1. Field of the Invention
This invention relates to an apparatus and method for verifying the integrity of computer data against the effects of computer viruses, and more particularly to a verification system that uses a reserved non-DOS hard disk partition, resulting in a boot verification system that is independent of, and transparent to, the operating system.
2. Description of the Related Art
A personal computer (PC) typically contains several forms of storage media such as a hard disk and a floppy disk. These types of media are used to store user software such as the operating system (OS) and applications, and work product information such as electronic documents. A PC also has lower level software known as the Basic Input/Output System (BIOS) contained in Read Only Memory (ROM) on the system board. When the computer is first turned on, the CPU starts executing the BIOS from ROM. The BIOS performs a set of diagnostic routines called the Power On Self Test (POST) and, if they complete successfully, proceeds to locate and boot the OS.
The BIOS is programmed to locate the operating system by first searching the floppy disk, and then the hard disk. This permits the PC to be booted from a floppy if the hard disk has failed or a different OS is required.
Before continuing, background on hard disk drives is deemed appropriate. A computer may have a plurality of hard disks connected to allow storage of large amounts of software and data. Physically, a hard disk is comprised of at least one platter for storing the data. Each platter is divided into a number of concentric storage units called tracks. A track is further divided into sectors. Each platter is accessed by a top head and a bottom head which read and write data onto the hard disk. Logically, a hard disk may be divided into partitions, each partition having an amount of storage selectable at the time of creation, but the aggregate of all partitions not exceeding the storage capacity of the hard disk. For example, a single hard disk could have three partitions logically named C:, D: and E:. Partitions are further divisible into tracks, cylinders and sectors for addressing purposes. Under DOS, a computer may have several disk partitions of different sizes or different types, meaning DOS-type or non-DOS-type, thus allowing more than one operating system to be installed on the same hard disk. Additional disk partition types are reserved for future uses. Each hard disk has a single Master Boot Record (MBR), that contains information pertaining to the size, type and location of disk partitions. A boot record is contained in the boot sector of the bootable partition which contains operating system dependent information relating to the file structure on the hard disk.
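The partition table described above is what a verification system in a reserved partition has to read before it can find its own partition. The following is an added example, not code from the patent: it parses a constructed 512-byte MBR image, validates the 0x55AA signature, decodes the four 16-byte partition entries, checks that no two partitions overlap, and locates a partition by its type byte. The partition names, sizes and the type byte 0x7F used for the reserved partition are arbitrary values chosen for the example, not values the patent specifies.

```python
"""Parse a classic MBR partition table and locate a partition by type byte.

Added example, not from the patent text.  The MBR image built by
build_sample_mbr() is constructed for illustration; its boot code area is
left as zeros and the partition layout is invented.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = 0xAA55            # stored little-endian as bytes 0x55 0xAA
BOOTABLE_FLAG = 0x80

# A few well-known DOS partition type bytes; 0x00 marks an unused entry.
PART_TYPE_NAMES = {0x00: "empty", 0x01: "FAT12", 0x05: "extended", 0x06: "FAT16"}


def parse_entry(raw):
    """Decode one 16-byte partition entry into a dict.

    CHS fields are decoded for completeness: the sector number is the low six
    bits of the 's' byte and the top two bits extend the cylinder number.
    """
    status, h0, s0, c0, ptype, h1, s1, c1, start_lba, sectors = struct.unpack(
        "<BBBBBBBBII", raw)
    return {
        "bootable": status == BOOTABLE_FLAG,
        "type": ptype,
        "type_name": PART_TYPE_NAMES.get(ptype, "non-DOS/other"),
        "start_chs": (((s0 & 0xC0) << 2) | c0, h0, s0 & 0x3F),
        "end_chs": (((s1 & 0xC0) << 2) | c1, h1, s1 & 0x3F),
        "start_lba": start_lba,
        "sectors": sectors,
    }


def parse_mbr(image):
    """Return the four partition entries of an MBR image, or raise ValueError."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("MBR image shorter than one sector")
    sig = struct.unpack_from("<H", image, SIGNATURE_OFFSET)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError("bad MBR signature 0x%04X" % sig)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_entry(image[off:off + PARTITION_ENTRY_SIZE]))
    return entries


def check_no_overlap(entries, disk_sectors):
    """True if used partitions fit on the disk and do not overlap one another."""
    used = sorted((e["start_lba"], e["start_lba"] + e["sectors"])
                  for e in entries if e["type"] != 0x00 and e["sectors"])
    last_end = 0
    for start, end in used:
        if start < last_end or end > disk_sectors:
            return False
        last_end = end
    return True


def find_partition(entries, ptype):
    """Locate the first partition with the given type byte, or None."""
    for e in entries:
        if e["type"] == ptype:
            return e
    return None


def make_entry(bootable, ptype, start_lba, sectors):
    """Build a 16-byte entry with LBA fields only (CHS fields zeroed)."""
    return struct.pack("<BBBBBBBBII", BOOTABLE_FLAG if bootable else 0,
                       0, 0, 0, ptype, 0, 0, 0, start_lba, sectors)


def build_sample_mbr():
    """Constructed MBR: two FAT16 partitions, one reserved non-DOS partition.

    The type byte 0x7F is an arbitrary placeholder for the reserved partition,
    not a value taken from the patent.
    """
    table = (make_entry(True, 0x06, 63, 204800)          # C:, bootable
             + make_entry(False, 0x06, 204863, 204800)   # D:
             + make_entry(False, 0x7F, 409663, 2048)     # reserved non-DOS
             + make_entry(False, 0x00, 0, 0))            # unused slot
    return bytes(PARTITION_TABLE_OFFSET) + table + b"\x55\xAA"


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("reserved:", find_partition(parts, 0x7F))
```

The overlap check matters for a boot-time verifier because a virus that edits the partition table is one of the ways the MBR itself gets modified; a parser that trusts the table blindly will happily follow it to a relocated partition.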
Returning now to the boot sequence, once the MBR is found it is loaded into memory and control is handed to its first byte. The MBR code in turn locates the bootable partition and loads its boot record, thus booting the OS.
As mentioned before, most information contained in a computer is stored on the hard disk. Unless otherwise noted, "software" and "program" refer to executable software programs, while "data" refers generically to all forms of electronic information, including software and the files created by software. In either case, all are stored on the hard disk. Companies invest huge amounts of money in purchasing software and even more in developing the information contained in electronic data files such as documents, spreadsheets and drawings. Protecting these resources is therefore an important concern.
One method of offering protection is the use of passwords. The password is typically stored in battery-backed CMOS memory, and before the user is allowed access to the computer, the user is required to enter a password. Once entered, the computer compares the entered password to the password in CMOS and, if they match, the user is allowed access. The main disadvantage of this system is that passwords offer very little protection against certain forms of data corruption, discussed below. Second, other forms of attack can bypass the password because the CMOS memory is in many cases not read protected. To address this concern, passwords are encoded; however, once the encoding scheme is reverse engineered, the protection has again been breached. Further, the CMOS memory could simply be disconnected from its battery, thus losing its contents, including the password, and allowing access.
A related art to that of computer protection is integrity checking. Integrity checking is used here to denote methods used to check the trustworthiness of data. It should be noted that in this context, integrity and trustworthiness have little to do with defects in the design of the software, or bugs in the software, although certain bugs could cause the integrity of the software to be jeopardized. The two main causes of software untrustworthiness are file corruption and viruses. File corruption usually happens when some sort of system failure occurs during a file transfer, for example if the system is shut off while a file is being copied onto the hard disk. The other, much larger threat to software integrity is computer viruses.
While many computer viruses are relatively benign, computer viruses can be hostile, clandestine and created specifically to cause undesirable results on the computer, such as destroying software and data, or causing peculiar computer operation, such as locking up the keyboard or blanking the monitor. They can be introduced into a computer in as many ways as the computer can communicate externally, such as through the floppy drive, a network or a modem. Viruses are typically designed to secretly attach themselves to a file, the MBR or a boot record so that the user is unaware of the intrusion. The distinguishing feature is that once a virus attaches itself to a host program, the host file is necessarily different from the original. Once attached, any subsequent copies of that host file also contain the virus, thereby increasing the potential for destruction. The virus is then activated when the file is executed. Thus a virus attached to a data file will lie dormant because the data file is not executable.
Certain methods of calculating assessment codes are well suited to detecting the modification of data caused by viruses or accidentally corrupted files. Checksums are adequate for detecting accidental modifications of data; however, they are an insecure defense against viruses. A well-designed virus could easily attach itself to a host program without changing the checksum. To address this problem, advanced modification detection codes (MDCs) have been developed specifically to detect deliberate corruption of data, and they are superior to checksums. For this purpose, software is assumed trustworthy when it is initially installed onto the fixed disk of the computer. Once installed, an integrity assessment code is calculated and stored. Thereafter, when the computer is turned on again, the stored assessment code is compared to a newly calculated value. If a discrepancy is found, the user is alerted. The disadvantage of this method is that, because the number of hard disk files, and hence of assessment codes, is unlimited, the assessment codes must themselves be stored on the hard disk, making the codes susceptible to virus attack.
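The claim that a virus can attach itself to a host without changing a checksum is easy to demonstrate. The following is an added example, not code from the patent: it appends a constructed "virus body" to a constructed host program and then pads the file with bytes whose sum cancels the change, so an additive 16-bit checksum is unchanged while a modification detection code (SHA-256 is used here as a stand-in for the MDCs the text mentions) changes. The host and payload bytes are invented for illustration.

```python
"""Checksum versus modification detection code (MDC).

Added example, not from the patent.  Shows that an additive checksum can be
preserved by a deliberately crafted modification while a cryptographic hash,
standing in for an MDC, cannot.  HOST and VIRUS are constructed byte strings.
"""
import hashlib


def checksum16(data):
    """Additive 16-bit checksum: the kind of 'checksum' the text contrasts with MDCs."""
    return sum(data) & 0xFFFF


def mdc(data):
    """Modification detection code; SHA-256 stands in for the MDC here."""
    return hashlib.sha256(data).hexdigest()


def infect_preserving_checksum(host, payload):
    """Append payload, then pad with bytes whose sum cancels the checksum change.

    delta is the amount (mod 2**16) the padding must contribute; it is
    expressed as a run of 0xFF bytes plus one remainder byte.
    """
    infected = host + payload
    delta = (checksum16(host) - checksum16(infected)) % 0x10000
    fixup = b"\xff" * (delta // 0xFF) + bytes([delta % 0xFF])
    return infected + fixup


def verify(reference, data, code_fn):
    """True if data still matches the stored reference code."""
    return code_fn(data) == reference


# Constructed sample input: a stub "program" and a stub "virus body".
HOST = b"MZ" + b"\x90" * 200 + b"original program body"
VIRUS = b"VIRUS-BODY: jump to payload, restore host, run host"


def demo(host=HOST, payload=VIRUS):
    """Install-time codes are taken from the clean host; the infected copy is
    checked against them.  Returns which scheme noticed the change."""
    stored_checksum = checksum16(host)
    stored_mdc = mdc(host)
    infected = infect_preserving_checksum(host, payload)
    return {
        "changed": infected != host,
        "payload_present": payload in infected,
        "checksum_detects": not verify(stored_checksum, infected, checksum16),
        "mdc_detects": not verify(stored_mdc, infected, mdc),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same trick works against any linear code (CRCs included, with a slightly different fix-up computation), which is why the text reserves "MDC" for codes designed so that finding any second input with the same value is infeasible.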
Modification detection codes are also commonly used in conjunction with the use of digital signatures, which can authenticate the originator of a message. Applied to integrity assessment, an originating program would hold the signature, or MDC, of the data it is assessing. This way the originating program "signs off" on the integrity of the assessed data before it is used.
One common commercial method of assessing the integrity of the user software is to check for viruses by running a virus checking software program. These programs rely on the characteristics of known viruses to detect their presence. Thus, a new virus would be undetectable by such a program. Additionally, if a virus is present, the virus checking software itself is susceptible because it is loaded from the infected hard disk and must run in memory that could be infected.
Another, improved method moves the virus checking software into a ROM. When the BIOS boots, the virus checking ROM software is executed. This has the advantage of checking early enough in the boot process that any viruses in the system can be detected before they have the chance to be loaded into memory. However, the ROM code still relies on the known characteristics of viruses to detect their presence. Modification detection codes are also used with this technique, but again, the assessment codes are accessible to savvy viruses.
A much more secure technique is described in U.S. patent application Ser. No. 08/231,443, filed Apr. 20, 1994, to David C. Jablon and Nora Hensley, entitled "Method and Apparatus for Assessing Integrity of Computer Software", which is hereby incorporated by reference. The described technique uses CMOS memory as a non-volatile memory (NVRAM). The NVRAM has one location which can be write protected by a write-once bit. Once set, the write protection cannot be removed until the computer is reset. This location holds an MDC for certain operating system programs located on the hard disk. Software in the ROM BIOS reads the protected operating system programs and computes the MDC of those programs. If the calculated MDC matches that stored in the NVRAM, then the programs are secure and can be executed. In one embodiment, for normal operation, the write protection is activated at this time. In an alternative embodiment the write protection is activated before the first, non-checked program is executed. The operating system is then loaded and boots the computer; the operating system can then check each further file before it is executed, or each file can check the files it initiates. Checking consists of calculating the MDC of the program, comparing it to a value in a previously checked table, and passing the program if the comparison is good. If not, the program has changed and may include a virus.
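The boot-time flow just described, with the reference MDC in a write-once NVRAM slot, can be simulated end to end. The following is an added example, not code from the patent or the incorporated application: it models the NVRAM slot with a protect bit cleared only by reset, computes the MDC of the protected OS programs at install time, has the "ROM BIOS" verify them at each boot and lock the slot before handing control onward, and then shows a post-boot virus failing to update the stored reference and being caught at the next boot. The file names and contents are invented, SHA-256 stands in for the MDC, and the per-file table used by the OS-level check is assumed to live among the protected programs.

```python
"""Boot-time integrity check against an MDC held in a write-once NVRAM slot.

Added example, not the patent's own code.  The disk contents, file names and
the NVRAM model are constructed for illustration; SHA-256 stands in for the
MDC function.
"""
import hashlib


class WriteOnceSlot:
    """One NVRAM location whose write-protect bit clears only on reset.

    Power-on reset clears the bit but keeps the stored value, so the ROM BIOS
    always sees the reference MDC before any disk code can run.
    """

    def __init__(self):
        self.value = None
        self.locked = False

    def write(self, value):
        if self.locked:
            raise PermissionError("NVRAM slot is write-protected until reset")
        self.value = value

    def lock(self):
        self.locked = True

    def reset(self):
        self.locked = False


def mdc(*blobs):
    """MDC over one or more byte strings; length-prefixed so that the
    concatenation of several programs is unambiguous."""
    h = hashlib.sha256()
    for b in blobs:
        h.update(len(b).to_bytes(4, "little"))
        h.update(b)
    return h.digest()


def install(disk, slot, protected_names):
    """Trusted install time: store the MDC of the protected OS programs."""
    slot.write(mdc(*(disk[n] for n in protected_names)))


def bios_boot(disk, slot, protected_names):
    """ROM BIOS at power-on: verify the protected programs against the NVRAM
    reference, then set the write-once bit before any unchecked code runs."""
    ok = mdc(*(disk[n] for n in protected_names)) == slot.value
    slot.lock()
    return "boot: protected programs verified" if ok \
        else "halt: protected OS programs modified"


def os_check(disk, table, name):
    """OS-level check of a further file against a previously verified table.
    The table itself is assumed to be stored among the protected programs."""
    return name in table and mdc(disk[name]) == table[name]


def scenario():
    """Walk through install, a clean boot, an attack, and the next boot."""
    disk = {                       # constructed contents, hypothetical names
        "os_loader.bin": b"loader code v1",
        "os_kernel.bin": b"kernel code v1",
        "editor.exe": b"editor program v1",
    }
    protected = ["os_loader.bin", "os_kernel.bin"]
    slot = WriteOnceSlot()
    install(disk, slot, protected)
    table = {"editor.exe": mdc(disk["editor.exe"])}

    events = [bios_boot(disk, slot, protected)]
    events.append("editor ok" if os_check(disk, table, "editor.exe")
                  else "editor modified")

    # A virus running after boot attaches to the kernel and tries to make the
    # stored reference agree with the infected file.  The slot is locked.
    disk["os_kernel.bin"] += b"VIRUS"
    try:
        slot.write(mdc(*(disk[n] for n in protected)))
        events.append("reference MDC overwritten")
    except PermissionError:
        events.append("write to NVRAM refused")

    slot.reset()                   # next power-on: ROM BIOS runs first
    events.append(bios_boot(disk, slot, protected))
    return events


if __name__ == "__main__":
    for e in scenario():
        print(e)
```

The window the alternative embodiment closes is visible in bios_boot(): the lock must be set before the first unchecked program executes, otherwise a virus in that program could rewrite the slot exactly as the scenario attempts.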
While the technique is very secure and usable in an ideal environment, a PC is far from an ideal environment. Files change often, in many cases files which are considered critical system files, so bookkeeping the changes and recalculating the affected MDCs is problematic. Further, many PCs have very complicated booting procedures, and the technique can interfere with those procedures. So while the technique is theoretically secure, in practice the many variables of a PC environment limit its usefulness. It would therefore clearly be desirable to overcome these PC environment problems so that the technique can be used to provide positive detection of viruses.