RU2231112C1 - Method for connecting personal computer - Google Patents

Abstract

FIELD: computer engineering; data-computing systems and networks.

SUBSTANCE: proposed method that can be used in integrity checkup networks to protect information resources in workstations, information and functional servers, and the like includes following procedures. After checkup clock signal is supplied in the course of bootstrap program code of trust bootstrap is loaded, protective system is checked for integrity, data on users and protective system adjustment are retrieved, personal computer initialization function is invoked involving user identification, user private password is requested and checked, then user's private interface is loaded in compliance with authority level submitted, and after that program instructions are loaded.

EFFECT: enhanced protection level, facilitated operation with system.

1 cl

Description

The invention relates to computer technology, namely to information computer systems and networks, and can be used in an integrity monitoring network to protect information resources in workstations, information and functional servers, etc.

The most important unrealized in the control system is the integrity function of the control system itself. At the same time, this system must be implemented in a fundamentally different way, so that it is possible to unauthorized to remove the software component of the control system only by disassembling the calculator, having previously removed the computer case, in the free slot of which the board of the hardware component of the integrity monitoring system is placed. In the case of hardware implementation of system control and integrity control during unauthorized removal of a software component, the possibility of uncontrolled functioning of the computer should be blocked, and for the convenience of working with a computer, the possibility of authorized removal of the software protection system without removing the hardware component (without disassembling the computer) should be provided.

There is a known system for protecting information resources of a computing system and the Secret Net network (see Secret Net Access Control System. User Guide, 1996). The system is a software package that can be installed on a stand-alone computer or on computers connected to a local area network.

The system solves the problem of monitoring the integrity (integrity) of files when the system is turned on. Recent versions of Secret Net also provide scheduled file integrity monitoring. In both cases, only a particular task of monitoring file integrity is solved with low efficiency.

A known method of controlling the stability of the functioning of programs by providing stability control for the required time interval (see RF patent No. 1709321, CL G 06 F 11/30, publ. 1992).

There is also a control and debugging method based on measuring the results at the end of the error detection, localization and error correction step, the measurement being carried out during the error detection by dividing the control test into intervals with the localization of the detected error on this interval or during the subsequent control test interval (see RF patent No. 2050588, class G 06 F 11/28, publ. 1995).

A disadvantage of the known methods is the need to separate the control parameters at different intervals, which always entails the appearance of errors and a subsequent system failure.

The closest known for its technical essence and the achieved result is the selected as a prototype method of connecting a personal computer, in which the program commands are supplied and the test clock is sent when loading program commands during the test mode (see, for example, RF patent No. 2138075 , CL 2050588, CL G 06 F 11/00, publ. 1999).

The disadvantage of this method is its relatively low efficiency.

The essence of the claimed invention is expressed in the aggregate of essential features sufficient to achieve the technical result provided by the invention, which is expressed in increasing the level of security by expanding the functions of the integrity monitoring system as part of expanding the functions of the software component, as well as the convenience of working with the protected system.

The specified technical result is achieved by the fact that in the method of connecting a personal computer, in which the program commands are supplied and the verification clock signal is supplied when loading the program instructions during the verification mode, after the verification clock signal is supplied when loading is performed, the program code of the trusted download module is sequentially loaded, checking the integrity of the protection system, searching for data about users and settings of the protection system, calling the function of initializing the equipment of persons the computer with user identification, as well as requesting and verifying the user's personal password, then they load the personal user interface in accordance with the granted level of authority and further download the program commands.

Comparison of the claimed technical solution with the prototype made it possible to establish compliance with its criterion of "novelty", since it is not known from the prior art.

The proposed method is industrially applicable by existing technical means and meets the criterion of "inventive step", because it does not explicitly follow from the prior art, while the latter does not reveal any transformations characterized by significant features distinguishing from the prototype to achieve this technical result.

Thus, the proposed technical solution meets the established conditions of patentability of the invention.

The other known technical solutions for a similar purpose with similar significant features by the applicant was not found.

The proposed method is as follows.

The main parts of the personal computer BIOS responsible for processing hardware interrupts, SMI, POST, as well as the interactive setup program "Setup" are contained in separate packed "files". The unpacked form contains only the code necessary for initializing the chipset and checking for the presence of memory, as well as the unpacking procedure. This code takes control after powering up or resetting the processor at address 0FFFFFFF0h, where the command “jmp far ptr 0F000h: 0E05Bh” is located, which transfers control to the initial equipment initialization (POST) subroutine. Next, the primary memory is checked and, if the check gave a positive result , copying part of the BIOS image F000h: 0000h - 0F000h: 0FFFFh to the 2000h segment. Then, the “file” “original, tmp” is unpacked into RAM at the addresses 5000h: 0000h - 6000h: 0FFFFh. After that, the copy_segE_segF_2 function is called in line 2000h: 0Е4С6h. which permits it writes to the “shadow” region of memory from the address 0E0000h no 0FFFFFh, and then copies to this region either the unpacked “file” if the checksum matches or, if the sums do not match, the 1000h segment containing an exact copy of the F000 segment for further recovery attempts BIOS contents. After copying, the function prohibits writing to the E000 and F000 segments, thus fully simulating the operation of the ROM, however, this process significantly increases the further execution speed of the program. Next, on line 2000: E4CE, the “jmp far ptr F000: F80D” command is executed, transferring control to the copied area. From this moment, the program is executed in RAM, but with a forbidden entry. First, it copies the remainder of the 4000h segment to the 0E000h segment (after allowing recording). Next, the program transfers control in turn to each function from the POST table. The last function in this table executes the int 19h command, loading the operating system.

The results of the POST (Power-on self test) study allowed us to develop a method for ensuring trusted loading of the PC operating system, implemented by embedding the program code of the "trusted loading module" in the BIOS and calling it at the initial stage of the BIOS operation. The trusted boot module is designed to verify user privileges with a personal computer.

Work algorithm:

- turning on the power button of the PC;

- loading BIOS;

- starting the bootloader BIOS;

- memory check and BIOS checksum;

- start POST procedures;

- when performing procedure No. 8Bh, loading the program code of the "trusted boot module";

- verification of the integrity of the protection system;

- Search in the computer's EEPROM for data about users and settings of the protection system;

- call the equipment initialization function;

- conducting user identification;

- request and verification of the user's personal password;

- loading the personal user interface in accordance with its level of authority,

- continuation of the BIOS.

Unlike the known implementation methods (Dallas Lock, Secret Net, Accord), the proposed method does not require the installation of additional hardware devices in the expansion slots of the PC, uses standard BIOS procedures and provides verification of user rights at the very early stage of the PC, which significantly reduces the possibility of obtaining unauthorized access to information resources.

Claims (1)

A method of protecting information resources of a personal computer, in which the program commands are supplied and a verification clock signal is supplied when loading program instructions during the verification mode, characterized in that after the verification clock signal is supplied during loading, the program code of the trusted download module is sequentially loaded, integrity checking security systems, searching for data about users and settings of the security system, calling the initialization function of personal computer equipment EPA to conduct user authentication, as well as request and check user personal password, then perform the download of the user's interface, in conformity with the level of authority and further loading of program instructions.