DE4208777C1 - - Google Patents

Abstract

Write protection circuitry for external mass storages aims at preventing accidental modification of data and programs by destructive software or incorrect operation of the computer, thus avoiding infection by computer viruses. Allocating units of the mass storage may be protected by means of a controller before writing and formatting operations. The controller only allows the protected allocating units to be written on when the operator has identified himself by a user-specific action that cannot be generated by any program. In addition, the protection conditions for the individual allocating units may be flexibly changed.

Description

The invention relates to a circuit arrangement for writing Protection for an external mass storage device, which has a Mass storage controller over a system bus with a Digi talrechner is connected in such a way that the tax instruction solutions from the digital computer to the mass storage of one Control device to be monitored and the writing instruction from this with write protection for the addressed masses memory allocation unit is prevented.

Such a circuit arrangement is known from GB 22 22 899 A.

The number of known computer viruses is increasing steadily There is no end in sight to this development. The viruses are ever more refined and always for the simple user more dangerous. In the beginning, you could still use computer viruses from simple scan codes, so today at Viruses have a clear tendency to self-modify and Coding can be determined. Parallel to this development more and more data are processed on computers and the The number of computers that are integrated in networks increases also more and more. The risk that your own system of a computer virus is constantly increasing.

Furthermore, the increasing networking of Computer opened a new security hole, so try Hackers with the help of Trojan horses control the system across entire computer networks by providing specific Modify system files.

In many government agencies and companies, large quantities of sensitive data processed. If this data from unauthorized modified intentionally or unintentionally serious damage can sometimes occur  (e.g. when making strategic decisions based on the data be felled in the company). Often because of Manipulation too late covers.

Furthermore, data loss due to improper use Handling of the system take place or by possible Pro Gram error when developing new programs. If untrained personnel unintentionally an important one Deletes file or program, so there is no procedure or no method with a correspondingly rational effort enables data feedback.

To prevent destructive and accidental damage with the help of the manipulation measures mentioned above Known solutions such. B. Scan or Checksummer. However, these can usually only be used by the operator after a loading warn about the virus. Many of the protection programs are only able to search for known viruses. If a virus occurs, the scanner or a similar Protection program is not known, it will be easy ignored and not recognized. Through check buzzer and programs, based on the fingerprint method can only a relative certainty before modifying the data or Programs are guaranteed. Because these programs themselves consist of software, they form for other software (e.g. the virus or a Trojan horse) an attack area. It is known that software is always one "Antisoftware" can develop. Obviously, one can Software protection never provides optimal security against one Modification of data and programs through destructive Offer software.

Another is a method of preventing computers Viruses known from DE OS-37 36 760, in which by a unique writable storage medium (e.g. optical disk) which the data flow on a network or a single computer  can record a restoration after infection is made possible. This method is especially safe System files before any modification thought by a virus. This is achieved by Operating system once in a virus-free version on one writable storage medium is applied only once. The disadvantage of this method is that there is a Realization for single computers and smaller computer networks as too uneconomical. Furthermore, this ver drive not applicable to operating systems that are part of their Modify your own system yourself (e.g. under DOS 5.0 the SETVER command).

Furthermore, this system cannot protect against the Ab save a program already infected by the virus guarantee. User programs can also be used by Be viruses. If such an infected program once applied to the write-once storage medium such a virulent program from this Storage medium can no longer be deleted. Therefore this insert (plate) must then be stored medium are removed, this is not inconsiderable Associated costs. Should constantly changing amounts of data be present on the computer network or individual computer, so Every time this data is modified, a transcript must be kept the write-once storage medium can be made, effective security in the event of possible destruction on the unsecured storage medium. Therefore, this procedure is only for temporary backup of data on hard drives or other rewritable Media suitable. The data between the last backup on the write-once storage medium and one possible destruction of the data are inevitable Lich deleted.

There is also a diagnostic procedure a data processing system infected by computer viruses  according to EP 03 04 033 A2, according to which computer viruses are in one data processing system by starting a known host gramms and the possible modification to this host program should be recognized. With this procedure you can Computer viruses are only recognized after a system has been infected will. Furthermore, this method makes no claim for protection in the traditional sense. She can only do that Communicate information whether there may be a computer virus is active. This procedure is used to detect Trojans Unsuitable for horses or destructive operators and works for computer viruses only if these are executable files infested. In addition, this method offers no possibility the operator before any logical bombs or To warn Trojans.

WO 90/13084 presents a solution according to which on rewritable storage media (such as hard drives) prioritized write and read access is made possible. In this system is done by awarding various Passwords a classification of users, and depending on their On the right you can read or write files and programs. Who can read which files and any modifications can be performed on the protected files by a prioritized person (super user) at the time of the system communicated to the file write protection system. The Super User usually has only one known to him Password the possibility of the protected files and Pro gram different reading and writing priorities for the assign individual operators. Through a complicated The data is then protected from an unauthorized person Write or read access protected. The password will not entered directly into the facility, but through a central MP read from the keyboard by a TSR program and passed on to the file protection system in the form of a code directs.

The disadvantage of this method is that it is suitable for systems which  do not perform their file operations at the file level (but e.g. B. on a sector basis, i.e. the individual parts of the files not be written in succession) only very complex is feasible. Furthermore, computer viruses have the possibility by recording the operation on the data bus (Modifying the TSR program or other methods) be agreed passwords for writing and reading priorities nonetheless to get and bypass the entire protection mechanism. The operator cannot be clearly identified. So data from privileged operators can still ge be deleted. When implementing such a system on medium-sized computer systems and personal computers (IBM PCs, ATs, PS / 2, R 6000, R xxxx) the effort would not be lost pedalable, since such an additional system sometimes costs more would as the whole computer. One such, in the patent system explained in writing, is only in large computer systems can be implemented with operating systems such as VMS or UNIX. At Small computers and individual computers of the type IBM PC, AT, PS / 2, R 6000, R xxxx (personal computer or related types) a realization uneconomical.

The device according to GB 22 22 899 A provides write protection of any tracks on hard disks, whereby under Zu areas entered into the system with the help of passwords can be.

The passwords are entered using the normal keyboard and processed by the central processor of the computer and then sent to the protection system. The protection system is between the mass storage controller and the mass storage positioned.

The disadvantage of the device according to GB 22 22 899 A is that that the possibility of using such a protection system is narrowly limited by the arrangement of the device. The most operating systems work in a sector-oriented manner only the ability to protect entire logical drives. With this solution it is not possible to use hard drives of the type  To protect SCSI, IDE, also not MFM, SCSI, IDE- Hard drives in cashed form. All systems that have their con trolling between the mass storage controller and the mass storage suffer from the same Disadvantage, they have to, in order to be functional at all, separate for all recording methods (SCSI, MFM, RLL, IDE) be developed and produced. This arrangement fails even with a write cash on the corresponding mass memory controller.

This system is lacking in the lack of distinction as to whether Human or a program accesses the system easily avoidable.

An action by the user is not a password clearly identified as evidenced below:

In the device according to GB 22 22 899 A, the passwords stored in an EPROM that cannot be read by the computer is. If you want to enter a password, then you use a master password or you can change your password by enters a known password. If you have all the passwords forgot, then the passwords are replaced by a jumper deleted, which you can only be after opening the computer can do.

The only way to ensure that a virus cannot delete all passwords and thus access to the system gets. The virus can without existing passwords Use problems and also rewrite them because the virus has the opportunity to get access to the existing passwords to procure, since the passwords are entered via the computer keyboard and then via the central processor in the Computer is forwarded to the control unit. In this The virus can instantly bind itself into the river and Record all existing passwords and then independently  change a password or just change it into its existing one Use shape. So the virus doesn't even need the passwords change in the system, it is enough if he entered them intercepts and saves the operator and then closes them himself to use. The operator will not suspect that in a virus has nested in its area, which is considered safe and he changes his behavior because he’s in a supposed security. He copies more and rather uses third-party software without checking it.

The method known from GB 22 31 418 A is limited on the protection of the boot sector and the partition table. Therefore, by default, the first cylinder of a mass memory protected and the system files are ver there sets. The protection unit is between the masses memory controller and mass storage.

The disadvantage of the method is that it is not in is able to protect variable areas. It cannot can be programmed flexibly. For a change the Open the computer and press a switch or jumper to ensure a rewriting of the areas that are protected. This arrangement is not from the computer freely programmable, it is only for a fixed area created because computer viruses are less and less and partition sectors spread and primarily executable Infect programs on the hard drive. The system is unable to stop such infection, because it only tries to protect the two system areas. Several boot sectors and parties can also be stored on one computer tion tables are available. This problem is addressed in the solution described does not do it justice because here only from a partition record and a boot sector is spoken (claim 1). There is also operation systems and turnouts that absolutely write this sector to allow the system to reboot. To  one would have to open the computer for every operation, an um start booting and then close the computer again unlock the boot or partition area. Yet virulent software can be installed, it may just don't infect the boot and partition sector. Furthermore, the entire system is between the Mass storage controller and mass storage, what to the above mentioned disadvantages according to GB 22 22 899 A.

From the magazine PC-Praxis 6/91, pages 104 to 105, is a card known ("Thunderbyte"), which put together hanging write protection of areas on the hard drive allowed. The card is for use in systems with MFM / RLL hard disks for IBM PC and compatible computers con designed and intended to work under both MS-DOS and Novell be executable.

The 34-pin connecting cable of the hard disk (s) a short plug-in card "looped in". That is, the steering wheel cable is interrupted and the information must first take the path via the plug-in card. On this card be there is an EPROM as well as various logic gates and PALs. These can prevent write access to the connected hard drive (s) is made. The "Thunder byte card "can only switch the entire hard disk on or off switch. This can only be done with one on the card DIP switches happen, which are only operated can, if the calculator is unscrewed. Furthermore is the function of the card is not independent of the operating system. The "Thunderbyte Card" tries to virus a virus recognize specific actions in system areas. they tries to distinguish whether a program is "good" or "bad" is, so it could be a virus. This happens through the software monitoring of system areas and interrupt vectors. However, some viruses are now known which is the "Thunderbyte card" and cards that follow such  Processes can handle work without problems. The basic problem is the applied ver drive a program based on its actions as "good" or identify "evil".

To the above disadvantages of the prior art Stop the spread of computer viruses, it is an object of the invention to provide a circuit arrangement create an infection of a computer system Computer viruses can be excluded and thus the spread is prevented by computer viruses, as well as a user-friendly The economical and economical solution to find the operating system is independently operational, with all components of the Computer are used and no memory or rake time of the digital computer and the circuit arrangement not specifically circumvented by computer viruses is.

According to the invention the object is achieved in the claim 1 specified features solved. Preferred further training the invention emerge from the subclaims. The advantages of the invention are that one Computer system with a rewritable mass storage protection against destructive operators, computer viruses or Trojan horses and against program errors, the data ver pleasure, can generate. By protecting individual sectors on mass storage media leading to data or belong to programs and are protected by certain System areas (e.g. boot sector, partition sector) is the Computer viruses taken the basis of infection. Furthermore, protection is independent of the operating system achieved, which is very inexpensive to implement. The resources of the computer are not charged, which The control device does not require a main memory of the computer and no computing time.

Particular attention was paid to the user friendliness of the System, the operator does not have to make any decisions,  after he writes all executable files in his system protected.

The arrangement of the system can accommodate multiple controllers A protection system can be used because of the cut is standardized on the mass storage controller and so the individual logs of the various record ver driving no attention must be paid. Furthermore, there are also systems that are mass storage controllers can be protected with cash without loss of data.

The data structures should still be on a hard disk destroyed, they can be marked as protected ned structures without considerable effort through a program can be reconstructed in the BIOS extension ROM. Except no program (e.g. computer virus) can change this to areas marked as protected, as the Attempting a program (computer virus or trojan), Changes to the entries in the control device before is clearly classified as illegal. The Operator must go through the user-specific action only identify before accessing prioritized data can take place in the protection system. Furthermore, in the technical implementation of this Solution not an element of the existing hardware of the computer be discarded. That is why an economical solution is also available on small computers systems and personal computers possible.

The invention is explained below with reference to FIG. 1.

Most computer viruses are currently on PC computers so here is the need for a protection system most acute.

In the following there is always the smallest Zu under a sector order unit of the corresponding mass storage device stand, even if this is called differently.  

The circuit arrangement shown in Fig. 1 for write protection for an external mass storage is shown for clarification on a computer of the type IBM AT. However, it should be emphasized that this circuit arrangement can also be used on other computers.

The system consists of hardware in the form of a micro controller system 1 ; 2 ; 3 ; 4 ; 5 ; 6 ; 7 ; 8 (hereinafter referred to as 1 to 8 ) and management software that runs on the IBM PC. This management software is only activated when a control device 1 ; 2 ; 3 ; 4 ; 5 ; 6 ; 7 ; 8 ; 10 ; 11 Changes to the protected areas on which the data carrier is to be communicated.

All lines of the IBM bus system are under control direction connected.

The control device consists of a microcontroller system 1 to 8 , which consists of a communication unit 1 to the PC, from the SRAM's (CMOS) 2 , which are buffered by the battery 3 , from an activation unit 4 and from the internal ROM 5 on which firmware is stored from the internal CPU 6 ; from a BIOS expansion ROM 7 for the IBM AT, from the gate 8 and from the connections address bus a, data bus b, signal bus c with the IOW line d [belongs by default in the signal bus c, the system bus a; b; c; d form the entirety of all signal lines (a; b; c; d)].

The control device is located between the IBM AT bus system (all lines on the PC bus consisting of: address bus a, data bus b, signal bus c and IOW line d) and the mass storage controller 9 of the storage medium (e.g. hard disk, optical drive, holographic memory). All lines of the IBM address a, data b and signal bus c are transmitted without interruption to the mass storage controller 9 except for the IOW signal d of the IBM PC signal bus (or similar signals which are on the system bus a; b; c; d give a write operation to I / O addresses).

This signal is separated and connected to the gate 8 so that the output of the gate 8 is forwarded to the mass storage controller 9 . An input to gate 8 is from the IOW line d of the IBM PC. The other at the gate is connected to the communication unit 1 . Thus, the microcontroller system 1 to 8 can deactivate the IOW line d if necessary, even if it is present in active form on the PC bus.

The task of the communication unit 1 is to record all the commands and commands that are sent to the mass storage controller 9 via the bus system and to send the corresponding commands to the internal CPU 6 when activating commands, such as sector write or format, to one Initiate a review of the area to be written. If the area in the internal SRAM 2 that is to be accessed is identified as protected, a flag is set by the communication unit 1 and the IOW line d remains disconnected. This means that the mass memory controller 9 simply does not receive this command to write.

If a new area is protected, this area to be protected is included in the list of areas to be protected in the SRAM's 2 . Furthermore, each protected area receives a special identifier in SRAM 2 , which contains information about the write authorization of these areas. Using this identifier, these areas may be described by privileged operators after they have identified themselves. The identification consists of an identification code and an identification action by the privileged operator. The identification code is sent directly to the control device via the PC bus system. Such a code can be sent from a program to the control device. When creating a code for write authorization, certain security rules are observed which make it impossible for a virus to receive the code in an IBM AT, PS 2 or R xxxx system. Furthermore, the operator must identify himself by means of a certain action which is only accessible to him and which cannot be generated by any software program (e.g. flipping a switch 10 ). In this way, no virus can pretend to be a user against the control device. The SRAM 2 is always buffered with the battery 3 and does not lose its content even after the computer is switched off. When the control device is supplied with voltage, the battery 3 charges automatically.

The processing unit (CPU) 6 can be a microprocessor equipped with an internal ROM 5 . This ROM 5 contains the programs required for communication with the PC as well as the routines for checking and updating the protected areas. If the control device (z. B. in a mass storage controller 9 ) is integrated, then this unit is omitted and is replaced by a simple logic circuit in the mass storage controller 9 , which only checks whether the sector in question is protected or not. Communication with the PC can then take place directly via the registers of the mass storage controller 9 .

The BIOS expansion ROM 7 becomes active as soon as the computer is switched on or a warm start has been carried out. The programs in the BIOS expansion ROM 7 are first executed by the CPU. The initial state of the control unit is checked in the BIOS expansion ROM 7 . If the switch 10 is in the open state at the time of activation of the protection system, the operator is informed of this by a screen output, because in the open state of the switch 10 , the control device can be informed of modifications relating to the sectors to be protected. Booting from an external storage medium is also optimally prohibited in the BIOS expansion ROM 7 . Furthermore, the program in the BIOS expansion ROM 7 checks whether changes have been made to the entries in the system files and the entries in the FAT (File Allocations Table). If this is not the case, the system is started. Otherwise, the defective areas are restored on the basis of the stored backup copies of the FAT to the mass storage area marked as read-only and a warning message is output to the user. The activation unit 4 gives the internal CPU 6 a signal when write access to the control device is permitted. The operator must perform a clear action that cannot be reproduced by software. This can be done in such a way that, after booting, an administration program on the PC sends a command sequence to the communication unit 1 of the control device and notifies that new sectors to be protected are to be entered immediately. If the control unit has received this command, the internal CPU 6 asks the activation unit 4 whether this operation was actually carried out by the operator. The operator can clearly identify himself by operating the switch 10 on the control device. Furthermore, instead of using the switch 10 , the operator can send an identifier (simultaneous pressing of a complicated key combination) to the activation unit 4 via a keyboard input 11 via the keyboard directly connected to the control device. This method only works with keyboards that cannot be programmed by the central CPU. With standard IBM AT, PS / 2, R xxxx systems, programming the keyboards is not possible in this way. Thus, the activation unit 4 can send a unique identification code via the keyboard input 11 , which cannot be influenced by the central CPU of the file processing system (e.g. IBM PC). The keyboard is redirected to the control device in terms of hardware and from there a connection to the keyboard input of the original IBM Pcs, ATs, PS / 2 model or similar makes.

Should new files or programs now be protected or ent are protected, so with the help of a system start Management program in the memory of the computer for execution brought. The administration program is in front of the System in the computer and allows protection and deprotection of sector areas of the mass storage medium.

The administration program is in normal operation the control device is not active. The control device works without a program in the RAM of the central CPU of the IBM PC.  

Reference symbols used in FIG. 1:

1 communication unit
2 SRAMS
3 battery
4 activation unit
5 internal ROM
6 internal CPU
7 BIOS expansion ROM
8 gates
9 mass storage controllers
10 switches
11 keyboard input
a address bus
b Data bus
c signal bus
d IOW management
a; b; c; d system bus

Claims (6)

1.Circuit arrangement for write protection for an external mass storage device which is connected via a mass storage controller via a system bus to a digital computer in such a way that the control instructions from the digital computer to the mass storage device are monitored by a control device and the write instruction is used by the latter for write protection for the addressed mass storage allocation unit is prevented, characterized in that the control device ( 1 ; 2 ; 3 ; 4 ; 5 ; 6 ; 7 ; 8 ; 10 ; 11 ) between the system bus (a; b; c; d) of the digital computer and the masses Storage controller ( 9 ) is arranged, sectors being provided as mass storage allocation unit and that information about the mass storage allocation units to be protected is stored flexibly in a rewritable memory ( 2 ) in the control device and that modifications of this information are only possible if through the operator, one at the control connected signal generating device ( 10 ; 11 ) is actuated, the signal generating device ( 10 ; 11 ), which consists of a switch ( 10 ) and a keyboard input ( 11 ), generates an enable signal which enables the information in the rewritable memory ( 2 ) of the control device to be modified which cannot be influenced by the digital computer. 2. Circuit arrangement according to claim 1, characterized in that the release signal, which allows a modification of the information about the mass storage allocation to be protected, is generated by an operator by actuating the switch ( 10 ) of the signal generating device ( 10 ; 11 ). 3. A circuit arrangement according to claim 1, characterized in that the release signal, which allows a modification of the information about the mass storage allocation to be protected units flexibly, by the keyboard of the Digi talrechner, the keyboard input ( 11 ) of the signal generating device ( 10 ; 11 ) is connected, is generated by the operator actuating several keys on the keyboard simultaneously and that the code of the keyboard is evaluated directly by the control device without prior processing by the digital computer, the code that the keyboard generates, not freely by the digital computer can be programmed. 4. Circuit arrangement according to one of claims 1 to 3, characterized in that the mass storage controller ( 9 ) and the control device form a unit by integrating the control device into the mass storage controller ( 9 ). 5. Circuit arrangement according to one of claims 1 to 4, characterized in that the programming and the data contents of the control device even if the Operating voltage is maintained. 6. Circuit arrangement according to one of claims 1 to 5, characterized in that the programming of the control only by means of a hardware release signal is made possible.