HUE027444T2 - Security module and method for controlling and monitoring the data traffic of a personal computer - Google Patents
- Publication number
- HUE027444T2
- Authority
- HU
- Hungary
- Prior art keywords
- data
- personal computer
- security
- logic component
- programmable logic
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/109—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by using specially-adapted hardware at the client
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
Description
SECURITY MODULE AND METHOD FOR CONTROLLING AND MONITORING THE DATA TRAFFIC OF A PERSONAL COMPUTER
The invention relates to the field of apparatus and methods for ensuring the data security of personal computers.
Prior art
Modern personal computers exhibit a growing complexity both in terms of their hardware configuration and in relation to the software. They not only comprise a large number of peripheral devices and further elements that are both internal, meaning arranged inside the housing, and external, meaning arranged outside the housing, such as pulse generators, each with its own control electronics, but must also execute a large number of procedures simultaneously. Today's personal computers are, moreover, networked over very different routes with other personal computers and/or other data processing means, such as servers, databases, printers or the like, via communication networks such as the internet.
In addition to the speed of data processing and of data transmission, the security of data is of great importance here. On the one hand the rising complexity has the consequence that unwanted changes to data, whether due to deficiencies in the software or as a result of operating errors, cannot be avoided. On the other hand, the increasing networking has the result that [...] such as can occur as a result of computer viruses, becomes ever more difficult.
Software errors, operating errors and computer viruses are in general considered as different sources for data errors that can even lead to the loss of data, and the attempts to avoid these origins are accordingly based on very different approaches. For example, in order to reduce operating errors there may be a restriction on users' access to specific data which can, for example, only be freely accessed after the correct input of an authentication code. It is also possible for a hard disk to be divided into segments, of which only some can be freely accessed by the user. Even if these precautionary measures can be implemented by means of hardware, they only restrict the scope of data that can be accessed in insecure ways. This data can, however, still be damaged by, for example, operating errors. In most cases, however, such security precautions are implemented by means of software, and can thus be circumvented by computer viruses that have infected the software.
Conventional programs available on the market against computer viruses, known as virus protection or antivirus programs, function such that the entire memory of the personal computer is searched by the antivirus program. The data located in the memory is compared with program codes of known computer viruses, and protective measures are taken in the event of a match in order to remove this harmful data. This, however, can at best provide protection against known computer viruses. Antivirus programs are thus as ineffective against new, as yet unknown, computer viruses as against operating and software errors.
There is, furthermore, a risk that an antivirus program that merely resides as software in the memory of the personal computer itself becomes the target of an attack by computer viruses.
A plug-in card that monitors the flow of data between drives and the other hardware of a personal computer is known from document US 5,222,540. The plug-in card is set up by the personal computer's operating system during initialisation. The program used to control the plug-in card is here stored in a working memory of the personal computer, and checks the access rights of the user through an authentication by means of querying a user name and a password. Similarly to the case of the antivirus program, there is here again a risk that the program used to control the plug-in card, which is located in the personal computer's working memory, is modified as a result of a software error, an operating error and/or by a computer virus. In addition it is not possible following an authentication to assume that all the user's accesses to the data made available to him are permissible and are interpreted by the software without error.
The document US [...] discloses a method in which a coprocessor is installed in a personal computer with a processor. The coprocessor supervises the personal computer until it is established that it is in a state that is free from harmful programs such as computer viruses. The coprocessor then disengages from the personal computer's data traffic. The disadvantage of this method is that neither data damage resulting from operating errors, nor damage resulting from software errors, is detected. In addition there is a problem similar to that associated with antivirus programs, in that the programs that are harmful and those that are not must already be known.
A security module with a plurality of functional components, each of which is implemented by means of hardware and/or software, for blocking and monitoring a data traffic of the personal computer is known from WO 02/27445 A2. The functional components include a programmable logic component, a processor connection connected to the programmable logic component for exchanging electronic data with a central processor of the personal computer, a hard disk connection that is connected to the programmable logic component for exchanging electronic data with a hard disk of the personal computer, and a memory module, connected to the programmable logic component, which contains initialisation data for the logic component. The programmable logic component monitors the data traffic of the personal computer in that, by means of programming, a process and control unit for processing electronic data being exchanged between the components of the personal computer is implemented. The programmable logic component operates independently of the personal computer, and is designed to functionalise itself, so that it can even intervene with a booting process of the personal computer.
The programmable logic component is designed to detect an exchange of erroneous data and/or an unauthorised data exchange and, if necessary, take corrective action.
The invention
The object of the invention is to provide a security module and a method for controlling and monitoring data traffic of a personal computer that ensures an increased security in the operation of the personal computer.
This object is achieved according to the invention by a security module as claimed in the independent Claim 1.
According to the invention, a security module for controlling and monitoring data traffic of a personal computer, with a plurality of functional components each of which is implemented by means of hardware and/or software, is provided, wherein the plurality of functional components comprise a programmable logic component in which, by means of programming, a process and control unit for processing electronic data being exchanged between the plurality of functional components is implemented, a processor connection connected to the programmable logic component for exchanging electronic data with a central processor of the personal computer, a hard disk connection that is connected to the programmable logic component for exchanging electronic data with a hard disk of the personal computer, peripheral device connections connected to the programmable logic component for exchanging electronic data with peripheral devices connected to the personal computer for data input and/or data output, and a memory module connected to the programmable logic component which contains initialisation data for the logic component, and wherein the programmable logic component is designed to functionalise itself in order, with the aid of the initialisation data, to make the processing and control unit in the programmable logic component capable of independent function.
It is also provided that a comparing means is implemented by means of programming within the programmable logic component, comprised by the process and control unit, for comparing electronic data that is being exchanged between the plurality of functional components with predefined stored monitoring data. This, for example, allows the programmable logic component to detect an exchange of erroneous data and/or an unauthorised exchange of data and, if necessary, to take corrective action, for example in that an exchange of this sort is prevented. Likewise the stored monitoring data can be modified depending on the incoming electronic data. Thus for example a specific key press, or a data sequence received via a network connection, can be recognised by the comparing means and thereupon initiate a predefined control function, the result of which manifests itself in a modification of the monitoring data.
In contrast with the prior art, the security module has the advantage that a programmable logic component that works independently of the personal computer controls and monitors the data traffic of the personal computer. This means that the central processor of the personal computer cannot control the programmable logic component. By checking the data of the personal computer exchanged between individual components in the course of data traffic, for example between the central processor, the hard disk and the peripheral devices, the programmable logic component can thus prevent any unwanted access to the data resulting from software errors, operating errors and/or computer viruses. Since the programmable logic component is designed to functionalise itself independently, it is capable of intervening for controlling and monitoring actions during the personal computer's booting process.
In an advantageous embodiment of the invention, the functional components are realised as an encapsulated system. This means that the functional components are assembled to form an independently operating system. In this way, defects occurring in the security module are more easily found, and the security module can be replaced more easily in such a case.
In a more user-friendly development of the invention, the plurality of functional components are implemented on a plug-in card. This makes it possible to fit a conventional personal computer with the security module without having to modify the [...] personal computer.
In a compact embodiment of the invention, the plurality of functional components are implemented on a motherboard of the personal computer. On the one hand, this shortens the data traffic routes between the central processor of the personal computer and the security module, which results in an increase in speed. On the other hand, additional external connections to the motherboard, for example plug-in card connections, are kept free.
In a preferred development of the invention, the plurality of functional components are at least partially implemented in a chipset of the motherboard. The space requirement for the security module is in this way minimized, something that is of considerable advantage for application in a mobile personal computer, for example.
In an expedient development of the invention, the plurality of functional components are at least partially implemented in a Northbridge chip of the chipset of the motherboard. Since Northbridge chips connect the central processor to the rest of the hardware of the personal computer, interfaces from the security module to the peripheral devices can be at least partially saved with this embodiment. This saving also entails an increase in speed, since the security module can now communicate directly with the central processor, instead of having to rely on communication via a bus system.
In an advantageous embodiment of the invention, the memory module is established in a RAM memory of the personal computer. As a result, an additional memory for the security module can be partially or entirely saved, which leads to a more economical and compact construction.
In one example of the invention, the programmable logic component is an FPGA ("Field Programmable Gate Array") component. This has the advantage that use can be made of the known FPGA technology for the manufacture of the security module, both in terms of the programmable logic component itself as well as in terms of the auxiliary programming equipment required for its programming. This allows even computationally intensive processes to be executed in parallel, and therefore in a time-saving manner, in hardware instead of sequentially in software.
In one example, the invention provides that the plurality of functional components for the devices coupled to the plurality of functional components are implemented as functional components that operate transparently during data exchange. This means that software running on the personal computer is not affected by the presence of the security module. The software for controlling the personal computer does not therefore have to be modified for use with the security module. As a further advantage of this embodiment, a computer virus that has infected the software of the personal computer cannot tell whether a security module that requires circumvention is present.
Description of preferred exemplary embodiments
The invention is explained in more detail below with reference to exemplary embodiments and with reference to a drawing. The only figure here shows a schematic representation of the security module with a programmable logic component.
According to the figure, a security module 1 comprises a plurality of functional components, which include a programmable logic component 2, a processor connection 3, a hard disk connection 4, peripheral device connections 5 and a memory module 6. The security module 1 is installed in a personal computer 10 which is fitted with a central processor or microprocessor 11, a hard disk 12, a memory 14 and peripheral devices 13. The personal computer 10 can be any kind of computer system with a central processor and a hard disk. The personal computer 10 can, for example, be a mobile computer such as a laptop or PDA ("Personal Digital Assistant").
The programmable logic component 2 can be implemented by means of any kind of programmable logic component (also known as a PLD - "Programmable Logic Device") that can be programmed in order to process electronic data that is exchanged between the plurality of functional components. The logic component here can be either a reprogrammable or a one-time programmable component. In the case of the reprogrammable logic components, the programming is performed by means of memory cells comprised by the programmable logic component 2, for example SRAM, EPROM, EEPROM and/or Flash memory cells. An FPGA ("Field Programmable Gate Array") is preferably used for the programmable logic component 2. A CPLD ("Complex Programmable Logic Device") component or an ASIC ("Application-Specific Integrated Circuit") can, however, also be used as the programmable logic device 2.
The processor connection 3 connected to the programmable logic component 2 is used for the data exchange between the security module 1 and the microprocessor 11 of the personal computer 10. If the personal computer 10 comprises a plurality of microprocessors, which means that it is what is known as a multiprocessor computer, the processor connection 3 can be designed to be able to perform data exchange either with only one, or with two or more of the plurality of microprocessors. The processor connection 3 can also be designed to establish an indirect connection between the programmable logic component 2 and the microprocessor 11. This connection can, for example, be made via a controller, in particular a hard disk controller. In this way it is ensured that the microprocessor continues to exchange information with the peripheral devices through the controller as before. This is, for example, of significance to embodiments of the invention in which a query from the microprocessor 11 to the hard disk 12 is indeed made through the security module 1, but the microprocessor 11 does not notice the presence of the security module 1, if, that is, the functional components of the security module 1 for data exchange between the microprocessor 11 and the hard disk 12 operate transparently. For this purpose the security module 1 must simulate the functions of the hard disk 12 to the microprocessor 11. This means that the security module 1 must send signals to the microprocessor 11 through the processor connection 3 which the microprocessor 11 will interpret as having come from the hard disk 12.
The hard disk connection 4 through which a connection is established to one or more hard disks 12 of the personal computer 10 is furthermore connected to the programmable logic component 2. The hard disk 12 can be a hard disk of any available technology, in particular having any desired physical size and/or storage capacity; it can also, for example, comprise what is known as a MicroDrive. The transfer of data from and to the hard disk 12 can be performed by means of any desired, conventional communication standard, such as an IDE, an EIDE or a SATA standard (IDE - "Integrated Drive Electronics", EIDE - "Enhanced IDE", SATA - "Serial Advanced Technology Attachments").
The peripheral device connections 5 can comprise connections to any kind of peripheral devices 13 that can be operated by a personal computer 10. This concerns here in particular peripheral devices for data input, such as a keyboard, a mouse, a scanner or the like, and peripheral devices for data output, such as a graphic card, a printer, a sound card or the like. Peripheral device connections 5 can, however, also be present to peripheral devices which, in addition to data input, are also used for data output, for example to storage devices that are internal (meaning that they are located inside a housing of the personal computer 10) or that are external (meaning that they are located outside a housing of the personal computer 10), as well as to network cards with, for example, modem, ISDN and/or LAN functionality.
Network cards in particular represent an important source of harmful data, since the personal computer 10 is connected through these to communication networks. By means of a network card the personal computer 10 can in addition unintentionally, for example as a result of software errors, operating errors or computer viruses, send messages to other computer systems connected to the communication network, for example by means of email. In one embodiment of the invention it is therefore provided that all the data traffic between the microprocessor 11 of the personal computer 10 and the network cards (not illustrated) takes place through the security module 1, and is controlled and/or monitored by the programmable logic component 2. Network cards with arbitrary communication standards or protocols can be present here. It can in particular be provided that one or more of the network cards have two or more of what are known as MAC ("Media Access Control") addresses. The MAC address is an address that is assigned to every network card at the time of its manufacture, and with which the network card is addressed on a transport layer of a communication network that lies below the transport layer on which what are known as IP ("Internet Protocol") addresses are used. In order to be able to address a personal computer optionally on a system management level or on an operating system level, it must be uniquely addressable using a layer-independent MAC address of the network card or the IP address of the computer. In order to save an additional network card for the system management and an additional cable connection required for that, and to avoid the need to change the IP addressing, the presence of a plurality of MAC addresses is advantageous.
The connections of the security module 1 that include the processor connection 3, the hard disk connection 4 and the peripheral device connections 5 can be designed as simple connections. They can also, however, at least partially, comprise complicated circuitry which, for example, performs an adaptation of the protocol and/or the levels of signals to be exchanged. The security module 1 is fitted with encoding and/or decoding means in order to convert signals between different communications standards used in the personal computer 10. The encoding and/or decoding means can be implemented as parts of the programmable logic component 2 and/or of the connections.
The memory module 6, finally, serves to provide initialisation data to the programmable logic component 2. At least a part of the memory module 6 should here be designed as a non-volatile memory module, in order not to lose its memory contents after the operating voltage has been switched off. The initialisation data is available to the programmable logic component 2 at any time, in particular immediately after an operating voltage has been applied, and its purpose is that the security module 1 can act independently of external memory components, such as the RAM memory of the personal computer 10. The non-volatile memory module can be any kind of memory module that retains its content even after the operating voltage has been switched off. The memory module 6 can, for example, comprise a Flash memory. It can also comprise a memory module that is volatile in principle, powered by its own energy source, such as a battery. The non-volatile memory module can also be integrated into the programmable logic component 2.
In addition to the non-volatile memory module, the memory module 6 can also comprise its own volatile memory module, for example a RAM memory, into which the programmable logic component 2 can, while operating, place data for later use. A part of the memory 14 of the personal computer 10 can, however, also be used for this purpose, in that this part is reserved for the security module 1 during the self-initialisation of the programmable logic component 2, and the microprocessor 11 only has free access to the remaining part of the memory 14. A part of the storage capacity of the hard disk 12 can, in a similar manner, also be claimed by the security module 1.
The peripheral devices 13, the hard disk 12 and/or the microprocessor 11 can be addressed via a bus system of the personal computer 10. In one embodiment of the security module 1 as a PCI plug-in card in particular, this allows separate physical connections on the security module 1 to be saved.
So that the security module 1 executes its monitoring and control function as comprehensively as possible, in one embodiment all the data traffic between the microprocessor 11, the hard disk 12 and the peripheral devices 13 takes place via the security module 1. For reasons of speed it can be advantageous for specific data to be exchanged without taking the diversion through the security module 1. In the presence, for example, of a plurality of hard disks, the hard disk with the least important data can also be connected to the microprocessor 11 via a direct path.
So that the security module 1 can control and monitor the data traffic of the personal computer 10, the functional components of the security module 1 must first be placed into a defined initial state. An initialization of the programmable logic component 2 takes place for this purpose after an operating voltage has been applied, in which a processing and control unit in the programmable logic component 2 is prepared and supplied with initialization data. The processing and control unit has the purpose of controlling all the functional components of the security module 1 independently of the microprocessor 11.
Following the initialization, the programmable logic component 2 is in a position to receive data through the connections and to compare them with data stored in the memory module 6 in order, as a reaction to that, to take action, for example to generate a warning message if important data is to be deleted.
An important process is the initialization of the hard disk 12 by means of program routines stored in the BIOS, which is a program that mediates between the software and hardware of a personal computer. During the initialization process of the personal computer 10 (also known as the booting process), technical data of the hard disk 12, relating for example to the storage capacity of the hard disk, is queried by a hard disk controller. This query is received through the processor connection 3 by the programmable logic component 2, and is answered with the aid of data stored in the memory module 6 relating to the hard disk 12. If, for example, a region of the hard disk 12 is occupied by the security module 1, a hard disk capacity that is reduced by the storage capacity of the occupied region is communicated to the microprocessor 11.
An access of the microprocessor 11 to the hard disk 12 is consequently made in such a way that instructions from the microprocessor 11 to the hard disk 12 are first received by the programmable logic component 2 through the processor connection 3. These instructions are then checked by means of the processing and control unit, and are compared with data stored in the memory module 6. If the processing and control unit determines that an action corresponding to the instruction is not permitted, in other words if the microprocessor 11 attempts to carry out an unauthorized action, for example accessing a region of the hard disk 12 that is not accessible to it, then this instruction is not passed on to the hard disk 12. An error message that is identical to an error message from the hard disk 12 is sent instead through the processor connection 3 to the microprocessor 11. In this way the impression is given to the microprocessor 11 that a direct data exchange has taken place between it and the hard disk 12. The error message can, for example, be a message providing the information that the region of the hard disk 12 concerned does not exist. Permitted instructions and data are transferred unchanged through the hard disk connection 4 to the hard disk 12. This means that the programmable logic component 2, the processor connection 3 and the hard disk connection 4 operate transparently. A similar method is followed for a data exchange with the peripheral devices 13 for data input and/or data output. A data input can, for example, be made by means of a keyboard. Here, when a key or a combination of keys is pressed, a signal is initially sent through this to a peripheral device connection 5 of the security module 1. The signal is decoded there, or is passed directly to the programmable logic component 2.
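The hard disk mediation described above (reduced capacity at boot, disk-identical error for the occupied region, transparent pass-through otherwise) can be modelled in C. This is an added sketch, not code from the patent: the structure names, the status values and the assumption that the module's region sits at the end of the disk are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: all names, sizes and status values are assumptions. */
enum op     { OP_IDENTIFY, OP_READ, OP_WRITE };
enum status { ST_OK = 0, ST_NO_SUCH_SECTOR = 1 };

struct command { enum op op; uint64_t lba; uint32_t count; };
struct reply   { enum status status; uint64_t capacity; };

/* Control data held in the module's own non-volatile memory.
 * reserved_sectors is assumed never to exceed disk_sectors. */
struct control_data {
    uint64_t disk_sectors;      /* real capacity of the disk          */
    uint64_t reserved_sectors;  /* tail region claimed by the module  */
};

static unsigned forwarded;      /* commands that actually reached the disk */

/* Overflow-safe check that [lba, lba + count) lies inside [0, limit). */
static int in_range(uint64_t lba, uint32_t count, uint64_t limit)
{
    return lba < limit && count <= limit - lba;
}

/* Stand-in for the disk: what the host would see without the module. */
struct reply disk_execute(const struct control_data *cd, struct command c)
{
    struct reply r = { ST_OK, 0 };
    forwarded++;
    if (c.op == OP_IDENTIFY)
        r.capacity = cd->disk_sectors;
    else if (!in_range(c.lba, c.count, cd->disk_sectors))
        r.status = ST_NO_SUCH_SECTOR;
    return r;
}

/* The module sees every host command before the disk does. */
struct reply module_filter(const struct control_data *cd, struct command c)
{
    uint64_t visible = cd->disk_sectors - cd->reserved_sectors;
    struct reply r = { ST_OK, 0 };

    if (c.op == OP_IDENTIFY) {          /* answered from control data */
        r.capacity = visible;
        return r;
    }
    if (!in_range(c.lba, c.count, visible)) {
        r.status = ST_NO_SUCH_SECTOR;   /* same reply as a missing region */
        return r;                       /* dropped: the disk never sees it */
    }
    return disk_execute(cd, c);         /* permitted: passed on unchanged */
}

int main(void)
{
    struct control_data cd = { 1000, 100 };   /* constructed sample values */
    struct command hidden = { OP_READ, 950, 8 };
    struct command id = { OP_IDENTIFY, 0, 0 };
    printf("capacity reported to host: %llu\n",
           (unsigned long long)module_filter(&cd, id).capacity);
    printf("read of reserved region: status %d, forwarded %u\n",
           (int)module_filter(&cd, hidden).status, forwarded);
    return 0;
}
```

A request that starts in the visible area but runs into the occupied region is rejected as a whole, and the range check is written so that `lba + count` cannot wrap around.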
If, on the basis of the data stored in the memory module 6, the processing and control unit of the programmable logic component 2 determines that execution of an instruction associated with the key combination leads to an unauthorized action, then the signal is either entirely ignored and/or an appropriate warning message is displayed through another peripheral device, for example via a monitor. In this way, however, a command can also be sent to the processing and control unit itself, in that it is used to start a software routine entirely within the processing and control unit, but the key-press is not passed on to the microprocessor 11. This also prevents harmful software running on the microprocessor 11 from monitoring the operation of the processing and control unit.
The features of the invention disclosed in the above description, the claims and the drawing can, whether individually or in any combination, be significant for the realization of the invention in its various embodiments.
Claims (3)
SECURITY MODULE AND METHOD FOR CONTROLLING AND MONITORING THE DATA TRAFFIC OF A PERSONAL COMPUTER
Patent claims
1. A security module (1) for controlling and monitoring the data traffic of a personal computer (10), with a plurality of functional components, each of which is implemented in hardware, the functional components comprising:
- a programmable logic component (2) in which a processing and control device for processing electronic data exchanged between the components of the personal computer is implemented by means of programming;
- a processor connection (3), connected to the programmable logic component, for exchanging the electronic data with at least one central processor (11) of the personal computer (10);
- a hard disk connection (4), connected to the programmable logic component (2), for exchanging the electronic data with a hard disk (14) of the personal computer (10);
- peripheral device connections (5), connected to the programmable logic component (2), for data input and/or data output, for exchanging the electronic data with peripheral devices (13) connected to the personal computer (10); and
- a memory unit (6), connected to the programmable logic component, which contains initialization data of the logic component (2);
wherein the programmable logic component (2) is designed to be self-initializing and is able to intervene in a controlling and monitoring manner even during the start-up process of the personal computer; wherein the logic component (2) controls and monitors the data traffic of the personal computer (10); wherein the programmable logic component (2) is designed so that it is able to detect an unauthorized exchange of data and, where appropriate, to intervene in a correcting manner; wherein a comparison device, comprised by the processing and control device, is implemented in the programmable logic component (2) by means of programming for comparing electronic data exchanged between the components of the personal computer with predetermined stored control data; wherein the stored control data can be adapted as a function of the incoming electronic data; wherein a received data sequence is recognized by the comparison device and in response triggers a predefined control function, the result of which manifests itself in an adaptation of the control data; and wherein the data sequence arrives from the keyboard or the network card of the personal computer.
2. The security module (1) according to claim 1, characterized in that the functional components are implemented as an encapsulated system, such that the functional components are combined into an independently operating system.
3. The security module (1) according to claim 1 or 2, characterized in that the functional components are implemented on the motherboard of the personal computer (10).
4. The security module (1) according to claim 3, characterized in that the functional components are implemented at least partly in a chipset of the motherboard.
5. The security module (1) according to claim 4, characterized in that the functional components are implemented at least partly in a northbridge chip of the chipset of the motherboard.
6. The security module (1) according to any one of the preceding claims, characterized in that the memory unit (6) is formed in the RAM memory of the personal computer (10).
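The keyboard path from the description and claim 1 (a data sequence from the keyboard is recognized by the comparison device, triggers a control function that adapts the control data, and is not passed on to the microprocessor) can be sketched as follows. This is an added example, not part of the patent: the key codes, the structure and the `disk_write_locked` flag are assumptions, and the sketch goes one step further than the text by withholding keys that may still turn out to be the start of the reserved sequence.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEQ_MAX 8

/* Constructed model: names, key codes and the policy flag are assumptions. */
struct kbd_filter {
    unsigned char seq[SEQ_MAX];   /* reserved sequence kept in control data   */
    size_t seq_len;               /* 1..SEQ_MAX                               */
    unsigned char held[SEQ_MAX];  /* keys withheld while they may still match */
    size_t held_len;
    int disk_write_locked;        /* control data that the sequence adapts    */
};

/* Feed one key code arriving on the keyboard connection. Key codes released
 * to the host are written to out (room for SEQ_MAX); returns their count. */
size_t kbd_feed(struct kbd_filter *f, unsigned char key, unsigned char *out)
{
    size_t n = 0;

    f->held[f->held_len++] = key;
    /* Release the oldest withheld key until the rest is a prefix again. */
    while (f->held_len > 0 && memcmp(f->held, f->seq, f->held_len) != 0) {
        out[n++] = f->held[0];
        f->held_len--;
        memmove(f->held, f->held + 1, f->held_len);
    }
    if (f->held_len == f->seq_len) {   /* whole sequence recognised */
        f->disk_write_locked = !f->disk_write_locked;
        f->held_len = 0;               /* consumed inside the module */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a three-key reserved sequence and some typing. */
    struct kbd_filter f = { {0x1D, 0x38, 0x58}, 3, {0}, 0, 0 };
    const unsigned char typed[] = { 0x1E, 0x1D, 0x1D, 0x38, 0x58, 0x30 };
    unsigned char out[SEQ_MAX];

    for (size_t i = 0; i < sizeof typed; i++) {
        size_t n = kbd_feed(&f, typed[i], out);
        for (size_t k = 0; k < n; k++)
            printf("host sees %02X\n", out[k]);
    }
    printf("write lock: %d\n", f.disk_write_locked);
    return 0;
}
```

Keys that only looked like the start of the sequence reach the host late but in their original order, while the keys of a completed sequence never reach it.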
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102004038040 | 2004-08-02 | ||
DE102005014837A DE102005014837B4 (de) | 2004-08-02 | 2005-03-30 | Sicherheitsmodul und Verfahren zum Steuern und Kontrollieren eines Datenverkehrs eines Personalcomputers |
Publications (1)
Publication Number | Publication Date |
---|---|
HUE027444T2 true HUE027444T2 (hu) | 2016-09-28 |
Family
ID=35721621
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
HUE05782466A HUE027444T2 (hu) | 2004-08-02 | 2005-07-31 | Biztonsági modul és eljárás személyi számítógép adatforgalmának vezérlésére és ellenõrzésére |
Country Status (10)
Country | Link |
---|---|
US (1) | US20090077660A1 (hu) |
EP (3) | EP1714229B1 (hu) |
CY (1) | CY1117194T1 (hu) |
DE (2) | DE102005014837B4 (hu) |
DK (1) | DK1714229T3 (hu) |
ES (2) | ES2665946T3 (hu) |
HU (1) | HUE027444T2 (hu) |
PL (2) | PL2996062T3 (hu) |
SI (1) | SI1714229T1 (hu) |
WO (1) | WO2006012882A1 (hu) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102005014837B4 (de) | 2004-08-02 | 2007-08-30 | Mahltig, Holger | Sicherheitsmodul und Verfahren zum Steuern und Kontrollieren eines Datenverkehrs eines Personalcomputers |
US7970964B2 (en) * | 2008-11-05 | 2011-06-28 | Micron Technology, Inc. | Methods and systems to accomplish variable width data input |
WO2011005890A2 (en) * | 2009-07-07 | 2011-01-13 | Kuity Corp. | A hardware command filter matrix integrated circuit with restricted command enforcement capability |
CN104598821A (zh) * | 2015-01-15 | 2015-05-06 | 王宏伟 | 一种用于计算机病毒、木马、黑客通用防控方法及装置 |
CN110059478A (zh) * | 2019-01-22 | 2019-07-26 | 阿里巴巴集团控股有限公司 | 安全监测设备、方法、装置及存储介质 |
CN113810371B (zh) * | 2021-08-04 | 2023-04-18 | 苏州椰云科技有限公司 | 一种软硬件解耦平台的安全管理方法 |
Family Cites Families (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BE790650A (fr) * | 1971-10-27 | 1973-02-15 | Wirtgen Reinhard | Procede et dispositif pour fraiser des tapis routiers en beton ou en asphalte |
AU606854B2 (en) * | 1986-01-10 | 1991-02-21 | Wyse Technology, Inc. | Virtual peripheral controller |
US5146575A (en) * | 1986-11-05 | 1992-09-08 | International Business Machines Corp. | Implementing privilege on microprocessor systems for use in software asset protection |
US5144659A (en) * | 1989-04-19 | 1992-09-01 | Richard P. Jones | Computer file protection system |
US5263147A (en) * | 1991-03-01 | 1993-11-16 | Hughes Training, Inc. | System for providing high security for personal computers and workstations |
US5598531A (en) * | 1991-05-13 | 1997-01-28 | William Stanley Hill | Method and apparatus for preventing "disease" damage in computer systems |
IL103062A (en) * | 1992-09-04 | 1996-08-04 | Algorithmic Res Ltd | Data processor security system |
CA2137504C (en) * | 1993-12-09 | 1998-08-25 | Young W. Lee | Memory monitoring circuit for detecting unauthorized memory access |
JPH0834555A (ja) * | 1994-07-25 | 1996-02-06 | Canon Inc | シート搬送装置 |
DE19711998A1 (de) * | 1997-03-13 | 1998-09-17 | Francotyp Postalia Gmbh | Postverarbeitungssystem mit einer über Personalcomputer gesteuerten druckenden Maschinen-Basisstation |
IL120632A0 (en) | 1997-04-08 | 1997-08-14 | Zuta Marc | Multiprocessor system and method |
US6212635B1 (en) * | 1997-07-18 | 2001-04-03 | David C. Reardon | Network security system allowing access and modification to a security subsystem after initial installation when a master token is in place |
US6035423A (en) | 1997-12-31 | 2000-03-07 | Network Associates, Inc. | Method and system for providing automated updating and upgrading of antivirus applications using a computer network |
US6195730B1 (en) * | 1998-07-24 | 2001-02-27 | Storage Technology Corporation | Computer system with storage device mapping input/output processor |
EP1141805B1 (en) * | 1999-01-11 | 2008-05-07 | Myspace Ab | System for processing a security critical activity |
US6493824B1 (en) | 1999-02-19 | 2002-12-10 | Compaq Information Technologies Group, L.P. | Secure system for remotely waking a computer in a power-down state |
US6564326B2 (en) * | 1999-07-06 | 2003-05-13 | Walter A. Helbig, Sr. | Method and apparatus for enhancing computer system security |
EP1076279A1 (en) * | 1999-08-13 | 2001-02-14 | Hewlett-Packard Company | Computer platforms and their methods of operation |
WO2001077789A1 (de) * | 2000-04-06 | 2001-10-18 | Thomas Wespel | Verfahren und vorrichtung zum änderbaren definieren von zugriffsrechten auf computerdateien |
US6772263B1 (en) * | 2000-08-10 | 2004-08-03 | Serverworks Corporation | PCI arbiter with hot plug controller support |
US6813682B2 (en) * | 2000-09-29 | 2004-11-02 | Steven Bress | Write protection for computer long-term memory devices |
JP4334231B2 (ja) | 2001-04-16 | 2009-09-30 | ザクソン・アールアンドディ株式会社 | コンピュータウイルス検査装置及び半導体集積回路 |
US7149854B2 (en) * | 2001-05-10 | 2006-12-12 | Advanced Micro Devices, Inc. | External locking mechanism for personal computer memory locations |
MY134887A (en) * | 2001-06-29 | 2007-12-31 | Secure Systems Ltd | Security system and method for computers |
US20030018892A1 (en) | 2001-07-19 | 2003-01-23 | Jose Tello | Computer with a modified north bridge, security engine and smart card having a secure boot capability and method for secure booting a computer |
US7543334B2 (en) | 2001-08-27 | 2009-06-02 | Mcafee, Inc. | Update status alerting for a malware scanner |
US7426644B1 (en) * | 2001-12-05 | 2008-09-16 | Advanced Micro Devices, Inc. | System and method for handling device accesses to a memory providing increased memory access security |
US7322044B2 (en) * | 2002-06-03 | 2008-01-22 | Airdefense, Inc. | Systems and methods for automated network policy exception detection and correction |
EP1795993B1 (en) * | 2002-07-30 | 2018-02-28 | Fujitsu Limited | Method and apparatus for reproducing information using a security module |
AU2003900764A0 (en) * | 2003-02-20 | 2003-03-06 | Secure Systems Limited | Bus bridge security system and method for computers |
WO2004075056A1 (ja) | 2003-02-21 | 2004-09-02 | National Institute Of Advanced Industrial Science And Technology | ウイルスチェック装置及びシステム |
DE102005014837B4 (de) | 2004-08-02 | 2007-08-30 | Mahltig, Holger | Sicherheitsmodul und Verfahren zum Steuern und Kontrollieren eines Datenverkehrs eines Personalcomputers |
DE202004012280U1 (de) | 2004-08-02 | 2004-12-16 | Mahltig, Holger | Schaltung und Methode zur Verwaltung der Festplattendaten und Kontrolle des Zugriffs |
-
2005
- 2005-03-30 DE DE102005014837A patent/DE102005014837B4/de not_active Expired - Fee Related
- 2005-07-31 WO PCT/DE2005/001368 patent/WO2006012882A1/de active Application Filing
- 2005-07-31 HU HUE05782466A patent/HUE027444T2/hu unknown
- 2005-07-31 DK DK05782466.6T patent/DK1714229T3/en active
- 2005-07-31 ES ES15187499.7T patent/ES2665946T3/es active Active
- 2005-07-31 EP EP05782466.6A patent/EP1714229B1/de not_active Revoked
- 2005-07-31 ES ES05782466.6T patent/ES2562769T3/es active Active
- 2005-07-31 SI SI200532040T patent/SI1714229T1/sl unknown
- 2005-07-31 EP EP17206422.2A patent/EP3327608A1/de active Pending
- 2005-07-31 DE DE202005022130.9U patent/DE202005022130U1/de not_active Expired - Lifetime
- 2005-07-31 PL PL15187499T patent/PL2996062T3/pl unknown
- 2005-07-31 US US11/573,008 patent/US20090077660A1/en not_active Abandoned
- 2005-07-31 EP EP15187499.7A patent/EP2996062B1/de not_active Revoked
- 2005-07-31 PL PL05782466T patent/PL1714229T3/pl unknown
-
2016
- 2016-02-15 CY CY20161100118T patent/CY1117194T1/el unknown
Also Published As
Publication number | Publication date |
---|---|
EP2996062B1 (de) | 2018-01-17 |
DE102005014837B4 (de) | 2007-08-30 |
EP1714229B1 (de) | 2015-11-18 |
US20090077660A1 (en) | 2009-03-19 |
ES2665946T3 (es) | 2018-04-30 |
CY1117194T1 (el) | 2017-04-05 |
EP1714229A1 (de) | 2006-10-25 |
DK1714229T3 (en) | 2016-02-22 |
ES2562769T3 (es) | 2016-03-08 |
EP3327608A8 (de) | 2018-07-18 |
WO2006012882A1 (de) | 2006-02-09 |
PL1714229T3 (pl) | 2016-05-31 |
EP2996062A1 (de) | 2016-03-16 |
EP2996062A8 (de) | 2017-01-04 |
PL2996062T3 (pl) | 2018-07-31 |
DE202005022130U1 (de) | 2014-09-18 |
DE102005014837A1 (de) | 2006-02-23 |
EP3327608A1 (de) | 2018-05-30 |
SI1714229T1 (sl) | 2016-03-31 |