RU2770136C1 - Method for protecting a computer system from unauthorised access to information, implemented at the hardware platform level by means of virtualisation mechanisms, and apparatus for implementation thereof - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: apparatus implementing the method for protecting a computer system from unauthorised access includes an information protection system including a controller and a memory connected to a computer bus, a hypervisor of a first type with a launch subsystem, a compartmentalisation subsystem, an administration subsystem, and an event registration subsystem, implemented on the basis of one or multiple central processors, as well as a chipset, a memory, computer bus, a drive on a hard disk, a solid-state drive, a USB flash drive, a keyboard, a mouse, an optical disk, a network card, a video card, a monitor, a printer, a scanner, a multifunction apparatus.

EFFECT: increased security of the computer system.

5 cl, 2 dwg

Description

This invention relates to the field of computer security, in particular, it is used in the creation of secure computer systems designed to transmit, process and store confidential information, including those used as part of secure local networks of enterprises and organizations.

A computer system can be single-user and multi-user computing equipment (hereinafter referred to as SVT), workstations (hereinafter referred to as AWS), network routers, etc.

A computer system hardware platform is understood as a set of embedded firmware based on central processors (for example, Intel, AMD, ARM, etc.) and commercially available hardware components that determine the architecture of a computer system.

The method of protecting a computer system from unauthorized access (hereinafter - UA) to information, implemented at the level of a hardware platform, is applicable to computer systems regardless of the operating systems installed in them.

The boundary conditions for applying the method of protecting a computer system from unauthorized access to information implemented at the hardware platform level are determined only by the presence of support for virtualization technology in hardware devices that are part of the computer system (for example, determining the x86 / x64 architecture, etc.).

A device for implementing a method for protecting a computer system from unauthorized access to information, implemented at the level of the computer system hardware platform, provides only a wired connection of peripheral devices. For example, peripheral devices using USB, VGA interfaces, etc.

The prior art method of trusted boot in virtualized environments RU 2581552 C2 [IPC G06F 21/31, G06F 21/41, G06F 21/64. Application No. 2014136615/08, 09/10/2014; published on 20.04.2016 in Bull. No. 11], which includes creating a partition on the hard disk of a virtualized environment with a bootloader that provides trusted boot of virtual machines, adding a trusted boot firmware module to the virtual BIOS, starting the virtual machine, and configuring the bootloader. With the subsequent restart of the virtual machine, authentication of the user of the virtual machine, control of the integrity of the files of the virtual machine. The disadvantage of this method is that it is intended for virtual machines, and not for physical CVTs. Any virtual machine without a trusted CVT boot can be compromised. Components that are launched before the start of virtual environments (for example, a type 1 hypervisor that controls the operation of virtual machines, a virtual environment loader, etc.) are located in an unprotected environment (unprotected hard drive, real BIOS, etc.), respectively may be compromised.

The proposed technical solution provides for the location of the protection system components in a hardware device, including in a protected version, provides trusted loading of both CVT and virtual environments, and, accordingly, cannot be compromised.

The purpose of the proposed technical solution is to improve computer security, namely:

- prevention of the creation in a computer system of covert channels of unauthorized transmission of protected information from hardware devices and firmware built into the devices of the computer system hardware platform;

- isolation of control data and software of the computer system from hardware devices (buses and devices) and firmware built into the devices of the computer system hardware platform;

- management of information flows between virtual machines and physical hardware devices (buses and devices) of a computer system.

The technical result of the invention is:

- ensuring trusted loading of the hardware platform;

- creating a secure operating environment for the virtual machine;

- emulation of hardware devices of a computer system, including computing resources of a computer system;

- emulation of the firmware code (in particular, the basic input-output system, etc.) necessary for the functioning of the virtual machine;

- the prohibition of providing virtual machines with information about the actual composition of the hardware resources of the computer system;

- prohibition of providing direct access of a virtual machine to the hardware devices of a computer system, except for devices certified according to the requirements of information protection by state authorities of the country for use in a computer system;

- prohibition of correspondence of the emulated hardware devices to the hardware devices of the computer system in order to ensure the impossibility of exploiting the vulnerabilities of the hardware platform devices for any software running inside the virtual machine;

- access control of access subjects to access objects (virtual machines to the hardware devices of the computer system and hardware devices of the computer system to the computing resources of the computer system associated with the operation of the virtual machine);

- access control of the subjects of access to the memory involved in the processing of information (in particular, RAM);

- managing the access of subjects of access to the memory involved in the storage of information (in particular, delimiting access to information media, including sections of information media);

- managing the hardware configuration of a computer system in order to control the invariance of the hardware configuration;

- management of information flows between virtual machines during network interaction through a firewall;

- application of reversible transformation of information to maintain confidentiality;

- protection of the storage of the executable code and data of the information security system (hereinafter referred to as the IPS);

- protecting the storage of parameters of the firmware code of the hardware platform (in particular, the basic input-output system).

The claimed technical result is achieved:

- preliminary preparation of the hardware platform, consisting of:

neutralization of devices of the hardware platform of a computer system that are not involved in the processing, storage and transmission of information or that pose a threat to the security of information,

elimination of redundancy of the executable code of the firmware code of the hardware platform,

elimination of redundancy of the executable code of privileged modes of functioning of the hardware platform of the computer system and its protection from modification;

- ensuring trusted loading of the hardware platform of the computer system;

- ensuring trusted loading of the information security system;

- ensuring the protection of the firmware code of the hardware platform from analysis;

- ensuring the protection of the executable code of the information protection system from analysis;

- prohibition of updating the firmware code of the hardware platform, including the remote one;

- clearing memory areas containing information protection system data and virtual machines in storage devices before they are allocated or reused;

- cleaning areas of RAM of the hardware platform of the computer system before their allocation or reuse;

- implementation of the features of the architecture of the information security system;

- isolation of virtual machines;

- implementation of the features of information transfer between virtual machines in a computer system;

- emulation of hardware devices of a computer system;

- self-testing of protection mechanisms of the information protection system;

- restoration of a safe state of the computer system;

- definition of subjects and objects of access at the level of the hardware platform;

- processing by the information protection system of virtual machine requests for access to physical hardware devices of the computer system in the following order:

the virtual machine makes a request for access to physical hardware devices based on the provided virtual resources,

the information protection system collects the data or parameters contained in the request of the virtual machine,

the information security system, based on the collected data or parameters and in accordance with the rules for restricting access of access subjects to access objects, checks the eligibility of the request,

if the check result is positive, the information protection system converts data or parameters of virtual computing resources into data or parameters of physical computing resources and transmits the converted request to the corresponding physical hardware device, and if the check result is negative, the request is rejected;

- processing by the information security system of requests from physical hardware devices of the computer system for access to the virtual machine in the following order:

physical hardware devices of a computer system make a request for access to virtual computing resources based on the parameters of physical computing resources,

the information security system collects data or parameters in requests from physical hardware devices, the information security system, based on the collected data and in accordance with the rules for distributing access of access subjects to access objects, checks the eligibility of the request,

if the check result is positive, the information protection system converts the data or parameters of the physical computing resources of the computer system into data or parameters of virtual computing resources and transmits the converted request from the physical hardware device of the computer system to the virtual machine, and if the check result is negative, the request is rejected;

- management of the hardware configuration of the computer system at the start of the computer system by implementing:

determination by the information protection system of the actual composition of all hardware devices, as well as the parameters of their functioning,

initial verification of the compliance of the actual composition of all hardware devices of the computer system, including peripheral devices, with the list of hardware devices allowed by the information security system for use as part of the computer system, as well as the compliance of the parameters of the physical hardware devices identified in the computer system with the permitted parameters set by the information security system for given composition of hardware devices,

setting for each role provided by the information protection system, a list of physical hardware devices allowed for use within this role,

blocking the computer system when a hardware device is detected that is not on the list of hardware devices allowed by the information protection system to be used as part of the computer system for the roles of users and administrators,

blocking the computer system if the parameters of the identified physical hardware devices do not match the allowed parameters set by the information protection system for the given composition of the hardware devices of the computer system for the roles of users and administrators;

- computer system hardware configuration management during computer system operation, providing layered protection against unauthorized changes in the computer system hardware configuration, from creating covert channels of unauthorized access, both to the computing resources of the computer system, and to the software environment of the virtual machine and to user processed data subject to protection from UA to information, and based on:

periodic verification of the composition of the hardware of the computer system and the parameters of their functioning,

continuous analysis of requests from the physical hardware devices of the computer system for access to the computing resources of the computer system (including those related to the functioning of the virtual machine);

- managing the hardware configuration of the computer system when the computer system is operating in maintenance mode, implementing:

implementation of continuous monitoring by the information protection system of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device,

support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system,

maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system,

the ability to change the list of hardware devices allowed for use as part of a computer system and the list of hardware devices allowed for each role provided by the information security system;

- managing the hardware configuration of the computer system when the computer system is operating in the audit mode, implementing:

implementation by the information protection system of continuous monitoring of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device,

support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system,

maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system,

disabling hardware devices and blocking the operation of the computer system when connecting a hardware device that is not on the list of hardware devices allowed for use as part of a computer system,

blocking the operation of the computer system by the information security system when changing the parameters of the functioning of hardware devices;

- managing the configuration of the hardware of the computer system during the operation of the computer system in the operational mode, realizing:

implementation by the information protection system of continuous monitoring of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device,

support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system,

maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system,

disabling hardware devices and blocking the operation of the computer system when connecting a hardware device that is not on the list of hardware devices allowed for use as part of a computer system,

blocking the operation of the computer system by the information security system when changing the parameters of the functioning of hardware devices;

- granting access to users to computer system resources or to virtual machines only through roles with unique identifiers assigned based on the results of user identification and authentication;

- an unambiguous prohibition to request access of any unidentified subject of access to any access objects,

- a ban on any requests for direct access between physical hardware devices or buses of a computer system, except for devices certified for information security requirements by government authorities of the country where the computer system is used, and virtual machines;

- configuring the protection of RAM using the information protection system from direct access from the hardware devices of the computer system, namely:

receiving from a hardware device by the information protection system a list and parameters of allowed devices of a computer system,

formation by the information security system of a list of devices allowed for use as part of a computer system with the possibility of direct access to memory,

receipt by the information protection system of direct memory access parameters from devices permitted for use as part of a computer system,

by configuring the information protection system, it is protected using the received parameters for direct access to RAM from devices allowed for use as part of a computer system;

- protection of the RAM of the computer system from direct access from the hardware devices of the computer system, provided by the information security system and including:

generating requests for direct access to RAM from the physical hardware devices of the computer system;

collection by the information protection system of data or parameters contained in requests for direct access to RAM from hardware devices;

verification by the information security system of the collected request parameters in accordance with the access matrix, if the parameters contained in the request correspond to the parameters of direct memory access from devices allowed for use as part of a computer system,

resolve the request, otherwise block the request,

registration by the information protection system of a request blocking event in the event log;

- differentiation of access to external media or from external media, including:

allowing only one virtual machine to interact with an external storage device, while the external storage device becomes unavailable for interaction with other virtual machines,

sequential use of an external storage device by virtual machines when exchanging information between virtual machines,

providing access of several virtual machines to the shared drive of information in read-only mode;

- the implementation by the information security system of filtering network traffic for each network interaction protocol in accordance with access matrices both for requests coming from a virtual machine and for requests coming from a physical network card, taking into account checking the type of request received from the virtual machine on its compliance with the access control rules established for the levels of the OSI model or for the protocols corresponding to them, as well as taking into account the verification of the data contained in the request of the virtual machine for their compliance with the access attributes established by the information protection system,

- implementation of the event registration information protection system in all modes of operation, for each event registered in the event log, the following information is stored on the date and time of the event, the subject of access that caused the event to be registered, the type of event (when registering an event associated with access, information is also stored about the object and type of access), the success of the event.

The device that implements the proposed method includes an information security system containing a controller, memory, including a protected version, connected to a computer bus, a first type hypervisor with a startup subsystem, an access control subsystem, an administration subsystem and an event registration subsystem, implemented on the basis of one or multiple CPUs, as well as chipset, memory, computer buses, hard disk drive, solid state drive, USB flash drive, keyboard, mouse, CD/DVD/Blu-ray optical drive, network card, video card, monitor, printer , scanner, multifunction device.

PCI, PCIExpress, SMBus, USB, ATA, SATA, PS/2, SCSI, SAS, Fiber Channel, InfiniBand, I2C, SPI, Fire Wire, DMI, HyperTransport, Thunderbolt can be used as computer buses.

An example of the implementation of the proposed method and device.

Consider the stage-by-stage preliminary preparation of the hardware platform:

a) shutdown (neutralization) of hardware platform devices of the computer system that are not involved in the processing, storage and transmission of information or pose a threat to information security.

Disabling (neutralizing) devices of the hardware platform of a computer system that are not involved in the processing, storage and transmission of information or that pose a threat to the security of information includes the implementation of the following measures:

• physical disconnection in the hardware platform of the computer system, if possible, the power supply of the host bus controllers that are not involved in the processing and transmission of information or pose a threat to the security of information. If it is not possible to physically turn off the power supply of the host bus controllers, their operation must be neutralized by blocking unused hardware interfaces (ports, connectors, slots);

• physical disconnection in the hardware platform of the computer system, if possible, the power supply of devices that are not involved in the processing, storage and transmission of information or pose a threat to the security of information:

- devices using wireless communication channels (for example, WiFi, 3G, Bluetooth, NFC, etc.);

- devices that allow tracking user actions (for example, webcam, microphone, positioning modules, sensors, etc.);

- devices for remote control of the hardware platform of the computer system;

- power management devices for the hardware platform of the computer system.

• if it is not possible to turn off the power supply of the specified devices, they were neutralized by removing the firmware code embedded in them, which creates threats to information security.

• if a part of the embedded firmware code does not pose a threat to the security of information in the hardware platform of the computer system and cannot be removed without stopping the operation of the corresponding device, convincing evidence is provided that it is impossible to pose a threat to the security of information in the hardware platform of the computer system when using the specified code;

• unused hardware interfaces (ports) of the following devices are blocked in the hardware platform of the computer system: video adapter, wired network adapter, audio controller, expansion devices (cards), etc.;

b) elimination of redundancy in firmware code hosted in commercial hardware platforms.

Redundant executable code for various stages of initialization/operation of the firmware code has been removed from the composition of the firmware code of the hardware platform of the computer system.

For example, in the basic I / O system removed:

• components that implement network card drivers and network protocol stack;

• components that implement standard file systems (FAT, NTFS, exFAT, etc.);

• components that implement the Computrace software;

• Intel Management Engine support components;

• components that implement EFI shells (Shell), from under which you can run various EFI applications;

• components that implement EFI applications;

• etc.;

c) elimination of redundancy of the executable code of privileged modes of functioning of the hardware platform of a computer system and its protection from modification.

The executable code of the components for updating the firmware code of the computer system hardware platform (for example, UEFI BIOS in SMM mode) has been removed from the composition of the executable code of the privileged modes of functioning of the hardware platform of the computer system;

Consider the provision of trusted loading of the hardware platform of a computer system.

IPS provides trusted loading of the computer system hardware platform with sequential confirmation of the integrity of the firmware components of the computer system hardware platform participating in the trusted loading chain.

In this case, the transfer of control functions to the next firmware component of the computer system hardware platform participating in the trusted boot chain is carried out from the previous firmware component of the computer system hardware platform only when the integrity of this component is confirmed.

If there is no confirmation of the integrity of any of the firmware components of the computer system hardware platform participating in the trusted boot chain, further booting of the computer system is prohibited.

Before starting a trusted boot, the information security system ensures the authenticity of the firmware code of the hardware platform of a computer system (for example, the basic input-output system) used during trusted boot.

The firmware code of a computer system hardware platform (for example, a basic input/output system) used in trusted booting of a computer system is protected from unauthorized modification by implementing the following measures:

- removal of firmware code update components from the firmware code, including in privileged modes of operation of the hardware platform,

- ensuring the immutability of the firmware code of the hardware platform of the computer system (for example, complete blocking of changes in the contents of the flash memory by means of a flash memory chip).

The firmware code of the hardware platform of the computer system transfers control only to the firmware of the information security facility.

When you try to download non-standard software, the SZI blocks the loading of the hardware platform of the computer system.

The firmware code of the hardware platform excludes the possibility for the software of the computer system to use the power consumption modes of the hardware platform that violate the trusted boot chain.

Let's consider the provision of trusted download of the information security facility.

Trusted loading of the IPS is ensured by building a chain of trusted loading, in which each component of the IPS participating in the chain of trusted loading of the IPS, upon completion of its initialization, confirms the integrity of the next component before transferring control to it.

If there is no confirmation of the integrity of any component of the information security system participating in the trusted download chain, further loading of the information security system and the operation of the computer system are terminated.

Consider ensuring the protection of the firmware code of the hardware platform and the executable code of the information security facility from analysis.

Protection of the firmware code of the hardware platform from analysis is provided by special methods. For example, UEFI BIOS protection from parsing is provided by:

• obfuscation of program code,

• depersonalization of the initialization stage,

• depersonalization of the component storage,

• depersonalization of the component representation format in the UEFI BIOS,

• etc.

Ensuring the protection of the IS executable code from analysis is carried out by obfuscation of the IS executable code.

Let's consider ensuring the prohibition of updating the firmware code of the hardware platform, including the remote one.

The following measures are implemented in the hardware platform of the computer system to prohibit updating the firmware code used for trusted loading of the computer system hardware platform, including remote ones:

- firmware update components were removed from the firmware code, including in privileged modes of operation of the hardware platform (for example, UEFI BIOS update components, including in SMM mode),

- the immutability of the firmware code of the hardware platform of the computer system is ensured (for example, by completely blocking changes in the contents of the flash memory by means of a flash memory chip).

Recovery of the firmware code of the hardware platform, including in case of failures of the hardware platform of the computer system, is provided only as part of the procedures for restoring the safe state of the hardware platform of the computer system.

Consider the implementation of the features of the architecture of the information security system.

In a computer system, with the help of the information security facility, the creation of a protected environment for the functioning of a virtual machine is ensured - as a combination of an isolated execution environment of a virtual machine and emulated hardware resources by:

• isolation of the IS executable code from the software of the computer system by setting higher powers (system privileges) for it,

• establishment of prohibition of support of file systems used in the computer system of operating systems by the executable code of the information security facility,

• non-volatile storage and support by the IPS hardware device of integrity control using checksums/hashes/cryptographic values stored in the IPS hardware device:

- parameters of the firmware code of the hardware platform (for example, the basic input-output system),

- DRP related to user roles,

- executable IPS code,

- checksums/hashes/cryptographic values,

- a list of the composition of the hardware resources of the computer system used to control the hardware configuration,

- event logs.

Let's consider ensuring the cleaning of memory areas containing data of the information security facility and virtual machines in storage devices before their allocation/reuse.

Before allocating/reusing memory areas in storage devices containing data of the SIS and virtual machines, the SZI cleans these areas, for example, by filling them with random values or "zeroes".

Let's consider ensuring the cleaning of areas of RAM of the hardware platform of a computer system before their allocation/reuse.

Before allocating/reusing the RAM areas of the hardware platform of the computer system for the IPS and virtual machines, the IPS cleans these areas, for example, by filling them with random values or "zeros".

Consider providing virtual machine isolation.

Virtual machines are allocated a unique set of resources. SZI provides allocation of the following quotas for their use by virtual machines:

- quotas of computer system computing resources (number of CPU cores, processor model, etc.),

- quotas for the use of memory resources,

- quotas for the use of data storage resources (storage devices/partitions of data storage devices).

Consider the implementation of the features of information transfer between virtual machines in a computer system.

The transfer of information between virtual machines is carried out in the operational mode of the information security system only through virtual devices (virtual network adapters, virtual removable storage media, etc.). Any other operations leading to direct transfer of information between virtual machines are prohibited.

Let's consider emulation of hardware devices of a computer system.

SZI provides software emulation of hardware resources of a computer system. An example of the composition of the computing resources of a computer system (taking into account the virtual computing resources created by the information security system) and the parameters characterizing each computing resource of a computer system are shown in Table 1.

SZI provides software emulation of the used firmware code (for example, the basic input-output system).

When emulating an information storage device (for example, a hard drive, etc.) in the information security facility, it is possible to provide software obfuscation of the stored data in order to significantly complicate their analysis.

Consider the registration of events in a computer system.

The information security system of work provides registration of the following events:

• events of launch, operation and shutdown of the hypervisor and virtual machines:

• hypervisor startup and shutdown events, virtual machine startup and shutdown events;

• user authentication events;

• events associated with the firmware code of the hardware platform (for example, the basic input-output system):

- events of checking the authenticity of the firmware code of the hardware platform (for example, the basic input / output system) used during trusted boot,

- events related to the transfer of control from the firmware code of the hardware platform (for example, the basic input / output system) to the software located on the corresponding data storage devices;

• events associated with changes in the composition and parameters of the functioning of the hardware devices of the computer system;

- events related to changes in the composition of the hardware devices of the computer system,

- events associated with a change in the parameters of the functioning of the hardware devices of the computer system;

• events related to integrity violations:

- events related to violations of the integrity of the firmware components of the hardware platform of the computer system participating in the trusted boot chain,

- events related to the violation of the integrity of the executable codes and data of the IPS control, both during the launch of the IPS, and during its operation,

- events related to the actions carried out by the mechanism of automatic recovery of a safe state of the hardware platform of the computer system;

• events related to attempts to violate access control rules:

- events related to unsuccessful attempts to identify and authenticate the user,

- events related to unauthorized launch of IPS configuration tools,

- events related to attempts to access the hardware resources of the computer system;

• events related to unauthorized change of set quotas:

- events related to unauthorized exceeding of the established quotas of computer system computing resources for virtual machines,

- events related to unauthorized exceeding of the set quotas of memory resources for virtual machines,

- events related to unauthorized exceeding of the set quotas for the use of storage resources by virtual machines.

For each logged event, the following information is stored in the event log:

- date and time of the event,

- the access subject that causes the logged event,

- event type (when registering an event related to access, information about the object and type of access is also stored),

- the success of the event.

Consider restoring a computer system to a safe state.

The information security system ensures the restoration of a safe state with the following operations and procedures:

• operations to stop the execution of virtual machines until a safe state of the computer system is restored;

• operations of transferring the information security system to the service mode;

• procedures for registering in the event log information about a violation of the safe state of a computer system, as well as actions of the information security system.

The IPS supports a maintenance mode in which only a user of the "Security administrator" category is allowed to perform any actions, which can perform:

• identification of the reasons for violation of the safe state of the hardware platform of the computer system;

• analysis of the reasons for the transition of the information security system to the maintenance mode;

• restoration of a safe state of the hardware platform of the computer system in accordance with the procedures given in the operational documentation.

Let's consider self-testing of IPS protection mechanisms.

To maintain a safe state of the computer system, the information security system performs a set of self-testing procedures:

• in the process of loading the information security facility;

• Periodically in the process of functioning of the information security facility;

• in the process of changing the IPS control data in the service mode.

During the self-testing of the IPS protection mechanisms, the integrity of the control data and the executable code of the IPS is verified.

In the method of protecting a computer system from unauthorized access to information implemented at the level of a hardware platform, the following are considered as subjects of access:

- virtual machines, as special processes created by the information security system for the implementation of an isolated virtual computing system in which general system and application software (software) operates;

- the physical hardware devices (buses and devices) of a computer system.

As objects of access to be protected from unauthorized access to information implemented at the level of the hardware platform, the following are considered:

- virtual machines;

- the physical hardware devices (buses and devices) of a computer system.

A secure computer system uses a hardware platform that includes:

- elimination of functional redundancy of non-reconfigurable hardware platform devices and functional redundancy of the firmware code of reconfigurable hardware platform devices participating (including indirectly) in the information processing process;

- shutdown or neutralization of devices that are part of the system (motherboard) board and are not involved in the processing of information or pose a threat to information security;

- elimination of functional redundancy of the firmware code located in the hardware platforms (the firmware code of the basic input-output system, the firmware code of the chipset, etc.);

- protection of the microprogram code (basic input-output system, etc.) from analysis;

- the immutability of the modified or removed firmware code (the firmware code of the basic input-output system, the firmware code of the chipset, etc.).

To protect the computer system from unauthorized access to information at the level of the hardware platform, a hardware-firmware information security system is used, which is an integral part of the hardware platform.

The hardware part of the information security system is represented by a device, including a protected version, that provides non-volatile storage:

- parameters of the firmware code of the hardware platform (for example, the basic input-output system);

- access control rules (hereinafter referred to as DRP);

- executable code of the information security facility;

- checksums/hashes/values of reversible transformation of information;

- control data used by the information security system to implement the control and security functions of a computer system;

- event logs.

The firmware part of the information security system can have both monolithic and modular architecture and consists of several subsystems.

Figure 1 shows a simplified basic diagram of the functioning of the information security platform built into the typical architecture of the hardware platform, which provides protection of the computer system from unauthorized access to information, in which 1 is a virtual machine, 2 is an information security facility, 3 is the hardware of the computer system, i.e. physical hardware devices (devices/buses). Figure 1 shows only one virtual machine, but there can be multiple virtual machines.

In accordance with the diagram shown in Figure 1, the general system and application software of the computer system is installed and operates at the level of virtual machine 1.

The basis of the SZI 2 is a hypervisor of the 1st type, which uses hardware virtualization of RAM and a system of commands for firmware operating at the level of hardware virtualization provided by the central processor of a computer system.

The IPS provides a virtual machine with interfaces for interacting only with virtual computing resources created by the IPS. In this case, the virtual machine perceives the virtual computing resources created by the IPS as physical computing resources of the computer system. The virtual machine does not have specialized interfaces for interaction with other IPS subsystems, including the type 1 hypervisor.

Figure 2 shows a simplified architecture of the information security system, which is a combination of the main subsystems, as well as the relationship between subsystems, where 4 is the subsystem for launching the information security system (includes support for the hardware device of the information security system), 5 is the access control subsystem, 6 is the administration subsystem (working with the user ), 7 - event registration subsystem (event registration log).

The launch subsystem of the information security system provides the following main functions:

- support for the hardware device of the information security system as part of the firmware code of the hardware platform (for example, the basic input-output system);

- trusted download;

- control of the integrity of the firmware code of the hardware platform;

- storage of parameters of the firmware code of the hardware platform.

The access control subsystem provides the following main functions:

- memory management (allocation, release and mapping of physical memory into the address space of the virtual machine);

- management of the execution priority of the executable code;

- management of software interfaces of the information security facility;

- time and timer management;

- user authentication;

- management of the operating modes of the information security facility;

- control of the composition of the hardware of the computer system;

- protection of RAM from the hardware of the computer system;

- self-testing of SZI protection mechanisms;

- control and differentiation of access between virtual devices and hardware of a computer system;

- management of information carriers;

- data conversion of information carriers;

- network traffic filtering;

- support for virtual devices and hardware of the computer system;

- hypervisor.

The subsystem of administration (work with the user) provides the following main functions:

- setting the operation parameters of the information security system, as well as the virtual machine;

- work (for example, viewing) with the event log.

The event logging subsystem (event log) provides the primary function of event logging.

The basic scheme of the functioning of the information security system, built into the typical architecture of the hardware platform and ensuring the protection of a computer system from tampering with information, is based on:

- on processing requests from a virtual machine for access to physical hardware devices (buses and devices);

- processing requests from physical hardware devices, including hardware platform devices (buses and devices), for access to a virtual machine.

The information security system provides processing of virtual machine requests for access to physical hardware devices of a computer system in the following order:

1. The virtual machine makes a request for access to physical hardware devices based on the provided virtual resources.

2. IPS collects (intercepts) the data/parameters contained in the virtual machine request.

3. Based on the collected (intercepted) data/parameters and in accordance with the PRD of the subjects of access to the access objects, the information security system checks the eligibility of the request.

4. If the verification result is positive, the IPS converts data/parameters of virtual computing resources into data/parameters of physical computing resources and transmits the converted request to the corresponding physical hardware device.

5. If the verification result is negative, the request is rejected.

In this case, you need to understand that the access control rules (ADR) take into account / include the check:

- identification data of the virtual machine contained in the request, with data of the information security facility, as well as the type of virtual resource and the type of request made by the virtual machine.

- compliance of the data/parameters contained in the request of the virtual machine with the specification (for example, the information security facility ensures that devices strictly follow the instructions defined by the specifications for these devices by monitoring the lists of allowed instructions and rejecting any instructions that do not correspond to the list of allowed instructions);

- additional DRPs of subjects of access to access objects (for example, when accessing information storage devices, sections of information storage devices, a network card);

- etc.

The information security system provides processing of requests from physical hardware devices of a computer system for access to a virtual machine in the following order:

1. Physical hardware devices (buses and devices) of a computer system make a request for access to virtual computing resources based on the parameters of physical computing resources.

2. The information security system collects (intercepts) data/parameters in requests from physical hardware devices.

3. Based on the collected (intercepted) data/parameters and in accordance with the PRD of the subjects of access to the access objects, the information security system checks the eligibility of the request.

4. If the verification result is positive, the IPS converts the data/parameters of the physical computing resources of the computer system into data/parameters of virtual computing resources and transmits the converted request from the physical hardware device of the computer system to the virtual machine.

5. If the verification result is negative, the request is rejected.

In this case, you need to understand that the DRP takes into account / includes the check:

- identification data of the physical hardware device of the computer system and/or identification of the type of hardware device and the type of request;

- data/parameters contained in the request from the physical hardware devices of the computer system for their compliance with the specification (for example, the information security facility ensures that the hardware platform devices strictly follow the instructions defined by the specifications for these devices by monitoring the lists of allowed instructions and rejecting any instructions that do not correspond to the list of allowed instructions);

- additional DRPs of subjects of access to access objects (for example, when accessing information storage devices, sections of information storage devices, a network card);

- etc.

The method of protecting a computer system from unauthorized access to information, implemented at the hardware platform level, provides for the following functions:

- management of the hardware configuration of the computer system;

- access control;

- management of information flows.

Consider hardware configuration management.

IPS provides hardware configuration management at computer system start-up and in computer system operating modes established by IPS, including:

- when starting the computer system:

determination of the actual composition of all hardware devices, as well as the parameters of their functioning;

primary verification of the compliance of the actual composition of all hardware devices of the computer system, including peripheral devices, with the list of hardware devices permitted by the information security facility for use as part of the computer system, as well as the compliance of the parameters of the physical hardware devices identified in the computer system with the security attributes (permitted parameters) established by the information security facility for this composition of hardware devices;

establishing for each role provided by the information security facility, a list (list) of physical hardware devices allowed for use within this role;

blocking the computer system when any hardware device is detected that is not in the list of hardware devices allowed by the information security facility to be used as part of the computer system for the roles of users and administrators;

blocking the computer system if the parameters of the detected physical hardware devices do not match the security attributes (permitted parameters) set by the information security facility for the given composition of the hardware devices of the computer system for the user and security administrator roles;

- in maintenance mode:

continuous monitoring of the functioning parameters of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the security attributes (allowed parameters) set by the information security system for a particular type of device;

support in the information security information management data of a list of hardware devices allowed for use as part of a computer system (white list);

support in the information protection information management data of the list of hardware devices of the computer system allowed for each role provided by the information protection system;

the ability to change the list of hardware devices allowed for use as part of a computer system (white list) and the list of hardware devices allowed for each role provided by the information security facility;

- in audit mode:

continuous monitoring of the functioning parameters of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the security attributes (allowed parameters) set by the information security system for a particular type of device;

support in the information security information management data of a list of hardware devices allowed for use as part of a computer system (white list);

support in the information protection information management data of the list of hardware devices of the computer system allowed for each role provided by the information protection system;

disabling hardware devices and / or blocking the operation of a computer system when connecting any hardware device that is not on the list of hardware devices allowed for use as part of a computer system;

blocking the operation of a computer system by the information security system when changing the parameters of the functioning of hardware devices;

- in operational mode:

continuous monitoring of the functioning parameters of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the security attributes (allowed parameters) set by the information security system for a particular type of device;

support in the information security information management data of a list of hardware devices allowed for use as part of a computer system (white list);

support in the information protection information management data of the list of hardware devices of the computer system allowed for each role provided by the information protection system;

disabling hardware devices and / or blocking the operation of a computer system when connecting any hardware device that is not on the list of hardware devices allowed for use as part of a computer system;

blocking the operation of a computer system by the information security system when changing the parameters of the functioning of hardware devices.

Consider access control.

Access control includes:

- role-based access control.

- access control of access subjects to access objects, including:

basic access control of access subjects to access objects;

access control of access subjects to information storage devices;

access control of access subjects (hardware devices of a computer system) to RAM.

Consider role-based access control.

Role-based access control in a computer system, considered in this technical solution, is the basis for access control, since the creation of virtual machines and the provision of virtual machines with access to physical hardware devices of a computer system is carried out in accordance with the role-based access model.

The access control in a computer system based on roles, considered in this technical solution, is characterized by a key feature, which consists in the fact that access to the resources of a computer system is provided only through roles.

In this case, the role is understood as a set of opportunities provided to the user in the session of the computer system, depending on the duties performed by the user (for example, processing and storing information).

A role is characterized by a role profile and is associated with a unique role identifier assigned based on the results of user identification and authentication.

In role-based access control in a computer system, users gain access to computer system hardware resources and/or virtual machines only through their assigned roles.

Controlling access to hardware resources of a computer system and/or to virtual machines is not based on ownership of the resource, but on the fulfillment by the corresponding user of his duties (for example, processing and storing information).

Role-based access control in a computer system, considered in this technical solution, is more related to access control to operations on access objects in a computer system, and not to access control directly to access objects.

The role is performed in a specific user session and is based on a static division of responsibilities between user categories.

Consider the basic access control of access subjects to access objects in a computer system.

The basic access control of access subjects to access objects is implemented in accordance with the operation scheme of the information security system built into the typical architecture of the hardware platform of the computer system, which ensures the protection of the computer system from unauthorized access to the information shown in Figure 2.

Basic access control of access subjects to access objects in a computer system provides for the mandatory implementation of the following rules:

1. A request for access by any unidentified subject of access to any access objects is expressly prohibited.

2. Any requests for direct access between the physical hardware devices/buses of the computer system, other than devices certified for information security requirements by the government authorities of the country of use of the computer system, and virtual machines should be prohibited.

3. Access must be denied to any subjects of access:

- to data of IPS control;

- to images of virtual machines;

- to the parameters of virtual machines;

- to the list of hardware devices/buses of the computer system involved in information processing;

- to the list of composition of hardware devices/buses of the computer system, used to control the integrity of the hardware resources of the computer system;

- to data characterizing virtual machines and their state;

- to event logs.

Basic control of access subjects to access objects in a computer system is the basic conceptual framework for ensuring the isolation of computer system control data used by the IPS and data processed by the software installed in the computer system from the hardware devices/buses of the computer system.

The information security system creates a secure operating environment for each virtual machine using the basic access control of access subjects to access objects in a computer system.

The basic management of access subjects to access objects in a computer system is directly related to the management of the hardware configuration of the computer system, based on the list of hardware devices allowed for use in the computer system.

Let's consider access control of subjects of access to storage media.

Access control of access subjects to information storage devices in a computer system provides for:

- access control of subjects of access to information storage devices with sections, sections of information storage devices;

- access control of subjects of access to storage media without partitions.

The access control of subjects of access to information storage devices in a computer system is based on the basic scheme of functioning of the information security platform built into the typical architecture of the hardware platform, which ensures the protection of the computer system from unauthorized access to information, taking into account the fact that:

- a physical storage device acts as a physical hardware device;

- DRP, among other things, take into account\include checking additional DRPs of access subjects to access objects (for example, when accessing information storage devices, sections of information storage devices).

Let's consider access control of subjects of access (hardware devices of a computer system) to random access memory.

Access control of access subjects (hardware devices of the computer system) to RAM is based on the algorithm for protecting RAM from direct access from the hardware devices of the computer system.

The information security system provides configuration of the protection of RAM from direct access from the hardware devices of the computer system in accordance with the algorithm:

1. IPS requests and receives from the IPS hardware device a list and parameters of allowed devices of the computer system.

2. IPS forms a "white" list of devices with the possibility of direct memory access.

3. IPS receives direct memory access parameters from devices from the "white" list.

4. The information security system configures protection using the received parameters for direct access to RAM from the computer system devices from the "white" list.

The protection of the RAM of a computer system from direct access from the hardware devices of the computer system is provided by the information security system in accordance with the algorithm:

1. Physical hardware devices of a computer system (devices/clays) generate requests for direct access to RAM.

2. IPS collects (intercepts) data (parameters) contained in requests for direct access to RAM from hardware devices.

3. The information security system checks the collected (intercepted) request parameters in accordance with the access matrix (an example of an access matrix is given in the table. If the parameters contained in the request correspond to the parameters of direct memory access from devices from the "white" list, the request is allowed. Otherwise case, the request is blocked.

4. The information security system registers a request blocking event in the event log.

Consider the management of information flows.

Each virtual machine has its own secure runtime environment (virtual machines are isolated from each other). The exchange of information between virtual machines is possible only through external storage media and network interaction.

To reduce the volume of HDD in a computer system, virtual machines can use shared access of virtual machines to an information storage device with a partition (for example, HDD (HDD partition), etc.).

In this technical solution of a computer system from NSD to information implemented at the level of the hardware platform of the computer system, the following types of information flow management are provided:

- management of information flows when sharing an information storage device, a partition of an information storage device by several virtual machines;

- management of information flows in the network interaction of a computer system.

Consider the management of information flows when sharing an information storage device with several virtual machines.

Information flow management when sharing an information storage device (for example, HDD, etc.) by several virtual machines is based on the SZI mechanisms that provide the ability to use an information storage device (for example, HDD, etc.) by several virtual machines simultaneously (for example, a system partition with installed OS). SZI ensures the immutability of the shared storage drive (for example, HDD (HDD partition), etc.) by providing virtual machines with access to the shared storage drive in read-only mode.

The exchange of information between virtual machines by means of external storage media is carried out in the mode of sequential use of the external storage media by virtual machines. Only one virtual machine can interact with an external storage device. In the case when an external storage device is already used by a virtual machine, it becomes unavailable for interaction with other virtual machines. To interact with an external storage device with another virtual machine, it must be extracted from the first one (for example, the first virtual machine must be turned off). Access control to / from external storage media refers to access control to devices and was discussed above.

Consider the management of information flows in the network interaction of a computer system.

The management of information flows during network interaction of a computer system is based on the mechanisms of the information security system that provide filtering of network traffic.

The IMS performs network traffic filtering for each network interaction protocol both for requests coming from a virtual machine (outgoing requests) and for requests coming from a physical network card (incoming requests).

Information flow management during network interaction of a computer system is based on the basic operation scheme of the information security tool (ISP) built into the typical architecture of the hardware platform, which ensures the protection of the computer system from unauthorized access to information, taking into account the fact that:

- a physical network card acts as a physical hardware device;

- access control rules, among other things, take into account\include checking:

the type of request received from the virtual machine, for its compliance with the access control rules established for the OSI model layers (for example, channel, network and transport) and / or for their corresponding protocols (for example, Ethernet, IPv4, ICMP, TCP, UDP);

data contained in the request of the virtual machine, for their compliance with the access attributes (application of filtering rules) established by the information security facility;

etc.

The information security system filters network traffic for each network interaction protocol in accordance with access matrices both for requests coming from a virtual machine (outgoing requests) and for requests coming from a physical network card (incoming requests).

If there is one virtual machine in the computer system, it is allowed to disable network traffic filtering in the IPS, if network traffic filtering is provided by a hardware router and/or firewall installed behind the computer system.

If there are several virtual machines in a computer system, the IPS provides filtering of network traffic between virtual machines.

Table 1 shows an example of the composition of the computing resources of a computer system (taking into account the virtual computing resources created by the information security system) and the parameters that characterize each computing resource of the computer system.

At the same time, the composition and parameters of virtual resources created by the information security facility differ from the composition and parameters of the physical hardware devices of the computer system in order to:

- guaranteed detection of unauthorized requests from a virtual machine for access to physical hardware devices of a computer system, including hardware platform devices (buses and devices);

- ensuring the impossibility of exploiting the vulnerabilities of the computer system devices for any software running inside the virtual machine.

Configuration management

Consider managing the hardware configuration of a computer system at startup of the computer system.

When a computer system is started, the information security system provides hardware configuration management in the following sequence: the collection of data on the actual composition of all hardware devices of the computer system, as well as the parameters of their functioning, is carried out by means of requests to buses (for example, PCI / PCI Express, USB, SATA, etc. .). Based on the collected data, a list of connected devices and their parameters is compiled. Device operation parameters are selected based on the type of devices.

An example of a list of detected hardware devices of a computer system and their parameters is given in Table 2.

The collection of data on the actual composition of all hardware devices of the computer system, as well as the parameters of their functioning, is carried out every time the computer system is started.

The IPS compares the collected data with similar data previously stored in the IPS control data and performing (in terms of device operation parameters) the role of security attributes. If a discrepancy is found between the composition of hardware devices and / or the parameters of the functioning of devices with the control data of the information protection system, the loading of the information protection system is provided only in the maintenance mode.

The control of the composition and functioning parameters of the hardware devices of the computer system is carried out for each type of device and each parameter of the functioning of devices (an example of a list for a computer system is given earlier in Table 2, and in accordance with the matrix that establishes the rules for checking the compliance of the actual composition of all identified hardware devices of the computer system, the list of hardware devices allowed for use as part of a computer system, as well as the compliance of the parameters of detected physical hardware devices with the security attributes (allowed parameters) set for a given set of hardware devices An example of a matrix for devices connected to the PCI/PCI Express bus is given in the table 3.

The IPS initiates the installation for each role provided by the IPS of a list (list) of physical hardware devices allowed for use within this role.

The IPS receives data that authenticates the user and characterizes his role in the current session of the computer system (from the IPS hardware device) and determines the mode of operation (maintenance mode, operational mode or audit mode).

In the case of ensuring that the information security system is loaded only in the maintenance mode and the operating mode or audit mode is determined, data on the event associated with the detection of an unknown device is recorded in the event log of the information security facility with further blocking of the computer system.

In the case of ensuring the loading of the IPS only in the maintenance mode and determining the maintenance mode of the IPS, it will allow the user authenticated as a protection administrator to view the event log or configure the IPS.

In the absence of ensuring the loading of the information security system only in the maintenance mode:

- when determining the IPS maintenance mode, the IPS will allow the user, authenticated as a security administrator, to view the event log or configure the IPS;

- when determining the IPS audit mode, the IPS will allow the user authenticated as a security administrator to work with the event log;

- when determining the IPS operating mode, the IPS operates in accordance with the data that authenticates the user and characterizes his role in the current session of the computer system. Further, to ensure the operation of the computer system in the operational mode, based on the received data, the information security tool creates virtual resources of the computer system in accordance with the list of virtual devices inherent in this user role. Further, the IPS provides support for the physical hardware devices of the computer system that strictly correspond to the list of virtual resources inherent in this user role. After creating virtual resources of the computer system for the user role in the current session and providing support for physical hardware devices, the IPS creates a virtual machine in a configuration corresponding to this user role in the current session of the operating mode of operation.

Consider managing the hardware configuration of a computer system while the computer system is running.

During the operation of a computer system, the information security system provides control of the hardware configuration of the computer system according to two different schemes:

- according to a scheme based on the mechanisms for periodic verification of the composition of the hardware of a computer system and the parameters of their functioning;

- according to a scheme based on the continuous analysis of requests from the physical hardware devices of the computer system for access to the computing resources of the computer system (including those associated with the functioning of the virtual machine).

Let us consider a scheme based on the mechanisms of periodic checking of the composition of the hardware of a computer system and the parameters of their functioning.

When conducting a periodic check of the composition of the hardware of a computer system and the parameters of their functioning, the information security system performs:

- requests to buses (for example, PCI/PCI Express, USB, SATA, etc.) in order to identify devices connected to these buses and their parameters;

- determination of the composition of the detected devices and their parameters;

- obtaining a list of devices connected to the computer system in a given session of the computer system and a list of devices allowed for use as part of the computer system (white list);

- determination of the presence of changes in the composition of the detected devices and / or their parameters by comparing the relevant data, including the determination of the identified device connected in the "hot" mode, and its parameters.

In the maintenance mode, when a device is detected that is connected in a “hot” mode and is not included in the list of allowed devices for a given session of work, or provided for in the list of allowed devices for a given session, but has other operating parameters, the IPS provides the ability to configure the DTP for the detected device and save configuration changes. When the configuration is saved, a new list of devices allowed by the IPS is generated and stored in the IPS configuration data.

In the audit mode and operational mode, when a device is detected that is connected in a “hot” mode and is not included in the list of devices allowed by the IPS for a given session of work, or provided for in the list of devices allowed by the IPS for a given session, but has other operating parameters, the IPS:

- reflects the event and event data associated with the detection of a device connected in a "hot" mode in the event log;

- ensures the subsequent inclusion of the computer system only in the maintenance mode of the computer system;

- reflects the event and data about the event associated with the transfer of the information security system to the maintenance mode of the computer system in the event log;

- blocks the computer system.

In the audit mode, when a device is detected that is connected in a "hot" mode and is included in the list of devices allowed by the SIS for a given session, as well as having operating parameters allowed by the SZI, the SZI provides work with the event log.

In the operational mode, when a device is detected that is connected in a “hot” mode and is included in the list of devices allowed by the IPS for a given session of work, as well as having the parameters of operation allowed by the IPS, the IPS continues to function within the current session of the computer system in accordance with the user role. Since the support of virtual and physical devices was carried out at the start of the computer system in the current session of the operational mode, the IPS creates the corresponding virtual device in the form of a virtual resource and manages the functioning of the virtual machine in the prescribed manner.

Consider a scheme based on continuous analysis of requests from physical hardware devices of a computer system for access to the computing resources of a computer system (including those associated with the operation of a virtual machine).

When conducting continuous analysis of requests from physical hardware devices of a computer system for access to computing resources of a computer system, the information security system collects (intercepts) data (parameters) contained in requests from physical hardware devices of a computer system.

An example of well-known parameters of physical computing resources of a computer system contained in access requests from physical hardware devices of a computer system was previously given in Table 1.

Based on the collected (intercepted) data, the information security system identifies the physical hardware device of the computer system, incl. the computer system hardware platform device (bus or device) from which the request was made, and the eligibility of the request from that physical computer system hardware device.

In maintenance mode, if the IPS cannot identify the physical hardware device of the computer system and/or it is impossible for the IPS to confirm the eligibility of a request from this physical hardware device of the computer system, this request is rejected. At the same time, the IPS provides the ability to configure the TX for the detected device and save configuration changes. When the configuration is saved, a new list of devices allowed by the IPS is generated and stored in the IPS configuration data.

In the audit mode and operational mode, if the IPS cannot identify the physical hardware device of the computer system and/or the IPS cannot confirm the legitimacy of the request from this physical hardware device of the computer system, this request is rejected. At the same time, SZI:

- reflects the event and event data associated with the detection of an unknown device in the event log;

- ensures the subsequent inclusion of the computer system only in the maintenance mode of the computer system;

- reflects the event and data about the event associated with the transfer of the information security system to the maintenance mode of the computer system in the event log;

- blocks the computer system.

In the audit mode, in case of successful identification of the physical hardware device of the computer system and confirmation of the eligibility of the request from this physical hardware device of the computer system, the information security facility provides work with the event log.

In the operational mode, in case of successful identification of the physical hardware device of the computer system and confirmation of the eligibility of the request from this physical hardware device of the computer system, the IPS, using the data/parameters of the physical computing resources contained in the IPS:

- checks the data contained in the request of the physical hardware device of the computer system for compliance with the specification of the allowed information security facilities;

- converts the data contained in the request of the physical hardware device of the computer system into the data of the virtual device;

- creates the corresponding virtual device in the form of a virtual resource and provides control of the functioning of the virtual machine in the prescribed manner (support for virtual and physical devices was implemented when the computer system was started in the current session of the operational mode);

- broadcasts data/parameters of virtual computing resources to a virtual machine.

Simultaneous implementation in the information security system of two configuration management schemes provides layered protection against unauthorized changes in the hardware configuration of the computer system, from the creation of covert channels of unauthorized access, both to the computing resources of the computer system and to the software environment of the virtual machine and to user processed data subject to protection from NSD for information.

Access control

This technical solution of a computer system from NSD to information implemented at the hardware platform level provides for the following categories of users:

- category "User" - a user who performs the duties of creating, processing and storing information constituting a state secret;

- category "Security administrator" - a user who configures the information security system;

- category "Security administrator" - a user who works with the log of information security events.

Roles are assigned only to the above categories of users.

At the same time, the role profile for the "User" category is understood as a set of characteristics of the virtual machine and the rights set for the role for access to the physical hardware devices of the computer system, and their correspondence to the virtual resources available to the virtual machine.

At the same time, the role profile for the "Protection Administrator" category is understood as a set of access rights for programs for setting up a role profile for the "User" category and for processing data from the IPS event log.

At the same time, the role profile for the "Security administrator" category is understood as a set of access rights for the program for processing the data of the information security event log.

An example of a role profile for the "User" category is shown in tables 4, 5.

When assigning the characteristics of a virtual machine associated with a unique role identifier for the "User" category, their values, subsequently provided upon request of the virtual machine, must necessarily differ from the actual characteristics of the system resources of the computer system.

An example of access rights for programs that characterize the role profile for the Security Administrator category is shown in Table 6.

The Security Administrator role, by default, is denied access to any virtual machines.

An example of access rights for the program for processing the data of the event log of the information security system, characterizing the role profile for the category "Security Administrator" is given in Table 7.

The "Security Administrator" role, by default, is denied the launch of any virtual machines and access to their settings.

An example of an access matrix, in accordance with which access differentiation of access subjects to access objects is provided when implementing basic access control, is shown in Table 8.

Additional DRPs specified in the Access Matrix, in accordance with which access differentiation of access subjects to access objects is ensured when implementing basic access control, apply only to information storage devices and network adapters.

Access control of access subjects to information storage devices with partitions, sections of information storage devices is carried out in accordance with the access matrix (an example of an access matrix is presented in Table 9).

Access control of access subjects to information storage devices without partitions is carried out in accordance with the access matrix (an example of an access matrix is presented in Table 10).

An example of an access matrix, in accordance with which access control of access subjects (hardware devices of a computer system) to RAM is provided, is shown in Table 11).

Information flow management

The management of information flows during network interaction of a computer system is based on the mechanisms of the information security system that provide filtering of network traffic. An example of the levels of the OSI model, at which the IPS provides network traffic filtering, is shown in Table 12.

An example of an access matrix, according to which network traffic is filtered at the link layer of the OSI model for the Ethernet protocol, is shown in Table 13.

Claims (78)

1. A method for protecting a computer system from unauthorized access to information, implemented at the hardware platform level through virtualization mechanisms, including: preliminary preparation of the hardware platform, consisting of: neutralization of devices of the hardware platform of a computer system that are not involved in the processing, storage and transmission of information or that pose a threat to the security of information, elimination of redundancy of the executable code of the firmware code of the hardware platform, elimination of redundancy of the executable code of privileged modes of functioning of the hardware platform of the computer system and its protection from modification; trusted loading of the hardware platform of the computer system; trusted loading of the information security system; ensuring the protection of the firmware code of the hardware platform from analysis; ensuring the protection of the executable code of the information protection system from analysis; prohibition of updating the firmware code of the hardware platform, including the remote one; cleaning up memory areas containing information protection system data and virtual machines in storage devices before they are allocated or reused; cleaning areas of RAM of the hardware platform of the computer system before their allocation or reuse; implementation of the architectural features of the information security system, which consists in creating a secure environment for the operation of a virtual machine as a combination of an isolated execution environment of a virtual machine and emulated hardware resources by isolating the executable code of the information security system from the software of the computer system by setting higher authorities for it, establishing a support ban file systems used in the computer system of operating systems from the side of the executable code of the information security system, non-volatile storage and support by the hardware device of the information security system of integrity control using checksums or hashes or cryptographic values stored in the hardware device of the information security system; isolation of virtual machines; implementation of the features of information transfer between virtual machines in a computer system, which consists in the transfer of information between virtual machines in the operational mode of the information protection system only through virtual devices, while any other operations leading to direct transfer of information between virtual machines are prohibited; emulation of hardware devices of a computer system; self-testing of protection mechanisms of the information protection system; restoring a safe state of the computer system; definition of subjects and objects of access at the level of the hardware platform; processing by the information protection system of virtual machine requests for access to physical hardware devices of the computer system in the following order: the virtual machine makes a request for access to physical hardware devices based on the provided virtual resources, the information protection system collects the data or parameters contained in the request of the virtual machine, the information protection system, based on the collected data or parameters and in accordance with the rules for restricting access of access subjects to access objects, checks the eligibility of the request, if the check result is positive, the information protection system converts data or parameters of virtual computing resources into data or parameters of physical computing resources and transmits the converted request to the corresponding physical hardware device, and if the check result is negative, the request is rejected; processing by the information protection system of requests from physical hardware devices of a computer system for access to a virtual machine in the following order: the physical hardware devices of the computer system make a request for access to virtual computing resources based on the parameters of physical computing resources, the information protection system collects data or parameters in requests from physical hardware devices, the information protection system, based on the collected data and in accordance with the rules for distributing access of access subjects to access objects, checks the eligibility of the request, if the check result is positive, the information protection system converts the data or parameters of the physical computing resources of the computer system into data or parameters of virtual computing resources and transmits the converted request from the physical hardware device of the computer system to the virtual machine, and if the check result is negative, the request is rejected; computer system hardware configuration management at computer system startup, which implements: determination by the information security system of the actual composition of all hardware devices, as well as the parameters of their functioning, initial verification of the compliance of the actual composition of all hardware devices of the computer system, including peripheral devices, with the list of hardware devices permitted by the information security system for use as part of the computer system, as well as the compliance of the parameters identified in the computer system of physical hardware devices with the permitted parameters established by the information security system for a given set of hardware devices, setting for each role provided by the information protection system, a list of physical hardware devices allowed for use within this role, blocking the computer system when a hardware device is detected that is not on the list of hardware devices allowed by the information protection system to be used as part of the computer system for the roles of users and administrators, blocking the computer system if the parameters of the identified physical hardware devices do not match the allowed parameters set by the information protection system for the given composition of the computer system hardware devices for the roles of users and administrators; computer system hardware configuration management during computer system operation, providing layered protection against unauthorized changes in the computer system hardware configuration from creating covert channels of unauthorized access both to the computer system computing resources and to the virtual machine software environment and to user processed data to be protected from unauthorized access to information, and based on: periodic verification of the composition of the hardware of the computer system and the parameters of their functioning, continuous analysis of requests from the physical hardware devices of the computer system for access to the computing resources of the computer system, including those related to the functioning of the virtual machine; computer system hardware configuration management when the computer system is in maintenance mode, which implements: implementation of continuous monitoring by the information protection system of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device, support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system, maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system, the ability to change the list of hardware devices allowed for use as part of a computer system and the list of hardware devices allowed for each role provided by the information security system; managing the hardware configuration of a computer system when the computer system is operating in audit mode, which implements: implementation by the information protection system of continuous monitoring of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device, support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system, maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system, disabling hardware devices and blocking the operation of the computer system when connecting a hardware device that is not on the list of hardware devices allowed for use as part of a computer system, blocking the operation of the computer system by the information security system when changing the parameters of the functioning of hardware devices; managing the hardware configuration of a computer system when the computer system is in operational mode, which implements: implementation by the information protection system of continuous monitoring of the parameters of functioning of all hardware devices of the computer system, as well as checking the compliance of the parameters of physical devices with the allowed parameters set by the information protection system for a particular type of device, support in the management data of the information security system of the list of hardware devices allowed for use as part of a computer system, maintenance in the control data of the information security system of the list of hardware devices of the computer system allowed for each role provided by the information security system, disabling hardware devices and blocking the operation of the computer system when connecting a hardware device that is not on the list of hardware devices allowed for use as part of a computer system, blocking the operation of the computer system by the information security system when changing the parameters of the functioning of hardware devices; granting access to users to computer system resources or to virtual machines only through roles with unique identifiers assigned based on the results of user identification and authentication; an unambiguous prohibition to request access of any unidentified subject of access to any access objects, a ban on any requests for direct access between physical hardware devices or buses of a computer system, except for devices certified for information security requirements by government authorities of the country where the computer system is used, and virtual machines; configuring the protection of RAM using the information protection system from direct access from the hardware devices of the computer system, namely: receiving from the hardware device by the information protection system the list and parameters of allowed devices of the computer system, formation by the information security system of a list of devices allowed for use as part of a computer system with the possibility of direct access to memory, receipt by the information protection system of parameters of direct access to memory from devices permitted for use as part of a computer system, configuring the protection information protection system using the obtained parameters for direct access to RAM from devices allowed for use as part of a computer system; protection of the RAM of a computer system from direct access by the hardware devices of the computer system, provided by the information security system and including: generation of requests for direct access to RAM from the physical hardware devices of the computer system, collection by the information protection system of data or parameters contained in requests for direct access to RAM from hardware devices, verification by the information security system of the collected request parameters in accordance with the access matrix, if the parameters contained in the request correspond to the parameters of direct memory access from devices allowed for use as part of a computer system, resolve the request, otherwise block the request, registration by the information protection system of a request blocking event in the event log; differentiation of access to external storage media or from external storage media, including: allowing only one virtual machine to interact with an external storage device, while the external storage device becomes unavailable for interaction with other virtual machines, sequential use of an external storage device by virtual machines when exchanging information between virtual machines, providing access of several virtual machines to the shared drive of information in read-only mode; implementation by the information security system of filtering network traffic for each network interaction protocol in accordance with access matrices both for requests coming from a virtual machine and for requests coming from a physical network card, taking into account checking the type of request received from the virtual machine for its compliance with the access control rules established for the levels of the OSI / ISO network protocol stack model or for the protocols corresponding to them, as well as taking into account the verification of the data contained in the virtual machine request for their compliance with the access attributes set by the information protection system, registration of events by the information security system in all modes of operation, for each event registered in the event log, the following information is stored on the date and time of the event, the subject of access that caused the event to be registered, the type of event (when registering an event associated with access, information about object and type of access), the success of the event. 2. A device that implements a method for protecting a computer system from unauthorized access according to claim 1, including an information security system, including a controller and memory connected to a computer bus, a first type hypervisor with a startup subsystem, an access control subsystem, an administration subsystem and an event registration subsystem, implemented on the basis of one or more central processors, as well as a chipset, memory, computer tires, a hard disk drive, a solid state drive, a USB flash drive, a keyboard, a mouse, an optical disk, a network card, a video card, a monitor, a printer, a scanner, multifunction device. 3. The device according to claim. 2, characterized in that it can be made in a secure design. 4. The device according to claim 2, characterized in that PCI, PCIExpress, SMBus, USB, ATA, SATA, PS / 2, SCSI, SAS, FibreChannel, InfiniBand, I2C, SPI, FireWire, DMI can be used as computer buses , HyperTransport, Thunderbolt. 5. Device according to claim 2, characterized in that CD/DVD/Blue-ray optical discs can be used in the device.

Images