CN201514636U

CN201514636U - High-safety information equipment

Info

Publication number: CN201514636U
Application number: CN2009202461488U
Authority: CN
Inventors: 须清
Original assignee: Beijing Paragon Technology Co Ltd
Current assignee: Beijing Paragon Technology Co Ltd
Priority date: 2009-10-23
Filing date: 2009-10-23
Publication date: 2010-06-23
Anticipated expiration: 2019-10-23

Abstract

The utility model provides the high-safety information equipment which comprises an information processing component, a control component and a second storage component, wherein the control component comprises a hardware switch, and the hardware switch at least contains the following two states: a first state and a second state; and at least one control signal line of the information processing component, responsible for the write operation of the second storage component, is connected with the second storage component through the control component. When the hardware switch is in the first state, the control component cuts off the connection of the control signal and the signal line of the second storage component; and when the hardware switch is in the second state, the control component maintains the connection of the control signal and the signal line of the second storage component. Therefore, the software is protected against the attack of the computer virus or the hacker's program and kept running normally, and the information system has complete defense against the computer virus or the hacker's program, therefore, the information system with real security is achieved.

Description

High-security information equipment

Technical field

The utility model relates to high-security information equipment, and the method that particularly adopts processor controls to be connected signal with hardware between the memory bank prevents the method and apparatus of computer virus invasion and computer hacker's attack.

Background technology

The term explanation: said computer virus or virus all are identical implications among the present invention, it is the clearly definition that comprises in the employing " Computer Information System Security Protection Ordinance of the People's Republic of China ", be that computer virus " refers to the destruction computer function working out or insert or destroys data, influence computing machine use and a set of computer instructions or program code that can self-replacation " in computer program; Be also contained in the destruction infosystem function inserted in the infosystem except computing machine or destroy data, influence that infosystem is used and one group of infosystem that can self-replacation is instructed or program code.As the virus in portable terminals such as mobile phone, multimedia portable equipment.

The term explanation: said infosystem is meant with electronic hardware with calculation process device and information recording device and the electronic system of having stored a software program at least, as PC (PC), server, communication apparatus, multimedia equipment, portable terminal etc. among the present invention.

Along with development of computer, the popularity rate of infosystems such as computing machine, portable terminal, communication apparatus is more and more higher, and the kind of computer virus is more and more, causes entirely collapsing of hardware loss, loss of data even infosystem.Particularly along with the development of internet technique, broadcast of computer virus and infection speed improve rapidly, bring the massive losses of a lot of puzzlements and aspects such as economy, spirit for people use infosystem.

Assault provides prestige, the service quality of website to cause great infringement for information service, and the report of the major event that is modified by assault, webpage of the government website of Chu Xianing often influences the image of government.

Prevention method for computer virus adopts computer fire proof wall and installation anti-virus software to carry out killing virus more at present.Wherein computer fire proof wall mainly is to limit or the restriction of part computer program process interface by some PORT COM for computing machine, this method can not be removed the virus that has existed in the infosystem, can not stop the non-network port such as the serial ports, parallel port, USB (universal serial bus) physical interfaces such as (USBs) of viruliferous file by computing machine to import in the infosystem.Anti-virus software generally is made up of virus checking engine (Scan Engine) and virus characteristic storehouse (VirusDefinition).The virus checking engine is checked the file in the infosystem according to the virus characteristic in the virus characteristic storehouse computer documents, if find to have corresponding virus pattern code to exist, then show this document by specific computer virus infection, anti-virus software adopts relative measures that computer virus is removed.Utilize anti-virus software to carry out Prevention and Cure of Computer Virus, need frequent renewal virus characteristic storehouse, because every kind of new computer virus all can have the condition code that is different from known viruse, after new virus produces, by to its analysis, just can find out its condition code, it is added in original virus characteristic storehouse, constantly upgrade anti-virus software could killing new virus, this shows, this method always lags behind the appearance of new virus, can't find for the new virus that does not also show effect in normal program or data of hiding, and can't realize the prevention to new virus, in case the condition of new virus outbreak satisfies, will damage infosystem, light then influence the operation of system, heavy then cause the paralysis of infosystem.And frequent anti-virus software is upgraded and is made troubles and economically continuous input to the user.Even so, because new virus constantly occurs, still can not use by the normal fully of guarantee information system.

For solving the shortcoming of present anti-virus software, people have also proposed some solutions.

On February 16th, 2005 disclosed Chinese patent application whether number be 03143793.1 patent name allow to move this document for the method judgement that discloses the raw information data that adopts record and comparison file before operating file and current file information material in the file of " a kind of method and device that prevents computer virus ", this method can refuse that the file of infective virus is performed at this machine, avoids computer virus further to infect alternative document.But because this document has been stored in this computing machine, may be copied in other infosystems by network or other modes, thereby do not solve the infection of computer virus problem, this document have computer virus before raw information how to judge file simultaneously generated?

On August 17th, 2005 disclosed Chinese patent application number be to disclose in the file of 038118423.4 patent name for " The deformation calculation machine virus detects " to adopt register signatures to detect the virus of distortion and other types, but still be based on the viral test mode of having imported into after the infosystem.

Operation action by watchdog routine is disclosed on August 16th, 2006, disclosed Chinese patent application number was for the file of 200510007682.X patent name for " computer protecting method of analyzing based on program behavior ", with attack record in the recognition rule storehouse and compare and judge whether infective virus of file, this method requires to judge by executive routine, cause viruliferous file to move also transmitted virus, and malicious in spite of illness file can can't be found viruliferous program in advance with being intended to copy between storage medium.

On April 14th, 2004 disclosed Chinese patent application number be that 03156347.3 patent name discloses employing client-server mode in the file of " method of ring property detection computations machine virus is duplicated in a kind of utilization ", metadata on the client computer is sent to the method for carrying out risk assessment in the server, does not still solve the problem of the system of importing into malicious file.

Because such scheme does not still solve the problem that computer virus is propagated, the technology solution that therefore needs to seek other prevents broadcast of computer virus and infection effectively.

The application number that applicant of the present invention applied on November 20th, 2007 is that 200710177690.8 denominations of invention have solved the problem of cutting off the approach of virus disseminating for " a kind of method and apparatus that prevents computer virus " though also be awarded the patented claim of patent for invention, but still do not solve for the network problem that assault causes, the problem of illegally being distorted for webpage does not have fine solution especially.

Summary of the invention

The objective of the invention is to overcome the shortcoming of above-mentioned prior art, propose a kind of high-security information system so that small part solves the shortcoming of prior art, and the method for electrifying startup, software installation, operating software, connection network that just how to realize is studied to realize infosystem ground security and illegally not distorted in high-security information system of the present invention.

For addressing the above problem, the technical solution that the present invention proposes is based on following knowledge and method:

Cause the infosystem of prior art to be by the essence of assault or infected virus: all information of existing information system are stored in the memory unit of infosystem with data mode, the software of infosystem operation can carry out write operation for memory unit, and promptly the memory contents of memory unit can be made amendment by software.Though existing software such as Windows operating system have been taked a lot of safety practices, on the one hand, as long as just might there be leak in the software that people write; Be meant on the other hand and want software can control write operation for memory unit, the hacker just can revise the content of memory unit, and virus just can write its Virus Info the data of destruction memory unit in the memory unit.

Technology of the present invention is a kind of new safety information system of design, the write operation of the memory unit in the infosystem is not to be controlled by software fully, but the write operation by the memory unit in the connection control information system of hardware signal and make this connection control not realized by the software of infosystem or program, when infosystem when the outside provides information, thereby the hardware signal of the write operation by cut off realizing memory unit is realized any assault or virus attack and all can't be revised the content in the memory unit.When needing the content of updated stored parts, realize the renewal operation of information simultaneously by the hardware signal that connects the write operation of realizing memory unit.Cut-out or connection to hardware signal are not subjected to the instruction or the software control of infosystem fully, but are controlled by special hardware switch.The method of corresponding electrifying startup, software installation, operating software, connection network also is different from prior art.

The solution of high-security information system has a plurality of schemes, is respectively:

1, a kind of high-security information system comprises:

Information processing apparatus;

Control assembly, described control assembly comprises hardware switch, and described hardware switch comprises two states at least: first state and second state;

Second storage component, described second storage component is carried out write operation and/or Data Update operation and/or data modification operation to described information processing apparatus and/or data are added operation and/or data deletion is operated and/or at least one control signal wire of Refresh Data operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component.

2, a kind of high-security information system comprises:

Information processing apparatus;

The system bootstrap routine that solidifies, described system bootstrap routine makes described information processing apparatus be in running status;

3, a kind of high-security information system comprises:

Information processing apparatus;

First storage component, described information processing apparatus can carry out data read and data write operation to described first storage component;

Second storage component, described second storage component is carried out write operation and/or Data Update operation and/or data modification operation to described information processing apparatus and/or data are added operation and/or data deletion is operated and/or at least one control signal wire of Refresh Data operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component;

4, a kind of high-security information system comprises:

Information processing apparatus;

5, above four kinds of scheme optimizations is further to comprise information input part, described information input part comprises at least one specific keys, the signal wire of described specific keys is connected with described control assembly, by the operation of described specific keys being controlled the state of described hardware switch.

6, above four kinds of scheme optimizations is further to comprise system shell, described system shell comprises at least one specific keys, the signal wire of described specific keys is connected with described control assembly, by the operation of described specific keys being controlled the state of described hardware switch.

7, above four kinds of scheme optimizations is that described control assembly further comprises electrify restoration circuit, the hardware switch of described control assembly is powered on after always acquiescence be in first state.

8, above four kinds of scheme optimizations is that the hardware switch of described control assembly further comprises the third state.

9, above-mentioned information processing apparatus carries out at least one write control signal line of write operation to described second storage component and at least one read control signal line of read operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and keeps described read control signal to be connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component keeping described read control signal to be connected with the signal wire of described second storage component simultaneously; When described hardware switch was in the third state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and cuts off described read control signal simultaneously and be connected with the signal wire of described second storage component.

The method for energizing and starting of high-security information system is:

1, a kind of method for energizing and starting of high-security information system comprises following operation:

Described high-security information system comprises information processing apparatus, control assembly, second storage component, described control assembly comprises hardware switch, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component, comprises following steps;

Operating described hardware switch makes described hardware switch be in first state;

Power on for described system;

Described control assembly cuts off described control signal and is connected with the signal wire of described second storage component;

Described information processing apparatus is finished power-up initializing.

2, a kind of method for energizing and starting of high-security information system is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, described control assembly comprises hardware switch, described second storage component has been stored at least one software program that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component, comprises following steps;

Power on for described system;

Described information processing apparatus is finished power-up initializing;

Described information processing apparatus reads described software program and stores described first storage component into from described second storage component;

The described software program of described first storage component is stored in described information processing apparatus operation into.

3, a kind of method for energizing and starting of high-security information system is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, the system bootstrap routine that solidifies, described control assembly comprises hardware switch, described second storage component has been stored at least one software program that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component, comprises following steps;

Power on for described system;

Described information processing apparatus is carried out the system bootstrap routine of described curing and is finished power-up initializing;

The software installation method of high-security information system is:

1, a kind of software installation method of high-security information system is characterized in that:

Make described high-security information system be in normal operating condition;

Operate described hardware switch and make described hardware switch be in second state, make described control assembly be communicated with described control signal and be connected with the signal wire of described second storage component;

Described information processing apparatus will need installed software to be installed in described second storage component becomes install software;

Operate described hardware switch and make described hardware switch be in first state, make described control assembly cut off described control signal and be connected with the signal wire of described second storage component.

2, a kind of software installation method of high-security information system is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, described control assembly comprises hardware switch, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component, comprises following steps;

Described information processing apparatus will need installed software to be installed in described first storage component becomes install software;

Described information processing apparatus writes described second storage component after described install software is read from described first storage component;

Operate described hardware switch and make described hardware switch be in first state, make described control assembly cut off described control signal and be connected with the signal wire of described second storage component;

3, a kind of software installation method of high-security information system is characterized in that:

The operating software method of high-security information system is:

1, a kind of operating software method of high-security information system is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, second storage component, described control assembly comprises hardware switch, described second storage component has been stored at least one software program that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described control signal to be connected with the signal wire of described second storage component, comprises following steps;

Described information processing apparatus leaves in the storage space of information processing apparatus from the part or all of code that described second storage component reads described software program;

Described information processing apparatus moves described part or all of code.

2, a kind of operating software method of high-security information system is characterized in that:

3, a kind of operating software method of high-security information system is characterized in that:

The method that high-security information system connects network is:

1, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, second storage component, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch is in second state, described control assembly keeps described control signal to be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

Described information processing apparatus leaves in the storage space of information processing apparatus from the code that described second storage component reads described network linker;

Described information processing apparatus moves described code and realizes and being connected of network.

2, a kind of high-security information system connects the method for network, it is characterized in that:

Described information processing apparatus moves described network linker in the described second storage component and realizes and being connected of network.

3, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch is in second state, described control assembly keeps described control signal to be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

Described information processing apparatus reads described network linker and stores described first storage component into from described second storage component;

The described network linker realization of described first storage component and being connected of network are stored in described information processing apparatus operation into.

4, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, the system bootstrap routine that solidifies, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described information processing apparatus carries out write operation to described second storage component at least one control signal wire is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described control signal and is connected with the signal wire of described second storage component; When described hardware switch is in second state, described control assembly keeps described control signal to be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

5, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, second storage component, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described second storage component is carried out at least one write control signal line of write operation to described information processing apparatus and at least one read control signal line of read operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and keeps described read control signal to be connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component keeping described read control signal to be connected with the signal wire of described second storage component simultaneously; When described hardware switch is in the third state, described control assembly cuts off described write control signal and is connected with the signal wire of described second storage component and cuts off described read control signal simultaneously and be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

Operating described hardware switch makes described hardware switch be in the third state;

6, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described second storage component is carried out at least one write control signal line of write operation to described information processing apparatus and at least one read control signal line of read operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and keeps described read control signal to be connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component keeping described read control signal to be connected with the signal wire of described second storage component simultaneously; When described hardware switch is in the third state, described control assembly cuts off described write control signal and is connected with the signal wire of described second storage component and cuts off described read control signal simultaneously and be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

7, a kind of high-security information system connects the method for network, it is characterized in that:

Described high-security information system comprises information processing apparatus, control assembly, first storage component, second storage component, the system bootstrap routine that solidifies, network components, described control assembly comprises hardware switch, described second storage component has been stored the network linker that can move at described information processing apparatus, described second storage component is carried out at least one write control signal line of write operation to described information processing apparatus and at least one read control signal line of read operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and keeps described read control signal to be connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component keeping described read control signal to be connected with the signal wire of described second storage component simultaneously; When described hardware switch is in the third state, described control assembly cuts off described write control signal and is connected with the signal wire of described second storage component and cuts off described read control signal simultaneously and be connected with the signal wire of described second storage component, described high-security information system is connected with network by network components under the control of described information processing apparatus, comprises following steps;

Beneficial effect of the present invention: utilize the present invention, the control of hardware resources power of infosystem is not exclusively by software control, but the resource of infosystem is controlled by the parts beyond the software, so when some resource of wishing infosystem is invalid for certain operational order, just can make this resource of infosystem inoperative by artificial control for certain operational order, when some resource of wishing infosystem is effective for certain operational order, just can this resource of infosystem be worked for certain operational order by artificial control, computer virus or Hacker Program are also with regard to the purpose that can not realize computer virus or Hacker Program and normal software is still finished the write operation for certain resource under artificial control like this, make infosystem reach immunocompetence up hill and dale, realize real safety information system for computer virus or Hacker Program.

Description of drawings:

Fig. 1 is first kind of solution principle schematic that the present invention realizes high-security information system

Fig. 2 is second kind of solution principle schematic that the present invention realizes high-security information system

Fig. 3 is the third solution principle schematic that the present invention realizes high-security information system

Fig. 4 is the 4th kind of solution principle schematic that the present invention realizes high-security information system

Fig. 5 is the 5th kind of solution principle schematic that the present invention realizes high-security information system

Fig. 6 is the method for energizing and starting process flow diagram of the high-security information system realized of the present invention

Fig. 7 is first kind of software installation method process flow diagram of the high-security information system realized of the present invention

Fig. 8 is second kind of software installation method process flow diagram of the high-security information system realized of the present invention

Fig. 9 is the operating software method flow diagram of the high-security information system realized of the present invention

Figure 10 is that first kind of the high-security information system realized of the present invention connects the network method process flow diagram

Figure 11 is that second kind of the high-security information system realized of the present invention connects the network method process flow diagram

Figure 12 is that first kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Figure 13 is that second kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Figure 14 is that the third network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Figure 15 is that the 4th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Figure 16 is that the 5th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Figure 17 is that the 6th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram

Embodiment:

In order to make those skilled in the art person understand the present invention better, the present invention is described in further detail below in conjunction with drawings and embodiments.

Because infosystem is controlled for the hardware resource of infosystem based on operational order: storage data, reading matter data, calculation process etc.Just become the software of infosystem when the function set that these operational orders are write according to the function of specifically finishing.People control for the hardware resource of infosystem by software, also comprise for the software that is stored in the infosystem to carry out read-write operation.And computer virus and Hacker Program also are to operate or control for the hardware resource of infosystem by the operational order that infosystem is supported, make infosystem move the hardware resource of control information system according to computer-virus program or the desirable mode of Hacker Program.Because the existing information system can effectively be used for the hardware resource that makes infosystem, these resources are available for operating system and application software, promptly can carry out read operation, write operation, renewal operation etc.This also becomes the necessary condition that computer virus or Hacker Program are finished attack.Be stored in the information of infosystem as the Hacker Program desired modifications, then need to obtain for the write operation of the memory unit of infosystem or upgrade the ability of operation.Because the ability of the write operation of the memory unit of infosystem or renewal operation is to open to the software of operate as normal, Hacker Program also can find the write operation of the memory unit of infosystem or upgrade the breach of operating and revise the infosystem canned data.Same computer virus just can be in infosystem constantly the resource of control information system reach the purpose of computer virus.If but the control of hardware resources of infosystem power is not exclusively by software control, but the resource of infosystem is controlled by the parts beyond the software, so when some resource of wishing infosystem is invalid for certain operational order, just can make this resource of infosystem inoperative by artificial control for certain operational order, when some resource of wishing infosystem is effective for certain operational order, just can this resource of infosystem be worked for certain operational order by artificial control, computer virus or Hacker Program are also with regard to the purpose that can not realize computer virus or Hacker Program and normal software is still finished the write operation for certain resource under artificial control like this, make infosystem reach immunocompetence up hill and dale, realize real safety information system for computer virus or Hacker Program.

With reference to Fig. 1, Fig. 1 is first kind of solution principle schematic that the present invention realizes high-security information system.Information processing apparatus 101 and part signal 105 during signal between the second storage component 103 is connected are to be connected with second storage component 103 after becoming control output signal 106 after being handled by control assembly 102 again.Wherein control assembly 102 comprises a hardware switch 104.Described hardware switch 104 comprises two states: first state and second state; When hardware switch 104 was in first state, described control assembly 102 cut off described part signal 105 and is connected with the signal wire of described second storage component, and control output signal 106 does not reflect the information of part signal 105; When described hardware switch 104 was in second state, described control assembly 102 kept described part signal 105 to be connected with the signal wire of described second storage component, and control output signal 106 is identical with the information of part signal 105.Obviously, when part signal 105 is the signal of information processing apparatus 101 control second storage components 103 write operations, can realize that information processing apparatus 101 depends on the state of hardware switch 104 for second storage component 103 write operations, and the state of hardware switch 104 can be artificial control, hardware switch 104 is not controlled by information processing apparatus simultaneously, and it is inoperative for the write operation instruction that infosystem just can artificially be controlled the storage resources that makes infosystem like this.In like manner, part signal 105 also can be the signal of information processing apparatus 101 control second storage components 103 read operations, can realize that artificial control makes the storage resources of infosystem inoperative for the read operation instruction.Equally also can realize realizing artificial controls and not being subjected to the control of information system software for all controlled hardware resources of infosystem.

Fig. 2 is second kind of solution principle schematic that the present invention realizes high-security information system.Compare with the realization example of Fig. 1, on the basis of Fig. 1, the solution of Fig. 2 further comprises first storage component 201.Because the program of information processing apparatus operation can be carried out write operation to memory bank usually and be done; and second storage component 103 is in the write operation disarmed state in the present invention usually to resist virus or hacker's attack; be head it off; increase a first storage component 201, information processing apparatus 101 can carry out read operation and write operation with first storage component 201.Deposited the program that needs operation at second storage component 103, do not attacked in order to make the program that is stored in the second storage component 103, information processing apparatus 101 is working procedure in second storage component 103 not, write first storage component 201 but earlier program is read out from second storage component 103, then the program in the information processing apparatus 101 operation first storage components 201.Even virus or assault the program of first storage component 201, also can be by reading the program that original program covers the first storage component of being attacked 201 fully again from second storage component 103, thus can remove the service disruption problem that virus or assault bring rapidly.

Fig. 3 is the third solution principle schematic that the present invention realizes high-security information system.On the basis of Fig. 2, the solution of Fig. 3 further comprises the system bootstrap routine 301 of curing.Realize that infosystem is in power up, the system bootstrap routine 301 that information processing apparatus 101 operations are solidified, comprising will need further the program of operation to read out from second storage component 103 to write first storage component 201 automatically, then the program in the information processing apparatus 101 operation first storage components 201.What the system bootstrap routine 301 that solidifies usually adopted is read-only memory bank, and virus or hacker can not attack.And increase the system bootstrap routine 301 that solidifies, make infosystem guarantee to load the program that needs operation automatically after infosystem powers at every turn according to design philosophy of the present invention.

Fig. 4 is the 4th kind of solution principle schematic that the present invention realizes high-security information system.The solution of Fig. 4 is the further improvement on the solution basis of Fig. 3.Mainly be that control assembly 402 comprises a hardware switch 404.Described hardware switch 404 comprises three kinds of states: first state, second state and the third state; Can the control information processing element 101 with a plurality of signals of second storage component 103 to be in hardware manually controlled.When hardware switch 404 is in first state, described control assembly 402 cuts off described part signal 105 and is connected with the signal wire of described second storage component, control output signal 106 does not reflect the information of part signal 105 but keeps described part signal 405 to be connected with the signal wire of described second storage component simultaneously that control input signals 406 is identical with the information of part signal 405; When described hardware switch 404 is in second state, described control assembly 402 keeps described part signal 105 to be connected with the signal wire of described second storage component, the information of control output signal 106 and part signal 105 is identical but keep described part signal 405 to be connected with the signal wire of described second storage component simultaneously, and control input signals 406 is identical with the information of part signal 405; When described hardware switch 404 is in the third state, described control assembly 402 cuts off described part signal 105 and is connected with the signal wire of described second storage component, control output signal 106 does not reflect the information of part signal 105 but cuts off described part signal 405 simultaneously and be connected with the signal wire of described second storage component that control input signals 406 does not reflect the information of part signal 405.Obviously, when part signal 105 is that the signal of information processing apparatus 101 control second storage components 103 write operations is when part signal 405 is the signal of information processing apparatus 101 control second storage components 103 read operations simultaneously, can realize that information processing apparatus 101 all depends on the state of hardware switch 404 for second storage component 103 write operations and read operation, and the state of hardware switch 404 can be artificial control, hardware switch 404 is not controlled by information processing apparatus simultaneously, and it is inoperative for write operation instruction and/or read operation that infosystem just can artificially be controlled the storage resources that makes infosystem like this.Equally also can realize realizing artificial controls and not being subjected to the control of information system software for all controlled hardware resources of infosystem.

Fig. 5 is the 5th kind of solution principle schematic that the present invention realizes high-security information system.The solution of Fig. 4 is the further improvement on the solution basis of Fig. 3.Mainly be further to increase electrify restoration circuit 501.By electrify restoration circuit 501, when being powered on, infosystem make control assembly 402 be in the duty of hope.As but the state of forgetting manual switchover hardware switch 404 when avoiding using infosystem causes the power on undesirable state of state of back hardware switch 404 of system to become virus or the hacker attack to second storage component 103 as the write operation state.More the improvement of You Huaing is, the state that forms when electrify restoration circuit 501 and the state of hardware switch 404 are to seasonable increase prompting parts, thereby the prompting user is correctly switched the state of hardware switch 404.

Fig. 6 is the method for energizing and starting process flow diagram of the high-security information system realized of the present invention.Solution with Fig. 3 is that example illustrates method for energizing and starting flow process of the present invention.The described hardware switch of step 601 operation makes described hardware switch be in first state; Step 602 powers on for described system; The described control assembly of step 603 cuts off described control signal and is connected with the signal wire of described second storage component; The described information processing apparatus of step 604 is carried out the system bootstrap routine of described curing and is finished power-up initializing; The described information processing apparatus of step 605 reads described software program and stores described first storage component into from described second storage component; The described software program of described first storage component is stored in the described information processing apparatus operation of step 606 into.All read described software program and store described first storage component into owing to power at every turn, thereby even the back that guarantees at every turn to power on by virus or assault, makes the fast quick-recovery of infosystem by re-powering to remove fast from described second storage component.

Fig. 7 is first kind of software installation method process flow diagram of the high-security information system realized of the present invention.Solution with Fig. 1 is that example illustrates software installation method flow process of the present invention.Step 701 infosystem is in normal operating condition; Make described hardware switch be in second state at the described hardware switch of step 702 operation, make described control assembly be communicated with described write operation control signal and be connected with the signal wire of described second storage component; Entering step 703 control information processing apparatus will need installed software to be installed in described second storage component to become install software; Make described hardware switch be in first state at the described hardware switch of step 704 operation then, make described control assembly cut off described write operation control signal and be connected with the signal wire of described second storage component.Owing to only when software is installed, could carry out write operation, install the back just by hardware switch disconnection write operation signal, thereby make the software can infected virus or by assault to second storage component.

Fig. 8 is second kind of software installation method process flow diagram of the high-security information system realized of the present invention.Solution with Fig. 3 is that example illustrates software installation method flow process of the present invention.Step 801 infosystem is in normal operating condition, and this moment, described hardware switch was in first state, made described control assembly cut off described write operation control signal and was connected with the signal wire of described second storage component; To need installed software to be installed in described first storage component at the described information processing apparatus of step 802 and become install software; Enter the described hardware switch of step 803 operation and make described hardware switch be in second state, make described control assembly be communicated with described write operation control signal and be connected with the signal wire of described second storage component; Reading described install software from described first storage component after, the described information processing apparatus of step 804 writes described second storage component then; Enter the described hardware switch of step 805 operation again and make described hardware switch be in first state, make described control assembly cut off described write operation control signal and be connected with the signal wire of described second storage component.Owing to could carry out write operation to second storage component when writing described second storage component after only after the software installation, from described first storage component, reading, copy finishes the back just by hardware switch disconnection write operation signal, thereby makes the software can infected virus or by assault.

Fig. 9 is the operating software method flow diagram of the high-security information system realized of the present invention.Solution with Fig. 3 is that example illustrates software installation method flow process of the present invention.Infosystem is in normal operating condition, and the common switch of described hardware this moment is in first state, makes described control assembly cut off described write operation control signal and is connected with the signal wire of described second storage component; If not then at first making described hardware switch be in first state at the described hardware switch of step 901 operation; Entering step 902 information processing apparatus then reads described software program and stores described first storage component into from described second storage component; Store the described software program of described first storage component in the operation of step 903 information processing apparatus.Because each run software all reads described software program and stores described first storage component into and in the operation of described first storage component from described second storage component, virus or hacker can only attack the information of described first storage component but the information that can not attack described second storage component, and each run all reads described software program and stores described first storage component into from described second storage component, thereby makes the software can infected virus or by assault.

Figure 10 is that first kind of the high-security information system realized of the present invention connects the network method process flow diagram.Solution with Fig. 3 is that example illustrates connection network method flow process of the present invention.Infosystem is in normal operating condition, and the common switch of described hardware this moment is in first state, makes described control assembly cut off described write operation control signal and is connected with the signal wire of described second storage component; If not then at first making described hardware switch be in first state at the described hardware switch of step 1001 operation; Entering step 1002 information processing apparatus then reads described network linker and stores described first storage component into from described second storage component; Store the described network linker realization of described first storage component and being connected of network in the operation of step 1003 information processing apparatus.Because each run network linker all reads described network linker and stores described first storage component into and in the operation of described first storage component from described second storage component, virus or hacker can only attack the network linker of described first storage component but can not attack the network linker of described second storage component, and each run all reads described network linker and stores described first storage component into from described second storage component, thereby makes the network linker can infected virus or by assault.

Figure 11 is that second kind of the high-security information system realized of the present invention connects the network method process flow diagram.Solution with Fig. 4 is that example illustrates connection network method flow process of the present invention.Infosystem is in normal operating condition, and the common switch of described hardware this moment is in first state, makes described control assembly cut off described write operation control signal and is connected with the signal wire of described second storage component; If not then at first making described hardware switch be in first state at the described hardware switch of step 1101 operation; Entering step 1102 information processing apparatus then reads described network linker and stores described first storage component into from described second storage component; Make described hardware switch be in the third state at the described hardware switch of step 1103 operation, make described control assembly cut off described write operation control signal and be connected with the signal wire of described second storage component with the read operation signal; And then enter that described network linker that step 1104 information processing apparatus operation stores described first storage component into is realized and being connected of network.Because each run network linker all reads described network linker and stores described first storage component into and in the operation of described first storage component from described second storage component, and the described hardware switch of operation makes described hardware switch be in the third state before described first storage component operation, making described control assembly cut off described write operation control signal is connected with the signal wire of described second storage component with the read operation signal, thereby cut off the read and write access of network or working procedure for described second storage component, be that described second storage component is invisible for virus or hacker, therefore virus or hacker can only attack the network linker of described first storage component but can not attack the network linker of described second storage component, and each run all reads described network linker and stores described first storage component into from described second storage component, thereby makes the network linker can infected virus or by assault.

Figure 12 is that first kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Described high-security information system comprises information processing apparatus 1202, control assembly 1204, second storage component 1205 and network link 1206.Information processing apparatus 1202 and part signal during signal between the second storage component 1205 is connected are to be connected with second storage component 1205 after being handled by control assembly 1204 again.Wherein control assembly 1204 comprises a hardware switch.Described hardware switch comprises two states: first state and second state; When hardware switch was in first state, described control assembly 1204 cut off described part signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly 1204 kept described part signal to be connected with the signal wire of described second storage component.Described network link 1206 is connected with information processing apparatus 1202.When hardware switch is in first state before the described information processing apparatus 1202 operational network linkers, described control assembly 1204 cuts off described part signal and is connected with the signal wire of described second storage component 1205, be connected with the internet by described network link 1206 behind the operational network linker like this, carry out information communication.Even the information of transmitting in the interconnection network is by virus or assault, owing to can not revise information and data for described second storage component, thereby can be by the virus attack of hacker's goods.Make infosystem have very high security.

Figure 13 is that second kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Different with the implementation of Figure 12 is to upgrade for the information of second storage component by another information processing apparatus, particularly for information service system as government's electronic service platform one class, if its information spinner offers popular information reliably, and by internal network connection the carrying out renewal of exhibition information, infosystem in the past is to pass through fire wall, the security of enhanced system such as antivirus software, but because the memory bank of its canned data can carry out write operation by software, thereby government website often appears by assault, report that original information is illegally distorted and incident occur.The system that employing is invented can avoid the appearance of similar incidents.Described high-security information system comprises first information processing element 1301, second information processing apparatus 1302, control assembly 1304, second storage component 1305 and network link 1306.But the signal connecting element part 1307 that described first information processing element 1301 is passed through an information communication line 1303 and a plug is connected when needed with described second information processing apparatus 1302 or disconnects.Described information processing apparatus 1302 and part signal during signal between the second storage component 1305 is connected are to be connected with second storage component 1305 after being handled by control assembly 1304 again.Wherein control assembly 1304 comprises a hardware switch.Described hardware switch comprises two states: first state and second state; When hardware switch was in first state, described control assembly 1304 cut off described part signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly 1304 kept described part signal to be connected with the signal wire of described second storage component.Described network link 1306 is connected with information processing apparatus 1302.When hardware switch is in first state before described second information processing apparatus, the 1302 operational network linkers, described control assembly 1304 cuts off described part signal and is connected with the signal wire of described second storage component 1305, be connected with the internet by described network link 1306 behind the operational network linker like this, carry out information communication.Even the information of transmitting in the interconnection network is by virus or assault, owing to can not revise information and data for described second storage component, thereby can be by the virus attack of hacker's goods.Make infosystem have very high security.When needing to upgrade the information of described second storage component 1305, described second information processing apparatus is re-powered startup to cover the storage space that may be attacked when described second information processing apparatus is connected network with program that is not subjected to virus or assault in the described second storage component and data simultaneously.And keep described network link 1306 to be in off-state with the internet, but described then first information processing element 1301 is connected with described second information processing apparatus 1302 by the signal connecting element part 1307 of an information communication line 1303 and a plug, when controlling described hardware switch and being in second state, described control assembly 1304 keeps described part signal to be connected with the signal wire of described second storage component, thereby makes described first information processing element 1301 just can data updated be write described second storage component by second information processing apparatus 1302.After Data Update was finished, when the control hardware switch was in first state, described control assembly 1304 cut off described part signal and is connected with the signal wire of described second storage component.The information in the second storage component is upgraded in realization safely like this.

Figure 14 is that the third network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Described high-security information system comprises first information processing element 1401, second information processing apparatus 1402, control assembly 1404, second storage component 1405 and network link 1406.Described first information processing element 1401 and described second information processing apparatus 1402 respectively could the described second storage components 1405 of connected reference by described control assembly 1404.Wherein control assembly 1404 comprises a hardware switch.A kind of implementation of described control assembly 1404 is that described hardware switch comprises two states at least: first state and second state; When hardware switch is in first state, described control assembly 1404 cuts off described first information processing element 1401 and is connected with the signal wire of described second storage component 1405 write operations, cut off described second information processing apparatus 1402 and be connected with the signal wire of described second storage component 1405 write operations and connect described second information processing apparatus 1402 simultaneously and be connected, realize that described second information processing apparatus 1402 is only with the information that reads described second storage component 1405 but can not revise or increase the data of described second storage component 1405 with the read operation signal wire of described second storage component 1405.When described hardware switch is in second state, described control assembly 1404 connects described first information processing element 1401 and is connected, cuts off described second information processing apparatus 1402 with the signal wire of described second storage component 1405 write operations and be connected with the signal wire of described second storage component 1405 write operations, realizes that described first information processing element 1401 can upgrade or increase or revise the information of described second storage component 1405.When hardware switch is in first state before described second information processing apparatus, the 1402 operational network linkers, be connected with the internet by described network link 1406 behind the operational network linker, carry out information communication.Even the information of transmitting in the interconnection network is by virus or assault, owing to can not revise information and data for described second storage component 1405, thereby can be by the virus attack of hacker's goods.Make infosystem have very high security.Simultaneously when needing to upgrade the information of described second storage component 1405, operate described hardware switch and be in second state, described first information processing element 1401 is connected with the write operation signal of described second storage component 1405, and this moment, described second information processing apparatus 1402 was not connected with the write operation of described second storage component 1405, therefore described second storage component 1405 can not be subjected to virus or assault, and described like this first information processing element 1401 realizes upgrading safely the information in the second storage component.

Figure 15 is that the 4th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Different with technical scheme shown in Figure 12 is to have increased first storage component 1511, when the insufficient memory of described information processing apparatus 1202 working procedures, can be by connecting first storage component 1511 expansion working procedure spaces, and first storage component 1611 can also be stored by the information of network interaction when connecting as the infosystem internet of speaking temporarily, have only described first storage component 1511 canned datas of affirmation not have just may add in the described second storage component behind virus or the Hacker Program, be to increase system flexibility and interactivity in the security that improves described high-security information system.

Figure 16 is that the 5th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Different with technical scheme shown in Figure 13 is to have increased first storage component 1611, when the insufficient memory of described second information processing apparatus, 1302 working procedures, can be by connecting first storage component 1611 expansion working procedure spaces, and first storage component 1611 can also be stored by the information of network interaction when connecting as the infosystem internet of speaking temporarily, having only by the information of confirming described first storage component 1611 does not have just may add in the described second storage component behind virus or the Hacker Program, be to increase system flexibility and interactivity in the security that improves described high-security information system.

Figure 17 is that the 6th kind of network service based on high-security information system that the present invention realizes provides the platform synoptic diagram.Different with technical scheme shown in Figure 14 is to have increased first storage component 1711, when the insufficient memory of described second information processing apparatus, 1402 working procedures, can be by connecting first storage component 1411 expansion working procedure spaces, and first storage component 1711 can also be stored by the information of network interaction when connecting as the infosystem internet of speaking temporarily, having only by the information of confirming described first storage component 1711 does not have just may add in the described second storage component behind virus or the Hacker Program, be to increase system flexibility and interactivity in the security that improves described high-security information system; Simultaneously, this technical scheme has also increased feature: but the signal connecting element part 1707 that described first information processing element 1401 is passed through an information communication line 1703 and a plug is connected with described second information processing apparatus 1402.By such connection, can handle by the information of 1401 pairs of described first storage components 1711 of described first information processing element, as remove virus, Hacker Program, judgement information availability etc.

Claims

1. high-security information equipment is characterized in that comprising:

Information processing apparatus;

2. high-security information equipment is characterized in that comprising:

Information processing apparatus;

3. high-security information equipment is characterized in that comprising:

Information processing apparatus;

4. high-security information equipment is characterized in that comprising:

Information processing apparatus;

5. according to each described equipment in the claim 1 to 4, it is characterized in that further comprising information input part, described information input part comprises at least one specific keys, the signal wire of described specific keys is connected with described control assembly, by the operation of described specific keys being controlled the state of described hardware switch.

6. according to each described equipment in the claim 1 to 4, it is characterized in that further comprising system shell, described system shell comprises at least one specific keys, the signal wire of described specific keys is connected with described control assembly, by the operation of described specific keys being controlled the state of described hardware switch.

7. according to each described equipment in the claim 1 to 4, it is characterized in that described control assembly further comprises electrify restoration circuit, the hardware switch of described control assembly is powered on after always acquiescence be in first state.

8. according to each described equipment in the claim 1 to 4, it is characterized in that described information processing apparatus is connected with described second storage component by described control assembly at least one write control signal line that described second storage component carries out write operation, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component.

9. according to each described equipment in the claim 1 to 4, it is characterized in that the hardware switch of described control assembly further comprises the third state.

10. equipment according to claim 9, it is characterized in that described information processing apparatus carries out at least one write control signal line of write operation to described second storage component and at least one read control signal line of read operation is connected with described second storage component by described control assembly, when described hardware switch was in first state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and keeps described read control signal to be connected with the signal wire of described second storage component; When described hardware switch was in second state, described control assembly kept described write control signal to be connected with the signal wire of described second storage component keeping described read control signal to be connected with the signal wire of described second storage component simultaneously; When described hardware switch was in the third state, described control assembly cut off described write control signal and is connected with the signal wire of described second storage component and cuts off described read control signal simultaneously and be connected with the signal wire of described second storage component.