1. Field of the Invention
The present invention generally relates to methods and systems for securing computer systems. The present invention more particularly relates to methods and devices for securing information in a computer system wherein the computer system may be connected to a networked environment.
2. Description of the Related Art
With the advent and widespread deployment of the Internet, conventional computer security systems have been found to be deficient. A disadvantage of the Internet is that it permits many ways to infiltrate conventional computer system perimeter defense systems. Damaging virus programs, for example, can be injected through firewalls and into a computer system. This can compromise data and computer programs, and therefore derivative capabilities such as digital rights management.
This deficiency in computer system perimeter defenses creates the need to position security defense systems in the local computer system. A conventional example of such localized computer system security is virus detection software. Virus detection software, however, can be susceptible to many exploits including, but not limited to, “spoofing” or “wrappering” strategies. Consequently, virus detection software may be made to appear operational when it is not properly operating.
Perhaps the greatest fundamental problem with conventional computer security systems is that their operation is common to the environment of the operating system environment. Furthermore, the operating system environment for many computer systems is also common to the Internet environment, for example, or another network communications medium. Because of this common environment, many means of attack on a computer system are available merely by moving computer code from the Internet to the computer operating system.
Some conventional methods of computer protection may involve special purpose security hardware or firmware installed in the BIOS of a computer system. These methods can establish secondary lines of defense internal to operation of a computer system but external to the complicated and error-prone operating system environment. However, these methods often fail to recognize that a better line of defense could be realized with non-writeable firmware in the attached storage devices that provide the bulk of data and code storage for computer systems.
Other conventional computer security systems may include a security device connected to an SCSI bus that protects storage devices on the bus. This type of security system recognizes that the storage device is more secure while not operating in an environment common to the operating system. However, the SCSI bus of this system exposes all devices on the bus, including the storage devices, to access and therefore requires intimate operating systems involvement. It would be an improvement over this technique to put the security measures in the attached storage firmware and data storage. The same solution could also then be applied in SCSI environments and other environments such as ATA storage device environments.
Still other computer security systems recognize the benefit of guarding the storage device at the controller level but are based on shared private keys. Shared private keys are well-known to provide less security than securing and concealing elements of public-private key encryption, because authentication keys are shared and not private to a single device. This type of system is also directed to modification of the file management system of the computer operating system and therefore suffers the same problem of operating system dependence illustrated above for SCSI security. An improved computer security system could leave the operating system file management intact while maintaining separate control over security through a special security interface to the attached storage device.
In another type of computer security system, the security perimeter consists of self-contained software that exports only a simple storage interface for external access and verifies the integrity of each command before processing the command. By contrast, most file servers and client machines execute a multitude of services that are susceptible to attack. Since this self-securing storage device is a single-function device, the task of making it secure is made easier. However, the objective of this system is to provide for automated recovery to a known good state relying on the previous secure storage mechanisms. This type of system also requires operating systems modification. It incorporates complexity, and therefore vulnerability, approaching that of an operating system, and permits opportunities for the introduction of Trojan horses, for example, into the system. Furthermore, this type of system does not recognize the improved security afforded by using the storage device for hiding and securing public-private key operations.
Security afforded to a computer system by the ATA Host Protected Area security protocol can be provided by a method used in connection with readying a storage device during the boot phase of a computer system. In this method, the storage device can be declared to the operating system to have less storage space than the storage device actually has ready for use by the operating system. Special BIOS firmware or other special code can have exclusive access to the undeclared portion of storage space. As an additional security measure, the ATA Host Protected Area can require passcode access to this additional amount of storage space. The ATA Host Protected Area was originally designed to provide security assurance in the form of enhanced operating system and application crash recovery efficiencies. A known good version of the system or application software could be cached in a location outside the capability of the operating system to address. In practice, this restricts access to a portion of the storage device to a computer program running either in the main device firmware or in the operating system environment.
A problem with the ATA Host Protected Area protocol is that it is still possible to intercept communications with the storage device that contain critical information. The hidden ATA Host Protected Area partition of the storage device can be revealed, for example, by putting that same disk drive into another computer that does not reserve the Host Protected space. The passcode, if used, is not retained across power cycles. The ATA Host Protected Area, in practice, is an acceptable place to protect local backup code and data from virus-like infections but is typically not the best place to conceal data. Furthermore, the only authentication required by ATA Host Protected Area is a “first come first served, winner take all” type of device authentication. Public-private key techniques applied to sections of secure data storage would provide an improvement in this type of security.
Therefore, computer security methods and systems are needed that address the aforementioned shortcomings in the art. Method and system approaches are needed in the storage device environment that provide resistance to unauthorized access and use of computer programs and data. Methods and systems are needed that permit sections of the storage device to store data that are not available to the file system or operating system in a computer system for reading or writing operations, except under controlled and cryptographically-guarded conditions. Such controlled conditions should include device authentication and user authentication of secured datasets performed externally to the operating system of the computer system. Methods and systems are also needed that provide firmware and storage devices with controls on access, storage and retrieval of data. These controls should not be able to be written by any process available to the computer system and should be localized in the attached storage device.