SE523953C2 - Security critical activity data processing system for mailing services, includes switches which denies computer processor access to and from resources, based on information contained in switch - Google Patents

Abstract

Switches (60) are activated by a signal from a security device (50), in response to a call from a computer processor (52) or from handling devices (20,28-38). Based on information in the switches, the switches enables security device access to and from resources and denies the computer processor access to and from resources (14,42). The switches controls requests from the computer processor to the resources or resource ranges depending on the information contained in the switch.

Description

25 30. ,. - .- 523 953 .. -i-u available network, which is open to all intruders. Such firewalls filter the communication between the local network and the outside world by only allowing certain selected services to pass through. If other services are requested, passage through the firewall will only be possible if a valid password is provided.

The communication then reaches either a personal computer or a server within the local network. This security measure will of course increase security but will still not guarantee that the security-critical measures are carried out in the manner intended by the user.

Vulnerabilities in the implementation of the permitted, unfiltered, services may allow an intruder to invade the personal computer.

Another possible security measure is to introduce security mechanisms in the operating system, such as requiring passwords for access to certain services.

The main reason why the above mentioned security mechanisms are not completely secure is that they are software based. Since software always contains bugs, they can be corrupted, and can therefore be compromised through exploited security holes, malicious codes, resident Trojan horses and other software. Software-based security solutions are also too fragile, ie if the security of the operating system is compromised, all data and all applications performed by it will also be compromised.

Another but similar approach to increasing the security of the operating system is to build so-called multi-level security systems (Multi level security MLS). Such systems label objects according to a security classification code and define rules for how information is allowed to leak through the system. This classification of different security levels and the record keeping of which users have access to different security levels and objects is very time consuming to maintain. In addition, conventional personal computer applications are not compatible with the MLS operating system, and not all applications. ø ~ - - ~ 10 15 20 25 30 523 953 u. .nu must be tailored for the MLS system. This is of course very costly.

A method for performing or executing security-critical activities in a computer is described in WO 98/19243 with the same inventors as for the present invention, which document is hereby incorporated by reference. The system comprises a security device to be connected to the communication means of a personal computer, such as a serial port or the PCI bus. The security device includes a processor, memory and cryptocurrency. Some selected IO devices of the computer, such as the screen, keyboard, mouse and card reader, are provided with switches and crypto devices.

During normal operation (normal mode), the security device is not active and the computer operates normally. The presence of the security device and the switching and crypto means are transparent to the computer.

When a security-critical activity is initiated by a signal from the computer's processor, the computer switches to safe processing mode.

The security device takes control of the selected user IO devices through the switching and cryptographic means and shuts down the computer's processor from access. The execution of the safety-critical activity is transferred to the safety device and executed with the appropriate intervention of the user. Data is protected from the computer's processor during transmission between the security device and the user's IO devices.

The security device must be designed so that the execution of the security-critical activity can be performed safely without any possibility for the computer processor to compromise the execution. The system described above fulfills this by having a separate processor, separate program memory, separate data memory and fl your other devices and control means separate. . . -. »- 10 15 20 25 30 523 953 Unfortunately, this is an expensive solution, as so many functional circuits need to be duplicated. It would be preferable if, for example, access to parts of the existing PC memory could be allocated for the security device. This would be a great cost saving, as suitable memory circuits are usually only provided in large sizes. This would also allow flexibility, as the security device could allocate as much memory from the large PC memory required for the security activity.

There are fl your other resources in a PC that could be separated from the PC's normal control and use, for protected use of the security device; devices on specific slots on the PCI bus or ISA bus, entire storage devices or sectors on storage devices on an IDE bus, logic devices on a USB bus.

It is important for the security of the security device to minimize the number of hardware mechanisms that both the computer processor and the security device can control, as unexpected and dangerous interactions can be performed by the computer processor. On the other hand, we can clearly see the cost advantages that arise through the possibility of protected use for the security device of existing PC resources. The presence of the security device would also cause minimal changes in the normal mode of the computer, for compatibility reasons.

SUMMARY OF THE INVENTION The object of the invention is to provide a system for performing safety-critical activities in a safe manner according to the method described above in a cost-effective manner by utilizing many of the memory means and IO devices present in a personal computer. ». . . ._ 10 15 20 25 30. u -. According to one aspect of the invention, this is achieved by a system according to the preamble, comprising a safety device comprising a processor and signal generators, a number of control means, hereinafter referred to as switches, with signal receivers arranged between the safety device and the preselected ones. the resources, that the switches contain information regarding availability to and from the resources, or parts of the resources, hereinafter referred to as resource areas, the switch checking the request from the computer processor to the resource or resource area depending on the information contained in the switch, and wherein, in response to a call from the processor of the computer or the handling devices, the switches are activated by receiving a signal from the security device, which enables access of the security device to and from the resources or resource areas selected by the security device, and denies access of the computer processor to and from the resources or resource areas alts of the safety device.

According to a further aspect of the invention, this is characterized in that the information contained in the switches controls other possible processors arranged in, or connected to, the computer.

According to a further aspect of the invention, this is characterized in that the safety device comprises a signal generator, wherein, when a switch receives a signal, the safety device is able to change the information content of that switch.

According to another aspect of the invention, it is characterized in that the information in the switch enables the switch to control certain parts of the memory means allocated to be available only to the safety device and in that the information in the switch enables the switch to check that certain resources are available to the computer processor. when it is not in the safe handling mode, and only 10 15 20 25 30 -. ø. n. 523 953 available for the safety device when it is in the safe handling mode.

According to a further aspect of the invention, this is characterized in that the gears are hardware gears.

The advantage of the system according to the invention is that security-critical activities can be performed safely and to utilize existing memory and device means which already exist in the computer. By arranging the switches at certain positions, such as connection points to different resources, the fact that the switches contain information regarding availability from the processors in different situations, and by checking the switches using the safety device, the safety device has full control over the computer when performing a safety critical activity . At the same time, the switches allow the computer's processor to have access to certain resources that the safety device does not use.

The safety device can select the appropriate resources, for example only activate the switches that belong to the resources needed for the current operation. The control of the resources by means of the switches enables a configuration where certain memory areas are allocated only to the security device, thereby ensuring that no compromised data can ever reach the security system.

The safety device is also able to change the information contained in the switches depending on the activities to be performed, which provides a greater degree of fl flexibility.

By using hardware switches, the security system can be built in "from the beginning", ie largely integrated into the computer's hardware such as the bridges. All in all, a cost-effective and secure system is achieved with the present invention. 10 15 20 25 30. 523 953 These and other aspects of, and advantages of, the present invention will become apparent from the detailed description of an embodiment and from the claims.

BRIEF DESCRIPTION OF THE DRAWING FIGURES In the following description of an example of an embodiment, reference will be made to the accompanying drawings, in which Fig. 1 shows a block diagram of the architecture of a pentium computer; Fig. 2 shows the configuration of a gear unit included in the system according to the invention, Fig. 3 shows an example of memory management of a main memory in a computer according to the invention, Fig. 4 shows an example of handling of a PCI bus according to the invention, and Fig. 5 shows an example of handling of a USB bus. bus according to the invention.

DETAILED DESCRIPTION OF EMBODIMENTS In Fig. 1, the reference numeral 10 denotes a processor unit.

The processor unit is equipped with an internal cache in a conventional manner. In this regard, it should be noted that even if a processor unit is shown in Fig. 1, a number of processors can operate in parallel.

The processor unit is signal-connected to a Host bus 12. A Host / PCI bridge 14 is connected to the Host bus, in some applications referred to as North Bridge. In some applications, this can be divided into two bridges, referred to as the compatibility and auxiliary bridges. In this respect, the bridges act as an intermediary in the communication between the devices on different buses and the processor. To the Host / PCI bridge is a main DRAM 16 (Dynamic Random Access Memory) connected for temporary read / write instructions to and from the processor unit. The memory is also connected to, and. . . . n. 10 15 20 25 30. . - - .n u. n .. 523 953 is controlled by, two data paths 17, which in turn are connected to the Host / PCI bridge and the Host bus.

An AGP connection 18 (Advanced Graphics Port) is arranged between the Host / PCI bridge and a screen controller and a monitor 20.

A PCI bus 22 is connected to the Host / PCI bridge and to the PCI bus an E / ISA bridge 24 is connected, in some applications referred to as South bridge. A number of different buses can be connected to the E / lSA bridge. Fig. 1 shows the ISA bus 26 to which a number of card slots 28 are connected, which card slots can be used for sound cards, network cards and the like; The USB bus 30 to which, for example, keyboard 32, floppy drive 34, mouse 36 and card reader 38 are connected; The IDE bus 40 to which, for example, hard disks 42 are connected, and the X bus 44. In the case of a multiprocessor system, i.e. with more than one processor, a bus is also arranged between the E / ISA bridge and the processor unit, the APIC bus ( Advanced Programmable Interrupt Controller).

The function of the APIC bus is to interrupt requests from IO devices to the processors.

A safety device 50 is connected to the PCI bus.

The security device includes a processor 54 capable of executing certain commands, which will be described in detail below. A ROM 54 is connected to the processor. The safety device is further provided with signal generators SGA and SGpM, the function of which will be explained below. At certain positions, control means, hereinafter referred to as switches 60, are arranged in the computer hardware. According to the invention, a switch is arranged at the connection point for the main memory to the l-Iost / PCI bridge. Other switches may be provided at the connection point between the bridges and the buses and / or various devices of the computer such as the graphics card, the keyboard, the hard disk and the like. Conveniently, the switches connected to different buses can be integrated in the bridges. For example, for a hard drive connected to. . . . -. 10 15 20 25 30. . . . .n 523 953 IDE bus, the switch is arranged on the E / ISA bridge at the connection of the bus.

Fig. 2 shows an example of a gear unit incorporated in a system. A switch 60 is connected to the address and operation lines ADR, OP of a bus. The ADR and OP lines are further connected to a "rectifier" 68.

The switch is further arranged with a number of signal receivers SRA (change, alter), SRpM (source, source) and SRpM (protection mode).

The operation of the rectifier and signal receivers will be described below. An enable / cancel line 66 is arranged between the switch and the rectifier 68. The rectifier is further connected to different resources or resource areas 74. In this respect it is to be understood that the word resources refers to devices such as the hard disk, keyboard and the like. of a memory.

The exchange contains a table T with addresses of the various resources and a comparator C whose function will be described below. The table also contains information regarding access to the various resources.

As an example, the resource can be a memory. If the computer is running in normal mode, the computer's processor is active and the processor of the safety device is passive, which is sensed by the switch via the signal receiver SRS which receives a source signal. When the computer's processor requests access to the memory, the addresses of the exchange are checked and the sources of the request are compared with the source signal by the comparator C. There are then two scenarios regarding the access. Either only a part of the memory area, a resource area, is allocated to the security device, as specified in Table T, the switch then denies the computer processor access to these areas, or the computer processor may have access if it is in normal mode. Depending on the request from the computer processor and the availability provided by the switch, data and operation signals are directed to and from the requested resource or denied completely. 10 15 20 25 30. . . If a safety-critical activity is requested, and the safety device requests that the system enter a safe processing mode, a signal of the safety device is sent from the signal generator SGPM to the safe mode signal receiver SRPM of the exchange. Depending on the information in the switch, the access of the computer's processor to the resources controlled by the switch can be further reduced when entering the secure processing method. These resources will then only be available to the safety device processor, according to the information in the switch. The switch, in the embodiment shown in Fig. 2, checks the availability of the various resources 74 with the rectifier 68 depending on the request via the enable / cancel line 66. In some cases, the unit requesting an operation denied by the switch needs to know that access was denied.

Therefore, a line 67 is connected between the enable / cancel line 66 and the operation lines to provide information which is sent back to the unit.

Depending on the safety-critical activity to be performed, the contents of Table T of the gear may need to be changed. It can either be that the security device does not need a certain resource for the activity and can allow the computer processor to use it, or deny the computer processor access to a resource. In this case, a signal is sent from an Alter Signal Generator SGA of the safety device to the Alter Signal Receiver SRA of the respective exchange, together with addresses, operations and data. It is to be understood that only the safety device is capable of changing the contents of the gear unit in this way.

An example of memory access is shown in Fig. 3. Here, a switch is connected to the RAM controller function block 80. If it is in normal mode, the switch operates according to the contents of the table to allow the security device processor access to the memory area allocated only to the security device while the rest of the memory area is available for the computer processor. Some memory area that is 10 15 20 25 30 »-. - .u »n ..- 525 953 ll available in normal mode for the computer processor can be allocated only to the security device processor in safe mode. The switch handles memory requests from different sources SC and allows or denies access according to the mode and the source. Unlike the switch according to Fig. 2, no rectifier is needed as there is only one source, DRAM, and the switch enables or interrupts access via lines 66.

The same main operation as described above can be obtained with other types of resources such as the screen controller. In normal mode, the computer's processor has full access to the screen controller, but can be denied access completely in safe mode, to ensure that only "secure" data is displayed on the screen.

In the example shown in Fig. 2, the switch is activated by physically separate signals from SGpM and SGA to SRPM and SRA, respectively, which can be obtained easily with multi-line buses. However, physically separate signals via wires do not need to be propagated between different bus types through controllers such as North and South bridges. These controllers may also need to translate the signal between different formats for different buses or packet formats. The controllers / translators are preferably arranged at the connection point between the PCI bus and the North and South bridges, respectively. It should also be understood that they can be arranged in the gears.

Figure 4 shows an example of a switch controlling the PCI bus 22. In this case, the switch is part of the function controller 82 of the PCI controller.

The switch is not located between the requesting source and the resource.

Instead, it "monitors" the PCI bus. If, according to the contents of the exchange, a request for access to a resource is requested by a source, which is not allowed, the exchange generates an "illegal" signal via line 84 to the bus, thereby denying access to this resource. In the same way as above, signals are sent by the safety device to the gear unit to enter a protection mode or to change the contents of the gear unit table. 10 15 20 25 30 ». ». .u vo "523 953 12 Some devices that the security device wants to control in protection mode may be connected to serial buses, such as keyboards, mice, card readers, and the like. In these cases, depending on how the information is transmitted on the bus, the signals from the security device may be transmitted together If the information is sent in packets containing address, operation and data, part of the packet contains the signals to the exchange.

If, on the other hand, the information is divided into smaller packets "sub-packets", i.e. a packet contains addresses, a packet contains data, and so on, a packet contains the signals to the exchange.

Figure 5 shows the correct example of a switch 60 that controls a USB bus. Here, the switch is located between the USB request and control function block 90. Depending on the request from different sources, and the contents of the switch and the mode, the switch may allow access or send an interrupt request back to the source.

A further alternative is that a switch is arranged at the connection between, for example, the E / ISA bridge and the serial bus and which works in the manner described above. In this way, only one gear is required to control and enable / disable access to a number of devices on the bus, depending on the information in the gear.

The switches may also contain cryptographic means for encrypting and decrypting data from and to various devices and the security device processor. We will not further discuss the case of communication between the security device and a device protected by crypto organs. Reference is made to WO 98/19243 for more information regarding this.

During normal operation, the main processor has access to and communicates with most devices and memories of the computer via various buses and bridges, ie normal mode. Under normal 10 15 20 25 30 ~ - -. .- 523 953 13 operation, controls and denies the switches access to the resources allocated only to the safety device, as specified in the switches.

When a safety-critical activity is requested, which may have been initiated by the processor or an IO device, the safety device is activated.

Depending on the type of security-critical activity, certain information and programs are transferred from the security device's ROM to its processor to perform certain tasks before the security-critical activity begins, that is, to put the computer in a secure processing mode.

Signals from SGPM are then generated to the switches that are affected by the current safety-critical activity.

An example is if the safety-critical activity requires temporary memory space, a PM signal is sent by the processor of the safety device to the switch arranged at the connection to the main memory. To ensure that the information written and read in the main memory during the safety-critical activity is compromised, a certain part of the main memory can be allocated only to the processor of the safety device.

A further example is whether the safety device requires a large program or large volumes of information to perform a safety-critical activity. In this case, a switch in connection with, for example, the IDE bus can be activated. As with the main memory, some areas of the hard disk may be allocated only to the security device. This action ensures that only the security device can access and deliver data from and to this area on the hard disk, which ensures that the information cannot be compromised.

According to the invention, switches can be built in at suitable locations and for various devices, internal as well as IO devices. The function of 10 15 20 25 30. - ~ - .n 523 953 -. n.- 14 the switch can be different types depending on the type of device and its function, such as access only of the security device, access only of the computer processor or access of the security device if the computer is in safe processing mode.

It should be noted that although the computer processor has been mentioned above as the primary source for requesting various sources, apart from the security device, there may be other processors in a modern computer as the design tends to become more and more distributed. For example, there may be PCI cards that contain processors that are capable of writing / reading to any part of the memory.

In addition, the processor unit of the computer may contain more than one processor, it being important that a switch is provided at the connection between the APIC bus and the Host / PCI bridge, as the APIC bus handles many interrupt requests.

It is therefore important that the security device is able to control sources other than the computer processor to prevent an attacker from bypassing the security system by changing the contents of the PCI card operating system. A function of the security device can be a plug-and-play function, i.e. the security device looks up and identifies all sources connected to the computer in order to be able to control them. In this way, a distributed MMU-like function is obtained, which gives a greater robustness against safety loopholes. However, writing of information to the switches should always be able to be performed only by the processor of the safety device, and the allocation request of resources must be sent to the processor of the safety device for approval.

In this regard, it should be noted that the information contained in the various exchanges, such as addresses and availability for which processor and in which situations, are arranged depending on the actual resources - which the exchange in question controls. It should also be noted that. . . . _. 10 15. . . - u »523 953 a. an: 15 the safety device activates different switches to different resources depending on the actual safety-critical activity to be performed.

It is clear that interrupt signals generated by allocated resources are returned by the switch to the processor of the safety device. Support functions such as DMA functions and timers are handled in a similar way and their operation must in some cases be controlled by a switch function to prevent them from being used illegally by the computer processor. These problems are well known to a person skilled in the art.

It should also be noted that the configuration of the computer described and shown is only an example. There can be a variety of other configurations and arrangements with the same function. In this regard, it is to be understood that the bridges may be one and the same bridge, that the computer may or may not have all the different buses described, that the screen controller may be connected to the AGP, ISA or PCI bus, that the keyboard, floppy drive, and the mouse can be connected to other buses such as USB. . . . . _.

Claims (6)

70 15 20 25 30 i 523 953. . . . . . Q -. . .a 15 Patent claims A system for data processing a security-critical action in a secure processing mode in a computer, which computer comprises a processor (10), handling devices (20,28-38), memory storage means (14,42), hereinafter referred to as resources; that the system comprises a safety device (50) comprising a processor (52) and signal generators (SGW, SGA), a number of control means, hereinafter referred to as switches (60), with signal receivers (SRK SRW) arranged respectively between the safety device and default resources, that the switches contain information regarding availability hereinafter to and from the resources, or parts of the resources, called resource areas, characterized in that the switches control the request from the computer processor to the resources or resource areas depending on information contained in the switch, and in response to a call from the computer processor or handling devices, the switches are activated (SGPM) by receiving a signal from the safety device, giving the safety device access to and from the resources or resource areas selected by the safety device. device and denies the computer processor access to and from the resources or resource areas selected by the security ets that the signal (SGW) device can only be generated by the safety device and that the safety device comprises a signal generator (SGA), whereby, when a switch receives a signal (SGA), together with new information (addresses, operation , data), the security device is capable of changing the content of the information in that exchange. 2. System. according to claim 1, characterized in that the information contained in the switches controls access to: patranor \ docs \ docwork \ new patent claims doc, 2003-12-18 70 15 20 .nu u. ... aao: ° '.:' . . ... . .- a v -. - s a - v I .aa u n - I u ß '0 ° _,. . . a. a - q, ... . u a »- - ~ -. n to resources for request from other possible processors, which are arranged in, or connected to, the computer. k ä n n e t e c k n a t of att (SRS) The system of claim 1, the switches comprising a signal receiver with which they can detect which source is operating the computer, and that the switch compares this with the resource sonl requesting access to a resource or resource area controlled by the switch, and depending on the information in switch, enables or denies access to that resource. of that 4. System. according to claim 1, the information in the switch enables the switch to control certain areas of the memory means which are only allocated to be accessible to the processor of the safety device. System according to claim 1, characterized in that the information in the switch enables the switch to check that certain resources are available to the computer processor when it is not in safe processing mode, and only available to the safety device when it is in safe processing mode. System according to claim 1, characterized in that the switches are hardware switches. p: \ patranor \ docs \ docwork \ nya patentkravdoc, 2003-12-18