公开(公告)号：JP2010092465A

公开(公告)日：2010-04-22

申请号：JP2009200006

申请日：2009-08-31

Applicant: Internatl Business Mach Corp ,  インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Maschines Corporation

Inventor： SAFFORD DAVID ROBERT ,  KARGER PAUL ASHLEY ,  H HUNT GUERNEY D ,  HALL WILLIAM ERIC ,  MERGEN MARK FREDERICK ,  TOLL DAVID C

IPC: G06F21/24 ,  G06F9/34

CPC classification number: G06F12/1483 ,  G06F21/629 ,  G06F21/71

Abstract: PROBLEM TO BE SOLVED: To provide a method and mechanisms for hardware-based mandatory access control. SOLUTION: Hardware mechanisms are provided for performing hardware-based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with the data to be processed by the processor. The instruction access policy label is passed along with the instruction via one or more hardware functional units of the processor. The operand access policy label is passed along with the data via the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized, to control access by instruction to the data, based on the instruction access policy label and the operand access policy label. COPYRIGHT: (C)2010,JPO&INPIT

Abstract translation: 要解决的问题：提供一种基于硬件的强制访问控制的方法和机制。 解决方案：提供硬件机制，用于执行对数据指令的基于硬件的访问控制。 这些硬件机制将指令访问策略标签与要由处理器处理的指令相关联，并将操作数访问策略标签与要由处理器处理的数据相关联。 指令访问策略标签通过处理器的一个或多个硬件功能单元与指令一起传递。 操作数访问策略标签通过处理器的一个或多个硬件功能单元与数据一起传递。 利用与处理器的一个或多个硬件功能单元相关联的一个或多个硬件实现的策略引擎，以基于指令访问策略标签和操作数访问策略标签来控制对数据的指令的访问。 版权所有（C）2010，JPO＆INPIT

公开(公告)号：FR2800480B1

公开(公告)日：2006-04-07

申请号：FR0012360

申请日：2000-09-28

Applicant: IBM CORP INTERNAT BUSINESS MAC

Inventor： AUSTEL VERNON RALPH ,  KARGER PAUL ASHLEY ,  TOLL DAVID CLAUDE

IPC: G06F12/14 ,  G06F1/00 ,  G06F21/00 ,  G07F7/10

Abstract: Access to files by accessing programs, where files comprise other files, programs and data is controlled. An initial access class is assigned to each file and to each accessing program. An access class comprises an integrity access class and a secrecy access class. An integrity access class comprises rules governing modification of data contained in files and a security access class comprises rules governing disclosure of data contained in files. An integrity access class comprises a set of rules for allowing the performance of a read function, and another set of rules for allowing the performance of write/execute function. An execute function comprises transferring and chaining, where chaining comprises starting another process running at potentially different secrecy and integrity access classes. A secrecy access class comprises a set of rules for allowing the performance of a write function, and another set of rules for allowing the performance of read/execute function. The respective access classes of the target file, target program, and accessing program are compared. If the comparison results meet the security requirements, the function is performed.

公开(公告)号：HU225077B1

公开(公告)日：2006-06-28

申请号：HU9902892

申请日：1997-07-23

Applicant: IBM

Inventor： JOHNSON DONALD BYRON ,  KARGER PAUL ASHLEY ,  KAUFMAN CHARLES WILLIAM JR ,  MATYAS STEPHEN MICHAEL JR ,  SAFFORD DAVID ROBERT ,  YUNG MARCEL MORDECHAY ,  ZUNIC NEVENKO

IPC: G09C1/00 ,  H04L9/32 ,  H04K1/00 ,  H04L9/08 ,  H04L9/14 ,  H04L9/28

Abstract: The method for providing for recovery of a cryptographic key using a number of cooperating key recovery agents comprises generating a number of shared key recovery values such that the key may be regenerated from the shared key recovery values without requiring additional non-public information. The shared recovery values are made available to the key recovery agents to enable recovery of the key. A pair of communicating parties use the cryptographic key to communicate, and the key is set by one party and sent to the ther one. Alternatively the key may be set by both parties acting together.

公开(公告)号：FR2800480A1

公开(公告)日：2001-05-04

申请号：FR0012360

申请日：2000-09-28

Applicant: IBM CORP INTERNAT BUSINESS MAC

Inventor： AUSTEL VERNON RALPH ,  KARGER PAUL ASHLEY ,  TOLL DAVID CLAUDE

IPC: G06F1/00 ,  G06F21/00 ,  G07F7/10 ,  G06F12/14

Abstract: The method assigns an initial access class to files to be protected, which comprises an integrity class and a confidentiality class. The confidentiality class comprises rules defining divulgence of data in the files and the integrity class comprises rules defining modification of data in the files. The access classes for the calling file and the target file are compared to determine access.

公开(公告)号：PL331313A1

公开(公告)日：1999-07-05

申请号：PL33131397

申请日：1997-07-23

Applicant: IBM

Inventor： JOHNSON DONALD BYRON ,  KARGER PAUL ASHLEY ,  KAUFMAN CHARLES WILLIAM JR ,  MATYAS STEPHEN MICHAEL JR ,  SAFFORD DAVID ROBERT ,  YUNG MARCEL MORDECHAY ,  ZUNIC NEVENKO

IPC: G09C1/00 ,  H04K1/00 ,  H04L9/08 ,  H04L9/14 ,  H04L9/28 ,  H04L9/32

Abstract: The method for providing for recovery of a cryptographic key using a number of cooperating key recovery agents comprises generating a number of shared key recovery values such that the key may be regenerated from the shared key recovery values without requiring additional non-public information. The shared recovery values are made available to the key recovery agents to enable recovery of the key. A pair of communicating parties use the cryptographic key to communicate, and the key is set by one party and sent to the ther one. Alternatively the key may be set by both parties acting together.