The most progressive approach to using personal computers for collective information processing is to combine personal computers into local area networks (LANs). The establishment of a LAN facilitates information gathering and permits the efficient use of memory resources. However, LANs also provide favorable conditions for the rapid propagation of programs known as computer viruses and the mass distortion of information stored on personal-computer disks. Computer viruses which distort information for purposes of causing economic loss to the information owner are particularly dangerous. The disastrous losses caused by computer viruses and the continually increasing number of viruses have brought about the need for information security subsystems designed to identify and eliminate viruses. However, despite the many different security subsystems, computer crime statistics show that computer viruses present no less of a threat than before, and are still capable of causing serious losses to personal computer users. The risk for users of personal computers connected to a LAN is considerably higher than the risk for users of stand-alone personal computers. Therefore, protection from computer viruses is an urgent problem for stand-alone personal computers, and is especially important for personal computers used in LANs.
A review of prior security subsystems for personal computers shows that these subsystems are usually based on the use of programs which protect files from inadvertent or intentional distortion. Depending on the hardware used to support the protection programs, these security subsystems are either software subsystems or software-hardware subsystems.
Software subsystems do not have any dedicated hardware, and all the resources needed to support the protection programs are borrowed from the main personal computer. Software subsystems quickly became popular among personal computer users and are now the main means for virus protection. However, experience with software subsystems showed that these subsystems are easily thwarted, and thus they are not very promising in the continuing war against viruses. Therefore, the main trend in the development of security subsystems is toward software-hardware security subsystems.
Software-hardware security subsystems include dedicated hardware and borrow some resources from the main personal computer to support the protection programs. A typical example of this type of subsystem is the D.D.C. subsystem (USA), which provides virus diagnostics before the operating system is loaded into the main memory of the personal computer. (Multimillionaire Pickens finances antivirus firm, EDV-Aspekte, No. 9, p. 46, 1992.) The D.D.C. subsystem is an external board which is inserted into one of the expansion slots of the personal computer. The protection program, which is resident in the external board ROM, receives control after the personal computer is reset and eliminates viruses on the hard disk before the operating system is loaded. A similar subsystem known as Thunderbyte was developed by the Dutch firm Esass. Both systems have the advantages of simple hardware supporting the protection program and relatively low cost. However, in these subsystems the protection program is not directly involved with hard disk access. As a result, these subsystems are not capable of preventing inadvertent or intentional distortion of hard disk files.
Subsystems which execute protection programs while the personal computer is in use provide protection against inadvertent or intentional distortion of files.
The following constitute various examples of patents disclosing computer security systems.
In British Patent Application 2248324A (Data Security in a Computer Network), there is disclosed the use of a microcomputer in a computer network which permits shared access to stored data. The microcomputer comprises a security circuit which controls the operation of an address buffer according to a table of access conditions retrieved from non-volatile memory in response to an input password (which can be one of five assigned security levels), there being one of three access conditions ([1] read/write disable, [2] read enable/write disable and [3] read and write enable) for each block of memory addresses. The relevant memory address block is identified by reading a memory map that has been created and stored by the security circuit in the non-volatile memory. Therefore, portions of a computer's memory are made available only to selected users, and of those users only certain individuals have the ability to modify those portions of memory.
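The following is an added software model of the access-condition mechanism just described; it is not code from the patent application. The five security levels, the three access conditions, the block layout of the memory map and the password table are all constructed for the illustration, and the address buffer is modelled as a function that either passes or blocks a bus cycle.

```python
"""Added illustration (not code from GB 2248324A): a software model of the
security circuit's access-condition table. The security levels, the block
layout and the password table are constructed for this example."""
from enum import Enum


class Access(Enum):
    DISABLED = 1     # [1] read/write disable
    READ_ONLY = 2    # [2] read enable / write disable
    READ_WRITE = 3   # [3] read and write enable


# Constructed memory map, standing in for the map the security circuit keeps
# in non-volatile memory: (first address, last address, block name).
MEMORY_MAP = [
    (0x0000, 0x0FFF, "system"),
    (0x1000, 0x3FFF, "shared"),
    (0x4000, 0x7FFF, "accounts"),
]

# Constructed table of access conditions: security level -> block -> condition.
ACCESS_TABLE = {
    1: {"system": Access.DISABLED, "shared": Access.READ_ONLY, "accounts": Access.DISABLED},
    2: {"system": Access.DISABLED, "shared": Access.READ_WRITE, "accounts": Access.DISABLED},
    3: {"system": Access.DISABLED, "shared": Access.READ_WRITE, "accounts": Access.READ_ONLY},
    4: {"system": Access.READ_ONLY, "shared": Access.READ_WRITE, "accounts": Access.READ_WRITE},
    5: {"system": Access.READ_WRITE, "shared": Access.READ_WRITE, "accounts": Access.READ_WRITE},
}

# Constructed password table: password -> assigned security level.
PASSWORDS = {"visitor": 1, "clerk": 3, "supervisor": 5}


def security_level(password):
    """Return the level assigned to a password, or None if the password is unknown."""
    return PASSWORDS.get(password)


def block_for(address):
    """Look up the memory-map block containing an address (None if unmapped)."""
    for first, last, block in MEMORY_MAP:
        if first <= address <= last:
            return block
    return None


def access_allowed(level, address, write):
    """Decide whether the address buffer passes a read (write=False) or a write."""
    block = block_for(address)
    if block is None or level not in ACCESS_TABLE:
        return False                      # unmapped address or no valid level: fail closed
    condition = ACCESS_TABLE[level].get(block, Access.DISABLED)
    if write:
        return condition is Access.READ_WRITE
    return condition in (Access.READ_ONLY, Access.READ_WRITE)


def bus_cycle(password, address, write):
    """Model one bus cycle: resolve the password to a level, then gate the access."""
    level = security_level(password)
    if level is None:
        return "blocked"
    return "passed" if access_allowed(level, address, write) else "blocked"


if __name__ == "__main__":
    for pw, addr, wr in [("visitor", 0x2000, False), ("visitor", 0x2000, True),
                         ("clerk", 0x5000, True), ("supervisor", 0x0010, True)]:
        print(pw, hex(addr), "write" if wr else "read", "->", bus_cycle(pw, addr, wr))
```

The table fails closed: an address outside the memory map, an unknown password or a block missing from a level's row all resolve to the read/write-disable condition, which is the behaviour a hardware address buffer should default to.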
In European Patent Application 0268138A2 (Implementing Privilege on Microprocessor Systems for Use in Software Asset Protection), there is disclosed a software protection system that uses two microprocessors, an application processor and a supervisor processor, to form a dual privilege (high or low) coprocessor protection system. To that end, the application processor only executes the application code and has no input/output capability. The supervisor processor, which controls the application processor, retrieves all of its instructions from a secure ROM which cannot be modified by any external devices. Therefore, all input/output to the application processor is by way of the supervisor processor. A high privilege read only memory and a secure random access memory are enabled only in response to dedicated control signals from the supervisor processor. A secure random access memory is provided for storage of sensitive information such as decryption keys. The coprocessor implements a low privilege level of operation for the purpose of executing protected software which is first decrypted under the control of the supervisor processor and then stored in the application processor random access memory. The coprocessor is also capable of high privilege operation either by the supervisor processor alone or with the supervisor processor controlling the application processor and its associated high privilege read only memory.
In European Patent Application 0407060A2 (Method of Providing Mandatory Secrecy and Integrity File Security in a Computer System) there is disclosed a method for ensuring access to files of a computer system only to computer processes properly authorized for access. A separate security label is associated with each file and process of the system and defines authorized security classes pertaining to the associated file or process. Each security label contains information describing authorizations based on data secrecy and data integrity. A comparison is made on an attempted access of a file by a process of the security label associated with the process and the security label associated with the file. A verification is made based on the comparison that the process is authorized to access the file. The verification as to both secrecy and integrity aspects is accomplished in the single verification step.
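As an added illustration of the labelled-access scheme just summarised (this is not code from the application), the block below attaches a label carrying both a secrecy part and an integrity part to each process and file and performs the two checks in one verification call. The dominance rules applied (for secrecy, no read-up and no write-down; for integrity, no read-down and no write-up), the level numbers and the sample labels are assumptions made for the example.

```python
"""Added illustration (not code from EP 0407060A2): security labels carrying
both a secrecy and an integrity component, checked in one verification step.
The dominance rules and the sample labels are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityLabel:
    secrecy: int            # higher value = more secret
    categories: frozenset   # compartments the label covers
    integrity: int          # higher value = more trustworthy


def dominates(a, b):
    """Secrecy dominance: a is at least as high as b and covers all of b's categories."""
    return a.secrecy >= b.secrecy and a.categories >= b.categories


def verify(process, file, operation):
    """Single verification step: both the secrecy and the integrity aspect must pass."""
    if operation == "read":
        secrecy_ok = dominates(process, file)               # no read-up
        integrity_ok = file.integrity >= process.integrity  # do not read less trusted data
    elif operation == "write":
        secrecy_ok = dominates(file, process)               # no write-down
        integrity_ok = process.integrity >= file.integrity  # do not write above own integrity
    else:
        return False                                        # unknown operation: fail closed
    return secrecy_ok and integrity_ok


# Constructed labels standing in for the labels attached to files and processes.
CONFIDENTIAL, SECRET = 1, 2
LOW, HIGH = 1, 2

FILE_LABELS = {
    "ledger.dat": SecurityLabel(CONFIDENTIAL, frozenset({"finance"}), HIGH),
    "plans.doc": SecurityLabel(SECRET, frozenset({"finance", "legal"}), LOW),
}
PROCESS_LABELS = {
    "report": SecurityLabel(SECRET, frozenset({"finance"}), HIGH),
    "editor": SecurityLabel(CONFIDENTIAL, frozenset({"finance"}), LOW),
}


def attempt(process_name, file_name, operation):
    """Mediate an access: look up both labels and run the single verification."""
    return verify(PROCESS_LABELS[process_name], FILE_LABELS[file_name], operation)


if __name__ == "__main__":
    for proc, name, op in [("report", "ledger.dat", "read"), ("editor", "ledger.dat", "write"),
                           ("report", "plans.doc", "read"), ("editor", "plans.doc", "write")]:
        print(proc, op, name, "->", "allowed" if attempt(proc, name, op) else "denied")
```

The "editor" writing "ledger.dat" case shows why the combined check matters: the secrecy comparison alone would allow the write, but the process's low integrity label blocks it, and a single call returns the joint decision.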
In European Patent Application 0458718A2 (Method for Controlling Public Access to a Plurality of Data Objects within a Data Processing System), there is disclosed a method for efficiently controlling public access to a plurality of data objects stored within a data processing system. An access control profile is associated with each data object. Each access control profile preferably includes: an authorization parameter listing the identity of a particular user and the authorization level granted to that user; a shared authorization parameter listing the identities of a plurality of users and the authorization level granted to each listed user; and, a public authorization parameter listing the authorization level granted to each user not specifically set forth within the access control profile. A single "public" user identity is then defined for all users not specifically set forth within the access control profile, and that identity, as well as a public authorization level for an entire group of data objects, is listed within a single shared authorization parameter. That shared authorization parameter is then placed within the access control profile of each data object within the group. Thereafter, a reference to the shared authorization parameter is placed within the public authorization parameter of each data object within the group so that public access to the entire group of data objects may be centrally controlled by means of a single shared authorization parameter.
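The following added example (not code from the application) models the access control profile described above: an individual authorization parameter, a list of shared authorization parameters, and a public authorization parameter that holds a reference to a single shared parameter created for the whole group of data objects. The level names, the "*PUBLIC*" identity string, the "owner" user and the sample objects are constructed for the illustration.

```python
"""Added illustration (not code from EP 0458718A2): access control profiles
whose public authorization parameter refers to one shared authorization
parameter for a whole group of data objects. Level names, the PUBLIC identity
string and the sample objects are constructed."""
NO_ACCESS, READ, WRITE = 0, 1, 2
PUBLIC = "*PUBLIC*"   # the single identity standing for every user not named in a profile


class SharedAuthorization:
    """A shared authorization parameter: a set of identities and one level for all of them."""

    def __init__(self, identities, level):
        self.identities = set(identities)
        self.level = level


class AccessControlProfile:
    def __init__(self, authorizations=None, shared=None, public=None):
        self.authorizations = dict(authorizations or {})   # user -> level
        self.shared = list(shared or [])                   # SharedAuthorization objects
        self.public = public     # public parameter: a level, a reference, or None

    def level_for(self, user):
        """Resolve a user's level: individual entry, then shared entries, then the public parameter."""
        if user in self.authorizations:
            return self.authorizations[user]
        for param in self.shared:
            if user in param.identities:
                return param.level
        if isinstance(self.public, SharedAuthorization):   # reference to a shared parameter
            return self.public.level
        if self.public is None:
            return NO_ACCESS
        return self.public


def make_group(object_names, public_level):
    """Create one shared parameter for the group and place it, plus a reference to it,
    in every object's profile, so public access is controlled from one place."""
    group_public = SharedAuthorization({PUBLIC}, public_level)
    profiles = {}
    for name in object_names:
        profiles[name] = AccessControlProfile(
            authorizations={"owner": WRITE},   # constructed individual entry
            shared=[group_public],
            public=group_public,               # reference: one change reaches every object
        )
    return group_public, profiles


if __name__ == "__main__":
    group_public, profiles = make_group(["a.dat", "b.dat"], READ)
    print("stranger on a.dat:", profiles["a.dat"].level_for("stranger"))
    group_public.level = NO_ACCESS           # single central change
    print("stranger on b.dat after revocation:", profiles["b.dat"].level_for("stranger"))
```

Changing the level on the one shared parameter revokes or grants public access to every object in the group without touching any individual profile, while users named in a profile's own authorization parameter keep their explicitly granted level.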
In British Patent Application 2242295A (Access Control in a Data Processing System), there is disclosed a method of controlling access in a data processing system by way of a set of attributes defining targets that may be accessed and for accessors that may access these targets. A set of access security classes is then defined in terms of these attributes or other classes. Each class has a set of allowable operations associated with it. Each target is assigned a classification comprising one of the classes and a set of allowed operations. Each entrant is assigned an authority consisting of one of the classes and a set of allowed operations. An entrant is allowed to access a target only if there is a common sub-class contained in both the entrant's authority and in the target's classification and if the required operation is defined for that subclass and appears in both the entrant's authority and in the target's classification.
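The block below is an added illustration of the class-based rule just described; it is not code from the application. It takes one particular reading of the scheme, assumed for the example: classes are defined by attribute sets (directly or as the union of other classes' attributes), a class is a sub-class of another when it carries all of the other's attributes, and access is granted only if some class is a sub-class of both the entrant's authority class and the target's classification class, defines the requested operation, and both sides also list that operation. The class, attribute and operation names are constructed.

```python
"""Added illustration (not code from GB 2242295A): access security classes
defined from attributes or other classes, with the common-sub-class test.
Assumed interpretation: a class is a sub-class of another when its attribute
set includes all of the other's attributes. Names are constructed."""


class SecurityClass:
    def __init__(self, name, attributes=(), parents=(), operations=()):
        attrs = set(attributes)
        for parent in parents:              # a class defined in terms of other classes
            attrs |= parent.attributes
        self.name = name
        self.attributes = frozenset(attrs)
        self.operations = frozenset(operations)   # operations defined for this class

    def is_subclass_of(self, other):
        return self.attributes >= other.attributes


class Assignment:
    """A target's classification or an entrant's authority: one class plus allowed operations."""

    def __init__(self, security_class, operations):
        self.security_class = security_class
        self.operations = frozenset(operations)


def access_allowed(authority, classification, operation, classes):
    """Allow only if the operation appears on both sides and some class in `classes`
    is a sub-class of both sides' classes and defines the operation."""
    if operation not in authority.operations or operation not in classification.operations:
        return False
    for candidate in classes:
        if (candidate.is_subclass_of(authority.security_class)
                and candidate.is_subclass_of(classification.security_class)
                and operation in candidate.operations):
            return True
    return False


# Constructed class hierarchy: PAYROLL is defined from the two other classes.
FINANCE = SecurityClass("finance", attributes={"finance"}, operations={"read", "write"})
PERSONNEL = SecurityClass("personnel", attributes={"personnel"}, operations={"read", "write"})
PAYROLL = SecurityClass("payroll", parents=(FINANCE, PERSONNEL), operations={"read"})
CLASSES = [FINANCE, PERSONNEL, PAYROLL]


if __name__ == "__main__":
    entrant = Assignment(FINANCE, {"read", "write"})
    target = Assignment(PERSONNEL, {"read", "write"})
    for op in ("read", "write"):
        print("finance entrant,", op, "on personnel target ->",
              access_allowed(entrant, target, op, CLASSES))
```

With this hierarchy a finance entrant can read a personnel target only because the payroll class is a sub-class of both and defines "read"; it cannot write, since the payroll class does not define "write", and removing the payroll class from the set denies even the read.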
In German Published Application No. 403444A1 (Data-Shielding Workplace Computer), there is disclosed a data-shielding workplace computer with working memory, mass storage, processor, peripherals, and a system bus connecting these system components to each other. Data is stored in encrypted form in the mass storage devices. A security computer is provided, which has an additional processor, additional working memory, and an additional system bus to connect these components to each other and which is compatible with the workplace computer; a bus coupler is provided so that the two system busses can be connected and disconnected. Furthermore, requests for data from mass storage are processed under the sole command of the security computer, and the cryptologic processing of these requests is accomplished exclusively by the security computer. Monitoring units on the system bus of the workplace computer detect attempted access to disallowed addresses and to the security-relevant hardware ports of the mass storage units, and an emergency stop of the workplace computer is triggered whenever such an access is attempted.
In International Publication No. WO 90/13084 (Computer File Protection System), there is disclosed a module comprising an auxiliary memory and a controller which are connected to the system bus of a computer. The auxiliary memory is used to store supervisor-assigned criteria for secure access to the files. The controller is based on a digital processor, and thwarts access attempts which do not conform to the established security criteria. During the installation process, the controller creates a protected area on the disk for the storage of file signatures. If there is any deviation from the established criteria for secure access to files, the subsystem prevents further use of the computer. However, such a functional-diagnosis subsystem tends to require expensive hardware and has a relatively high overall cost, which puts such a security system beyond the reach of many personal computer users.
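To make the behaviour of such a module concrete, the following is an added software model of its controller; it is not code from the publication and says nothing about the publication's actual hardware or signature format. The disk is represented by a dictionary, the supervisor-assigned criteria by a table in a separate object standing in for the auxiliary memory, the file signatures by SHA-256 digests kept under a constructed protected-area name, and "prevents further use of the computer" by a lock flag that refuses every later request.

```python
"""Added illustration (not code from WO 90/13084): a software model of the
module's controller, with supervisor-assigned criteria in an auxiliary store,
a protected area holding file signatures, and lock-out on any deviation.
The disk contents, criteria and protected-area name are constructed."""
import hashlib

PROTECTED_AREA = "__protected_area__"   # constructed name for the signature store


class FileProtectionController:
    def __init__(self, disk, criteria):
        self.disk = disk              # file name -> bytes, standing in for the hard disk
        self.criteria = criteria      # file name -> {user: set of operations} (auxiliary memory)
        self.locked = False
        # Installation: create the protected area and sign every file covered by the criteria.
        self.disk[PROTECTED_AREA] = {name: self.signature(disk[name]) for name in criteria}

    @staticmethod
    def signature(data):
        return hashlib.sha256(data).hexdigest()

    def lock(self, reason):
        """Any deviation from the criteria stops further use of the computer."""
        self.locked = True
        return ("denied", reason + "; further use of the computer prevented")

    def request(self, user, operation, name, data=None):
        """Mediate one file access; returns ("ok", payload) or ("denied", reason)."""
        if self.locked:
            return ("denied", "computer locked")
        if name not in self.criteria:                 # file outside the security criteria
            return self._unprotected(operation, name, data)
        if operation not in self.criteria[name].get(user, set()):
            return self.lock("access by %s to %s violates the criteria" % (user, name))
        if operation == "read":
            if self.signature(self.disk[name]) != self.disk[PROTECTED_AREA][name]:
                return self.lock("signature of %s does not match the protected area" % name)
            return ("ok", self.disk[name])
        if operation == "write":
            self.disk[name] = data
            self.disk[PROTECTED_AREA][name] = self.signature(data)   # only the controller re-signs
            return ("ok", None)
        return self.lock("unknown operation %r" % operation)

    def _unprotected(self, operation, name, data):
        if operation == "read":
            return ("ok", self.disk.get(name))
        if operation == "write":
            self.disk[name] = data
            return ("ok", None)
        return ("denied", "unknown operation")


def build_demo():
    """Constructed disk and criteria for a run of the model."""
    disk = {"ledger.dat": b"balance=100", "notes.txt": b"hello"}
    criteria = {"ledger.dat": {"alice": {"read", "write"}, "bob": {"read"}}}
    return FileProtectionController(disk, criteria)


if __name__ == "__main__":
    ctl = build_demo()
    print(ctl.request("alice", "read", "ledger.dat"))
    ctl.disk["ledger.dat"] = b"balance=9999"      # change made behind the controller's back
    print(ctl.request("bob", "read", "ledger.dat"))
    print(ctl.request("alice", "read", "notes.txt"))
```

A write that goes through the controller updates the stored signature, but a change made to the disk behind the controller's back leaves the signature stale, so the next mediated read detects the deviation and the lock-out takes effect for every file, including ones outside the criteria.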
In addition, none of the above disclosures provides the operator with a personal computer having hidden storage of security programs which, in conjunction with a hardware module, establishes a single permitted path between the application program and the hard disk controller, a path that can be monitored and/or obstructed when unauthorized access to the hard disk is attempted or a computer virus attempts to write to the hard disk.