CN1243312C - Embedded safety module and its safety protection method - Google Patents
Embedded safety module and its safety protection method Download PDFInfo
- Publication number
- CN1243312C CN1243312C CN 01138249 CN01138249A CN1243312C CN 1243312 C CN1243312 C CN 1243312C CN 01138249 CN01138249 CN 01138249 CN 01138249 A CN01138249 A CN 01138249A CN 1243312 C CN1243312 C CN 1243312C
- Authority
- CN
- China
- Prior art keywords
- security module
- circuit
- computing machine
- safety
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The present invention relates to an embedded safety module and a safety protection method thereof, which belongs to the technical field of information security. The safety module comprises a central processing unit (CPU) for safety management, a memory, an input and output unit for transmitting information with the outside, and a safety control unit for managing and controlling the underlayer hardware of a computer. In the safety protection method, the safety module outputs control signals to start or stop or control the underlayer hardware devices of computers through the safety control unit according to users' authority information conveyed to the safety module by the input and output unit. The present invention has the advantages that the hardware resources of a computer are not completely opened any longer but managed and controlled by the safety module, the safety of a computer is protected from the bottom layer of the hardware, and the usage permission of users with different identity is limited.
Description
Technical field
The present invention relates to a kind of embedded safety module, belong to field of information security technology, be particularly suitable for the strict occasion of computer information safe is used.
Background technology
In the existing computer system framework, all be open to the visit of any standard device, as floppy disk, hard disk drive, PCI equipment, USB device.The read-write mode of these equipment and communications protocol all are disclosed, and it allows Any user directly to visit these equipment, and can directly read information from these equipment.Because this open framework makes the assailant of some malice to obtain the information of Computer Storage by these hardware devices of direct read, or destroys these information.Such as an assailant can be directly the direct sense data from hard disk magnetic track sector of program direct control hard disk drive by bottom, the data of DISK to Image can be read by this method, analyzed, therefrom extract the data that needs, perhaps by simple low-level formatting program crash DISK to Image data.Because this attack can not rely on specific operating system, this makes any protection based on operating system and upper layer software (applications) thereof all can't prevent this attack.The people of a familiar with computers system even can revise BIOS or from newly writing bsp driver, thereby make this attack can not rely on BIOS, thereby avoid the restriction of some BIOS, perhaps by revising BIOS computing machine is destroyed, the virus CIH of outburst is exactly an example of revising BIOS before resembling.
Summary of the invention
The objective of the invention is to, solve the problem of aforementioned calculation machine safety, it is embedded safety module that a kind of computer safety protective device is provided.Described embedded safety module is the core as the computer information safe protection; it can supervisory control computer bottom hardware equipment; have user right or identity information input interface, the control of authority of the bottom hardware that can use a computer to the user of different identity.
The technical scheme of a kind of embedded safety module of the present invention is to realize like this; It comprises a central processing unit (CPU) that is used for safety management; Also have storer and be used for input, output unit with outside transmission information; And the security control unit of the bottom hardware of management, control computer; Described input, output unit be with user special information input equipment interface be connected computing machine be used for security module and calculate between the interface of exchange message; Described user special information input equipment is the IC-card card reader, or/and identification equipments such as fingerprint, sound, images, and other light, electric identification equipment; The information that exchanges between described security module and the computing machine can be the command information of transmitting between computing machine and the module, or computing machine is transferred to the data message of resume module; Described security control unit is a circuit that is connected to computing machine and the computing machine bottom hardware is managed control; The control bus of this circuit is I
2One or more of C bus, pci bus, usb bus, universal serial bus, parallel bus or other private bus, the computing machine bottom hardware of being managed can be a USB device, PCI equipment, hard disk drive, software driver, serial communication equipment, parallel communication equipment, keyboard, mouse, and one or more of other controllable devices.
Being suitable for method for security protection of the present invention is: described security module is sent to the user right information of security module according to its input-output unit, opens or closes or the hardware device of control computer bottom by safety control module output control signal.
The invention has the advantages that: the hardware resource of computing machine no longer is wide-open, but manages control by security module, from hardware bottom layer computing machine is carried out safeguard protection, and the user's of different identity rights of using are limited.
Description of drawings
Fig. 1 is the security module structural representation;
Fig. 2 is the computer control part synoptic diagram supporting with security module;
Fig. 3 is an embodiment component parts synoptic diagram more specifically;
Fig. 4 is security module workflow and method for security protection synoptic diagram.
Embodiment
As shown in Figure 1, security module of the present invention is a hardware module, can also be the chip that comprises the security module parts, or comprises the device of other packing forms of security module parts; Security module is to be embedded in the computing machine computer-implemented security control, can also be outer hanging over outside the computing machine; Security module has a central processing unit (CPU) 1, and it is based on the processor of the kernel of X86, can also be the processor of ARM.MIPS.POWERPC kernel, or other application specific processors; A storer 2 is arranged, and it is that storer 2.2 as Fig. 3 random access memory 2.1 and electrically-erasable is or/and ROM (read-only memory); Also have input-output unit 3 shown in Figure 1, it is a user special information input equipment interface 3.3, connects the interface 3.1,3.2 that computing machine is used for module and intercomputer exchange message; User special information input equipment as shown in the figure is an IC-card card reader 5, can also be the fingerprint identification equipment, voice-recognition device, and one or more of other photoelectricity identification equipments; Also have clock circuit 3.4 or/and warning circuit 3.5, clock circuit 3.4 is circuit that security module provides time reference, and warning circuit is the circuit that security module detects the abnormity notifying user; The information that exchanges between security module and the computing machine can be the command information of transmitting between computing machine and the module, can also be the data message that computing machine is transferred to resume module.This processing is encryption and deciphering etc.As shown in Figure 1, the security control unit 4 of security module is a circuit that is connected to computing machine and the computing machine bottom hardware is managed control; The control bus of this circuit is I as shown in Figure 3
2C bus 4.1 can also be a usb bus, or universal serial bus, or parallel bus, or one or more of other private buss; The computing machine bottom hardware of described management can be a USB device 16 as shown in Figure 2, PCI equipment 12, hard disk drive 20, floppy disk 22, serial communication equipment 14, parallel communication equipment 10, one or more of keyboard, mouse 8 and other controllable devices 18.
Computing machine that security module of the present invention is supporting or similar devices comprise at least one on-off circuit 6 as shown in Figure 2, the signal that this circuit is connected with the control module 4 of security module by an energy at least opens or closes computing machine relevant hardware resource by this signal control switch circuit 7,9,10 etc.Described similar devices can be an industrial control equipment.
Be security module of the present invention embodiment more specifically as shown in Figure 3.The present embodiment security module is by a central processing unit 1, and storer 2 has 2.1, one electrically-erasable storeies 2.2 of a random access memory, and input-output unit 3 also has the interface circuit 3.3 of 3.5, one IC-cards of 3.4, one warning circuits of a real time clock circuit; Security control unit 4 is I
2C bus controller 4.1.Central processing unit 1 is used for safe handling, random access memory 2.1 is used for the stored programme ephemeral data, electrically-erasable storer 2.2 is used for stored programme itself and needs data information stored, real time clock circuit 3.4 is used for providing a time reference to security module, warning circuit 3.5 is by the alarm abnormal conditions, and 7816 bus controllers 3.3 offer the security module user special information as a kind of authentication interface.That safety control circuit uses is I
2C bus controller 4.1 output control signals, this control signal is connected on the on-off circuit 6 on the computer motherboard (as shown in Figure 2) by this bus controller, and this on-off circuit also comprises one I
2The GPIO expanded circuit of C bus interface and the on-off circuit that is connected with this expanded circuit output terminal (as Fig. 27,9,11,15,19,21,13,17), the floppy disk 22 of this on-off circuit control computer, hard disk drive 20, PCI equipment 12, USB device 16, serial communication equipment 14, parallel communication equipment 10, keyboard, mouse 3 On/Off, this on-off circuit and be connected to opening computer circuit 23 and reset circuit 24 replaces former opening computer button 25, reset button 26.
As shown in Figure 4 be security module workflow and method for security protection synoptic diagram:
Among the figure, before the computer system operate as normal, security module at first starts, and promptly carries out self-check program after security module starts, after self check occurs unusually, security module is reported to the police by warning circuit, waits for that the user handles, after self check is normal, security module waits for that the user inserts IC-card, after the user inserted IC-card, the legitimacy of security module checking IC-card had only the legal security module of IC-card (ESM) just to power up, wait for computer run by safety control circuit to computing machine; After powering up, computing machine begins to enter bios program; After BIOS finishes computing machine self initialization, eject an interface that requires the user to input password, after the user inputs password, computing machine is sent to security module with this password by input, output port, and the order of sending authentication password to security module, security module begins authentication procedure, reads encrypted message and input password with the user and verify from IC-card, if authentication error, security module notice computing machine also requires the user to re-enter password; After authentication was correct, security module was taken out the user right data from IC-card, and security module is opened the corresponding bottom hardware equipment of computing machine according to the user right data, and notice BIOS continued to carry out bios program after this process was finished; BIOS gives operating system with control after finishing self program, and operating system is taken out information such as user right from security module, the beginning application program; When application program detects abnormal conditions, application program is notified security module by operating system, security module is reported to the police, and with abnormal conditions records, be stored in the storer of electrically-erasable, the time of record is that the real-time clock by security module itself provides, and closes corresponding calculated machine hardware bottom layer equipment according to the grade of abnormal conditions.In a word; the method for security protection of described security module; being security module is sent to the user right information of security module according to its input-output unit, opens or closes or the method for the hardware device of control computer bottom by security control unit output control signal.
Claims (7)
1, a kind of embedded safety module is characterized in that, it comprises:
A central processing unit (CPU) (1) that is used for safety management;
Also has storer (2); With
Be used for input, output unit (3) with outside transmission information; And
The security control unit (4) of management, control computer bottom hardware;
Described input, output unit (3) be with user special information input equipment interface be connected computing machine be used for security module and calculate between the interface of exchange message; Described user special information input equipment is the IC-card card reader, or/and identification equipments such as fingerprint, sound, images, and other light, electric identification equipment; The information that exchanges between described security module and the computing machine can be the command information of transmitting between computing machine and the module, or computing machine is transferred to the data message of resume module; Described security control unit (4) is a circuit that is connected to computing machine and the computing machine bottom hardware is managed control; The control bus of this circuit is one or more of I2C bus (4.1), pci bus, usb bus, universal serial bus, parallel bus or other private bus, the computing machine bottom hardware of being managed can be USB device (6), PCI equipment (12), hard disk drive (20), software driver (2), serial communication equipment (14), parallel communication equipment (10), keyboard, mouse (8), and one or more of other controllable devices.
2, security module according to claim 1 is characterized in that, described central processing unit (CPU) (1) is based on the processor of X86 kernel, can also be the processor of ARM, MIPS, POWER PC kernel, or other application specific processors.
3, security module according to claim 1 is characterized in that, described storer (2) is the storer of random access memory and electrically-erasable, or/and ROM (read-only memory).
4, security module according to claim 1 is characterized in that, it also has a clock circuit (3.4), or/and warning circuit (3.5); Described clock circuit (3.4) is the circuit that security module provides time reference; Described warning circuit (3.5) is that security module detects the circuit that abnormal conditions are notified the user.
5, security module according to claim 1 is characterized in that, it is hardware module for a security module, or comprises the chip of the parts of security module, or comprises the device of other packing forms of security module parts.
6, security module according to claim 1 is characterized in that, its security control unit (4) and controlled computing machine or similarly equipment be connected.
7, the computing machine that is complementary of the described security module of a kind of and claim 6 or similarly equipment, it is characterized in that, it has at least one on-off circuit, the input interface that this circuit has at least an energy to be connected with the security control unit (4) of security module, described on-off circuit is the circuit of control computer bottom hardware On/Off, described hardware comprises firmly, floppy disk, keyboard, mouse, printer etc., one or more of PCI equipment, USB device are the hardware by the security module control and management; Described similar devices can be an industrial control equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 01138249 CN1243312C (en) | 2001-12-05 | 2001-12-05 | Embedded safety module and its safety protection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 01138249 CN1243312C (en) | 2001-12-05 | 2001-12-05 | Embedded safety module and its safety protection method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1423202A CN1423202A (en) | 2003-06-11 |
| CN1243312C true CN1243312C (en) | 2006-02-22 |
Family
ID=4674466
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 01138249 Expired - Fee Related CN1243312C (en) | 2001-12-05 | 2001-12-05 | Embedded safety module and its safety protection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1243312C (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101320410B (en) * | 2008-05-20 | 2010-09-08 | 北京深思洛克软件技术股份有限公司 | Copyright protection method of embedded system |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049715A (en) * | 2013-01-04 | 2013-04-17 | 上海瑞达安全集成电路有限公司 | Computer capable of controlling enabling of peripherals |
| CN105162620B (en) * | 2015-08-04 | 2018-11-27 | 南京百敖软件有限公司 | A method of realizing system monitoring under different framework |
| CN106302397B (en) * | 2016-07-29 | 2019-04-30 | 北京北信源软件股份有限公司 | A kind of equipment identifying system based on device-fingerprint |
| CN107203716B (en) * | 2017-05-03 | 2020-05-22 | 中国科学院信息工程研究所 | Lightweight structured protection method and device for Linux kernel |
| EP3506143B1 (en) * | 2017-12-27 | 2024-02-14 | Siemens Aktiengesellschaft | Interface for a hardware security module |
| CN109902513A (en) * | 2019-03-05 | 2019-06-18 | 黄冈职业技术学院 | A kind of intelligent computer security system |
| CN111783113A (en) * | 2020-06-22 | 2020-10-16 | 济南浪潮高新科技投资发展有限公司 | Data access authority control method based on SAS Controller |
-
2001
- 2001-12-05 CN CN 01138249 patent/CN1243312C/en not_active Expired - Fee Related
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101320410B (en) * | 2008-05-20 | 2010-09-08 | 北京深思洛克软件技术股份有限公司 | Copyright protection method of embedded system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1423202A (en) | 2003-06-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2321055C2 (en) | Device for protecting information from unsanctioned access for computers of informational and computing systems | |
| US9047486B2 (en) | Method for virtualizing a personal working environment and device for the same | |
| CN101281570B (en) | Credible computing system | |
| CN100489823C (en) | Method and apparatus for disabling a universal serial bus port | |
| CN100378609C (en) | Method and apparatus for unlocking a computer system hard drive | |
| US7364087B2 (en) | Virtual firmware smart card | |
| US7392404B2 (en) | Enhancing data integrity and security in a processor-based system | |
| US6748544B1 (en) | Discrete, background determination of the adequacy of security features of a computer system | |
| CN101436247A (en) | Biological personal identification method and system based on UEFI | |
| CN103400075A (en) | Hardware-based anti-virus scan service | |
| CN103119560A (en) | Demand based usb proxy for data stores in service processor complex | |
| TW200949601A (en) | Microprocessor apparatus providing for secure interrupts and exceptions | |
| CN101535957A (en) | System and method for sharing atrusted platform module | |
| CN101281572A (en) | USB port access management | |
| CN105122260A (en) | Context based switching to a secure operating system environment | |
| CN101080722A (en) | Techniques for filtering attempts to access component core logic | |
| CN201820230U (en) | Computer and trusted-computing trusted root equipment for same | |
| CN1243312C (en) | Embedded safety module and its safety protection method | |
| CN101140545B (en) | Advices processing device, external device and program | |
| CN102024115B (en) | Computer with user security subsystem | |
| CN2526906Y (en) | Information safety protector | |
| CN104361298A (en) | Method and device for information safety and confidentiality | |
| NL9101594A (en) | COMPUTER SYSTEM WITH SECURITY. | |
| RU2633098C1 (en) | Computer system with remote control by server and device for creating trusted environment and method for implementation of remote control | |
| CN201203867Y (en) | Credible computing system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: JETWAY INFORMATION SECURITY INDUSTRY CO., LTD. Free format text: FORMER NAME: WUHAN JETWAY INFORMATION SECURITY INDUSTRY CO., LTD. |
|
| CP01 | Change in the name or title of a patent holder |
Address after: 430070 Hubei Province, Wuhan city Wuchang District Wuluo Road No. 628 A Asia Trade Plaza, 27 floor Patentee after: JETWAY Information Security Industry Co., Ltd. Address before: 430070 Hubei Province, Wuhan city Wuchang District Wuluo Road No. 628 A Asia Trade Plaza, 27 floor Patentee before: Ruida Electronics Co., Ltd., Wuhan |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Electronic tag, vehicle identification module and embedded safety module separation method Effective date of registration: 20111228 Granted publication date: 20060222 Pledgee: Guangdong Development Bank, Limited by Share Ltd, Wuhan, East Lake branch Pledgor: Ruida information security industry, Limited by Share Ltd|Shanghai Ruida safety integrated circuit Co., Ltd. Registration number: 2011990000522 |
|
| PC01 | Cancellation of the registration of the contract for pledge of patent right |
Date of cancellation: 20140304 Granted publication date: 20060222 Pledgee: Guangdong Development Bank, Limited by Share Ltd, Wuhan, East Lake branch Pledgor: Ruida information security industry, Limited by Share Ltd|Shanghai Ruida safety integrated circuit Co., Ltd. Registration number: 2011990000522 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Electronic tag, vehicle identification module and embedded safety module separation method Effective date of registration: 20140304 Granted publication date: 20060222 Pledgee: Guangdong Development Bank, Limited by Share Ltd, Wuhan, Wuchang branch Pledgor: JETWAY Information Security Industry Co., Ltd. Registration number: 2014990000132 |
|
| PLDC | Enforcement, change and cancellation of contracts on pledge of patent right or utility model | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20060222 Termination date: 20181205 |