WO1990013864A1

WO1990013864A1 - Improved security for machine-writeable data storage systems

Info

Publication number: WO1990013864A1
Application number: PCT/GB1990/000666
Authority: WO
Inventors: Christopher William Cowsley
Original assignee: Christopher William Cowsley
Priority date: 1989-04-28
Filing date: 1990-04-30
Publication date: 1990-11-15
Also published as: GB9009640D0; EP0470163A1; GB2230881A

Abstract

Data storage apparatus includes at least three access security levels and switching means for selectively connecting a user to said apparatus at a pre-determined one of said access security levels.

Description

IMPROVED SECURITY FOR MACHINE-WRITEABLE DATA STORAGE SYSTEMS This invention relates to data storage systems and, in particular to arrangements for inhibiting the vulnerability of serial storage devices to virus programs.

Serial data storage devices are those, which present their output as a serial stream of data, or as a parallel set of serial streams. They are characterised by the fact that for any particular set of stored data, there is a natural 'next' set of data.

Such devices are typified by magnetic disc storage units, which typically present their data as a set of parallel bit streams. Most current disc devices select one of these streams at a time. Each stream comprises a cycle of data bits within which a format or pattern serves to identify the user's stored data bits.

Another form of serial storage is typified by a magnetic tape, where the several bit streams are all selected at once, to present a stream of parallel bit patterns. Within the stream, a pattern or format again serves to identify the user's stored data bits.

The formatting arrangements are implemented using two concepts. The first is the concept of a finite block of data.

A block is identified by particular bit patterns, gaps, or other characteristics which denote the start of a block. The second concept is that of 'next'. In the conventional disc storage device, for instance, an identification block is used to 'label' the next block, which is a data block. This technique is used to fix the position of data blocks on the magnetic surface, so that they can be overwritten with new data if necessary without the danger of timing errors accumulating, causing the block to wander outside of its allotted area and corrupt adjacent blocks. A series of alternate identification and data blocks is first written in a process known as 'formatting'. Thereafter, only the data blocks are overwritten. The time allowed between blocks is designed to be generous enough to ensure that when a data block is rewritten, it will never stray over either of the adjacent identification blocks. The identification blocks usually include an explicit address assigned to the following data block, and are referred to as 'address' blocks.

Virus programs are alien programs which are sometimes introduced into a computer to interfere with its proper operation. Current computer designs have inherited features from earlier generations of computer, which promote the development of virus programs. Whilst this problem has been addressed as a software issue, the very existence of the problem can be attributed to shortcomings in hardware design.

Most of the obvious options for combating virus programs depend on the users unfailing observance of onerous or even impossible disciplines, or on software 'antidotes' which become available only after an 'infection' has been discovered. Computer systems can be made 'virus' proof, but only at the expense of commercial flexibility, and user flexibility. It is the ability to enhance a computer system by simply Issuing new software which also enables a mischievous programmer to modify the system by including illicit self propagating code in an otherwise legitimate program.

This invention finds particular application to non-volatile storage systems. It offers the designers and users of a computer system the facilities needed to prevent unauthorised access to stored data, whilst permitting authorised access on the same storage device or medium. The security provisions which can be established are potentially invisible to any program - except in so far as a program might be able to detect that something which should have been done has been prevented by the security system. In combination with, for example, an audible warning of the intervention of the security system, these improvements ensure that a virus program which attempts to propagate Itself within the non-volatile storage area of a user's system will be unaware of any impediment to doing so, until it has revealed itself in the attempt. By protecting the data storage rather than an individual computer, these measures also address the propagation route from one system to another - which is usually through shared access to one or more storage elements - for example the floppy discs used to distribute software and data. The intimate level of integration between computer design, operating software, and storage systems means that the changes which conceptually relate to the storage system, generate consequential changes to the other elements of a computer system. There is a very blurred distinction in some cases between what is the computer, and what is the storage device. This invention is applicable to storage systems in the widest interpretation; it relates also to the design of computers which incorporate some storage elements in addition to those which may be an intimate part of an attached or attachable storage device.

This invention finds particular application to any serial storage device where there 1s provision to rewrite some elements of data within a data stream without rewriting the whole stream. It makes use of information included within the data stream for formatting purposes, and provides for additional information to be included within the format pattern, to identify a security level for the following block of data.

It permits a security check to be implemented in the time interval between a target block being identified, and it being read or overwritten. On its own, this would be a trivial objective, but this invention implements it in such a way that the security status can not only be recognised, but can also be changed within the same time interval. This enables an effective security system to be implemented without any significant impact on the performance of the storage device.

The method proposed here has the advantage that it does not need further security blocks between an identifying block and its data block. Any such blocks would carry a storage capacity penalty, since they would need their own formatting information. According to the present invention there is provided data storage apparatus having at least three access security levels and switching means for selectively connecting a user to said apparatus at a pre-deter ined one of said access security levels. There are several forms of machine-writeable storage media currently available, including (but not limited to) magnetic tape, magnetic discs, and semiconductor storage devices. These storage media are used as part of more complex systems, which may (but need not) be computer systems. Nearly all of the current forms are fitted with security devices which can be set so that the stored information can be read, but not not written to. These devices are used to protect valuable information from loss or corruption due to software or hardware failures elsewhere in the system, or due to accidental user error.

Some forms of media are designed to present alternative sections of the medium to the system - for instance, cassette tapes and some floppy discs can present one of two 'sides' to the system. In such cases, each section of the medium has its own security device. Once the medium has been loaded onto the system, only the chosen section and its security device are available to the system. The alternative section(s) are not loaded, in the sense that the system has no access to them. Other forms (such as double sided floppy disks) can be loaded in one way only, and further forms (such as hard disks, and battery powered memory) are available in a permanent form, and cannot readily be unloaded.

The security devices currently available signal one of two states to the system. Either the whole of the medium loaded is available for 'read only' access but cannot be updated, or it is all available to be read and over-written as the system may require. Thus, if a data file on the storage medium is to be updated, the existing security device must be set to permit this write operation. This means that, for instance, programs loaded on the same medium are unprotected against any accidental or malicious corruption attempted through the system. This security loophole is typical of the shortcomings of a security device capable of indicating only two states. It can be exploited by a malicious 'virus' program to spread copies of itself.

The invention envisages the use of devices which provide further security states in addition to the two traditional

'write permit' and 'write protect' states. In these further states, the ability to read or write may be selectively limited, so that for instance, program information may be protected whilst data files are being updated on the same medium. As with the current 'Write Protect' provisions, this protection is not implemented by software controls which are vulnerable to virus attack. They are implemented by hardware, and are under the direct control of the user.

The invention provides the user with a switch which allows him to select different security states, including at least one state other than the read-only and full read-write states currently available. It may allow the user to readily switch between at least two of these states. The states may, for instance, be designated 'Write Protect', 'Normal Access', and

^•Privileged Access', where the first and last two states are the same as the conventional Write Protect/Write Permit states, and the third state affords protection against program corruption and 'virus' infection whilst files are being updated during day to day use of the computer. In this example, the user may wish to switch readily from the Normal to Privileged state, whilst the 'Write Protect' state may perhaps be made semi-permanent for use when material goes into archive store. One embodiment of such a device is the extension of the two-position slide switch currently fitted to 3.5" floppy discs, so that it becomes a 3-position switch, occluding an extension to the existing aperture when the slider is in the new third position. A second way would be the fitting of a multi-position hand operated switch to a hard disc storage unit.

A third might be the provision of a switch as part of a computer system, so that hard disc units and floppy disc units were all under the control of the same switch. In this case, the switch might, to advantage, be incorporated into an on-off switch, or so interlocked with the computer's on-off switch or other initialising processes that the user is prevented from proceeding directly from one task to another where this could jeopardise the security of the system.

The operative part of the invention includes a security circuit which controls and modifies the data flow associated with a storage device, or a family of storage devices such as a set of floppy discs. The circuit accepts an input from the switch associated with its storage devices, or a signal from a remote sensor which relays the state of the switch. (Such a sensor might be an extension to the sensor fitted on floppy discs, extended so that three states instead of two are relayed). It includes provision to prohibit, allow or modify the operation of the storage device in response to its normal commands. The action taken by this circuit may depend on any or all of the setting of the switch, the command, and the nature of any data which is the subject of the command. This operative part of the invention may include an alarm or other provision for alerting the user when the security circuit intervenes in selected ways - for instance when it prohibits a transfer of data. If it does not itself include an alarm, it may provide a signal to an alarm provided elsewhere.

The security circuit is capable of preventing any attempt to read or write data, on the basis of the state signalled by the sensor, and any other information available to it. For instance, when the sensor signals a 'Write Protect' setting, the circuit might prevent all write operations. And when a 'Privileged Access' is signalled it might permit all write operations. But when 'Normal Access' is signalled it might prevent write operations to certain storage addresses, or to storage elements associated with certain markers on the medium, or to storage elements which it has identified and recorded in the course of earlier write operations, or to storage elements which were not written in 'Privilege' or 'Normal' mode. Any or all of these or other criteria may or may not be used singly or in combination to determine whether a write operation is to be permitted or prevented. Similarly, combinations of these or other criteria may determine whether a read operation is allowed to proceed.

More than one 'Normal Access' state may be provided for, each with its own rule for determining which operations are to be permitted, and which to be prevented. This gives the system designer the means of implementing very flexible security systems. For instance the user may be offered 'Normal Data' mode and 'Normal Program' mode, with the intention that his day to day work is conducted in 'Normal Data' mode. In this mode, the security circuit might prevent any attempt to change Information stored earlier in 'Normal Program' mode. The user would be expected to use 'Normal Program' mode to store his programs.

The security circuit and alarm if fitted, may to advantage be so arranged that it (or they) cannot be disabled, disguised, hidden or otherwise influenced by any automatic or programmable facility within the system, except to the extent (if any) which may be implied by a particular state set by the user. Further security advantage is gained if the security state set by the user is not signalled to any part of the system other than the security circuit. There is thus no possibility of a malicious programmer, for example, writing a program which determines in advance whether or not an attempt to corrupt stored information is likely to succeed.

The invention will now be particularly described with reference to the accompanying drawings, in which:- Figure 1 is a block diagram schematically showing an interlock circuit, Figures 2 to 4

Figure 3: Storage device with security input-output provision Figure 4: Security Control logic

Figure 5: Enhanced communications link Figure 6: Circuit generating 'Protected Operation' signal Figure 7: Redefinable Security Control logic Figure 8: Completed security design Figure 9: A software based implementation

Embodiments of the invention are presented here using the example of a small computer system which needs protection against computer virus programs. The first example is a simple switch fitted to a computer which includes a hard disc. These discs are usually supplied without any form of security protection, since they are an Integral and permanent resource of the system, to be read and written to under the absolute control of the machine operating system. As a result, if the information is Infiltrated by a virus program, the machine must always be considered to be at risk from the virus. A simple switch which prevents any data being read from the hard disc, in conjunction with an operating system which can tolerate this situation, and take its initial data from a different (exchangeable) medium, allows a user to establish an operating mode from which any resident virus has been totally barred. It may be of advantage in this situation to allow the computer to write data to the disc, even though reading may be prohibited. Such a switch and an associated interlock circuit could be retro-fitted very easily to most hard disk storage units.

A further extension would be the provision of a switch to prevent modification of the storage area used for the sensitive initial data. A second example would be the extension of the current Write Protect/Write Permit system on a floppy disk based system to a four-way Write Protect/Write Data/Write Program/Privilege Access system. In such a system, each block of storage would be associated with an address as at present, and a new item - an access qualifier may also be present. With the switch indicating 'Write Protect', all write operations would be inhibited. With the switch indicating 'Write Data', write operations would be allowed unless the access qualifier indicated a PROGRAM block was to be written to. With the switch indicating 'Write Program', write operations would be restricted to PROGRAM or DATA blocks, with any DATA blocks rewritten being given the status of PROGRAM blocks. With the switch indicating 'Privilege Access' all write operations including reformatting the disc would be permitted, and any 'PROGRAM' blocks rewritten would revert to 'DATA' block status. The storage protocols used on many floppy disk systems allow a security circuit of the form outlined below,to achieve this in a form which can be readily fitted to many computers of this type. If the system were required to work with security switches fitted to exchangeable media, the media would need slight modification, but would remain compatible with existing computer systems. The computer system would, however, need drive units fitted with a new sensor device, capable of distinguishing the various security states.

The operating system software would need special provisions to take advantage of the new facilities, and to respond in a suitable way when the security system intervened. For instance filing structures would have to obey certain disciplines. Data would be stored in blocks designated 'DATA', User Programs would be stored in blocks designated 'PROGRAM'.

In operation, when the switch indicates 'Privilege Access' the system has unrestricted freedom to modify any storage block or access qualifier. The user should use this mode only for the purpose of reformatting his discs, or for running programs provided specifically for systems management tasks which can only be accomplished in this mode. Any such programs should be certified 'Virus Free' and run from original copies only. Further security may be provided if the circuit is modified to allow only whole tracks to be written in this mode, since the user would then be alerted automatically if he inadvertently left the switch at this setting for any other purpose.

In DATA or PROGRAM modes, whenever a block 1s written, its access qualifier is updated automatically to match the DATA or PROGRAM setting of the switch. In 'PROGRAM' mode, the user should again be careful only to run original copies of virus free 'Installation' programs for the purpose of copying other 'Service' programs onto his disc. He must not run these other 'Service' programs in this mode. The housekeeping information needed to find 'PROGRAM' blocks is preferably controlled by file directory information stored in ^•PROGRAM' blocks. That needed to find 'DATA' blocks is preferably controlled by directory information stored in 'DATA' blocks. Ideally, the directory structure of the operating system should allow for two roots, but if this 1s not possible, the single root directory is stored as a 'PROGRAM' file. Where an operating system maintains a 'map' of storage allocation, this preferably is duplicated, with the operating system maintaining the copy appropriate to the security setting (deduced, for example from the root directory in use), updating it as necessary from the other copy.

The storage medium is thus effectively administered as two distinct working areas using up the common free space as required. The user is able to restrict his day to day file updating to DATA blocks only, making it impossible for a virus program to take over the machine. Any virus program which attempts to corrupt program information under cover of legitimate data access would fail to do so, and would alert the user to its presence in the course of its attempt. The same provision can be provided even more easily on hard disc units, since the basic storage format does not have to be retained for compatible exchange of stored data between different computer systems. The access qualifier does not need to be realised by subterfuge - as in the case of the floppy disc, and it is a simple matter to provide a multiplicity of sequential qualifiers to implement hierarchical security provisions. Where the storage medium is not exchangeable, the access qualifiers may even be stored elsewhere within the intimate control system for the device.

The form of interlock circuit referred to in the second example above can be realised from a more generalised form outlined in the functional block diagram of Figure 1. The circuit takes advantage of the relatively large timing tolerances built into floppy disc protocols, stealing a small proportion of this time by delaying the signal being written. This small time slot is used to insert or detect a short but quite distinctive signal. The signal is ignored by the rest of the system, since it comes before the systems own mark indicating the start of valid data. The signal is sufficiently distinctive for even a small part of it to be recognised.

The block diagram shows a form of Interlock circuit which could offer several different security codes, if 1t were fitted into a system which allowed a sufficiently large time slot to be stolen. The principles of operation can best be described, however, by reference to the limited case of example two above, where only one form of marker is encoded. The presence or absence of this marker represents the access qualifier types

'PROGRAM' and 'DATA'. In this simple case, the facility to prohibit reading (implemented by the element labelled

'Permit/Forbid Read' in figure 1) is not invoked. This implementation always permits read operations. This implementation also always indicates the same Write Protect condition to the computer as it receives from the drive. The facility to modify this signal within the Decision Circuit is shown for the purpose of implementing more complex security provisions in conjunction with appropriate operating system software.

Returning to the simple case, there 1s only one form of marker signal generated here, and only 'PROGRAM' blocks have this marker signal. When the security switch is in the 'PROGRAM¹ position, blocks are written with the marker. When the switch is in the 'DATA' position, the marker is not written, but the data coming off the disc is scanned for signs of the marker. If there are no signs of the marker, the data is allowed through after the stolen time slot.

The time slot is stolen by feeding the 'Write Gate' and 'Write Data' signals through two parallel shift registers acting as delay lines. Both signals need to be processed into suitable forms for storage, and rebuilt after storage; the techniques for doing this are widely known and used. The delay lines are clocked at a higher rate than the data - in this instance eight times higher - to enable non-standard signals to be injected into the data stream. The data stream expected for this system contains time intervals corresponding to 8, 12 and 16 clock intervals. The single non-standard signal chosen for this simple case might, for example, be a stream of pulses at ten clock intervals. Depending on the computer system and floppy disc system used, other clock ratios and signal formats may be appropriate.

When writing a data block in 'PROGRAM' mode, the non-standard pattern and a Write Gate signal are injected into the shift registers as soon as the computer starts writing. The marker is thus written to the disc ahead When writing in 'DATA' mode, the 'Permit/Forbid' Write element is set to forbid writing. After the computer starts to write data into the delay line, the 'Decision Circuit' waits for it to be available from the output of the delay line. Provided the data co ing off the disc shows no sign of the marker signal during this wait - indicated by the 'Marker Code Detector' element of the circuit, the writing is then allowed to proceed until the end of the computer generated 'Write Gate' signal emerges from the delay line. If however the marker is detected coming off the disc, writing remains prohibited and the alarm sounds.

The user is required to select 'PRIVILEGE' mode if he wishes to reformat the disc. To prevent reformatting in the protected modes, the Decision Circuit monitors the timing of the computer's Write Gate signals relative to the Index signal. If the time interval is lower than the realistic minimum for the computer and disc concerned, writing is forbidden until the next Index signal, when the test starts again.

With the switch set to 'PRIVILEGE', the 'Permit/Forbid Write' element 1s set permanently to forbid writing from the delay line output, and the 'Permit Direct Write' element is set permanently to permit writing direct from the computer signals. The delay lines, clocks and marker detector circuits are all irrelevant in this mode - and the unit behaves as though the computer was connected directly to the drive. With the switch set to 'Write Protect', both the 'Permit/ForbldWrite' and the 'Permit Direct Write' circuit elements are set to prevent any writing.

Another aspect of the invention is described as it might be applied to a magnetic disc storage device, where these considerations are particularly demanding.

A typical magnetic disc stores data according to the pattern indicated in Figure 2. This pattern is laid down initially in a formatting operation. Thereafter, the data blocks will be rewritten as necessary. In general, the pattern of any block will be:

First, a possible area of indeterminate character known as the splice area. This arises when a data block is rewritten, and consists of the various remains of earlier data blocks, where small timing differences have caused the start and finish of the data block to depart from the exact timing of the original format.

Second, a synchronising stream or preamble which allows the electronics to lock on to the timing of the coming block, after the disturbance of the splice.

Third, a mark which cannot be mistaken for part of the preamble. This indicates the end of the synchronising stream, and the start of the stored block.

Fourth, the stored information. Fifth, a checksum added to the stream in accordance with a rule which ensures that if the rule is still true when the stream is read back, the block has been read correctly.

This pattern applies to the identification blocks and to the data blocks. The Identification blocks are recognised either by the material within the block, the form of the marker, the length of the block, or any other suitable feature which the designer may choose.

The security system proposed here attaches a security level to each data block. The format of the preceding address block defines this level. For the highest security level, this may be the standard format described above, or any other format which meets the basic needs of the device.

For a data block at the next lower security level (level 2), the preceding address block contains everything required for the top level address block, plus further data which may be of any form (provided it does not look like a synchronising train or marker, or otherwise risk misinterpretation as to its purpose) and which may include a further checksum which, for instance, may make the whole nev ⁽longer) address block valid. For a data block at the next lowest level (level 3) the address block would include further data, which again may include a checksum making this even longer address block valid. Such an address block for a following data block at level 3 is depicted in Figure 3. Typically, the designer may arrange for the formatting process to give every block the lowest security level he wishes to cater for, so that it starts off at its maximum length.

The storage device implements the security levels as follows. At the highest level of security it will accept as valid an address block which is valid at the first checksum. It will thus recognise and give access to all data blocks at this highest level. At the second level of security, it requires a valid second checksum, and so on. At the lowest level of security, it will only find and recognise data blocks for which the address blocks are still at their original formatted length.

Where data has to be written at a new security level, that part of the address block which remains after it has been recognised at the level required is deliberately corrupted. The amount of data between the successive checksums is designed to allow the electronics time to start this corruption before the next checksum can be read. The corruption may, for instance, be implemented by forthwith starting to write the new data block. Since the address block has to be recognised at the required new level, the data block cannot be rewritten if it has previously been given a higher security level than that currently requested. The address block for a level three data block, shown in Figure 4, can be corrupted to indicate a level 2 data block, as shown in figure 3. The security level of the old data has been checked, and new data has been written at a raised security level (from level 3 to level 2) in a single pass of the data stream.

The invention also addresses the problem of computer security with special reference to networked multi-user computer systems. Such systems suffer fro^™ ? particular vulnerability to computer virus infection, since they are usually sufficiently dispersed, and have sufficiently different stand-alone uses, to make operating disciplines difficult to enforce. They are, however, sufficiently intimately connected to facilitate the transmission of any virus infection throughout the network. The system described here addresses the mutual need of all the users for protection against malicious programs. It does not specifically address the need for security against malicious users acting within their Implied authorities, nor does it address the problems of security inherent in the use of communication facilities. It does, however, allow each user to have secure storage areas, not necessarily on his own local machine, which are hardware write protected. They may only be updated under conditions which are closely specified, and typically would require access from a particular terminal of the network, and possibly by a specified keyholder. The write protection 1s implemented in such a way that it cannot be interfered with by any software within any of the machines.

The system is of sufficient flexibility to provide similar security against unauthorised read access to stored data. The extension to provide read access security control is an obvious extension of the write protection facilities described, with the observation that whereas for security purposes, write protection of some material is mandatory, for operating purposes, read access to some material is similarly mandatory.

Two common concepts are used in the description of these new security facilities. These concepts are given the names 'Secure Code' and 'Protected Operation'

Secure Code is code and associated data which is trusted with the administration of the computer's security provisions, and which the user has stored in such a way that he knows it cannot have been altered from its intended form. Such code may for instance be stored on write protected floppy discs. Or it may for instance be stored usin; f-o security provisions described hereunder. Operating system code kept on write protected floppy discs is a common form of Secure Code. Applications code similarly stored ÷s not usually considered Secure Code, since it is not necessarily trusted with the administration of the computer's security provisions. Secure Code does not necessarily remain Secure Code once it is loaded into the computer.

A 'Protected Operation' state is a machine state which the user knows to be free from any ongoing malicious interference from illicit or faulty software. Such a state typically exists after switch-on, provided the computer initialises itself using only Secure Code. The state continues for so long as only this Secure Code has control of the computer. It ends as soon as the Secure Code yields control of any part of the computer system to any other code. Exceptionally, this 'Protected Operation' state may be prolonged by an expert user - for instance as part of a virus-cleaning operation using anti-virus Secure Code. Secure Code loaded Into the computer does remain Secure Code so long as the Protected Operation state persists. The security systems envisaged are built from the component elements described herein. These elements may include a switch or switches with which the user may establish input signals to various elements of the security system. Such switches may be operated by a key or other identification device. They may also be Implemented as the outputs of, for instance, magnetic security card readers, security keypads or other user operated devices. Additionally, automatic circuits may be provided to generate signals which modify or replace those from the user switch or switches, so as to reduce the risk of user error leading to a breach of the security rules.

The first component element is a non-exchangeable, non volatile storage device, which on a ci^"""^*"ent computer might be a hard disc, or a battery backed-up '-^■'s density semiconductor store. The device incorporates a ^•-•-"-^■ command validator which may be implemented as depicted in - ' ς'.'-re 5. which is able to modify data being stored, or to make use of the storage device for its own purposes. This comman validator intercepts all commands to the non volatile storage of the computer, and determines on the basis of the security inputs, the stored data, and any other Information which is or may have been available to it, whether or not a command issuec to the device is valid within the security rules. The functionality of such a device is best understood by reference to a specific example (a 'Disc Command Validator') which polices the commands going to a hard disc storage device. The extension to other fixed non-volatile storage devices is obvious.

The ultimate function of the Disc Command Validator is to block those operations which are forbidden according to the rules of the security system. In practice, this control function may be realised with some economy by embedding the relevant new logic within that of the storage device itself. A special feature of the combined device is the provision of one or more additional inputs, and ootionally, one or more additional outputs, through which the security inputs and the alarm output are provided.

The special input signals (Figure 5) may be used to define the security nature of data being written, or to define the security nature of data which may be read, or to define the security nature of data which may be overwritten, these definitions possibly being dependent also on the other information available to the Disc Command Validator.

The outputs of the device may include signals to indicate that an attempt to violate the security rules has been detected, or that access has been made to data of a particular category, or such other event as may suit the purpose of the user.

As an aid to understanding the use of such a device, two simple logical implementations which protect a single user computer are described as follows:

LOGIC 1: The first device ?s ^*:^***cvision for two input signals. One is identified as the Ξ 0Ri^*'Ai signal, one as the UNPROTECTED signal. These signals co'.^* σ be generated by manual switches, by software controlled switches, or they could be the result of logical operations performed on a combination of either or both types of such switches. For the purpose of this simple example they will be provided by hand operated switches. The device has a single output, identified as an ALARM output.

The function of the Disc Command Validator in this simple implementation is to associate security marks with any data as it is written in accordance with the following table (TABLE 1):

TABLE 1

REFORMAT NOT SET REFORMAT SET

UNPROTECTED Mark Mark deleted

NOT SET unchanged if present

UNPROTECTED Mark Mark

SET unchanged set

and to permit or forbid write commands and any special commands which might interfere with the normal functioning of the storage device according to the following table (TABLE 2) according to the switch settings, and whether or not a security mark is associated with the data to be overwritten. The ALARM signal is asserted 1f the Disc Command Validator is presented with a command which it forbids:

TABLE 2: REFORMAT NOT SET REFORMAT SET

UNPROTECTED Permit write only if no mark. No NOT SET Forbid special commands. Restriction

UNPROTECTED Permit all writes. No SET Forbid special commands. Restriction With this example, the user has control over his storage device as follows:

With neither switch set, the data which has a security mark associated with it is protected from overwriting. In common parlance it is write protected.

By setting the 'UNPROTECTED' switch he has access to overwrite this data.

By setting the 'REFORMAT' switch, he can choose whether or not to associate a security mark with the data he is writing. He would typically use this facility to set up protected and unprotected areas on his disc to suit his purpose.

If he chooses to use this security measure to protect his program files, so as to secure them from infection by a software virus, the ALARM signal will alert him to any such attempts at infection. He would need to take appropriate operational precautions to prevent a virus infection whilst he worked in any of the privileged states.

LOGIC 2 is a more complex use of the protection facility for a single user computer. As before, one input signal is designated REFORMAT, but in this case there are several other input signals. These latter signals are for convenience named FlagA, FlagB, FlagC etc. The Command Validator is able to associate marks of type A.B.C etc. with blocks of stored data. Each block may have none, one or several of these marks associated with it.

As before, the user associates marks with his data by writing data with the REFORMAT switch set. If any of the Flag switches is set, the appropriate mark is added to those already associated with the data block being written. If none are set, the data block has all marks removed.

Whilst it is possible to define arbitrarily complex rules for the interpretation of the security marks, for the purpose of example two simple rules are described here. The first is that a write operation is permitted 1f any of the flags associated with the data to be overwritten has its appropriate switch set. The second is the rule that a write operation is permitted if all of the flags associated with the data are signalled by their respective switches. In the former example, the user might use the switches to indicate the task he is doing, and use the security marks to release selected data to each task. In the latter, he might use the flags to define the status of his data, and set the switches to indicate the data categories he wishes to expose to updating in the course of a particular task. This latter rule is the basis of an example of the more complex multi-user application described later.

The user of this latter system might reasonably use the security facility to define storage areas as System, User Program 1, User Data 1, User Program 2, User Data 2 etc. with the REFORMAT switch set. With the REFORMAT switch returned to its unset position, he would then use the switches to enable write operations to the selected storage areas appropriate to his task.

For the purpose of virus protection, he may choose to connect his switches with the computer hardware RESET circuit in such a way that the act of enabling access to any of the protected program areas causes a RESET. He can then be sure that any memory resident virus does not survive the change of security status to Infect his program files.

The second element of the multi-user security system is the security control logic facility, depicted in Figure 6. One purpose of this device is to effect a translation between a series of switch inputs, and a series of switch outputs. Depending on the pattern of inputs presented, a pattern of outputs is relayed to the security connections of the storage device. A second purpose of the device is to generate a hardware RESET signal, for which purpose the logic may define security groups which cannot be newly enabled without a reset being forced.

The first mentioned purpose may for instance be implemented by a Read Only Memory device, with the switch inputs defining an address, so that the stored ROM data is presented as the switch output signals. The second purpose may be implemented by a matrix of logic gates which enable or disable the switch inputs and outputs (any or all of which may be inputs to the matrix) to one of several 'or' gates or circuits, each representing a security group, and which may be realised by a 'wired-or' input to a onostable as shown in Figure 6. The control input of each logic gate of the matrix may be wired to indicate which matrix element passes its input through to its output. Alternatively, the control inputs to these gates may be controlled by hardware storage elements arranged as a set of registers.

In the example circuit of Figure 6, the new assertion of any one of the output 'or' circuits represents the new enabling of a security group, and by means of the associated monostable and output 'or' gate, causes a hardware RESET. A less flexible alternative with some advantages is to realise the second purpose by generating a hardware RESET whenever selected switch inputs (for instance any local key operated switch) is set.

Optionally, the device may also include circuitry to recognise security cards, or passwords entered via a security keypad. The decoded information from such alternative inputs may be processed and presented as simple switch-like signals for the two purposes described above.

The third element of the multi-user security system is an enhanced communication link, as depicted in Figure 7. The function of the link 1s enhanced beyond that normally implemented according to current practice, in that every message which passes along the link carries with it additional information which defines the signals p^resent at the special inputs of the sending unit. This additional information is interpreted at the receiving end, and presented at the special outputs of the receiving unit. The special outputs may be latched, so that they reflect the state of the remote inputs when the last message was sent. Optionally, the device may be arranged to send a null message to transmit only a change of state at one of the special inputs, so that within the limitations imposed by the speed of transmission, the special outputs always indicate the signals present at the remote special inputs. Optionally, for security purposes, the communication link may be realised in such a way that the normal communication channel has limited means of determining the state of the special inputs at either end of the link, or in such a way that it has no such means at all. The limited means which may be provided could usefully include the facility to report once, but once only following a system RESET, the states of the special inputs and outputs. The limited means might also be to report on these states only when certain of the inputs or outputs is or are in a particular state.

The link may conveniently be made symmetrical, so that signals presented to the special inputs at either end are available at the other end of the link.

Optionally, some of the special inputs may be permanently or semi-permanently wired to indicate the identity of the computer in which the device is resident. Other inputs may be connected to switches which can only be manipulated by keyholders or cardholders. Others may be connected to signal voltages generated elsewhere in the computer.

Optionally, and to great advantage, the communications link may be incorporated with the logic unit responsible for passing commands to a local fixed storage unit. In this way,

Instructions from the remote end of the link can readily be presented to the storage device, along with, for instance the remote switch settings relevant to the instruction. (And for logical consistency, any locally gener? e commands may be accompanied by a pattern of output signals eαual to the pattern of the local input signals.) In these circumstances access to the storage device from the remote computer may be achieved without any further arrangements to secure the co-operation of the local computer or its addressable store, and thus without affording any opportunity for the local computer to interfere with the transaction or the security signals associated with it. The facility of the communications link to relay special signals in both directions may be used to ensure that any alarm signal from the local Command Validator is relayed back to the user who originates an access command.

The fourth element of the multi-user security system is a circuit which provides a signal to indicate a 'Protected Operation' state. Figure 7 shows one example of the logic which may be involved in providing such a signal, so that it becomes an automatic switch indicating whether the user is in a secure mode of operation, known to be virus free. In this example, the secure signal can only be set by a signal derived from the hardware RESET circuit, and validated as necessary (depending on the design of the host computer) to ensure that a momentary or ineffective RESET signal cannot register with the security circuit. The 'Protected Operation' signal thus becomes present when the computer starts with its volatile store in an indeterminate state.

For the signal to remain valid and effective, it must be reset as a result of any event which may compromise the security of the protected mode of operation. Such events may, for instance, include the loading of software from any exchangeable storage device such as a floppy disc, or the loading of any software which is not known to be virus-free. Considerable advantage arises if there is a user-alterable program (such as an AUTOEXEC.BAT file, or a file containing code used for the initialisation of some part of the computer system) which can be run whilst the protected operation signal is still true. Typically, this code or program might cancel the protected operation signal before releasing the processor to any further undefined tasks. Prior to this cancellation and release, the code or program may conveniently provide user facilities for redefining the security system. The security provisions described herein enable a user to safeguard the software which implements this element of the system against virus, or any other corruption, so that it qualifies as 'Secure Code'.

The user may thus be provided with a trusted, user-alterable start-up program which is responsible for generating a signal (Software generated signal A, Figure 8) as soon as the user exercises an option not associated with secure and trusted security programs. Such an option may be exercised by secure code which implements any 'BREAK', 'ESCape' or similar exit from the program, or by the explicit use of an option designed to allow a less secure mode of operation. The 'Protected Operation' signal may thus be negated in all cases once any measure of control is passed from the start-up program.

Optionally, and usually, It will be desirable to prevent the 'Protected Operation' signal being set if the computer is initialised from an exchangeable device. The signal 'Exchangeable device ready' is readily available from devices such as floppy disc drives, and may be introduced as shown in Figure 8, to negate the 'Protected Operation¹ signal if such a device is used. Optionally it may be desirable to load data from such an exchangeable device as part of a secure operation - 1n which case the 'Forbid exchangeable device' signal which is normally asserted true, may be set false. This could be achieved in any convenient way, including for instance a key operated switch, or a software instruction from Secure Code. Where other special features of the host computer present a similar risk to the virus-free environment, they may be Interlocked in a similar manner to that used for floppy discs, to ensure that the Protected Operation signal is set false if the feature is enabled without special precautions. The elements so far listed enable a computer user with access to a second remote computer to relay his switch settings to the remote computer, and subject to the logical process defined within the remote computer's security control logic, to establish protected files on the remote disc as he would on his own. For practical reasons, two users cannot have totally free access to a shared device. There has to be a way of resolving conflicts between the needs of the two users, and of accommodating the possibly changing needs of both. This problem gets harder as the number of users increases. The Security Control Logic is able to map arbitrarily the switch inputs available to it onto the switch outputs which it provides to the storage device. For operational flexibility, it may be advantageous to provide a reprogrammable version of the Security Control Logic, so that the logic can be redefined to accommodate changes, or resolve conflicting user requirements.

With advantage, reprogramming of the security control logic may be restricted to the 'Protected Operation' state. Figure 9 depicts a way in which this can be achieved. The ROM-like function of the Security Logic Unit, of asserting a pattern of outputs in response to a pattern of inputs, is now Implemented by RAM devices, which are written to as part of the protected start-up process. The data for the RAM devices is loaded via the access gate, as Is data to be loaded into registers providing control inputs for the matrix of logic gates (see Figure 6) which determine when the RESET signal is to be generated. With advantage, generation of the RESET signal may be inhibited when the security logic unit is being reprogrammed.

A normal single user might well store the start-up data and programs in a storage area with a high level of security -possibly requiring a local keyholding operator to be present, as evidenced by the setting of a key switch, before It may be altered. If the storage resource were later to be placed under the control of, say, a remote user identified as a network co-ordinator, the local user would use is authority to modify the start-up information so that the authority needed to update the start-up file is transferred from his key switch to a pattern of switch settings appropriate to the location and chosen switch settings advised by the co-ordinator. The new authorities will be loaded next time the start-up file is run (I.e. at next switch on), and the authority will then have been transferred.

A simple but comprehensive network of computers able to function as stand alone computers, active network stations, and passive network servers, with two keyholders per computer, might be constructed from these components, establishing data areas on the hard disc of each computer as follows:

1 A system area Including data which defines the security control logic as part of the start-up program.

2 An unprotected area for working data and general interchange, where users from remote terminals with no other area reserved for them may leave messages.

3 A program area for approved software controlled by the finance department

4 A data area for statutory financial data (not on the C machine)

5 A program areas for programmes approved by QC

6 A data area for operational QC data (not on the finance machine)

7 A program and data area for local office applications

Area 1 is able to be updated only by the network system coordinator, who alone can write updates to the operating system, or change the security control logic of any terminal. The coordinator may choose to make the continued assertion of the locally generated Protected Operation signal a requirement for access to his files, to guard against the danger of a local user program calling on incompatible versions of system files as a result of them being updated part way through a job. The local and remote Protected Operation signals may be wired as inputs to the Security Control Logic.

Area 3 can be updated only with the authority of a nominated keyholder from the central accounting function, with responsibility for the integrity of the accounting program suite.

Area 4 can only be updated by the local keyholding accounts clerk, except on the QC machine, where this second key authorises transmission of QC program updates to the remote systems.

Area 5 is as area 3, but the keyholder is located in central QC.

Area 6 is as area 4 but a QC key and keyholder, except in the Accounts department, where this second key authorises transmission of accounting program updates.

Area 7 is available for unrestricted local use. It cannot be altered from any remote terminal.

The disc storage space is thus segmented into areas under the Independent control of various authorities. Users have hardware restricted access to their respective storage areas, so that it is not possible, for instance, for a program run by the office administrator or his agent to affect programs or data under the control of any of the other parties.

One way in which the elements above may be combined to provide these facilities on IBM PC compatible computers running under MS-DOS is illustrated in Figure 10. Each computer is fitted with two preset input switches (1.3) set so as to encode one of the four computer identities. Each also has two key operated security switches (K,L) with c users authenticate themselves. A further two switch sign?is are automatically generated - the Protected Operation signa' (P) and the security alarm signal (A).

The Disc Command Validator for use with MS-DOS may be microprocessor based, and programmed to operate without the use of a REFORMAT switch setting, by associating each of the MS-DOS areas of the hard disk commonly identified as C:, D:, E:, F:, etc. with one of Its security inputs. The Disc Command Validator has access to the information needed to establish a cross reference table between each security switch input and the addresses defining its area, form the MS-DOS files on the disc itself. The Disc Command Validator permits a write operation to a data area only when the associated security input is set. In terms of the description above, these MS-DOS areas are assigned to the areas 1, 2, 3 etc. in order; thus C: is area 1, D: is area 2 and so on.

The inputs IJKLP and A are applied to the Communication Link, and the corresponding signals from the remote processors are available for each Incoming message as ijklp and a. The Communication Link has direct access to the Disc Command Validator via a private buffer storage area, so that commands received over the Communication Link requiring service from the disc may be serviced without any interference from the local host processor.

In this example, the Security Logic Unit uses only eight of the Inputs available to 1t, namely KLP and ijklp, and is programmed to generate seven outputs for the Disc Command

Validator as follows. The signals are named after the MS-DOS areas associated with them:

C: is set only when ijk are valid for the network coordinator's computer Identity and key, and when P and p are both set. In this implementation, the network coordinator needs trusted software which runs without negating the Protected Operation signal to update C:. To prevent any current job on the remote computer being corrupted as a result of unexpected changes to C:, the remote machine being updated must be switched on but idle in the Protected Operation state.

D: is set irrespective of the states of the eight input signals. E: is set only when ijl are valid for the finance department computer Identity and software authority key, and when K is not set (i.e. the program files are not in use).

F: is set only when i and j are the computer's own identity, and when K is set. F: is used for QC software work on the QC department machine.

G: is set only when ijk are valid for the QC computer and QC software authority key, and L is not set.

H: is set only when i and j are the computer's own Identity, and when L is set. H: is used for accounts software work on the accounts machine.

I: is set only when i and j are the computer's own identity, and neither K nor L is set.

The RESET command is generated whenever either of the local key switches changes.

Whilst the facilities of the Security Logic Unit have been described in terms of hardware, it is possible to implement the required functionality within the program of a microprocessor.

A single microprocessor could thus implement the functions of Communications Link, Disc Command Validator and Security Logic

Unit. The code for this microprocessor, tailored to meet the user's specific requirements, may be loaded from the host processor's secure store as a protected operation. In such an implementation, the physical switches IJ may be replaced by arbitrarily many data bits loaded from the host's secure store.

If the key switches are replaced by a security device such as a security card reader or keypad, arbitrarily many different operator authorities may also be programmed, thus removing the artificial limitation of two key switches and keyholders per machine which arises in the simple example above.

Such a system may also use the microprocessor to advantage, to simultaneously handle transactions from several remote computers, ensuring that the correct hardware signals are exchanged over each connection. With this extended flexibility, it is possible to extend the Security Logic Unit to provide a REFORMAT switch setting to the user and to the Disc Command Validator, for applications which require such flexibility. An example of a system offering the full flexibility of a software Implementation is depicted in Figure 11.

The microprocessor of Figure 11 may be initialised by the system RESET signal, by a locally generated signal to Indicate recent application of power, by an explicit command from the host processor, or by a combination of these. It initialises itself by running a program in its own ROM, which accepts from the host processor an operational program, which may for example include everything necessary to determine the security rules which it will Implement. For this Initialisation to be valid, the Protected Operation signal must be present throughout the process. Once initialisation is complete, control is transferred to the loaded code. With advantage, this code may be so devised that any further attempt by the host to re-initialise the microprocessor is invalid, even if the Protected Operation signal remains set. This may be accomplished, for instance, by operating a logic gate so as to disconnect the microprocessor from the 'Protected Operation' signal .

With advantage, the host may cause several programs to be loaded and run, amongst which may be one which passes information to the host concerning the signals present at the user switch.

With advantage, the host may load a succession of programs, depending on the state of the user switch, the last of which becomes permanent and unchangeable by its disconnecting the 'Protected Operation' signal. In particular, secure code within the host processor may offer the user reformatting options with which the security flags associated with various storage areas may be redefined, if the switch signals are appropriate. In the event of any invalid operation being attempted, the microprocessor may set the Alarm signal.

The designer of the security system thus has access to secure code and to a secure computer environment in which to accomplish whatever task he desires, including reprogramming the security system according to information which he may determine using all or any of the facilities available to the computer.

The restrictions which he must observe in order to preserve his secure environment may typically be reduced to the need to include code which will disconnect the security system microprocessor from the 'Protected Operation' signal as soon as he has established the required final mode of operation, and the need to include within the Secure Code of the host processor, provision to negate the 'Protected Operation' signal as soon as the operating system allows the user to invoke any process incompatible with 'Protected Operation' status.

Claims

1. Data storage apparatus characterised in that it has at least three access security levels and switching means for selectively connecting a user to said apparatus at a pre-determined one of

5 said access security levels.

2. Data storage apparatus as claimed in claim 1 characterised in that it Includes security circuit means to control and modify data flow associated with a storage device which circuit means is adapted to accept an Input signal indicative of the status of

10 a switch and to prohibit, allow or modify the operation of the storage device in response to said input.

3. Data storage apparatus as claimed in claim 2 characterised in that it further includes alarm means to alert a user in response to predetermined operation of said circuit means.

154. Data storage apparatus as claimed in claim 1 characterised in that 1t includes means to inhibit reading from a storage medium whilst permitting writing to said medium.

5. Data storage apparatus as claimed in claim 4 characterised in that 1t is further adapted to write only integral tracks 0 whilst reading from the storage medium is inhibited.

6. Data storage apparatus as claimed in claim 1 characterised in that it incorporates means sensitive to a security signal comprising a series of elemental signals and means adapted to activate successively higher security access levels as 5 successively fewer of said elemental signals are present in said series.

7. A multi-user system incorporating data storage apparatus as claimed in claim 1 characterised in that it includes a non-exchangeable, non volatile storage device incorporating a 0 new command validator adapted to intercept all commands to a non-volatile storage region of a computer and to determine whether or not a command issued to the device is valid within predetermined rules.

8. A multi-user system incorporating data storage apparatus as 5 claimed in claim 1 characterised in that it incorporates security control logic means to effect a translation between a series of inputs, and a series of switch outputs, which translation is dependent on the pattern of inputs presented.

9. A multi-user system incorporating data storage apparatus as claimed in claim 8 characterised in that it incorporates means to generate a hardware RESET signal on new enabling of predefined security groups.

10. A multi-user system incorporating data storage apparatus as claimed in claim 1 character sed in that it incorporates circuit means responsive to security status signals received together with data signals.