WO1989012864A1 - Independent computer module system - Google Patents
- Publication number
- WO1989012864A1 (PCT/US1989/002360)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- icm
- interface unit
- division
- program
- connectorless
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K7/00—Methods or arrangements for sensing record carriers, e.g. for reading patterns
- G06K7/10—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
- G06K7/10544—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation by scanning of the records by radiation in the optical part of the electromagnetic spectrum
- G06K7/10821—Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation by scanning of the records by radiation in the optical part of the electromagnetic spectrum further details of bar or optical code scanning devices
- G06K7/1097—Optical sensing of electronic memory record carriers, such as interrogation of RFIDs with an additional optical interface
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/002—Specific input/output arrangements not covered by G06F3/01 - G06F3/16
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2211/00—Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
- G06F2211/007—Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2153—Using hardware token as a secondary aspect
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Definitions
- the present invention is related to the safe and secure operation of computer software.
- the programs to be run are taken from a recording device such as a disk drive and copied into the Random Access Memory (RAM) of a host computer for processing, or they are programmed into Read Only Memory (ROM) which is either wired directly to the Central Processing Unit (CPU) or is encased in a separate module which has a connector for providing direct connection between the CPU and the ROM.
- search programs can set up the registers in the CPU for loading data from a target program in a target memory bank, and storing data in a common data area or an area of easy access by the search program; then make multiple jumps throughout the target program until a standard data-moving routine (now corrupted by the new information in the CPU) is encountered. In this way the security of many programs can be violated, programs copied, keys or secret codes can be accessed.
- Search programs, often called "virus" or "worms", hidden in operating systems, unused areas of the host computer's memory, or even on diskettes from other sources can write themselves into operating systems and into programs being legitimately copied, allowing search programs to compromise the security of anything that passes through that host computer.
- Diskettes and disk drives contain delicate mechanical and electrical parts that fail in the presence of dirt or moisture. Thus the prior art does not permit such devices to be used underwater, in outer space, in dirty, chemical-filled, or other hazardous environments.
- Prior art provides for the distribution of software on diskettes, magnetic tapes or similar devices.
- the software must be coded for use with a particular CPU, and often for a particular host computer. Therefore a means is needed for software distribution that is both secure, and can operate with a wide variety of host computers regardless of the CPU in the host.
- the present invention solves these problems and provides for many more useful functions.
- the present invention is an Independent Computer Module (hereafter called an ICM) and several types of Interface Units: a generic, a Modular and a Remote.
- the ICM contains a CPU, ROM and/or RAM memory, a rechargeable battery or other energy storage device, a specialized energy supply method, a specialized memory division switching capability, a specialized data input and a specialized data output method.
- the combination of an ICM and one of the Interface Units comprises an ICM System that can function in a multitude of hostile environments, while maintaining strict security over the programs loaded into the ICM.
- the specialized housing maintains the physical security of the programs inside.
- the specialized input, output and power supply maintain the electronic security over the programs loaded into the ICM by the fact that the programs themselves do not load into a host computer where they could be compromised, but rather are operated upon by the CPU located within the ICM housing.
- Program control, and thus all information transfer from the ICM to the host and back, are always under the strict control of the CPU and the pre-loaded program within the ICM. Therefore, only data authorized by the ICM program for transmittal will actually be transferred. Such data is transferred to and from the host computer via one of the interface units.
- Such data would then be routed by an operating system type program to, or from, any of the peripherals available to the host computer, such as mass data storage devices, CRT video displays, keyboards, printers, etc. Therefore the program inside the ICM can access all of the needed peripherals while maintaining the security of the program pre-loaded into the ICM. Therefore a separation of function is provided in the present invention.
- Applications programs are loaded into and operated in the ICM rather than the host, and the host computer is used to operate the usual peripherals.
- the programs requiring security would be loaded into the ICMs at the time of manufacture, or ICMs manufactured with a minimum, security-controlling program operating system would be provided to the software vendor.
- the software vendor would load in the software needing security, and in turn, the ICM would be sold to the end user who would be able to use, but not copy, any of the software.
- the ICM is constructed inside a portable, conveniently sized housing.
- When another secure program is to be run, one merely removes the ICM from the interface unit, replacing it with another... much the same way one would remove a video game cartridge and replace it with another.
- the specialized housing is an integral part of the security arrangement of the ICM system, since the housing is completely sealed, with the programs sealed inside making it difficult to mechanically access the secure programs, while the ICM's electrical arrangement maintains the electronic security.
- the specialized input and output arrangement as it relates to the housing.
- Input, and output sensors and emitters, along with the power supply receptors are sealed into the surface of the housing.
- the housing prevents someone from connecting in a secondary input and output, such as a direct memory access, that could be used to override the other security measures.
- the connectorless method chosen for communications and power transfer between the Interface Unit (which is connected to the host computer,) and the ICM can be inductive, capacitive, optical or radio frequency emitters, sensors, and receptors. These methods provide the needed data communications and power supply to the ICM while eliminating the need for plugs or connectors, and allowing for remote access to the ICM as they can be sealed into the surface of the housing, and in many cases just under the surface of the housing and still function properly.
- an inductor comprising the primary of a transformer can be mounted in the Interface Unit, and the secondary of the transformer can be mounted in the ICM.
- the metal surface of one side of a capacitor can be mounted in the Interface Unit, and the other surface of the capacitor mounted in the ICM.
- LEDs (light emitting diodes), phototransistors and photovoltaics can be used in the ICM and Interface Units.
- Radio Frequency is chosen, then RF receivers and transmitters, simple or sophisticated, can be used to supply the needed communications and power supply.
- communications signals to and from the emitters and sensors mounted in the housing are provided to the CPU, while energy from the power-supplying receptor is then rectified (if needed), filtered, and supplied to all powered components including the rechargeable battery.
- the ICM can continue to operate without the need for a plug or direct connection, is easily removable from the Interface Unit, and will continue to operate for a time after removal from the input power source, so that the ICM can be used to transfer authorized data from one host computer to another.
- the Interface Unit need only have a matching set of emitters and sensors, conventional signal matching electronics (if needed) and a direct connection to the host computer and power source (often from the host computer itself).
- a secondary benefit is derived by so sealing into the housing the input, output, and power supply sensors, emitters and receptors. An environmental seal is maintained, while permitting the communications and energy transference required to operate the internal components.
- the housing is provided with conventional metallic RF shielding, either on its surface or below surface, and the materials selected for the housing are chosen to operate within an expected hostile environment.
- an underwater ICM could be completely encapsulated in plastic with the sensors, emitters and receptors encased at or near the surface. While the usefulness of an underwater ICM may not at first seem apparent, the ICM is also immune to coffee, soda pop and other office hazards.
- the ICM could be used in very highly humid environments where the danger of exposure to electronics-damaging items would be a potential possibility, such as when computers are in use in submarines, or on board ship.
- Another secondary benefit of this communications and power supply arrangement is that the ICM can be inserted and removed from its Interface Unit without causing the arcing that would occur if conventional plugs were in use. This feature makes the use of the ICM especially attractive in potentially explosive environments such as certain industrial environments, in or near equipment used to transfer fuels, or in enriched oxygen environments such as would be common in space stations.
- the availability of an additional processor to a host computer, or the availability of a multiple group of ICMs operating from a single host computer provide the opportunity for parallel processing.
- a user may wish to operate a program using the type of processor that is available within the ICM, but is not available in the host computer.
- such user programs can be loaded into the ICM and operated by the current user, but such programs must be prevented from accessing any previously loaded program.
- occasions may arise whereby the ICM is to be loaded with several secure programs from several users while allowing each user to use each program, but preventing each user from copying any of the previously-loaded programs. Therefore the ICM is fitted with a specialized memory division switching arrangement.
- the Central Processing Unit (CPU), program-filled Read Only Memory (ROM), Random Access Memory (RAM), the specialized input and output, and power supply sections inside the ICM constitute a complete computer that can operate programs loaded into memory in the standard fashion. All of this memory is divided into sections and division switched by a specialized division switching arrangement that prevents the programs in one division from accessing the programs in any other division.
- One section of memory is designated as a Common Area and is memory mapped so that it is available to all divisions.
- the division switched sections of memory are divided into two types, the Executive Division (EXEC) and the Selected Divisions.
- the Executive Division has complete control and access to all other areas for security and controlling transfer of data between Divisions.
- the Selected memory Divisions are provided for user programs, and are restricted so that user programs within a Selected Division cannot copy directly any data from any other Division (except the Common data storage Area).
- a division switching apparatus is provided that causes the Executive Division to be operative after a reset of the CPU.
- the division switching apparatus is connected to the control bus so that commands taken from the Executive Division can cause both reads and writes of data in any memory division, while fetching its instructions from the Executive Division only.
- a means is provided for transferring program control to any of the other divisions either directly, or with an accompanying maskable or non-maskable interrupt.
- the Selected Divisions have the capability of fetching, reading and writing to their own division and the Common Area only. Transfer of program control to any other division is always accompanied by a non-maskable interrupt (NMI), which causes a hardware interrupt, and program control to a designated place in the newly-switched-on memory. (Or if a maskable interrupt is used, the division switching is prevented unless an interrupt acknowledge signal is received from the CPU indicating that an interrupt is actually in progress, thus preventing the execution of a division switch without an accompanying interrupt.)
- These designated entry points are programmed to be operating system entry points, so that information exchange between the divisions is always controllable. This method even allows the loading of any outside program while maintaining the security of the programs in the other memory divisions.
- the result is that the individual programs loaded into each of the Selected Divisions can be loaded directly into Programmable Read Only Memories (PROMs), Erasable Read Only Memories (EPROMs), or even RAM, but are still unable to copy any information from any of the other divisions, but any needed data can be provided by the program in the Executive bank.
- the host computer may, at the discretion of the program in the ICM Executive, load programs into the ICM for operation, in any of the Selected Divisions. The host may receive input and output from those programs.
- the Executive program can effectively prevent any outside loaded program from copying any data that the Executive does not permit, even though each of the programs may have direct access to the ICM input and output to the host.
- Permanently stored programs can thus be accessed and used at any time by inserting the ICM into an Interface Unit, or accessing it with a Remote Interface Unit.
- the ICM can accept outside programs, even temporary ones loaded into the ICM RAM, without compromising the previously stored programs.
- the first code is the Division Selection code, which is loaded into a code storage device upon command from the CPU.
- the second code is the Mode Select code, also loaded into a code storage device upon command from the CPU.
- the third is the Address Bus, for memory mapping the Common Data Area.
- the fourth is the Control Bus.
- The security arrangement is, in part, functional because the Executive Division is switched on by a selection of a mode rather than the selection of a Selected Division (which is the prior art way). Since the Executive Division is part of the mode selection, any other memory may be accessed by the Executive Division simply by changing the Selected Division code.
- the selection of a mode that causes command fetches to come from the Executive Division, and reads and writes to be operative on other divisions allows the Executive program to use fewer CPU commands to move data from one division to another, by using a standard move routine as would be used within a single division, but causing the reads to come from one division and the writes to another. This feature is especially useful when the Executive program is working as an operating system to shuttle information back and forth between an applications program and the host computer.
- the ICM housing is also fitted with a physical damage security system consisting of a damage sensor made of a maze of wires located just under the surface of the housing. Attached to these wires is a method for measuring the wire's resistance, which, in turn, is connected to the CPU. Also connected to the CPU is a self-destruct mechanism, of any convenient kind, that is capable of destroying the memory sections of the ICM. In the event that someone should try to either cut into the ICM, and thus through the wires, or try to defeat this security mechanism by shorting it out, the CPU would sense the change in resistance, and would then activate the self-destruct mechanism.
- the ICM is interfaced with a host computer or other electronic device through a specialized Interface Unit.
- This unit also has a specialized housing that is completely sealed to prevent damage to the components from a hostile environment. It is provided with a port, or other device for holding the ICM so that its sensors, emitters and receptors are adjacent to corresponding emitters and sensors in the Interface Unit.
- the Interface Unit is fitted with a cable or similar wiring for connecting it directly to a host computer. Room is provided in the housing for any interfacing circuitry needed to operate the sensors and emitters, and connect them properly to the host.
- a specialized Modular Interface Unit is provided.
- the MIU has all of the features of a generic Interface Unit, but is also fitted with two connectors, front and back, so that a number of interface units may be connected together to be operated by a single host computer.
- a Remote Interface Unit is also provided.
- the ICM can also be interfaced with a host computer through a specialized interface unit that can operate over a longer distance than would be usual with the generic or modular interface units.
- the RIU has emitters, and sensors selected for the range and type of communications and power to be supplied.
- the RIU may have infrared LEDs and phototransistors for communicating with the ICM, or several ICMs at a time from across the room.
- modulated lasers and focusing collectors may be required to communicate with an ICM at a considerable distance or in a different hostile environment such as under the sea. The types needed for a particular task are simply chosen and installed during manufacture.
- the RIU housing may also be sealed for operation in a hostile environment, and is fitted with cables, and interfacing electronics just as any of the Interface Units would be.
- Remote interfacing of the ICMs with a host computer allows for the multiple access of many ICMs by the same Remote Interface Unit, while allowing ICMs made for use in one hostile environment to be accessed by a RIU and host in a different environment. This remote capability also allows several users with separate hosts and RIUs to use common ICMs while still maintaining security of the programs.
- the versatility of the ICM System makes it a safer, applications-program-running, processor-independent, remotely-accessible, parallel-processing, hostile-environment-proof, completely-secure, all-electronic replacement for the conventional floppy disk.
- FIG. 1 A cross section view of a Modular Interface Unit (MIU) with an ICM inserted, and showing the positions of additional MIUs if used.
- FIG. 3 A perspective view of an ICM being accessed by a Remote Interface Unit (RIU).
- FIG. 4 A detailed block diagram of an ICM and an Interface Unit, showing the memory division switching method, the specialized input, output and energy supply method, along with the mechanical access security system.
- FIG. 1 depicts an exploded perspective of the ICM being inserted into a generic INTERFACE UNIT.
- the ICM is contained in its specialized housing that is completely sealed using materials selected for protection in the particular environment that it is intended to be used. For example, to make the ICM useable underwater, it could be completely encapsulated in plastic.
- the ICM is inserted into the INTERFACE UNIT for connecting the ICM to a host computer through wire H.
- Input power and data communications are accomplished through a connectorless energy and data transfer arrangement using sensors, emitters, and receptors I1, I, O1, O, P1, and P.
- the ICM is held in place by the INTERFACE UNIT, so that the respective emitters are held adjacent to their counterpart sensors etc.
- Input power to the ICM for recharging its batteries is provided from the host through an emitter, P1, which transfers energy to receptor, P.
- Data communications is provided through an input and an output set of emitter/sensor pairs: I1 and I for the input to the ICM, along with O1 and O for the output.
- a sufficient number of emitter/sensor sets is provided to accommodate all the data and handshaking signals of a standard serial or parallel data port.
- the type of emitter/sensor pair is selected to match the type of energy transfer needed for a particular application with one of each pair in the INTERFACE UNIT and the other in the ICM.
- the primary portion of a split transformer (manufactured in two mechanically separate sections) would be located in one unit and the secondary portion in the other.
- one capacitive surface of a split capacitor (also manufactured in two mechanically separate sections) would be located in one unit and the matching capacitive surface in the other.
- a light source would be provided in the INTERFACE UNIT for power, and photovoltaic cells in the ICM, while data transfer could be by light emitting diodes (LEDs) and phototransistors.
- radio frequency energy and data transfer the emitter would be a radio transmitter, and the sensor or receptor would be a radio receiver.
- emitters, sensors and receptors are sealed into the surface, or just under the surface of the ICM housing so they can operate normally while maintaining the hazardous environment protection.
- the INTERFACE UNIT likewise can be sealed with the sensors and emitters sealed into the interior surface of the Interface Unit housing.
- Figure 2 depicts a cross section of a Modular Interface Unit, MIU, having a port, PORT, for holding the ICM so that its emitters, sensors and receptor are held adjacent to a matching set of emitters and sensors (P1 near P, I1 near I, and O1 near O) for supplying power and communications to the ICM, just as described for Fig. 1.
- the Modular Interface Unit has the additional feature of connectors C1 on one side and C2 on the other side. These connectors allow the addition of more Modular Interface Units MIU1 and MIU2 (dotted lines) so that a number of ICMs can be operated by a single host computer.
- Wire and connector H are the connecting wires to the host computer that must come from at least one of the MIUs.
- a seal, S, is provided to prevent damage to the connectors C1 and C2 from a hostile environment.
- Standard interface electronics, IE, mounted on a conventional printed circuit board, is provided to connect the emitters and sensors to the host.
- FIG. 3 depicts an ICM being accessed and operated through a Remote Interface Unit, RIU.
- the RIU has input (to the ICM) emitters I1 and output (from the ICM) sensors O1, and power output (to the ICM) emitter P1, along with the connecting wires to the host, just as described in Fig. 1. Emitters and sensors in the RIU are positioned so as to be directed toward the ICM.
- the RIU housing is also tightly sealed and made of selected materials so that it may be used in a hostile environment, possibly a different environment from the environment that the ICM is operating in.
- All of the Interface Units function exactly alike; they serve to provide a connectorless interface between a host and one or more ICMs.
- the different types are provided to give greater versatility to the operation of the basic ICM System.
- FIG. 4 is a block diagram of a typical ICM and an Interface Unit.
- Energy is supplied from the host computer through wires, H, and standard interface electronics IE1, through the power emitters P1 of the Interface Unit (any of the types) to the power receptors P in the ICM.
- EC is a material selected to provide hazardous environment protection to the component while permitting the energy form in use for power and data transfer to pass through.
- clear plastic or fiber optics would be provided to pass light from an emitter to the surface of one unit, then from the surface of the other unit to the sensor inside, if the emitters and sensors are optical.
- a thin plastic cover could be provided to pass energy using induction, capacitive, or radio transfer, depending on the expected hazardous environment to be encountered.
- ICM input power from P is rectified (if needed) and filtered in the power supply section PWR, and then distributed to all powered components in the ICM (labeled TO ALL) plus the rechargeable battery B.
- Data input and output from the host computer is supplied through wires, H, and standard interfacing electronics IE2 to the emitters and sensors I1 and O1 of the Interface Unit to the matching emitters and sensors I and O in the ICM. These are in turn connected through a standard input/output interface, I/O, to the CPU.
- This arrangement of emitters, sensors, and receptors provides connectorless communications and power supply between the host and the ICM.
- Non-Executive Division Select Latch and Mode Select Latch store the division selection and mode codes output from the CPU upon receiving a strobe from ROM1.
- ROM2 decodes the address, control, mode, and division select signals to provide the instantaneous division selection required among the memory divisions designated as: The Executive Division, EXEC; the Common Data Division, Com; and individually Selected Divisions Mem 1 through Mem n.
- ROM1 also has an input feed back line, FB, taken from the output of the Mode Select Latch.
- FB input feed back line
- This line is on or off depending on whether the Executive memory division is currently in program control or not. This line determines the modes that will be permitted to be loaded depending upon the memory division which has program control. It is this line that provides the ICM with the ability to provide a secure operating system in the EXEC Division while preventing programs in the other divisions from instituting modes that would allow unauthorized data copying; along with the fact that the EXEC Division is not selected as one of the Selected Divisions, but its selection is one of the Modes.
- ROM1 also has an output to the CPU non-maskable interrupt, NMI.
- NMI non-maskable interrupt
- ROM1 is also programmed to allow the simultaneous loading of a mode 0 while causing an NMI. This command is permitted whenever FB indicates that the Selected Divisions have program control. This command is used to switch to the Executive program whenever operating system type functions are desired. By choosing the best fetch/read/write functions to take place within a given CPU command sequence for mode 0, the most rapid transfer of data can be accomplished by the Executive program.
- ROM1 also has an output connected to the CPU maskable interrupt, INTR. This line is operative only when the EXEC Division has program control, as indicated by line FB. Maskable interrupts (depending upon the CPU chosen) often have a software programmable interrupt entry point. If available, this would make the Executive program much more versatile. Otherwise, the Executive program can select the program control beginning address in a Selected Division by simply changing modes from a position in the Common Data Division, and jumping to the desired starting point. Selected divisions would be prohibited from doing this by FB, ROM1 and the NMI.
- the Mode Select Latch is CLEARed by the RESET signal from the CPU, the EXEC Division is designated by ROM1 as having program control in mode 0. Therefore, upon receiving a reset signal, mode 0 is selected, so the EXEC Division has initial program control.
- ROM2 decodes the four major codes, the Division Select code, the Mode Select code, the ADDRESS BUS code, and the CONTROL BUS code to provide the selection of memory divisions that produce the following fetching, reading and writing sequences based on the following modes:
- Common memory Com is memory mapped by ROM2 into an address space accessible from all memories, while other required memory operational signals will also be timed and provided properly, such as refresh for dynamic RAMs.
- ROM1 is specially programmed to provide the following command decoding and control functions:
- a physical entry security system is also provided.
- a maze of wires (labeled MAZE) is located just under the surface of the entire ICM housing. These wires are connected to a resistance detector, DET., which, in turn, is connected as an input to the CPU.
- DET. is a self destruct mechanism located so as to be able to destroy the memory divisions if activated by the output from the CPU. If a cut is made in the housing, or if someone attempts to defeat this security device by shorting out the wires, the resistance detector will indicate the change in resistance to the CPU which can then activate the self destruct mechanism to prevent the information stored in them from being accessed.
Abstract
The device described is a portable, Independent Computer Module (ICM) along with several Interface Units for connecting the ICM to a host computer or other external electronic device. The ICM has a CPU, memory, a specialized connectorless communication method, a specialized connectorless power supply method, a specialized data and program security memory division switching method, all contained in a specialized housing. The ICM with either of the Interface Units constitute an ICM system which provides multiple advantages as a portable, programmable, secure, safer method of distributing and operating computer software, an all electronic replacement for floppy disks, and a processor-independent method of using applications programs with a variety of host computers while providing the ability to parallel process with the host. Modular Interface Units provide for multiple ICMs to be connected to a single host computer, and Remote Interface Units allow multiple ICMs to be accessed by host computers from a considerable distance.
Description
Title of the invention: INDEPENDENT COMPUTER MODULE SYSTEM
BACKGROUND OF THE INVENTION
The present invention is related to the safe and secure operation of computer software.
First: A problem arises in the use of software in computers. Typically, the programs to be run are taken from a recording device such as a disk drive and copied into the Random Access Memory (RAM) of a host computer for processing, or they are programmed into Read Only Memory (ROM) which is either wired directly to the Central Processing Unit (CPU) or is encased in a separate module which has a connector for providing direct connection between the CPU and the ROM. The problem is that any user can input a program that will copy any program that must be loaded into the RAM of a host computer.
Attempts have been made to provide software checks and various security arrangements in an attempt to prevent copying. However, the very nature of the process prevents the institution of effective security measures because any method that allows the host computer's CPU to access the program, either by copying it into RAM or by directly accessing it in ROM, also allows the program to be copied from that very memory.
In the past, security bank switching arrangements have required complex encryption equipment, or secret codes for operation. Such methods are expensive, and allow for corruption by specialized search programs. Such search programs can set up the registers in the CPU for loading data from a target program in a target memory bank, and storing data in a common data area or an area of easy access by the search program; then make multiple jumps throughout the target program until a standard data-moving routine (now corrupted by the new information in the CPU) is encountered. In this way the security of many programs can be violated, programs copied, and keys or secret codes accessed.
Another method of security violation needs to be addressed. Search programs, often called "viruses" or "worms", hidden in operating systems, unused areas of the host computer's memory, or even on diskettes from other sources can write themselves into operating systems and into programs being legitimately copied, allowing search programs to compromise the security of anything that passes through that host computer.
Therefore, it became necessary to invent a device that would prevent the direct access of the host computer's CPU to the program being run, or by any program that could be used by the host computer; thus preventing software copying and theft.
Secondly, the prior art typically uses connectors between program-containing ROM cartridges that must have their power removed to prevent sparking or arcing upon the insertion or removal of the cartridge from its socket. Therefore such methods become unacceptable in certain hazardous environments where explosive gases, or a high percentage of oxygen, are present. Even in the normal atmospheric environment such connectors are subject to considerable wear, are difficult to clean, and cause data and program transfer problems.
Certain other environments are hazardous to the computing equipment. Diskettes and disk drives contain delicate mechanical and electrical parts that fail in the presence of dirt or moisture. Thus the prior art does not permit such devices to be used underwater, in outer space, in dirty, chemical-filled, or other hazardous environments.
Third: Prior art software storage devices are incapable of being accessed remotely, or from an environment much different from the normal atmospheric environment.
Fourth: Prior art provides for the distribution of software on diskettes, magnetic tapes or similar devices. The software must be coded for use with a particular CPU, and often for a particular host computer. Therefore a means is needed for software distribution that is both secure, and can operate with a wide variety of host computers regardless of the CPU in the host.
Fifth: Prior art uses mechanical recording devices for programs which are slow, or ROM cartridges which lack the intelligence to be both swift and provide multiple uses.
The present invention solves these problems and provides for many more useful functions.
SUMMARY OF THE INVENTION
The present invention is an Independent Computer Module (hereafter called an ICM) and several types of Interface Units: a generic, a Modular and a Remote. The ICM contains a CPU, ROM and/or RAM memory, a rechargeable battery or other energy storage device, a specialized energy supply method, a specialized memory division switching capability, and a specialized data input and specialized data output method.
The combination of an ICM and one of the Interface Units comprises an ICM System that can function in a multitude of hostile environments, while maintaining strict security over the programs loaded into the ICM. The specialized housing maintains the physical security of the programs inside. The specialized input, output and power supply maintain the electronic security over the programs loaded into the ICM by the fact that the programs themselves do not load into a host computer where they could be compromised, but rather are operated upon by the CPU located within the ICM housing. Program control, and thus all information transfer from the ICM to the host and back, are always under the strict control of the CPU and the pre-loaded program within the ICM. Therefore, only data authorized by the ICM program for transmittal will actually be transferred. Such data is transferred to and from the host computer via one of the interface units.
Typically, such data would then be routed by an operating system type program to, or from, any of the peripherals available to the host computer, such as mass data storage devices, CRT video displays, keyboards, printers, etc. Therefore the program inside the ICM can access all of the needed peripherals while maintaining the security of the program pre-loaded into the ICM. Therefore a separation of function is provided in the present invention. Applications programs are loaded into and operated in the ICM rather than the host, and the host computer is used to operate the usual peripherals. Thus separating the applications program into a separate housing with its separate CPU has provided the opportunity for the secure control of the program that did not exist in the prior art.
Typically, the programs requiring security would be loaded into the ICMs at the time of manufacture, or ICMs manufactured with a minimum, security-controlling program operating system would be provided to the software vendor. The software vendor would load in the software needing security, and in turn, the ICM would be sold to the end user who would be able to use, but not copy, any of the software.
In order for a host computer to use any number of secure programs, the ICM is constructed inside a portable, conveniently sized housing. When another secure program is to be run, one merely removes the ICM from the interface unit, replacing it with another...much the same way one would remove a video game cartridge and replace it with another.
The specialized housing is an integral part of the security arrangement of the ICM system, since the housing is completely sealed, with the programs sealed inside making it difficult to mechanically access the secure programs, while the ICM's electrical arrangement maintains the electronic security.
Further security is provided by the specialized input and output arrangement, as it relates to the housing. Input, and output sensors and emitters, along with the power supply receptors are sealed into the surface of the housing. By sealing in the input and output arrangement, which is completely controlled by the CPU and its program inside, the housing prevents someone from connecting in a secondary input and output, such as a direct memory access, that could be used to override the other security measures.
The connectorless method chosen for communications and power transfer between the Interface Unit (which is connected to the host computer) and the ICM can be inductive, capacitive, optical or radio frequency emitters, sensors, and receptors. These methods provide the needed data communications and power supply to the ICM while eliminating the need for plugs or connectors, and allowing for remote access to the ICM, as they can be sealed into the surface of the housing, and in many cases just under the surface of the housing, and still function properly.
For example: If induction is chosen for a particular application, an inductor comprising the primary of a transformer can be mounted in the Interface Unit, and the secondary of the transformer can be mounted in the ICM. If capacitance is chosen, the metal surface of one side of a capacitor can be mounted in the Interface Unit, and the other surface of the capacitor mounted in the ICM. If optical energy transfer is selected, light emitting diodes (LEDs), phototransistors, and photovoltaics can be used in the ICM and Interface Units. If Radio Frequency is chosen, then RF receivers and transmitters, simple or sophisticated, can be used to supply the needed communications and power supply.
Inside the ICM, communications signals to and from the emitters and sensors mounted in the housing are provided to the CPU, while energy from the power-supplying receptor is then rectified (if needed), filtered, and supplied to all powered components including a rechargeable battery. Thus the ICM can continue to operate without the need for a plug or direct connection, is easily removable from the Interface Unit, and will continue to operate for a time after removal from the input power source, so that the ICM can be used to transfer authorized data from one host computer to another.
The Interface Unit need only have a matching set of emitters and sensors, conventional signal matching electronics (if needed) and a direct connection to the host computer and power source (often from the host computer itself).
A secondary benefit is derived by so sealing into the housing the input, output, and power supply sensors, emitters and receptors. An environmental seal is maintained, while permitting the communications and energy transference required to operate the internal components. The housing is provided with conventional metallic RF shielding, either on its surface or below the surface, and the materials selected for the housing are chosen to operate within an expected hostile environment. For example, an underwater ICM could be completely encapsulated in plastic with the sensors, emitters and receptors encased at or near the surface. While the usefulness of an underwater ICM may not at first seem apparent, the ICM is also immune to coffee, soda pop and other office hazards. Additionally, the ICM could be used in very highly humid environments where the danger of exposure to electronics-damaging items would be a potential possibility, such as when computers are in use in submarines, or on board ship.
Another secondary benefit of this communications and power supply arrangement is that the ICM can be inserted and removed from its Interface Unit without causing the arcing that would occur if conventional plugs were in use. This feature makes the use of the ICM especially attractive in potentially explosive environments such as certain industrial environments, in or near equipment used to transfer fuels, or in enriched oxygen environments such as would be common in space stations.
The availability of an additional processor to a host computer, or the availability of a multiple group of ICMs operating from a single host computer, provides the opportunity for parallel processing. Or a user may wish to operate a program using the type of processor that is available within the ICM, but is not available in the host computer. In either case, such user programs can be loaded into the ICM and operated by the current user, but such programs must be prevented from accessing any previously loaded program. Also, occasions may arise whereby the ICM is to be loaded with several secure programs from several users while allowing each user to use each program, but preventing each user from copying any of the previously-loaded programs. Therefore the ICM is fitted with a specialized memory division switching arrangement.
In the internal operation of the ICM, the Central Processing Unit (CPU), program-filled Read Only Memory (ROM), Random Access Memory (RAM), and the specialized input and output, and power supply sections inside the ICM constitute a complete computer that can operate programs loaded into memory in the standard fashion. All of this memory is divided into sections and division switched by a specialized division switching arrangement that prevents the programs in one division from accessing the programs in any other division. One section of memory is designated as a Common Area and is memory mapped so that it is available to all divisions. The division switched sections of memory are divided into two types, the Executive Division (EXEC) and the Selected Divisions. The Executive Division has complete control and access to all other areas for security and controlling transfer of data between Divisions. The Selected memory Divisions are provided for user programs, and are restricted so that user programs within a Selected Division cannot copy directly any data from any other Division (except the Common data storage Area).
A division switching apparatus is provided that causes the Executive Division to be operative after a reset of the CPU. The division switching apparatus is connected to the control bus so that commands taken from the Executive Division can cause both reads and writes of data in any memory division, while fetching its instructions from the Executive Division only. Also a means is provided for transferring program control to any of the other divisions either directly, or with an accompanying maskable or non-maskable interrupt.
The Selected Divisions, on the other hand, have the capability of fetching, reading and writing to their own division, and the Common Area only. Transfer of program control to any other division is always accompanied by a non-maskable interrupt (NMI), which causes a hardware interrupt, and program control to a designated place in the newly-switched-on memory. (Or if a maskable interrupt is used, the division switching is prevented unless an interrupt acknowledge signal is received from the CPU indicating that an interrupt is actually in progress, thus preventing the execution of a division switch without an accompanying interrupt.) These designated entry points are programmed to be operating system entry points, so that information exchange between the divisions is always controllable. This method even allows the loading of any outside program while maintaining the security of the programs in the other memory divisions. By using the NMI, no program (except the executive program contained within its own division) could seek to find normal data transfer routines in a different target division and corrupt these through adjustments in CPU register values in an attempt to move private data into the Common Area by entering the target program at non-standard points looking for normal data movement routines.
The result is that the individual programs loaded into each of the Selected Divisions can be loaded directly into Programmable Read Only Memories (PROMs), Erasable Read Only Memories (EPROMs), or even RAM, but are still unable to copy any information from any of the other divisions, but any needed data can be provided by the program in the Executive bank. The host computer may, at the discretion of the program in the ICM Executive, load programs into the ICM for operation, in any of the Selected Divisions. The host may receive input and output from those programs. However, the Executive program can effectively prevent any outside loaded program from copying any data that the Executive does not permit, even though each of the programs may have direct access to the ICM input and output to the host. Permanently stored programs can thus be accessed and used at any time by inserting the ICM into an Interface Unit, or accessing it with a Remote Interface Unit. The ICM can accept outside programs, even temporary ones loaded into the ICM RAM, without compromising the previously stored programs.
Individual memory divisions are selected, usually by means of a decoder, or a ROM used as a decoder and signal director, on the basis of four input codes. The first code is the Division Selection code which is loaded into a code storage device upon command from the CPU. The second code is the Mode Select code, also loaded into a code storage device upon command from the CPU. The third is the Address Bus, for memory mapping the Common Data Area. The fourth is the Control Bus.
By selecting the individual memory divisions based on all four codes, both the security arrangement that results from Mode and Selected Division codes, and the ability to more rapidly copy data from one division to another by the Executive program is produced. The security arrangement is, in part, functional because the Executive Division is switched on by a selection of a mode rather than the selection of a Selected Division (which is the prior art way). Since the Executive Division is part of the mode selection, any other memory may be accessed by the Executive Division simply by changing the Selected Division code.
The selection of a mode that causes command fetches to come from the Executive Division, and reads and writes to be operative on other divisions allows the Executive program to use fewer CPU commands to move data from one division to another, by using a standard move routine as would be used within a single division, but causing the reads to come from one division and the writes to another. This feature is especially useful when the Executive program is working as an operating system to shuttle information back and forth between an applications program and the host computer.
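The four-code decode and the FB gating described above can be modeled in a few lines; the following Python sketch is an added illustration, not part of the patent. Mode numbers other than mode 0, the Common Data address window, the NMI entry address, and the rule that the Division Select Latch loads only while FB shows EXEC in control are assumptions made for the model.

```python
"""Toy model of the ICM division-switching logic (ROM1 gating, ROM2 decode).

Constructed for illustration. Only "mode 0 = EXEC has program control" comes
from the text; every other constant below is an assumption.
"""
from dataclasses import dataclass

EXEC, COM = "EXEC", "Com"

MODE_EXEC = 0        # from the text: EXEC has program control (state after RESET)
MODE_EXEC_XFER = 1   # assumed: fetch from EXEC, read/write hit the latched division
MODE_SELECTED = 2    # assumed: the latched Selected Division has program control

COM_WINDOW = range(0xF000, 0x10000)  # assumed memory-mapped Common Data window
NMI_ENTRY = 0x0066                   # assumed fixed entry point forced by an NMI


@dataclass
class DivisionSwitch:
    mode: int = MODE_EXEC   # Mode Select Latch
    division: int = 1       # Division Select Latch (Mem 1 .. Mem n)
    nmi_count: int = 0

    def reset(self):
        """RESET clears the Mode Select Latch, so EXEC gets initial control."""
        self.mode = MODE_EXEC

    @property
    def fb(self):
        """Feedback line FB: true while the EXEC Division has program control."""
        return self.mode in (MODE_EXEC, MODE_EXEC_XFER)

    def load_mode(self, new_mode, with_nmi=False):
        """ROM1 gating. Returns (strobed, forced_pc); forced_pc is set on NMI."""
        # With a Selected Division in control, the only command ROM1 strobes
        # is "load mode 0 while causing an NMI".
        if not self.fb and not (new_mode == MODE_EXEC and with_nmi):
            return (False, None)
        self.mode = new_mode
        if with_nmi:
            self.nmi_count += 1
            return (True, NMI_ENTRY)
        return (True, None)

    def select_division(self, n):
        """Division Select Latch load (assumed to be strobed only under FB)."""
        if not self.fb:
            return False
        self.division = n
        return True

    def decode(self, cycle, address):
        """ROM2 decode: which memory division answers this bus cycle."""
        if cycle not in ("fetch", "read", "write"):
            raise ValueError(f"unknown bus cycle: {cycle}")
        if address in COM_WINDOW:
            return COM                      # Common Area is visible in every mode
        mem = f"Mem {self.division}"
        if self.mode == MODE_SELECTED:
            return mem                      # own division only
        if self.mode == MODE_EXEC_XFER and cycle != "fetch":
            return mem                      # EXEC code operating on another division
        return EXEC


def probe_from_selected_division():
    """A program running in Mem 2 tries each route to another division."""
    sw = DivisionSwitch()
    sw.reset()
    sw.select_division(2)
    sw.load_mode(MODE_SELECTED)             # EXEC hands control to Mem 2
    results = {
        "retarget_latch": sw.select_division(1),
        "enter_xfer_mode": sw.load_mode(MODE_EXEC_XFER)[0],
        "mode0_without_nmi": sw.load_mode(MODE_EXEC)[0],
        "read_routed_to": sw.decode("read", 0x2000),
        "common_routed_to": sw.decode("write", 0xF010),
    }
    results["mode0_with_nmi"] = sw.load_mode(MODE_EXEC, with_nmi=True)
    results["fetch_after_nmi"] = sw.decode("fetch", NMI_ENTRY)
    return results


def exec_copy_routes():
    """EXEC copies from Mem 1 into the Common Area with one ordinary move loop."""
    sw = DivisionSwitch()
    sw.reset()
    sw.select_division(1)
    sw.load_mode(MODE_EXEC_XFER)
    return [sw.decode("fetch", 0x0100),
            sw.decode("read", 0x2000),
            sw.decode("write", 0xF010)]


if __name__ == "__main__":
    for name, value in probe_from_selected_division().items():
        print(f"{name:18} -> {value}")
    print("EXEC copy routes   ->", exec_copy_routes())
```

In the model, every refused command leaves both latches unchanged, so the only exit from a Selected Division is the NMI-forced entry point inside EXEC.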
The ICM housing is also fitted with a physical damage security system consisting of a damage sensor made of a maze of wires located just under the surface of the housing. Attached to these wires is a method for measuring the wire's resistance, which, in turn, is connected to the CPU. Also connected to the CPU is a self-destruct mechanism, of any convenient kind, that is capable of destroying the memory sections of the ICM. In the event that someone should try to either cut into the ICM, and thus through the wires, or try to defeat this security mechanism by shorting it out, the CPU would sense the change in resistance, and would then activate the self-destruct mechanism.
Interface Unit: The ICM is interfaced with a host computer or other electronic device through a specialized Interface Unit. This unit also has a specialized housing that is completely sealed to prevent damage to the components from a hostile environment. It is provided with a port, or other device for holding the ICM so that its sensors, emitters and receptors are adjacent to corresponding emitters and sensors in the Interface Unit. The Interface Unit is fitted with a cable or similar wiring for connecting it directly to a host computer. Room is provided in the housing for any interfacing circuitry needed to operate the sensors and emitters, and connect them properly to the host.
A specialized Modular Interface Unit (MIU) is provided. The MIU has all of the features of a generic Interface Unit, but is also fitted with two connectors, front and back, so that a number of interface units may be connected together to be operated by a single host computer.
A Remote Interface Unit (RIU) is also provided. The ICM can also be interfaced with a host computer through a specialized interface unit that can operate over a longer distance than would be usual with the generic or modular interface units. The RIU has emitters and sensors selected for the range and type of communications and power to be supplied. For example, the RIU may have infrared LEDs and phototransistors for communicating with the ICM, or several ICMs at a time, from across the room, whereas modulated lasers and focusing collectors may be required to communicate with an ICM at a considerable distance or in a different hostile environment such as under the sea. The types needed for a particular task are simply chosen and installed during manufacture. The RIU housing may also be sealed for operation in a hostile environment, and is fitted with cables and interfacing electronics just as any of the Interface Units would be. Remote interfacing of the ICMs with a host computer allows for the multiple access of many ICMs by the same Remote Interface Unit, while allowing ICMs made for use in one hostile environment to be accessed by a RIU and host in a different environment. This remote capability also allows several users with separate hosts and RIUs to use common ICMs while still maintaining security of the programs.
The versatility of the ICM System makes it a safer, applications-program-running, processor-independent, remotely-accessible, parallel-processing, hostile-environment-proof, completely-secure, all-electronic replacement for the conventional floppy disk.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1. An exterior exploded perspective view of the Independent Computer Module (ICM) and a generic Interface Unit showing the relationships of inputs and outputs.
Figure 2. A cross section view of a Modular Interface Unit (MIU) with an ICM inserted, and showing the positions of additional MIUs if used.
Figure 3. A perspective view of an ICM being accessed by a Remote Interface Unit (RIU).
Figure 4. A detailed block diagram of an ICM and an Interface Unit, showing the memory division switching method, the specialized input, output and energy supply method, along with the mechanical access security system.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT
Figure 1 depicts an exploded perspective of the ICM being inserted into a generic INTERFACE UNIT. The ICM is contained in its specialized housing that is completely sealed using materials selected for protection in the particular environment in which it is intended to be used. For example, to make the ICM useable underwater, it could be completely encapsulated in plastic.
In operation, the ICM is inserted into the INTERFACE UNIT for connecting the ICM to a host computer through wire H. Input power and data communications are accomplished through a connectorless energy and data transfer arrangement using sensors, emitters, and receptors I1, I, O1, O, P1, and P. The ICM is held in place by the INTERFACE UNIT, so that the respective emitters are held adjacent to their counterpart sensors etc.
Input power to the ICM for recharging its batteries is provided from the host through an emitter, P1, which transfers energy to receptor, P. Data communications is provided through an input and an output set of emitter/sensor pairs I1 and I for the input to the ICM, along with O1 and O for the output. A sufficient number of emitter/sensor sets is provided to accommodate all the data and handshaking signals of a standard serial or parallel data port. The type of emitter/sensor pair is selected to match the type of energy transfer needed for a particular application with one of each pair in the INTERFACE UNIT and the other in the ICM.
For example: for connectorless induction data and energy transfer, the primary portion of a split transformer (manufactured in two mechanically separate sections) would be located in one unit and the secondary portion in the other. For capacitive connectorless energy and data transfer, one capacitive surface of a split capacitor (also manufactured in two mechanically separate sections) would be located in one unit and the matching capacitive surface in the other. For optical connectorless energy transfer a light source would be provided in the INTERFACE UNIT for power, and photovoltaic cells in the ICM, while data transfer could be by light emitting diodes (LEDs) and phototransistors. For radio frequency energy and data transfer the emitter would be a radio transmitter, and the sensor or receptor would be a radio receiver.
These emitters, sensors and receptors are sealed into the surface, or just under the surface of the ICM housing so they can operate normally while maintaining the hazardous environment protection. The INTERFACE UNIT, likewise can be sealed with the sensors and emitters sealed into the interior surface of the Interface Unit housing.
Figure 2 depicts a cross section of a Modular Interface Unit, MIU, having a port, PORT, for holding the ICM so that its emitters, sensors and receptor are held adjacent to a matching set of emitters and sensors (P1 near P, 11 near I, and 01 near 0) for supplying power and communications to the ICM Just as describe for Fig. 1.
The Modular Interface Unit has the additional feature of connectors C1 on one side and C2 of the other side. These connectors allow the addition of more Modular Interface Units MIU1 and MIU2 (dotted lines) so that a number of ICMs can be operated by a single host computer. Wire and connector H is the connecting wires to the host computer that must come from at least one of the MIUs. A seal, S, is provided to prevent damage to the connectors C1 and C2 from a hostile environment. Standard interface electronics, IE, mounted on a conventional printed circuit board, is provided to connect the emitters and sensors to the host.
Figure 3 depicts an ICM being accessed and operated through a Remote Interface Unit, RIU. The RIU has input (to the ICM) emitters 11 and output (from the ICM) sensors 01.
Power output (to the ICM) emitter P1 along with the connecting wires to the host. Just as described in Fig. 1. Emitters and sensors in the RIU are positioned so as to be directed toward the ICM The RIU housing is also tightly sealed and made of selected materials so that it may be used in a hostile environment, possibly a different environment from the environment that the ICM is operating in.
AH of the Interface Units function exactly alike; they serve to provide an connectorless interface between a host and one or more ICMs. The different types are provided to give greater versatility to the operation of the basic ICM System.
Figure 4 is a block diagram of a typical ICM and an Interface Unit.
Energy is supplied from the host computer through wires, H, and standard interface electronics IE1, through the power emitters P1 of the Interface Unit (any of the types) to the power receptors P in the ICM.
Sensors and emitters are fitted with a hazardous-environment-safe energy conductor, EC. EC is a material selected to provide hazardous environment protection to the component while permitting the energy form in use for power and data transfer to pass through. For example, clear plastic or fiber optics would be provided to pass light from an emitter to the surface of one unit, then from the surface of the other unit to the sensor inside, if the emitters and sensors are optical. Or a thin plastic cover could be provided to pass energy using induction, capacitive, or radio transfer, depending on the expected hazardous environment to be encountered.
ICM input power from P is rectified (if needed) and filtered in the power supply section PWR, and then distributed to all powered components in the ICM (labeled TO ALL) plus the rechargeable battery B.
Data input and output from the host computer is supplied through wires, H, and standard interfacing electronics IE2 to the emitters and sensors I1 and O1 of the Interface Unit to the matching emitters and sensors I and O in the ICM. These are in turn connected through a standard input/output interface, I/O, to the CPU.
This arrangement of emitters, sensors, and receptors provides connectorless communications and power supply between the host and the ICM.
Output (or memory mapped) mode, memory division selection, and switching commands are decoded by Read Only Memory ROM1 (or a similar arrangement of AND and OR functions) with outputs to strobe each of the components individually or simultaneously as needed to carry out each command. Non-Executive Division Select Latch and Mode Select Latch store the division selection and mode codes output from the CPU upon receiving a strobe from ROM1. ROM2 decodes the address, control, mode, and division select signals to provide the instantaneous division selection required among the memory divisions designated as: The Executive Division, EXEC; the Common Data Division, Com; and individually Selected Divisions Mem 1 through Mem n.
ROM1 also has an input feedback line, FB, taken from the output of the Mode Select Latch. This line is on or off depending on whether the Executive memory division is currently in program control or not. This line determines the modes that will be permitted to be loaded depending upon the memory division which has program control. It is this line, together with the fact that the EXEC Division is not selected as one of the Selected Divisions but rather its selection is one of the Modes, that gives the ICM the ability to provide a secure operating system in the EXEC Division while preventing programs in the other divisions from instituting modes that would allow unauthorized data copying.
ROM1 also has an output to the CPU non-maskable interrupt, NMI. When FB indicates that a Selected Division has program control, all division switching commands provide a simultaneous NMI. This is also an important part of the security arrangement, because this line prevents a search program from switching program control to a target division while entering at various places in the target program (as could occur in a conventional bank switching arrangement) in an effort to discover a routine that could be misused to provide unauthorized data. The NMI causes program control to begin at a set address in the target division; if programmed as a special program, or operating system entry point, the target program will be able to prevent an attempted corruption of any of its routines by initializing the CPU registers, as it needs, to protect its data movement routines.
ROM1 is also programmed to allow the simultaneous loading of a mode 0 while causing an NMI. This command is permitted whenever FB indicates that the Selected Divisions have program control. This command is used to switch to the Executive program whenever operating system type functions are desired. By choosing the best fetch/read/write functions to take place within a given CPU command sequence for mode 0, the most rapid transfer of data can be accomplished by the Executive program.
ROM1 also has an output connected to the CPU maskable interrupt, INTR. This line is operative only when the EXEC Division has program control, as indicated by line FB. Maskable interrupts (depending upon the CPU chosen) often have a software programmable interrupt entry point. If available, this would make the Executive program much more versatile. Otherwise, the Executive program can select the program control beginning address in a Selected Division by simply changing modes from a position in the Common Data Division, and jumping to the desired starting point. Selected divisions would be prohibited from doing this by FB, ROM1 and the NMI.
The Mode Select Latch is CLEARed by the RESET signal from the CPU, and the EXEC Division is designated by ROM1 as having program control in mode 0. Therefore, upon receiving a reset signal, mode 0 is selected, so the EXEC Division has initial program control.
ROM2 decodes the four major codes, the Division Select code, the Mode Select code, the ADDRESS BUS code, and the CONTROL BUS code, to provide the selection of memory divisions that produces the following fetching, reading and writing sequences based on the following modes:
0 Fetch from EXEC - Read and Write to Selected Division
1 Fetch and Read from EXEC - Write to Selected Division
2 Fetch from and Write to EXEC - Read from Selected Division
3 Fetch & Read from, Write to EXEC
4 Fetch & Read from, Write to Selected Division
Also: the Common memory Com is memory mapped by ROM2 into an address space accessible from all memories, while other required memory operational signals will also be timed and provided properly, such as refresh for dynamic RAMs.
ROM1 is specially programmed to provide the following command decoding and control functions:
When FB indicates that the EXEC Division is NOT in use:
1. Load 0 into Mode Select Latch, and produce an NMI.
2. Load Division Select Latch, Load code for mode 4 into Mode Select Latch and cause an NMI.
When FB indicates that the EXEC Division IS in use:
1. Load Division Select Latch
2. Load Mode Select Latch.
3. Load Mode Select Latch, and cause a Maskable Interrupt, INTR
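The ROM2 mode table and the FB-gated ROM1 command decoding described above can be modelled in software. The following is an added example, not circuitry or code from the patent: the command names, the `NMI_VECTOR` value and the choice to reject commands outside the listed set are assumptions of the model, and it follows the command list in the description rather than the longer list in the claims.

```c
#include <stdbool.h>
#include <stdio.h>

/* ROM2 routing per mode, as listed in the description (modes 0-4). */
enum target { EXEC, SEL };
struct route { enum target fetch, read, write; };
static const struct route ROM2[5] = {
    { EXEC, SEL,  SEL  },   /* 0: fetch EXEC; read and write Selected   */
    { EXEC, EXEC, SEL  },   /* 1: fetch and read EXEC; write Selected   */
    { EXEC, SEL,  EXEC },   /* 2: fetch and write EXEC; read Selected   */
    { EXEC, EXEC, EXEC },   /* 3: everything in EXEC                    */
    { SEL,  SEL,  SEL  },   /* 4: everything in the Selected Division   */
};

#define NMI_VECTOR 0x0100u  /* constructed placeholder for the fixed entry address */

struct icm { int mode; int division; unsigned pc; };
enum cmd { LOAD_DIV, LOAD_MODE, LOAD_MODE_INTR,   /* listed for EXEC in control     */
           ENTER_EXEC, SWITCH_DIV };              /* listed for EXEC not in control */
enum effect { REJECTED, LOADED, LOADED_INTR, LOADED_NMI };

/* FB line: on when the current mode fetches instructions from EXEC. */
static bool fb(const struct icm *m) { return ROM2[m->mode].fetch == EXEC; }

/* RESET clears the Mode Select Latch, so EXEC starts in control (mode 0). */
static void icm_reset(struct icm *m) { m->mode = 0; m->division = 0; m->pc = 0; }

/* ROM1 decode: latch loads and interrupts a command produces, gated by FB.
 * Rejecting commands outside the listed set is an assumption of this model. */
static enum effect rom1_decode(struct icm *m, enum cmd c, int arg) {
    if (fb(m)) {                                   /* EXEC has program control */
        if (c == LOAD_DIV) { m->division = arg; return LOADED; }
        if ((c == LOAD_MODE || c == LOAD_MODE_INTR) && arg >= 0 && arg <= 4) {
            m->mode = arg;
            return c == LOAD_MODE ? LOADED : LOADED_INTR;
        }
        return REJECTED;
    }
    if (c == ENTER_EXEC) { m->mode = 0; m->pc = NMI_VECTOR; return LOADED_NMI; }
    if (c == SWITCH_DIV) {                         /* division change forces NMI */
        m->division = arg; m->mode = 4; m->pc = NMI_VECTOR; return LOADED_NMI;
    }
    return REJECTED;                               /* no plain latch loads here  */
}

int main(void) {
    struct icm m; icm_reset(&m);
    rom1_decode(&m, LOAD_DIV, 1);                  /* EXEC selects division 1    */
    rom1_decode(&m, LOAD_MODE, 4);                 /* and hands it control       */
    m.pc = 0x1234;                                 /* division 1 code is running */
    enum effect plain = rom1_decode(&m, LOAD_DIV, 2);
    enum effect forced = rom1_decode(&m, SWITCH_DIV, 2);
    printf("plain LOAD_DIV: %d, SWITCH_DIV: %d, pc=0x%04x\n", plain, forced, m.pc);
    return 0;
}
```

Once a Selected Division has control, the only way the model lets it change division or mode is a command that also resets the program counter to the fixed entry address, which is the property the description relies on to stop entry at arbitrary points in a target program.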
A physical entry security system is also provided. A maze of wires (labeled MAZE) is located just under the surface of the entire ICM housing. These wires are connected to a resistance detector, DET., which, in turn, is connected as an input to the CPU. DEST. is a self destruct mechanism located so as to be able to destroy the memory divisions if activated by the output from the CPU. If a cut is made in the housing, or if someone attempts to defeat this security device by shorting out the wires, the resistance detector will indicate the change in resistance to the CPU, which can then activate the self destruct mechanism to prevent the information stored in them from being accessed.
Claims
1. Fetch from Executive Division; read from and write to Selected Division.
2. Fetch and read from Executive Division; write to Selected Division.
3. Fetch from and write to Executive Division; read from Selected Division.
4. Fetch and read from, and write to Executive Division.
5. Fetch and read from, and write to Selected Division.
Said program controlled output signals having the following command functions operable ONLY when said mode select information indicates that said Executive Division is in program control, in that fetch instructions, as determined by the current mode, would be directed to said Executive Division:
1. Load Selected Division storage means.
2. Load Mode Select storage means.
3. Load Mode Select storage means, and cause an interrupt to said Central Processor such that program control begins at a pre-determined address.
Said program controlled output signals having the following command functions operable when said Executive Division is NOT in program control, that is, when fetch instructions, as determined by the current mode, would not be directed to said Executive Division:
1. Load Selected Division storage means, and cause a non-maskable interrupt and a change in program control to a predetermined, hard wired, program address.
2. Load Mode Select storage means with an Executive Division fetch mode code, and cause a non-maskable interrupt and a change in program control to a predetermined, hard wired, program address.
3. Cause a maskable interrupt and thus a change in program control to a predetermined, hard wired, program address. Then load Mode Select storage means with an Executive Division fetch mode code only upon the receipt of an interrupt acknowledge signal from said Central Processor.
4. Cause a maskable interrupt and thus a change in program control to a predetermined, hard wired, program address. Then load said Selected Division storage means only upon the receipt of an interrupt acknowledge signal from said Central Processor.
Said memory division switching means is an improvement in that programs in said Selected Division memories are secure from each other because program control cannot transfer from one Selected Division to another without causing a simultaneous change in program control address to a hard wired address in the newly-switched-in memory division, thus no program in any of the memory divisions can copy information from any other memory division. However the program located in said Executive Division can control the movement of data to and from all memory divisions.
Said memory division switching means is an improvement in that user programs may be loaded into said ICM and executed with different programs in separate divisions, even from different users, while maintaining the security of each program both within said ICM and between each division.
Said memory division switching means is an improvement in that it establishes a parallel memory arrangement whereby programs within said Executive Division may read and write data anywhere in a Selected Division even if the position in said Selected Division has the same address as is occupied by the program in said Executive Division. Thus data may be transferred much more rapidly to and from two separate divisions by means of single program commands to said Central Processor without the need for switching divisions back and forth with division switching commands but just as if the transfer were taking place within a single division.
CLAIM 18: An ICM as described in Claim 17 having a separate memory division designated as the "Common Data Area". Said Common Data Area is memory mapped such that it is automatically addressable as a part of all divisions. Said memory map is arranged such that said interrupt, hard wired, program entry points are not a part of said Common Data Area.
The addition of said Common Data Area is an improvement in that all programs in each of said Selected Divisions can access said Common Data Area, however security between said Selected Divisions is maintained because any switching from one Selected Division to another is always accompanied by an interrupt and a change in program control to a predetermined location in the newly-switched-in division, thus all program control is maintained within any target program which can thus control all information transfer, while providing a rapid means of transferring authorized data from one Selected Division to another.
CLAIM 19: An ICM as described in Claim 18 having a means for programming those memory divisions constructed with Programmable Read Only Memories, and other non-volatile memory divisions. This is an improvement in that power may be removed from said ICM for a considerable time while maintaining user programs and the security of said programs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1019900700314A KR900702457A (en) | 1988-06-14 | 1989-06-02 | Independent Computer Module System |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US20600188A | 1988-06-14 | 1988-06-14 | |
US206,001 | 1988-06-14 | ||
CA000602434A CA1340351C (en) | 1988-06-14 | 1989-06-12 | Independent computer module system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1989012864A1 (en) | 1989-12-28 |
Family
ID=25672802
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1989/002360 WO1989012864A1 (en) | 1988-06-14 | 1989-06-02 | Independent computer module system |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP0382811A1 (en) |
AU (1) | AU3840689A (en) |
CA (1) | CA1340351C (en) |
WO (1) | WO1989012864A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002027646A1 (en) * | 2000-09-27 | 2002-04-04 | Omnikey Ag | Electronic module comprising a connector coupled to a superordinate arithmetic unit |
WO2023140826A1 (en) * | 2022-01-20 | 2023-07-27 | Игорь Николаевич СИДОРЕНКО | Device and methods for protecting computer systems against unauthorized access |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4328542A (en) * | 1979-11-07 | 1982-05-04 | The Boeing Company | Secure implementation of transition machine computer |
US4521853A (en) * | 1982-06-30 | 1985-06-04 | Texas Instruments Incorporated | Secure microprocessor/microcomputer with secured memory |
US4652990A (en) * | 1983-10-27 | 1987-03-24 | Remote Systems, Inc. | Protected software access control apparatus and method |
-
1989
- 1989-06-02 WO PCT/US1989/002360 patent/WO1989012864A1/en not_active Application Discontinuation
- 1989-06-02 AU AU38406/89A patent/AU3840689A/en not_active Abandoned
- 1989-06-02 EP EP89907474A patent/EP0382811A1/en not_active Withdrawn
- 1989-06-12 CA CA000602434A patent/CA1340351C/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
EP0382811A1 (en) | 1990-08-22 |
CA1340351C (en) | 1999-01-26 |
AU3840689A (en) | 1990-01-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AU JP KR SU |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE CH DE FR GB IT LU NL SE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1989907474 Country of ref document: EP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 1989907474 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 1989907474 Country of ref document: EP |