WO1993009498A1 - Method and system for protecting data stored in a memory against computer viruses - Google Patents

Method and system for protecting data stored in a memory against computer viruses

Info

Publication number: WO1993009498A1
Authority: WO, WIPO (PCT)
Prior art keywords: file, storage device, program, write operation, legitimate
Application number: PCT/KR1992/000053
Other languages: English (en)
Inventor: Sung Moo Yang
Original Assignee: Sung Moo Yang
Priority date: 1991-10-28 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 1992-10-28
Publication date: 1993-05-13
Application filed by Sung Moo Yang
Publication of WO1993009498A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware

Definitions

  • This invention relates to computer viruses and more specifically to protecting computer data on a storage device against computer viruses.
  • A well known computer virus in the IBM PC environment is the Brain virus, the name being derived from its volume label.
  • The virus infects the boot sector of a disk or diskette and resets the volume label to "(C)Brain".
  • The virus has a few editions; some of them reside in the data area (DA) of the diskette, which was not used by the system, and mark their clusters in the File Allocation Table (FAT) on the disk as 'bad cluster'.
  • The FAT is a system area on a disk or diskette formatted under the DOS operating system, containing the file allocation information of the disk, represented as a linked list structure.
  • The virus may stay in memory until the power is turned off, as what is called a Terminate and Stay Resident (TSR) program.
  • TSR: Terminate and Stay Resident
  • Another well known type of virus resides in a binary file.
  • The virus becomes active when the program in which it resides is invoked. The virus is then an active entity: it finds binary files that are not yet infected and infects them. The virus achieves its goal of propagating itself by this infection procedure, which turns a binary file into an infected program.
  • Virus instructions are usually machine instructions of the target computer, but rarely, and possibly, shell programs (batch file programs) can also contain virus code. A virus intrinsically propagates itself and grows in number. Viruses are also multiplied when users copy infected software, and when a person puts virus code into a system deliberately or unintentionally.
  • Virus code typically changes the interrupt vector of INT 21H (decimal 33), and some other interrupt vectors, to point to itself, so that when interrupt 21H occurs the virus instructions are executed.
  • The virus can perform a variety of tasks on this occasion, for example propagate, display a message, destroy or modify data in storage, modify data in memory, and so on, after which it passes control to the original interrupt service routine. Every operation seems normal except for the RAM resident portion. The user might believe that the data on disk is safe and correct while the data has been or will be altered.
  • A well organized access system may help to protect the system from viruses: binary files are altered when it is not necessary, and data files are modified by programs (processes) that have no need to modify them.
  • The well known personal computer under DOS does not provide levels or modes of process. Under DOS any process can potentially access any resource without restriction, while other operating systems, for example the well known operating system UNIX, do provide access rights.
  • Normally a process in kernel mode (or monitor mode) has privilege and can access any resource without restriction, while a process in user mode is restricted to its own area when accessing resources. If a virus has kernel mode privilege, it is dangerous: a virus can potentially reach a high or the highest level.
  • The invention provides a privileged signal. A virus cannot reach the level of privilege named Keyboard Privilege (KP).
  • Infection is done in four different ways.
  • The one we are concerned with is propagation, which is done by the virus itself and is an intrinsic characteristic of a virus.
  • The virus must alter binary files or some part of the system area where it can reside.
  • This invention can prohibit alteration of binary files or of some part of the system area. For example, when a computer virus attempts to alter a binary file that has been locked by the user, this invention rejects the attempt without any interference with the rest of the system. While binary files that have been locked are protected and can never be altered, a compiler and linker would not work properly; this problem is addressed and solved by the policy of Association.
  • A sort of virus may reside in the boot sector, which is located in the first sector of each disk/diskette. This attempt is also rejected.
  • Figure 1 depicts a conventional system in which a disk controller is connected to a disk drive.
  • Figure 2 depicts an implementation embedded in a disk controller; 1 is this invention comprising the disk controller.
  • Figure 3 depicts a path for the privileged signal, which is a jumper line 2 between the keyboard connector and this invention 3 embedded in a disk controller, a peripheral device.
  • This invention consists of a Decision making system and a Gate system.
  • The Gate mechanism controls the flow of data to be written on the storage device.
  • This invention restricts illegitimate write access to resources on a storage device, including disk drive, floppy, tape, optical drive and RAM drive.
  • This invention provides the most effective protection against computer viruses. It lets the user confine the accessibility given by a conventional system. A specific file or a group of files is prohibited from alteration even in kernel mode.
  • The Decision making and gate system are embedded in a conventional system. The Decision making system examines all write operations to determine whether they are legitimate or not; since a virus can manipulate files on the storage device, this probe is necessarily required for safety. If the result of the probe is legitimate, the gate is opened; otherwise it is closed.
  • This invention makes decisions according to the policies of Association and Isolation.
  • The policy of Association (referred to as Association) confines a program's write access to a specified group of data files.
  • The group is represented by an extension, which is the part/suffix of a file name that denotes the file type.
  • The policy of Isolation (referred to as Isolation) restricts write access to some objects (files) which are in LK state. All the restrictions are devised in the interest of security against computer viruses.
  • The gate control command NOPEN means that the data to be written on the storage device is not forwarded; when the gate control command was OPEN, the proposed write operation is not rejected.
  • This invention supports a special case in which a compiler or linker produces files in state LK (read only mode) to prevent possible infection by computer viruses. This invention gives the compiler and linker an exception when they overwrite binary files they have produced before.
  • This invention consists of a policy and a mechanism that carries out the policy.
  • This invention has equal application to any type of computer system that comprises a storage device.
  • This invention has equal application to any type of storage device.
  • The present invention is not limited to hard disk storage devices but has application to optical, floppy, tape, RAM drive and other storage devices as well.
  • This invention can be implemented by a peripheral card or by software embedded in the system kernel.
  • Although this invention should be implemented by hardware, it may also be implemented by software.
  • A target computer in which this invention is intended to be implemented comprises a memory protection facility.
  • This invention can be implemented by software and would be as effective as a hardware implementation except in some cases under special circumstances. For example, this invention may not work as intended if some portion of its software is altered; this alteration can be caused by a virus or for some other reason.
  • An advantage of hardware implementation is high reliability, and an advantage of software implementation is the low cost of implementation.
  • A computer system without a memory protection facility must use the hardware implementation for reliability.
  • When this invention is implemented by hardware, it may be embedded in a peripheral device, as in Figure 2. When this invention is implemented by software, it may be embedded in the kernel of the operating system.
  • A write operation may be driven by a computer virus if the system is under the control of the virus.
  • This invention is embedded in a conventional system and examines all write operations before they are carried out. This invention makes the decision whether to approve a write operation or not according to the invention's policy.
  • GET_CAP: gets the Current Active Program (CAP)
  • GET_CBHF: gets the Current Being Handled File (CBHF)
  • GET_CBHFE: gets the Current Being Handled File's Extension (CBHFE)
  • GET_TRANSIT gets a transit, and FindCase matches the currently active program and the currently being handled file with a case.
  • FindCase(LC) attempts to match the currently active program (CAP), which would be a compiler or linker, and the currently being handled file (CBHF) with cases LC1 to LC3.
  • CAP: currently active program
  • CBHF: currently being handled file
  • Case LC1 is defined as: CAP (currently active program) is found in table ADLC and is associated with CBHF (currently being handled file).
  • Case LC2 is defined as: CAP is found in table ADLC and is not associated with CBHF.
  • Case LC3 is defined as: CBHF is not found in table ADLC.
  • Case A1 is defined as: the currently being handled file's extension (CBHFE) is found in table ODT and is associated with CAP, which would be an application program.
  • Case A2 is defined as: CBHFE is found in table ODT and is not associated with CAP.
  • Case A3 is defined as: CBHFE is not found in table ODT.
  • The three cases and their decisions:

    Case  CBHFE                            Decision
    A1    found, associated with CAP       NOT DECIDED
    A2    found, not associated with CAP   NOT OPEN
    A3    not found                        NOT DECIDED

    If matched with case A2, the decision is NOT OPEN; otherwise another attempt is made. FindCase(I) attempts to match a case between I1 and I4 with CBHF.
  • Case I1 is defined as: the transit is p1, r3, p4 or p5.
  • Case I2 is defined as: the transit is r2 or r6.
  • Case I3 is defined as: the transit is q1, q4 or q5.
  • Case P1 is defined as: the privileged signal is issued to approve the proposal.
  • Case P2 is defined as: the privileged signal is not issued, or is issued to disapprove.
  • A proposed write operation is described by EXTid, PGid and Ofi, which represent the current situation. Ofi represents a file on the storage device and is used as an identification of files. PGid is an identification of programs on a storage device. LCid is an identification of linkers and compilers, used to distinguish one compiler or linker from other linkers or compilers. EXTid is an identification of file name extensions. A file on a storage device may be referred to by Ofi, PGid, EXTid and LCid.
  • A command is passed to the gate system.
  • The command will be either OPEN or NOPEN.
  • The command OPEN means the gate lets the requested data forward to storage, and the command NOPEN means that the gate does not let the requested data forward to storage but resumes.
  • NOCOMMAND is used to indicate the initialized state.
  • State UK, in which the object may be accessed for writing.
  • State LK, in which the object may be accessed only for reading; write access is forbidden.
  • State AL, in which the object is alerted.
  • State A, in which the object is being altered.
  • Isolation prohibits write access to a locked object, which is one in LK state.
  • A conventional system does not provide strict and proper restriction for objects in state LK, while this invention distinguishes them and restricts write operations to locked objects.
  • Isolation isolates the binary files you want from alteration.
  • Objects in AL or LK states should be isolated, and LK objects should not be altered. More specifically, PS (the privileged signal) enables files in state LK or AL to become state UK.
  • An object can have state WA, UK, LK or AL. According to the policy of Isolation a locked object cannot be altered. If data was destined to be written on a locked object, the operation is ignored and a record of it remains in 9134.log. If data was destined to be written on an alert object, the operation causes a confirmation/asking message window to be opened. If data is destined to be written on an unlocked object, the operation is granted. Isolation should not interfere with the conventional system, and the policy should not be violated.
  • The mechanism of Association is designed to find out the relationship between a program (data file handler) and a data file.
  • A table named ODT contains all the relationships between them.
  • A group of data files is specified in the table, with its handlers specified on the right-hand side of the table and the data files on the left-hand side.
  • This table is referred to by the Decision making system.
  • A specified group of data files is allowed for write access only by the specified handlers. Additionally, this table may contain a linker and compiler in the program field when EXTid is 255.
  • The mechanism of Isolation is designed to examine write operations. It refers to BMT to know the state of an object and reports 'illegal operation' when a write access is made to an object in LK state.
  • The table BMT contains the state of each object and is maintained according to changes.
  • A privileged signal may be used to approve or authorize an operation or command as a means of reliably distinguishing a virus from the user. For example, if a signal that is privileged, and that a virus can neither issue nor alter, is used when an important operation is proposed or requested, the computer system will not be confused.
  • A keyboard signal is used as the privileged signal in an embodiment of the present invention.
  • The keyboard is connected to an I/O port on the system.
  • The CPU gets a word or byte from the I/O port as the means of reading the keyboard scan code.
  • This invention gets the signal directly from the I/O port as the means of fetching the privileged signal.
  • This invention may also get the signal directly from the keyboard connector by a jumper line between this invention and the keyboard connector.
  • The keyboard privilege cannot be violated by any process such as a virus, because it is issued by pressing the keyboard or by a device specially designed to issue approval.
  • The privileged signal cannot be simulated or imitated by any other process, executable code or instruction. Since the signal is derived only from a keystroke, nothing else generates the signal. It might be generated by a bug in the keyboard circuit; this invention assumes that the system has no such bug and that the computer circuit was designed so that the keyboard scan code is delivered to the I/O port and no process other than the keyboard can generate the signal.
  • The write probe mechanism examines a block of data requested to be written, in the Decision making system.
  • The write probe mechanism should be placed before the write operation proceeds and before the gate mechanism.
  • The gate mechanism is recommended to be nearest to the storage device. The gate and write probe mechanisms may be placed together, and the gate must not malfunction or be bypassed. This means that after the gate mechanism no interference is allowed.
  • An embodiment in which the gate is hardware embedded in the storage device as part of the storage, so that no process or executable code can affect the operation of the gate, placed adjacent to the hard drive and connected directly as the hard disk interface or hard drive controller, would be ideal. All these arrangements are made to get rid of the possibility of illegal alteration of data after the gate system.
  • A compiler and linker should be able to produce binary files and overwrite them. Overwriting binary files is a usual transaction for them and must remain possible. The compiler and linker support mode provides a special function: any binary files (BFA) produced by a compiler or linker can be overwritten by that compiler or linker, no matter whether the BFA is locked or not. Compilers and linkers need this because they may produce files in LK. In this invention a compiler and linker can produce files without any restriction while other programs cannot. When a compiler or linker produces files (BFA, Binary Files to be Altered), this invention adds items to table ADLC. When a compiler or linker produces another file that does not yet exist, it is also added to table ADLC. The table looks like the following:

    Linker or Compiler field   BFA field
    LCid                       Ofi
    ...

  • This invention probes the accessibility of writing before a compiler or linker produces/overwrites files. If the access is legal, the operation is done; otherwise the operation is denied. When a compiler or linker produces files that do not currently exist in the system, or that exist and are in UK state, the operation is done and an item is added to table ADLC if the file is not already in the table.
  • ODF.DSC, UPGRD.DSC and EL.DSC are those files. These files contain information on the association between objects (files) and programs. EL.DSC, which contains extensions, is optionally used.
  • ODF.DSC is edited by the user.
  • EL.DSC can be edited by the user. Both files are not to be removed and are in AL state. If the files are damaged or removed by any accident, they are recovered by the system. Any alteration, removing or appending an item, causes the system to open and read the files. These files are edited by the editor DSCED. UPGRD.DSC is given by the dealer and contains new information; it is used when the system is upgraded.
  • An Embodiment of the Present Invention 1: this emulates the invention. It is designed to work under the DOS environment without any hardware support, so it does not have reliable protection and cannot demonstrate all the features of this invention.
  • An Embodiment of the Present Invention 2: this embodiment is a hard drive interface card, which is connected directly to the hard drive. No process or executable code can interfere, so that the highest privileged mechanism is realized. All the mechanisms of the gate and Decision making system are comprised within the card.
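The decision flow laid out in the definitions above (Association via table ODT, Isolation via the BMT object states, compiler/linker support via table ADLC, and the P1/P2 privileged signal), as an added simulation that is not the patent's own code. It assumes dict-based tables and constructed program and file names; the creation of a new compiler/linker output in state LK and the use of the privileged signal as the confirmation for AL objects follow the page's wording, and `unlock` models the statement that PS lets LK/AL files become UK.

```python
"""Added simulation of the patent's write-probe decisions; not the patent's own code.
Tables ODT, BMT and ADLC are plain dicts; every program and file name is constructed."""
from dataclasses import dataclass, field

OPEN, NOPEN, NOT_DECIDED = "OPEN", "NOPEN", "NOT DECIDED"   # gate commands / verdicts
UK, LK, AL = "UK", "LK", "AL"     # object states: unlocked, locked, alert
LC_EXTID = 255                    # ODT row whose program field lists compilers/linkers


@dataclass
class Tables:
    odt: dict                     # ODT: extension -> set of handler programs (Association)
    bmt: dict                     # BMT: file (Ofi) -> state UK / LK / AL (Isolation)
    adlc: dict                    # ADLC: compiler/linker (LCid) -> set of BFA files
    log: list = field(default_factory=list)   # stands in for the page's 9134.log


def extension_of(ofi: str) -> str:
    """CBHFE: the suffix of the file name that denotes its type."""
    return ofi.rsplit(".", 1)[1].upper() if "." in ofi else ""


def find_case_a(t: Tables, cap: str, ext: str):
    """Association cases A1..A3, with the decisions from the page's table."""
    if ext not in t.odt:
        return "A3", NOT_DECIDED  # extension unknown: Association has no opinion
    if cap in t.odt[ext]:
        return "A1", NOT_DECIDED  # CAP is a registered handler for this file type
    return "A2", NOPEN            # CAP is not a handler for this type: reject


def find_case_lc(t: Tables, cap: str, ofi: str) -> str:
    """Compiler/linker cases LC1..LC3 against table ADLC (LCid -> BFA files)."""
    if not any(ofi in files for files in t.adlc.values()):
        return "LC3"              # CBHF is not in the table at all
    if cap in t.adlc and ofi in t.adlc[cap]:
        return "LC1"              # CAP produced this BFA before
    return "LC2"                  # file is known, but not as CAP's BFA


def decide(t: Tables, cap: str, ofi: str, privileged_signal: bool = False) -> str:
    """Write probe: gate command for CAP writing to CBHF=ofi.
    privileged_signal=True is case P1 (keyboard approval), False is case P2."""
    state = t.bmt.get(ofi)        # None: the file does not exist yet
    if cap in t.odt.get(LC_EXTID, set()):               # compiler/linker support mode
        if find_case_lc(t, cap, ofi) == "LC1":
            return OPEN           # may overwrite a BFA it produced, locked or not
        if state is None or state == UK:
            t.adlc.setdefault(cap, set()).add(ofi)      # record the new BFA
            if state is None:
                t.bmt[ofi] = LK   # page: compilers/linkers produce files in LK
            return OPEN
        # LC2/LC3 on a locked or alert file falls through to Isolation below
    else:
        case, verdict = find_case_a(t, cap, extension_of(ofi))
        if verdict == NOPEN:
            t.log.append(f"{case}: {cap} is not a handler for {ofi}")
            return NOPEN
    # Isolation: the object's state decides
    if state == LK:
        t.log.append(f"illegal operation: {cap} attempted to write locked {ofi}")
        return NOPEN              # ignored and recorded, no prompt
    if state == AL:               # alert object: confirmation window, needs P1
        return OPEN if privileged_signal else NOPEN
    return OPEN                   # UK object or new file: granted


def unlock(t: Tables, ofi: str, privileged_signal: bool) -> bool:
    """PS lets a file in LK or AL become UK; without PS nothing changes."""
    if not privileged_signal or t.bmt.get(ofi) not in (LK, AL):
        return False
    t.bmt[ofi] = UK
    return True


def sample_tables() -> Tables:
    """Constructed sample: a word processor, a database, one linker, one compiler."""
    return Tables(
        odt={"DOC": {"WORD"}, "DBF": {"DBASE"}, LC_EXTID: {"TLINK", "TCC"}},
        bmt={"COMMAND.COM": LK, "PROG.EXE": LK, "LETTER.DOC": UK, "ODF.DSC": AL},
        adlc={"TLINK": {"PROG.EXE"}},
    )


if __name__ == "__main__":
    t = sample_tables()
    for cap, ofi in [("GAME.EXE", "COMMAND.COM"), ("WORD", "LETTER.DOC"), ("TLINK", "PROG.EXE")]:
        print(cap, "->", ofi, decide(t, cap, ofi))
    print(*t.log, sep="\n")
```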

Abstract

An attempt was made to protect resources stored in a memory against computer viruses. Memories allow a computer to store and retrieve data, but computer viruses can access this data and even damage it. Thus a system is provided, mounted in the memory controller, in the central system or in the operating system, which analyses write operations into the memory and determines whether they are valid or not. The privileged signal used to authorise certain operations can come only from a keystroke or from some switching device, and not from a process. A gate system allows data to be written into the memory only if the operation is valid; otherwise the data is not written.
PCT/KR1992/000053 1991-10-28 1992-10-28 Method and system for protecting data stored in a memory against computer viruses WO1993009498A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPK913091 1991-10-28
AUPK9130 1991-10-28

Publications (1)

Publication Number Publication Date
WO1993009498A1 (fr) 1993-05-13

Family

ID=3775778

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR1992/000053 WO1993009498A1 (fr) 1991-10-28 1992-10-28 Method and system for protecting data stored in a memory against computer viruses

Country Status (1)

Country Link
WO (1) WO1993009498A1 (fr)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2222899A (en) * 1988-08-31 1990-03-21 Anthony Morris Rose Computer mass storage data protection
GB2231418A (en) * 1989-05-03 1990-11-14 S & S Enterprises Computer viruses
WO1991013403A1 (fr) * 1990-02-21 1991-09-05 Rodime Plc Method and apparatus for limiting access to, and alteration of, information contained in computer systems


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DATABASE INSPEC (IEE), AN: 89:3325096, August 1988, TI: "The Brain Virus". *



Legal Events

Date Code Title Description
AK Designated states: Kind code of ref document: A1; Designated state(s): AU CA GB JP KR US
NENP Non-entry into the national phase: Ref country code: CA