The present invention relates to a method and apparatus for controlling access to and corruption of information in a computer system.
PCT/GB91/00261 (WO91/13403) now U.S. Pat. No. 6,092,161 also by the present inventors (the disclosure of which is incorporated herein by reference) discloses a method and apparatus particularly concerned with the detection and containment of hostile programs such as "virus" programs within computer systems. In this document there is disclosed a method of (and related apparatus for) controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:
dividing information stored on the storage medium into a plurality of non-overlapping partitions, including a boot partition and a plurality of general partitions, each of the partitions being further divided into a plurality of sectors, any designated subset of the general partitions being active at any given time when the computer system is in use, characterised by
providing supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user for controlling the performance of read, write and format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and type and status of the partition within which the sector is located,
the supervising means causing a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation, said reset causing memory to be cleared and the operating system to be loaded.
In the invention disclosed in PCT/GB91/00261 the boot partition becomes "Read Only" when the system is in Supervised Mode. This prevents attack by a virus, whilst allowing execution of DOS utilities and programs providing they are not self-modifying.
Since the conception of virus isolation according to PCT/GB91/00261 there have been changes and improvements to PC operating systems. These present certain limitations to the scope of the virus isolator invention. For example:
(1) Microsoft Windows, although not strictly self-modifying, does require that certain files located within the Windows directory can be written to.
(2) A system administrator may install an executable in the boot partition without knowing it is self-modifying. If such an executable is installed in the boot partition and self-modification of this program is attempted when the system is in Supervised Mode, the Supervisor will block the write attempt and freeze the system.
(3) Microsoft Windows virtual memory manager may require write access to either or both the Windows directory and the root directory of the boot partition.
(4) Network software may require access to the boot partition.
(5) In general, with a complex operating system, making the boot partition "Read Only" is restrictive and may cause incompatibility and high administration overhead.
It is an object of the present invention to obviate or mitigate the aforementioned problems.
According to a first aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:
dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by
designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information the updated information is written on the storage medium in a location other than where the/any resident information is stored and a (virtual) pointer to the updated information is set up/kept so that the updated information can be accessed, as required during a remainder of a session.
A system reset causes the updated information, together with the list of pointers to this information, to be cleared. This returns the WMR partition to its original state as configured in Unsupervised Mode.
Providing such a WMR partition is virus-free to start with it will be virus-free at the start of each new session.
Preferably a boot partition on the storage medium would be WMR protected. A general partition could also be WMR protected should a user require it.
The basis of the method according to the first aspect of the present invention to achieve this is to set up a scheme in which the original information stored in the WMR partition is kept unaltered and the data which would normally overwrite it is stored securely elsewhere on the storage medium where it can be accessed as required during the remainder of a session. The scheme defines how this is done efficiently in terms of minimal additional storage space and minimal reduction in throughput time while at the same time providing maximum security.
Preferably according to the method of the first aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,
said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition, and whether the partition is active or inactive,
said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,
and causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation.
Preferably, space is reserved on the storage medium which may be accessed only by the Supervisor, referred to as the dedicated area 2. The dedicated area may be a special partition, a range of sectors within the WMR partition, or unallocated sectors within a dormant partition.
Each WMR partition has a Sector Relocation Table (SRT) associated with it which table is held in Supervisor RAM, each entry in a SRT defining the address of a range of sectors in the WMR partition that have been updated and the address where the updated information is located, this location being within the dedicated area.
According to a second aspect of the present invention there is provided an apparatus for controlling access to and modification of information stored on a storage medium of a computer system, the storage medium being divided into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised in that
at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (ie, update) any information stored in the WMR partition the updated information is stored elsewhere on the storage medium and a pointer to this information kept so the information can be accessed as required during the remainder of the session, wherein a system reset causes the updated information, together with the list of pointers to this information, to be cleared, thus returning the WMR partition to its original state as configured in Unsupervised Mode.
Preferably the apparatus further comprises a supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system and made inaccessible to the user,
said supervising means allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition and, if the partition is a general partition, whether the partition is active or inactive,
said supervising means also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,
the supervising means causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation, said operation being prevented by the Supervisor.
According to a third aspect of the present invention there is provided a method of controlling access to and modification of information stored on a storage medium forming part of a computer system comprising:
dividing information stored on the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised by
designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required, for example upon a system reset.
It is apparent that according to the third aspect of the present invention a previously "Read Only" partition, such as the boot partition, is permitted to be written to without limit during a session. At the start of a new session, however, all changes to the partition are undone and the partition is restored to its original state. This partition may, therefore, be called a Write Many Recoverable (WMR) partition. Provided such a partition is virus-free to start with it will be virus-free at the start of each new session.
The basis of the method of the third aspect of the present invention to achieve this is to set up a scheme in which a copy of any "cluster" in the WMR partition that is to be over-written is stored securely elsewhere on the storage medium and can be copied back when required. The scheme defines how this is done efficiently in terms of minimal additional storage space and minimal reduction in throughput time while at the same time providing maximum security.
Preferably according to the method of the third aspect of the present invention there is also provided supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write and format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and type and status of the partition within which the sector is located,
the supervising means causing a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation, said reset causing memory to be cleared and the operating system to be loaded.
Preferably, the storage medium provides a special partition (Virus Isolation Space), each WMR partition having a File Allocation Table (FAT) allocated to it which table is held in said special partition, each entry in a FAT defining the address of a cluster that has been altered in the WMR partition and the address of the copy of the information originally held in said cluster.
The information originally held in said cluster may be copied to the special partition.
Alternatively, the information originally held in said cluster may be copied to an inactive partition.
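The two WMR schemes set out above (the relocation scheme of the first aspect, with its Sector Relocation Table, and the copy-before-write scheme of the third aspect, with its per-partition table of saved clusters), as an added toy model in Python that is not part of the patent. The three-sector partition image and the sector contents are constructed; entries are kept per sector, where the described SRT records ranges of sectors.

```python
class RedirectWmr:
    """First aspect: the partition image is never altered during a session; updated
    sectors go to a Supervisor-only dedicated area and the Sector Relocation Table
    (SRT, held in Supervisor RAM) points at them. Entries are per sector here, where
    the scheme described records ranges."""
    def __init__(self, sectors):
        self.partition = list(sectors)   # pristine image, untouched all session
        self.dedicated = []              # dedicated area, accessible only to the Supervisor
        self.srt = {}                    # lba -> slot in the dedicated area
    def write(self, lba, data):
        if lba in self.srt:                          # already relocated: refresh the slot
            self.dedicated[self.srt[lba]] = data
        else:                                        # first update: allocate slot, record pointer
            self.srt[lba] = len(self.dedicated)
            self.dedicated.append(data)
    def read(self, lba):
        # Relocated sectors are served from the dedicated area, all others from the image.
        return self.dedicated[self.srt[lba]] if lba in self.srt else self.partition[lba]
    def reset(self):
        self.srt.clear()                 # dropping the pointers recovers the original state
        self.dedicated.clear()

class UndoLogWmr:
    """Third aspect: writes land in the partition, but the original cluster is saved
    first (once) in the Virus Isolation Space and copied back at reset."""
    def __init__(self, sectors):
        self.partition = list(sectors)
        self.saved = {}                  # cluster -> original contents (the per-WMR table)
    def write(self, lba, data):
        self.saved.setdefault(lba, self.partition[lba])  # only the first overwrite is saved
        self.partition[lba] = data
    def read(self, lba):
        return self.partition[lba]
    def reset(self):
        for lba, original in self.saved.items():      # copy every altered cluster back
            self.partition[lba] = original
        self.saved.clear()

def session_demo(cls):
    """One session on either scheme: boot sector 0 is overwritten twice, then reset.
    Returns (contents seen during the session, contents after reset, untouched sector 1)."""
    wmr = cls([b"BOOT", b"IO", b"CMD"])   # constructed three-sector WMR partition
    wmr.write(0, b"MOD1")
    wmr.write(0, b"MOD2")
    during = wmr.read(0)
    wmr.reset()
    return during, wmr.read(0), wmr.read(1)
```

Both schemes give the same view within the session and the same recovered image after reset; they differ in what is written where, which is the storage-space and throughput trade-off the text refers to.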
According to a fourth aspect of the present invention there is provided an apparatus for controlling access to and modification of information stored on a storage medium of a computer system, the storage medium being divided into a plurality of non-overlapping partitions including a boot partition and at least one general partition, characterised in that
at least one of said partitions comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required, for example upon a system reset.
Preferably the apparatus further comprises a supervising means (a Supervisor) separate of a central processing unit (CPU) of the computer system for controlling the performance of read, write or format operations upon the information stored on the storage medium so as to allow, restrict or prevent such operations depending upon the type of information stored within a sector and the type and status of the partition within which the sector is located wherein, in use, the supervising means causes a reset to be required of the computer system should an attempt be made to perform a prohibited read, write or format operation.
According to any of the foregoing method aspects of the present invention read operations may be allowed on any information in the boot partition, but an attempt to write or format the boot partition may cause a system reset.
Further, boot sectors of the storage medium may be considered to be part of the boot partition, irrespective of the position of the starting sector of the boot partition as may be defined by the storage medium operating system.
Also, reading of any operating system information sectors or user-generated information sectors in an active general partition may be allowed, writing to such user-generated information sectors may be allowed, and writing to such operating system information sectors may be restricted such that an attempt to modify the size or boundaries of the partition causes a system reset.
Only the reading of information from operating system sectors of inactive general partitions may be allowed, and an attempt to perform any other read, write or format operation on such partitions may either be denied or cause a system reset.
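The Supervisor's read/write/format rules from the preceding paragraphs, as an added Python decision model that is not from the patent. The partition layout and sector numbers are constructed, and where the text leaves a choice (deny or reset for a non-permitted operation on an inactive general partition) the model picks deny; that choice is an assumption.

```python
from dataclasses import dataclass
from enum import Enum

class Op(Enum):
    READ = "read"
    WRITE = "write"
    FORMAT = "format"

class Outcome(Enum):
    ALLOW = "allow"
    DENY = "deny"
    RESET = "reset"   # Supervisor forces a reset: memory cleared, OS reloaded

@dataclass
class Partition:
    name: str
    first: int      # first sector (inclusive)
    last: int       # last sector (inclusive)
    boot: bool      # boot partition (True) or general partition (False)
    active: bool    # active/inactive status of a general partition

# Constructed layout: boot sectors 0-62 lie before the boot partition, which starts at 63.
LAYOUT = [
    Partition("C", 63, 9999, boot=True, active=True),
    Partition("D", 10000, 19999, boot=False, active=True),
    Partition("E", 20000, 29999, boot=False, active=False),
]

def locate(lba):
    """Map a sector address to its partition; sectors before the first partition are
    the boot sectors and are treated as part of the boot partition."""
    for p in LAYOUT:
        if p.first <= lba <= p.last:
            return p
    boot = next(p for p in LAYOUT if p.boot)
    if lba < boot.first:
        return boot
    raise ValueError(f"sector {lba} lies outside every partition")

def supervise(op, lba, os_sector=False, alters_boundaries=False):
    """Decide one read/write/format request the way the text describes."""
    p = locate(lba)
    if p.boot:                       # boot partition: read freely, never write or format
        return Outcome.ALLOW if op is Op.READ else Outcome.RESET
    if not p.active:                 # inactive general: only OS-sector reads
        # The text allows either deny or reset for everything else; deny is modelled here.
        return Outcome.ALLOW if (op is Op.READ and os_sector) else Outcome.DENY
    if op is Op.WRITE and os_sector and alters_boundaries:
        return Outcome.RESET         # OS-sector write that resizes/moves the partition
    return Outcome.ALLOW             # reads, user writes, other OS writes, format of active general
```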
The restriction or prevention of the performance of read, write and format operations can be removed to allow set-up or maintenance of the storage medium and thereafter reinstated.
The storage medium may be selected from any one of a hard disk, a floppy disk, an optical disk or a tape.
Alternatively, the storage medium may be a fileserver and the computer system a local area network, in which case which user computer is using which partition of the fileserver may be determined, such that an attempt by a user computer to perform a prohibited operation causes a reset to be required of the user computer.
According to any of the foregoing apparatus aspects of the present invention the apparatus may provide hardware means adapted to be incorporated into the computer system.
Alternatively, the apparatus may provide firmware means adapted to be incorporated into the computer system.
Alternatively, the apparatus may provide a combination of both hardware and firmware means, both being adapted to be incorporated into the computer system.
There may be provided a processor which may be made inaccessible to a user and to any virus and which supervises all data transfers between and within sub-divisions of the storage medium or storage media placed under its control.