"METHOD TO STORE ELECTRONIC DOCUMENTS IN A NON-MODIFIABLE MANNER"

FIELD OF THE INVENTION

The present invention concerns a method to store, in a non-modifiable manner, information contained in electronic documents, for example the description of the events generated by a calculator or of the activities performed by said calculator. Such documents are known in English as files in general, and as log files in the particular case where they contain the description of events or activities concerning a calculator. They can contain information concerning, for example, connection attempts, access to documents and malfunctioning. These files must be protected so that their memorization is exempt from possible breaches or cancellations by unauthorized third parties. Hereafter we shall use the word "document" to mean both whole files and individual pieces of information (for example the description of a single event). The invention applies indifferently to both cases.

BACKGROUND OF THE INVENTION

Methods to protect electronic calculators, or other devices similar thereto for the purposes of the present invention, from access by unauthorized third parties are known, including methods with a high level of protection. Known protection methods have the disadvantage that, once the barriers have been passed, the calculator is freely accessible. One of the problems of calculators is that it is possible for an unauthorized third party to penetrate inside a calculator, bypassing the possible protections. In this case, having once obtained control of the calculator, the third party can cancel the traces of his unauthorized activity, either directly or indirectly by carrying out automatic programs to breach security. These traces are registered in the log files memorized in the calculator that has suffered the attack, and they can therefore be modified, altered or cancelled. The state of the art therefore makes it difficult, or impossible, to discover the provenance, date, time and modality of the attack. More generally, following an attack or a virus infection, documents being processed, for which there are therefore no back-up copies, can be lost.

The US patent US-A-5,978,475 discloses a system for memorizing log files generated by an electronic calculator, linking them sequentially and encrypting them. This conventional system, however, does not prevent the risk that the log files thus memorized can be cancelled, making it impossible to later retrieve the data they contained before the cancellation.

The US patent US-A-5,361,359, instead, discloses a system and a method for the protection of an area of memory of an electronic calculator, for example that of a hard disk. The conventional system provides that the area to be protected is accessible, by means of a virtual communication channel, exclusively by an authorized person, but it does not prevent the data relating to the memorized files from being cancelled, and thus lost, for example when the whole hard disk is cancelled.

One purpose of the present invention is to render available all the data necessary to discover the provenance, date, time and modality of the attack, even when the log files normally used in known methods are modified, altered or cancelled in an unauthorized manner.

Another purpose of the present invention is to detect possible anomalies by analyzing the content of the log files and to signal such anomalies, for example by means of alarm messages, which can be displayed on a screen or transmitted automatically by means of normal channels of communication (for example by means of a cell phone system).

Another purpose of the present invention is to provide a protected archive for generic documents in the course of processing, which can be updated but not modified or cancelled by the system at risk of attack or virus.

The Applicant has devised, tested and embodied this invention to overcome the shortcomings of the state of the art and to obtain these and other purposes and advantages.

SUMMARY OF THE INVENTION

The present invention is set forth and characterized in the main claim, while the dependent claims describe other characteristics of the invention or variants to the main inventive idea.

In accordance with the above purposes, a method according to the present invention can be used to store, in a non-modifiable manner, electronic documents generated by an electronic calculator and containing the description of events and activities performed by the electronic calculator itself (the log files), or the files containing the generic data of users.

The method according to the invention comprises a step to intercept or select the electronic documents present on the electronic calculator, on each occasion, according to a predetermined or variable pattern.

According to a characteristic of the present invention, the method also comprises at least the following steps. During a transmission step, the electronic documents are transmitted by the electronic calculator to a storage device, which can be a second electronic calculator or a dedicated storage device. The transmission is made by means of at least one communication channel of a unidirectional type, so that the electronic documents can be transmitted from the electronic calculator to the storage device, and not vice versa. During a subsequent memorization step, the electronic documents transmitted from the electronic calculator are memorized in the storage device.

The physical architecture of the unidirectional connection and the devices used, as well as the program and the protocols employed, guarantee that it is impossible for the calculator which transmitted the documents to alter the documents stored, even when the security of that calculator has been breached, precisely because the communication channel of a unidirectional type does not allow access from the first electronic calculator to the storage device.

As is known, electronic documents, including log files, are normally memorized in the same calculator where they are generated. According to the present invention, said documents, having reached a storage device, are memorized in the latter without being able to be subsequently cancelled or altered by the calculator that transmitted them. Thanks to this technical solution, when storing log files, at least all the data necessary to discover the provenance and modality of a possible attack which has breached the security of the calculator are memorized in a non-modifiable manner.

According to another characteristic, when storing log files, the invention provides one or more steps to analyze the content of the log files received, so as to detect possible anomalies on the first calculator.

According to a variant, the transmission step comprises at least a step to label the above documents, so as to allow the reception step to reconstruct the documents transmitted.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other characteristics of the present invention will become apparent from the following description of a preferential form of embodiment, given as a non-restrictive example with reference to the attached drawings, wherein:
- fig. 1a is a schematic representation of the connection mode between a first and a second electronic calculator, according to the present invention;
- fig. 1b is a schematic representation of the connection mode between the first calculator and a dedicated storage device, according to the present invention;
- fig. 2 is a schematic representation of a sequence of steps performed on the first calculator, according to the method;
- fig. 3 shows the structure of a particular message sent from the first to the second calculator or to the dedicated device;
- fig. 4 shows the structure of a generic message sent from the first to the second calculator or to the dedicated device;
- fig. 5 is the block diagram of a first sequence of steps performed on the second calculator or inside the dedicated device;
- fig. 6 is the block diagram of a second sequence of steps performed on the second calculator or inside the dedicated device;
- fig. 7 is a variant of fig. 1;
- fig. 8 is another variant of fig. 1.

DETAILED DESCRIPTION OF A PREFERENTIAL FORM OF EMBODIMENT
With reference to fig. 1a, the memorization method according to the present invention provides a first calculator 11 that generates the log files and a second calculator 12a. The latter is able to receive data from the first calculator 11 by means of a dedicated connection 16, which can be for example the so-called serial communication port RS-232, the USB (Universal Serial Bus), or otherwise.

The first calculator 11 can communicate with a plurality of other calculators by means of a network of calculators 13, such as for example a network with TCP/IP protocols based on Ethernet technology, Token Ring, Wireless LAN (WiFi) or suchlike, indicated in fig. 1 by the generic term "Internet".

The second calculator 12a has no connection to the above-mentioned network of calculators 13, and communicates with the first calculator 11 by means of the dedicated connection 16 in a substantially exclusive manner, through a reserved communication protocol. The dedicated connection 16 is a unidirectional channel by means of which the first calculator 11 can transmit data to the second calculator 12a, but not vice versa. Thanks to this technical solution, an unauthorized person or a virus can penetrate into the first calculator 11, but is unable to penetrate into the second calculator 12a.

According to a preferential embodiment of the present invention, the first calculator 11 performs a sequence of steps, called the transmitting sequence, to intercept the log files generated by the first calculator 11 and to send them to the second calculator 12a. The latter in turn performs another sequence of steps, called the receiving sequence, mating with the first sequence, in order to receive said log files and to store them.

Said sequences of steps can be implemented on any calculator using any known operating system. To be more exact, trials have also been made using the Linux operating system, respecting all the criteria established by the POSIX standard (Portable Standard for Unix).

With reference to fig. 2, the transmitting sequence uses information with a configuration that can be defined a priori, for example to open the communication port used 20, or to identify the log files 21 to be memorized securely.

According to one embodiment of the invention, the transmitting sequence performs as many other sequences of steps, called daughter sequences, as there are log files 21 to be transmitted to the second calculator 12a. In turn, each daughter sequence activates a step 22 to intercept the writing operations on the log file 21 pertinent thereto. As is known, these writing operations are performed by the operating system of the first calculator 11.

The data arriving from the different log files 21 are inserted in a memory register 23, substantially of the FIFO type (First In First Out), also called in English a "pipe". Subsequently, since the data of all the log files are sent by the first calculator 11 to the second calculator 12a through the same connection 16, the step 24 labels them. In this way the receiving sequence is able to associate each message received with the corresponding log file 21.

The labelling step 24 of every message 26 (fig. 4) occurs according to the structure indicated hereafter. At the beginning of the message 26 a 3-byte heading is affixed: the first byte 27 contains the STX (start of text) character, coded according to the known ASCII code (American Standard Code for Information Interchange). The second byte 28 contains the information relating to the number of the log file 21 from which the data come, and in the third byte 29
the length of the whole message 26 is inserted. At the end of the message a last byte 31 is affixed, in which the ASCII ETX code (end of text) is inserted, in order to indicate the end of the message 26. The body 30 of the message 26 contains the data arriving from the log file 21 to which the message 26 itself refers.

Generally, given that the majority of the log files 21 are in a purely textual form, each message 26 is delimited by the characters STX and ETX, which are special characters for text transmissions. So that no character of the heading has the same code as STX or ETX, the second byte 28 contains the number of the log file 21 from which the message arrives, increased by a number corresponding to the ASCII code for ETX, that is, the number 4 in the hexadecimal numerical base. To the same end, the third byte 29 indicates the length of the whole message 26, therefore including the 4 bytes of the label. Thanks to the information contained in the third byte 29, the receiving sequence is limited to controlling the presence of ETX in the last byte 31, avoiding the need to examine every individual byte in order to find the end of the message 26.

According to a variant of the present invention, the above procedure makes it possible to transmit not only text messages but also binary messages, since the body 30 of the message 26 is not analysed by the receiving sequence, as will be clarified in the following description.

The receiving sequence comprises a first and a second sequence of steps. The first (fig. 5) provides a cycle of steps that deals with the reception (steps 35, 36, 38 and 39) of the data corresponding to one or more messages 26 transmitted by the first calculator 11. The first sequence also provides a step 37 to memorize the above data in a FIFO register. The second sequence of steps deals with the reconstruction of the messages 26 starting from the data memorized in said FIFO register during the first sequence. With reference to fig. 6, steps 40 to 44 recompose the label (27, 28 and 29 in fig. 4) of one of the messages 26 received, and steps 51 to 53 and 55 deal with the reconstruction of the body 30 of the same message 26. Step 58 addresses the message 26 to the respective log file 21 for which it is intended.

The second sequence of steps also performs a check on the correctness of the information received in every message 26, such as for example the heading (steps 45 to 47) and the end of the message 26 (steps 53 to 57).

The transmitting sequence, if errors or malfunctions are detected, transmits to the second calculator 12a a message 25 of fig. 3. Consequently, the receiving sequence receives the message 25, identifying it by means of step 48 of fig. 6 and activating an alarm (step 49).

It is clear that modifications and/or additions of parts may be made to the method for storing electronic documents in a non-modifiable manner as described heretofore, without departing from the field and scope of the present invention. A variant may provide for implementing a procedure to correct the errors, for example at the level of the physical connection.

According to a variant of the invention, the dedicated connection 16, apart from the already mentioned serial communication port RS-232 or the Universal Serial Bus (USB), can be made by means of any unidirectional data transmission device, via cable or via radio, for example according to the Bluetooth® communication standard.
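The following Python program is an added worked example of the labelling step 24 and of the receiving sequence (steps 35 to 58) described above; it is not code from the patent or its applicant. The byte layout (STX, file number increased by 4, total length including the 4 label bytes, body, ETX), the decision to inspect only the byte at the announced length rather than every body byte, and the heading and end-of-message checks are taken from the description. The FIFO register is modelled with a deque, the per-log-file stores as byte arrays, the splitting of long log writes into several messages and all sample data are assumptions of this example, and the standard ASCII codes 0x02 and 0x03 are used for STX and ETX.

```python
"""Framing and reconstruction of log messages over the unidirectional channel.

Added illustration, not the patent's own code. Layout per the description:
  byte 27: STX | byte 28: log-file number + OFFSET | byte 29: total length
  body 30: raw log data (never inspected) | byte 31: ETX
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import islice
from typing import Dict, List

STX = 0x02                  # ASCII start of text (byte 27)
ETX = 0x03                  # ASCII end of text (byte 31)
OFFSET = 0x04               # value given in the description; keeps byte 28 distinct from STX/ETX
LABEL_LEN = 4               # 3-byte heading plus trailing ETX, counted in byte 29
MAX_BODY = 255 - LABEL_LEN  # byte 29 is a single byte, so one body is bounded (assumed limit)


def label_message(file_number: int, body: bytes) -> bytes:
    """Step 24: affix heading and trailer to one chunk of data from one log file."""
    if not 0 <= file_number <= 255 - OFFSET:
        raise ValueError("file number does not fit in one byte after the offset")
    if len(body) > MAX_BODY:
        raise ValueError("body too long for a one-byte length field")
    return bytes([STX, file_number + OFFSET, LABEL_LEN + len(body)]) + body + bytes([ETX])


def frame_log_data(file_number: int, data: bytes) -> bytes:
    """Transmitting side (assumed detail): split an intercepted write into fitting messages."""
    chunks = [data[i:i + MAX_BODY] for i in range(0, len(data), MAX_BODY)] or [b""]
    return b"".join(label_message(file_number, c) for c in chunks)


@dataclass
class Receiver:
    """Receiving sequence on the second calculator.

    receive() models the first sequence (raw bytes into a FIFO register, step 37);
    reconstruct() models the second sequence (label, body, heading and ETX checks).
    """
    fifo: deque = field(default_factory=deque)
    stores: Dict[int, bytearray] = field(default_factory=dict)  # one store per log file 21
    alarms: List[str] = field(default_factory=list)             # failed heading/ETX checks

    def receive(self, chunk: bytes) -> None:
        self.fifo.extend(chunk)

    def reconstruct(self) -> int:
        """Recompose every complete message in the FIFO; return how many were stored."""
        stored = 0
        while True:
            # Heading check (steps 45-47): a message must start with STX.
            while self.fifo and self.fifo[0] != STX:
                self.fifo.popleft()
                self.alarms.append("byte discarded while seeking STX")
            if len(self.fifo) < 3:
                return stored                      # heading not yet complete
            total = self.fifo[2]
            if total < LABEL_LEN:
                self.alarms.append("length byte smaller than the label itself")
                self.fifo.popleft()                # drop this STX and resynchronize
                continue
            if len(self.fifo) < total:
                return stored                      # body not yet complete
            frame = bytes(islice(self.fifo, total))
            # End-of-message check (steps 53-57): only the byte at the announced length
            # is examined, so the body may carry any values, STX and ETX included.
            if frame[-1] != ETX:
                self.alarms.append("ETX not found at the announced end of message")
                self.fifo.popleft()
                continue
            for _ in range(total):
                self.fifo.popleft()
            file_number = frame[1] - OFFSET
            # Step 58: route the body to the store of the log file it belongs to.
            self.stores.setdefault(file_number, bytearray()).extend(frame[3:-1])
            stored += 1


if __name__ == "__main__":
    # Constructed sample: a text log and a binary log, delivered in arbitrary 7-byte chunks.
    stream = frame_log_data(2, b"connection attempt from 10.0.0.5 refused\n")
    stream += frame_log_data(0, bytes([STX, ETX, 0xFF]))
    rx = Receiver()
    for i in range(0, len(stream), 7):
        rx.receive(stream[i:i + 7])
        rx.reconstruct()
    print({k: bytes(v) for k, v in rx.stores.items()}, rx.alarms)
```

Because the receiver trusts the length byte and never inspects the body, a corrupted length byte misframes the stream until a byte equal to STX happens to be found, and each discarded byte is recorded in `alarms`; this is why the variant mentioned in the description, error correction at the level of the physical connection, matters for this framing.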
It is also provided to use a connection by means of a network according to the known TCP/IP protocol, used in unidirectional transmission mode.

According to the variant shown in fig. 7, the second calculator 12a is connected to a plurality of dedicated electronic calculators, such as generic servers 60, proxy servers 61, application servers 62, file servers 63, database servers 64 and firewalls 65. The connection between the plurality of dedicated electronic calculators 60-65 and the second calculator 12a is achieved by means of a corresponding plurality of unidirectional communication channels 16, which in the case shown here are via radio, according to the Bluetooth® communication protocol. In this way a single device, the second calculator 12a, is sufficient for the secure storage of the log files generated by the plurality of calculators 60-65.

According to the variant shown in fig. 8, the second electronic calculator 12a is connected to two server farms 68 and 69, physically independent from each other, by means of a network of calculators 17 according to the TCP/IP communication protocol in unidirectional mode. In this case too, the second calculator 12a receives and securely memorizes the log files generated by the two server farms 68 and 69.

It is also clear that, although the present invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of method for storing electronic documents in a non-modifiable manner, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.