(12) United States Patent
Corthell

(10) Patent No.: US 6,192,477 B1
(45) Date of Patent: Feb. 20, 2001

(54) METHODS, SOFTWARE, AND APPARATUS FOR SECURE COMMUNICATION OVER A COMPUTER NETWORK

(75) Inventor: [first name illegible] Corthell, San Francisco, CA
(73) Assignee: Dagg LLC, Lake Oswego, OR (US)
(*) Notice: Under 35 U.S.C. 154(b), the term of this patent shall be extended for 0 days.
(21) Appl. No.: 09/243,097
(22) Filed: Feb. 2, 1999
(51) Int. Cl.: G06F 11/00
(52) U.S. Cl.: 713/201; 380/49
(58) Field of Search: 713/201, 200, 202; 380/4, 23, 25, 30, 42, 49; 340/825.31, 825.34

(56) References Cited

U.S. PATENT DOCUMENTS
3,936,601 * 2/1976 Obeginski ........ 178/22
4,672,572 * 6/1987 Alsberg ........ [class illegible]
[number illegible] ...athrick et al. ........ [class illegible]
[?],126,728 * 6/1992 Hall ........ 340/825.3
5,204,903 * 4/1993 Okada et al. ........ 380/46
5,311,593 * 5/1994 Carmi ........ 380/23
5,428,745 * 6/1995 De Breijn et al. ........ 395/200
5,561,770 * 10/1996 De Bruijn et al. ........ 395/200.06
5,594,796 * 1/1997 Grube et al. ........ 380/25
5,619,671 4/1997 Bryant et al. ........ 395/412
5,623,601 4/1997 Vu ........ 395/187.01
5,628,023 5/1997 Bryant et al. ........ 395/800
5,864,683 1/1999 Boebert et al. ........ 395/200.79
5,892,903 4/1999 Klaus ........ 395/187.01
5,961,645 10/1999 Baker ........ 713/201
5,991,402 11/1999 Jia et al. ........ 380/9
6,028,937 * 2/2000 Tatebayashi et al. ........ 380/25
* cited by examiner

Primary Examiner—Nadeem Iqbal
(74) Attorney, Agent, or Firm—David P. Lentini

(57) ABSTRACT

A method for performing secure communication between a first user's computer and a second remote computer over a computer network is described. According to one embodiment of this aspect, the data space of the first computer is partitioned into a first secure portion and a second network interface portion. Communication is established between the first and second computer, and redirection and filter mechanisms are initialized. An instruction is received by the first computer, analyzed by the redirection mechanism, and passed to the filter if the instruction is a protected instruction. The protected instruction is verified by the filter and processed if the verification is successful.

33 Claims, 8 Drawing Sheets
[Front-page figure (reproduction of FIG. 2): data space 200/202 of the computer divided into a Protected Partition and a Primary Partition 204 by dashed separator 208. Labels recovered: O/S 210, Secure Programs, Directory 218, Unsecured Programs 220, Filter 216, Redirector 214, 222, User-Selected Files 224, Communication Interface 226, Network 114.]

Google - Exhibit 1007, page 1

U.S. Patent    Feb. 20, 2001    Sheet 1 of 8    US 6,192,477 B1

[Figure 1 (Sheet 1 of 8): schematic of computer system 100. Labels recovered: Network Interface 112, network 114, Mass Storage.]

[Figure 2 (Sheet 2 of 8): schematic of data space 200 partitioned into Primary Partition 204 and Protected Partition 206, separated by dashed separator 208. Labels recovered: O/S 210, Secure Programs, Filter 216, Redirector 214, Unsecured Programs 220, Copied O/S Files 222, User-Selected Files 224.]

[Figure 3 (Sheet 3 of 8): flowchart of the overall method. Steps recovered: 302 Install Program; 304 Start Program; 306 Connect to Network/Start Session; 308 Redirect/Filter Incoming Instructions; 310 End Session/Disconnect From Network; 312 Compare, Report and Tagging; 314 Restore Original Settings; End.]

[Figure 4 (Sheet 4 of 8): flowchart of step 302. Steps recovered: 402 Partition Drive(s); 404 Partition Volatile Memory; 406 Create "Page File" for Protected Partition; 408 Register Executable Files; 410 Copy Files to Protected Partition.]

[Figure 5 (Sheet 5 of 8): flowchart of step 304. Steps recovered: 502 Initialize Memory and Redirector Using Parameters; Start Filter (step 504 in the description); 506 Read- and Write-Protect All Non-Protected Partitions.]

[Figure 6 (Sheet 6 of 8): flowchart of a first embodiment of step 308. Steps recovered: 602 Establish Connection; 604 Receive System Call; 606 Redirect Call to Filter; 608 Review Call Using Filter; 610 trap decision; 612 Disallow Call/Report; Execute Call (labelled 616 on the sheet; the description calls this step 614).]

[Figure 7 (Sheet 7 of 8): flowchart of a second embodiment of step 308. Steps recovered: 702 Establish Communication; 704 Receive and Redirect System Call Selectively; 706 Validated? (Yes/No); 708 Process Call Using O/S Files On Protected Side; 710 Analyze Call; 712 risk decision; 714 Execute Call; 718 Grant Access? (Yes/No, drawn in dashed boxes); 720 Abort; End.]

[Figure 8 (Sheet 8 of 8): flowchart of one aspect of step 312. Steps recovered: 802 Compare Write-Protected File With Its Active Memory Image; 806 Generate Report; 808 Write File to "Suspect File Directory"; labels 810 and 812 with Delete File From Memory.]

METHODS, SOFTWARE, AND APPARATUS FOR SECURE COMMUNICATION OVER A COMPUTER NETWORK

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer networks, and, more specifically, to providing data security for computers communicating across an unsecured computer network communications link. The present invention has applications in the areas of computer science and computer network security.

2. The Related Art

Computer network traffic has grown exponentially over the past two decades. Once-isolated desktop computers have been joined into large networks of networked computers due, in part, to advances in networking technology such as modem and Ethernet connections that have made the formation of computer networks financially practical. Over the past decade, the reach of computer communications has become global due to the expansion of users on the Internet. This worldwide computer network has provided millions of computer users with access to information and commerce opportunities unparalleled in history.

Access to these resources and opportunities has not come without a price. The rise of computer networks has also spawned new risks for users in the form of information theft and/or sabotage. Such theft and sabotage can be wrought by "hackers": individuals who attempt to gain access to data stored on another's computer system, often for the sheer sport of the activity. Some hackers are more malicious, using software to install computer "viruses" on client computers to alter or destroy data or steal trade secrets. However, even organizations such as governments and businesses also "lift" and/or modify user data when the user connects to apparently "innocuous" servers over the World-Wide Web. For example, a business or government agency could establish an engine to scan surreptitiously the contents of a client computer's drive(s) when that computer logs in to a Web server. The data obtained from the drive could be used for marketing or espionage purposes.

To counter these threats, many local area networks ("LANs") use firewalls to protect computers connected to the local network from the above-described threats. However, firewalls suffer from drawbacks. First, firewall protection is generally designed for computer networks; thus, protection for individual users is not readily available. Second, firewall protection is expensive. Thorough firewall protection often requires the purchase and maintenance of one or more specialized computer systems. Third, firewalls can only protect against known threats. Thus, the firewall software must be reconfigured repeatedly as new threats appear.

For individual users, some protection is available using various software packages that monitor certain actions taken by software running on the computer and/or scan files for known anomalies, such as code patterns that are consistent with a computer virus. As with firewalls, these software packages must be constantly updated to scan for the latest virus code patterns. Also, these packages offer limited protection against more dynamic forms of intrusion, such as snooping and/or copying performed by malicious Web sites.

Thus, there is a need for cheaper, simpler software and methods to protect the integrity of data stored on computers used to communicate over computer networks, especially unregulated networks such as the Internet. More particularly, such software and methods will protect against attacks by viruses as well as attempts to copy or alter information on the user's computer by server computers in communication with the user's computer across a computer network. The present invention meets these and other needs.

SUMMARY OF THE INVENTION

The present invention provides relatively simple methods, software, and systems for maintaining data security on a first computer in communication with another computer (e.g., a server) across an unsecure computer network such as the Internet. The methods, software, and systems described herein can be implemented on individual computers, computers coupled with local- or wide-area networks, and client computers in a client-server environment (e.g., thin clients).

In a first aspect, the present invention provides a method for performing secure communication between a first user's computer and a second remote computer over a computer network. According to one embodiment of this aspect of the invention, the data space of the first computer (i.e., the memory associated with data and instructions stored on the first computer at the time communication between the first and second computer is initiated) is partitioned into a first secure portion and a second network interface portion. Communication is established between the first and second computer, and redirection and filter mechanisms are initialized. An instruction is received by the first computer. The instruction is analyzed by the redirection mechanism, and passed to the filter if the instruction is a protected instruction. The protected instruction is verified by the filter and processed if the verification is successful.

In another embodiment, data and instructions necessary for performing communications over the network are copied from the secure portion to the network interface portion. In a more specific embodiment, the method of the invention includes disconnecting the first and second computers from network communication and comparing the files stored in the secure and network interface portions. In a still more specific embodiment, files that were changed during the communications session between the first and second computers are restored to their original state.

In yet another embodiment, the method of the invention includes passing non-protected instructions to the operating system of the first computer, and notifying the user of the first computer that a received instruction is a protected instruction. The user can then determine whether to execute the instruction. Instructions not verified can be disallowed. In still other embodiments, instructions and/or files stored on the first computer are marked and/or tagged. In an alternative embodiment, instructions and/or files received by the first computer are marked and/or tagged.

In a second aspect, the present invention provides systems for performing secure communication between a first computer containing secure data in a data space and a second remote computer across a computer network. The system of the invention includes, in one embodiment, a first data space partition configured to store data such that the data cannot be modified during the communication between said first and second computers. A second data space partition is configured to store data to enable communication between said first and second computers over the network. A redirection mechanism configured to receive data and instructions from the second computer over said computer network is also provided. The redirection mechanism is configured to determine whether the received data and instructions include instructions to perform protected operations. The redirection mechanism is coupled with a filter mechanism that is configured to receive instructions to perform protected operations from the redirection mechanism and verify those instructions.

In one embodiment of the second aspect of the present invention, the second data space partition includes images of files stored in the first data space partition. In a more specific embodiment, these images include operating system files to enable function of the images of the executable files stored in the second data space partition. In another embodiment, the filter is coupled with the image files and forwards verified instructions to them. In still another embodiment, the operating system of the first computer is stored in the first data portion and non-protected instructions are forwarded to the operating system directly. In yet another embodiment, the filter is configured to abort instructions that are not verified. In still another embodiment, the user can override the filter. In still another embodiment, a comparator is provided to compare files stored in the first data portion with image files stored in the second data portion to determine if the image files have been altered.

In a third aspect, the present invention provides a computer-readable medium having computer-readable program code devices embodied thereon to cause a computer to perform the above-described steps of the method of the invention.

These and other aspects and advantages will become apparent when the Description below is read in conjunction with the accompanying Drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of a computer system suitable for use with the present invention.

FIG. 2 is a schematic representation of the partitioning of a computer's data space into a Primary Partition and a Protected Partition in accordance with one embodiment of the present invention.

FIG. 3 is a flowchart illustrating the operation of one embodiment of a method for protecting data on a computer system in accordance with the present invention.

FIG. 4 is a flowchart illustrating the operation of step 302 in greater detail.

FIG. 5 is a flowchart illustrating the operation of step 304 in greater detail.

FIG. 6 is a flowchart illustrating a first embodiment for the operation of step 308 in greater detail.

FIG. 7 is a flowchart illustrating a second embodiment for the operation of step 308 in greater detail.

FIG. 8 is a flowchart illustrating the operation of one aspect of step 312 in greater detail.

DESCRIPTION OF SOME EMBODIMENTS OF THE INVENTION

The present invention provides methods, systems, and software for protecting networked computers from unauthorized operations directed from a remote computer. The methods, software, and systems described herein can be used on individual computers (e.g., computers that are connected to networks only sporadically) as well as computers connected to local- and wide-area networks continuously. "Wide area networks" as used herein includes computers connected to the Internet, either directly (e.g., using an Internet Service Provider) or via a local area network. Furthermore, the systems, software, and methods described herein can be performed on computers using a client-server model. The present invention further provides for the segregation of data to prevent unauthorized modification of the data. Thus, for at least these reasons, the present invention will be seen to address the deficiencies of current computer protection technologies.

FIG. 1 at 100 shows a typical computer-based system in accordance with the present invention. Shown is a central processing unit 102 (CPU) which is coupled to memory devices including read only memory 104 (ROM) and random access memory 106 (RAM). As is well known in the art, ROM 104 acts to transfer data and instructions unidirectionally to the CPU and RAM 106 is used typically to transfer data and instructions in a bidirectional manner. A mass memory device 108 is also coupled bidirectionally to CPU 102 and provides additional data storage capacity. The mass memory device 108 may be used to store programs, data and the like and may take the form of a magnetic or paper tape reader or some other well known device (e.g., CD-ROM). It will be appreciated that the information retained within the mass memory device 108 may, in appropriate cases, be incorporated in standard fashion as part of RAM 106 in the form of virtual memory. CPU 102 is also coupled to one or more input/output devices 110 (I/O) which include, but are not limited to, devices such as video monitors, trackballs, mice, keyboards, microphones, touch-sensitive displays, transducer card readers, magnetic or paper tape readers, tablets, styluses, voice or handwriting recognizers, or other well-known input devices such as, of course, other computers. Finally, CPU 102 optionally can be coupled to a computer or telecommunications network 114 using a network connection as shown generally at 112. The above-described devices and materials will be familiar to those of skill in the computer hardware and software arts (see, e.g., Ralston, Anthony, and Reilly, Edwin D. 1993. Encyclopedia of Computer Science. Van Nostrand Reinhold; Herzog, James H. 1996. Design and Organization of Computing Structures. Franklin, Beedle & Associates, Inc.; Stone, Harold S. 1983. Microcomputer Interfacing. Addison-Wesley; Martin, James, and Chapman, Kathleen K. 1989. Local Area Networks: Architectures and Implementations. Prentice Hall.)

FIG. 2 at 200 illustrates one example of the partitioning of the data space 202 of computer 100 into Primary and Protected Partitions at 204 and 206 respectively. Data space 202 comprises the data stored in the volatile memory of computer 100. Such memory will include data and instructions stored in RAM 106 and mass storage 108. Communication of data and instructions between Partitions 204 and 206 can be performed as indicated by dashed separator 208 and as described in greater detail hereinbelow. In one embodiment, data can be transferred from Primary Partition 204 to Protected Partition 206, but not vice versa. In an alternative embodiment, data can be transferred between the Partitions, but any transfer of data from Protected Partition 206 to Primary Partition 204 must be approved by the user (such approval can be provided beforehand by choice of one or more operating parameters). Primary Partition 204 includes data and instructions that are to be kept secure or are not used in communication over the network, such as operating system ("O/S") 210 and secure programs 212. Primary Partition 204 further includes a Redirector 214 coupled with a Filter 216, both of which are described in greater detail hereinbelow. The term "partition" will be understood to include any type of memory partition known to those of skill in the computer science arts, including both physical partitions and logical or "virtual" partitions.
Protected Partition 206 includes those files and data necessary for performing network communication and tasks over the network. In one embodiment, these files are "images" of files kept in Primary Partition 204. Examples of such files include, but are not limited to, Directory (or Directories) 218, programs that are used for "unsecure" operations (e.g., browser programs, e-mail programs, news readers and the like) 220, certain O/S files necessary to support operations by the software installed on the Protected Partition 222, various user-selected files 224, and Communication Interface (including drivers, protocol stacks, and the like) 226 which is connected to Network 114.

In one embodiment, Redirector 214 is coupled with Filter 216 and O/S 210 such that data and instructions that are processed by Redirector 214 can be passed to either Filter 216 or O/S 210 as described in greater detail below. Redirector 214 is also coupled with Communications Interface 226 such that data and instructions received by Communications Interface 226 are passed to the Redirector for processing. Similarly, Filter 216 is coupled to O/S 210 and O/S image files 222 so that data and instructions passed from Redirector 214 to Filter 216 can be processed by Filter 216 and forwarded to O/S 210 and/or O/S image files 222, again as described in greater detail below. In some embodiments, Redirector 214 can also be coupled with O/S image files 222 as indicated by the dashed line. It will be appreciated by those having skill in the computer science arts that various other connections among the files in each of the Primary and Protected Partitions will exist (although not between files in the Primary and Protected Partitions). However, these connections are not shown for the sake of clarity.

In another embodiment, the data and instructions contained in the Primary and/or Protected Partitions prior to connection to the network are tagged and/or marked to identify the data and instructions as trusted (since the data and instructions could not have been altered). As used herein, "tagging" refers to the labeling of a file with an identifier using any method known to those of skill in the computer science arts. "Marking" as used herein refers to the application of a bit- or byte-level identifier using any method known to those of skill in the computer science arts. Generally, the tag or mark should be sufficiently unique to avoid easy anticipation by anyone desiring to pass spurious instructions and/or data to the user across the network.

A variety of techniques can be used to accomplish such tagging and/or marking. For example, an encrypted code word can be used. Alternatively, a private/public-key encryption scheme can be used to generate a unique tag or mark. Still other methods of generating suitable tags or marks will be known to those of skill in the computer science and computer security arts. The use of either or both tagging and marking can be made a user option. In one embodiment, the user is provided not only with the option to use tagging and/or marking, but also the types of data and/or instructions to be tagged or marked. Generally, it is anticipated that marking executable instructions is the most efficient option.

In alternative embodiments, data coming from the network to the user's computer can be tagged and/or marked as just described. In such embodiments, the operation of the Redirector and Filter will be altered accordingly to treat untagged or unmarked data and instructions as "trusted", and process tagged or marked data and instructions as "suspect".
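The tagging and marking scheme described above, as an added Python example (not code from the patent): the "encrypted code word" is realised as an HMAC-SHA256 under a key that never leaves the Primary Partition, so a tag cannot be anticipated by anyone sending data across the network without the key. A tag is kept in a side table keyed by file name (so rewriting a file does not rewrite its tag); a mark is the same MAC appended to the instruction bytes themselves. The `classify` function covers both embodiments in the text: the default one, where data marked before the session is trusted, and the alternative one, where data marked on arrival from the network is treated as suspect. The key, the file names and the instruction bytes are constructed for the example.

```python
"""Keyed tagging and marking of files and instructions (added example).

Assumptions, not from the patent: HMAC-SHA256 as the "encrypted code word",
tags stored in a side table, marks appended to the instruction bytes.
"""
import hashlib
import hmac
from typing import Dict, Tuple

MARK_LEN = 32                                        # HMAC-SHA256 digest size
DEMO_KEY = b"constructed demo key - never reuse"     # constructed for the example


def make_tag(key: bytes, data: bytes) -> bytes:
    """Identifier that cannot be anticipated without `key`."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how much of a tag matched."""
    return hmac.compare_digest(make_tag(key, data), tag)


def mark(key: bytes, instruction: bytes) -> bytes:
    """Byte-level mark: the MAC travels with the instruction itself."""
    return instruction + make_tag(key, instruction)


def strip_mark(key: bytes, marked: bytes) -> Tuple[bytes, bool]:
    """Separate instruction and mark; the flag says whether the mark verifies."""
    if len(marked) < MARK_LEN:
        return marked, False
    body, tag = marked[:-MARK_LEN], marked[-MARK_LEN:]
    return body, verify_tag(key, body, tag)


class TagTable:
    """Tags for files registered before the session (step 408), kept apart
    from the files so that altering a file cannot also alter its tag."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tags: Dict[str, bytes] = {}

    def register(self, name: str, content: bytes) -> None:
        self._tags[name] = make_tag(self._key, content)

    def is_trusted(self, name: str, content: bytes) -> bool:
        tag = self._tags.get(name)
        return tag is not None and verify_tag(self._key, content, tag)


def classify(key: bytes, data: bytes, mode: str) -> str:
    """Trust decision for both embodiments in the text.

    mode "local":   data marked before the session is trusted, all else suspect.
    mode "inbound": the alternative embodiment; the local side marks data as it
                    arrives from the network, so marked data is suspect and
                    unmarked (pre-existing) data is trusted.
    """
    _, valid = strip_mark(key, data)
    if mode == "local":
        return "trusted" if valid else "suspect"
    if mode == "inbound":
        return "suspect" if valid else "trusted"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    table = TagTable(DEMO_KEY)
    table.register("browser.exe", b"\x90\x90\xc3")          # constructed content
    print("untouched file trusted:", table.is_trusted("browser.exe", b"\x90\x90\xc3"))
    print("altered file trusted:  ", table.is_trusted("browser.exe", b"\x90\x90\xcc"))
    # a mark produced under a guessed key does not verify under the real one
    forged = b"delete /primary/secrets.doc" + make_tag(b"guessed key", b"delete /primary/secrets.doc")
    print("forged mark accepted:  ", strip_mark(DEMO_KEY, forged)[1])
```

The constant-time `hmac.compare_digest` matters because the Filter verifies marks on data chosen by the remote side; a byte-by-byte comparison would let a sender learn a correct mark prefix from response timing.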
In one embodiment, the Redirector and Filter are protected from corruption or attack by comparison of the operating code that implements the Redirector and Filter with archived code that is write-protected. A variety of comparison methods can be used to perform this comparison, e.g., a checksum or bit-by-bit comparison. The checks can be performed in a "continuous" or quasi-continuous fashion (for example, as a background process). Alternatively, the checks can be performed either before and/or after a communications session. In another alternative, the user can specify a time interval at which the comparison will be performed. If the comparison fails (i.e., the operating code is not faithful to the archived code), then the archived code can be written over the corrupted code to thereby provide a faithful working copy.
In one embodiment, the user can switch freely from operating software in the Protected Partition to operating software in the Primary Partition at will (e.g., using a hot key). Thus, for example, a user can browse and download information from the Internet using software in the Protected Partition, and switch to a word processor in the Primary Partition. Use of the methods and software described herein provides security for data in the Primary Partition while the user is connected to the outside network since instructions and data downloaded to the Protected Partition cannot be transferred to the Primary Partition without user approval.

FIG. 3 illustrates one embodiment of the overall operation of the data security aspect of the invention. At step 302 the user installs software and data on his or her computer. The data can be tagged as described above during this procedure. One embodiment for this step is described with reference to FIG. 4. Starting at step 402 the writeable mass storage memory (i.e., the hard drive) is partitioned into primary and protected partitions as described above. At step 404 the volatile memory (i.e., the RAM) is also partitioned. At step 406, a virtual memory space for the RAM is also created. The virtual memory maps the partitioned RAM onto a portion of the Protected Partition. At step 408 the executable files are registered with the redirector and filter. Tagging of the instructions for the executable files can be performed at this step. These steps can be performed automatically, or with user-defined parameters. At step 410 the files needed for the network session are copied and/or installed from the Primary Partition to the Protected Partition. The files in the Primary Partition can be read- and/or write-protected at the user's option. Various options can be provided, including the selection of individual files, specific file types (e.g., only output files), or all files. The write-protection of the files in the Protected Partition can be removed selectively during the session as described below.

Returning to FIG. 3, at step 304 the user starts and initializes the protection software. One embodiment of this step is illustrated in FIG. 5. At step 502, the Redirector and memory are initialized using any user-defined parameters. Such parameters include, but are not limited to, setting trust levels and partition sizes. At step 504, the filter is initialized. At step 506 all partitions outside of the Protected Partition are read- and/or write-disabled at the user's determination.

Returning again to FIG. 3, at step 306 the user connects to a remote computer over a network using usual methods and software. At step 308 instructions and data received from the remote computer are redirected and filtered. Two exemplary embodiments for the operation of step 306 are provided in FIGS. 6 and 7.
FIG. 6 illustrates one embodiment for performing step 308. At step 602 a connection between the user's computer and the network is established. A system call is received at step 604. Such calls include, but are not limited to, file system operations, read/write operations, software installation, and calls to access other computers connected to the user's computer. At step 606 the system call is redirected to the Filter (by Redirector 214) and the call is reviewed at step 608. At step 610 a determination is made whether to trap the call. This determination can be made in a variety of ways, such as the application of pattern matching or heuristics to the trapped call or by examining the call for a tag or mark as described above. If the call is trapped, then, following the "Yes" branch of step 610, the call is disallowed, a report of the call is made at step 612, and the process terminates. Otherwise, the "No" branch of step 610 is followed, the call is executed at step 614 (by passing the call to the O/S or one of its image files), and the process terminates. In some embodiments, incoming data can be buffered by the filter so the data can be processed prior to being routed to a particular device(s). For example, video and/or audio data often are processed using specialized processors and memory. Often such information is transmitted to the user in a "stream" to allow for continuous play. In such cases, prior processing and buffering by the filter can be employed to maintain performance and security.

FIG. 7 illustrates an alternative embodiment of step 308 of the invention. A connection between the user's computer and a remote computer (e.g., a server) is established at step 702. Data and instructions from both the user's and remote computers are received and redirected selectively at step 704. As described above, in one embodiment, the selective redirection includes forwarding system calls from Redirector 214 to Filter 216. At step 706 the call is validated. If the call is valid, i.e., the call is tagged or marked as described above, then following the "Yes" branch of step 706 to step 708, the call is processed using the files on the Protected Partition (e.g., using O/S file images). Otherwise, the call is determined to be not valid, i.e., no tag or mark is present, and, following the "No" branch of step 706 to step 710, the content of the call is analyzed. At step 712 a determination is made whether the call is forbidden, i.e., the call represents an unreasonable security risk. If the risk to the user's data is determined to be reasonable, then the "No" branch of step 712 is followed to step 714 where the call is executed and the process terminates. Otherwise, the call is determined to be a security risk. In addition, any tags or marks present on data/instructions being sent from the user's computer to the remote computer are stripped by the filter (step not shown).

In one embodiment (indicated by the dashed boxes), if the call is determined to be a risk, then the "Yes" branch of step 712 is followed to step 716 at which the user is notified that a potentially compromising instruction has been received. At step 718 the user has the option of registering the call. If the user chooses to register the call, then the "Yes" branch of step 718 is followed to step 719 where access to the system and file resources necessary to perform the call is granted and the call is executed at step 714 as described above. The source and nature of the call can also be logged so the call will be validated by the filter if received from that source during another session. The process then terminates. In other embodiments, the user can be provided with various choices regarding the details of the call, the source, and the degree of trust to be accorded the call if received in the future. Such options will be familiar to those of skill in the computer science and computer security arts. Otherwise, the user can refuse to override the filter's determination and the call is aborted at step 720. Alternatively, steps 716–719 can be omitted and the call is aborted automatically.
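The two step-308 embodiments above (FIG. 6 and FIG. 7), as an added Python example rather than code from the patent. A Redirector forwards protected operations to a Filter and passes everything else to the O/S; the Filter validates a call by its mark (or by a source the user registered earlier in the session), otherwise analyses it with a simple heuristic that stands in for the pattern-matching test of step 610 (any unvalidated call touching the Primary Partition is a forbidden call), and on a forbidden call reports it and asks the user, who may grant access and register the source (steps 716 to 719) or let the call abort (step 720). Marks are stripped from outbound calls. The SysCall record, the PROTECTED_OPS policy, the /primary/ and /protected/ path prefixes, the HMAC mark, the ask_user callback and the scenario in run_scenario are all assumptions for illustration.

```python
"""Redirector and Filter dispatch for system calls received during a session
(added example; the call format, policy and partition layout are assumed)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

DEMO_KEY = b"constructed demo key - never reuse"                # constructed
PROTECTED_OPS = {"read", "write", "delete", "install", "exec"}  # assumed policy
PRIMARY_PREFIX = "/primary/"      # assumed location of Primary Partition 204
PROTECTED_PREFIX = "/protected/"  # assumed location of Protected Partition 206


@dataclass
class SysCall:
    op: str
    path: str
    source: str                   # remote host the call came from
    mark: Optional[bytes] = None  # byte-level mark, if any


@dataclass
class Outcome:
    action: str   # "os", "protected", "executed" or "aborted"
    reason: str


def make_mark(key: bytes, op: str, path: str) -> bytes:
    """Mark a call the way the local side marks instructions before a session."""
    return hmac.new(key, f"{op}:{path}".encode(), hashlib.sha256).digest()


class Filter:
    def __init__(self, key: bytes, ask_user: Callable[[SysCall], bool]) -> None:
        self._key = key
        self._ask_user = ask_user                 # step 718: the user decides
        self.trusted_sources: Set[str] = set()    # step 719: registered sources
        self.report: List[str] = []               # steps 612/716: report of the call

    def _validated(self, call: SysCall) -> bool:
        """Step 706: valid if the mark verifies or the source was registered earlier."""
        if call.source in self.trusted_sources:
            return True
        if call.mark is None:
            return False
        return hmac.compare_digest(make_mark(self._key, call.op, call.path), call.mark)

    def _forbidden(self, call: SysCall) -> bool:
        """Steps 710/712 (the FIG. 6 trap test): an unvalidated call that touches
        the Primary Partition is an unreasonable risk; the Protected Partition is fair game."""
        return call.path.startswith(PRIMARY_PREFIX)

    def review(self, call: SysCall) -> Outcome:
        if self._validated(call):
            return Outcome("protected", "step 708: processed with O/S images on the Protected Partition")
        if not self._forbidden(call):
            return Outcome("executed", "step 714: analysed, risk judged reasonable")
        self.report.append(f"{call.source}: {call.op} {call.path}")   # step 716
        if self._ask_user(call):                                       # step 718
            self.trusted_sources.add(call.source)                      # step 719
            return Outcome("executed", "step 714: user granted access")
        return Outcome("aborted", "step 720: user kept the filter's determination")

    def strip_outbound(self, call: SysCall) -> SysCall:
        """Marks never leave the machine (the unnumbered stripping step)."""
        call.mark = None
        return call


class Redirector:
    """Step 704: protected operations go to the Filter, the rest straight to the O/S."""

    def __init__(self, filt: Filter) -> None:
        self._filter = filt

    def receive(self, call: SysCall) -> Outcome:
        if call.op in PROTECTED_OPS:
            return self._filter.review(call)
        return Outcome("os", "non-protected instruction passed to the O/S")


def run_scenario() -> dict:
    """Constructed session: host-a with a user who never overrides the filter
    (automatic abort), then host-b where the user grants access once."""
    strict = Filter(DEMO_KEY, ask_user=lambda call: False)
    rd = Redirector(strict)
    marked = make_mark(DEMO_KEY, "write", "/primary/secret.doc")
    results = {
        "stat_protected": rd.receive(SysCall("stat", "/protected/index.html", "host-a")).action,
        "write_protected": rd.receive(SysCall("write", "/protected/download.bin", "host-a")).action,
        "write_primary": rd.receive(SysCall("write", "/primary/secret.doc", "host-a")).action,
        "write_primary_marked": rd.receive(SysCall("write", "/primary/secret.doc", "host-a", marked)).action,
        "mark_reused_on_other_path": rd.receive(SysCall("write", "/primary/other.doc", "host-a", marked)).action,
        "report": list(strict.report),
    }
    lenient = Filter(DEMO_KEY, ask_user=lambda call: True)
    rd2 = Redirector(lenient)
    results["granted"] = rd2.receive(SysCall("write", "/primary/secret.doc", "host-b")).action
    results["later_call_same_source"] = rd2.receive(SysCall("delete", "/primary/x", "host-b")).action
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28} {value}")
```

Binding the mark to both the operation and the path (`f"{op}:{path}"`) is what makes the `mark_reused_on_other_path` case fail: a mark captured for one call cannot be replayed to authorise a different one.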
Returning yet again to FIG. 3, the session is completed and the user's computer disconnected from the network at step 310. At step 312 the files installed on the Protected Partition are analyzed to determine whether any installed files have been altered and if any new files have been installed during the session. One emb
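The post-session comparison of step 312 (FIG. 8) and the earlier checksum comparison of the Redirector and Filter code against a write-protected archive, as one added Python example (not code from the patent). A snapshot of checksums is taken after the files are copied to the Protected Partition (step 410); after the session each file is compared with its snapshot, altered images are overwritten from the write-protected copy in the Primary Partition when that copy still matches the snapshot, files that did not exist before the session are moved to a suspect directory (step 808), and a report is generated (step 806). SHA-256 as the checksum, the Primary Partition copy as the archive, the suspect directory and the temporary directory layout in run_demo are assumptions; the file names and contents are constructed.

```python
"""End-of-session comparison and restoration (added example; the checksum,
archive location and directory layout are assumptions)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Checksum of every file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_and_restore(protected: Path, archive: Path,
                        before: Dict[str, str], suspect_dir: Path) -> Dict[str, List[str]]:
    """Step 312 / FIG. 8 over one partition.

    before:  snapshot taken after step 410, before the session
    archive: the write-protected originals (Primary Partition 204)
    Altered images are overwritten from the archive only when the archive copy
    itself still matches the pre-session checksum; unknown files go to the
    suspect directory (808); every finding is listed in the report (806).
    """
    after = snapshot(protected)
    report: Dict[str, List[str]] = {k: [] for k in ("altered", "restored", "new", "quarantined", "missing")}
    for rel, digest in after.items():
        if rel not in before:
            report["new"].append(rel)
            suspect_dir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(protected / rel), str(suspect_dir / Path(rel).name))
            report["quarantined"].append(rel)
        elif digest != before[rel]:
            report["altered"].append(rel)
            original = archive / rel
            if original.is_file() and file_hash(original) == before[rel]:
                shutil.copyfile(original, protected / rel)
                report["restored"].append(rel)
    report["missing"] = [rel for rel in before if rel not in after]
    return report


def run_demo() -> dict:
    """Constructed scenario: install images (step 410), a session that alters one
    image and drops an unknown file, then the step 312 comparison."""
    base = Path(tempfile.mkdtemp())
    try:
        primary, protected, suspect = base / "primary", base / "protected", base / "suspect"
        (primary / "os").mkdir(parents=True)
        (primary / "os" / "kernel.sys").write_bytes(b"trusted kernel image")      # constructed
        (primary / "browser.exe").write_bytes(b"trusted browser image")           # constructed
        shutil.copytree(primary, protected)                                       # step 410
        before = snapshot(protected)
        # simulated session activity on the Protected Partition
        (protected / "os" / "kernel.sys").write_bytes(b"trusted kernel image + patch")
        (protected / "dropper.exe").write_bytes(b"unexpected payload")
        report: dict = dict(compare_and_restore(protected, primary, before, suspect))
        report["kernel_restored_ok"] = file_hash(protected / "os" / "kernel.sys") == before["os/kernel.sys"]
        report["quarantine_listing"] = sorted(p.name for p in suspect.iterdir())
        return report
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:20} {value}")
```

The same `snapshot` and `compare_and_restore` pair serves the Redirector/Filter self-check: point `protected` at the directory holding the running Redirector and Filter code, `archive` at the write-protected copy, and run it continuously, before/after a session, or on a user-chosen interval.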
