WO1993009498A1 - Method and system for protecting data stored in a storage device against computer viruses - Google Patents
- Publication number
- WO1993009498A1 (PCT/KR1992/000053)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- file
- storage device
- program
- write operation
- legitimate
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
Definitions
- This invention relates to computer viruses, and more specifically to protecting computer data on a storage device against computer viruses.
- A well-known computer virus in the IBM PC environment is the Brain virus, its name derived from the volume label.
- The virus infects the boot sector of a disk or diskette and resets the volume label as "(C)Brain".
- The virus has a few editions; some of them reside in the data area (DA) of a diskette, which was not used by the system, and reset the File Allocation Table (FAT) on the disk as 'bad cluster'.
- The FAT is a system area on a disk or diskette formatted under the DOS operating system, containing file allocation information for the disk, represented by a linked-list structure.
- The virus may stay in memory as what is called a Terminate and Stay Resident (TSR) program, until power is down.
- TSR: Terminate and Stay Resident
- Another well-known type of virus resides in a binary file.
- The virus is active when a program in which the virus resides is invoked. The virus becomes an active entity, finds binary files that are not yet infected, and infects them. The virus achieves its goal of propagating itself through the infection procedure. The infection procedure makes a binary file an infected program.
- Virus instructions are usually machine instructions of the target computer, but rarely a shell program (batch file program) can also contain virus code. A virus intrinsically propagates itself and becomes many in number. Viruses are also increased when users copy infected software, and by a person who puts virus code into a system deliberately or unintentionally.
- Virus code typically changes the interrupt vector of INT 21H (decimal 33) and some other interrupt vectors to point to itself, so that when interrupt 21H occurs the virus instructions are executed.
- The virus can do a variety of tasks on this occasion, for example propagate, display a message, destroy or modify data in storage, modify data in memory, etc., and then the virus passes control to the original interrupt service routine. Every operation seems normal except for the RAM-resident portion. The user might believe that the data on disk is safe and correct while the data has been or will be altered.
- A well-organized access system may help to protect a system from viruses. Binary files are altered when it is not necessary, and data files are modified by any program (process) when it is not necessary.
- The well-known personal computer under DOS does not provide levels or modes for processes. Under DOS any process can potentially access any resource without restriction, while other operating systems, for example the well-known UNIX, do provide access rights.
- Normally a process in kernel mode (or monitor mode) has privilege and can access any resource without restriction, while a process in user mode is restricted to its own area when accessing resources. If a virus has kernel-mode privilege, it would be dangerous. A virus can potentially reach a high or the highest level.
- The invention provides a privileged signal which ever existed. A virus cannot reach the level of privilege named Keyboard Privilege (KP).
- Infection is done in four different ways.
- One, with which we are concerned, is propagation, which is done by the virus itself and is intrinsically characteristic of a virus.
- A virus must alter binary files or some system area in which the virus can reside.
- This invention can prohibit alteration of binary files or some system areas. For example, when a computer virus attempts to alter a binary file that has been locked by the user, this invention rejects the attempt without any interference with the rest of the system. While binary files that have been locked are protected and are never altered, a compiler and linker would not work properly. This problem is addressed and solved by the policy of Association.
- A sort of virus may reside in the boot sector, which is located in the first sector of each disk/diskette. This attempt is also rejected.
- Figure 1 depicts a conventional system in which a disk controller is connected to a disk drive.
- Figure 2 depicts an implementation embedded in a disk controller. 1 is this invention, comprising the disk controller.
- Figure 3 depicts a path for the privileged signal, which is a jumper line 2 between the keyboard connector and this invention 3 embedded in a disk controller, a peripheral device.
- This invention consists of a Decision making system and a Gate system.
- The gate mechanism controls the flow of data to be written to the storage device.
- This invention restricts illegitimate write access to resources in storage devices, including disk drives, floppy, tape, optical drives and RAM drives.
- This invention provides the most effective protection against computer viruses. It lets the user confine the accessibility given by the conventional system. A specific file or a group of files is protected from alteration even in kernel mode.
- The Decision making and Gate systems are embedded in the conventional system. The Decision making system examines all write operations to determine whether they are legitimate or not; since a virus can manipulate files on the storage device, this probe is required for safety. If the result of the probe is legitimate, it lets the gate open; otherwise it lets the gate close.
- This invention makes decisions according to the policies of Association and Isolation.
- The policy of Association (referred to as Association) confines a program's access right to a specified group of data files.
- The group is represented by an extension, which is a part/suffix of the file name and denotes the file type.
- The policy of Isolation (referred to as Isolation) restricts write access to objects (files) that are in the LK state. All the restrictions are devised in the interest of security against computer viruses.
- NOPEN, so that the data to be written to the storage device is not forwarded, and does not reject the proposed write operation when the gate control command was OPEN.
- This invention supports a special case in which a compiler or linker produces files in state LK (read-only mode) to prevent possible infection by computer viruses. This invention gives the compiler and linker an exception when they overwrite binary files they have produced before.
- This invention consists of a policy and a mechanism that carries out the policy.
- This invention has equal application to any type of computer system that comprises a storage device.
- This invention has equal application to any type of storage device.
- The present invention is not limited to hard storage devices but has application to optical, floppy, tape, RAM drive and other storage devices as well.
- This invention can be implemented as a peripheral card or as software embedded in the system kernel.
- This invention should be implemented in hardware; it may also be implemented in software.
- A target computer in which this invention is intended to be implemented comprises a memory protection facility
- This invention can be implemented in software and would be as effective as a hardware implementation, except in some cases under special circumstances. For example, this invention may not work as intended if some portion of its software is altered. This alteration could be caused by a virus or by some other reason.
- An advantage of a hardware implementation is high reliability, and an advantage of a software implementation is low cost of implementation.
- For a computer system without a memory protection facility, the hardware implementation must be chosen for reliability
- peripheral device: When this invention is implemented in hardware, it may be embedded in a peripheral device; see Figure 2. When this invention is implemented in software, it may be embedded in the kernel of the operating system.
- A write operation may be driven by a computer virus if the system is under the control of a virus.
- This invention is embedded in the conventional system and examines all write operations before they are written. This invention decides whether or not to approve a write operation according to its policy.
- GET_CAP: Current Active Program
- GET_CBHF: Current Being Handled File
- GET_CBHFE: Current Being Handled File's extension
- GET_TRANSIT gets a transit, and FindCase matches the currently active program and the currently being handled file with a case.
- FindCase(LC) attempts to match the currently active program (CAP), which would be a compiler or linker, and the currently being handled file (CBHF) with cases LC1 to LC3.
- CAP: currently active program
- CBHF: currently being handled file
- Case LC1 is defined as: CAP (currently active program) is found and is associated with CBHF (currently being handled file) in table ADLC.
- Case LC2 is defined as: CAP is found and is not associated with CBHF in table ADLC.
- Case LC3 is defined as: CBHF is not found in table ADLC.
- Case A1 is defined as: the currently being handled file's extension (CBHFE) is found and is associated with CAP, which would be an application program, in table ODT.
- Case A2 is defined as: CBHFE is found and is not associated with CAP in table ODT.
- Case A3 is defined as: CBHFE is not found in table ODT.

Case | CBHFE is | Decision |
---|---|---|
A1 | found, associated with CAP | NOT DECIDED |
A2 | found, not associated with CAP | NOT OPEN |
A3 | not found | NOT DECIDED |

- If matched with case A2, the decision is made as NOT OPEN; otherwise another attempt is made. FindCase(I) attempts to match a case between I1 and I4 with CBHF.
- Case I1 is defined as: transit is p1, r3, p4 or p5.
- Case I2 is defined as: transit is r2 or r6.
- Case I3 is defined as: transit is q1, q4 or q5.
- Case P1 is defined as: the privileged signal is issued to approve the proposal.
- Case P2 is defined as: the privileged signal is not issued, or is issued to disapprove.
- EXTid: A proposed write operation is described by EXTid, PGid and Ofi, which represent the current situation. Ofi represents a file in the storage device and is used as an identification for files. PGid is an identification for programs in a storage device. LCid is an identification for linkers and compilers, used to distinguish one compiler or linker from other linkers or compilers. EXTid is an identification for the extensions of file names. A file in a storage device may be referred to by Ofi, PGid, EXTid and LCid.
- A command is passed to the gate system.
- the command will be either OPEN or
- The command OPEN means the gate lets the requested data forward to storage, and the command NOPEN means that the gate does not let the requested data forward to storage, but resumes.
- NOCOMMAMD is used to indicate the initialized state.
- State UK, in which the object is accessed to write.
- State LK, in which the object is accessed only to read; write access is forbidden.
- State AL, in which the object is alerted.
- State A, in which the object is being altered.
- Isolation prohibits write access to a locked object, that is, one in the LK state.
- A conventional system does not provide strict and proper restriction for objects in state LK, while this invention distinguishes them and restricts write operations to locked objects.
- Isolation isolates the binary files that you choose from alteration.
- Objects in the AL and LK states should be isolated, and LK objects should not be altered. More specifically, PS (privileged signal) enables files in state LK or AL to move to state UK.
- An object can have state WA, UK, LK or AL. According to the policy of Isolation, a locked object cannot be altered. If data is destined to be written to a locked object, the operation is ignored and a record of the result remains in 9134.log. If data is destined to be written to an alert object, the operation causes a confirmation/asking message window to be opened. If data is destined to be written to an unlocked object, the operation is granted. Isolation should not interfere with the conventional system. The policy should not be violated.
- The mechanism of Association is designed to find the relationship between a program (data file handler) and a data file.
- A table named ODT contains all the relationships between them.
- A group of data files is specified on the left-hand side of the table and its handlers are specified on the right-hand side.
- This table is referred to by the Decision making system
- A specified group of data files is allowed write access only by the specified handlers. Additionally, this table may contain a linker and compiler in the program field when EXTid is 255.
- The mechanism of Isolation is designed to examine write operations. It refers to BMT to learn the state of an object and reports 'illegal operation' when a write access is made to an object in LK state.
- The table contains the state of each object and is maintained as states change.
- A privileged signal may be used to approve or authorize an operation or command as a means of reliably distinguishing virus from user. For example, if a signal that is privileged, and that a virus cannot issue or alter, is used when an important operation is proposed or requested, the computer system will not be confused.
- A keyboard signal is used as the privileged signal in an embodiment of the present invention.
- The keyboard is connected to an IO port on the system.
- The CPU gets a word or byte from the IO port as a means of reading the keyboard scan code.
- This invention gets a signal directly from the IO port as a means of fetching the privileged signal.
- This invention gets the signal directly from the keyboard connector through a jumper line between this invention and the keyboard connector.
- The keyboard privilege cannot be violated by any process such as a virus, because it is issued by pressing the keyboard or by something specially designed to issue approval.
- The privileged signal cannot be simulated or imitated by any other process, executable code or instruction. Since the signal is derived only from a keystroke, nothing else generates the signal. It may be generated by a bug in the keyboard circuit. This invention assumes that the system has no such bug and that the computer circuit was designed so that the keyboard scan code is delivered to the IO port and no process can generate the signal except the keyboard.
- The write probe mechanism examines a block of data requested to be written, in the Decision making system.
- The write probe mechanism should be placed before the write operation proceeds and before the gate mechanism.
- The gate mechanism is recommended to be placed nearest to the storage device. The gate and write probe mechanisms may be placed together, and the gate must not malfunction or be bypassed. This means that no interference is allowed after the gate mechanism.
- An embodiment in which the gate is hardware embedded in the storage device as part of the storage, so that no process or executable code can affect the operation of the gate, and placed adjacent to the hard drive, connected directly as the hard disk interface or hard drive controller, would be ideal. All these arrangements are made to eliminate the possibility of illegal alteration of data after the gate system.
- The compiler and linker should be able to produce binary files and overwrite them. Overwriting binary files is a usual transaction, but it should be possible. The compiler and linker support mode provides a special function: any binary files (BFA) produced by a compiler or linker can be overwritten by that compiler or linker, whether the BFA is locked or not. Consideration of the compiler or linker is needed here because a compiler or linker may produce files in LK. In this invention the compiler and linker can produce files without any restriction, while other programs cannot. When the compiler and linker produce files BFA (Binary Files to be Altered), this invention adds items to table ADLC. When the compiler and linker produce another file that does not exist, it is also added to the ADLC table. It is like the following:

Linker or Compiler field | BFA field |
---|---|
LCid | Ofi |
... |

- This invention probes write accessibility before the compiler and linker produce/overwrite files. If the access is legitimate, the operation is done; otherwise the operation is denied. When the compiler or linker produces files that do not currently exist in the system, or that exist and are in UK state, the operation is done and an item is added to table ADLC if the file does not exist in the table.
- ODF.DSC, UPGRD.DSC and EL.DSC are those files. These files contain information on the association between objects (files) and programs. EL.DSC contains extensions and is optionally used.
- ODF.DSC is edited by the user.
- EL.DSC can be edited by the user. Both files are not to be removed and are in AL state. If the files are damaged or removed by accident, they are recovered by the system. Any alteration, removing or appending an item, causes the system to open and read the files. These files are edited with the editor DSCED. UPGRD.DSC is supplied by the dealer and contains new information. It is used when the system is upgraded.
- An Embodiment of Present Invention 1: This emulates this invention. It is designed to work under the DOS environment without any hardware support, so it does not have reliable protection and cannot demonstrate all the features of this invention.
- An Embodiment of Present Invention 2: This embodiment is a hard drive interface card, which is connected directly to the hard drive. No process or executable code can interfere, so the highest privileged mechanism is realized. All the mechanisms of the gate and decision making systems are contained within the card.
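
An added example, not code from the patent: a simplified Python model of the write decision described above, combining the compiler/linker exception (table ADLC), Association (table ODT) and Isolation (object states in table BMT) with the privileged signal. The order of the checks, the `compilers` lookup, the in-memory log and every program and file name are assumptions; states WA and A and the transit-based cases are left out.

```python
from dataclasses import dataclass, field

OPEN, NOPEN = "OPEN", "NOPEN"   # gate commands named in the text
UK, LK, AL = "UK", "LK", "AL"   # object states: unlocked, locked, alert


def extension(name):
    """Upper-cased suffix after the last dot ('' when there is none)."""
    return name.rsplit(".", 1)[1].upper() if "." in name else ""


@dataclass
class DecisionSystem:
    odt: dict        # Association: extension -> set of handler programs
    bmt: dict        # Isolation: file -> state (a missing key is a new file)
    compilers: set   # programs treated as compiler/linker (assumed lookup)
    adlc: dict = field(default_factory=dict)  # compiler/linker -> its outputs
    log: list = field(default_factory=list)   # in-memory stand-in for a log

    def decide(self, cap, cbhf, privileged_signal=False):
        """Gate command for program `cap` (CAP) writing file `cbhf` (CBHF)."""
        state = self.bmt.get(cbhf)
        if cap in self.compilers:
            # LC1: the file is recorded as this tool's own output, so it
            # may be overwritten whether it is locked or not.
            if cbhf in self.adlc.get(cap, set()):
                return OPEN
            # A new or unlocked output is allowed and recorded in ADLC.
            if state in (None, UK):
                self.adlc.setdefault(cap, set()).add(cbhf)
                self.bmt.setdefault(cbhf, UK)
                return OPEN
            # LC2/LC3 on a protected file: Isolation below decides.
        else:
            handlers = self.odt.get(extension(cbhf))
            if handlers is not None and cap not in handlers:
                # A2: extension is listed, but not for this program.
                return self._reject(cap, cbhf, "not associated")
            # A1/A3: not decided here, Isolation below decides.
        if state == LK:
            return self._reject(cap, cbhf, "illegal operation")
        if state == AL and not privileged_signal:
            # P2: no approving privileged signal for an alert object.
            return self._reject(cap, cbhf, "not approved")
        return OPEN

    def _reject(self, cap, cbhf, reason):
        self.log.append((cap, cbhf, reason))
        return NOPEN


def demo():
    """Run constructed write requests; all names below are made up."""
    ds = DecisionSystem(
        odt={"DOC": {"WP.EXE"}, "DSC": {"DSCED.EXE"}},
        bmt={"COMMAND.COM": LK, "REPORT.DOC": UK, "ODF.DSC": AL},
        compilers={"LINK.EXE"},
    )
    results = {
        "locked binary": ds.decide("GAME.EXE", "COMMAND.COM"),
        "wrong handler": ds.decide("GAME.EXE", "REPORT.DOC"),
        "right handler": ds.decide("WP.EXE", "REPORT.DOC"),
        "alert, no signal": ds.decide("DSCED.EXE", "ODF.DSC"),
        "alert, signal": ds.decide("DSCED.EXE", "ODF.DSC", True),
        "linker new file": ds.decide("LINK.EXE", "APP.EXE"),
    }
    ds.bmt["APP.EXE"] = LK   # the linker's output is now locked
    results["linker own locked"] = ds.decide("LINK.EXE", "APP.EXE")
    results["linker other locked"] = ds.decide("LINK.EXE", "COMMAND.COM")
    results["other on linker output"] = ds.decide("GAME.EXE", "APP.EXE")
    return ds, results


if __name__ == "__main__":
    for name, command in demo()[1].items():
        print(f"{name:24} {command}")
```

The last three requests show the point of table ADLC in this model: the linker may overwrite its own locked output, but neither the linker writing to another locked binary nor another program writing to the linker's output gets the gate opened.
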
Abstract
The aim is to protect resources stored in a storage device against computer viruses. Storage devices allow a computer to store and retrieve data, but computer viruses can access this data and even damage it. Accordingly, a system is provided, embedded in the storage device controller, in the host system or in the operating system, that examines write operations and determines whether or not they are legitimate. The privileged signal used to authorize certain operations can only originate from a keystroke or from some switching device, and not from a process. A gate system allows data to be written to the storage device only if the operation is legitimate. Otherwise, the data is not written.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AUPK913091 | 1991-10-28 | ||
AUPK9130 | 1991-10-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1993009498A1 (fr) | 1993-05-13 |
Family
ID=3775778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR1992/000053 WO1993009498A1 (fr) | Method and system for protecting data stored in a storage device against computer viruses | 1991-10-28 | 1992-10-28 |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO1993009498A1 (fr) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2402515A (en) * | 2003-05-20 | 2004-12-08 | Catherine Safa | Controlling write access of an application to a storage medium |
US7047369B1 (en) | 1997-09-25 | 2006-05-16 | Aladdin Knowledge Systems Ltd. | Software application environment |
US7260845B2 (en) * | 2001-01-09 | 2007-08-21 | Gabriel Kedma | Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems |
WO2008138653A1 (fr) * | 2007-05-09 | 2008-11-20 | International Business Machines Corporation | Method and data processing system to prevent manipulation of computer systems |
US7664924B2 (en) | 2005-12-01 | 2010-02-16 | Drive Sentry, Inc. | System and method to secure a computer system by selective control of write access to a data storage medium |
US8474021B2 (en) | 2001-06-29 | 2013-06-25 | Secure Systems Limited | Security system and method for computers |
US9280683B1 (en) | 2014-09-22 | 2016-03-08 | International Business Machines Corporation | Multi-service cloud storage decision optimization process |
US9600661B2 (en) | 2005-12-01 | 2017-03-21 | Drive Sentry Limited | System and method to secure a computer system by selective control of write access to a data storage medium |
US10503418B2 (en) | 2005-12-01 | 2019-12-10 | Drive Sentry Limited | System and method to secure a computer system by selective control of write access to a data storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2222899A (en) * | 1988-08-31 | 1990-03-21 | Anthony Morris Rose | Computer mass storage data protection |
GB2231418A (en) * | 1989-05-03 | 1990-11-14 | S & S Enterprises | Computer viruses |
WO1991013403A1 (fr) * | 1990-02-21 | 1991-09-05 | Rodime Plc | Method and apparatus for limiting access to, and alteration of, information contained in computer systems |
Non-Patent Citations (1)
Title |
---|
DATABASE INSPEC (IEE), AN: 89:3325096, August 1988, TI: "The Brain Virus". * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7047369B1 (en) | 1997-09-25 | 2006-05-16 | Aladdin Knowledge Systems Ltd. | Software application environment |
US7260845B2 (en) * | 2001-01-09 | 2007-08-21 | Gabriel Kedma | Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems |
USRE43624E1 (en) * | 2001-01-09 | 2012-08-28 | Xiloprem Tre Limited Liability Company | Sensor for detecting and eliminating inter-process memory breaches in multitasking operating systems |
US8474021B2 (en) | 2001-06-29 | 2013-06-25 | Secure Systems Limited | Security system and method for computers |
GB2402515B (en) * | 2003-05-20 | 2007-10-24 | Catharine Safa | Controlling write access of an application to a storage medium |
GB2402515A (en) * | 2003-05-20 | 2004-12-08 | Catherine Safa | Controlling write access of an application to a storage medium |
US9600661B2 (en) | 2005-12-01 | 2017-03-21 | Drive Sentry Limited | System and method to secure a computer system by selective control of write access to a data storage medium |
US10503418B2 (en) | 2005-12-01 | 2019-12-10 | Drive Sentry Limited | System and method to secure a computer system by selective control of write access to a data storage medium |
US7664924B2 (en) | 2005-12-01 | 2010-02-16 | Drive Sentry, Inc. | System and method to secure a computer system by selective control of write access to a data storage medium |
US8239959B2 (en) | 2007-05-09 | 2012-08-07 | International Business Machines Corporation | Method and data processing system to prevent manipulation of computer systems |
WO2008138653A1 (fr) * | 2007-05-09 | 2008-11-20 | International Business Machines Corporation | Method and data processing system to prevent manipulation of computer systems |
US9280683B1 (en) | 2014-09-22 | 2016-03-08 | International Business Machines Corporation | Multi-service cloud storage decision optimization process |
US9742845B2 (en) | 2014-09-22 | 2017-08-22 | International Business Machines Corporation | Multi-service cloud storage decision optimization process |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US5483649A (en) | Personal computer security system | |
US5657473A (en) | Method and apparatus for controlling access to and corruption of information in computer systems | |
US5012514A (en) | Hard drive security system | |
US8239959B2 (en) | Method and data processing system to prevent manipulation of computer systems | |
US5398196A (en) | Method and apparatus for detection of computer viruses | |
CN1307535C (zh) | Trusted client using a secure kernel system in secure execution mode | |
US4918653A (en) | Trusted path mechanism for an operating system | |
CN101162492B (zh) | Protecting system control registers in a data processing apparatus | |
EP0268138B1 (fr) | Implementing privilege in microprocessor systems for use in the protection of software assets | |
US5870467A (en) | Method and apparatus for data input/output management suitable for protection of electronic writing data | |
CN107066311B (zh) | Kernel data access control method and system | |
KR910005995B1 (ko) | Data processing system and method for protecting its system files | |
US4087856A (en) | Location dependence for assuring the security of system-control operations | |
US20080104348A1 (en) | Security System And Method For Computer Operating Systems | |
US20020147916A1 (en) | Method and apparatus for securing portions of memory | |
JPH07191776A (ja) | Personal computer system implementing security protection | |
KR20040093472A (ko) | System and method for providing region-granular, hardware-controlled memory encryption | |
JPH07117925B2 (ja) | LAN station personal computer and security protection method | |
CN110532767B (zh) | Internal isolation method for SGX secure applications | |
WO1993009498A1 (fr) | Method and system for protecting data stored in a storage device against computer viruses | |
WO2003050688A2 (fr) | System and method for managing device access to a memory with increased security | |
US7383584B2 (en) | System and method for controlling device-to-device accesses within a computer system | |
WO1990013864A1 (fr) | Improved security for machine-programmable data storage systems | |
WO1993013477A1 (fr) | Protection device for a computer | |
CN1163431A (zh) | Method and device for controlling reading and writing of a computer hard disk |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A1; Designated state(s): AU CA GB JP KR US |
 | NENP | Non-entry into the national phase | Ref country code: CA |