Advances in computer and communications technology have increased the flow of information between and within computer networks. This ability to communicate between computers and networks has also made it possible to develop a wide variety of services that can be performed from your own personal computer. Such services may for example be mailing, home shopping, home banking etc. Many of these services comprise security critical activities that have to be performed when the computer is on-line, such as transferring money through Internet.
Performing such security critical activities, is of course a security risk, since also potential intruders can listen to and/or compromise these security critical activities, by breaking into the computer. One of the reasons for this is that the operating systems of personal computers were not designed with security in mind, since they were personal and without connections to any network. Thus, it is easy to use malicious code, Trojan horses or the like to compromise the operating system of a personal computer and thereby the security critical activities executed thereon. Also more secure operating systems, such as Unix, may be compromised with a relatively small effort. Today there is no commercial operating system that protects the user from Trojan horses.
To increase the security of the operating system there has been suggested to provide firewalls between the local network and the public available networks open to any intruders. Such firewalls filter the communication between the local network and the outside world by only allowing certain selected services to pass through. If other services are requested the passing through the firewall will only be enabled if a valid password is presented. The communication then eventually reaches either a personal computer or a server computer inside the local network. This safety measure will of course increase the security, but will still not guarantee that the security critical activities are performed the way the user initially intended. Vulnerabilities in the implementation of the allowed, non-filtered, services may allow an intruder to intrude into the personal computer.
Another possible security measurement is to insert security mechanisms in the operating system, like requiring passwords for access to certain services.
The main reason why the above security mechanisms are not totally safe is that the % are software based. Since software always contains bugs, it is corruptible, and may therefore be compromised by exploited security holes, malicious code, resident Trojan horse software etc. Software based security solutions are also too brittle, i.e. if the operating system security is compromised all data and all applications that are executed thereon will also be compromised.
One different, but similar approach to increase the operating system security is to build a so called multi level secure (MLS) operating system. Such systems label objects and subjects according to a security classification, and define rules for how information is allowed to flow through the system. The classification of different security levels and the record keeping of which users that have access to different security levels and objects is very time consuming to maintain. Furthermore, conventional personal computer applications are not compatible with the operating systems of the MLS system, and all applications have to be tailor-made for the MLS system. This is of course very costly.
A method for performing or executing security critical activities in a computer is disclosed in WO 98/19243 with the same inventor as for the present invention, which document is hereby incorporated for reference. The system comprises a security device to be connected to the communications means of a personal computer, like a serial port or the PCI bus. The security device comprises a processor, memory and crypto means. Certain selected IO devices of the computer, such as the screen, keyboard, mouse and smart card reader are provided with switches and crypto means. During normal activity (normal mode) the security device is not active and the computer functions as normal. The presence of the security device and the switching and crypto means are transparent to the computer.
When a security critical activity is initiated by a signal from the computer processor, the computer is switched to secure management mode. The security device gains control over the selected user IO devices through the switching and crypto means and shuts out the computer processor from access. The execution of the security critical activity is tranferred to the security device and executed there with proper user involvement. Data is protected from the computer processor during transfer between the security device and the user IO devices.
The security device must be constructed so that the execution of the security critical activity can be performed securely without any possibility for the computer processor to compromise the execution. The above described system accomplishes this by having a separate processor, separate program memory, separate data memory and several other devices and controllers separate.
Unfortunately, this is an expensive solution, since so many functional circuits need to be duplicated. It would be preferable if for example access to a part of the existing PC memory could be divided off for the security device. This would be a major cost benefit, since suitable memory circuits usually only are provided in large sizes. This would also allow for flexibility, since the security device could divide off as much memory from the large PC-memory as needed for the security activity.
There are several other resources in a PC which could be divided off from the PC's normal control and usage, for protected usage by the security device; devices in specific slots on the PCI bus or the ISA bus, whole storage devices or sectors on storage devices on a IDE bus, logical devices on an USB bus.
It is important for the security of the security device to minimize the number of hardware mechanisms both the computer processor and the security device can control, since unexpected and dangerous interactions might be performed by the computer processor. On the other hand, we clearly see the cost benefit arising from the ability for protected usage by the security device of existing PC resources. The presence of the security device should also cause minimal changes to the computer processor's normal mode, for compatibility reasons.