Abstract: A method of replacing a current version of a program module with a replacement version of the module concurrently with the execution of the program on a computer system. For each entry point within the current version of said module to which the program may make address reference, a corresponding entry point within the replacement version of the module is determined. While execution of the program is suspended, each address reference in the program to an entry point within the current version of the module is replaced with an address reference to the corresponding entry point within the replacement version of the module. Execution of the program is resumed when each address reference to the current module has been replaced with one to the replacement module.

Abstract: A computer display system, method and article of manufacture are presented allowing a user to interactively arrange two-dimensional windows for display in three dimensions on a two-dimensional display screen of the computer system. A window manager associated with the display screen is configured to respond to a user's selection of a frame edge of a window, e.g., using a third mouse button, by rotating the window from a two-dimensional depiction to a three-dimensional depiction. Rotation of the window occurs on an edge frame opposite to the selected edge frame and the rotation angle is related to the magnitude that the user drags the pointing device after selection of one edge frame of the window to be swung. In a similar manner, a pointing indicator is superimposed within the rotated window for tracking within the rotated coordinates of the window in response to user manipulation of an associated pointing device.

Abstract: A technique is disclosed for managing a workload distributed across multiple data processing systems to enhance shared resource access to meet a common performance standard. The technique includes on at least one system, measuring performance of the work units on the system to create local performance data, and on at least some of the systems sending the local performance data to at least one other system of the multiple data processing systems. The method further includes on at least one of the systems, receiving the performance data from the sending systems to create remote performance data, and adjusting at least one control parameter for accessing shared resources in response to the local and remote performance data to modify the performance of the work units distributed across the data processing systems to achieve the common performance standard. A dynamic resource clustering process is also employed to enhance the shared resource management.

Abstract: When applications connect to a data pipe, which is located on the same system as the connecting applications, the data pipe is considered a local pipe. That is, local media is used to pipe the data. If, however, an application on a different system is to access the pipe, the pipe is transitioned from a local pipe to a cross-system pipe, in which an alternative non-local media is used to pipe the data. The application causing the transition and any other applications to subsequently connect to the pipe use the cross-system pipe. Any local applications still allocated to the pipe are transitioned, such that they now access the cross-system pipe, instead of the local pipe. Likewise, when an application disconnects from a cross-system pipe, such that all remaining connections to the pipe are local connections, the pipe is transitioned from a cross-system pipe to a local pipe.

Abstract: The object of the present invention is to provide a cryptographic communication system that maintains a high level of information security without a sender and a receiver being required to manage a secret key. According to the system of the present invention, a dedicated decryption server that has a secret key is employed in addition to a transmitter used by a sender and a receiver used by a recipient. While the presence of nonencrypted messages in the server is precluded, the server can decrypt an encrypted message and send the decrypted message to an authorized receiver.

Abstract: In a client/server system, a method and apparatus for handing requests for access to a host resource purportedly on behalf of a client from an untrusted application server that may be capable of operating as a “rogue” server. Upon receiving a service request from a client, an untrusted application server creates a new thread within its address space for the client and obtains from the security server a client security context, which is anchored to the task control block (TCB) for that thread. The client security context specifies the client and indicates whether the client is an authenticated client or an unauthenticated client. When the application server makes a request for access to a host resource purportedly on behalf of the client, the security server examines the security context created for the requesting thread.

Abstract: A technique is presented for dynamically inserting a function into an existing application executable of an object-oriented system at runtime of the executable and without requiring recompiling of the code. This is accomplished by modifying configuration settings of the executable at runtime to add a setting to specify the function for at least one class of the executable. The modified configuration settings are then used when running the executable and when a class is encountered for which the function is active, a redirection stub is dynamically inserted to implement the function for the methods of that class. In one embodiment, the function is a trace function and the redirection stub implements an entry trace and an exit trace about each target method of a class for which the trace function is active. Various CORBA implementations of the technique are possible.

Abstract: A technique for selectively dummying a data pipe transparent to a writer application is provided. A writer application writes data to a local data pipe or a cross-system data pipe and one or more reader applications read data from the data pipe. The technique involves determining when a last reader application of the at least one or more reader applications closes the data pipe before the writer application has completed writing data to the data pipe. Upon determining this condition, further writing of data to the data pipe by the writer application is transparently prevented. While transparently preventing writing to a dummied data pipe, writing of data to a fitting, e.g., for a permanent record, can proceed.

Abstract: Managing a log stream of a computer system. An entry of a log stream, desired to be removed from the log stream, but not eligible for removal, is logically deleted. Logical deletion keeps the entry on the log stream and indicates that the entry can be removed from the log stream when it is eligible. When the entry is eligible, it is removed. If a desired entry remains at the tail of the log stream for a given period of time, thus not all owing the removal of one or more undesired entries, the desired entry is rewritten to the head of the log stream and deleted from the tail. Thereafter, other logically deleted entries eligible for deletion are removed from the log stream.

Abstract: Public key security control (PKSC) is provided for a cryptographic module by means of digitally signed communications between the module and one or authorities with whom it interacts. Authorities interact with the crypto module by means of unsigned queries seeking nonsecret information or signed commands for performing specified operations. Each command signed by an authority also contains a transaction sequence number (TSN), which must match a corresponding number stored by the crypto module for the authority. The TSN for each authority is initially generated randomly and is incremented for each command accepted from that authority. A signature requirement array (SRA) controls the number of signatures required to validate each command type. Upon receiving a signed command from one or more authorities, the SRA is examined to determine whether a required number of authorities permitted to sign the command have signed the command for each signature requirement specification defined for that command type.

Abstract: A method and apparatus for selectively using input/output (I/O) buffers as a retransmit vehicle in a client/server system. The decision whether to use an I/O buffer as a retransmit vehicle is based on a number of factors, including the packet size, the expected round-trip time (RTT) for an acknowledgment of the transmission, the number of I/O buffers currently allocated, and the number of I/O buffers remaining. If the decision is made not to use the I/O buffer as a retransmit vehicle, then the data is copied into a send buffer that is maintained by the system for the particular requester. Initially three threshold values, the round-trip time (RTT) threshold, the critical threshold, and the tight buffer threshold, are set. Connections having a longer round-trip time than a set round-trip time threshold or connections made when the number of I/O buffers remaining is below the critical threshold are not allowed to keep the I/O buffer as a retransmission vehicle.

Abstract: A central processing unit of an information handling system is provided with a Trap instruction to facilitate transfer of control from a user program to a trap program. A dispatchable unit control block (DUCT) of the CPU is loaded with the address of a trap control block, which in turn contains the addresses of a trap save area and a trap program. The user program is provided with Trap instructions at the desired transfer points. Upon decoding a Trap instruction in the user program, the CPU saves state information from the program status word (PSW), general registers and access registers in the designated trap save area, loads the address of the trap control block into a general register, and copies the address of the trap program into the instruction address field of the PSW to transfer control to the trap program. Upon completion of execution, the trap program may issue a Resume Program (RP) instruction to restore the previously saved state information to return control to the user program.

Abstract: A method and apparatus for decrypting an input block encrypted under a predetermined key in a cryptographic system having a cryptographic facility providing cryptographic functions for transforming blocks of data. The cryptographic functions include an encryption function for encrypting a block under a predetermined key and a transformation function for transforming a block encrypted under a first key to the same block encrypted under a second key. The cryptographic functions have at least one key pair with the property that successive encryption of a block under the keys of the pair regenerates the block in clear form. The input block is first transformed into an intermediate block encrypted under one of the key pair using the transformation function. The intermediate block is then further encrypted under the other of the key pair using the encryption function to generate an output block successively encrypted under the keys of pair, thereby to regenerate the input block in clear form.

Abstract: A method and apparatus for serializing access by n entities to a shared resource in an information handling system. A waiter list is defined as a circular list of n bits, each of which is assigned to an entity. When a bit is false (0) it indicates that the corresponding entity is not waiting for the lock; when the bit is true (1) it indicates the corresponding entity is waiting for the lock. A next waiter indicator (NWI) is also defined that contains a value from 0 to n inclusive; a value of 0 indicates that there are currently no waiters, while a value from 1 to n indicates the next waiter to whom the lock will be granted. The waiter list is initialized to zeros to indicate there are no waiters. When an entity requests a lock that cannot be granted, the entity is made a waiter by setting the corresponding bit in the waiter list to one. If the next waiter indicator is zero, indicating that there were previously no waiters for the lock, the indicator is set to identify the requesting entity as the next waiter.

Abstract: A method and apparatus for laying out a plurality of instances of graphical objects within a view displayed on a graphical display device. The view contains one or more regions into which the instances may be placed. The placement is done by associating an attribute, parameter or variable with the definition of each of the instances of graphic objects. The attribute defines into which of the regions of the view the instance should be placed. Layout routines are provided to extract the value of the attribute from the definition of the instance of the graphic object and to use it to associate the instance with the region in which it is to be displayed. The layout routines then calculate an optimum display for all of the instances within the region. In addition, a method for moving the instances of the graphic objects from one region to another region This involves changing the value of the attribute and reordering the instances within the regions.

Abstract: Fully-associative non-linear collections of items are browsed. At least a portion of a fully-associative non-linear collection of items is segmented into a plurality of segments. This segmenting is transparent to any browsers of the fully-associative non-linear collection of items. The plurality of segments is then browsed by multiple browsers.

Abstract: A method and apparatus for cryptographically transforming an input block into an output block. The input block has a first block size and is partitionable into a plurality of input subblocks having a second block size that is a submultiple of the first block size. To encrypt or decrypt, the input subblocks are passed through respective first substitution functions controlled by one or more keys to generate a first plurality of modified subblocks. The first plurality of modified subblocks are then passed through a mixing function to generate a second plurality of modified subblocks, each of which depends on each of the first plurality of modified subblocks. Finally, the second plurality of modified subblocks are passed through respective second substitution functions controlled by one or more keys to generate a plurality of output subblocks that are combinable into an output block.

Abstract: A system for authenticating a first entity to a second entity and for simultaneously generating a session key for encrypting communications between the entities. The first entity generates an authentication value by encrypting time-dependent information using a long-lived secret key shared by the entities and transmits the authentication value to the second entity. The first entity independently encrypts other time-dependent information using the long-lived key to generate a session key that cannot be derived from the authentication value without the long-lived key. Upon receiving the transmitted authentication value, the second entity checks the transmitted authentication value using the shared long-lived key to determine whether it is valid. If the authentication value is valid, the second entity authenticates the first entity and generates an identical session key from the same shared secret information and time-dependent information.

Abstract: Segments of storage of a computer system are shared among any number of users at varying virtual addresses. The virtual addresses can be in the same address space or different address spaces. The sharing of a segment of storage is provided by storing the real address of a page table corresponding to the segment of storage to be shared at different virtual addresses. This allows users of the same or different address spaces to share the same segment of storage by referencing the same page table.

Abstract: Managing processor resources in a non-dedicated computer system. An amount of a processor resource is allocated to a real-time application of the computer system. The amount does not exceed a limit chosen for a group of real-time applications, wherein the group includes the real-time application being allocated the resource. A selected amount of the processor resource remains available to execute other types of applications and work on the system. During processing of the real-time application, use of the processor resource does not exceed a chosen maximum value, thereby ensuring the processor resource is not monopolized by the real-time application and allowing other types of work to be processed on the system.