Patents Issued on May 6, 2004
-
Publication number: 20040088525
Abstract: A method and apparatus for predicting the outcome of a branch instruction based on the branch history of preceding branch instructions. As a sequence of instructions passes through an instruction execution pipeline, a base branch instruction is chosen, a history index is generated for the base branch instruction and subsequent branch instructions, and a transform is created for the branch instruction to be predicted. The transform is then saved. When the sequence of instructions subsequently passes through the pipeline again, the transform is retrieved and used to operate on the history index of the base branch instruction to produce a history index for the branch to be predicted. The result is used as an index into a prediction array to access the prediction logic for the branch instruction being predicted. By using the predetermined transform, a branch status prediction can be made before the branch to be predicted reaches the normal prediction stage in the pipeline.
Type: Application
Filed: October 20, 2003
Publication date: May 6, 2004
Inventors: Reynold V. D'Sa, Slade A. Morgan, Alan B. Kyker, Gad S. Sheaffer, Gustavo P. Espinosa
-
Publication number: 20040088526
Abstract: Full predication of instruction execution is provided by operand predicates, where each operand has an associated predicate bit intuitively indicating the validity of the operand value. In a programmable processor supporting operand predication, an instruction will execute only if the predicate bit of every register containing a source operand is true. The predicate bit, if any, of the destination register is set to the logical AND of the source registers' predicates. Similarly, in a non-programmable processor synthesized with predicated operand support, an operator will perform the associated function depending on the state of inputs' predicates. The output predicate is evaluated as the logical AND of the inputs' predicates. An additional bit for each data register, a change in the semantics of the instructions to include predication, and a few additional instructions to save and restore register predicate bits and to specifically set or reset a register's predicate bit are required.
Type: Application
Filed: October 30, 2002
Publication date: May 6, 2004
Applicant: STMICROELECTRONICS, INC.
Inventors: Osvaldo Colavin, Davide Rizzo
-
Publication number: 20040088527
Abstract: Multi-adaptive processing systems and techniques for enhancing parallelism and performance of computational functions are disclosed which can be employed in a myriad of applications including multi-dimensional pipeline computations for seismic applications, search algorithms, information security, chemical and biological applications, filtering and the like as well as for systolic wavefront computations for fluid flow and structures analysis, bioinformatics etc. Some applications may also employ both the multi-dimensional pipeline and systolic wavefront methodologies disclosed.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Jon M. Huppenthal, David E. Caliga
-
Publication number: 20040088528
Abstract: In order to manage, in the interrupt stage, a memory stack associated with a microcontroller according to a Program Counter signal and to a Condition Code Register signal that can be contained in respective registers, a first part of memory stack is provided which comprises a register for the Program Counter signal, and a second part of memory stack consisting of a bank of memory elements equal in number to the number of bits of the Condition Code Register signal for the number of the interrupts of the microcontroller. The two parts of stack are made to function in parallel by respective stack-pointer signals.
Type: Application
Filed: July 17, 2003
Publication date: May 6, 2004
Applicant: STMicroelectronics S.r.l.
Inventors: Santi Carlo Adamo, Edmondo Gangi
-
Publication number: 20040088529
Abstract: A method of designing a pipeline comprises the steps of: accepting a task procedure expressed in a standard programming language, the task procedure including a sequence of computational steps; accepting a performance requirement of the pipeline; and automatically creating a hardware description of the pipeline, the pipeline comprising a plurality of interconnected processor stages, each of the processor stages for performing a respective one of the computational steps, the pipeline having characteristics consistent with the performance requirement of the pipeline.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Robert S. Schreiber, Shail Aditya Gupta, Vinod K. Kathail, Santosh George Abraham, Bantwal Ramakrishna Rau
-
Publication number: 20040088530
Abstract: The present invention provides a processor capable of carrying out a plurality of operation instructions simultaneously in one cycle which improves utilization of an instruction when carrying out a single operation instruction, and a system equipped with such a processor. In this processor, an operation mode indicating whether or not a coprocessor should be run in parallel is retained in an operation mode register, and in the integer processor operation mode, a value “0” is set in the operation mode register in an operation mode controller of an integer processor, and an instruction register delivers an integer processor instruction to a decoder, so that an execution unit will execute the integer processor instruction, and outputs a no operation instruction to a data processor without embedding an instruction that defines an operation thereof, and puts the data processor in the halt condition.
Type: Application
Filed: October 30, 2003
Publication date: May 6, 2004
Inventor: Takashi Miyamori
-
Publication number: 20040088531
Abstract: Methods and apparatus for configuring a hardware device in a pre-boot environment are disclosed. For example, a configuration manager is provided for use in a computer having a processor. The example configuration manager includes an interrupt monitoring agent in communication with a controller to monitor the computer and a driver manager in communication with the controller to load a driver. The configuration manager also includes a firmware interface database agent in communication with the controller to store a set of configuration data for the driver and a user interface in communication with the controller to provide a user with options to modify the set of configuration data.
Type: Application
Filed: October 30, 2002
Publication date: May 6, 2004
Inventor: Michael A. Rothman
-
Publication number: 20040088532
Abstract: A method of configuring a virtual floppy disk (FD) drive in computer after a power on self test (POST) has been performed is provided. The method comprising inserting a BIOS extension for serving ISR of a normal FD drive; processing SRAM; updating CMOS data of the BIOS extension; simulating the SRAM as the virtual FD drive; and changing the normal FD drive into another FD drive. The invention has advantages of higher reliability and faster access speed. Further, the invention is suitable for storing startup programs or critical data.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: AAEON TECHNOLOGY INC.
Inventor: Yung-Shun Chuang
-
Publication number: 20040088533
Abstract: A method of configuring a virtual floppy disk (FD) drive in computer after a power on self test (POST) has been performed is provided. The method comprising inserting a BIOS extension for serving ISR of a normal FD drive; processing flash memory; updating CMOS data of the BIOS extension; simulating the flash memory as the virtual FD drive; and changing the normal FD drive into another FD drive. The invention has advantages of higher reliability and faster access speed. Further, the invention is suitable for storing startup programs or critical data.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: AAEON TECHNOLOGY INC.
Inventor: Yung-Shun Chuang
-
Publication number: 20040088534
Abstract: Methods and structure for customizable BIOS in a peripheral device adapter. The controller of a peripheral device adapter senses a selection indicative of a desired customized BIOS configuration. BIOS information is updated to reflect the desired customized selection. In one embodiment, customization may be by updating portions of a default BIOS configuration with updated information stored in a selected custom BIOS information element. In another embodiment, each custom BIOS information element may store an entire snapshot of BIOS information customized for a particular application. The selected custom BIOS information may then be copied to a BIOS memory or BIOS memory accesses may be mapped to the selected custom BIOS information element.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Gerald Edward Smith, Russell M. Foster
-
Publication number: 20040088535
Abstract: According to an apparatus form of the invention, a computer system has a memory for storing settings for respective operating circumstances of the computer system, and a manually operable, externally accessible switch for indicating, by a position of the switch, at least one of the operating circumstances. The computer system further includes means for determining the switch position responsive to the computer system booting and means for selecting among the settings responsive to the switch position. In another aspect, the operating circumstances include locations for operating the computer system. Alternatively, the operating circumstances include users who operate the computer system.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: International Business Machines Corporation
Inventors: Jeffrey Allen Jones, Michael Aaron Kaply
-
Publication number: 20040088536
Abstract: An apparatus for providing a trusted channel among secure operating systems (OSs) to which a mandatory access control (MAC) policy is applied includes on a data transmission side a trusted channel sub system, a MAC module and a kernel memory. The apparatus further includes on a data reception side a trusted channel system and a kernel memory. By using the apparatus, the contents of data can be prevented from being exposed even in case the packet is intercepted while being transmitted since the packet is encrypted. Furthermore, even though the contents of the data packet are replaced with malicious contents, such modulation of data can be detected by examining the integrity of the packet through the use of authentication data.
Type: Application
Filed: October 28, 2003
Publication date: May 6, 2004
Inventors: Jae Deok Lim, Joon Suk Yu, Sung Kyong Un, So-Young Doo, Jeong Nyeo Kim, Sung Won Sohn
-
Publication number: 20040088537
Abstract: The invention uses a three phase IKE protocol main mode negotiation to implement a port float algorithm that permits UDP encapsulated ESP traffic to traverse an IPSec-aware NAT. The NAT is connected to a plurality of client computers on a private network and provides an interface between the client computers and a server connected to a public network. In a first phase, a client and the server determine whether both are capable of sending UDP encapsulated ESP packets. In a second phase, the client and server conduct NAT discovery and determine whether the client, server, or both operate behind a NAT. In a third phase, the client and server initiate a port float algorithm, moving a destination UDP port specified in IKE packets from a first port value to a second port value. The server maintains a data structure that allows the server to identify the client sending IKE packets after exiting the second phase and entering the third phase.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: Microsoft Corporation
Inventors: Brian D. Swander, William H. Dixon
-
Publication number: 20040088538
Abstract: The capability to encrypt or compress the traffic over network links, thus improving the security of the link or the performance of the links, and the capability to encrypt/decrypt data stored on the storage devices without requiring specialized hosts or storage devices. In a first embodiment, traffic to be routed over a selected link needing encryption and/or compression is routed to hardware which performs the encryption and/or compression and returned for transmission over the link. A complementary unit at the second end of the link routes the received frames to complementary hardware to perform the decryption and/or decompression. The recovered frames are then routed to the target device in a normal fashion. In a variation of this first embodiment the hardware is developed using an FPGA. This allows simple selection of the desired feature or features present in the switch. The switch can be easily configured to perform encryption, compression or both, allowing great flexibility to a system administrator.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: Brocade Communications Systems, Inc.
Inventors: Vincent Isip, Richard A. Walter
-
Publication number: 20040088539
Abstract: A system and method for providing an improved way to secure messages being transmitted between communicating devices. Security mechanisms, operating below the session establishment level, provide encryption that becomes stronger over time as devices continue to communicate. After random characters are used to encrypt an initial message, each new message communicated between two devices is encrypted with the most recent message communicated there-between. Moreover, messages to be transmitted are parsed into smaller records having a fixed page length, encrypted and combined with additional encrypted records a predetermined number of times. The disclosed system and method also provide a multi-threading capability, thereby reducing the likelihood of a denial of service attack.
Type: Application
Filed: November 1, 2002
Publication date: May 6, 2004
Inventors: Steven D. Infante, Aparna Mangari
-
Publication number: 20040088540
Abstract: A method for creating communities between communication devices includes a first step of creating a digital credential identifying a common affiliation or interest. A next step includes distributing the digital credential to a communication device. A second device can then query the communication device to compare whether the devices have the same or similar digital credentials. If the devices are credentialed similarly then they can communicate to form a community. In addition, other similarly credentialed devices can be queried to join into the community.
Type: Application
Filed: October 30, 2002
Publication date: May 6, 2004
Inventors: Lawrence Marturano, Kenneth Douros, David Wheatley
-
Publication number: 20040088541
Abstract: Devices (101) are assigned a unique, unalterable, identification or serial number (313) that acts as the device's “electronic” biometric. Any certificate (302) created by a key issuer will contain the device's assigned DRM public key and the device's electronic biometric data. When a consumer wishes to purchase new content (304) from a content provider (103), the consumer will send the DRM certificate containing its DRM public key and the biometric. The rights issuer will then create a license (306) that assigns the content in such a way that only a device with the particular biometric and DRM private key is allowed to render the content.
Type: Application
Filed: November 1, 2002
Publication date: May 6, 2004
Inventors: Thomas Messerges, Ezzat A. Dabbish, Larry Puhl, Dean Vogler
-
Publication number: 20040088542
Abstract: A method and system for enabling interconnection of VPNs is disclosed. An interconnection device manages an interconnection process at one or more facilities including, for example, a gateway device. The gateway device has information relating to a plurality of VPNs, and may facilitate interconnection between devices on at least two of the VPNs by determining that one device is in fact a member of a first one of the VPNs, and by forwarding connection parameters of the first VPN to the second VPN on an as-needed basis. In this way, the gateway allows interconnection without the need for a completely centralized decision-making process, and does so independently of the type of device and/or VPN(s) being used. Moreover, the gateway may implement only those VPN parameters needed by both VPNs to communicate with one another with a desired level of security, thereby simplifying the routing and forwarding processes associated with the actual communication occurring via the interconnection.
Type: Application
Filed: November 6, 2002
Publication date: May 6, 2004
Inventors: Olivier Daude, Jacques Fieschi, Claude Galand, Olivier Hericourt, Jean-Francois Le Pennec
-
Publication number: 20040088543
Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Praerit Garg, Cliff Van Dyke, Karthik Jaganathan, Mark Pustilnik, Donald E. Schmidt
-
Publication number: 20040088544
Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Muhammad Mukarram Bin Tariq, Craig B. Gentry, James Kempf, Ravi Jain, Toshiro Kawahara
-
Publication number: 20040088545
Abstract: Preventing replay attacks without user involvement. A method according to one embodiment of the invention includes recording a serial number that was verified following a previous request to access a resource, and later receiving a request to access the resource. A serial number is acquired from the source of the request and then updated by increasing its value. The updated serial number is verified by comparing it with the recorded serial number, and access to the resource is granted only if the value of the updated serial number exceeds the value of the recorded serial number.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventors: Ward Scott Foster, Robert John Madril, Shell Sterling Simpson
-
Publication number: 20040088546
Abstract: The present invention relates generally to a system and method that provides add-on services and/or facilitates authentication, authorization and/or secure communications of a user using a dialog based interactive protocol and accessing a first computer system, separately from the authentication and security mechanism(s) provided by a second computer system using a dialog based interactive protocol system.
Type: Application
Filed: November 6, 2002
Publication date: May 6, 2004
Applicant: IMlogic, Inc
Inventors: Milan Shah, Khaled W. Hassounah
-
Publication number: 20040088547
Abstract: A method and apparatus to secure online transactions over the phone comprising a smart card transmitting an identification sequence to an IVR server in the form of a modulated signal, a card reader plugged into the telephone line, and an IVR applet demodulating the identification sequence. The card reader is characterized by the absence of processing means.
Type: Application
Filed: October 30, 2003
Publication date: May 6, 2004
Inventor: Vincent Cedric Colnot
-
Publication number: 20040088548
Abstract: System and method for providing secure resource management. The system includes a first device that creates a secure, shared resource space and a corresponding root certificate for the shared space. The first device associates one or more resources that it can access with the shared space. The first device invites one or more other devices to join as members of the space, and establishes secure communication channels with the devices that accept this invitation. The first device generates a member certificate for each accepting device, and sends the root certificate and the generated member certificate to the device through the secure channel. These devices may then access resources associated with the shared space by presenting their member certificates. Further, members of the shared space may invite other devices to join the space, and may create member certificates in the same manner as the first device.
Type: Application
Filed: November 6, 2002
Publication date: May 6, 2004
Applicant: Xerox Corporation
Inventors: Diana Kathryn Smetters, Warren Keith Edwards, Dirk Balfanz, Hao-Chi Wong, Mark Webster Newman, Jana Zdislava Sedivy, Trevor Smith, Shahram Izadi
-
Publication number: 20040088549
Abstract: A method for using digital contents is provided. In the method, a request is made to a provider apparatus for a certificate containing a first provider ID embedded therein by a certification authority, and the certificate is received from the provider apparatus. A decision is made by using the certificate as to whether or not the provider is authorized by the certification authority. A request is made to the provider apparatus for a digital content having a second provider ID embedded therein by a contents guarantee authority when the provider is authorized by the certification authority, and the digital content is received from the provider. The first provider ID is read from the certificate, the digital content is correlated with the second provider ID, and the digital content is stored in a storage medium. The second provider ID is detected from the digital content in response to a request to use the digital content.
Type: Application
Filed: July 15, 2003
Publication date: May 6, 2004
Applicant: HITACHI, LTD.
Inventors: Hiromi Ukai, Shigeki Hirasawa, Kousuke Anzai, Isao Echizen, Hiroshi Yoshiura, Masataka Okayama, Shuichi Tago
-
Publication number: 20040088550
Abstract: An access management system for managing access of wireless terminals to a wireless communications network. The access management system comprises an access control unit for permitting use of the network by a wireless terminal; an access element arranged to provide access to the network for the wireless terminal if use is permitted by the access control unit; and a network means configured to receive and store information indicating that the wireless terminal is permitted to use the network. The network means is arranged to, if the access element is unable to provide the wireless terminal with access to the network, use the stored information to determine that the wireless terminal is permitted to use the network and, having so determined, provide an alternative access to the network for the wireless terminal.
Type: Application
Filed: November 1, 2002
Publication date: May 6, 2004
Inventor: Rolf Maste
-
Publication number: 20040088551
Abstract: Method and apparatus for verifying the identity of a person seeking access to a computer, whether directly or through a digital network, including the Internet or to some data within the computer or a facility provided by it. The basic principle of the invention is to carry out such identification automatically by means of the person's cellular telephone, connected through a suitable adapter, to the computer with which he physically interacts. Also disclosed are means for increasing the security of the identification and the manner of using the method in a variety of applications, including approval of credit-account transactions.
Type: Application
Filed: January 6, 2003
Publication date: May 6, 2004
Inventors: Erez Dor, Zipora Dorit Drach
-
Publication number: 20040088552
Abstract: A descrambler integrated circuit (IC) is adapted to receive scrambled digital content and to descramble the scrambled digital content. According to one embodiment of the invention, the descrambler comprises a first process block, a second process block and a descrambler. The first process block is configured to encrypt a message using a unique, one-time programmable key to produce a first key. The second process block is configured to receive an encrypted second key and, using the first key, to decrypt the encrypted second key in order to recover the second key in a non-encrypted format. The descrambler is configured to descramble the scrambled digital content using the second key in the non-encrypted format and to produce digital content in a clear format.
Type: Application
Filed: October 22, 2003
Publication date: May 6, 2004
Inventor: Brant L. Candelore
-
Publication number: 20040088553
Abstract: A method and apparatus for controlling access of individuals to a service, device or location in order to restrict access to members of a particular age and/or gender category, by machine-sensing a predetermined biometric characteristic of the individual indicative of the particular age and/or gender category, and utilizing the machine-sensed characteristic for automatically controlling access of the individual. The method and apparatus are particularly suited to controlling access of children to certain Internet sites, TV programs, chat rooms, or other places inappropriate to children.
Type: Application
Filed: September 5, 2003
Publication date: May 6, 2004
Inventors: Shmuel Levin, Shai Ashkenazi
-
Publication number: 20040088554
Abstract: When an encrypted program and a decryption program are inputted to a first memory, a semiconductor integrated circuit device causes a bus port to disable access from the outside and enables access to the first memory and to a second memory, thereby transferring the encrypted program and the decryption program from the first memory to the second memory. When the transfer is completed, the semiconductor integrated circuit device disables access to the first memory and gives, to a CPU, an instruction to decrypt the encrypted program by using a secret key held in a secret key holder and the decryption program and execute the decrypted program. After the execution of the decrypted program is completed, the semiconductor integrated circuit device disables access to the second memory.
Type: Application
Filed: July 3, 2003
Publication date: May 6, 2004
Applicant: Matsushita Electric Industrial Co., Ltd.
Inventor: Kenichi Kawaguchi
-
Publication number: 20040088555
Abstract: A method for protection against modification of data sent by a user to a secure medium via a reader selects and stores some of the data. Confirmation of the authenticity of the selected data is obtained by verifying whether they are identical to those input on request by the user in a secure communication mode of the reader. The method is applicable to the protection against the modification of a command and/or a document signed with an electronic signature.
Type: Application
Filed: January 3, 2003
Publication date: May 6, 2004
Inventors: Pierre Girard, Jean-Luc Giraud
-
Publication number: 20040088556
Abstract: A digital watermark in a data file is used to encode separate watermark data. The digital watermark data must remain intact, or decryption may be prevented, or unscrambling may be prevented, or transmission may be prevented.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventor: Charles R. Weirauch
-
Publication number: 20040088557
Abstract: Secure presentation of media streams includes encoding the media streams into digital content, encrypting a portion of that digital content, the portion being required for presentation, in which the encrypted version is substantially unchanged in formatting parameters from the clear version of the digital content. Selecting those portions for encryption so there is no change in distribution of the media stream: packetization of the digital data, or synchronization of audio with video portions of the media stream. When encoding the media stream into MPEG-2, refraining from encrypting information by which the video block data is described, packet formatting information, and encrypting the video block data using a block-substitution cipher. A block-substitution cipher can be used to encrypt each sequence of 16 bytes of video data in each packet, possibly leaving as many as 15 bytes of video data in each packet in the clear.
Type: Application
Filed: July 9, 2003
Publication date: May 6, 2004
Applicant: Kaleidescape, a corporation
Inventors: Michael A. Malcolm, Daniel A. Collens, Stephen Watson, Paul Rechsteiner, Kevin Hui
-
Publication number: 20040088558
Abstract: A descrambler adapted as an integrated circuit (IC) according to one embodiment. The descrambler comprises a control word ladder logic to produce, among other data, a control word to descramble incoming scrambled content. The descrambler further comprises copy protection key ladder logic to recover a copy protection key for encrypting descrambled content before subsequent transmission to a digital device.
Type: Application
Filed: October 21, 2003
Publication date: May 6, 2004
Inventor: Brant L. Candelore
-
Publication number: 20040088559
Abstract: Techniques are provided for initializing, maintaining, updating and recovering secure operation within an integrated system. The techniques, which employ a data access control function within the integrated system, include authenticating by a current level of software a next level of software within an integrated system. The authenticating occurs before control is passed to the next level of software. Further, an ability of the next level of software to modify an operational characteristic of the integrated system can be selectively limited via the data access control function. Techniques are also provided for initializing secure operation of the integrated system, for migrating data encrypted using a first key set to data encrypted using a second key set, for updating software and keys within the integrated system, and for recovering integrated system functionality following a trigger event.
Type: Application
Filed: October 22, 2003
Publication date: May 6, 2004
Applicant: International Business Machines Corporation
Inventors: Eric M. Foster, William E. Hall, Marcel C. Rosu
-
Publication number: 20040088560
Abstract: A method of managing access to secure resources (4-9), the method including: providing a schema of permission rights in respect of secure resources; and, delegating to one or more users an ability to delegate (32) a profile (31) of selected permission rights in respect of one or more secure resources.
Type: Application
Filed: June 13, 2003
Publication date: May 6, 2004
Inventor: David Hilton Danks
-
Publication number: 20040088561
Abstract: System, method and article of manufacture for securing data. Queries are analyzed to detect security violation efforts. In one embodiment, algorithms for detecting selected security violation patterns are implemented. Generally, patterns may be detected prior to execution of a query and following execution of a query. Illustrative patterns include union query analysis, pare down analysis, non-overlapping and others.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: International Business Machines Corporation
Inventors: Richard D. Dettinger, Richard J. Stevens
-
Publication number: 20040088562
Abstract: A smart card authentication framework may include a card application applet (CAA), an authentication policy applet (APA), and an authentication technology applet (ATA). The CAA may provide a protected service for a user. The APA may provide an authentication-technology-independent user validation service for the CAA. The ATA may provide a technology-specific authentication service. In one embodiment, the CAA provides a first external interface, the ATA provides a second external interface and a first internal interface, and the APA provides a second internal interface. The ATA may receive a host request for user authentication via the second external interface, and the ATA may process the authentication request without participation by the CAA. The CAA may communicate with the APA via the first internal interface to determine whether the user is currently validated. If so, the CAA may provide the protected service for the host via the first external interface.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: Schlumberger Malco, Inc.
Inventors: Apostol T. Vassilev, Michael D. Hutchinson
-
Publication number: 20040088563
Abstract: A method for controlling access to functionality in an application program according to one embodiment includes registering at least one permission set in a database. The permission set includes a plurality of privileged actions relating to a functional category of the application program. The method further includes receiving information granting a principal authorization to at least one of the privileged actions in the permission set, and performing the authorized privileged action in accordance with the received information when initiated by the principal.
Type: Application
Filed: November 1, 2002
Publication date: May 6, 2004
Inventors: Dirk J. Hogan, David Cox
-
Publication number: 20040088564
Abstract: A method of hindering the propagation of a computer virus on a computer network is disclosed. The computer network comprises a plurality of addressable connections capable of receiving data from at least one computer system, and a detection computer arranged to detect the presence of a computer virus. The method comprises: operating the detection computer to monitor the plurality of addressable connections thereby to detect the presence of a computer virus on at least one of the addressable connections; in the event that a computer virus is detected, identifying the at least one computer system that sent the computer virus to the at least one addressable connection; and sending virus remediating means to the at least one identified computer system, the virus remediating means being arranged at least to hinder the operation of the computer virus. A computer program and computer system for hindering the propagation of a computer virus is also disclosed.
Type: Application
Filed: November 4, 2002
Publication date: May 6, 2004
Inventor: Andrew Patrick Norman
-
Publication number: 20040088565
Abstract: A method of identifying a software vulnerability on a computer system is disclosed in which the computer system has software stored thereon and is connected to a management system over a computer network. The method comprises the steps of: applying an interrogation program to the software, the interrogation program being capable of exploiting a known software vulnerability if it is present in the software to which the interrogation program is applied; in the event that the software vulnerability is exploited by the interrogation program, operating the interrogation program to generate a set of management information from which can be derived the identification of the computer system; and sending the management information to the management system.
Type: Application
Filed: November 4, 2002
Publication date: May 6, 2004
Inventors: Andrew Patrick Norman, John Melvin Brawn, John P. Scrimsher, Jonathan Griffin
-
Publication number: 20040088566
Abstract: A method and apparatus of a configurable address mapping and protection architecture and hardware for on-chip systems have been described.
Type: Application
Filed: November 5, 2002
Publication date: May 6, 2004
Applicant: Sonics, Inc.
Inventors: Chien-Chun Chou, Jay Scott Tomlinson, Wolf-Dietrich Weber, Drew Eric Wingard, Sricharan Kasetti
-
Publication number: 20040088567
Abstract: The invention relates to a device (2), such as a chip card, which is connected to a host platform (1) that is linked to a packet network (RES) such as the Internet. The inventive device detects security policy designation parameters (PDP) in packets leaving (PS) and entering (PE) the platform and processes said packets according to the stored security policies (POS) designated by the designation parameters detected. The security information linked to a user can therefore be moved from one platform to another and it is not processed by the platform. Security policies are managed by a server (SG) with which the device can initiate a communication when no security policy corresponding to the policy designation parameters detected in a packet is recognised, so that the server (SG) can assist the device in negotiating a security policy.
Type: Application
Filed: September 12, 2003
Publication date: May 6, 2004
Inventor: Thierry Lamotte
-
Publication number: 20040088568
Abstract: The invention relates to a method of controlling a locking function in a locking arrangement. The method presented comprises creating (300) a database from predetermined objects; determining (302) at least one user-specific inter-object internal order in the database; detecting (304) a control command for starting the control of the locking function; displaying (306) a predetermined number of objects on the display of the locking arrangement once the control command is detected; detecting (308) the selection order of the objects; and changing (316) the lock state when the detected object selection order is at least sufficiently close to a given user-specific inter-object internal order.
Type: Application
Filed: September 29, 2003
Publication date: May 6, 2004
Inventor: Timo Tokkonen
-
Publication number: 20040088569
Abstract: The invention is an apparatus and methods realizing secured switch of computing system status. Explanatorily, the switch control unit responds to status switch requests and sends out NMI to CPU; CPU responds to the interrupt signals and processes secured switch control programs; through the stated switch control unit, the stated switch connection unit completes the switch connection alternatively to one of the two stated state save units; after processing the interrupt service program, the stated switch control unit notifies the stated CPU to resume the data stored in the alterable state registers of the computing system before the interrupt; thus the computing system can be safely switched between different operation systems, or internal and external networks.
Type: Application
Filed: October 24, 2003
Publication date: May 6, 2004
Inventor: Tong Shao
-
Publication number: 20040088570
Abstract: E-mail messages or computer files are scanned to identify embedded internet addresses 18. These embedded internet addresses 18 refer to data that may be retrieved via the internet 4. This data is pre-emptively retrieved and scanned for malware even though it has not been requested by a user. If the data is found to be malware-free, then a record of this is kept. If a user subsequently seeks to access the data associated with that embedded internet address, then the stored data may be referred to and if the internet address is found and the data associated with that address is unchanged since it was previously scanned, then that data may be supplied to the user without the need to be rescanned.
Type: Application
Filed: December 21, 2001
Publication date: May 6, 2004
Inventors: Guy William Welch Roberts, Andrew Lewis Cole, Eamonn John Baulk
-
Publication number: 20040088571
Abstract: A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network usage.
Type: Application
Filed: March 25, 2002
Publication date: May 6, 2004
Inventors: John Jerrim, John A. Copeland
-
Publication number: 20040088572
Abstract: A user (e.g., a network administrator) can enter user verification information once for each switch on which the user desires to perform an administrative activity (e.g., ROM flash, reboot, etc.). Rather than having to enter the user verification information each time a switch is accessed for an administrative activity, the verification information is entered once and stored in non-volatile memory for subsequent use when accessing the switch.
Type: Application
Filed: October 30, 2002
Publication date: May 6, 2004
Applicant: Brocade Communications Systems, Inc.
Inventors: Nitin Mehendale, Shannon Kohl
-
Publication number: 20040088573
Abstract: One embodiment of the present invention provides a system that facilitates applying a dynamic lock to a range of a resource within a computer system. Upon receiving a request to lock to the range of the resource from a thread, the system examines an active lock pool to determine if the range of the resource is currently locked. If not, the system retrieves a dynamic lock from a free lock pool. Next, the system sets resource information in the dynamic lock so that the dynamic lock is associated with the resource. The system also sets owner information in the dynamic lock so that the dynamic lock is associated with the thread that is requesting the dynamic lock. Finally, the system adds the dynamic lock to the active lock pool.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Inventor: Prabahar Jeyaram
-
Publication number: 20040088574
Abstract: The capability to encrypt or compress the traffic over network links, thus improving the security of the link or the performance of the links, and the capability to encrypt/decrypt data stored on the storage devices without requiring specialized hosts or storage devices. In a first embodiment, traffic to be routed over a selected link needing encryption and/or compression is routed to hardware which performs the encryption and/or compression and returned for transmission over the link. A complementary unit at the second end of the link routes the received frames to complementary hardware to perform the decryption and/or decompression. The recovered frames are then routed to the target device in a normal fashion. In a variation of this first embodiment the hardware is developed using an FPGA. This allows simple selection of the desired feature or features present in the switch. The switch can be easily configured to perform encryption, compression or both, allowing great flexibility to a system administrator.
Type: Application
Filed: October 31, 2002
Publication date: May 6, 2004
Applicant: Brocade Communications Systems, Inc.
Inventors: Richard A. Walter, L. Vincent M. Isip