1. Technical Field
The invention disclosed broadly relates to data processing and more particularly relates to the establishment of a trusted path between remote portions of a data processing network.
2. Background Art
Many data processing applications involve highly confidential information such as in financial applications, national security applications, and the like where data or programs in a remote processor of a data processing system must be accessed by a user at a local processor connected to the system. The prior art has not provided an effective mechanism to prevent unauthorized persons or programs from reading data from the remote processor. In prior art data processing systems, the communication path between the local processor and the operating system software in the remote processor can either be forged or penetrated by an unauthorized program known as a Trojan horse, which can masquerade as the program in the remote processor with which the user intends to communicate, and can divert, replicate or otherwise subvert the security of the confidential information being accessed in the remote processor by the user at his local processor.
For national security applications, the U.S. Government has established a standard by which the security of data processing systems can be evaluated, that standard having been published in "Trusted Computer System Evaluation Criteria," U.S. Department of Defense, December 1985, DoD publication number 5200.28-STD (referred to herein as DoD Standard). The DoD Standard defines a trusted computer system as a system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information. A trusted computing base (TCB) is defined as the totality of protection mechanisms within a computer system, including hardware, firmware and software, the combination of which is responsible for enforcing a security-policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters such as a user's clearance, related to the security policy. A trusted path is defined by the DoD Standard as a mechanism by which a person at a terminal of a local processor can communicate directly with the trusted computing base. The trusted path mechanism can only be activated by the person or the trusted computing base and cannot be imitated by untrusted software. Trusted software is defined as the software portion of a trusted computing base.
The problem of maintaining a trusted path between a local processor and a trusted computing base in a remote processor is compounded for those operating systems which accommodate multiple users. Some examples of prior art multi-user operating systems which have not provided an effective mechanism for establishing a trusted path include UNIX (UNIX is a trademark of AT&T Bell Laboratories), XENIX (XENIX is a trademark of Microsoft Corporation) and AIX (AIX is a trademark of the IBM Corporation). UNIX was developed and is licensed by AT&T as an operating system for a wide range of minicomputers and microcomputers. For more information on the UNIX Operating System, the reader is referred to "UNIX (TM) System, Users Manual, System V," published by Western Electric Company, January 1983. A good overview of the UNIX Operating System is provided by Brian W. Kernighan and Rob Pike in their book entitled "The UNIX Programming Environment," published by Prentice-Hall (1984). A more detailed description of the design of the UNIX Operating System is to be found in a book by Maurice J. Bach, "Design of the UNIX Operating System," published by Prentice-Hall (1986).
AT&T Bell Labs has licensed a number of parties to the use of UNIX Operating System, and there are now several versions available. The most current version from AT&T is Version 5.2. Another version known as the Berkley version of the UNIX Operating System was developed by the University of California at Berkley. Microsoft Corporation has a version known under their trademark as XENIX.
With the announcement of the IBM RT PC (RT PC are trademarks of IBM Corporation), (RISC (reduced instruction set computer) technology personal computer) in 1985, IBM Corporation released a new operating system called AIX which is compatible at the application interface level with AT&T's UNIX Operating System, Version 5.2, and includes extensions to the UNIX Operating System, Version 5.2. For a further description of the AIX Operating System, the reader is referred to "AIX Operating System Technical Reference," published by IBM Corporation, 2nd Edition (September 1986).
The Defense Data Network (DDN) Protocol Handbook, Volume 2, 1985, pages 2-575 to 2-593, (RFC 854 and RFC 855, describes TELNET which is a data communications protocol for distributed data processing systems. The purpose of TELNET Protocol is to provide a fairly general, bi-directional, eight-bit byte oriented communications facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. The protocol may also be used for terminal-terminal communication ("linking") and process-process communication (distributed computation). A TELNET connection is a Transmission Control Protocol (TCP) connection used to transmit data with interspersed TELNET control information. The TELNET Protocol includes the principle of a "Network Virtual Terminal" and the principle of negotiated options.
When a TELNET connection is first established, each end is assumed to originate and terminate at a "Network Virtual Terminal", or NVT. An NVT is an imaginary device which provides a standard, network-wide, intermediate representation of a canonical terminal. This eliminates the need for "server" and "user" or "client" hosts to keep information about the characteristics of each other's terminals and terminal handling conventions. All hosts, both client and server, map their local device characteristics and conventions so as to appear to be dealing with an NVT over the network, and each can assume a similar mapping by the other party. The "user" or "client" host is the host to which the physical terminal is normally attached, and the "server" host is the host which is normally providing some service. As an alternate point of view, applicable even in terminal-to-terminal or process-to-process communications, the "user" or "client" host is the host which initiated the communication.
The principle of negotiated options accommodates the fact that many hosts will wish to provide additional services over and above those available within an NVT, and many users will have sophisticated terminals and would like to have elegant, rather than minimal, services. Independent of, but structured within the TELNET Protocol are various "options" that will be sanctioned and may be used with a "DO, DON'T, WILL, WON'T" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, data security features, etc. The basic strategy for setting up the use of options is to have either party (or both) initiate a request that some option take effect. The other party may then either accept or reject the request. If the request is accepted the option immediately take effect; if it is rejected the associated aspect of the connection remains as specified for an NVT.
Copending U.S. patent application, Ser. No. 149,446, filed Jan. 28, 1988, by Abhai Johri and Gary Luckenbaugh entitled "A Trusted Path Mechanism for An Operating System," assigned to the IBM Corporation, is incorporated herein by reference. The Johri and Luckenbaugh application discloses a trusted path mechanism invention which guarantees that data typed by a user on a terminal keyboard is protected from any intrusion by unauthorized programs in the local data processor to which the terminal is attached. It allows a user to create a non-forgeable and non-penetrable communication path between the user's terminal and the trusted operating system software in the local data processor. The user can create a trusted path by simply pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This operation can be called when the user logs into the system in order to be sure that the user is communicating with the real login program and not a Trojan horse program masquerading as a login program, which would steal the user's password. After the user has established the trusted path, he can enter his critical data, such as a password, and can be sure that his password is not being stolen by an intruder's program. Then, after the user logs out, he can be sure that the trusted path has actually logged him out of the system so that a Trojan horse program is not capable of continuing the session started by the user.
The invention described in the Johri and Luckenbaugh application, is contained in a data processing system including a memory to which is connected a plurality of terminals, with at least one terminal including a keyboard having a Secure Attention Key. It is a method in a UNIX-type operating system for creating, in response to the Secure Attention Key, a trusted path between the terminal and a trusted shell portion of a trusted computing base which is a child process of an init process under the operating system. The method includes detecting the Secure Attention Key in a keyboard device driver connected to the keyboard and outputting from the keyboard device driver to a Secure Attention Key Signal Generator, information that the Secure Attention Key has been been detected. It further includes outputting from the Secure Attention Key Generator a SIGSAK signal to all processes operating in a process group of the terminal, terminating all of the processes in the terminal process group. The method further includes applying the SIGSAK signal to access authorization tables associated with all the device drivers interfacing with the terminal, to deny access authorization to all processes in the data processing system except the init process. The method further includes applying the SIGSAK signal to a file access table to remove all addressing information relating to the device drivers interfacing with the terminal, to all processes in the data processing system except the init process. The method further includes executing a fork system call by the init process for a new child process. The method further includes executing an exec system call to overlay a trusted shell process onto the new child process, the trusted shell process having access authorization to the device drivers interfacing with the terminal and the trusted shell process having an addressing relationship defined in the file access table to the device drivers interfacing with the terminal. Thereby a trusted path is established between the terminal and the trusted shell process in the local data processor.
The invention disclosed and claimed herein specifically concerns providing a mechanism for establishing a remote trusted path for communication over TELNET between a local and a remote processor running a multi-user operating system such as UNIX, XENIX, or AIX, so that unauthorized programs are prevented from reading data from the remote processor. None of the prior art multi-user operating systems provides an effective mechanism for establishing a trusted path which prevents unauthorized programs from reading data from a remote processor.