WO2002048844A2 - Changing of operating modes in a computer - Google Patents

Changing of operating modes in a computer Download PDF

Info

Publication number
WO2002048844A2
WO2002048844A2 PCT/DK2001/000820 DK0100820W WO0248844A2 WO 2002048844 A2 WO2002048844 A2 WO 2002048844A2 DK 0100820 W DK0100820 W DK 0100820W WO 0248844 A2 WO0248844 A2 WO 0248844A2
Authority
WO
WIPO (PCT)
Prior art keywords
mode
memory
computer system
controller
information
Prior art date
Application number
PCT/DK2001/000820
Other languages
French (fr)
Other versions
WO2002048844A3 (en
Inventor
Søren KILSGAARD
Mike Lind Rank
Original Assignee
Apomon Aps
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Apomon Aps filed Critical Apomon Aps
Priority to AU2002220540A priority Critical patent/AU2002220540A1/en
Publication of WO2002048844A2 publication Critical patent/WO2002048844A2/en
Publication of WO2002048844A3 publication Critical patent/WO2002048844A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect

Definitions

  • the present invention relates to a hardware resource sharing method enabling a computer system including one or more processors and a number of hardware resources to be operated in at least two non-concurrent modes, where the accessibility of a first pre-selected fraction of said hardware resources including a shared memory is enabled in both a first and a second of said non-concurrent modes, and where the accessibility of a second pre-selected fraction of said hardware resources including a restricted memory is enabled in said first mode and is precluded in said second mode, said method comprising the steps of:
  • said configuring includes writing predefined information in the shared memory or at least a pre-selected subset thereof, said predefined information including operational status information of said system in the selected mode of operation, and
  • Viruses are spread from one computer to another and can either be harmless or more or less destructive ranging from simple damage to parts of the operating system to a complete erasure of the hard disc.
  • Sniffers are often invisible and difficult to disclose by the user. They work in connection with the operating system and can listen to keyboard strokes, locate interesting files, or collect sensitive communication on the computer and log it all in a file for later catch up or transmission. They can also open a trap door to the Internet so that a remote intruder can access and investigate the hard disc of the computer.
  • Parasites are also invisible for the user and can manipulate the operating system in order to steal processor power and/or memory space.
  • a parasitic infected computer or collection of computers can be utilized by a remote hacker for distributed computing, bulk e-mailing or storage place for illegal documents.
  • a solution to the described problems can partly be found in a hardware resource sharing method enabling a computer system, including a number of hardware resources, to be operated in at least two non-concurrent modes, where the accessibility of a first pre-selected fraction of said hardware resources including a shared memory is enabled in both a first and a second of said non-concurrent modes, and where the accessibility of a second pre-selected fraction of said hardware resources, including a restricted memory, is enabled in said first mode and is precluded in said second mode, said method comprising the steps of: selecting the mode in which the system shall be operated, configuring said hardware resources to enable and preclude access to the hardware resources according to the selected mode, and operating the computer system in the selected mode.
  • a resource sharing method with these properties is described in the following related patents.
  • VDS Virtual Disk Storage
  • the VDS system includes a memory system for storing information and a VDS controller which is in communication with the memory system and the CPU.
  • the VDS controller partitions the memory system into multiple virtual data storage devices, and then restricts the computer system from communicating with certain of these virtual data storage devices.
  • the VDS controller thus selectively isolates at least one of the virtual data storage devices from communicating with the computer system in order to prevent corruption of information stored in at least one virtual data storage device.
  • US 6,052,781 describes a multiple user computer including anti-concurrent user- class based disjunctive separation of plural hard drive operation.
  • a computer sharing system which adapts a computer's hardware resources to providing virtual dual system operation for several non-concurrent system users, is disclosed.
  • a separate hard disc drive including a full complement of boot, operating system, program and data file software is provided for each of the non-concurrent system users. Access by one system user to another system user's hard disc drive and files is denied, and corruption of one user's hard disc drive files as a result of another user's carelessness or malicious intent or through unique setup adaptation of one user's program files, which may otherwise interact with and impose unwanted changes on the operational perfor- mance of another user's file, is prevented.
  • Each of the separate hard disc drives may be uniquely formatted to service totally different operating systems, including boot track code, in support of various operating systems including MS-DOS, WindowsNT, OS/2, Unix and others.
  • US 6,000,518 discloses a computer system and method for storing distinct data types.
  • the computer system includes a plurality of data storage devices, wherein data of a first type may be stored on a first one of the data storage devices and data of a second type maybe stored on at least another one of the data storage devices, wherein at least one of the data types requires controlling access thereto.
  • the invention provides for ensuring the integrity of the data stored on the data storage devices. It also prevents misappropriation of data stored on the devices.
  • the invention includes a switch, which selects one of the data storage devices to be used in a computer system. Selecting a data storage device activates it and places it in an operational mode. The remaining data storage devices are placed into a non-operational mode.
  • the computer system implements a complete hardware reset in order to ensure that data from one storage device cannot be transferred to another storage device and is unavailable to users of another storage device. At least one of the data storage devices will require a password and login code in order to gain access.
  • US 5,657,470 and US 5,483,649 deal with methods for hard disc protection for multiple user operation. Each user is restricted to operate on his own hard disc partition and does not have write access to other partitions.
  • the described protection mechanism is mainly based on a software program that runs in the kernel of the operating system and does not rely on a hardware protection mechanism. This means that a clever written virus or sniffing program can gain full access to parts of the hard disc that is not even intended to be accessed by the current user, thereby making it possible for a program to corrupt or steal data saved on secure partitions on the hard disc.
  • WO 99/42915 describes a computer system adapted to be operated according to a method defined by the introducing part of claim 1.
  • the system includes a public storage area and a secured storage area which are connected to the computer via an I/O and communication controller.
  • the system is adapted to be being operated in at least two modes: a public and a secured mode.
  • a hibernator adapted to store an initial state of various components such as the CPU, the Direct Access Memory controller and the chipset is located in both the public storage area and the secured storage area.
  • a change of mode is performed by booting the computer and loading an operating system from a selected area, according to a user selected mode. When changing mode, the system is brought into an initial state defined by the hibernator in the selected mode.
  • the object of the invention is to provide a method of the above-mentioned type overcoming the disadvantages of the prior art without reducing the safety of the system, i.e. no undesirable data such as viruses and the like is to be transmitted between the restricted memory and the shared memory of the system.
  • the object of the invention is achieved by a method according to the introducing part of claim 1, characterised in that said one or more processors are deactivated prior to said configuring the hardware resources hereby allowing for a swift and secure change of mode.
  • a desired operation of the system after the change of mode is ensured which is of particular interest when the mode of operation is changed from a first mode to a second mode hereby ensuring that the precluded fraction of hardware is isolated from said first pre-selected fraction of the hardware.
  • no undesirable data such as viruses and the like can be transmitted between the restricted memory and the shared memory; i.e. between the first and second mode of operation, and vice versa.
  • said writing of predefined information to the shared memory includes writing system settings to shared memory in preselected hardware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware, hereby allowing all the hardware resources or a fraction thereof to be given a predefined setting when switching to a desired mode of operation.
  • preselected hardware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware
  • the content of the shared memory or at least a subset thereof is saved as operational status information in a dedicated memory which can only be accessed during change of mode, and the operational status information previously saved when exiting the given selected mode of operation is used as said predefined information in the step of configuration.
  • a given mode of operation can be resumed when this mode is reentered.
  • This enables a user to quickly change between modes including reentering a previous mode of operation and continue the work in this mode just as if the operation in this mode had not been interrupted by an operation in another mode.
  • an extremely flexible hardware resource sharing method is achieved according to the invention.
  • the content of the shared memory to be saved as operational status information is selected by utilizing the memory management or paging system in the computer system including the CPU to only include non-pageable pages and dirty pages, and the information is compressed before written to said dedicated memory and decompressed when read from said dedicated memory system.
  • the amount of operational status information is reduced which then reduce the amount of time used in writing and reading the operational status information to and from the dedicated memory.
  • the change of mode can take place very quickly and thereby make it transparent to the user.
  • the invention also relates to a computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource, and a general controller forming an interface between said basic part and said two or more resource parts and being adapted to enable interaction there between, the general controller further being adapted to enable switching between two or more predefined modes in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined information in the shared memory and the basic parts or at least a preselected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system.
  • a basic part including one or more processors and a shared memory
  • two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource
  • a general controller forming an interface between said basic part and said two or more resource parts and being adapted
  • the method according to the invention is characterized by being adapted to deactivate said one or more processors prior to said writing of said predefined information.
  • the general controller is, prior to said writing of predefined information, adapted to save current system settings and the content of the shared memory or at least a subset thereof as operational status information in a dedicated memory system which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information.
  • the amount of operational status information is reduced hence decreasing the amount of time used in writing and reading the operational status information to and from the dedicated memory.
  • the general controller is adapted to utilize a memory management or paging system of the computer system for selecting the information to be saved as operational status information when exiting the mode of operation as non-pageable pages and dirty pages.
  • the change of mode is optimised as a limited amount of data is to be transferred during change of mode.
  • the time consumption during change of mode is minimized and the amount of memory for storing the operational status data is mini- mised.
  • the general controller comprises the dedicated memory system including a bus controller, a memory and a memory controller, a number of switches located as connection links between network interfaces and networks, where the states of said switches are dependent on the selected mode, and a compression unit compressing information to, and decompressing information from, said dedicated memory system.
  • the dedicated memory system is RAM
  • a change from one mode to another can be carried out very quickly due to the much faster access to a RAM compared to the access to a hard disc.
  • the use of a compression unit reduces the amount of data to be transferred to and from the dedicated memory system, thereby making a further reducing the time spent on changing mode.
  • the general controller system is very flexible in placement and may be an integrated part of another hardware unit including the following units : motherboard, chip-set, CPU, hard disc, hard disc controller and memory system.
  • the general controller is adapted to enable data to be transferred between a first mode-specific restricted resource part of a first mode to a second mode-specific resource part of a second mode when allowed according to one or more predefined safety rules, and a dedicated memory system in at least one resource part is adapted for being used as a temporary storage while switching between said first mode-specific restricted resource part to said second mode-specific restricted resource part.
  • a dedicated memory system in at least one resource part is adapted for being used as a temporary storage while switching between said first mode-specific restricted resource part to said second mode-specific restricted resource part.
  • said one or more safety rules includes a hardware implemented acknowledgement of user input such as a password and/or one or more keystrokes.
  • user input such as a password and/or one or more keystrokes.
  • the invention relates to a hardware resource sharing controller including at least one input line and at least one output line, said input and output lines being adapted to connect said controller to a computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource, said controller being adapted to form an interface between the basic part and the two or more resource parts and enabling interaction there between when connected to said computer system, and the general controller further being adapted to enable switching between two or more predefined modes of said computer system in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined information in the shared memory or at least a pre-selected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system.
  • the hardware resource sharing controller is characterized by being adapted to deactivate said one or more processors prior to the configuring of the hardware resources.
  • the controller enables a swift and secure change of mode to be performed by a computer connected thereto. Furthermore, a desired operation of the system after the change of mode is ensured which is of particular interest when the mode of operation is changed from the first mode to the second mode, as it is ensured that the precluded fraction of hardware is hereby isolated from the first pre-selected fraction of said hardware. As a result, no undesirable data such as viruses and the like can be transmitted between the restricted memory and the shared memory; i.e. between the first and second mode of operation. Also a switch from one restricted mode to an- other can be done without re-booting the computer system and thereby enabling a rapid change from one mode to another.
  • the resource sharing controller is adapted to retrieve current system settings and the content of the shared mem- ory or at least a subset thereof via at least one of said input lines, where the subset selection may utilize the memory management or paging system of the computer system to include only the non-pageable pages and dirty pages, and save it as operational status information in a dedicated memory system included in said resource part which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information and is transferred to the computer system via at least one of the output lines.
  • the amount of operational status information is reduced hence decreasing the amount of time used in writing and reading the operational status information to and from the dedicated memory.
  • At least one of the input lines is adapted to operatively connect an input device, such as a keyboard, a mouse or a switch mounted on a wire to said controller, said input lines connecting the input device to the computer system via said controller.
  • an input device such as a keyboard, a mouse or a switch mounted on a wire to said controller, said input lines connecting the input device to the computer system via said controller.
  • said hardware resource sharing controller is adapted to receive user input, such as a password and/or one or more keystrokes, and to perform a hardware implemented acknowledgement of the user input and enabling the switching between two or more predefined modes only if the input is acknowledged.
  • user input such as a password and/or one or more keystrokes
  • Figure 1 is a block diagram of a first embodiment of a computer system according to the invention
  • Figure 2 illustrates a hard disc having three hard disc partitions
  • FIG. 3 is a block diagram of a System Isolation Handler according to the invention.
  • Figure 4 is a block diagram of a second embodiment of a computer system according to the invention.
  • FIG. 5 is a block diagram of a third embodiment of a computer system according to the invention.
  • FIG. 6 is a flow diagram of the Swap Initiator
  • FIG. 7 is a functional flow diagram of the System Isolation Handler
  • Figure 8 is a functional flow diagram of the Memory Swap Unit, and it is a detailed description of box 150 in figure 7,
  • Figure 9 is a functional flow diagram of the Memory Swap Unit using optional RAM in the System Isolation Handler, and together with figure 8 it is a detailed description of box 152 in figure 7.
  • the present invention provides a solution to the problem of protecting a computer containing private, sensitive, or business related data from known or not yet known hacks spread over the Internet.
  • the invention has its origin in the fact that the best protection from the Internet is obtained by having two computers; one for private data and one for public data.
  • this principle is contracted to be handled by one computer only, thereby saving physical space and utilizing resources that can be shared; CPU, monitor, power supply, keyboard etc.
  • Figure 1 illustrates a block diagram of a general purpose computer 1 to which a general controller or System Isolation Handler 2 is com ected.
  • the computer 1 is a hardware unit used for data processing and it includes a CPU, volatile memory, non- volatile memory, Network Interface 15, user interfaces, and it also includes at least one operating system and some software applications.
  • the computer 1 is a hardware unit used for data processing and it includes a CPU, volatile memory, non- volatile memory, Network Interface 15, user interfaces, and it also includes at least one operating system and some software applications.
  • the present invention concerns the System Isolation Handler 2 (SIH) and the related software running on the computer 1.
  • SIH 2 is a hardware unit that is inserted between the computer 1 and a hard disc 3 of the computer system 4.
  • the hard disc 3 should have three partitions as depicted in figure 2. Although three partitions are preferred, it is not a restriction - any number of partitions can be handled.
  • the SIH is a hardware unit that is inserted between the computer 1 and a hard disc 3 of the computer system 4.
  • the hard disc 3 should have three partitions as depicted in figure 2. Although three partitions are preferred, it is not a restriction - any number of partitions can be handled.
  • the operational status information defines a predetermined valid state of the computer 1 and may for example include system settings of preselected hard- ware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware.
  • the two main partitions of the hard disc 3 are the private and the public partitions 11 and 12.
  • the private partition 11 contains private related data and programs including an operating system.
  • the public partition 12 contains all data and programs that can be regarded as public, typically this would include an operating system and an Internet browser.
  • the Memory Swap Partition 10 contains a copy of working memory for both the private and the public system, respectively.
  • working memory includes the physical memory in the computer system.
  • the software included in this invention is an application program that is placed in the private and the public software system respectively. It is referred to as the Swap Initiator (SI), and it is used to initiate and finish each swap from the private to the public system and vice versa.
  • SI Swap Initiator
  • a swap from the private to the public system, or vice versa may for example be demanded by the user by pressing an assigned key on a keyboard of the computer, or by clicking an icon on the desktop related to the current operating system using a pointing device of the computer 1.
  • the swap can also be initiated automatically e.g. when launching or ending an Internet browser, a network program, or an user specified program.
  • the SI will be activated. After it is started, the SI takes care of halting all currently running applications and then handles control to the SIH 2.
  • FIG. 3 A more detailed drawing of the SIH 2 is depicted in figure 3.
  • the SIH 2 reads the partition table from the master boot record (not shown) on the hard disc 3. Based upon this table the Disc Request Handler 31 knows the physical location of the three partitions 10, 11 and 12. The, Disc Request Handler 31 in the SIH 2 then only allows the computer system to access one partition at a time, either the private partition 11 or the public partition 12. Due to security, read or write access to the Memory Swap Partition 10 and write access to the master boot record are not allowed.
  • the complete system control is transferred to the SIH 2.
  • the Disc Request Handler 31 first disconnects access to the private hard disc partition 11.
  • the Memory Swap Unit 32 transfers the current working memory from the computer system to the Memory Swap Partition 10.
  • the Disc Request Handler 31 allows the public hard disc partition 12 to be accessed and handles control to the Swap Initiator (SI) in the public operating system.
  • SI Swap Initiator
  • Going from the public to the private system is done correspondingly. While the swap is carried out, no other parts in the computer system, except the SIH 2 together with the SI can access the working memory and system settings in the computer 1.
  • the described method ensures that no data or running application, from either the private or the public system, can cross the boarder between the two systems. Due to this fact, the two systems can be claimed to be completely isolated.
  • the working memory in the computer 1 is 64 Mbytes and the hard disc interface is an ATA/66, which allows a maximum transfer rate of 66 Mbytes/sec.
  • the hard disc interface is an ATA/66, which allows a maximum transfer rate of 66 Mbytes/sec.
  • a preferred embodiment of the SIH 2 contains a Data Compression Unit 34 which runs a compression algorithm on all data to and from the Memory Swap Partition 10 on the hard disc 3.
  • the Swap Initiator decides which pages that need to be saved and hands over this information to the SIH 2 so that a complete system control is preserved in the SIH 2 while the swap takes place.
  • the way to decide which pages that need to be saved is described in the 'Memory Management and Paging' section.
  • the RAM block 35 needs only to be as large as the working memory in the computer system.
  • a small buffer for temporary data, contained in the RAM controller 37, makes it possible to swap small pieces of memory to and from com- puter 1. By repeating the small swaps, the whole working memory can be swapped with the SIH RAM block 35.
  • the transfer rate on a 64 bit PCI bus is approximately 264 MByte/sec. On a computer 1 with 64 MByte working memory, this gives a swap time of 0.5 seconds without the improvements that can be obtained by taking advantage of the previous described compression and memory paging.
  • the Memory Swap Unit 32 When the Memory Swap Unit 32 (MSU) swaps memory, it may copy the full working memory of computer 1 into the optional RAM block or into the Memory Swap Partition 10 on hard disc 3. However, only the used working memory, actually only parts thereof, must be moved. Which parts that need to be saved depend on the Operating System (OS).
  • OS Operating System
  • the working memory in computer 1 is often used by the OS in a segmentation and/or paging scheme.
  • the part of the OS performing that task is often called the Virtual Memory Manager (VMM) and it applies the Memory Management Unit (MMU).
  • VMM code resides in the small section of memory called nonpaged pool which is never paged to disk. This means that the non-paged pool must always be copied by the MSU.
  • the virtual memory is often organized in multilevel page tables (typically two-level).
  • the page tables map to a single Page Table Entry (PTE) containing the Page Frame number (the physical memory page) and a status of Present, Modified/Dirty, Referenced, Protection.
  • PTE Page Table Entry
  • the VMM has a way to keep track of their status often denoted the Page Frame Database.
  • a proper inspection of the Page Frame Database reveals which pages to save.
  • the SIH 2 can also contain a transfer bridge be- tween the private and the public system. E.g. to transfer files or data from the one system to the other. Just like one would have done by a disk or a CD between two separated computers.
  • the transfer bridge can be made in many different ways. For instance, a certain part of a connected hard disc 3 or a general memory system can be used as a temporary storage place, while a swap from one isolated system to another isolated system is carried out. Assume one wants to transfer a file from the private system to the public system: the file is then copied to the temporary storage place while in the private system, and when the public system is active it is then possible to read or copy the file from the temporary storage place. Going from the public to the private system is done correspondingly.
  • the software applications or hardware included in this invention can notify the user before a transfer is carried out.
  • the level of notification can be user programmable or set in hardware with different kind of notification levels.
  • the notification levels can range from simple warnings to strong warnings where it e.g. requires a password to carry out the data transfer.
  • Notification and/or transfer denial can also be determined out from the type of data that are going to be transferred. E.g. it can be decided that files with certain names or extensions cannot be transferred whereas other files only give a notification.
  • a file transfer may also activate a virus scan program that scans the files under transfer for known viruses. A transfer is then only accepted and accomplished if the virus scan program approves the files.
  • the security level of data transfer between isolated systems can also be programmed such that data transfer from certain isolated systems to other certain systems is prohibited. For instance this information can be programmed to the hardware unit.
  • the system according to the invention may also include a Net Switch 16 as depicted in figure 4.
  • the computer 1 communicates through a Network Interface 15, which e.g. can be an Ethernet-, LAN-, or ADSL card.
  • A. Net Switch 16 connects the Network Interface 15 and thereby the computer 1 to either the private or the public network.
  • the Net Switch 16 is completely controlled by the System Isolation Handler 2 (SIH) and controlled in such a way that if the SIH 2 is in private mode (private partition access) then only the private network can be accessed through the Network Interface 15. On the contrary if the SIH 2 is in public mode (public partition access) then only the public network can be accessed through the Network Interface 15.
  • SIH System Isolation Handler 2
  • the Net Switch 16 can be purely electrical (e.g. transistor logic), opto electrical, mechanical or a combination of these.
  • the invention is not restricted to cope with only one Network Interface 15, one or more can be connected to the computer 1. If for instance two Network Interfaces 25A, 25B are used to access two separate networks - one for a private network and the other for a public network, then the Net Switch 16 will be extended to work as a double switch 26A, 26B. This is depicted in figure 5.
  • the SIH 2 Only one switch at a time in the double switch will be active. If e.g. the SIH 2 is in private mode then only the private Network Interface 25 A has access to surroundings through the double switch 26A, 26B, and it will be the private network. On the con- trary if the SIH 2 is in public mode then only the public Network Interface 25B has access to surroundings through the double switch, and it will be the public network.
  • the SI is an application program that exists in two versions, one runs in the Operating System (OS) in the private system and the other runs in the OS in the public system. It should be noted here, that since the two systems are com- pletely isolated, the two-in-one computer system 4 is not restricted to run the same OS on each system. In fact, the isolated systems can hold any combination of Operating Systems including Linux, Windows, Dos, Unix, Mac OS, Mac OS X.
  • Steps 100-106 of the SI in figure 6 illustrate the program flow in the one system (private or public), and the last part - steps 110-114 - illustrate the program flow in the other system.
  • the SI When the SI is called or activated it makes some initializations (step 100) where after the CPU clears the internal and external CPU-caches (step 102) to make sure that nothing from the one system is left over to the system that takes over.
  • step 104 the processor (CPU) of the system 1 is deactivated.
  • step 106 the CPU issues a command, via the PCI bus, to the SIH 2 that instructs it to make a change in system mode (public/private). The command is recognized by the SIH 2, which then takes over the control of the computer system and makes the requested change in system mode.
  • the SIH 2 wakes up or reactivates the CPU (step 110), which includes clearing of internal and external CPU caches (step 112) and start of code execution (step 114) in the new system at the point it was left when the last change of mode in that system was carried out. Waking up or reactivating the CPU can be done via an interrupt issued by the SIH 2. It is noted that the period of inactivity of the system processor or CPU is controlled by the SIH 2.
  • SIH System Isolation Handler 2
  • the CPU is in idle state, i.e. the CPU is deactivated, so not to disturb the memory transfer. Waking up or reactivating the CPU is done immediately after the memory swap has ended and is initiated by some signal, e.g. an interrupt.
  • the SIH 2 is depicted in figure 3. It is a hardware unit that is inserted between the computer 1 and the computer systems hard disc 3. If it is decided to implement the optional RAM 35, in order to reduce the swap time, there will also be a flat cable connection to a PCI slot in the computer 1. As depicted in figure 3, a preferred embodiment of the SIH 2 consist of a Disc Request Handler 31, a. Memory Swap Unit 32, a Data Compression Unit 34, PCI controller 39, a RAM controller 37, and some optional RAM 35. A RAM socket is implemented on the board so it is easy to add a RAM block.
  • All units except the RAM 35 are intended to be implemented in a FPGA, an ASIC, or a Micro-controller solution, or a combination of these, and may be supported by non- volatile memory such as FLASH and/or ROM.
  • non- volatile memory such as FLASH and/or ROM.
  • a unique tag for each SIH 2 hardware unit may be included.
  • the tag maybe a number similar to the so-called MAC address defined in the IEEE 802 standard or a digital key for cryptographically use.
  • the tag may also be used for software/fi ⁇ nware updates.
  • FIG. 7 An elaborated functional flow of the SIH 2 is depicted in figure 7.
  • the SIH 2 determines which mode should be the current active by reading pre-settings in a non-volatile memory part, which can reside in the SIH 2.
  • the access rules for the Disc Request Handler 31 are set up (step 126) according to pre-settings supplied with information of the physical locations of the partitions 10, 11 and 12 on the hard disc 3 (step 124).
  • the access rules ensure that an access to the private partition 11 from computer 1, when operating in public mode, is prohibited. Also the access rules can prohibit access to the public partition 12 from the computer system, when operating in private mode.
  • Hard disc access and rales are checked in steps 130, 132, 134 and 136. If the hard disc request does not comply with the rules, an error is returned (step 138). If the request complies with the rules, the request is accepted (step 140) and read/write access to the hard disc 3 is allowed.
  • the access rules can be regarded as a mapping scheme that redirects, with a bijective (one-to-one and onto) map, request to a first logical fraction of hardware resources to a second physical fraction of hardware resources where said second hardware resources include at least one physical hard disc area and the definition of said disk area includes a definition in terms of logical drive parameters heads, cylinders, and sectors or geometry parame- ters and where said mapping scheme is individual for each said predefined mode.
  • a very flexible Disc Request Handler 31 is obtained since resources specific for one mode can be spread over many parts of one or more disks.
  • step 142 system mode information in the computer system can be requested by the SIH 2 (step 144), for example if files are to be transferred to the new mode. Then all network connections are disconnected (step 146). If the SIH 2 is not equipped with RAM 35 then the change of mode is done by swapping content of system memory with the Memory Swap Partition 10 on the hard disc 3 (step 150). However, if the SIH 2 is equipped with RAM 35 then it is used in the swapping of content of system memory (step 152).
  • the mode in the Disc Request Handler 31 will be set to public if previous mode was private (step 160) and will be set to private if previous mode was public (step 156). Then network connection is established according to the new mode (step 158), (step 162). Finally, the SIH 2 reports a resume to the SI in the new system (step 164) . This instructs the SI to start up operation from the point it was left in when the last change of mode in that system was carried out.
  • the SIH 2 gains full control over computer 1 by having full access to working memory in computer 1 via one or more of the busses or data transfer lines, such as IDE, ATA, PCI, AGP, USB, and Firewire.
  • the signaling must be in accordance with the respective standards .
  • the data transfer can utilize DMA or ULTRA DMA if necessary .
  • the assistance program can take care of data compression/decompression to reduce the amount of data to be transferred between the computer system and the SIH 2. In that case it should be secured that the CPU only runs the assistance program, and that this program is fully known and not tampered with.
  • the program can be transferred by the SIH 2 to a part in the working memory in the computer system, while the CPU is in idle state. After that the CPU can be brought into operation (i.e. the CPU is reactivated) of the assistance program by an interrupt initiated by the SIH 2.
  • the assistance program is already in the computer systems working memory, and then inspected by the SIH 2 while the CPU is idle. If the inspection, which can be a hash check, reveals that the assistance program is known and not tampered with, the CPU is then brought into operation of the program, by an interrupt initiated by the SIH 2. While the swap is carried out, no other parts in the computer system 4, except the SIH 2 together with the assistance program, can access the working memory and system settings of the computer system.
  • Figure 8 is a detailed functional flow of box (step 150) in figure 7, which is used if the SIH 2 is not equipped with optional RAM 35.
  • the assistance program is rrans- ferred to the computer 1 (step 172) by the SIH 2 where after it is activated (step 174) by the SIH 2.
  • the transfer is optimized by taking advantages of the paging information in the computer, then only the non-pageable pages and dirty pages are taken into account (step 180), if not, then the complete memory is transferred (step 178).
  • the data received by the SIH 2 is then compressed (step 182) by the Data Compressing unit 34 in the SIH 2 and then stored in the Memory Swap Partition 10 on the hard disc 3 (step 184).
  • the previous data and status of the previous system, which is stored in the Memory Swap Partition 10 on the hard disc 3 is then acquired by the SIH 2 ((step 188) if paging information is used, otherwise (step 186)) and decompressed (step 190).
  • the decompressed data is transferred to computer 1 by the SIH 2 (step 192).
  • FIG 9 is a detailed functional flow of box (step 152) in figure 7, which is used if the SIH 2 is equipped with optional RAM 35.
  • a data block (step 200) from the computer 1 is acquired by the SIH 2 and is compressed (step 202) and then stored in a temporary buffer (step 204) in the SIH 2.
  • a data block belonging to the previous system is taken from the RAM 35 in the SIH 2 and is decompressed (step 208) and then transferred to the computer system (step 210).
  • the content in the temporary buffer is transferred to the RAM 35 in the SIH 2 (step 212). If the com- plete swap is not carried out then the sequence is repeated (step 214) otherwise, the process will return.
  • the present invention is extended to handle these elements as well.
  • the Swap Initiator Before performing the swap from the private to the public system the Swap Initiator makes a copy of all accessible firmware and/or special configuration memories and places it in the private partition on hard disc 3.
  • the Swap Initiator just before completing its job - checks to see if the backup copy of the computer systems FW and SCM, which is still in the private partition 11, is in correspondence with the computer systems FW and SCM. If there are differences, the inconsistencies are corrected immediately and control is then safely handed over to the private system, which now will be in the same condition as it was left.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A mode specific computer system hardware resource sharing system based on a hardware controller including a dedicated memory system, a number of switches located as connection links between network interfaces and networks, a Data Compression Unit 34, a Disc Request Handler 31 and a Memory Swap Unit 32 (MSU). The controller denoted System Isolation Handler (SIH) is adapted to be inserted between a computer and at least one hard disc. The hardware resources including hard discs and networks are controlled by the SIH 2 so that a fraction is shared and other mutually exclusive fractions are mode dependent. Each mode is a fully isolated system including mode specific operating system and applications. By virtue of the MSU, the swap, from one mode to another, is done either automatically or on demand by the user and will take place promptly. Given an unconnected private mode and an Internet connected public mode a complete Internet security is obtained.

Description

Title: Rapid Swap of Isolated Systems in a Computer
Background of the Invention
The present invention relates to a hardware resource sharing method enabling a computer system including one or more processors and a number of hardware resources to be operated in at least two non-concurrent modes, where the accessibility of a first pre-selected fraction of said hardware resources including a shared memory is enabled in both a first and a second of said non-concurrent modes, and where the accessibility of a second pre-selected fraction of said hardware resources including a restricted memory is enabled in said first mode and is precluded in said second mode, said method comprising the steps of:
- selecting the mode in which the system shall be operated,
- configuring the hardware resources to enable and preclude access to the hardware resources according to the selected mode, said configuring includes writing predefined information in the shared memory or at least a pre-selected subset thereof, said predefined information including operational status information of said system in the selected mode of operation, and
- operating the computer system in the selected mode.
As Internet on-line rates become cheaper, computers get connected more frequently and for longer periods to the Internet. Furthermore since operating systems become larger and more complex, 'holes' for sophisticated hacking will appear. These facts mean that today's and future computers become more vulnerable to Internet hacking, especially if they always are online. Furthermore, since extended amounts of professional work, sensitive materials, and personal documents are transferred and worked out on computers, it is evident that Internet security is and will become a very impor- tant issue.
Hacking over the Internet can roughly be divided into three groups: viruses, sniffers, and parasites. Viruses are spread from one computer to another and can either be harmless or more or less destructive ranging from simple damage to parts of the operating system to a complete erasure of the hard disc. Sniffers are often invisible and difficult to disclose by the user. They work in connection with the operating system and can listen to keyboard strokes, locate interesting files, or collect sensitive communication on the computer and log it all in a file for later catch up or transmission. They can also open a trap door to the Internet so that a remote intruder can access and investigate the hard disc of the computer. Parasites are also invisible for the user and can manipulate the operating system in order to steal processor power and/or memory space. A parasitic infected computer or collection of computers can be utilized by a remote hacker for distributed computing, bulk e-mailing or storage place for illegal documents.
On a private computer, the above mentioned methods can result in complete loss of data and programs, disclosure of passwords for Internet banking or insight in personal documents or accounts. In a company, an infected computer can result in serious losses due to loss of data, insight in research and development or disclosure of future business plans.
A solution to the described problems can partly be found in a hardware resource sharing method enabling a computer system, including a number of hardware resources, to be operated in at least two non-concurrent modes, where the accessibility of a first pre-selected fraction of said hardware resources including a shared memory is enabled in both a first and a second of said non-concurrent modes, and where the accessibility of a second pre-selected fraction of said hardware resources, including a restricted memory, is enabled in said first mode and is precluded in said second mode, said method comprising the steps of: selecting the mode in which the system shall be operated, configuring said hardware resources to enable and preclude access to the hardware resources according to the selected mode, and operating the computer system in the selected mode. A resource sharing method with these properties is described in the following related patents.
WO 99/67713 describes a Virtual Disk Storage (VDS) system for providing multiple virtual data storage devices for use in a computer system which contains a central processing unit (CPU). The VDS system includes a memory system for storing information and a VDS controller which is in communication with the memory system and the CPU. The VDS controller partitions the memory system into multiple virtual data storage devices, and then restricts the computer system from communicating with certain of these virtual data storage devices. The VDS controller thus selectively isolates at least one of the virtual data storage devices from communicating with the computer system in order to prevent corruption of information stored in at least one virtual data storage device.
US 6,052,781 describes a multiple user computer including anti-concurrent user- class based disjunctive separation of plural hard drive operation. A computer sharing system, which adapts a computer's hardware resources to providing virtual dual system operation for several non-concurrent system users, is disclosed. A separate hard disc drive including a full complement of boot, operating system, program and data file software is provided for each of the non-concurrent system users. Access by one system user to another system user's hard disc drive and files is denied, and corruption of one user's hard disc drive files as a result of another user's carelessness or malicious intent or through unique setup adaptation of one user's program files, which may otherwise interact with and impose unwanted changes on the operational perfor- mance of another user's file, is prevented. Each of the separate hard disc drives may be uniquely formatted to service totally different operating systems, including boot track code, in support of various operating systems including MS-DOS, WindowsNT, OS/2, Unix and others. US 6,000,518 discloses a computer system and method for storing distinct data types. The computer system includes a plurality of data storage devices, wherein data of a first type may be stored on a first one of the data storage devices and data of a second type maybe stored on at least another one of the data storage devices, wherein at least one of the data types requires controlling access thereto. The invention provides for ensuring the integrity of the data stored on the data storage devices. It also prevents misappropriation of data stored on the devices. The invention includes a switch, which selects one of the data storage devices to be used in a computer system. Selecting a data storage device activates it and places it in an operational mode. The remaining data storage devices are placed into a non-operational mode. Upon selecting one of a data storage device, the computer system implements a complete hardware reset in order to ensure that data from one storage device cannot be transferred to another storage device and is unavailable to users of another storage device. At least one of the data storage devices will require a password and login code in order to gain access.
The patents described above all deal with the concept of splitting a computer system up hi two or more separate parts. However, the choice of which part to operate in is something that has to be decided before or while the computer system is booting up. If one want to shift from one separate system to another, it will require a complete new boot up of the computer system. The time consuming process of booting up a computer will result in restricted freedom and be a strong limitation in the users daily work. This is because a user often wants to have quick and easy access to the Internet, while at the same time be able to work securely on private matters.
US 5,657,470 and US 5,483,649 deal with methods for hard disc protection for multiple user operation. Each user is restricted to operate on his own hard disc partition and does not have write access to other partitions. However, the described protection mechanism is mainly based on a software program that runs in the kernel of the operating system and does not rely on a hardware protection mechanism. This means that a clever written virus or sniffing program can gain full access to parts of the hard disc that is not even intended to be accessed by the current user, thereby making it possible for a program to corrupt or steal data saved on secure partitions on the hard disc.
WO 99/42915 describes a computer system adapted to be operated according to a method defined by the introducing part of claim 1. The system includes a public storage area and a secured storage area which are connected to the computer via an I/O and communication controller. The system is adapted to be being operated in at least two modes: a public and a secured mode. A hibernator adapted to store an initial state of various components such as the CPU, the Direct Access Memory controller and the chipset is located in both the public storage area and the secured storage area. A change of mode is performed by booting the computer and loading an operating system from a selected area, according to a user selected mode. When changing mode, the system is brought into an initial state defined by the hibernator in the selected mode.
Even though the above-mentioned hardware resource sharing methods according to the prior art often are very useful, the change of mode has been found to be a very time consuming process.
The object of the invention is to provide a method of the above-mentioned type overcoming the disadvantages of the prior art without reducing the safety of the system, i.e. no undesirable data such as viruses and the like is to be transmitted between the restricted memory and the shared memory of the system.
The object of the invention is achieved by a method according to the introducing part of claim 1, characterised in that said one or more processors are deactivated prior to said configuring the hardware resources hereby allowing for a swift and secure change of mode. A desired operation of the system after the change of mode is ensured which is of particular interest when the mode of operation is changed from a first mode to a second mode hereby ensuring that the precluded fraction of hardware is isolated from said first pre-selected fraction of the hardware. As a result, no undesirable data such as viruses and the like can be transmitted between the restricted memory and the shared memory; i.e. between the first and second mode of operation, and vice versa.
According to a preferred embodiment of the invention said writing of predefined information to the shared memory includes writing system settings to shared memory in preselected hardware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware, hereby allowing all the hardware resources or a fraction thereof to be given a predefined setting when switching to a desired mode of operation. As both the fraction of hardware to be accessible in the modes and the setting thereof can be predefined, a very flexible system is achieved compared the computer systems of the prior art. Further, as these settings may be changed during operation, the mode of operation may be changed without rebooting the computer system, including the case where the CPU may be halted while said change is carried out. Therefore, according to the invention, the mode of operation can be changed rapidly.
According to a preferred embodiment of the invention, prior to the writing of predefined information in the shared memory, the content of the shared memory or at least a subset thereof is saved as operational status information in a dedicated memory which can only be accessed during change of mode, and the operational status information previously saved when exiting the given selected mode of operation is used as said predefined information in the step of configuration. Hereby, a given mode of operation can be resumed when this mode is reentered. This enables a user to quickly change between modes including reentering a previous mode of operation and continue the work in this mode just as if the operation in this mode had not been interrupted by an operation in another mode. As a consequence an extremely flexible hardware resource sharing method is achieved according to the invention. Hence it is possible for a user to freely choose between private work and public work such as the Internet, with a security level similar to two separate computers and without the time consuming process of booting up the computer.
According to a preferred embodiment of the invention, the content of the shared memory to be saved as operational status information is selected by utilizing the memory management or paging system in the computer system including the CPU to only include non-pageable pages and dirty pages, and the information is compressed before written to said dedicated memory and decompressed when read from said dedicated memory system. Hereby, the amount of operational status information is reduced which then reduce the amount of time used in writing and reading the operational status information to and from the dedicated memory. As a result, the change of mode can take place very quickly and thereby make it transparent to the user.
The invention also relates to a computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource, and a general controller forming an interface between said basic part and said two or more resource parts and being adapted to enable interaction there between, the general controller further being adapted to enable switching between two or more predefined modes in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined information in the shared memory and the basic parts or at least a preselected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system.
The method according to the invention is characterized by being adapted to deactivate said one or more processors prior to said writing of said predefined information.
This ensures a swift and secure change of mode during use of the system. Further, a desired operation of the system after the change of mode is ensured which is of particular interest when the mode of operation is changed from a first to a second mode, as it is ensured that the precluded fraction of hardware is isolated from the first pre-selected fraction of said hardware. As a result, no undesirable data such as viruses and the like can be transmitted between the restricted memory and the shared memory, i.e. between the first and second mode of operation. Also a switch from one restricted mode to another restricted mode can be carried out without re-booting the computer and thereby ensuring a rapid change of mode.
According to a preferred embodiment of the invention, the general controller is, prior to said writing of predefined information, adapted to save current system settings and the content of the shared memory or at least a subset thereof as operational status information in a dedicated memory system which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information. Hereby, the amount of operational status information is reduced hence decreasing the amount of time used in writing and reading the operational status information to and from the dedicated memory.
According to a preferred embodiment of the invention, the general controller is adapted to utilize a memory management or paging system of the computer system for selecting the information to be saved as operational status information when exiting the mode of operation as non-pageable pages and dirty pages. Hereby, the change of mode is optimised as a limited amount of data is to be transferred during change of mode. As a consequence the time consumption during change of mode is minimized and the amount of memory for storing the operational status data is mini- mised.
According to a preferred embodiment of the invention, the general controller comprises the dedicated memory system including a bus controller, a memory and a memory controller, a number of switches located as connection links between network interfaces and networks, where the states of said switches are dependent on the selected mode, and a compression unit compressing information to, and decompressing information from, said dedicated memory system. Hereby, in the case that the dedicated memory system is RAM, a change from one mode to another can be carried out very quickly due to the much faster access to a RAM compared to the access to a hard disc. The use of a compression unit reduces the amount of data to be transferred to and from the dedicated memory system, thereby making a further reducing the time spent on changing mode. When the computer system is connected to net- works, said switches make it possible to obtain complete protection from insecure networks by switching off the connection to those networks, while operated in the mode intended for private matters. The general controller system is very flexible in placement and may be an integrated part of another hardware unit including the following units : motherboard, chip-set, CPU, hard disc, hard disc controller and memory system.
According to a preferred embodiment of the invention, the general controller is adapted to enable data to be transferred between a first mode-specific restricted resource part of a first mode to a second mode-specific resource part of a second mode when allowed according to one or more predefined safety rules, and a dedicated memory system in at least one resource part is adapted for being used as a temporary storage while switching between said first mode-specific restricted resource part to said second mode-specific restricted resource part. Hereby, a way to transfer data from one mode to another is made possible when required by the user. Just like one would have done when changing a disk or a CD between two separated computers.
According to a preferred embodiment of the invention, said one or more safety rules includes a hardware implemented acknowledgement of user input such as a password and/or one or more keystrokes. Hereby, it is ensured that data may only be exchanged between different modes of operation when a user inputs a predefined password and, further, the user may hereby be made aware that a data transmission between different modes of operation is to be performed.
Furthermore, the invention relates to a hardware resource sharing controller including at least one input line and at least one output line, said input and output lines being adapted to connect said controller to a computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource, said controller being adapted to form an interface between the basic part and the two or more resource parts and enabling interaction there between when connected to said computer system, and the general controller further being adapted to enable switching between two or more predefined modes of said computer system in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined information in the shared memory or at least a pre-selected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system.
The hardware resource sharing controller according to the invention is characterized by being adapted to deactivate said one or more processors prior to the configuring of the hardware resources.
Hereby, the controller enables a swift and secure change of mode to be performed by a computer connected thereto. Furthermore, a desired operation of the system after the change of mode is ensured which is of particular interest when the mode of operation is changed from the first mode to the second mode, as it is ensured that the precluded fraction of hardware is hereby isolated from the first pre-selected fraction of said hardware. As a result, no undesirable data such as viruses and the like can be transmitted between the restricted memory and the shared memory; i.e. between the first and second mode of operation. Also a switch from one restricted mode to an- other can be done without re-booting the computer system and thereby enabling a rapid change from one mode to another.
According to a preferred embodiment of the invention, the resource sharing controller is adapted to retrieve current system settings and the content of the shared mem- ory or at least a subset thereof via at least one of said input lines, where the subset selection may utilize the memory management or paging system of the computer system to include only the non-pageable pages and dirty pages, and save it as operational status information in a dedicated memory system included in said resource part which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information and is transferred to the computer system via at least one of the output lines. Hereby, the amount of operational status information is reduced hence decreasing the amount of time used in writing and reading the operational status information to and from the dedicated memory.
Preferably, at least one of the input lines is adapted to operatively connect an input device, such as a keyboard, a mouse or a switch mounted on a wire to said controller, said input lines connecting the input device to the computer system via said controller.
Preferably, said hardware resource sharing controller is adapted to receive user input, such as a password and/or one or more keystrokes, and to perform a hardware implemented acknowledgement of the user input and enabling the switching between two or more predefined modes only if the input is acknowledged.
General Description of the Invention
The invention will now be described in more detail below with reference to the draw- ings, in which: Figure 1 is a block diagram of a first embodiment of a computer system according to the invention,
Figure 2 illustrates a hard disc having three hard disc partitions,
Figure 3 is a block diagram of a System Isolation Handler according to the invention,
Figure 4 is a block diagram of a second embodiment of a computer system according to the invention, and
Figure 5 is a block diagram of a third embodiment of a computer system according to the invention,
Figure 6 is a flow diagram of the Swap Initiator,
Figure 7 is a functional flow diagram of the System Isolation Handler,
Figure 8 is a functional flow diagram of the Memory Swap Unit, and it is a detailed description of box 150 in figure 7,
Figure 9 is a functional flow diagram of the Memory Swap Unit using optional RAM in the System Isolation Handler, and together with figure 8 it is a detailed description of box 152 in figure 7.
The figures are schematic and simplified for clarity, and they only show the details essential to the understanding of the invention, while other details are left out. Throughout, the same reference numerals are used for identical or corresponding parts.
The present invention provides a solution to the problem of protecting a computer containing private, sensitive, or business related data from known or not yet known hacks spread over the Internet. The invention has its origin in the fact that the best protection from the Internet is obtained by having two computers; one for private data and one for public data. In the present invention, this principle is contracted to be handled by one computer only, thereby saving physical space and utilizing resources that can be shared; CPU, monitor, power supply, keyboard etc.
Figure 1 illustrates a block diagram of a general purpose computer 1 to which a general controller or System Isolation Handler 2 is com ected. In this context the computer 1 is a hardware unit used for data processing and it includes a CPU, volatile memory, non- volatile memory, Network Interface 15, user interfaces, and it also includes at least one operating system and some software applications. The computer
1 and the System Isolation Handler 2 form part of a computer system 4.
The present invention concerns the System Isolation Handler 2 (SIH) and the related software running on the computer 1. The SIH 2 is a hardware unit that is inserted between the computer 1 and a hard disc 3 of the computer system 4. The hard disc 3 should have three partitions as depicted in figure 2. Although three partitions are preferred, it is not a restriction - any number of partitions can be handled. The SIH
2 is able to handle any number of connected hard discs and/or general memory units which each can have any number of partitions, and where said SIH hardware unit 2 is equipped with interface to at least one computer data transfer bus. Hence, changing operational status information and memory contents in the computer system can be done by the hardware unit with or without intervention from the general purpose computer 1. The operational status information defines a predetermined valid state of the computer 1 and may for example include system settings of preselected hard- ware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware.
As can be seen in figure 2 the two main partitions of the hard disc 3 are the private and the public partitions 11 and 12. The private partition 11 contains private related data and programs including an operating system. The public partition 12 contains all data and programs that can be regarded as public, typically this would include an operating system and an Internet browser. The Memory Swap Partition 10 contains a copy of working memory for both the private and the public system, respectively. In this document, working memory includes the physical memory in the computer system.
The software included in this invention is an application program that is placed in the private and the public software system respectively. It is referred to as the Swap Initiator (SI), and it is used to initiate and finish each swap from the private to the public system and vice versa.
A swap from the private to the public system, or vice versa, may for example be demanded by the user by pressing an assigned key on a keyboard of the computer, or by clicking an icon on the desktop related to the current operating system using a pointing device of the computer 1. The swap can also be initiated automatically e.g. when launching or ending an Internet browser, a network program, or an user specified program. In each case the SI will be activated. After it is started, the SI takes care of halting all currently running applications and then handles control to the SIH 2.
A more detailed drawing of the SIH 2 is depicted in figure 3. When a system boot takes place the SIH 2 reads the partition table from the master boot record (not shown) on the hard disc 3. Based upon this table the Disc Request Handler 31 knows the physical location of the three partitions 10, 11 and 12. The, Disc Request Handler 31 in the SIH 2 then only allows the computer system to access one partition at a time, either the private partition 11 or the public partition 12. Due to security, read or write access to the Memory Swap Partition 10 and write access to the master boot record are not allowed.
After a swap is initiated the complete system control is transferred to the SIH 2. If the swap is from private to public the Disc Request Handler 31 first disconnects access to the private hard disc partition 11. After that the Memory Swap Unit 32 transfers the current working memory from the computer system to the Memory Swap Partition 10. Then it transfers a copy of the public working memory from the Memory Swap Partition to the working memory in the computer system. Finally, the Disc Request Handler 31 allows the public hard disc partition 12 to be accessed and handles control to the Swap Initiator (SI) in the public operating system. Here the SI (not shown) will finish the swap and resume all earlier halted application programs . Going from the public to the private system is done correspondingly. While the swap is carried out, no other parts in the computer system, except the SIH 2 together with the SI can access the working memory and system settings in the computer 1.
Because the computer 1 including the processor is in idle state when the swap takes place, and since the SIH 2 has complete control over the memory transfer, in that period, the described method ensures that no data or running application, from either the private or the public system, can cross the boarder between the two systems. Due to this fact, the two systems can be claimed to be completely isolated.
Assume the working memory in the computer 1 is 64 Mbytes and the hard disc interface is an ATA/66, which allows a maximum transfer rate of 66 Mbytes/sec. However, on today's ATA/66 hard discs, only an effective sustained data transfer rate of maximum 33 Mbyte/sec can be obtained. This gives a swap time of approximately four seconds. To reduce this time, a preferred embodiment of the SIH 2 contains a Data Compression Unit 34 which runs a compression algorithm on all data to and from the Memory Swap Partition 10 on the hard disc 3. When the compression takes place in real time and with an average compression of 2:1 it is possible to obtain an apparent effective data transfer rate of 66 Mbytes/sec, thereby reducing the swap time to two seconds.
Further improvements in swap time can be obtained by only transferring those parts in working memory that actually need to be saved. In a pageable memory system these parts include non-pageable pages, and dirty pages. If we assume that these pages amounts to approximately 50% of the total working memory, another factor two reduction may be obtained. In the example above it means that only 32 Mbytes of working memory need to be transferred, thereby reducing the swap time to one second.
The Swap Initiator decides which pages that need to be saved and hands over this information to the SIH 2 so that a complete system control is preserved in the SIH 2 while the swap takes place. The way to decide which pages that need to be saved is described in the 'Memory Management and Paging' section.
The above described transfer bus and transfer rates are only used as an example to clarify what can be gained when using compression and paging information. The invention is not restricted to these - in fact any transfer bus and transfer rate can be used.
If the swap time needs to be further reduced, then it is possible to add a RAM block 35 and thereby avoiding the Memory Swap Partition 10 on hard disc 3, which could be a bottleneck. Further reduction in swap time could be an issue if computer 1 contains a lot of working memory or if the hard disc 3 is slow. Instead of saving the computers' working memory in the Memory Swap Partition 10 it is now saved and maintained in the RAM block. The data transfer between the computer 1 and the RAM 35 in the SIH 2 is carried out over a PCI bus. Although a PCI bus is the preferred transfer bus it is not a restriction. Any kind of high-speed data/transfer bus can be used.
As a maximum, the RAM block 35 needs only to be as large as the working memory in the computer system. A small buffer for temporary data, contained in the RAM controller 37, makes it possible to swap small pieces of memory to and from com- puter 1. By repeating the small swaps, the whole working memory can be swapped with the SIH RAM block 35.
The transfer rate on a 64 bit PCI bus is approximately 264 MByte/sec. On a computer 1 with 64 MByte working memory, this gives a swap time of 0.5 seconds without the improvements that can be obtained by taking advantage of the previous described compression and memory paging.
When the Memory Swap Unit 32 (MSU) swaps memory, it may copy the full working memory of computer 1 into the optional RAM block or into the Memory Swap Partition 10 on hard disc 3. However, only the used working memory, actually only parts thereof, must be moved. Which parts that need to be saved depend on the Operating System (OS). The working memory in computer 1 is often used by the OS in a segmentation and/or paging scheme. The part of the OS performing that task is often called the Virtual Memory Manager (VMM) and it applies the Memory Management Unit (MMU). The VMM code resides in the small section of memory called nonpaged pool which is never paged to disk. This means that the non-paged pool must always be copied by the MSU.
The virtual memory is often organized in multilevel page tables (typically two-level). Typically, the page tables map to a single Page Table Entry (PTE) containing the Page Frame number (the physical memory page) and a status of Present, Modified/Dirty, Referenced, Protection. However, as is it cumbersome to search all PTEs to find the status of the physical memory pages, the VMM has a way to keep track of their status often denoted the Page Frame Database. Hence, a proper inspection of the Page Frame Database reveals which pages to save.
To make the system more flexible, the SIH 2 can also contain a transfer bridge be- tween the private and the public system. E.g. to transfer files or data from the one system to the other. Just like one would have done by a disk or a CD between two separated computers.
The transfer bridge can be made in many different ways. For instance, a certain part of a connected hard disc 3 or a general memory system can be used as a temporary storage place, while a swap from one isolated system to another isolated system is carried out. Assume one wants to transfer a file from the private system to the public system: the file is then copied to the temporary storage place while in the private system, and when the public system is active it is then possible to read or copy the file from the temporary storage place. Going from the public to the private system is done correspondingly.
To make the data transfer securely, the software applications or hardware included in this invention can notify the user before a transfer is carried out. The level of notification can be user programmable or set in hardware with different kind of notification levels. The notification levels can range from simple warnings to strong warnings where it e.g. requires a password to carry out the data transfer. Notification and/or transfer denial can also be determined out from the type of data that are going to be transferred. E.g. it can be decided that files with certain names or extensions cannot be transferred whereas other files only give a notification. A file transfer may also activate a virus scan program that scans the files under transfer for known viruses. A transfer is then only accepted and accomplished if the virus scan program approves the files. The security level of data transfer between isolated systems can also be programmed such that data transfer from certain isolated systems to other certain systems is prohibited. For instance this information can be programmed to the hardware unit.
Security is only obtained when only the public system can connect to the Internet or other insecure networks. The private system should be left unconnected or at most only connected to a secure network. In order to make it impossible for the private system to connect to the Internet or other insecure networks, the system according to the invention may also include a Net Switch 16 as depicted in figure 4.
The computer 1 communicates through a Network Interface 15, which e.g. can be an Ethernet-, LAN-, or ADSL card. A. Net Switch 16 connects the Network Interface 15 and thereby the computer 1 to either the private or the public network. The Net Switch 16 is completely controlled by the System Isolation Handler 2 (SIH) and controlled in such a way that if the SIH 2 is in private mode (private partition access) then only the private network can be accessed through the Network Interface 15. On the contrary if the SIH 2 is in public mode (public partition access) then only the public network can be accessed through the Network Interface 15. The Net Switch 16 can be purely electrical (e.g. transistor logic), opto electrical, mechanical or a combination of these.
The invention is not restricted to cope with only one Network Interface 15, one or more can be connected to the computer 1. If for instance two Network Interfaces 25A, 25B are used to access two separate networks - one for a private network and the other for a public network, then the Net Switch 16 will be extended to work as a double switch 26A, 26B. This is depicted in figure 5.
Only one switch at a time in the double switch will be active. If e.g. the SIH 2 is in private mode then only the private Network Interface 25 A has access to surroundings through the double switch 26A, 26B, and it will be the private network. On the con- trary if the SIH 2 is in public mode then only the public Network Interface 25B has access to surroundings through the double switch, and it will be the public network.
When the user wants a change in system mode (public/private), while the computer 1 is in operation, the Swap Initiator (SI) is activated. The program flow of the SI is depicted in figure 6. The SI is an application program that exists in two versions, one runs in the Operating System (OS) in the private system and the other runs in the OS in the public system. It should be noted here, that since the two systems are com- pletely isolated, the two-in-one computer system 4 is not restricted to run the same OS on each system. In fact, the isolated systems can hold any combination of Operating Systems including Linux, Windows, Dos, Unix, Mac OS, Mac OS X.
Steps 100-106 of the SI in figure 6 illustrate the program flow in the one system (private or public), and the last part - steps 110-114 - illustrate the program flow in the other system. When the SI is called or activated it makes some initializations (step 100) where after the CPU clears the internal and external CPU-caches (step 102) to make sure that nothing from the one system is left over to the system that takes over. In step 104 the processor (CPU) of the system 1 is deactivated. In step 106 the CPU issues a command, via the PCI bus, to the SIH 2 that instructs it to make a change in system mode (public/private). The command is recognized by the SIH 2, which then takes over the control of the computer system and makes the requested change in system mode. When change of mode is done the SIH 2 wakes up or reactivates the CPU (step 110), which includes clearing of internal and external CPU caches (step 112) and start of code execution (step 114) in the new system at the point it was left when the last change of mode in that system was carried out. Waking up or reactivating the CPU can be done via an interrupt issued by the SIH 2. It is noted that the period of inactivity of the system processor or CPU is controlled by the SIH 2.
When memory swap is in progress, the System Isolation Handler 2 (SIH) has full control over the memory bus. At this time the CPU is in idle state, i.e. the CPU is deactivated, so not to disturb the memory transfer. Waking up or reactivating the CPU is done immediately after the memory swap has ended and is initiated by some signal, e.g. an interrupt.
The SIH 2 is depicted in figure 3. It is a hardware unit that is inserted between the computer 1 and the computer systems hard disc 3. If it is decided to implement the optional RAM 35, in order to reduce the swap time, there will also be a flat cable connection to a PCI slot in the computer 1. As depicted in figure 3, a preferred embodiment of the SIH 2 consist of a Disc Request Handler 31, a. Memory Swap Unit 32, a Data Compression Unit 34, PCI controller 39, a RAM controller 37, and some optional RAM 35. A RAM socket is implemented on the board so it is easy to add a RAM block. All units except the RAM 35 are intended to be implemented in a FPGA, an ASIC, or a Micro-controller solution, or a combination of these, and may be supported by non- volatile memory such as FLASH and/or ROM. For configuration, validation and identification, a unique tag for each SIH 2 hardware unit may be included. The tag maybe a number similar to the so-called MAC address defined in the IEEE 802 standard or a digital key for cryptographically use. The tag may also be used for software/fiπnware updates.
An elaborated functional flow of the SIH 2 is depicted in figure 7. In the beginning of the process (step 122), after a boot (step 120), the SIH 2 determines which mode should be the current active by reading pre-settings in a non-volatile memory part, which can reside in the SIH 2. After that the access rules for the Disc Request Handler 31 are set up (step 126) according to pre-settings supplied with information of the physical locations of the partitions 10, 11 and 12 on the hard disc 3 (step 124). The access rules ensure that an access to the private partition 11 from computer 1, when operating in public mode, is prohibited. Also the access rules can prohibit access to the public partition 12 from the computer system, when operating in private mode. Hard disc access and rales are checked in steps 130, 132, 134 and 136. If the hard disc request does not comply with the rules, an error is returned (step 138). If the request complies with the rules, the request is accepted (step 140) and read/write access to the hard disc 3 is allowed. More generally the access rules can be regarded as a mapping scheme that redirects, with a bijective (one-to-one and onto) map, request to a first logical fraction of hardware resources to a second physical fraction of hardware resources where said second hardware resources include at least one physical hard disc area and the definition of said disk area includes a definition in terms of logical drive parameters heads, cylinders, and sectors or geometry parame- ters and where said mapping scheme is individual for each said predefined mode. Hereby a very flexible Disc Request Handler 31 is obtained since resources specific for one mode can be spread over many parts of one or more disks.
If the SIH 2 is instructed to change the mode of operation (step 142) then system mode information in the computer system can be requested by the SIH 2 (step 144), for example if files are to be transferred to the new mode. Then all network connections are disconnected (step 146). If the SIH 2 is not equipped with RAM 35 then the change of mode is done by swapping content of system memory with the Memory Swap Partition 10 on the hard disc 3 (step 150). However, if the SIH 2 is equipped with RAM 35 then it is used in the swapping of content of system memory (step 152).
After swapping content of system memory the mode in the Disc Request Handler 31 will be set to public if previous mode was private (step 160) and will be set to private if previous mode was public (step 156). Then network connection is established according to the new mode (step 158), (step 162). Finally, the SIH 2 reports a resume to the SI in the new system (step 164) . This instructs the SI to start up operation from the point it was left in when the last change of mode in that system was carried out.
The SIH 2 gains full control over computer 1 by having full access to working memory in computer 1 via one or more of the busses or data transfer lines, such as IDE, ATA, PCI, AGP, USB, and Firewire. The signaling must be in accordance with the respective standards . The data transfer can utilize DMA or ULTRA DMA if necessary . Eventually it can be decided to have the CPU running, while the data transfer takes place, in order to make the computer system assist the SIH 2 in doing the data transfer. For instance, the assistance program can take care of data compression/decompression to reduce the amount of data to be transferred between the computer system and the SIH 2. In that case it should be secured that the CPU only runs the assistance program, and that this program is fully known and not tampered with. To secure the origin of the assistance program the program can be transferred by the SIH 2 to a part in the working memory in the computer system, while the CPU is in idle state. After that the CPU can be brought into operation (i.e. the CPU is reactivated) of the assistance program by an interrupt initiated by the SIH 2. Another possibility is that the assistance program is already in the computer systems working memory, and then inspected by the SIH 2 while the CPU is idle. If the inspection, which can be a hash check, reveals that the assistance program is known and not tampered with, the CPU is then brought into operation of the program, by an interrupt initiated by the SIH 2. While the swap is carried out, no other parts in the computer system 4, except the SIH 2 together with the assistance program, can access the working memory and system settings of the computer system.
Figure 8 is a detailed functional flow of box (step 150) in figure 7, which is used if the SIH 2 is not equipped with optional RAM 35. In case the transfer of working memory is assisted by a program in computer 1 , then the assistance program is rrans- ferred to the computer 1 (step 172) by the SIH 2 where after it is activated (step 174) by the SIH 2. If the transfer is optimized by taking advantages of the paging information in the computer, then only the non-pageable pages and dirty pages are taken into account (step 180), if not, then the complete memory is transferred (step 178). The data received by the SIH 2 is then compressed (step 182) by the Data Compressing unit 34 in the SIH 2 and then stored in the Memory Swap Partition 10 on the hard disc 3 (step 184). The previous data and status of the previous system, which is stored in the Memory Swap Partition 10 on the hard disc 3 is then acquired by the SIH 2 ((step 188) if paging information is used, otherwise (step 186)) and decompressed (step 190). The decompressed data is transferred to computer 1 by the SIH 2 (step 192).
Figure 9 is a detailed functional flow of box (step 152) in figure 7, which is used if the SIH 2 is equipped with optional RAM 35. A data block (step 200) from the computer 1 is acquired by the SIH 2 and is compressed (step 202) and then stored in a temporary buffer (step 204) in the SIH 2. A data block belonging to the previous system (step 206) is taken from the RAM 35 in the SIH 2 and is decompressed (step 208) and then transferred to the computer system (step 210). The content in the temporary buffer is transferred to the RAM 35 in the SIH 2 (step 212). If the com- plete swap is not carried out then the sequence is repeated (step 214) otherwise, the process will return.
In case that computer 1 contains other read/writable elements than the working memory and the hard disc 3, e.g. firmware (FW) or special configuration memory (SCM), the present invention is extended to handle these elements as well. Before performing the swap from the private to the public system the Swap Initiator makes a copy of all accessible firmware and/or special configuration memories and places it in the private partition on hard disc 3. When control is handed back to the private system, the Swap Initiator - just before completing its job - checks to see if the backup copy of the computer systems FW and SCM, which is still in the private partition 11, is in correspondence with the computer systems FW and SCM. If there are differences, the inconsistencies are corrected immediately and control is then safely handed over to the private system, which now will be in the same condition as it was left.
Note that it is the private system that is protected from attack from the Internet, not the public system. However, that is not a big problem because not much is stored on the public system, typically an operating system and an Internet connection. So in case of a corrupted public system, due to a virus or the like, it is not a big deal to rework the system again because no sensitive data are lost.
Note that the transfer bridge for files and data cannot guarantee that infected files from the public system enters the private system, if they are brought there by a user demanded transfer. That is also the case for two separated computers where a file is transferred from the one computer to the other, say on a disk. The security completely relies on the user, who should only transfer files of known origin or from trusted vendors.
Although the present invention has been described in terms of specific exemplary embodiments, it will be appreciated that various modifications and alterations might be made by those skilled in the art without departing from the spirit and scope of the invention. For example, the above given definition of a computer will include Personal Computers, Notebook Computers, Laptop Computers, Servers, Mainframe Computers, Palm Pilots and Mobile/Cellular telephones. However, the principles described can be used for any software/hardware programmable device which may communicate to other devices.

Claims

Claims
1. A hardware resource sharing method enabling a computer system including one or more processors and a number of hardware resources to be operated in at least two non-concurrent modes, where the accessibility of a first pre-selected fraction of said hardware resources including a shared memory is enabled in both a first and a second of said non-concurrent modes, and where the accessibility of a second pre-selected fraction of said hardware resources including a restricted memory is enabled in said first mode and is precluded in said second mode, said method comprising the steps of:
- selecting the mode in which the system shall be operated,
- configuring the hardware resources to enable and preclude access to the hardware resources according to the selected mode, said configuring includes writing predefined information in the shared memory or at least a pre-selected subset thereof, said predefined information including operational status information of said system in the selected mode of operation, and
- operating the computer system in the selected mode,
characterised in that said one or more processors are deactivated prior to said configuring the hardware resources.
2. A method according to claim l,characterisedin that said writing of prede- fined information to the shared memory includes writing system settings to shared memory in preselected hardware resources such as CPU, chip-set, plug-in cards, CMOS bios and/or firmware.
3. A method according to claim lor2,characterisedin that prior to the writ- ing of predefined information in the shared memory, the content of the shared memory or at least a subset thereof is saved as operational status information in a dedicated memory which can only be accessed during change of mode, and the operational status information previously saved when exiting the given selected mode of opera- tion is used as said predefined information in the step of configuration.
4. A method according to claim 3, c h a r a c t e r i s e d in that the content of the shared memory to be saved as operational status information is selected by utilizing the memory management or paging system in the computer system including the CPU to only include non-pageable pages and dirty pages, and the information is compressed before written to said dedicated memory and decompressed when read from said dedicated memory system.
5. A computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network re- source, and a general controller forming an interface between said basic part and said two or more resource parts and being adapted to enable interaction there between, the general controller further being adapted to enable switching between two or more predefined modes in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined informa- tion in the shared memory and the basic parts or at least a pre-selected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system, c h a r a c t e r i s e d in that the computer system is adapted to deactivate said one or more processors prior to said writing of said predefined information.
6. A computer system according to claim 5, c h a r a c t e r i s e d in that the general controller is, prior to said writing of predefined information, adapted to save current system settings and the content of the shared memory or at least a subset thereof as operational status information in a dedicated memory system which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information.
7. A computer system according to claim 5 or 6, characterised in that the general controller is adapted to utilize a memory management or paging system of the computer system for selecting the information to be saved as operational status information when exiting the mode of operation as non-pageable pages and dirty pages.
8. A computer system according to claim 6 or 7, characterisedin that the general controller comprises the dedicated memory system including a bus controller, a memory and a memory controller, a number of switches located as connection links between network interfaces and networks, where the states of said switches are dependent on the selected mode, and a compression unit compressing information to, and decompressing information from, said dedicated memory system.
9. A computer system according to one or more of claims 5-8, characterised in that the general controller is adapted to enable data to be transferred between a first mode-specific restricted resource part of a first mode to a second mode-specific resource part of a second mode when allowed according to one or more predefined safety rales, and a dedicated memory system in at least one resource part is adapted for being used as a temporary storage while switching between said first mode-specific restricted resource part to said second mode-specific restricted resource part.
10. A computer system according to claim 9, characterizedin that said one or more safety rules includes a hardware implemented acknowledgement of user input such as a password and/or one or more keystrokes.
11. A hardware resource sharing controller including at least one input line and at least one output line, said input and output lines being adapted to connect said controller to a computer system comprising a basic part including one or more processors and a shared memory, two or more resource parts each including at least one hardware resource such as a volatile memory, a non- volatile memory and/or a network resource, said controller being adapted to form an interface between the basic part and the two or more resource parts and enabling interaction there between when connected to said computer system, and the general controller further being adapted to enable switching between two or more predefined modes of said computer system in which said basic part is restricted to interact with a mode-specific resource part, the general controller being adapted to write predefined information in the shared memory or at least a pre-selected subset thereof when switching between two of said modes, said predefined information including mode specific operational status information of said system, c h a r a c t e r i s e d in that said controller is adapted to deac- tivate said one or more processors prior to the configuring of the hardware resources.
12. A hardware resource sharing controller according to claim l l, c h a r a c t e r i s e d in that the resource sharing controller is adapted to retrieve current system settings and the content of the shared memory or at least a subset thereof via at least one of said input lines, where the subset selection may utilize the memory management or paging system of the computer system to include only the non-pageable pages and dirty pages, and save it as operational status information in a dedicated memory system included in said resource part which can only be accessed by the general controller during switch of mode, and the operational status information saved when exiting the selected mode previously is used as said predefined information and is transferred to the computer system via at least one of the output lines.
13. A hardware resource sharing controller according to claim 11 or 12, c h a r a c t e r i z e d in that at least one of the input lines is adapted to operatively connect an input device, such as a keyboard, a mouse or a switch mounted on a wire to said controller, said input lines connecting the input device to the computer system via said controller.
14. A hardware resource sharing controller according to claim 13, c h ar a c t eri z e d by being adapted to receive user input, such as a password and/or one or more keystrokes, and to perform a hardware implemented acknowledgement of the user input and enabling the switching between two or more predefined modes only if the input is acknowledged.
PCT/DK2001/000820 2000-12-11 2001-12-11 Changing of operating modes in a computer WO2002048844A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002220540A AU2002220540A1 (en) 2000-12-11 2001-12-11 Changing of operating modes in a computer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DKPA200001851 2000-12-11
DKPA200001851 2000-12-11

Publications (2)

Publication Number Publication Date
WO2002048844A2 true WO2002048844A2 (en) 2002-06-20
WO2002048844A3 WO2002048844A3 (en) 2002-08-08

Family

ID=8159898

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2001/000820 WO2002048844A2 (en) 2000-12-11 2001-12-11 Changing of operating modes in a computer

Country Status (2)

Country Link
AU (1) AU2002220540A1 (en)
WO (1) WO2002048844A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2595362A1 (en) * 2011-11-17 2013-05-22 Flight Focus Pte. Ltd. Aircraft computer system for executing inflight entertainment and electronic flight bag applications
WO2014025307A3 (en) * 2012-08-07 2014-04-10 Klaus Drosch Apparatus and method for protection of stored data
CN110598412A (en) * 2018-06-12 2019-12-20 杨力祥 Method and computing device for isolating power information and checking power based on power information
US10572691B2 (en) 2015-04-28 2020-02-25 Microsoft Technology Licensing, Llc Operating system privacy mode

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0326700A2 (en) * 1988-02-01 1989-08-09 International Business Machines Corporation A trusted path mechanism for virtual terminal environments
US5491787A (en) * 1994-08-25 1996-02-13 Unisys Corporation Fault tolerant digital computer system having two processors which periodically alternate as master and slave
WO1998025372A2 (en) * 1996-11-22 1998-06-11 Voltaire Advanced Data Security Ltd. Information security method and apparatus
WO1999042915A2 (en) * 1998-02-18 1999-08-26 Voltaire Advanced Data Security Ltd. Information security method and apparatus
US6038667A (en) * 1997-02-13 2000-03-14 Helbig, Sr.; Walter A. Method and apparatus enhancing computer system security
WO2000020949A1 (en) * 1998-10-05 2000-04-13 Cet Technologies Pte Ltd. Method for security partitioning of a computer system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0326700A2 (en) * 1988-02-01 1989-08-09 International Business Machines Corporation A trusted path mechanism for virtual terminal environments
US5491787A (en) * 1994-08-25 1996-02-13 Unisys Corporation Fault tolerant digital computer system having two processors which periodically alternate as master and slave
WO1998025372A2 (en) * 1996-11-22 1998-06-11 Voltaire Advanced Data Security Ltd. Information security method and apparatus
US6038667A (en) * 1997-02-13 2000-03-14 Helbig, Sr.; Walter A. Method and apparatus enhancing computer system security
WO1999042915A2 (en) * 1998-02-18 1999-08-26 Voltaire Advanced Data Security Ltd. Information security method and apparatus
WO2000020949A1 (en) * 1998-10-05 2000-04-13 Cet Technologies Pte Ltd. Method for security partitioning of a computer system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2595362A1 (en) * 2011-11-17 2013-05-22 Flight Focus Pte. Ltd. Aircraft computer system for executing inflight entertainment and electronic flight bag applications
WO2014025307A3 (en) * 2012-08-07 2014-04-10 Klaus Drosch Apparatus and method for protection of stored data
US20150199144A1 (en) * 2012-08-07 2015-07-16 Klaus Drosch Apparatus and method for protection of stored data
EP2883185A4 (en) * 2012-08-07 2016-03-09 Klaus Drosch Apparatus and method for protection of stored data
US9442667B2 (en) 2012-08-07 2016-09-13 Klaus Drosch Apparatus and method for protection of stored data
US10572691B2 (en) 2015-04-28 2020-02-25 Microsoft Technology Licensing, Llc Operating system privacy mode
CN110598412A (en) * 2018-06-12 2019-12-20 杨力祥 Method and computing device for isolating power information and checking power based on power information

Also Published As

Publication number Publication date
AU2002220540A1 (en) 2002-06-24
WO2002048844A3 (en) 2002-08-08

Similar Documents

Publication Publication Date Title
US11061566B2 (en) Computing device
DE112005001739B4 (en) Tracking protected storage areas to speed up antivirus programs
US7203808B2 (en) Isolation and protection of disk areas controlled and for use by virtual machine manager in firmware
US7689733B2 (en) Method and apparatus for policy-based direct memory access control
US8104083B1 (en) Virtual machine file system content protection system and method
US20140115316A1 (en) Boot loading of secure operating system from external device
CN100389408C (en) Fixed disk data enciphering back-up and restoring method
US9529805B2 (en) Systems and methods for providing dynamic file system awareness on storage devices
US11403180B2 (en) Auxiliary storage device having independent recovery area, and device applied with same
US20090320128A1 (en) System management interrupt (smi) security
JP2004258840A (en) Computer system with virtualized i/o device
US10565141B1 (en) Systems and methods for hiding operating system kernel data in system management mode memory to thwart user mode side-channel attacks
US20070233727A1 (en) Multiple Virtual Devices
US20030018869A1 (en) Operation method for controlling paged memory access attributes of the memory unit and its structure
WO2002048844A2 (en) Changing of operating modes in a computer
US20050138263A1 (en) Method and apparatus to retain system control when a buffer overflow attack occurs
US11755745B2 (en) Systems and methods for monitoring attacks to devices
JP4908367B2 (en) Information processing device
KR20070030931A (en) Secure storage tracking for anti-virus speed-up
US20170235953A1 (en) Systems and Methods for Providing Dynamic File System Awareness on Storage Devices
WO2006071626A1 (en) Protecting privacy of networked devices containing management subsystems
CN112580023B (en) Shadow stack management method and device, medium and equipment
KR101434794B1 (en) The method and system for defending program hacking
JP3112203U (en) Storage dedicated disk unit
GB2441909A (en) Scanning files in subdivided storage area for malicious code

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: COMMUNICATION PURSUANT TO RULE 69(1) EPC (EPO FORM DATED 10.09.03)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP