claim 1, wherein the computer system is provided with one or more security keys in a protected memory. Configured to include two or more first partitions, or two or more second partitions, or two or more first and second partitions;
The CPU of each second partition is hardware restricted from accessing the CPU or memory module of each first partition;
The computer system according to claim 1. The first partition comprises one or more virtual sub-partitions;
The second partition comprises one or more virtual sub-partitions;
The computer system according to claim 1. A first virtual partition family,
At least one partition;
At least one CPU;
At least one memory module,
At least one address range for program code, said program code comprising computer-executable code, wherein said at least one address range for program code is configured as read-only under normal operating conditions At least one address range for the program code,
And at least one memory module comprising at least one memory address range for other data, including data read from the second partition;
The at least one CPU of the first virtual partition family is configured to execute only the computer-executable code stored in the at least one address range for program code;
A first virtual partition family;
A second virtual partition family,
At least one partition;
At least one CPU;
At least one memory module;
A second virtual partition family comprising: at least one communication module capable of coupling to a network; and
The at least one CPU of the first virtual partition family is configured to be able to access the at least one CPU and the at least one memory module of the second virtual partition family;
The at least one CPU of the second virtual partition family accesses the at least one CPU of the first virtual partition family or the at least one memory module of the first virtual partition family. Configured to be unable to
Computer system. A hardware function that can utilize and turn on or off at least one device connected to the computer, wherein the at least one of the first virtual partition family is provided unless the hardware device is on. 22. The computer system of claim 21, wherein one CPU cannot change data in the first virtual partition family address range for program code. Comprising at least one device connected to the computer, comprising hardware functions including an on position and an off position;
The at least one CPU of the first virtual partition family changes data in the first virtual partition family address range for program code unless the hardware device is in the on position. Can not do,
The ability of the at least one CPU of the first virtual partition family to access the second virtual partition family is disabled while the at least one hardware device is in the on position;
A computer system according to claim 21. A hardware device is located between a server bank that hosts the virtual server and a router that is used to connect to a network such as the Internet;
The device inter-partitions so that no code or data can be written to the first partition unless initiated by the first partition or permitted by a hardware switch. Or manage all traffic between external units or computers connected to the partition,
The device itself is configured to direct traffic to its three separate paths (read and write, read only, and no connection / rejection of request) only when its configuration switch is in the ON position. Good,
A computer system according to claim 21. At least one hardware device connected to the computer, wherein the at least one hardware device can be turned on or off, and the at least one hardware device is not turned on unless the at least one hardware device is turned on. 22. The computer system of claim 21, wherein a virtual configuration of one virtual partition family cannot be changed. A first computer,
A CPU,
A memory module,
At least one memory address range for program code, said program code comprising computer-executable code, wherein said at least one memory address range for program code is protected from modification by hardware circuitry; At least one memory address range for program code, configured to be protected;
A memory module comprising at least one memory address range for other data, including data read from a second computer;
The at least one CPU is configured in hardware to execute only the computer-executable code within the memory address range for program code;
A first computer;
A second computer,
A CPU,
A second computer comprising: at least one communication module configured to couple to a network;
Consists of a bus and
The first computer and the second computer are interconnected only through the bus;
The first computer executes a pull command over the bus to read data from the second computer and apply the at least one data applicable to the data read from the second computer. The bus is configured to write only to a memory address range;
The bus is configured such that the first computer executes a push command over the bus to send data to the second computer;
The bus cannot accept a push command from the second computer or a pull command from the second computer;
A hardware circuit of the bus does not permit the second computer to access the CPU or the memory module of the first computer;
Computer system. The memory addressing structure is
A first memory unit for said at least one memory address range for program code;
27. The computer system of claim 26, comprising: a second memory unit for the at least one memory address range for other data. 27. The computer system of claim 26, wherein said hardware circuit mapping said memory addressing structure for program code comprises at least one field programmable gate array. The at least one memory address range for other data is:
At least one memory address range for data read from said second computer;
At least one memory address range for other first computer data. The memory addressing structure comprises:
A first memory unit for said at least one memory address range for program code;
A second memory unit for data read from said second computer;
27. The computer system of claim 26, further comprising a third memory unit for other first computer data. At least one external physical switch that can be turned on or off, wherein the CPU of the first computer is in the at least one address range for program code only when the external physical switch is on. 27. The computer system of claim 26, wherein the stored data can be changed. 27. The computer system of claim 26, wherein said at least one address range for program code comprises an operating system. 27. The computer system of claim 26, comprising at least one data store. Said first computer comprises at least one input / output module;
A plurality of input / output devices coupled to at least one I / O module;
A computer system according to claim 26. A bus designed to connect two computers,
The bus is configured such that a first computer executes a pull command over the bus to read data from the second computer and deliver it to the first computer;
The bus is configured such that the first computer executes a push command over the bus to send data to the second computer;
The bus does not allow a push command from the second computer or a pull command from the second computer;
A hardware circuit of the bus does not permit the second computer to access a CPU or a memory module of the first computer;
bus.