WO2011094616A1 - The basic architecture for secure internet computers - Google Patents

The basic architecture for secure internet computers Download PDF

Info

Publication number
WO2011094616A1
WO2011094616A1 PCT/US2011/023028 US2011023028W WO2011094616A1 WO 2011094616 A1 WO2011094616 A1 WO 2011094616A1 US 2011023028 W US2011023028 W US 2011023028W WO 2011094616 A1 WO2011094616 A1 WO 2011094616A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
microchip
network
hardware
unprotected
Prior art date
Application number
PCT/US2011/023028
Other languages
French (fr)
Inventor
Frampton E. Ellis
Original Assignee
Ellis Frampton E
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US13/014,201 external-priority patent/US20110225645A1/en
Priority to CA2825850A priority Critical patent/CA2825850A1/en
Application filed by Ellis Frampton E filed Critical Ellis Frampton E
Publication of WO2011094616A1 publication Critical patent/WO2011094616A1/en
Priority to US13/398,403 priority patent/US8429735B2/en
Priority to US13/815,814 priority patent/US8898768B2/en
Priority to US14/174,693 priority patent/US10057212B2/en
Priority to US14/334,283 priority patent/US9003510B2/en
Priority to US14/333,759 priority patent/US9009809B2/en
Priority to US16/051,054 priority patent/US10375018B2/en
Priority to US16/456,897 priority patent/US10965645B2/en
Priority to US17/187,279 priority patent/US11683288B2/en
Priority to US18/320,577 priority patent/US20230300109A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices

Definitions

  • This invention relates to any computer, such as a personal computer and/or microchip or wafer with an inner hardware-based access barrier or firewall that establishes a private unit or zone that is disconnected from a public unit or zone having connection to a network of computers, such as the Internet, as well as the private unit having one or more connections to one or more secure non-Internet-connected private networks for personal and/or local administration of the computer and/or microchip.
  • a computer such as a personal computer and/or microchip or wafer with an inner hardware-based access barrier or firewall that establishes a private unit or zone that is disconnected from a public unit or zone having connection to a network of computers, such as the Internet, as well as the private unit having one or more connections to one or more secure non-Internet-connected private networks for personal and/or local administration of the computer and/or microchip.
  • this invention relates to a computer and/or microchip with an inner hardware-based access barrier or firewall separating the private unit that is not connected to the Internet from a public unit connected to the Internet, the private and public units being connected only by a hardware-based access barrier or firewall in the form of a secure, out-only bus or wireless connection.
  • this invention relates to the private and public units also being connected by an in-only bus that includes a hardware input on/off switch or equivalent signal interruption mechanism, including an equivalent circuit on a microchip or nanochip.
  • this invention relates to the private and public units being connected by an output on/off switch or microcircuit equivalent on the secure, out-only bus.
  • this invention relates to a computer and/or microchip that is connected to a another computer and/or microchip, the connection between computers made with the same hardware-based access barriers or firewalls including the same buses with on/off switches described above.
  • this invention relates to a computer and/or microchip with hardware-based access barriers or firewalls used successively between an outer private unit, an intermediate more private unit, an inner most private unit, and the public unit, also including Faraday Cage protection from external electromagnetic pulses.
  • computers cannot be successful defended without inner hardware or firmware-based access barriers or firewalls that, because of their internal position, can be designed to function as access barrier or blockers rather than as general filters.
  • An Internet filter has to screen the entire Internet, which is without measure in practical terms and constantly changing, an impossible task.
  • an access barrier or blocker to an inner protected area of a computer can strictly limit access to only an exception basis. So, in simple terms, a conventional firewall generally grants access to all Internet traffic unless it can be identified as being on the most current huge list of malware; in contrast, an inner access barrier or blocker can simply deny access to all except to a carefully selected and very short and conditioned list of approved sources or types of traffic.
  • computers and microchips can be simply and effectively defended from Internet attack with one or more private, protected hardware- based zones inside the computer, any of which can be personally or locally administrated by a separate and secure non-Internet private network.
  • Figure 1 shows any computer, such as a personal computer 1 and/or microchip 90 (and/or 501) with an inner hardware-based access barrier or firewall 50 establishing a Private Unit or zone 53 of the computer or microchip that is disconnected from a Public Unit or zone 54 that is connected to the Internet 3 (and/or another, intermediate network 2).
  • Fig. 1 also shows an example embodiment of the Private Unit 53 having at least one connection to at least one private or secure non-Internet-connected network 52 for personal or Iocal administration of the personal computer 1 and/or microchip 90 (and/or 501) and/or silicon wafer 1500 (or portion 1501 , 1502, and/or 1503), or graphene equivalent.
  • the number and placement of the non-Internet-connected networks 52 is optional.
  • Figure 2 shows an example embodiment of a personal computer 1 and/or microchip 90 (and/or 501) with an inner hardware-based access barrier or firewall 50 separating a Private Unit 53 disconnected from the Internet 3 and a Public Unit 54 connected to the Internet 3, the Private Unit 53 and Public Unit 54 connected only by a hardware-based access barrier or firewall 50a, for example in the form of a secure, out- only bus (or wire) or channel 55 (or in an alternate embodiment, a wireless connection, including radio or optical).
  • a hardware-based access barrier or firewall 50a for example in the form of a secure, out- only bus (or wire) or channel 55 (or in an alternate embodiment, a wireless connection, including radio or optical).
  • Figure 3 is a similar example embodiment to that shown in Figure 2, but with the Private Unit 53 and Public Unit 54 connected by a hardware-based access barrier or firewall 50b example that also includes an in-only bus or channel 56 that includes a hardware input on/off switch 57 or equivalent function signal interruption mechanism, including an equivalent functioning circuit on a microchip or nanochip.
  • Figure 4 is a similar example embodiment to that shown in Figure 2 and 3, but with Private Unit 53 and Public Unit 54 connected by a hardware-based access barrier or firewall 50c example that also includes an output on/off switch 58 or microcircuit equivalent on the secure, out-only bus or channel 55.
  • Figure 5 shows an example embodiment of any computer such as a first personal computer 1 and/or microchip 90 (and/or 501) that is connected to a second computer such as a personal computer 1 and/or microchip 90 (and/or 501), the connection between computers made with the same hardware-based access barrier or firewall 50c example that includes the same buses or channels with on/off switches or equivalents as Figure 4.
  • Figure 6 shows an example embodiment of a personal computer 1 and/or microchip 90 (and/or 501) similar to Figures 23A and 23B of the '657 Application, which showed multiple access barriers or firewalls 50 with progressively greater protection, but with hardware-based access barriers or firewalls 50c, 50b, and 50a used successively from a inner private unit 53, to an intermediate more private unit 53 1 , and to an inner most private unit 53 2 , respectively.
  • FIGS 7-14 are additional architectural embodiment examples of the use of hardware-based access barriers or firewalls 50a, 50b, and 50c.
  • Figs. 5 and 16 illustrate methods in accordance with the present disclosure.
  • Figures 1-4, 6, 8-14 all show useful architectural example embodiments of any computer or microchip, including a personal computer 1 and/or microchip 90 (and/or 501) or silicon (or graphene) wafer 1500 (or wafer portion 1501 , 1502, and/or 1503) with an inner hardware-based access barrier or firewall 50 establishing a secure Private Unit 53 that is directly controlled by a user 49 (local in this example) and disconnected by hardware from a Public Unit 54 that is connected to the Internet 3 and/or another, intermediate network 2; the connection of the computer 1 (and/or 90 and/or 501) to the network 2 and/or Internet 3 can be wired 99 or wireless 100.
  • a personal computer 1 and/or microchip 90 (and/or 501) or silicon (or graphene) wafer 1500 or wafer portion 1501 , 1502, and/or 1503
  • an inner hardware-based access barrier or firewall 50 establishing a secure Private Unit 53 that is directly controlled by a user 49 (local in this example) and disconnected by hardware from a Public Unit 54 that is connected
  • Hardware-based access barrier or firewall 50 refers to an access barrier that includes one or more access barrier or firewall- specific hardware and/or firmware components.
  • This hardware and/or firmware configuration is in contrast to, for example, a computer firewall common in the art that includes only software and general purpose hardware, such as an example limited to firewall-specific software running on the single general purpose microprocessor or CPU of a computer.
  • the Internet-disconnected Private Unit 53 includes a master controlling device 30 for the computer PC1 (and/or a master controller unit 93 for the microchip 90 and/or 501) that can include a microprocessor or processing unit and thereby take the form of a general purpose microprocessor or CPU, for one useful example, or alternatively only control the computer as a master controller 31 or master controller unit 93'.
  • the user 49 controls the master controlling device 30 (or 31 or 93 or 93') located in the Private Unit 53 and controls both the Private Unit 53 at all times and any part or all of the Public Unit 54 selectively, but can peremptorily control any and all parts of the Public Unit 54 at the discretion of the user 49 through active intervention or selection from a range of settings, or based on standard control settings by default.
  • Figure 1 shows a useful example of an optional (one or more) secure private non-Internet-connected network 52 for personal or local administration of the Private Unit 53.
  • Wired 99 connection offers superior security generally, but wireless 100 connection is a option, especially if used with a sufficiently high level of encryption and/or other security measures, including low power radio signals of high frequency and short range and/or directional.
  • Access from the private non-Internet-connected network can be limited to only a part of the Private Unit 53 or to multiple parts or to all of the Private Unit 53.
  • the private non-Internet-connected network 52 (not connected to the Internet either directly or indirectly, such as through another, intermediate network like an Intranet) allows specifically for use as a highly secure network for providing administrative functions like testing, maintenance, or operating or application system updates to any computers (PC1 or microchip 90 or 501) on a local network, such as a business or home network, and would be particularly useful for the example of businesses administering large numbers of local computers, such as network server arrays (especially blades) for cloud applications or supercomputer arrays with a multitude of microprocessors or local clusters.
  • network 52 traffic can be encrypted and/or authenticated, especially if wireless 100.
  • a computer (PC1 and/or 90 and/or 501) can be configured so that the private non-Internet-connected network 52 can have the capability to allow for direct operational control of the Private Unit 53, and thus the entire computer, from a remote location, which can be useful for example for businesses operating an array or servers like blades or supercomputers with large numbers of microprocessors or cores.
  • One or more access barriers or firewalls 50a, 50b, or 50c can be located between the private non-Internet-connected network 52 and the Private Unit 53 provides a useful example of increased security control.
  • a personal user 49 can dock his smartphone (PC1 and/or 90 and/or 501 and/or 1500, 1501 , 1502, or 1503) linking through wire or wirelessly to his laptop or desktop computer (PC1 and/or 90 and/or 501 and/or 1500, 1501 , 1502, or 1503) in a network 52 connection to synchronize the Private Units 53 of those two (or more) personal computers or perform other shared operations between the Private Units 53.
  • the Public Units 54 of the user's multiple personal computers can be synchronized simultaneously during the same tethering process, or perform other shared operations between the Public Units 54.
  • Other shared operations can be performed by the two or more linked computers of the user 49 utilizing, for example, two or three or more Private Units 53, each unit with one or more private non-Internet connected networks 52, while two or more Public Units 54 can perform shared operations using one or more other networks 2, including the Internet 3, as shown later in Figure 6.
  • FIG. 1 shows an optional removable memory 47 located in the Private Unit 53; the removable memory 47 can be of any form or type or number using any form of one or more direct connections to the Private Unit 53; a thumbdrive or SD card are typical examples, connected to USB, Firewire, or other ports or card slots.
  • Fig. 1 shows as well an optional one or more removable keys 46, of which an access key, an ID authentication key, or an encryption and/or decryption key are examples, also connected to the Private Unit 53 using any form of connection, including the above examples.
  • wireless connection is a feasible option to enable one or more removable memories 47 or one or more removable keys 46 (or combination of both), particularly for ID authentication and/or access control.
  • All or part of the Private Unit 53 of a computer PC1 and/or microchip 90 and/or 501 can be removable from the remaining portion of the same computer PC1 and/or microchip 90 and/or 501 , including the Public Unit 54; the access control barrier or firewall 50 (or 50a and/or 50b and/or 50c) can be removable with the Private Unit 53 or remain with Public Unit 54.
  • Figure 2 shows a useful architectural example embodiment of any computer or microchip, including a personal computer 1 and/or microchip 90 and/or 501 (or wafer 1500, 1501 , 1502, or 1503) with an inner hardware-based access barrier or firewall 50 separating a Private Unit 53 that is disconnected by hardware from external networks 2 including the Internet 3 and a Public Unit 54 that is connected to external networks including the Internet 3.
  • a personal computer 1 and/or microchip 90 and/or 501 or wafer 1500, 1501 , 1502, or 1503
  • an inner hardware-based access barrier or firewall 50 separating a Private Unit 53 that is disconnected by hardware from external networks 2 including the Internet 3 and a Public Unit 54 that is connected to external networks including the Internet 3.
  • the Private Unit 53 and Public Unit 54 are connected only by an inner hardware-based access barrier or firewall 50a in the form of a secure, out-only bus (or wire) or channel 55 that transmits data or code that is output from the Private Unit 53 to be input to the Public Unit 54.
  • the user 49 controls the Private Unit 53-located master controlling device 30 (or 31 or 93 or 93'), which controls all traffic on the secure out-only bus or channel 55.
  • Connections between the user 49 and the master controlling device 30 (or 31 or 93 or 93'), as well as between the master controlling device 30 (or 31 or 93 or 93') and any component controlled by it, can be for example hardwired on a motherboard (and/or executed in silicon on a microchip 90 and/or 501) to provide the highest level of security.
  • the Private Unit 53 can include any non-volatile memory, of which read-only memory and read/write memory of which flash memory (and hard drives and optical drives) are examples, and any volatile memory, of which DRAM (dynamic random access memory) is one common example.
  • An equivalent connection, such as a wireless (including radio and/or optical) connection, to the out-only bus or channel 55 between the two Units 53 and 54 would require at least one wireless transmitter in the Private Unit 53 and at least one receiver in the Public Unit 54, so the Private Unit 53 can transmit data or code to the Public Unit 54 only (all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
  • An architecture for any computer or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50a arranged in any configuration.
  • Figure 2 also shows an example embodiment of a firewall 50 located on the periphery of the computer 1 and/or microchip 90 (and/or 501) controlling the connection between the computer and the network 2 and Internet 3; the firewall 50 can be hardwire- controlled directly by the master controlling device 30 (or 31 or 93 or 93'), for example.
  • Figure 3 is a similar useful architectural example embodiment to that shown in Figure 2, but with the Private Unit 53 and Public Unit 54 connected in terms of communication of data or code by an inner hardware-based access barrier or firewall 50b example that includes a secure, out-only bus or channel 55.
  • the connection between units also includes an in-only bus or channel 56 that is capable of transmitting data or code that is output from the Public Unit 54 to be input into the Private Unit 53, strictly controlled by the master controller 30 (and/or 31 and/or 93 and/or 93') in the Private Unit 53.
  • the in-only bus or channel 56 includes an input on/off switch (and/or microchip or nanochip circuit equivalent) 57 that can break the bus 56 Public to Private connection between Units, the switch 57 being controlled by the Private Unit 53-located master controlling device 30 (or 31 or 93 or 93'), which also controls all traffic on the in-only bus or channel 56; the control can be hardwired.
  • an input on/off switch (and/or microchip or nanochip circuit equivalent) 57 that can break the bus 56 Public to Private connection between Units, the switch 57 being controlled by the Private Unit 53-located master controlling device 30 (or 31 or 93 or 93'), which also controls all traffic on the in-only bus or channel 56; the control can be hardwired.
  • the master controller 30 (or 31 or 93 or 93') can by default use the on/off switch and/or micro-circuit (or nano-circuit) equivalent 57 to break the connection provided by the in-only bus or channel 56 to the Private Unit 53 from the Public Unit 54 whenever the Public Unit 54 is connected to the Internet 3 (or intermediate network 2).
  • the master controller 30 (or 31 or 93 or 93') can use the on/off switch and/or micro or nano-circuit equivalent 57 to make the connection provided by the in-only bus or channel 56 to the Private Unit 53 only when very selective criteria or conditions have been met first, an example of which would be exclusion of all input except when encrypted and from one of only a few authorized (and carefully authenticated) sources, so that Public Unit 54 input to the Private Unit 53 is extremely limited and tightly controlled from the Private Unit 53.
  • Another example is an equivalent connection, such as a wireless (including radio and/or optical) connection, to the in-only bus or channel 56 with an input on/off switch 57 between the two Units 53 and 54 would require at least one wireless receiver in the Private Unit 53 and at least one transmitter in the Public Unit 54, so the Private Unit 53 can receive data or code from the Public Unit 54 while controlling that reception of data or code by controlling its receiver, switching it either "on” when the Public Unit 54 is disconnected from external networks 2 and/or 3, for example, or "off' when the Public Unit 54 is connected to external networks 2 and/or 3 (all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
  • a wireless (including radio and/or optical) connection to the in-only bus or channel 56 with an input on/off switch 57 between the two Units 53 and 54 would require at least one wireless receiver in the Private Unit 53 and at least one transmitter in the Public Unit 54, so the Private Unit 53 can receive data or code from the Public Unit 54 while controlling that reception of data or code
  • An architecture for any computer and/or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50b arranged in any configuration.
  • Figure 4 is a similar useful architectural example embodiment to that shown in Figure 2 and 3, but with Private Unit 53 and Public Unit 54 connected in terms of communication of data or code by an inner hardware-based access barrier or firewall 50c example that also includes an output on/off switch and/or microcircuit equivalent 58 on the secure out-only bus or channel 55, in addition to the input on/off switch and/or microcircuit (or nano-circuit) equivalent 57 on the in-only bus or channel 56.
  • an inner hardware-based access barrier or firewall 50c example that also includes an output on/off switch and/or microcircuit equivalent 58 on the secure out-only bus or channel 55, in addition to the input on/off switch and/or microcircuit (or nano-circuit) equivalent 57 on the in-only bus or channel 56.
  • the output switch or microcircuit equivalent 58 is capable of disconnecting the Public Unit 54 from the Private Unit 53 when the Public Unit 54 is being permitted by the master controller 30 (or 31 or 93 or 93') to perform a private operation controlled (completely or in part) by an authorized third party user from the Internet 3, as discussed previously by the applicant relative to Figure 17D and associated textual specification of the '657 Application incorporated above.
  • the user 49 using the master controller 30 (or 31 or 93 or 93') always remains in preemptive control on the Public Unit 54 and can at any time for any reason interrupt or terminate any such third party-controlled operation.
  • the master controller 30 (or 31 or 93 or 93') controls both on/off switches 57 and 58 and traffic (data and code) on both buses or channels 55 and 56 and the control can be hardwired.
  • Another example is an equivalent connection, such as a wireless connection, to the in-only bus or channel 56 and out-only bus or channel 55, each with an on/off switch
  • the Private Unit 53 can send or receive data or code to or from the Public Unit 54 by directly controlling the "on” or “off' state of its transmitter and receiver, controlling that flow of data or code depending, for example on the state of external network 2 or Internet 3 connection of the Public Unit 54 (again, all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
  • An architecture for any computer and/or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50c arranged in any configuration.
  • Figure 5 shows an architectural example embodiment of a first computer (personal computer 1 and/or microchip 90 and/or 501 or wafer 1500, or 1501 , 1502, or 1503) functioning as a Private Unit 53' that is connected to at least a second computer (or to a multitude of computers, including personal computers 1 and/or microchips 90 and/or 501 or 1500, 1501 , 1502, or 1503) functioning as a Public Unit or Units 54'.
  • the connection between the private computer 53' and the public computer or computers 54' is made including the same inner hardware-based access barrier or firewall 50c architecture that includes the same buses and channels 55 and 56 with the same on/off switches 57 and
  • inner hardware-based access barriers or firewalls 50a or 50b can be used.
  • inner hardware-based access barriers or firewalls 50a, 50b, and 50c can be used within the first and/or second computers.
  • connection between the first and second computer can be any connection, including a wired network connection like the Ethernet, for example, or a wireless network connection, similar to the examples described above in previous Figures 2-4.
  • either on/off switch 57 or 58 can be functionally replaced like in a wireless connection by control of an output transmitter or an input receiver on either bus or channel 55 or 56; the transmitter or receiver being turned on or off, which of course amounts functionally to mere locating the on/off switches 55 or 56 in the proper position on the bus or channel 55 or 56 to control the appropriate transmitter or receiver, as is true for the examples in previous figures.
  • Figure 6 shows a useful architectural example embodiment of any computer (a personal computer 1 and/or microchip 90 and/or 501 or wafer 1500, 1501 , 1502, or 1503) similar to Figures 23A and 23B of the '657 Application incorporated by reference above, which showed multiple inner firewalls 50 with progressively greater protection.
  • Figure 6 shows an example of an internal array of inner hardware-based access barriers or firewalls 50c, 50b, and 50a (described in previous Figures 2-4 above) used in a specific sequence between a public unit 54 and a first private unit 53, between the first private unit 53 and a more private second unit 53 1 , and between the more private second unit 53 1 and a most private third unit 53 2 , respectively.
  • Figure 6 shows a useful architectural example embodiment of one or more master controllers-only C (31 or 93') located in the most private unit 53 2 , with one or more microprocessors or processing units or “cores” S (40 or 94) located in the more private unit 53 1 , in the private unit 53, and in the public unit 54.
  • Each of the microprocessors or processing units or cores S can have at least one secondary controller 32 with which it can be integrated, for example.
  • microprocessors S can be located in any of the computer units, but the majority in a many core architecture can be in the public unit to maximize sharing and Internet use. Alternatively, for computers that are designed for more security-oriented applications, a majority of the microprocessors S (or processing units or cores) can be located in the private units; any allocation between the public and private units is possible. Any other hardware, software, or firmware component or components can be located in the same manner as are microprocessors S (or master controllers-only C) described above.
  • An architecture for any computer and/or microchip or nanochip can have any number of inner hardware-based access barriers or firewalls 50a and/or 50b and/or 50c arranged in any combination or configuration.
  • the private non-Internet network 52 which was discussed previously relative to Figure 1 , can consist in an example embodiment of more than one network, with each additional non-Internet network 52 being used to connect Private Units 53 2 , 53 1 , and 53 of one computer and/or microchip to separate non-Internet networks 52 2 , 52 1 and 52, respectively, and that are connected to Private Units 53 2 , 53 1 , and 53, respectively, of other computers and/or microchips.
  • each computer and/or microchip Private Unit 53 2 , 53 1 , and 53 can have its own separate, non-Internet network 52 2 , 52 1 , and 52, respectively, and so that any Private Unit can be connected to other computer PC1 and/or microchip 90 (and/or 501) units of the same level of security; any Private Unit can also be subdivided into subunits of the same level of security.
  • a computer PC1 and/or microchip 90 or 501 Public Unit 54 can be subdivided into a number of different levels of security, for example, and each subdivided Public Unit 54 can have a separate, non-Internet connected network 52; and a subdivided Public Unit 54 can be further subdivided with the same level of security.
  • any hardware component like a hard drive or Flash memory device (and associated software or firmware), within a private (or public) unit of a given level of security can be connected by a separate non-Internet network 52 to similar components within a private (or public) unit of the same level of security.
  • Access barriers or firewalls 50a and/or 50b and/or 50c can be located between any of the private non-Internet-connected networks 52 2 , 52 1 , and 52, and the Private Units 53 2 , 53 1 , and 53, respectively, providing a useful example of increased security control as shown in Figure 6.
  • each Private Unit 53 2 , 53 1 , and 53 can have one or more ports (or connections to one or more ports), like for a USB connection to allow for the use of one or more optional removable access and/or encryption or other keys 46, and/or one or more optional removable memory (such as a USB Flash memory thumbdrive) or other device 47, both of which as discussed previously in the text of Figure 1 , which example can also have one or more ports for either 46 and/or 47 and/or other device.
  • the Public Unit 54 can also have one or more of any such removable devices, or ports like a USB port to allow for them.
  • Any data or code or system state, for example, for any Public or Private Unit 54 or 53 can be displayed to the personal user 49 and can be shown in its own distinctive color or shading or border (or any other visual or audible distinctive characteristic, like the use of flashing text).
  • Figure 6 shows an example embodiment of different colors indicated for each of the Units.
  • the public unit 54 can be subdivided into an encrypted area (and can include encryption/decryption hardware) and an open, unencrypted area, as can any of the private units 53; in both cases the master central controller 30, 31 , 93, or 93' can control the transfer of any or all code or data between an encrypted area and an unencrypted area considering factors such authentication.
  • Figures 7-14 are useful architectural example embodiments of the inner hardware- based access barriers or firewalls 50a, 50b, and 50c.
  • Figure 7 shows the fundamental security problem caused by the Internet connection to the classic Von Neumann computer hardware architecture that was created in 1945. At that time there were no other computers and therefore no networks of even the simplest kind, so network security was not a consideration in its fundamental design.
  • Figure 8 shows a useful example embodiment of the applicant's basic architectural solution to the fundamental security problem caused by the Internet, the solution being to protect the central controller of the computer with an inner firewall 50 controlling access by the Internet, as discussed in detail in Figures 10A-10D and 10J-10Q, and associated textual specification of the '657 Application incorporated by reference, as well as earlier in this application.
  • Figure 8 and subsequent figures describe example embodiments of a number of specific forms of an inner hardware-based access barrier or firewall 50, such as access barriers or firewalls 50a and/or 50b and/or 50c as described previously in this application; the number and potential configurations of access barriers or firewalls 50a and/or 50b and/or 50c within any computer, such as computer PC 1 and/or microchip 90 (and/or 501) is without any particular limit.
  • an inner hardware-based access barrier or firewall 50 such as access barriers or firewalls 50a and/or 50b and/or 50c as described previously in this application
  • the number and potential configurations of access barriers or firewalls 50a and/or 50b and/or 50c within any computer such as computer PC 1 and/or microchip 90 (and/or 501) is without any particular limit.
  • Figure 9 is a similar embodiment to Figure 8, but also showing a useful architectural example of a central controller integrated with a microprocessor to form a conventional general purpose microprocessor or CPU (like an Intel x86 microprocessor, for example).
  • Figure 8 also shows a computer PC1 and/or microchip 90 and/or 501 with many microprocessors or cores.
  • Figure 10 is the same embodiment as Figure 9, but also shows a major functional benefit of the applicant's access barrier or firewall 50a, 50b, and 50c invention, which is to enable a function to flush away Internet malware by limiting the memory access of malware to DRAM 66 (dynamic random access memory) in the Public Unit 54, which is a useful example of a volatile memory that can be easily and quickly erased by power interruption.
  • the flushing function of a firewall 50 was discussed earlier in detail in Figures 25A-25D and associated textual specification of the '657 Application incorporated by reference earlier.
  • Figure 11 is a useful example embodiment similar to Figure 6 and shows that any computer or microchip can be partitioned into many different layers of public units 54 and private units 53 using an architectural configuration of access barriers or firewalls 50a, 50b, and 50c; the number and arrangement of potential configurations is without any particular limit.
  • the partition architecture provided by firewalls 50 was discussed earlier in detail in Figures 23A-23B and associated textual specification of the '657 Application incorporated by reference earlier.
  • Figure 12 is another useful architectural example embodiment of the layered use of access barriers or firewalls 50, 50c, 50b, and 50c based on a kernel or onion structure; the number of potential configurations is without any particular limit. This structure was discussed in detail relative to firewalls 50 in Figures 23D-23E and associated textual specification of the '657 Application incorporated by reference earlier.
  • Figure 13 is a useful architectural example embodiment showing the presence of many Figure 12 layered access barriers or firewalls 50a, 50b, and 50c structures on any of the many hardware, software, and/or firmware components of a computer; the number of potential configurations is without any particular limit.
  • the many layered kernels structure was discussed in more detail in Figure 23C and associated textual specification of the '657 Application incorporated by reference earlier.
  • Figure 14 is a useful architectural example embodiment similar to Figure 13, but also showing the computer PC1 and/or microchip 90 and/or 501 surrounded by a Faraday Cage 300; the number of potential similar configurations is without any particular limit. This use of Faraday Cages 300 was discussed in detail in Figures 27A-27G and associated textual specification of the '657 Application incorporated by reference earlier.
  • FIG 14 shows a useful example embodiment of a Faraday Cage 300 surrounding completely a computer PC1 and/or microchip 90 and/or 501.
  • the Faraday Cage 300 can be subdivided by an example partition 301 to protect and separate the Private Unit 53 from the Public Unit 54, so that the Private Unit 53 is completely surrounded by Faraday Cage 300 1 and Public Unit 54 is completely surrounded by Faraday Cage 300 2 , in the example embodiment shown.
  • Each unit can alternatively have a discrete Faraday Cage 300 of its own, instead of partitioning a larger Faraday Cage 300 and the surrounding of a Unit can be complete or partial. Any number or configuration of Faraday Cages can be used in the manner shown generally in Figure 14, including a separate Faraday Cage for any hardware component of the computer or microchip.
  • the example embodiments shown in Figures 1-4, 6-11 , and 13-16 are a computer of any sort, including a personal computer PC1 ; or a microchip 90 or 501 , including a microprocessor or a system on a chip (SoC) such as a personal computer on a microchip 90; or a combination of both, such as a computer with the architecture shown in Figures 1-4, 6-11 , and 13-16, the computer also including one or more microchips also with the architecture shown in Figures 1-4, 6-11 , and 13-16.
  • SoC system on a chip
  • the Public Unit 54 shown in Figures 1-6, 8-11 , and 13-14 can be used in a useful embodiment example to run all or a part of any application (or "apps") downloaded from the Internet or Web, such as the example of any of the many thousands of apps for the Apple iPhone that are downloaded from the Apple Apps Store, or to run applications that are streamed from the Internet or Web.
  • any application or "apps”
  • all or part of a video or audio file like a movie or music can be downloaded from the Web and played in the Public Unit 54 for viewing and/or listening be the computer user 49.
  • Some or all personal data pertaining to a user 49 can be kept exclusively on the user's computer PC1 and/or microchip 90 and/or 501 for any cloud application or app to protect the privacy of the user 49 (or kept non-exclusively as a back-up), unlike conventional cloud apps, where the data of a personal user 49 is kept in the cloud and potentially intentionally shared or carelessly compromised without authorization by or knowledge of the personal user 49.
  • the Public Unit 54 can be a safe and private local cloud, with personal files retained there or in the Private Unit 53. All or part of an app can also potentially be downloaded or streamed to one or more Private Units, including 53 2 , 53 1 , and 53.
  • FIG. 6 shows a computer and/or microchip Public Unit 54 and Private Units 53, 53 1 , and 53 2 , each with a separate Faraday Cage. 300 4 , 300 3 , 300 2 , and 300 1 , respectively, that are create using partitions 301°, 301 b , and 301 a , respectively.
  • Any Public Unit 54 or Private Unit 53 can be protected by its own Faraday Cage 300.
  • the Faraday Cage 300 can completely or partially surround the any Unit in two or three dimensions.
  • FIGS 8-11 and 13-14 also show example embodiments of a secure control bus (or wire or channel) 48 that connects the master controlling device 30 (or 31) or master control unit 93 (or 93') or central controller (as shown) with the components of the computer PC1 and/or microchip 90 and/or 501 , including those in the Public Unit 54.
  • the secure control bus 48 provides hardwired control of the Public Unit 54 by the central controller in the Private Unit 53.
  • the secure control bus 48 can be isolated from any input from the Internet 3 and/or an intervening other network 2 and/or from any input from any or all parts of the Public Unit 54.
  • the secure control bus 48 can provide and ensure direct preemptive control by the central controller over any or all the components of the computer, including the Public Unit 54 components.
  • the secure control bus 48 can, partially or completely, coincide or be integrated with the bus 55, for example.
  • the secure control bus 48 is configured in a manner such that it cannot be affected, interfered with, altered, read or written to, or superseded by any part of the Public Unit 54 or any input from the Internet 3 or network 2, for example.
  • a wireless connection can also provide the function of the secure control bus 48 a manner similar to that describing wireless connections above in Figures 2-6 describing buses 55 and 56.
  • the secure control bus 48 can also provide connection for the central controller to control a conventional firewall or for example access barrier or firewall 50c located on the periphery of the computer or microchip to control the connection of the computer PC1 and/or microchip 90 and/or 501 to the Internet 3 and/or intervening other network 2.
  • a conventional firewall or for example access barrier or firewall 50c located on the periphery of the computer or microchip to control the connection of the computer PC1 and/or microchip 90 and/or 501 to the Internet 3 and/or intervening other network 2.
  • the secure control bus 48 can also be used by the master central controller 30, 31 , 93, or 93' to control one or more secondary controllers 32 located on the bus 49 or anywhere in the computer PC1 and/or microchip 90 and/or 501 , including in the Public Unit 54 that are used, for example, to control microprocessors or processing units or cores S (40 or 94) located in the Public Unit 54.
  • the one or more secondary controllers 32 can be independent or integrated with the microprocessors or processing units or cores S (40 or 94) shown in Figure 9 and 11 above, for example; such integrated microprocessors can be specially designed or general purpose microprocessors like an Intel x86 microprocessor, for example.
  • a method of protecting a computer includes a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware-based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least the master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, the at least one microprocessor of the unprotected portion being separate from and located outside of the inner hardware-based access barrier or firewall.
  • the method includes allowing a user of the computer to control the microprocessors (150); connecting the protected portion of the computer through a first connection to at least a first network of computers (152); connecting the unprotected portion of the computer through a second connection to a second network of computers including the Internet (154); denying access by the hardware-based access barrier or firewall to the protected portion of the computer by the second network when the personal computer is connected to the second network (156); and permitting access by another computer in the second network to the one or more of the processing units included in the unprotected portion of the microchip for an operation with the another computer in the second network when the personal computer is connected to the second network (158).
  • a method of protecting a computer disclosed in Fig. 16.
  • the computer includes a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware-based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least the master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, the at least one microprocessor of the unprotected portion being separate from and located outside of the inner hardware-based access barrier or firewall.
  • the method includes connecting the protected portion of the computer through at least a first connection to at least a first network of computers (160); connecting the unprotected portion of the computer through a second connection to a second network of computers including the Internet (162); controlling the computer from the protected portion through the first network (164); and performing operations in the unprotected portion using the second network (166).
  • any one or more features or components of Figures 1-16 of this application can be usefully combined with one or more features or components of the figures of the above '049 and '553 U.S. Applications, as well as in the above '428, '250, ⁇ 41 , '449, '906, '275, ⁇ 20, '854, '529, 756, and '233 U.S. Patents.
  • Patents are expressly incorporated by reference in its entirety for completeness of disclosure of the applicant's combination of one or more features or components of either of those above two prior applications of this applicant with one or more features or components of this application. All such useful possible combinations are hereby expressly intended by this applicant.
  • any one of Figures 1-16 or associated textual specification of this application can be usefully combined with one or more features or components of any one or more other of Figures 1-16 or associated textual specification of this application.
  • any such combination derived from the figures or associated text of this application can also be combined with any feature or component of the figures or associated text of any of the above incorporated by reference U.S. Applications '657, 769, ⁇ 49, and '553, as well as U.S. Patents Numbers '428, '250, ⁇ 41 , '449, '906, '275, ⁇ 20, '854, '529, '756, and '233.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method or apparatus for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit having connection to the Internet, and one or more of the private units have a connection to one or more secure non-internet-connected private networks for personal and/or local administration. The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch and/or both buses, each with a single on/off switch. The hardware-based access barriers can be positioned successively between an outer private unit, an intermediate more private unit, an inner most private unit, and the public unit, and each private unit can be configured for a separate connection to a separate network of computers that excludes the Internet.

Description

THE BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS
Applicant claims the right to priority based on U.S. Provisional Patent Application No. 61/282,378, filed January 29, 2010; U.S. Provisional Patent Application No.
61/282,478, filed February 17, 2010; U.S. Provisional Patent Application No. 61/282,503, filed February 22, 2010; U.S. Provisional Patent Application No. 61/282,861 , filed April 12, 2010; U.S. Provisional Patent Application No. 61/344,018, filed May 7, 2010; and U.S. Provisional Patent Application No. (GNC33PA), filed January 24, 2011.
Applicant also claims the right to priority based on U.S. Nonprovisional Patent Application No. 13/014,201 , filed January 26, 2011. The contents of all of these provisional and nonprovisional patent applications are hereby incorporated by reference in their entirety.
BACKGROUND OF THE INVENTION
This invention relates to any computer, such as a personal computer and/or microchip or wafer with an inner hardware-based access barrier or firewall that establishes a private unit or zone that is disconnected from a public unit or zone having connection to a network of computers, such as the Internet, as well as the private unit having one or more connections to one or more secure non-Internet-connected private networks for personal and/or local administration of the computer and/or microchip.
More particularly, this invention relates to a computer and/or microchip with an inner hardware-based access barrier or firewall separating the private unit that is not connected to the Internet from a public unit connected to the Internet, the private and public units being connected only by a hardware-based access barrier or firewall in the form of a secure, out-only bus or wireless connection. Even more particularly, this invention relates to the private and public units also being connected by an in-only bus that includes a hardware input on/off switch or equivalent signal interruption mechanism, including an equivalent circuit on a microchip or nanochip. Still more particularly, this invention relates to the private and public units being connected by an output on/off switch or microcircuit equivalent on the secure, out-only bus.
In addition, this invention relates to a computer and/or microchip that is connected to a another computer and/or microchip, the connection between computers made with the same hardware-based access barriers or firewalls including the same buses with on/off switches described above.
Finally, this invention relates to a computer and/or microchip with hardware-based access barriers or firewalls used successively between an outer private unit, an intermediate more private unit, an inner most private unit, and the public unit, also including Faraday Cage protection from external electromagnetic pulses.
By way of background, traditionally computer security has been based primarily on conventional firewalls that are positioned externally, between the computer and the external network. Such conventional firewalls provide a screening or filtering function to identify and block incoming network malware. But because of their functionally external position, conventional firewalls must allow entry to a significant amount of incoming traffic, so they must perform perfectly, an impossibility, or at least some malware inherently gets into the computer. Once in, the von Neumann architecture of current computers provides only software protection, which is inherently vulnerable to malware attack, so existing computers are essentially indefensible from successful attack from the Internet, which has provided an easy, inexpensive, anonymous, and effective means for the worst of all hackers worldwide to access any connected computer.
SUMMARY OF THE INVENTION
Therefore, computers cannot be successful defended without inner hardware or firmware-based access barriers or firewalls that, because of their internal position, can be designed to function as access barrier or blockers rather than as general filters. This is a critical distinction. An Internet filter has to screen the entire Internet, which is without measure in practical terms and constantly changing, an impossible task. In contrast, an access barrier or blocker to an inner protected area of a computer can strictly limit access to only an exception basis. So, in simple terms, a conventional firewall generally grants access to all Internet traffic unless it can be identified as being on the most current huge list of malware; in contrast, an inner access barrier or blocker can simply deny access to all except to a carefully selected and very short and conditioned list of approved sources or types of traffic.
Such a much simpler and achievable access blocking function allowing for a much simpler and efficient mechanism for providing the function. Whereas a conventional but imperfect firewall involves highly complicated hardware with millions of switches and/or firmware and/or software with millions of bits of code, the hardware-based access barriers described in this application require as little as a single simple one-way bus and/or another simple one-way bus with just a single switch and/or both simple buses, each with just a single switch. This extraordinarily tiny amount of hardware is at the absolute theoretical limit and cannot be less.
With this new and unique approach, computers and microchips can be simply and effectively defended from Internet attack with one or more private, protected hardware- based zones inside the computer, any of which can be personally or locally administrated by a separate and secure non-Internet private network.
This application hereby expressly incorporates by reference in its entirety U.S. Patent Application No. 10/684,657 filed October 5, 2003 and published as Pub. No. US 2005/0180095 A1 on August 18, 2005 and U.S. Patent Application No. 12/292,769 filed November 25, 2008 and published as Pub. No. US 2009/0200661 A1 on August 13, 2009.
Also, this application hereby expressly incorporates by reference in its entirety U.S. Patent Application No. 10/802,049 filed March 17, 2004 and published as Pub. No. US 2004/0215931 A1 on October 28, 2004 and U.S. Patent Application No. 12/292,553 filed November 20, 2008 and published as Pub. No. US 2009/0168329 A1 on July 2, 2009.
Finally, this application hereby expressly incorporates by reference in its entirety U.S. Patent No. 6,167,428 issued 26 December 2000, U.S. Patent No 6,725,250 issued 20 April 2004, U.S. Patent No. 6,732,141 issued 4 May 2004, U.S. Patent No. 7,024,449 issued 4 April 2006, U.S. Patent No. 7,035,906 issued 25 April 2006, U.S. Patent No. 7,047,275 issued 16 May 2006, U.S. Patent No 7,506,020 issued 17 March 2009, U.S. Patent No. 7,606,854 issued 20 October 2009, U.S. Patent No. 7,634,529 issued 15 December 2009, U.S. Patent No. 7,805,756 issued 28 September 2010, and 7,814,233 issued 12 October 2010.
Definitions and reference numerals are the same in this application as in the above incorporated '657, 769, Ό49 and '553 U.S. Applications, as well as in the above incorporated '428, '250, Ί41 , '449, '906, '275, Ό20, '854, '529, 756, and '233 U.S. Patents. BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 shows any computer, such as a personal computer 1 and/or microchip 90 (and/or 501) with an inner hardware-based access barrier or firewall 50 establishing a Private Unit or zone 53 of the computer or microchip that is disconnected from a Public Unit or zone 54 that is connected to the Internet 3 (and/or another, intermediate network 2). Fig. 1 also shows an example embodiment of the Private Unit 53 having at least one connection to at least one private or secure non-Internet-connected network 52 for personal or Iocal administration of the personal computer 1 and/or microchip 90 (and/or 501) and/or silicon wafer 1500 (or portion 1501 , 1502, and/or 1503), or graphene equivalent. The number and placement of the non-Internet-connected networks 52 is optional.
Figure 2 shows an example embodiment of a personal computer 1 and/or microchip 90 (and/or 501) with an inner hardware-based access barrier or firewall 50 separating a Private Unit 53 disconnected from the Internet 3 and a Public Unit 54 connected to the Internet 3, the Private Unit 53 and Public Unit 54 connected only by a hardware-based access barrier or firewall 50a, for example in the form of a secure, out- only bus (or wire) or channel 55 (or in an alternate embodiment, a wireless connection, including radio or optical).
Figure 3 is a similar example embodiment to that shown in Figure 2, but with the Private Unit 53 and Public Unit 54 connected by a hardware-based access barrier or firewall 50b example that also includes an in-only bus or channel 56 that includes a hardware input on/off switch 57 or equivalent function signal interruption mechanism, including an equivalent functioning circuit on a microchip or nanochip. Figure 4 is a similar example embodiment to that shown in Figure 2 and 3, but with Private Unit 53 and Public Unit 54 connected by a hardware-based access barrier or firewall 50c example that also includes an output on/off switch 58 or microcircuit equivalent on the secure, out-only bus or channel 55.
Figure 5 shows an example embodiment of any computer such as a first personal computer 1 and/or microchip 90 (and/or 501) that is connected to a second computer such as a personal computer 1 and/or microchip 90 (and/or 501), the connection between computers made with the same hardware-based access barrier or firewall 50c example that includes the same buses or channels with on/off switches or equivalents as Figure 4.
Figure 6 shows an example embodiment of a personal computer 1 and/or microchip 90 (and/or 501) similar to Figures 23A and 23B of the '657 Application, which showed multiple access barriers or firewalls 50 with progressively greater protection, but with hardware-based access barriers or firewalls 50c, 50b, and 50a used successively from a inner private unit 53, to an intermediate more private unit 531, and to an inner most private unit 532, respectively.
Figures 7-14 are additional architectural embodiment examples of the use of hardware-based access barriers or firewalls 50a, 50b, and 50c.
Figs. 5 and 16 illustrate methods in accordance with the present disclosure.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figures 1-4, 6, 8-14 all show useful architectural example embodiments of any computer or microchip, including a personal computer 1 and/or microchip 90 (and/or 501) or silicon (or graphene) wafer 1500 (or wafer portion 1501 , 1502, and/or 1503) with an inner hardware-based access barrier or firewall 50 establishing a secure Private Unit 53 that is directly controlled by a user 49 (local in this example) and disconnected by hardware from a Public Unit 54 that is connected to the Internet 3 and/or another, intermediate network 2; the connection of the computer 1 (and/or 90 and/or 501) to the network 2 and/or Internet 3 can be wired 99 or wireless 100.
Hardware-based access barrier or firewall 50 (or 50a, 50b, or 50c) as used in this application refers to an access barrier that includes one or more access barrier or firewall- specific hardware and/or firmware components. This hardware and/or firmware configuration is in contrast to, for example, a computer firewall common in the art that includes only software and general purpose hardware, such as an example limited to firewall-specific software running on the single general purpose microprocessor or CPU of a computer.
The Internet-disconnected Private Unit 53 includes a master controlling device 30 for the computer PC1 (and/or a master controller unit 93 for the microchip 90 and/or 501) that can include a microprocessor or processing unit and thereby take the form of a general purpose microprocessor or CPU, for one useful example, or alternatively only control the computer as a master controller 31 or master controller unit 93'. The user 49 controls the master controlling device 30 (or 31 or 93 or 93') located in the Private Unit 53 and controls both the Private Unit 53 at all times and any part or all of the Public Unit 54 selectively, but can peremptorily control any and all parts of the Public Unit 54 at the discretion of the user 49 through active intervention or selection from a range of settings, or based on standard control settings by default.
More particularly, Figure 1 shows a useful example of an optional (one or more) secure private non-Internet-connected network 52 for personal or local administration of the Private Unit 53. Wired 99 connection offers superior security generally, but wireless 100 connection is a option, especially if used with a sufficiently high level of encryption and/or other security measures, including low power radio signals of high frequency and short range and/or directional. Access from the private non-Internet-connected network can be limited to only a part of the Private Unit 53 or to multiple parts or to all of the Private Unit 53.
The private non-Internet-connected network 52 (not connected to the Internet either directly or indirectly, such as through another, intermediate network like an Intranet) allows specifically for use as a highly secure network for providing administrative functions like testing, maintenance, or operating or application system updates to any computers (PC1 or microchip 90 or 501) on a local network, such as a business or home network, and would be particularly useful for the example of businesses administering large numbers of local computers, such as network server arrays (especially blades) for cloud applications or supercomputer arrays with a multitude of microprocessors or local clusters. To maximize security, network 52 traffic can be encrypted and/or authenticated, especially if wireless 100.
In addition, in another useful example, a computer (PC1 and/or 90 and/or 501) can be configured so that the private non-Internet-connected network 52 can have the capability to allow for direct operational control of the Private Unit 53, and thus the entire computer, from a remote location, which can be useful for example for businesses operating an array or servers like blades or supercomputers with large numbers of microprocessors or cores.
One or more access barriers or firewalls 50a, 50b, or 50c can be located between the private non-Internet-connected network 52 and the Private Unit 53 provides a useful example of increased security control. In yet another useful example, a personal user 49 can dock his smartphone (PC1 and/or 90 and/or 501 and/or 1500, 1501 , 1502, or 1503) linking through wire or wirelessly to his laptop or desktop computer (PC1 and/or 90 and/or 501 and/or 1500, 1501 , 1502, or 1503) in a network 52 connection to synchronize the Private Units 53 of those two (or more) personal computers or perform other shared operations between the Private Units 53. In addition, the Public Units 54 of the user's multiple personal computers can be synchronized simultaneously during the same tethering process, or perform other shared operations between the Public Units 54. Other shared operations can be performed by the two or more linked computers of the user 49 utilizing, for example, two or three or more Private Units 53, each unit with one or more private non-Internet connected networks 52, while two or more Public Units 54 can perform shared operations using one or more other networks 2, including the Internet 3, as shown later in Figure 6.
Also shown in Figure 1 for personal computer PC1 embodiments is an optional removable memory 47 located in the Private Unit 53; the removable memory 47 can be of any form or type or number using any form of one or more direct connections to the Private Unit 53; a thumbdrive or SD card are typical examples, connected to USB, Firewire, or other ports or card slots. Fig. 1 shows as well an optional one or more removable keys 46, of which an access key, an ID authentication key, or an encryption and/or decryption key are examples, also connected to the Private Unit 53 using any form of connection, including the above examples. For microchip 90 (and/or 501) embodiments, wireless connection is a feasible option to enable one or more removable memories 47 or one or more removable keys 46 (or combination of both), particularly for ID authentication and/or access control. In addition, all or part of the Private Unit 53 of a computer PC1 and/or microchip 90 and/or 501 (or wafer 1500, 1501 , 1502, or 1501 can be removable from the remaining portion of the same computer PC1 and/or microchip 90 and/or 501 , including the Public Unit 54; the access control barrier or firewall 50 (or 50a and/or 50b and/or 50c) can be removable with the Private Unit 53 or remain with Public Unit 54.
Similarly, Figure 2 shows a useful architectural example embodiment of any computer or microchip, including a personal computer 1 and/or microchip 90 and/or 501 (or wafer 1500, 1501 , 1502, or 1503) with an inner hardware-based access barrier or firewall 50 separating a Private Unit 53 that is disconnected by hardware from external networks 2 including the Internet 3 and a Public Unit 54 that is connected to external networks including the Internet 3.
In terms of communication between the two Units in the example shown in Figure 2, the Private Unit 53 and Public Unit 54 are connected only by an inner hardware-based access barrier or firewall 50a in the form of a secure, out-only bus (or wire) or channel 55 that transmits data or code that is output from the Private Unit 53 to be input to the Public Unit 54. The user 49 controls the Private Unit 53-located master controlling device 30 (or 31 or 93 or 93'), which controls all traffic on the secure out-only bus or channel 55. Connections between the user 49 and the master controlling device 30 (or 31 or 93 or 93'), as well as between the master controlling device 30 (or 31 or 93 or 93') and any component controlled by it, can be for example hardwired on a motherboard (and/or executed in silicon on a microchip 90 and/or 501) to provide the highest level of security.
In the example shown in Figure 2, there is no corresponding in-only bus or channel 56 transmitting data or code that is output from the Public Unit 54 to be input to the Private Unit 53. By this absence of any bus or channel into the Private Unit 53, all access from the Internet 3 or intervening network 2 to the Private Unit 53 is completely blocked on a permanent basis. Another example is an equivalent wireless connection between the two Units would require a wireless transmitter (and no receiver) in the Private Unit 53 and a receiver (and no transmitter) in the Public Unit 54, so the Private Unit 53 can only transmit data or code to the Public Unit 54 and the Public Unit 54 can only receive data or code from the Private Unit 53 (all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
The Private Unit 53 can include any non-volatile memory, of which read-only memory and read/write memory of which flash memory (and hard drives and optical drives) are examples, and any volatile memory, of which DRAM (dynamic random access memory) is one common example.
An equivalent connection, such as a wireless (including radio and/or optical) connection, to the out-only bus or channel 55 between the two Units 53 and 54 would require at least one wireless transmitter in the Private Unit 53 and at least one receiver in the Public Unit 54, so the Private Unit 53 can transmit data or code to the Public Unit 54 only (all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
An architecture for any computer or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50a arranged in any configuration.
Figure 2 also shows an example embodiment of a firewall 50 located on the periphery of the computer 1 and/or microchip 90 (and/or 501) controlling the connection between the computer and the network 2 and Internet 3; the firewall 50 can be hardwire- controlled directly by the master controlling device 30 (or 31 or 93 or 93'), for example.
Figure 3 is a similar useful architectural example embodiment to that shown in Figure 2, but with the Private Unit 53 and Public Unit 54 connected in terms of communication of data or code by an inner hardware-based access barrier or firewall 50b example that includes a secure, out-only bus or channel 55. The connection between units also includes an in-only bus or channel 56 that is capable of transmitting data or code that is output from the Public Unit 54 to be input into the Private Unit 53, strictly controlled by the master controller 30 (and/or 31 and/or 93 and/or 93') in the Private Unit 53. The in-only bus or channel 56 includes an input on/off switch (and/or microchip or nanochip circuit equivalent) 57 that can break the bus 56 Public to Private connection between Units, the switch 57 being controlled by the Private Unit 53-located master controlling device 30 (or 31 or 93 or 93'), which also controls all traffic on the in-only bus or channel 56; the control can be hardwired.
For one example, the master controller 30 (or 31 or 93 or 93') can by default use the on/off switch and/or micro-circuit (or nano-circuit) equivalent 57 to break the connection provided by the in-only bus or channel 56 to the Private Unit 53 from the Public Unit 54 whenever the Public Unit 54 is connected to the Internet 3 (or intermediate network 2). In an alternate example, the master controller 30 (or 31 or 93 or 93') can use the on/off switch and/or micro or nano-circuit equivalent 57 to make the connection provided by the in-only bus or channel 56 to the Private Unit 53 only when very selective criteria or conditions have been met first, an example of which would be exclusion of all input except when encrypted and from one of only a few authorized (and carefully authenticated) sources, so that Public Unit 54 input to the Private Unit 53 is extremely limited and tightly controlled from the Private Unit 53.
Another example is an equivalent connection, such as a wireless (including radio and/or optical) connection, to the in-only bus or channel 56 with an input on/off switch 57 between the two Units 53 and 54 would require at least one wireless receiver in the Private Unit 53 and at least one transmitter in the Public Unit 54, so the Private Unit 53 can receive data or code from the Public Unit 54 while controlling that reception of data or code by controlling its receiver, switching it either "on" when the Public Unit 54 is disconnected from external networks 2 and/or 3, for example, or "off' when the Public Unit 54 is connected to external networks 2 and/or 3 (all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
An architecture for any computer and/or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50b arranged in any configuration.
Figure 4 is a similar useful architectural example embodiment to that shown in Figure 2 and 3, but with Private Unit 53 and Public Unit 54 connected in terms of communication of data or code by an inner hardware-based access barrier or firewall 50c example that also includes an output on/off switch and/or microcircuit equivalent 58 on the secure out-only bus or channel 55, in addition to the input on/off switch and/or microcircuit (or nano-circuit) equivalent 57 on the in-only bus or channel 56.
The output switch or microcircuit equivalent 58 is capable of disconnecting the Public Unit 54 from the Private Unit 53 when the Public Unit 54 is being permitted by the master controller 30 (or 31 or 93 or 93') to perform a private operation controlled (completely or in part) by an authorized third party user from the Internet 3, as discussed previously by the applicant relative to Figure 17D and associated textual specification of the '657 Application incorporated above. The user 49 using the master controller 30 (or 31 or 93 or 93') always remains in preemptive control on the Public Unit 54 and can at any time for any reason interrupt or terminate any such third party-controlled operation. The master controller 30 (or 31 or 93 or 93') controls both on/off switches 57 and 58 and traffic (data and code) on both buses or channels 55 and 56 and the control can be hardwired.
Another example is an equivalent connection, such as a wireless connection, to the in-only bus or channel 56 and out-only bus or channel 55, each with an on/off switch
57 and 58 between the two Units 53 and 54, would require at least one wireless transmitter and at least one receiver in the Private Unit 53, as well as at least one transmitter and at least one receiver in the Public Unit 54, so the Private Unit 53 can send or receive data or code to or from the Public Unit 54 by directly controlling the "on" or "off' state of its transmitter and receiver, controlling that flow of data or code depending, for example on the state of external network 2 or Internet 3 connection of the Public Unit 54 (again, all exclusive of external wireless transmitters or receivers of the PC1 and/or microchip 90 and/or 501).
An architecture for any computer and/or microchip (or nanochip) can have any number of inner hardware-based access barriers or firewalls 50c arranged in any configuration.
Figure 5 shows an architectural example embodiment of a first computer (personal computer 1 and/or microchip 90 and/or 501 or wafer 1500, or 1501 , 1502, or 1503) functioning as a Private Unit 53' that is connected to at least a second computer (or to a multitude of computers, including personal computers 1 and/or microchips 90 and/or 501 or 1500, 1501 , 1502, or 1503) functioning as a Public Unit or Units 54'. The connection between the private computer 53' and the public computer or computers 54' is made including the same inner hardware-based access barrier or firewall 50c architecture that includes the same buses and channels 55 and 56 with the same on/off switches 57 and
58 as previously described above in the Figure 4 example above and can use the same hardwire control. Alternatively, inner hardware-based access barriers or firewalls 50a or 50b can be used. In addition, inner hardware-based access barriers or firewalls 50a, 50b, and 50c can be used within the first and/or second computers.
The connection between the first and second computer can be any connection, including a wired network connection like the Ethernet, for example, or a wireless network connection, similar to the examples described above in previous Figures 2-4. In the Ethernet example, either on/off switch 57 or 58 can be functionally replaced like in a wireless connection by control of an output transmitter or an input receiver on either bus or channel 55 or 56; the transmitter or receiver being turned on or off, which of course amounts functionally to mere locating the on/off switches 55 or 56 in the proper position on the bus or channel 55 or 56 to control the appropriate transmitter or receiver, as is true for the examples in previous figures.
Figure 6 shows a useful architectural example embodiment of any computer (a personal computer 1 and/or microchip 90 and/or 501 or wafer 1500, 1501 , 1502, or 1503) similar to Figures 23A and 23B of the '657 Application incorporated by reference above, which showed multiple inner firewalls 50 with progressively greater protection. Figure 6 shows an example of an internal array of inner hardware-based access barriers or firewalls 50c, 50b, and 50a (described in previous Figures 2-4 above) used in a specific sequence between a public unit 54 and a first private unit 53, between the first private unit 53 and a more private second unit 531, and between the more private second unit 531 and a most private third unit 532, respectively.
In addition, Figure 6 shows a useful architectural example embodiment of one or more master controllers-only C (31 or 93') located in the most private unit 532, with one or more microprocessors or processing units or "cores" S (40 or 94) located in the more private unit 531, in the private unit 53, and in the public unit 54. Each of the microprocessors or processing units or cores S can have at least one secondary controller 32 with which it can be integrated, for example.
The microprocessors S (or processing units or cores) can be located in any of the computer units, but the majority in a many core architecture can be in the public unit to maximize sharing and Internet use. Alternatively, for computers that are designed for more security-oriented applications, a majority of the microprocessors S (or processing units or cores) can be located in the private units; any allocation between the public and private units is possible. Any other hardware, software, or firmware component or components can be located in the same manner as are microprocessors S (or master controllers-only C) described above.
An architecture for any computer and/or microchip or nanochip can have any number of inner hardware-based access barriers or firewalls 50a and/or 50b and/or 50c arranged in any combination or configuration.
As shown in Figure 6, the private non-Internet network 52, which was discussed previously relative to Figure 1 , can consist in an example embodiment of more than one network, with each additional non-Internet network 52 being used to connect Private Units 532, 531, and 53 of one computer and/or microchip to separate non-Internet networks 522, 521 and 52, respectively, and that are connected to Private Units 532, 531, and 53, respectively, of other computers and/or microchips. That is, each computer and/or microchip Private Unit 532, 531, and 53 can have its own separate, non-Internet network 522, 521, and 52, respectively, and so that any Private Unit can be connected to other computer PC1 and/or microchip 90 (and/or 501) units of the same level of security; any Private Unit can also be subdivided into subunits of the same level of security. This is a useful embodiment example for making relatively local connections from business or home networks and scales up to large business servers, cloud, or supercomputers applications. The connections can be wired or wireless and local or non-local.
Similarly, a computer PC1 and/or microchip 90 or 501 Public Unit 54 can be subdivided into a number of different levels of security, for example, and each subdivided Public Unit 54 can have a separate, non-Internet connected network 52; and a subdivided Public Unit 54 can be further subdivided with the same level of security. In addition, any hardware component (like a hard drive or Flash memory device (and associated software or firmware), within a private (or public) unit of a given level of security can be connected by a separate non-Internet network 52 to similar components within a private (or public) unit of the same level of security.
Any configuration of access barriers or firewalls 50a and/or 50b and/or 50c can be located between any of the private non-Internet-connected networks 522, 521, and 52, and the Private Units 532, 531, and 53, respectively, providing a useful example of increased security control as shown in Figure 6.
Also shown in the example embodiment of Figure 6, each Private Unit 532, 531, and 53 can have one or more ports (or connections to one or more ports), like for a USB connection to allow for the use of one or more optional removable access and/or encryption or other keys 46, and/or one or more optional removable memory (such as a USB Flash memory thumbdrive) or other device 47, both of which as discussed previously in the text of Figure 1 , which example can also have one or more ports for either 46 and/or 47 and/or other device. The Public Unit 54 can also have one or more of any such removable devices, or ports like a USB port to allow for them.
Any data or code or system state, for example, for any Public or Private Unit 54 or 53 can be displayed to the personal user 49 and can be shown in its own distinctive color or shading or border (or any other visual or audible distinctive characteristic, like the use of flashing text). Figure 6 shows an example embodiment of different colors indicated for each of the Units.
For embodiments requiring a higher level of security, it may be preferable to eliminate permanently or temporarily block (by default or by user choice, for example) the non-Internet network 522 and all ports or port connections in the most private unit 532.
The public unit 54 can be subdivided into an encrypted area (and can include encryption/decryption hardware) and an open, unencrypted area, as can any of the private units 53; in both cases the master central controller 30, 31 , 93, or 93' can control the transfer of any or all code or data between an encrypted area and an unencrypted area considering factors such authentication.
The invention example structural and functional embodiments shown in the above described Figures 1-6, as well as the following Figures 7-16 and the associated textual specification of this application all most directly relate to the example structural and functional embodiments of the inner firewall 50 described in Figures 10A-10D, 10J-10Q, 17A-17D, 23A-23E, 24, 25A-25D and 27A-27G, and associated textual specification, of the above '657 Application incorporated by reference.
Figures 7-14 are useful architectural example embodiments of the inner hardware- based access barriers or firewalls 50a, 50b, and 50c.
Figure 7 shows the fundamental security problem caused by the Internet connection to the classic Von Neumann computer hardware architecture that was created in 1945. At that time there were no other computers and therefore no networks of even the simplest kind, so network security was not a consideration in its fundamental design. Figure 8 shows a useful example embodiment of the applicant's basic architectural solution to the fundamental security problem caused by the Internet, the solution being to protect the central controller of the computer with an inner firewall 50 controlling access by the Internet, as discussed in detail in Figures 10A-10D and 10J-10Q, and associated textual specification of the '657 Application incorporated by reference, as well as earlier in this application. Figure 8 and subsequent figures describe example embodiments of a number of specific forms of an inner hardware-based access barrier or firewall 50, such as access barriers or firewalls 50a and/or 50b and/or 50c as described previously in this application; the number and potential configurations of access barriers or firewalls 50a and/or 50b and/or 50c within any computer, such as computer PC 1 and/or microchip 90 (and/or 501) is without any particular limit.
Figure 9 is a similar embodiment to Figure 8, but also showing a useful architectural example of a central controller integrated with a microprocessor to form a conventional general purpose microprocessor or CPU (like an Intel x86 microprocessor, for example). Figure 8 also shows a computer PC1 and/or microchip 90 and/or 501 with many microprocessors or cores.
Figure 10 is the same embodiment as Figure 9, but also shows a major functional benefit of the applicant's access barrier or firewall 50a, 50b, and 50c invention, which is to enable a function to flush away Internet malware by limiting the memory access of malware to DRAM 66 (dynamic random access memory) in the Public Unit 54, which is a useful example of a volatile memory that can be easily and quickly erased by power interruption. The flushing function of a firewall 50 was discussed earlier in detail in Figures 25A-25D and associated textual specification of the '657 Application incorporated by reference earlier. Figure 11 is a useful example embodiment similar to Figure 6 and shows that any computer or microchip can be partitioned into many different layers of public units 54 and private units 53 using an architectural configuration of access barriers or firewalls 50a, 50b, and 50c; the number and arrangement of potential configurations is without any particular limit. The partition architecture provided by firewalls 50 was discussed earlier in detail in Figures 23A-23B and associated textual specification of the '657 Application incorporated by reference earlier.
Figure 12 is another useful architectural example embodiment of the layered use of access barriers or firewalls 50, 50c, 50b, and 50c based on a kernel or onion structure; the number of potential configurations is without any particular limit. This structure was discussed in detail relative to firewalls 50 in Figures 23D-23E and associated textual specification of the '657 Application incorporated by reference earlier.
Figure 13 is a useful architectural example embodiment showing the presence of many Figure 12 layered access barriers or firewalls 50a, 50b, and 50c structures on any of the many hardware, software, and/or firmware components of a computer; the number of potential configurations is without any particular limit. The many layered kernels structure was discussed in more detail in Figure 23C and associated textual specification of the '657 Application incorporated by reference earlier.
Figure 14 is a useful architectural example embodiment similar to Figure 13, but also showing the computer PC1 and/or microchip 90 and/or 501 surrounded by a Faraday Cage 300; the number of potential similar configurations is without any particular limit. This use of Faraday Cages 300 was discussed in detail in Figures 27A-27G and associated textual specification of the '657 Application incorporated by reference earlier.
Figure 14 shows a useful example embodiment of a Faraday Cage 300 surrounding completely a computer PC1 and/or microchip 90 and/or 501. The Faraday Cage 300 can be subdivided by an example partition 301 to protect and separate the Private Unit 53 from the Public Unit 54, so that the Private Unit 53 is completely surrounded by Faraday Cage 3001 and Public Unit 54 is completely surrounded by Faraday Cage 3002, in the example embodiment shown. Each unit can alternatively have a discrete Faraday Cage 300 of its own, instead of partitioning a larger Faraday Cage 300 and the surrounding of a Unit can be complete or partial. Any number or configuration of Faraday Cages can be used in the manner shown generally in Figure 14, including a separate Faraday Cage for any hardware component of the computer or microchip.
The example embodiments shown in Figures 1-4, 6-11 , and 13-16 are a computer of any sort, including a personal computer PC1 ; or a microchip 90 or 501 , including a microprocessor or a system on a chip (SoC) such as a personal computer on a microchip 90; or a combination of both, such as a computer with the architecture shown in Figures 1-4, 6-11 , and 13-16, the computer also including one or more microchips also with the architecture shown in Figures 1-4, 6-11 , and 13-16.
The Public Unit 54 shown in Figures 1-6, 8-11 , and 13-14 can be used in a useful embodiment example to run all or a part of any application (or "apps") downloaded from the Internet or Web, such as the example of any of the many thousands of apps for the Apple iPhone that are downloaded from the Apple Apps Store, or to run applications that are streamed from the Internet or Web. Similarly, all or part of a video or audio file like a movie or music can be downloaded from the Web and played in the Public Unit 54 for viewing and/or listening be the computer user 49.
Some or all personal data pertaining to a user 49 can be kept exclusively on the user's computer PC1 and/or microchip 90 and/or 501 for any cloud application or app to protect the privacy of the user 49 (or kept non-exclusively as a back-up), unlike conventional cloud apps, where the data of a personal user 49 is kept in the cloud and potentially intentionally shared or carelessly compromised without authorization by or knowledge of the personal user 49. In effect, the Public Unit 54 can be a safe and private local cloud, with personal files retained there or in the Private Unit 53. All or part of an app can also potentially be downloaded or streamed to one or more Private Units, including 532, 531, and 53.
Privacy in conventional clouds can also be significantly enhanced using the inner hardware-based access barriers or firewalls 50a and/or 50b and/or 50c described in this application, since each individual or corporate user of the cloud can be assured that their data is safe because it can be physically separated and segregated by hardware, instead of by software alone, as is the case currently.
Similarly, the example embodiment of Figure 6 shows a computer and/or microchip Public Unit 54 and Private Units 53, 531, and 532, each with a separate Faraday Cage. 3004, 3003, 3002, and 3001, respectively, that are create using partitions 301°, 301b, and 301a, respectively. Any Public Unit 54 or Private Unit 53 can be protected by its own Faraday Cage 300. The Faraday Cage 300 can completely or partially surround the any Unit in two or three dimensions.
Figures 8-11 and 13-14 also show example embodiments of a secure control bus (or wire or channel) 48 that connects the master controlling device 30 (or 31) or master control unit 93 (or 93') or central controller (as shown) with the components of the computer PC1 and/or microchip 90 and/or 501 , including those in the Public Unit 54. The secure control bus 48 provides hardwired control of the Public Unit 54 by the central controller in the Private Unit 53. The secure control bus 48 can be isolated from any input from the Internet 3 and/or an intervening other network 2 and/or from any input from any or all parts of the Public Unit 54. The secure control bus 48 can provide and ensure direct preemptive control by the central controller over any or all the components of the computer, including the Public Unit 54 components. The secure control bus 48 can, partially or completely, coincide or be integrated with the bus 55, for example. The secure control bus 48 is configured in a manner such that it cannot be affected, interfered with, altered, read or written to, or superseded by any part of the Public Unit 54 or any input from the Internet 3 or network 2, for example. A wireless connection can also provide the function of the secure control bus 48 a manner similar to that describing wireless connections above in Figures 2-6 describing buses 55 and 56.
The secure control bus 48 can also provide connection for the central controller to control a conventional firewall or for example access barrier or firewall 50c located on the periphery of the computer or microchip to control the connection of the computer PC1 and/or microchip 90 and/or 501 to the Internet 3 and/or intervening other network 2.
The secure control bus 48 can also be used by the master central controller 30, 31 , 93, or 93' to control one or more secondary controllers 32 located on the bus 49 or anywhere in the computer PC1 and/or microchip 90 and/or 501 , including in the Public Unit 54 that are used, for example, to control microprocessors or processing units or cores S (40 or 94) located in the Public Unit 54. The one or more secondary controllers 32 can be independent or integrated with the microprocessors or processing units or cores S (40 or 94) shown in Figure 9 and 11 above, for example; such integrated microprocessors can be specially designed or general purpose microprocessors like an Intel x86 microprocessor, for example.
In accordance with the present disclosure, a method of protecting a computer is disclosed in Fig. 15. The computer includes a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware-based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least the master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, the at least one microprocessor of the unprotected portion being separate from and located outside of the inner hardware-based access barrier or firewall. As shown in Fig. 15, the method includes allowing a user of the computer to control the microprocessors (150); connecting the protected portion of the computer through a first connection to at least a first network of computers (152); connecting the unprotected portion of the computer through a second connection to a second network of computers including the Internet (154); denying access by the hardware-based access barrier or firewall to the protected portion of the computer by the second network when the personal computer is connected to the second network (156); and permitting access by another computer in the second network to the one or more of the processing units included in the unprotected portion of the microchip for an operation with the another computer in the second network when the personal computer is connected to the second network (158).
In accordance with the present disclosure, a method of protecting a computer disclosed in Fig. 16. The computer includes a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware-based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least the master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, the at least one microprocessor of the unprotected portion being separate from and located outside of the inner hardware-based access barrier or firewall. As shown in Fig. 16, the method includes connecting the protected portion of the computer through at least a first connection to at least a first network of computers (160); connecting the unprotected portion of the computer through a second connection to a second network of computers including the Internet (162); controlling the computer from the protected portion through the first network (164); and performing operations in the unprotected portion using the second network (166).
Any one or more features or components of Figures 1-16 of this application can be usefully combined with one or more features or components of Figures 1-31 of the above '657 U.S. Application or Figures 1-27 of the above 769 U.S. Application. Each of the above '657 and 769 Applications and their associated U.S. publications are expressly incorporated by reference in its entirety for completeness of disclosure of the applicant's combination of one or more features or components of either of those above two prior applications of this applicant with one or more features or components of this application. All such useful possible combinations are hereby expressly intended by this applicant.
Furthermore, any one or more features or components of Figures 1-16 of this application can be usefully combined with one or more features or components of the figures of the above '049 and '553 U.S. Applications, as well as in the above '428, '250, Ί41 , '449, '906, '275, Ό20, '854, '529, 756, and '233 U.S. Patents. Each of the above '049 and '553 Applications and their associated U.S. publications, as well as the above '428, '250, Ί41 , '449, '906, '275, Ό20, '854, '529, 756, and '233 U.S. Patents are expressly incorporated by reference in its entirety for completeness of disclosure of the applicant's combination of one or more features or components of either of those above two prior applications of this applicant with one or more features or components of this application. All such useful possible combinations are hereby expressly intended by this applicant.
In addition, one or more features or components of any one of Figures 1-16 or associated textual specification of this application can be usefully combined with one or more features or components of any one or more other of Figures 1-16 or associated textual specification of this application. And any such combination derived from the figures or associated text of this application can also be combined with any feature or component of the figures or associated text of any of the above incorporated by reference U.S. Applications '657, 769, Ό49, and '553, as well as U.S. Patents Numbers '428, '250, Ί41 , '449, '906, '275, Ό20, '854, '529, '756, and '233.

Claims

CLAIMS:
1. A personal computer, comprising:
a microchip including
a microprocessor, the microprocessor including
a master control unit that is configured using hardware and firmware, and
at least two processing units;
the master control unit of the microprocessor being further configured to allow a user of the personal computer to control the processing units of the microprocessor;
an inner hardware-based access barrier or firewall that is located between a protected portion of the microchip and an unprotected portion of the microchip;
said protected portion of the microchip being configured for at least a first connection to at least a first network of computers and including
at least said master control unit of the microprocessor and at least one of the processing units of the microprocessor, said unprotected portion of the microchip being configured for a second connection to a second network of computers including the Internet and including one or more of the processing units of the microprocessor, said one or more unprotected processing units being separate from and located outside of said inner hardware-based access barrier or firewall;
said inner hardware-based access barrier or firewall denying access to said protected portion of the microchip by a network including the Internet when the personal computer is connected to the network including the Internet; and
said inner hardware-based access barrier or firewall permitting access by another computer in the network including the Internet to said one or more of the processing units included in the unprotected portion of the microchip for an operation with said another computer in the network including the Internet when the personal computer is connected to the network including the Internet.
2. A computer, comprising:
a master controlling device that is configured using hardware and firmware, at least two microprocessors; and
the master controlling device of the computer being further configured to allow a user of the computer to control the microprocessors;
an inner hardware-based access barrier or firewall that is located between a protected portion of the computer and an unprotected portion of the computer;
said protected portion of the computer being configured for at least a first connection to at least a first network of computers and including
at least said master controlling device and
at least one of the microprocessors,
said unprotected portion of the computer being configured for a second connection to a second network of computers including the Internet and including one or more of the microprocessors, said one or more unprotected microprocessors being separate from and located outside of said inner hardware-based access barrier or firewall;
said hardware-based access barrier or firewall denying access to said protected portion of the computer by a network including the Internet when the computer is connected to the network including the Internet; and
said hardware-based access barrier or firewall permitting access by another computer in the network including the Internet to said one or more of the microprocessors included in the unprotected portion of the computer for an operation with said another computer in the network including the Internet when the computer is connected to the network including the Internet.
3. A microchip, comprising:
a microprocessor, the microprocessor including
a master control unit that is configured using hardware and firmware, and at least two processing units;
the master control unit of the microprocessor being further configured to allow a user of the microchip to control the processing units of the microprocessor;
an inner hardware-based access barrier or firewall that is located between a protected portion of the microchip and an unprotected portion of the microchip;
said protected portion of the microchip configured for at least a first connection to at least a first network of computers and including
at least said master control unit of the microprocessor and
at least one of the processing units of the microprocessor,
said unprotected portion of the microchip configured for a second connection to a second network of computers including the Internet and including one or more of the processing units of the microprocessor, said one or more unprotected processing units being separate from and located outside of said inner hardware-based access barrier or firewall;
said hardware-based access barrier or firewall denying access to said protected portion of the microchip by a network including the Internet when the computer is connected to the network including the Internet; and
said hardware-based access barrier or firewall permitting access by another computer in the network including the Internet to said one or more of the processing units included in the unprotected portion of the microchip for an operation with said another computer in the network including the Internet when the microchip is connected to the network including the Internet.
4. The computer of claim 1 , wherein said first network excludes the Internet.
5. The computer of claim 2, wherein said first network excludes the Internet.
6. The microchip of claim 3, wherein said first network excludes the Internet.
7. The computer of claim 4, wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion.
8. The computer of claim 5, wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion.
9. The microchip of claim 6, wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion.
10. The computer of claim 7, wherein the protected portion and the unprotected portion also are connected by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
11. The computer of claim 8, wherein the protected portion and the unprotected portion also are connected by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
12. The microchip of claim 9, wherein the protected portion and the unprotected portion also are connected by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
13. The computer of claim 10, wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
14. The computer of claim 11 , wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
15. The microchip of claim 12, wherein the protected portion and the unprotected portion are connected by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
16. The computer of claim 4, wherein an innermost part of the protected portion is connected to an intermediate part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion;
the intermediate part of the protected portion is connected to an outermost part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and also by an in- only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip; and
the outermost part of the protected portion is connected to the unprotected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip, and also by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
17. The computer of claim 5, wherein an innermost part of the protected portion is connected to an intermediate part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion;
the intermediate part of the protected portion is connected to an outermost part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and also by an in- only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip; and
the outermost part of the protected portion is connected to the unprotected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip, and also by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
18. The microchip of claim 6, wherein an innermost part of the protected portion is connected to an intermediate part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion;
the intermediate part of the protected portion is connected to an outermost part of the protected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and also by an in- only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip; and
the outermost part of the protected portion is connected to the unprotected portion by an out-only bus or channel that transmits data or code that is output from the protected portion to be input to the unprotected portion, and by an in-only bus or channel that includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip, and also by an out-only bus or channel that also includes a hardware input on/off switch or equivalent bus signal interruption mechanism or an equivalently functioning circuit on a microchip or nanochip.
19. The computer of claim 16, wherein at least the intermediate and outermost parts of the protected portion is each configured for a separate connection to a separate network of computers that excludes the Internet.
20. The computer of claim 17, wherein at least the intermediate and outermost parts of the protected portion is each configured for a separate connection to a separate network of computers that excludes the Internet.
21. The microchip of claim 18, wherein at least the intermediate and outermost parts of the protected portion is each configured for a separate connection to a separate network of computers that excludes the Internet.
22. The computer of claim 19, wherein the computer is fully protected by a Faraday Cage from an external electromagnetic pulse.
23. The computer of claim 20, wherein the computer is fully protected by a Faraday Cage from an external electromagnetic pulse.
24. The computer of claim 21 , wherein the computer is fully protected by a Faraday Cage from an external electromagnetic pulse.
25. A method of protecting a personal computer having a microchip including a microprocessor, the microprocessor including a master control unit that is configured using hardware and firmware and includes at least two processing units; an inner hardware-based access barrier or firewall that is located between a protected portion of the microchip and an unprotected portion of the microchip, the protected portion including at least said master control unit of the microprocessor and at least one of the processing units of the microprocessor, and the unprotected portion including one or more unprotected processing units that are separate from and located outside of said inner hardware-based access barrier or firewall, comprising:
allowing a user of the personal computer to control the processing units of the microprocessor; connecting said protected portion of the microchip through at least a first connection to at least a first network of computers;
connecting said unprotected portion of the microchip through a second connection to a second network of computers including the Internet;
denying access by the hardware-based access barrier or firewall to said protected portion of the microchip by the second network when the personal computer is connected to the second network; and
permitting access by another computer in the second network to said one or more of the processing units included in the unprotected portion of the microchip for an operation with said another computer in the second network when the personal computer is connected to the second network.
26. A method of protecting a computer having a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware- based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least said master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, said at least one microprocessor of the unprotected portion being separate from and located outside of said inner hardware-based access barrier or firewall, comprising:
allowing a user of the computer to control the microprocessors;
connecting said protected portion of the computer through at least a first connection to at least a first network of computers; connecting said unprotected portion of the computer through a second connection to a second network of computers including the Internet;
denying access by the hardware-based access barrier or firewall to said protected portion of the computer by the second network when the personal computer is connected to the second network; and
permitting access by another computer in the second network to said one or more of the processing units included in the unprotected portion of the microchip for an operation with said another computer in the second network when the personal computer is connected to the second network.
27. A method of protecting a computer having a master controlling device that is configured using hardware and firmware; at least two microprocessors; a protected portion of the computer; an unprotected portion of the computer; and an inner hardware- based access barrier or firewall that is located between the protected portion of the computer and the unprotected portion of the computer, the protected portion including at least said master controlling device and at least one of the microprocessors, and the unprotected portion including at least one of the microprocessors, said at least one microprocessor of the unprotected portion being separate from and located outside of said inner hardware-based access barrier or firewall, comprising:
connecting said protected portion of the computer through at least a first connection to at least a first network of computers;
connecting said unprotected portion of the computer through a second connection to a second network of computers including the Internet;
controlling the computer from the protected portion through the first network; and performing operations in the unprotected portion using the second network.
PCT/US2011/023028 2010-01-26 2011-01-28 The basic architecture for secure internet computers WO2011094616A1 (en)

Priority Applications (10)

Application Number Priority Date Filing Date Title
CA2825850A CA2825850A1 (en) 2010-01-29 2011-01-28 The basic architecture for secure internet computers
US13/398,403 US8429735B2 (en) 2010-01-26 2012-02-16 Method of using one or more secure private networks to actively configure the hardware of a computer or microchip
US13/815,814 US8898768B2 (en) 2010-01-26 2013-03-15 Computer or microchip with a secure control bus connecting a central controller to volatile RAM and the volatile RAM to a network-connected microprocessor
US14/174,693 US10057212B2 (en) 2010-01-26 2014-02-06 Personal computer, smartphone, tablet, or server with a buffer zone without circuitry forming a boundary separating zones with circuitry
US14/333,759 US9009809B2 (en) 2010-01-26 2014-07-17 Computer or microchip with a secure system BIOS and a secure control bus connecting a central controller to many network-connected microprocessors and volatile RAM
US14/334,283 US9003510B2 (en) 2010-01-26 2014-07-17 Computer or microchip with a secure system bios having a separate private network connection to a separate private network
US16/051,054 US10375018B2 (en) 2010-01-26 2018-07-31 Method of using a secure private network to actively configure the hardware of a computer or microchip
US16/456,897 US10965645B2 (en) 2010-01-26 2019-06-28 Computer or microchip with a secure system bios having a separate private network connection to a separate private network
US17/187,279 US11683288B2 (en) 2010-01-26 2021-02-26 Computer or microchip with a secure system bios having a separate private network connection to a separate private network
US18/320,577 US20230300109A1 (en) 2010-01-26 2023-05-19 Method of using a secure private network to actively configure the hardware of a computer or microchip

Applications Claiming Priority (14)

Application Number Priority Date Filing Date Title
US28237810P 2010-01-29 2010-01-29
US61/282,378 2010-01-29
US28247810P 2010-02-17 2010-02-17
US61/282,478 2010-02-17
US28250310P 2010-02-22 2010-02-22
US61/282,503 2010-02-22
US28286110P 2010-04-12 2010-04-12
US61/282,861 2010-04-12
US34401810P 2010-05-07 2010-05-07
US61/344,018 2010-05-07
US201161457184P 2011-01-24 2011-01-24
US61/457,184 2011-01-24
US13/014,201 2011-01-26
US13/014,201 US20110225645A1 (en) 2010-01-26 2011-01-26 Basic architecture for secure internet computers

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
US13/016,527 Continuation-In-Part US8171537B2 (en) 2010-01-26 2011-01-28 Method of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers
PCT/US2011/025257 Continuation-In-Part WO2011103299A1 (en) 2010-01-26 2011-02-17 The basic architecture for secure internet computers

Related Child Applications (3)

Application Number Title Priority Date Filing Date
US13/016,527 Continuation-In-Part US8171537B2 (en) 2010-01-26 2011-01-28 Method of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers
PCT/US2011/025257 Continuation-In-Part WO2011103299A1 (en) 2010-01-26 2011-02-17 The basic architecture for secure internet computers
US13/398,403 Continuation-In-Part US8429735B2 (en) 2010-01-26 2012-02-16 Method of using one or more secure private networks to actively configure the hardware of a computer or microchip

Publications (1)

Publication Number Publication Date
WO2011094616A1 true WO2011094616A1 (en) 2011-08-04

Family

ID=44319821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/023028 WO2011094616A1 (en) 2010-01-26 2011-01-28 The basic architecture for secure internet computers

Country Status (1)

Country Link
WO (1) WO2011094616A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012112794A1 (en) * 2011-02-17 2012-08-23 Ellis Frampton E A method of using a secure private network to actively configure the hardware of a computer or microchip
US8429735B2 (en) 2010-01-26 2013-04-23 Frampton E. Ellis Method of using one or more secure private networks to actively configure the hardware of a computer or microchip
US8892627B2 (en) 1996-11-29 2014-11-18 Frampton E. Ellis Computers or microchips with a primary internal hardware firewall and with multiple internal harware compartments protected by multiple secondary interior hardware firewalls
US9021011B2 (en) 1996-11-29 2015-04-28 Frampton E. Ellis Computer or microchip including a network portion with RAM memory erasable by a firewall-protected master controller
US9183410B2 (en) 1996-11-29 2015-11-10 Frampton E. Ellis Computer or microchip with an internal hardware firewall and a master controlling device
US9568946B2 (en) 2007-11-21 2017-02-14 Frampton E. Ellis Microchip with faraday cages and internal flexibility sipes
CN107924365A (en) * 2015-08-31 2018-04-17 纽曼H-R计算机设计有限责任公司 Anti- hacker's Computer Design
EP4198794A4 (en) * 2020-08-11 2024-05-15 Chung Jong Lee Compartmentalized security device, computer including compartmentalized computing module, and hacking prevention method
EP4198795A4 (en) * 2020-08-11 2024-10-16 Chung Jong Lee Mobile computing device comprising compartmentalized computing module

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US1420111A (en) 1917-08-17 1922-06-20 Krantz Mfg Company Inc Safety panel box
US6167428A (en) 1996-11-29 2000-12-26 Ellis; Frampton E. Personal computer microprocessor firewalls for internet distributed processing
EP1164766A2 (en) * 2000-06-16 2001-12-19 Ionos Co., Ltd. Switch connection control apparatus for channels
US6725250B1 (en) 1996-11-29 2004-04-20 Ellis, Iii Frampton E. Global network computers
US6732141B2 (en) 1996-11-29 2004-05-04 Frampton Erroll Ellis Commercial distributed processing by personal computers over the internet
US20040098621A1 (en) * 2002-11-20 2004-05-20 Brandl Raymond System and method for selectively isolating a computer from a computer network
US20040215931A1 (en) 1996-11-29 2004-10-28 Ellis Frampton E. Global network computers
US20050180095A1 (en) 1996-11-29 2005-08-18 Ellis Frampton E. Global network computers
US7024449B1 (en) 1996-11-29 2006-04-04 Ellis Iii Frampton E Global network computers
US7035906B1 (en) 1996-11-29 2006-04-25 Ellis Iii Frampton E Global network computers
US20070162974A1 (en) * 2005-07-09 2007-07-12 Ads-Tec Automation Daten- Und Systemtechnik Gmbh Protection System for a Data Processing Device
US7506020B2 (en) 1996-11-29 2009-03-17 Frampton E Ellis Global network computers
US20090168329A1 (en) 2007-11-21 2009-07-02 Ellis Frampton E Devices with faraday cages and internal flexibility sipes
US20090200661A1 (en) 2007-11-21 2009-08-13 Ellis Frampton E Devices with faraday cages and internal flexibility sipes
US7634529B2 (en) 1996-11-29 2009-12-15 Ellis Iii Frampton E Personal and server computers having microchips with multiple processing units and internal firewalls

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US1420111A (en) 1917-08-17 1922-06-20 Krantz Mfg Company Inc Safety panel box
US7024449B1 (en) 1996-11-29 2006-04-04 Ellis Iii Frampton E Global network computers
US6725250B1 (en) 1996-11-29 2004-04-20 Ellis, Iii Frampton E. Global network computers
US7047275B1 (en) 1996-11-29 2006-05-16 Ellis Frampton E Internal firewall for a personal computer to deny access by a network to a user's secure portion
US7035906B1 (en) 1996-11-29 2006-04-25 Ellis Iii Frampton E Global network computers
US7805756B2 (en) 1996-11-29 2010-09-28 Frampton E Ellis Microchips with inner firewalls, faraday cages, and/or photovoltaic cells
US20040215931A1 (en) 1996-11-29 2004-10-28 Ellis Frampton E. Global network computers
US20050180095A1 (en) 1996-11-29 2005-08-18 Ellis Frampton E. Global network computers
US6167428A (en) 1996-11-29 2000-12-26 Ellis; Frampton E. Personal computer microprocessor firewalls for internet distributed processing
US7814233B2 (en) 1996-11-29 2010-10-12 Ellis Frampton E Computer and microprocessor control units that are inaccessible from the internet
US7634529B2 (en) 1996-11-29 2009-12-15 Ellis Iii Frampton E Personal and server computers having microchips with multiple processing units and internal firewalls
US6732141B2 (en) 1996-11-29 2004-05-04 Frampton Erroll Ellis Commercial distributed processing by personal computers over the internet
US7506020B2 (en) 1996-11-29 2009-03-17 Frampton E Ellis Global network computers
US7606854B2 (en) 1996-11-29 2009-10-20 Ellis Iii Frampton E Internal hardware firewalls for microchips
EP1164766A2 (en) * 2000-06-16 2001-12-19 Ionos Co., Ltd. Switch connection control apparatus for channels
US20040098621A1 (en) * 2002-11-20 2004-05-20 Brandl Raymond System and method for selectively isolating a computer from a computer network
US20070162974A1 (en) * 2005-07-09 2007-07-12 Ads-Tec Automation Daten- Und Systemtechnik Gmbh Protection System for a Data Processing Device
US20090200661A1 (en) 2007-11-21 2009-08-13 Ellis Frampton E Devices with faraday cages and internal flexibility sipes
US20090168329A1 (en) 2007-11-21 2009-07-02 Ellis Frampton E Devices with faraday cages and internal flexibility sipes

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9021011B2 (en) 1996-11-29 2015-04-28 Frampton E. Ellis Computer or microchip including a network portion with RAM memory erasable by a firewall-protected master controller
US8892627B2 (en) 1996-11-29 2014-11-18 Frampton E. Ellis Computers or microchips with a primary internal hardware firewall and with multiple internal harware compartments protected by multiple secondary interior hardware firewalls
US9531671B2 (en) 1996-11-29 2016-12-27 Frampton E. Ellis Computer or microchip controlled by a firewall-protected master controlling microprocessor and firmware
US9183410B2 (en) 1996-11-29 2015-11-10 Frampton E. Ellis Computer or microchip with an internal hardware firewall and a master controlling device
US9172676B2 (en) 1996-11-29 2015-10-27 Frampton E. Ellis Computer or microchip with its system bios protected by one or more internal hardware firewalls
US9568946B2 (en) 2007-11-21 2017-02-14 Frampton E. Ellis Microchip with faraday cages and internal flexibility sipes
US9003510B2 (en) 2010-01-26 2015-04-07 Frampton E. Ellis Computer or microchip with a secure system bios having a separate private network connection to a separate private network
US9009809B2 (en) 2010-01-26 2015-04-14 Frampton E. Ellis Computer or microchip with a secure system BIOS and a secure control bus connecting a central controller to many network-connected microprocessors and volatile RAM
US8898768B2 (en) 2010-01-26 2014-11-25 Frampton E. Ellis Computer or microchip with a secure control bus connecting a central controller to volatile RAM and the volatile RAM to a network-connected microprocessor
US8429735B2 (en) 2010-01-26 2013-04-23 Frampton E. Ellis Method of using one or more secure private networks to actively configure the hardware of a computer or microchip
US10057212B2 (en) 2010-01-26 2018-08-21 Frampton E. Ellis Personal computer, smartphone, tablet, or server with a buffer zone without circuitry forming a boundary separating zones with circuitry
US10375018B2 (en) 2010-01-26 2019-08-06 Frampton E. Ellis Method of using a secure private network to actively configure the hardware of a computer or microchip
US10965645B2 (en) 2010-01-26 2021-03-30 Frampton E. Ellis Computer or microchip with a secure system bios having a separate private network connection to a separate private network
US11683288B2 (en) 2010-01-26 2023-06-20 Frampton E. Ellis Computer or microchip with a secure system bios having a separate private network connection to a separate private network
WO2012112794A1 (en) * 2011-02-17 2012-08-23 Ellis Frampton E A method of using a secure private network to actively configure the hardware of a computer or microchip
CN107924365A (en) * 2015-08-31 2018-04-17 纽曼H-R计算机设计有限责任公司 Anti- hacker's Computer Design
EP4198794A4 (en) * 2020-08-11 2024-05-15 Chung Jong Lee Compartmentalized security device, computer including compartmentalized computing module, and hacking prevention method
EP4198795A4 (en) * 2020-08-11 2024-10-16 Chung Jong Lee Mobile computing device comprising compartmentalized computing module

Similar Documents

Publication Publication Date Title
US8171537B2 (en) Method of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers
US20210185005A1 (en) Method of using a secure private network to actively configure the hardware of a computer or microchip
US8474033B2 (en) Computer or microchip with a master controller connected by a secure control bus to networked microprocessors or cores
WO2011094616A1 (en) The basic architecture for secure internet computers
US20110225645A1 (en) Basic architecture for secure internet computers
US11916872B2 (en) Integrated network security appliance, platform and system
EP3635912B1 (en) Integrated multi-level network appliance, platform and system, and remote management method and system therefor
WO2011103299A1 (en) The basic architecture for secure internet computers
US9374344B1 (en) Secure end-to-end communication system
CN102281297A (en) Method, apparatus, and system for enabling a secure location-aware platform
US10116622B2 (en) Secure communication channel using a blade server
CN105049412A (en) Secure data exchange method, device and equipment among different networks
US11321493B2 (en) Hardware security module, and trusted hardware network interconnection device and resources
WO2012112794A1 (en) A method of using a secure private network to actively configure the hardware of a computer or microchip
US20230300109A1 (en) Method of using a secure private network to actively configure the hardware of a computer or microchip
CN103679063A (en) Multi-domain switching system and method having access to virtualized desktop
EP3239887B1 (en) System and method for protecting transmission of audio data from microphone to application processes

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11706057

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11706057

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2825850

Country of ref document: CA