Patent application number | Description | Published |
20100088739 | Hardware Based Mandatory Access Control - Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label. | 04-08-2010 |
20100125708 | Recursive Logical Partition Real Memory Map - A recursive logical partition real memory map mechanism is provided for use in address translation. The mechanism, which is provided in a data processing system, receives a first address based on an address submitted from a process of a currently active logical partition. The first address is translated into a second address using a recursive logical partition real memory (RLPRM) map data structure for the currently active logical partition. The memory is accessed using the second address. The RLPRM map data structure provides a plurality of translation table pointers, each translation table pointer pointing to a separate page table for a separate level of virtualization in the data processing system with the data processing system supporting multiple levels of virtualization. | 05-20-2010 |
20100125709 | Logical Partition Memory - A mechanism is provided, in a data processing system, for accessing memory based on an effective address submitted by a process of a partition. The mechanism may translate the effective address into a virtual address using a segment look-aside buffer. The mechanism may further translate the virtual address into a partition real address using a page table. Moreover, the mechanism may translate the partition real address into a system real address using a logical partition real memory map for the partition. The system real address may then be used to access the memory. | 05-20-2010 |
20100125915 | Secure Computer Architecture - A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream. | 05-20-2010 |
20110035532 | Secure Recursive Virtualization - A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled. | 02-10-2011 |
20120331466 | Secure Recursive Virtualization - A mechanism is provided for performing secure recursive virtualization of a computer system. A portion of memory is allocated by a virtual machine monitor (VMM) or an operating system (OS) to a new domain. An initial program for the new domain is loaded into the portion of memory. Secure recursive virtualization firmware (SVF) in the data processing system is called to request that the new domain be generated. A determination is made as to whether the call is from a privileged domain or a non-privileged domain. Responsive to the request being from a privileged domain, all access to the new domain is removed from any other domain in the data processing system. Responsive to receiving an indication that the new domain has been generated, an execution of the initial program is scheduled. | 12-27-2012 |
20130019307 | Secure Computer Architecture - A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream. | 01-17-2013 |
20130227704 | PROCESSOR AND DATA PROCESSING METHOD WITH NON-HIERARCHICAL COMPUTER SECURITY ENHANCEMENTS FOR CONTEXT STATES - Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted. The context control unit can also provide such computer security enhancements while still facilitating authorized cross-context and/or cross-level communications. | 08-29-2013 |
Patent application number | Description | Published |
20080263662 | SYSTEM AND METHOD FOR FUZZY MULTI-LEVEL SECURITY - An access control system and method includes a risk index module which computes a risk index for a dimension contributing to risk. A boundary range defined for a parameter representing each risk index such that the parameter above the range is unacceptable, below the range is acceptable and in the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which reduce the parameter within the range. | 10-23-2008 |
20090049111 | METHOD, APPARATUS AND SYSTEM FOR RESISTANCE TO SIDE CHANNEL ATTACKS ON RANDOM NUMBER GENERATORS - A random number generator (RNG) resistant to side channel attacks includes an activation pseudo random number generator (APRNG) having an activation output connected to an activation seed input to provide a next seed to the activation seed input. A second random number generator includes a second seed input, which receives the next seed and a random data output, which outputs random data in accordance with the next seed. An input seed memory is connected to the activation seed input and a feedback connection from the activation output so that the next seed is stored in the input seed memory to be used by the APRNG as the activation seed input at a next startup cycle. | 02-19-2009 |
20090055890 | SYSTEM AND METHOD FOR SECURITY PLANNING WITH HARD SECURITY CONSTRAINTS - A method for security planning with hard security constraints includes: receiving security-related requirements of a network to be developed using system inputs and processing components; and generating the network according to the security-related requirements, wherein the network satisfies hard security constraints. | 02-26-2009 |
20090282487 | Method of Managing and Mitigating Security Risks Through Planning - An exemplary method is provided for managing and mitigating security risks through planning. A first security-related information of a requested product is received. A second security-related information of resources that are available for producing the requested product is received. A multi-stage process with security risks managed by the first security-related information and the second security-related information is performed to produce the requested product. | 11-12-2009 |