METHOD AND SYSTEM FOR PREVENTING UNWANTED ALTERATIONS OF DATA AND PROGRAMS STORED IN A COMPUTER SYSTEM
Field of the Invention
The present invention relates generally to computer systems, and more specifically to a method and system for preventing the unwanted alteration of data and programs stored in a computer system.
Background of the Invention
It is well known that computer viruses pose a serious threat to the secure storage of computer data. The term computer virus generally relates to any software code which has been designed to enter a computer and perform an undesired function. Once this code has entered a computer, that computer is said to have been "infected" by the virus.
Computers are most often infected by viruses as a result of introducing software code which has virus code buried within it. This software is typically introduced via an input device such as a disk drive, or via a communication network such as the Internet. Once the software code containing the virus is executed, the virus is activated.
Upon being activated, a virus can perform a wide variety of functions. These range from relatively harmless ones, such as posting an unwanted message on one's monitor or adding words to an existing document, to very serious ones, such as occupying all available memory or destroying data and programs stored on the computer or on its hard drive.
Various attempts have been made to limit and prevent the damage caused by computer viruses. The most common method of detecting and removing viruses is via anti-virus software packages. These anti-virus programs, known as virus scanners, detect viruses by searching for the binary signatures (patterns of code) of known viruses. Upon detection of a virus the user is notified and the virus is removed. One limitation of virus scanning software is that the protection offered is reactive: a virus can only be detected once its binary signature is known and has been added to the virus-scanning database. Thus, users are offered no protection against newly created viruses.
A need exists, therefore, for an improved system for preventing the unwanted alteration of computer data and programs.
EXPLANATION OF TERMS:
DHW: Downloadable hardware. The design file that describes the hardware attributes.
DSP: Secure downloadable platform. The hardware where the DHW is loaded.
PKS : A password key system which consists of one or more of the following methods of limiting access to the DSP and/or the storage device protected by the DSP: a series of reads or writes to a series of locations in the storage device; the timing of these writes; challenge/response where the writes depend on the values read. It also includes using any one or more of the following methods: sharing secret knowledge; probabilistic challenges; multi-level passwords; and a one time pad. A feature of this method is that there are many pieces of secret information required to access a storage device.
PASS CODE: The string that the user sends to the application program, e.g. a password; the PKS, by contrast, is the method that describes the interaction between the application program and the DSP.
ONE TIME PAD: A sequence of secret numbers which the anti-virus application program uses to identify itself to the DSP.
RANGE: A sequence of blocks for which a particular access applies.
ACCESS: The kinds of action that can occur to the blocks specified in a range; these actions may be one or more of the following: write the block; read the block; translate the read or write from one block to another; cause an interrupt.
CONTROL SECTION: One or more blocks through which instructions are passed from the CPU to the DSP.
Summary of the Invention
It is therefore an object of the invention to provide a method and system which obviates or mitigates at least one of the disadvantages described above.
One aspect of the invention is described as a method for preventing unwanted alterations of data and programs stored in a computer system, comprising the steps of: obtaining a pass code; implementing a profile to prescribe the treatment of at least one command signal in response to the PKS obtained; monitoring data transferred between a CPU and a storage device for a command signal; and responding to the at least one command signal based on the implemented profile.
Another aspect of the invention is defined as a system for preventing unwanted alterations of data and programs stored in a computer system, comprising: a central processing unit (CPU); a secure platform circuit (DSP); and a storage device; the DSP being operable to: obtain a pass code; implement a profile to prescribe the treatment of at least one command signal in response to the pass code obtained; monitor data transferred between the CPU and the storage device for a command signal; and respond to the at least one command signal based on the implemented profile.
Another aspect of the invention is defined as a secure computer platform for down-loadable hardware (DHW) comprising the steps of: monitoring for the reception of a DHW file; determining, in response to receiving the DHW file, whether the DHW file is permitted to be installed; and installing the DHW file in response to determining that the DHW file is permitted to be installed.
Another aspect of the invention is defined as a system for providing a secure computer platform for down-loadable hardware comprising: a central processing unit (CPU); a secure platform circuit (DSP); the CPU being operable to: monitor for the reception of a DHW file; determine whether the DHW file is permitted to be installed in response to receiving the DHW file; the DSP being operable to: install the DHW file in response to determining that the DHW file is permitted to be installed.
The following features, methods and advantages are facilitated by the present invention:
Prevention of write and/or read to certain blocks of the device or system;
Control of access to storage devices by means of passwords;
Detection that the device or system has been "hacked";
Definition of user profiles to permit different levels of access to the device (e.g. disk) or system;
Use of passwords to: (a) select profiles; (b) permit a series of "writes" to a series of locations in the storage device; (c) control the timing of the "writes"; (d) issue write challenges;
Providing passwords embedded in random sequences of bytes and check-summing the password;
Password challenges partially driven by the system and partially by the user;
Providing the concept of, and enabling, downloadable hardware;
Serialization of product within the downloadable hardware with an encrypted password in order to change configuration;
Providing "one time pad" password security;
Making data invisible by prohibiting block reads to certain areas;
Making data invisible by returning data from a different block than the one targeted; and
Interrupting computer system where access violation is detected.
Brief Description of the Drawings
These and other features of the invention will become more apparent from the following description in which reference is made to the appended drawings in which:
Figure 1 is a block diagram of a computer system as known in the prior art;
Figure 2 is a block diagram of a system for preventing unwanted alterations of data stored in a computer system in an embodiment of the invention;
Figure 3 is a flow chart of a method for preventing unwanted alterations of data stored in a computer system in an embodiment of the invention;
Figure 4 is a flow chart of a method for updating information stored in the protected area of a hard disk in a preferred embodiment of the invention;
Figure 5 is a flow chart of a method for providing a secure computer platform for downloadable hardware in an embodiment of the invention;
Figure 6 is a flow chart of a method for providing a secure computer platform for downloadable hardware in a preferred embodiment of the invention.
Detailed Description of the Invention
The present invention is directed to a method and system for preventing the unwanted alteration of data and programs stored in a computer system which substantially obviates one or more of the problems due to limitations and disadvantages of the related art.
The reason viruses can perform these unwanted functions is best understood with reference to Figure 1. That figure shows a computer system 100 as is well known in the prior art. In particular, Figure 1 shows various input 102, output 104, network communication 106 and storage 108 devices physically linked to a central processing unit (CPU) 110. The CPU 110 performs the various functions of the computer system as specified by various software applications. These functions include directing the operation of the various devices connected to the CPU. A virus, like any other software application, is merely a list of instructions which can be carried out by the CPU. Thus, if these instructions include deleting data stored on the computer's hard disk (a storage device), that function will be performed. This is because the instructions provided by a virus are indistinguishable, to the CPU, from those provided by legitimate software applications. If the CPU is unable to detect the existence of a virus, there is nothing to prevent the virus's instructions from being carried out.
A block diagram of an embodiment of the present system is shown in Figure 2. The system 200 includes a central processing unit (CPU) 202, a downloadable secure platform (DSP) 204 and a storage device 206. The DSP 204 includes circuitry capable of carrying out the method steps of the present invention. Said circuitry includes flash memory 208 and a field programmable gate array (FPGA) 210. An FPGA is a programmable logic chip which includes numerous arrays of logic block functions and logic gates. The FPGA is programmable to perform a variety of complex functions by modifying the manner in which said gates are interconnected. As will be apparent to one skilled in the art, the flash memory 208 is utilized to store the information necessary for programming the FPGA. Upon powering of the DSP, the flash memory 208 loads the FPGA 210 with the appropriate circuit design for implementing the methodology of the application, including the invention. In a preferred embodiment of the invention the storage device 206 included in the system is a hard disk drive. The present invention, however, is not limited to employing a hard disk drive and could include any means for storing data, including: PDAs (personal digital assistants); cell phones; biological storage; floppy disks, CD-ROMs or zip disks, to name a few.
The present invention, however, is not limited to an FPGA and could also be implemented using an ASIC, with some loss of capability.
A methodology for preventing unwanted alterations of data and programs stored in a computer system, in an embodiment of the invention, is shown in Figure 3. The methodology initiates at step 300 wherein a pass code is obtained from any of a variety of possible sources. For example, the pass code could be obtained by prompting an end user for a pass code via a software system installed on said end user's computer. The user may then command an application program to transmit a PKS to the DSP. The DSP accepts only PKSs, not user pass codes; a PKS can be very complex. Similarly, a PKS could be obtained remotely from an end user, or from an additional computer linked to the CPU via a communication network.
The DSP can be configured to allow access to some parts of the storage device without any PKS; therefore no PKS need be received by the DSP unless a change of profile, or some other change, is desired. A PKS is a sequence of bits which is sent to the DSP at step 302 by transferring a sequence of bytes (groups of binary data) from the CPU to the storage device. As explained below, the PKS is used to identify the command signals which the CPU may send to the storage device. This list of permitted command signals is known as a profile. The CPU does not have to be aware that a DSP is present: it accesses the storage device transparently as long as no access is made to a prohibited area.
Upon receiving a pass code, the DSP implements a profile to prescribe the treatment of the command signals which can be passed to the storage device, based on the PKS forwarded from the CPU (step 304). This is achieved by enabling the FPGA with the profile implementation associated with the PKS obtained. The implementations associated with the various PKS codes are stored within the flash memory of the DSP or in the storage device.
The methodology continues at step 306 wherein the DSP monitors data being transferred between the CPU 202 and the storage device 206 for a command signal. A command signal can include any write or read signal directed to the storage device; write and read signals are directions to save data to, or retrieve data from, the storage device, respectively.
Upon detecting the transfer of a command signal, the methodology continues at step 308 wherein the DSP responds to the command signal based on the profile implemented within the DSP. In the event that the implemented profile allows the command to be effected, the DSP responds by allowing the command signal to be passed to the storage device; that is to say, the DSP becomes transparent. If, on the other hand, the implemented profile does not allow the desired command to be effected, the DSP can respond in a number of ways. First, the DSP can simply prevent the transfer of the command signal to the storage device. Additionally, the DSP can cause an interrupt to be sent back to the CPU to notify the end user, or other computers attached via a communication network, that the desired command is restricted. Alternatively, in the event of a write signal, the DSP could either deny access to the area or translate the address range to which the write signal is directed to an unprotected area of the storage device. In the event of a read signal, the DSP could translate the address range to which the read signal is directed to an unprotected area of the storage device, or could deny it and cause an interrupt.
This methodology can protect against the unwanted alteration of computer data and programs, particularly as the result of computer viruses, in the following ways. First, as mentioned previously, the PKS serves the function of selecting a profile which determines the command signals a particular CPU will be allowed to send to its corresponding storage device. Thus, one can prevent the unwanted alteration of data stored in a computer system by limiting the command signals which are forwarded to the computer's storage device. For example, by merely identifying a range of protected addresses and restricting write signals to these addresses, one can protect against the unwanted alteration of the data stored therein. This is because, as mentioned previously, a virus program operates by initiating a number of unwanted commands to a computer's storage device. If, therefore, the CPU's ability to initiate these commands is restricted, the command signals within a virus will be similarly restricted.
Taking this methodology one step further, the PKS concept could also be utilized to minimize any damage caused by a virus where multiple persons or computers share a single storage device. This could be achieved by providing the various users of a particular computer, or the various computers on a network, with distinct pass codes, which imply distinct PKSs for the DSP. The different pass codes could then be used to restrict each user's or computer's access to particular commands and areas of the storage device. The access any particular user has to the storage device would be stored within that user's or computer's profile. Each user may have many profiles and many PKSs, which are managed by an application program. For example, the range of addresses to which each end user or computer may write can be limited.
Additional levels of protection could also be achieved in the system by varying the means by which a pass code is obtained. For example, each attempt to enter a pass code or PKS could be monitored, and the number of pass code or PKS attempts could be limited to a prescribed value. Thus, snooping viruses, which attempt to bypass security systems by trying all permutations of a particular code, could be guarded against. As an additional level of security, the length of the pass code could be increased, or the complexity of the PKS increased, in the event a snooping virus is detected. This would increase the number of permutations and add a further level of protection against said snooping viruses. Similarly, snooping viruses could be prevented by requiring the pass code to be entered within a particular time period; that is to say, one could incorporate a timer into the process of obtaining a pass code or PKS. Furthermore, a clock could be incorporated into the process of obtaining a pass code or PKS. Said clock would serve the purpose of limiting the validity of a pass code or PKS to certain time periods. For example, said clock could be used to limit the validity of a pass code or PKS to one particular time period (e.g. Jan 1, 2000) or to a recurring time period (e.g. working hours). Additionally, one could incorporate a secondary pass code. This secondary pass code would provide an end user, or a computer on a network, with the ability to modify the pass code necessary to access their particular profile. The secondary pass code feature would be beneficial in that a pass code or PKS could be modified in the event a failed pass code attempt is detected. Multiple passwords could also be used to enable the system. A challenge/response system is yet another alternative. A challenge/response system operating between the anti-virus application program and the DSP is one by which the program is challenged to return a value when given a number. The challenge/response cycle may be repeated a number of times for security. A "one time" pass code could also be utilized; that is to say, a different pass code is required each time the circuitry is accessed.
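The PKS hardening measures just described, gathered into one DSP-side gate, as an added example that is not the patent's own code: one-time-pad identification, repeated challenge/response, a validity clock, an attempt limit, and escalation of the challenge length and round count once snooping is suspected. The HMAC-SHA256 response function, the shared secret, the pad values and the working-hours window are all assumptions chosen for the illustration; the text fixes none of them.

```python
"""DSP-side PKS gate: one-time pad, challenge/response, clock, attempt limit, escalation.
Added example; the response function and every constant here are assumptions."""
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple


def app_response(secret: bytes, challenge: bytes) -> bytes:
    """Anti-virus application side: the value returned for a given challenge.
    A keyed hash is used here as an assumption; the text fixes no function."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class PKSGate:
    """One PKS lock in the DSP.  present() runs a complete exchange with the application."""

    def __init__(self, secret: bytes, pad: List[int], max_attempts: int = 3,
                 valid_hours: Tuple[int, int] = (8, 18)):
        self.secret = secret               # secret knowledge shared with the application
        self.pad = list(pad)               # ONE TIME PAD: each number is accepted exactly once
        self.max_attempts = max_attempts   # failed attempts tolerated before escalation
        self.valid_hours = valid_hours     # clock: the PKS is valid only in these hours
        self.rounds = 2                    # challenge/response cycles per unlock
        self.challenge_len = 8             # bytes per challenge; doubles on each lockout
        self.failures = 0
        self.lockouts = 0
        self.unlocked = False

    def _fail(self) -> bool:
        """Count a failed attempt; after max_attempts the current PKS is voided and a
        longer, more complex one takes its place (more bytes, more rounds)."""
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.lockouts += 1
            self.failures = 0
            self.challenge_len *= 2
            self.rounds += 1
        return False

    def present(self, pad_value: int, responder: Callable[[bytes], bytes], hour: int) -> bool:
        """Run one PKS exchange at wall-clock `hour`; `responder` is the application."""
        self.unlocked = False
        if not (self.valid_hours[0] <= hour < self.valid_hours[1]):
            return self._fail()                     # outside the validity window
        if not self.pad or pad_value != self.pad[0]:
            return self._fail()                     # wrong, replayed or exhausted pad entry
        self.pad.pop(0)                             # the pad entry is spent either way
        for _ in range(self.rounds):                # repeated challenge/response cycles
            challenge = secrets.token_bytes(self.challenge_len)
            if not hmac.compare_digest(responder(challenge), app_response(self.secret, challenge)):
                return self._fail()
        self.failures = 0
        self.unlocked = True
        return True


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    gate = PKSGate(SECRET, pad=[4711, 815, 42])
    print(gate.present(4711, lambda c: app_response(SECRET, c), hour=10))   # True
    print(gate.present(4711, lambda c: app_response(SECRET, c), hour=10))   # False: pad value replayed
```

Consuming the pad entry before the challenge rounds means a guessed-but-wrong response still burns that entry, so an attacker cannot retry the same identification indefinitely; the cost is that a legitimate application must also move on to its next pad value after any failure.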
As an additional feature, the circuitry could also be configured to "learn" the locations of the programs to protect. This is useful when the system is employed with an operating system which does not know the actual locations of data stored on the computer's storage device. This is achieved by writing a start-of-file marker and an end-of-file marker at the beginning and end of the data being protected. Thus the hardware can be made aware of the range of the files to protect.
Referring to Figure 4, a method is provided for updating the information stored within a protected area of the computer's storage device. The method initiates at step 400 wherein the FPGA is implemented with a profile (P1) which allows one to read part of the contents of the storage device. At step 402 the profile is then changed to one that allows writing to a temporary area within the storage device (P2). A new file (e.g. a new software application), which is intended to be stored on the storage device, is then written to the temporary area on the storage device 404. A copy of the existing data to be overwritten is then written to the temporary area as well 406. The FPGA is then implemented with the original profile (P1) to ensure that the data copied to the temporary area is correct 408. Once the copied files have been confirmed, the FPGA is implemented with a third profile (P3) which allows one to overwrite the files which have just been copied to the temporary area 410. The new files are then copied to the protected area previously occupied by the files to be overwritten 412. The FPGA is then programmed with the original profile (P1) to ensure the files have been properly updated 414. Finally, the methodology terminates with the FPGA being programmed with P2 so that the old files can be deleted if necessary 416.
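The filtering steps of Figure 3 (steps 300 to 308, described earlier) and the profile-switching update of Figure 4 (steps 400 to 416) simulated together in software, as an added example; this is not the patent's own code. The sixteen-block disk layout, the profile names USER, P1, P2 and P3, the rule table, the block contents and the names of the four responses are assumptions chosen for the illustration.

```python
"""Software model of the DSP block filter (Figure 3) and the Figure 4 update procedure.
Added example, not the patent's code: disk layout, profiles and contents are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# the four responses the DSP may give to a command signal
PASS, DENY, TRANSLATE, INTERRUPT = "pass", "deny", "translate", "interrupt"


@dataclass
class Rule:
    """A RANGE of blocks and the ACCESS applied to reads and writes inside it."""
    first: int
    last: int
    read: str = PASS
    write: str = PASS
    target: int = 0            # block substituted when the action is TRANSLATE


@dataclass
class Profile:
    name: str
    rules: List[Rule]
    default: str = PASS        # action for blocks no rule covers


class DSP:
    """Sits between CPU and storage device; every command signal goes through respond()."""

    def __init__(self, blocks: int, profiles: Dict[str, Profile], start: str):
        self.disk: List[bytes] = [b"\0" * 4] * blocks
        self.profiles = profiles
        self.profile = profiles[start]
        self.interrupts: List[Tuple[str, int]] = []   # (op, block) reported to the CPU

    def select_profile(self, pks: str) -> None:
        """Step 304: the PKS received selects the profile implemented in the FPGA."""
        self.profile = self.profiles[pks]

    def _action(self, op: str, block: int) -> Tuple[str, int]:
        for r in self.profile.rules:
            if r.first <= block <= r.last:
                act = r.read if op == "read" else r.write
                return act, (r.target if act == TRANSLATE else block)
        return self.profile.default, block

    def respond(self, op: str, block: int, data: bytes = b"") -> Optional[bytes]:
        """Steps 306/308: monitor the command and respond per the active profile.
        Returns the data read or written, or None when the command was not effected."""
        act, target = self._action(op, block)
        if act == INTERRUPT:                 # dropped, and the CPU is notified
            self.interrupts.append((op, block))
            return None
        if act == DENY:                      # silently dropped
            return None
        if op == "write":                    # PASS, or TRANSLATE to an unprotected block
            self.disk[target] = data
            return data
        return self.disk[target]


def build_dsp() -> DSP:
    """Sixteen-block disk: blocks 0-7 are the protected area, 8-15 the temporary area."""
    profiles = {
        # everyday profile: protected reads are translated to decoy block 15 (data made
        # invisible); protected writes are dropped and raise an interrupt
        "USER": Profile("USER", [Rule(0, 7, read=TRANSLATE, write=INTERRUPT, target=15),
                                 Rule(8, 15)]),
        "P1": Profile("P1", [Rule(0, 7, write=INTERRUPT), Rule(8, 15, write=DENY)]),
        "P2": Profile("P2", [Rule(0, 7, write=DENY), Rule(8, 15)]),
        "P3": Profile("P3", [Rule(0, 7), Rule(8, 15)]),
    }
    dsp = DSP(16, profiles, "USER")
    dsp.disk[3] = b"BOOT"      # constructed content of a protected block
    dsp.disk[15] = b"NULL"     # decoy block returned for translated reads
    return dsp


def virus_attempt(dsp: DSP) -> Tuple[Optional[bytes], Optional[bytes], int]:
    """A virus running under the USER profile tries to overwrite, then read, block 3."""
    dsp.select_profile("USER")
    written = dsp.respond("write", 3, b"EVIL")   # None: dropped, interrupt raised
    seen = dsp.respond("read", 3)                # decoy data, not the real block
    return written, seen, len(dsp.interrupts)


def update_protected(dsp: DSP, block: int, new: bytes, temp: int, backup: int) -> bool:
    """Figure 4, steps 400-416, driven by an authorised application program."""
    dsp.select_profile("P1")                     # 400: read-only view of the disk
    old = dsp.respond("read", block)
    if old is None:
        return False
    dsp.select_profile("P2")                     # 402: writes allowed only in the temporary area
    dsp.respond("write", temp, new)              # 404: stage the new file
    dsp.respond("write", backup, old)            # 406: stage a copy of the data to be replaced
    dsp.select_profile("P1")                     # 408: verify both staged copies
    if dsp.respond("read", temp) != new or dsp.respond("read", backup) != old:
        return False
    dsp.select_profile("P3")                     # 410: overwrite permitted for the staged file
    dsp.respond("write", block, dsp.respond("read", temp))   # 412: copy into the protected area
    dsp.select_profile("P1")                     # 414: confirm the update
    ok = dsp.respond("read", block) == new
    dsp.select_profile("P2")                     # 416: the old copy may now be deleted
    dsp.respond("write", backup, b"\0" * 4)
    return ok


if __name__ == "__main__":
    d = build_dsp()
    print(virus_attempt(d), d.disk[3])                                    # (None, b'NULL', 1) b'BOOT'
    print(update_protected(d, 3, b"NEW!", temp=8, backup=9), d.disk[3])   # True b'NEW!'
```

Note that at no point does any profile permit a write to the protected area except P3, and P3 is selected only after P1 has confirmed the staged copies; a program that cannot present the PKS for P3 can write only to the temporary area, whatever it does.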
Although in the preferred embodiment of the invention these actions take place in real time, the invention is not limited in this manner. Rather, the changing of profiles could be delayed relative to the writing of the files, so that a snooping virus could not detect that access to the protected area will soon follow. This prevents a snooping virus from writing to the storage device without being detected.
As an additional safeguard, the process of updating files could be performed by circuitry independent of the CPU. This would prevent any snooping program from ever writing to the protected area, since that area would only be unprotected while the DSP itself is performing a copy, and the CPU would be prevented from accessing the storage device while the DSP performs any copy. Thus the unwanted alteration of computer data, particularly of files which are meant to be permanent, could not result from a command of the CPU.
Referring now to Figure 5, a methodology for providing a secure platform for downloadable hardware (DHW) is shown in another embodiment of the present invention.
The methodology presented in Figure 5 initiates at step 500 wherein the CPU monitors the various input or network communication devices for the reception of a DHW file. Upon receiving a DHW file, the CPU then determines whether the DHW file is permitted to be installed in the DSP 502. In a preferred embodiment of the invention this determination is made by utilizing a series of keys and encryptions. An example of a key and encryption algorithm employed in a preferred embodiment of the invention is described in further detail below with respect to Figure 6. The methodology terminates at step 504, wherein the DHW file is installed in the DSP in response to determining that said DHW is permitted to be installed.
The benefit of this methodology is that it ensures that the only DHW files capable of being installed in one's DSP are those which are intended for that particular DSP. In the context of the present invention, i.e. providing virus protection, this methodology is beneficial in that it provides a secure means for updating the implementation stored in the DSP.
The PKS provides a method whereby incorrect access to a particular lock within a predetermined number of attempts and/or a predetermined time causes the current PKS to be voided and a new, longer identity string and a new, longer password to be assigned. This process is repeated as many times as desired. The probability of breaking the lock therefore gets worse with repeated trials, while at the same time the probability that the lock could be made un-openable goes down.
From time to time new implementations could be made available to end users. The new implementations could be provided by downloading said implementations via an input or communication network device. This methodology provides a secure platform for installing DHW as it prevents any unwanted DHW from being downloaded directly into the DSP by the CPU.
Each DSP will have its own unique key and serial number.
A flow chart outlining the steps of the key and encryption algorithm utilized in a preferred embodiment of the present invention is shown in Figure 6. The methodology initiates at step 600 wherein a completed DHW design is made into an electronic file (F1). A key (K1) is then attached to the electronic file (F1) to create a new electronic file (F2) 602. A key is a secret password comprising a series of characters which restricts an end user's access to an electronic file. The first key (K1) serves the purpose of ensuring that each (F2) is unique to the DSP it is targeted for. This prevents the wrong, or virus-contaminated, DHW from reaching the DSP. A second key (K2) is then utilized to encrypt the electronic file (F2) 604. As will be apparent to one skilled in the art of computer data encryption, the file could be encrypted using any number of encryption engines, and each DSP could have a different encryption engine. A third key (K3) is then employed by the DSP to allow the encrypted electronic file (F2) to be transferred, via the DSP, to a hard-disk protected configuration area (HDCA) 606. The HDCA is temporary storage within the storage device used to hold the DHW file while it is being authorized. This third key (K3) is merely a pass code, recognized by the DSP, which allows (F2) to be written to the HDCA. The encrypted electronic file is then decrypted using the second key (K2) 608; this key would have to be provided to the end user in order to decrypt the encrypted electronic file (F2). After the file (F2) is decrypted, the first key (K1) is extracted from the file, leaving only the original electronic file (F1) 610. The first key (K1) is then compared to a key stored with the particular DSP circuitry 612. If the key supplied with the electronic file (F1) matches that stored within the DSP circuitry, the file (F1) is installed in the DSP 614.
This occurs by the DSP retrieving the decrypted file (F1) from the HDCA and installing it into the flash memory 208. As mentioned previously, the flash memory then programs the FPGA with the new implementation specified in the electronic file (F1).
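The key and encryption flow of Figure 6 (steps 600 to 614) carried through in software, as an added example; this is not the patent's code, and the patent fixes no particular encryption engine. The engine used here (a SHA-256 keystream with an HMAC tag in encrypt-then-MAC form, both keys derived from K2) is an assumption, chosen so that a modified F2 is rejected before K1 is even compared; the key sizes, the serial number and the sample DHW bytes are constructed for the example.

```python
"""Figure 6 in software: build F2 = enc_K2(K1 || F1), gate the HDCA write with K3, then on
the DSP side decrypt, strip K1, compare it with the stored key and install.  Added example;
the encryption engine and every key value are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

K1_LEN = 16          # assumed size of the per-DSP key attached in step 602
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for any cipher engine)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _subkeys(k2: bytes):
    """Separate encryption and authentication keys derived from K2."""
    return (hmac.new(k2, b"enc", hashlib.sha256).digest(),
            hmac.new(k2, b"mac", hashlib.sha256).digest())


def encrypt(k2: bytes, plaintext: bytes) -> bytes:
    """Step 604: encrypt-then-MAC; output is nonce || ciphertext || tag."""
    ek, mk = _subkeys(k2)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(k2: bytes, blob: bytes) -> Optional[bytes]:
    """Step 608: verify the tag first; None means wrong K2 or a tampered F2."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ek, mk = _subkeys(k2)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(ek, nonce, len(body))))


def build_f2(f1: bytes, k1: bytes, k2: bytes) -> bytes:
    """Steps 600-604 on the publisher's side: attach K1 to F1 and encrypt with K2."""
    if len(k1) != K1_LEN:
        raise ValueError("K1 must be exactly K1_LEN bytes")
    return encrypt(k2, k1 + f1)


class SecurePlatform:
    """DSP side: K3 gates the HDCA write, K2 decrypts, K1 must match the stored key."""

    def __init__(self, serial: str, k1: bytes, k3: bytes):
        self.serial, self.k1, self.k3 = serial, k1, k3   # unique per DSP
        self.hdca: Optional[bytes] = None                # temporary area on the storage device
        self.flash: Optional[bytes] = None               # installed DHW (flash memory 208)

    def write_hdca(self, pass_code: bytes, blob: bytes) -> bool:
        """Step 606: only the K3 pass code lets the CPU place F2 in the HDCA."""
        if not hmac.compare_digest(pass_code, self.k3):
            return False
        self.hdca = blob
        return True

    def authorize_and_install(self, k2: bytes) -> bool:
        """Steps 608-614: decrypt, extract K1, compare with the stored key, install F1."""
        if self.hdca is None:
            return False
        f2, self.hdca = decrypt(k2, self.hdca), None
        if f2 is None or len(f2) < K1_LEN:
            return False                          # wrong K2 or tampered ciphertext
        k1, f1 = f2[:K1_LEN], f2[K1_LEN:]
        if not hmac.compare_digest(k1, self.k1):
            return False                          # DHW built for a different DSP
        self.flash = f1                           # flash then reprograms the FPGA with F1
        return True


if __name__ == "__main__":
    dsp = SecurePlatform("SN-0001", b"A" * K1_LEN, b"hdca-pass-code")
    blob = build_f2(b"fpga-bitstream-v2", b"A" * K1_LEN, b"distribution key")
    print(dsp.write_hdca(b"hdca-pass-code", blob), dsp.authorize_and_install(b"distribution key"))
```

Because the tag covers the whole of F2, a bit flipped in transit fails at step 608 rather than producing a corrupted F1 that happens to carry the right K1; with an unauthenticated engine the K1 comparison at step 612 would be the only check, and it says nothing about the integrity of F1.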
One should note that the key referred to in the preferred embodiment is not limited to a single password comprising a series of characters for enabling a user to access the electronic file. Said key could also consist of a series of transactions wherein individual bits (as opposed to bytes) are sent to the DSP from the CPU on a periodic basis.
In the preferred embodiment of the invention the above methodology is used for the purpose of updating DHW for virus protection. One can readily see, however, that said methodology could be easily adapted to provide a secure platform for downloading any DHW.
The preferred embodiment of the hardware of the invention is to build the DSP in the disk storage device circuit board or disk storage assembly.
It will be apparent to those skilled in the art that various modifications and variations can be made in the implementation of the present invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.