WikiPatents - Community Patent Review
Method and apparatus enhancing computer system security
United States Patent 6038667
Link to this page: http://www.wikipatents.com/6038667.html
Inventor(s): Helbig, Sr.; Walter A. (Medford Lakes, NJ)

Abstract
A security enhanced computer system arrangement includes a coprocessor and a multiprocessor logic controller inserted into the architecture of a conventional computer system. The coprocessor and multiprocessor logic controller are interposed between the CPU and the remainder of the conventional computer system, where they intercept and replace the control signals passed over certain critical control signal lines associated with the CPU. The multiprocessor logic controller thereby isolates the CPU from the remainder of the system, permitting separate control over the CPU and over the remainder of the system. By controlling the signals normally passed between the CPU and the remainder of the system, the multiprocessor logic controller permits the coprocessor to perform highly secure operations. These operations, selectable by a trusted operator or built into a cooperating operating system, verify that the computer system is a trusted computing base which can be relied upon to perform its operations properly and without compromise.

Title Information
Publication Date: March 14, 2000
Application Number: 09/172,438
Filing Date: October 14, 1998
US Classification: 726/16; 714/39; 714/9
Examiner: Wright; Norman Michael
Attorney/Law Firm: Reed Smith Shaw & McClay LLP
Parent Case: This application is a continuation of application No. 08/799,339 filed Feb. 13, 1997, now U.S. Pat. No. 5,953,502.
USPTO Field of Search: 714/25; 714/26; 714/39; 714/46; 714/47; 714/9; 713/200; 713/201
Patent Tags: enhancing computer security
   
References Cited

U.S. References
5832294  Reinschmidt  Nov 1998
5761516  Rostoker et al.  Jun 1998
5734819  Lewis  Mar 1998
5671367  LeRoux  Sep 1997
5630057  Hait  May 1997
5598531  Hill  Jan 1997
5581794  Lin et al.  Dec 1996
5564054  Bramnick et al.  Oct 1996
5542044  Pope  Jul 1996
5509120  Merkin et al.  Apr 1996
5511184  Lin  Apr 1996
5475839  Watson et al.  Dec 1995
5471638  Keeley  Nov 1995
5392436  Jansen et al.  Feb 1995
5283828  Saunders et al.  Feb 1994
5283870  Joyce et al.  Feb 1994
5237699  Little et al.  Aug 1993
5214695  Arnold et al.  May 1993
5193181  Barlow et al.  Mar 1993
5144659  Jones  Sep 1992
5121345  Lentz  Jun 1992
5113522  Dinwiddie, Jr. et al.  May 1992

Foreign References: none listed
Other References: none listed
Claims

What is claimed is:

1. In a computer system including a central processor unit, said central processor being plugged into a first socket on a first circuit board, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto through said first socket, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said respective plurality of control signal lines, said first control signal line including a first control signal, a method for enhancing the security of said computer system, said method comprising:

removing said central processor unit from said first socket;

replacing said central processor by plugging a second circuit board into said first socket, said second circuit board further having a second socket substantially identical to said first socket;

plugging said central processor unit into said second socket on said second circuit board; and

intercepting said first control signal.

2. A method in accordance with claim 1, wherein said step of intercepting said first control signal comprises:

disconnecting said first control signal line from said central processor unit;

substituting a second control signal to/from said central processor unit in place of said first control signal by interposing said second control signal on said first control signal line.

3. A method in accordance with claim 1, wherein said first control signal is a clock signal.

4. A method in accordance with claim 1, wherein said first control signal is an interrupt signal.

5. A method in accordance with claim 1, wherein said first control signal is a write strobe signal.

6. A method in accordance with claim 1, wherein said first control signal is a read strobe signal.

7. A method in accordance with claim 1, wherein said first control signal is a data ready signal.

8. A computer system comprising:

a first processor having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said first processor on a respective plurality of control signal lines including a first control signal line being one of said respective plurality of control signal lines, said first control signal line including a first control signal;

a multiprocessor logic controller for capturing said first processor unit; and

a second processor, wherein, during said capturing, said multiprocessor logic controller assigns a second memory address space to said second processor and a first memory address space to said first processor, and wherein said second memory address space is non-accessible to said first processor; and wherein

said multiprocessor logic controller captures said first processor by isolating said first processor from said second processor through a preventing of reception of said first control signal by said first processor, and wherein said multiprocessor logic selectively enables said second processor.

9. A method in accordance with claim 8, wherein said step of preventing reception of said first control signal comprises:

disconnecting said first control signal line from said central processor unit;

substituting a second control signal to/from said central processor unit in place of said first control signal by interposing said second control signal on said first control signal line.

10. A method in accordance with claim 8, wherein said multiprocessor logic controller is responsive to said second processor to release said central processor unit by not preventing reception of said first control signal by said first processor.

11. A method in accordance with claim 8, wherein said multiprocessor logic controller is responsive to said second processor to release said central processor unit by reconnecting said first control signal to said first processor.

12. A method in accordance with claim 8, wherein said first control signal is a clock signal.

13. A method in accordance with claim 8, wherein said first control signal is an interrupt signal.

14. A method in accordance with claim 8, wherein said first control signal is a write strobe signal.

15. A method in accordance with claim 8, wherein said first control signal is a read strobe signal.

16. A method in accordance with claim 8, wherein said first control signal is a data ready signal.

17. A multiple processor system comprising:

a first processor having a plurality of terminals for receiving a first plurality of control signals coupled thereto;

a second processor;

a multiprocessor logic controller for preventing reception of at least one of said first plurality of control signals by said first processor and for substituting at least one of a second plurality of control signals in place of said one of said first plurality of control signals, and for selectively enabling said first processor and said second processor, respectively, wherein, during said preventing reception, said multiprocessor logic controller assigns a second memory address space to said second processor and a first memory address space to said first processor, and wherein said second memory address space is non-accessible to said first processor.

18. A multiple processor system in accordance with claim 17, wherein said one of said first plurality of control signals is a clock signal.

19. A multiple processor system in accordance with claim 17, wherein said one of said first plurality of control signals is an interrupt signal.

20. A multiple processor system in accordance with claim 17, wherein said one of said first plurality of control signals is a write strobe signal.

21. A multiple processor system in accordance with claim 17, wherein said one of said first plurality of control signals is a read strobe signal.

22. A multiple processor system in accordance with claim 17, wherein said one of said first plurality of control signals is a data ready signal.
Description

FIELD OF THE INVENTION

The present invention relates to the field of computer security and the ability to detect and/or prevent breaches of computer security.

BACKGROUND OF THE INVENTION

Computer systems are subject to attack by intruders who seek to steal or corrupt valuable data or programs. Attackers have various techniques for defeating security measures and gaining access to computer system resources. Attacks generally depend on changing the content of some critical portion of the computer control software. One example is to change an entry in the table of interrupt vectors so that execution is redirected to a planted program whenever the affected interrupt is invoked. Other attacks rewrite portions of the hard disk boot sector or modify the BIOS software. In each case, execution of the planted program gives the attacker access to the computer system.

One way to prevent intrusion is to protect the areas of RAM or disk containing critical portions of the computer control software from being overwritten except under specified conditions. In some computer architectures the address space is divided into two or more protection rings. Preventive measures of this kind are often quite complex and generally contain a weak link that an attacker can exploit to circumvent them. For example, UNIX uses a two-ring architecture (user and kernel), yet provides a facility (such as a setuid-root program) by which a process running in the less privileged outer ring acquires root privilege. Because an outer-ring process can in this way come to run as root, it remains possible for it to modify the portion of the computer control software that controls protected memory.

In the IBM compatible PC standard running DOS, which uses the processor's ringless real addressing mode, there is no architectural constraint preventing any program from corrupting the system software. Even when the real and protected addressing modes of the Intel 386 and later microprocessors are used, sufficiently privileged protected-mode code can generally switch the processor back to real mode, forming a back door that bypasses the security features set up in protected mode. The foregoing measures are designed to prevent intrusion. Detecting an intrusion after the fact presents a different class of problems.

One way to detect whether an intrusion has occurred is to check whether any critical portion of the computer control software has been altered. Generally, to detect alteration of a file, a digital signature for that file is computed using one of a variety of techniques, such as a one-way (non-reversible) hash function, for example the Secure Hash Standard described by the National Institute of Standards and Technology in FIPS PUB 180-1, published April 17, 1995. A value of this type is also known as a modification detection code (MDC), a message authentication code (MAC) or a message digest. (Strictly, a MAC is computed under a secret key, and the "digital signature" of this description is an unkeyed digest, not a public-key signature; an unkeyed digest detects modification only if the attacker cannot also replace the stored reference value, which is why the reference values in the present system are kept in memory the CPU cannot write.) The hash standard is called secure because it is computationally infeasible to find a message corresponding to a given message digest, or to find two different messages that produce the same message digest. Collisions in SHA-1 have since been demonstrated in practice, so a current implementation would use a later member of the same standard family such as SHA-256. A system using modification detection codes to verify system software and trusted application programs is shown in U.S. Pat. No. 5,421,006.

A trusted operator initiates the computation of a digital signature for each critical portion of the computer control software or data. Note that a critical program area or control software can be either an executable program or critical system data (e.g. a table of data entries). The resulting set of digital signatures is stored in a secure area of memory. At a later time the system can be checked by recomputing the digital signatures of the same critical portions of the computer control software or data and comparing each recomputed digital signature with the corresponding stored one. If any recomputed digital signature differs from the originally computed one, an error condition is flagged to the user, indicating that tampering, and thus a possible intrusion, has been detected.

However, it cannot be guaranteed that an attacker has not altered the operation of the security sequence itself, which would defeat the tamper detection system. For example, on power-up or system reset the computer initializes itself using the contents of its BIOS memory, which have not been checked for alteration. In the above-cited U.S. Pat. No. 5,421,006 the boot record loaded by the running BIOS is checked, but the BIOS itself is not verified before it is run; BIOS extensions are likewise run without verification. The cited patent also shows BIOS stored in read-only memory, whereas modern systems store BIOS in electrically erasable memory (EEPROM or flash) that software can rewrite. Running BIOS and its extensions at start-up without verification, regardless of a later signature check, remains a potential weak link that can be exploited to gain entry: code that runs before the check can alter what the check sees.
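The enrol, recompute and compare procedure described above, and the weak link of a reference store the attacker can rewrite, as an added example that is not part of the patent. It uses the SHA-1 hash of FIPS 180-1 that the text cites; the region contents (a 256-entry real-mode interrupt vector table, a BIOS image, a config.sys) and the interrupt-hooking attack are constructed stand-ins, and `enroll`, `verify` and `redirect_interrupt` are names chosen for this model:

```python
"""Added example (not from the patent): enrol and verify modification
detection codes for the critical regions named in the text, using the
SHA-1 hash of FIPS 180-1 that the patent cites. The region contents and
the attack are constructed stand-ins, not a real BIOS, IVT or config file."""
import hashlib
import hmac


def measure(region: bytes) -> bytes:
    """Message digest (the patent's 'digital signature') of one region."""
    return hashlib.sha1(region).digest()


def enroll(regions: dict[str, bytes]) -> dict[str, bytes]:
    """Trusted-operator step: record a reference digest for every region.
    The table must live where the CPU cannot write it (the coprocessor's
    private memory in the patent); demo() shows what happens otherwise."""
    return {name: measure(data) for name, data in regions.items()}


def verify(regions: dict[str, bytes], reference: dict[str, bytes]) -> dict[str, bool]:
    """Later check: recompute each digest and compare it with the enrolled one.
    compare_digest keeps the comparison time independent of where a mismatch is."""
    return {
        name: hmac.compare_digest(measure(regions.get(name, b"")), expected)
        for name, expected in reference.items()
    }


def sample_system() -> dict[str, bytes]:
    """Constructed regions: 256 real-mode interrupt vectors (offset:segment,
    4 bytes each, vector n at bytes 4n..4n+3), a BIOS image and config.sys."""
    ivt = bytearray(256 * 4)
    for n in range(256):
        offset, segment = 0x0100 + 0x10 * n, 0xF000          # all vectors point into BIOS ROM
        ivt[4 * n:4 * n + 4] = ((segment << 16) | offset).to_bytes(4, "little")
    return {
        "bios": b"BIOS v1.00 (constructed image)" * 8,
        "ivt": bytes(ivt),
        "config.sys": b"DEVICE=C:\\DOS\\HIMEM.SYS\r\nFILES=30\r\n",
    }


def redirect_interrupt(regions: dict[str, bytes], vector: int, segment: int, offset: int) -> dict[str, bytes]:
    """The attack from the Background: point one interrupt vector at a planted routine."""
    ivt = bytearray(regions["ivt"])
    ivt[4 * vector:4 * vector + 4] = ((segment << 16) | offset).to_bytes(4, "little")
    return {**regions, "ivt": bytes(ivt)}


def demo() -> tuple[dict[str, bool], dict[str, bool]]:
    """Returns (verdicts with a protected reference store,
    verdicts when the attacker can rewrite the reference store)."""
    clean = sample_system()
    reference = enroll(clean)
    # Hook INT 13h (disk services): the planted code at 9000:0000 runs on every disk call.
    attacked = redirect_interrupt(clean, 0x13, segment=0x9000, offset=0x0000)
    detected = verify(attacked, reference)
    # The weak link the text warns about: if the reference store is writable by the
    # CPU, the attacker re-enrols after tampering and every region checks out.
    defeated = verify(attacked, enroll(attacked))
    return detected, defeated


if __name__ == "__main__":
    detected, defeated = demo()
    print("protected reference store:", detected)
    print("writable reference store :", defeated)
```

With a protected store only `ivt` fails the check; with a store the CPU can overwrite, re-enrolling after the hook makes every region pass, which is the reason the patent keeps the reference values in the coprocessor's private memory rather than in host RAM or on disk.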

Defensively preventing breaches of computer security and detecting them are separate but related goals. Preventing substantially all breaches will remain an elusive goal as long as the system can be connected to another computer that is insecure. Real-time or near-real-time detection of a breach must be rapid enough to initiate shut-down procedures and prevent further entry before damage occurs. Reliable detection alone will not prevent a breach, but it limits the damage by reporting the breach promptly and providing an audit trail. It would therefore be desirable to provide a detection system that reliably detects substantially all breaches of computer security, including attacks upon the detection system itself. For this purpose the detection system must be sufficiently impervious to attack to complete its critical function, i.e., to detect the attack.

SUMMARY OF THE INVENTION

In accordance with the present invention, a coprocessor arrangement is inserted into the architecture of a conventional computer system in a novel manner. In particular, the coprocessor arrangement is interposed between the central processor unit (CPU) and the remainder of the computer system enabling the coprocessor to prevent certain critical control signal lines from passing between the two. In such manner, the coprocessor arrangement isolates the CPU of the conventional computer system from the remainder of the computer system, thus permitting the coprocessor to obtain separate control over both the CPU and the remainder of the computer system. By isolating the CPU control signals from the remainder of the computer system, the coprocessor can interrupt the normal computer system operation at any time to check digital signatures of any firmware or software in the computer system before it is used either the first time or any time thereafter.

The present system can be retrofitted, for example, into an existing PC system having an Intel I486 microprocessor chip as the CPU by removing the CPU from its socket on the mother board and inserting an ASIC (Application Specific Integrated Circuit), a daughter board, or another form of multi-chip module (MCM) into the empty CPU socket. The removed I486 is reinserted into a socket on the daughter board. The control signals to and from the CPU pass through logic on the daughter board which intercepts the normal CPU control signals and substitutes other control signals as required for the coprocessor to operate. The CPU is released by allowing control signals to pass again between it and the computer system. Data and address signals are connected directly through lines on the daughter board between the CPU and the computer system, and also to the logic on the daughter board. In future systems the functions of the daughter board can be partially or totally built into the mother board, and/or integrated in whole or in part into future microprocessor integrated circuits.

The daughter board further contains a coprocessor subsystem in the form of a RISC microprocessor chip, and a multiprocessor logic controller. The multiprocessor logic controller is a hardware-controlled finite state machine implemented by one or more field programmable gate arrays (FPGAs) and by firmware in one or more non-volatile memory ICs. The multiprocessor logic controller determines when to disconnect and when to reconnect the associated control signal lines between the CPU and the remainder of the conventional PC. While the CPU is disconnected from the remainder of the computer system, the multiprocessor logic controller enables and controls the activities of the CPU and the RISC coprocessor to perform the security checking of the components of the computer system. Disconnection and reconnection of a control signal line may be physical (such as by a relay), optical (such as by an optical coupler), electrical (such as by a solid state switch) or logical (such as by a logic gate). Control signal lines which are bi-directional (carrying control signals to and from the CPU) may be disconnected and substitute control signals interposed in either direction.

For example, the multiprocessor logic controller on the daughter board captures and releases the CPU control signals, and operates the CPU with its own firmware to direct the RISC coprocessor subsystem to generate or verify a digital signature for a given computer file. Towards this end, control over the remainder of the computer system is passed back and forth, according to firmware, between the RISC coprocessor and the CPU by the multiprocessor logic controller. Once the verification of one or more digital signatures is completed, the multiprocessor logic controller then re-establishes the connections between the CPU and the remainder of the computer system, and the system resumes normal PC operation.

In regular computer operation, the CPU receives data and control signals in a normal fashion from the mother board. At the request of the trusted operator, the RISC coprocessor computes digital signatures for files indicated by the trusted operator. The RISC coprocessor stores the digital signatures. Typical files indicated for protection would be the BIOS memory, DOS, the interrupt table, and the autoexec.bat and config.sys files in the root directory. The stored digital signatures represent the secured state of the computer system, i.e., the state of selected critical portions of the computer control software files before any intrusion has taken place. The operation of the circuitry on the daughter board is transparent to normal operation. Each time the system is restarted, a new security check for intrusion is performed.

System Security Check Upon Power Up or System Reset

To detect prior intrusion, the RISC processor and the CPU perform an alternating cross check on power-up (or following a hard system reset). The multiprocessor logic controller in the daughter board first captures the CPU control signal lines and then causes both the CPU and the daughter board's RISC processor to run their built-in self test routines. The CPU then runs firmware stored in a daughter board Flash RAM that commands the RISC coprocessor to run its software-directed self test routine. At this point the CPU suspends operation, and the RISC coprocessor runs its self check routine and other system checks such as tests of the memories on the daughter board. Upon successful completion of these tests the RISC coprocessor suspends operation and the CPU resumes operation. If the trusted operator has previously chosen to have the BIOS ROM tested at this point, the CPU requests that the RISC coprocessor perform the BIOS test, and the CPU suspends its operation while the RISC coprocessor restarts to perform the test.

The RISC coprocessor then computes the digital signature(s) for the BIOS on the mother board and compares it with the signature(s) for the BIOS previously generated and stored on the daughter board. If the recomputed digital signature(s) check against the previously computed digital signature(s), the CPU is released and allowed to run other trusted operator specified tests or to begin normal execution of its BIOS to set up all the other machine tables and parameters it needs for normal PC operation.

As the last part of the normal BIOS execution by the CPU, the CPU checks to see whether any of the computer system's components have extensions to the built in BIOS, and then executes those BIOS extensions that are found to be present. Operating as one of the BIOS extensions, the multiprocessor logic controller on the daughter board (through the execution of the daughter board resident BIOS extension), recaptures the CPU (by capturing its control signal lines) before it can execute the system boot up firmware. Then, as directed by previously specified trusted operator selections, the daughter board checks the digital signatures of DOS, the interrupt tables, autoexec.bat and config.sys files (through direct access to the system's RAM and to the hard disk sectors) or any other critical program as preselected by the trusted operator.

If the daughter board multiprocessor logic controller system verifies all digital signatures of the system components as specified by the trusted operator, the CPU is released and the system allowed to boot and run normally. From this point, the presence of the daughter board is transparent to the operation of the computer system.

Any past attack that altered any portion of the BIOS firmware designated for protection by the trusted operator shows up as an error condition at the next power-up or hard reset. Any attack on the BIOS extension firmware or on any critical software designated for protection by the trusted operator shows up as an error condition at the next reset of any kind, whether a hard reset or a soft reset (one commanded by the CTRL-ALT-DEL keystroke combination). In this manner an intrusion representing a possible breach of computer security is detected.
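The staged power-up check described in this section, as an added software model that is not the board's logic or the patent's own code. The multiprocessor logic controller (MLC) owns the five control lines the claims name and substitutes its own values while the CPU is captured, so nothing unverified can be fetched; the stall behaviour, the class names, the firmware images and the reference digests are assumptions for the model:

```python
"""Added example (not from the patent): a software model of the
multiprocessor logic controller (MLC) holding the CPU's control lines
during the power-up cross check. The five line names are the ones the
claims list; the stall behaviour, the firmware images and the reference
digests are assumptions for the model, not the board's real logic."""
import hashlib
import hmac
from dataclasses import dataclass, field

CONTROL_LINES = ("clock", "interrupt", "read_strobe", "write_strobe", "data_ready")


@dataclass
class Cpu:
    """Host CPU: it can execute a stage only while the board drives its clock."""
    executed: list[str] = field(default_factory=list)

    def run(self, stage: str, lines: dict[str, bool]) -> bool:
        if not lines["clock"]:          # clock substituted by the MLC: no fetch at all
            return False
        self.executed.append(stage)
        return True


@dataclass
class LogicController:
    """Finite state machine that owns the CPU's control lines (claims 1-7)."""
    board_lines: dict[str, bool]        # what the mother board is driving
    captured: bool = False
    log: list[str] = field(default_factory=list)

    def lines_seen_by_cpu(self) -> dict[str, bool]:
        if self.captured:               # substitute values: clock/data_ready held low, interrupts masked
            return {name: False for name in CONTROL_LINES}
        return dict(self.board_lines)   # pass-through: the daughter board is transparent

    def capture(self) -> None:
        self.captured = True
        self.log.append("capture")

    def release(self) -> None:
        self.captured = False
        self.log.append("release")


def digest_ok(image: bytes, reference: bytes) -> bool:
    """Recompute the SHA-1 digest of an image and compare it in constant time."""
    return hmac.compare_digest(hashlib.sha1(image).digest(), reference)


def power_up(images: dict[str, bytes], reference: dict[str, bytes]) -> tuple[bool, list[str], list[str]]:
    """The staged check of 'System Security Check Upon Power Up or System Reset'.
    Returns (trusted, stages the CPU actually executed, MLC event log)."""
    mlc = LogicController(board_lines={name: True for name in CONTROL_LINES})
    cpu = Cpu()
    mlc.capture()                                   # before the CPU's first fetch
    # Stage 1: the coprocessor measures the mother-board BIOS while the CPU is stalled.
    if not digest_ok(images["bios"], reference["bios"]):
        mlc.log.append("alarm: bios")
        return False, cpu.executed, mlc.log         # never released: untrusted BIOS never runs
    mlc.release()
    cpu.run("bios", mlc.lines_seen_by_cpu())
    # Stage 2: the daughter-board BIOS extension recaptures the CPU before the
    # boot-up firmware runs, and the remaining operator-selected items are checked.
    mlc.capture()
    for name in ("dos", "ivt", "config.sys", "autoexec.bat"):
        if not digest_ok(images[name], reference[name]):
            mlc.log.append(f"alarm: {name}")
            return False, cpu.executed, mlc.log
    mlc.release()
    cpu.run("boot", mlc.lines_seen_by_cpu())
    return True, cpu.executed, mlc.log


def sample_images() -> dict[str, bytes]:
    """Constructed firmware/software images standing in for the real ones."""
    return {
        "bios": b"BIOS v1.00 (constructed)",
        "dos": b"IO.SYS MSDOS.SYS (constructed)",
        "ivt": bytes(256 * 4),
        "config.sys": b"FILES=30\r\n",
        "autoexec.bat": b"@ECHO OFF\r\n",
    }


def enroll(images: dict[str, bytes]) -> dict[str, bytes]:
    """Trusted operator records the reference digests on the daughter board."""
    return {name: hashlib.sha1(data).digest() for name, data in images.items()}


if __name__ == "__main__":
    imgs = sample_images()
    ref = enroll(imgs)
    print(power_up(imgs, ref))
    print(power_up(dict(imgs, bios=b"BIOS v1.00 (constructed) + implant"), ref))
```

The ordering is the point: with an implanted BIOS the CPU executes no stage at all, because the MLC never releases it; with an implanted config.sys the verified BIOS runs, the extension recaptures the CPU, and the alarm fires before the boot sector executes.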

Monitoring Operation

In accordance with a second aspect of the present invention, the coprocessor arrangement may be used as a security monitor. While operating transparently, the multiprocessor logic controller on the daughter board monitors the control, data and address lines to and from the CPU; in particular it watches for write operations to the protected memory areas containing critical programs or data. If an attempt is made to alter any critical portion of the computer control software designated for protection by the trusted operator, the multiprocessor logic controller captures control of the CPU, an alarm is raised and the system shuts down. If the error condition recurs, the system may be restarted only by the trusted operator. In this manner an intrusion representing a possible breach of computer security is stopped before the breach occurs.

Uniprocessor Implementation of the Present Coprocessor Architecture

The division of functions between the CPU, multiprocessor logic controller and the RISC coprocessor is very flexible. In theory, some functions of the multiprocessor logic controller can be incorporated into the RISC coprocessor software. However, the physical interception of control signals to the CPU is naturally embodied in hardware. In addition, because of the speed needed to respond to the appearance of a forbidden address on the address bus, or to capture control on power up, a hardware implementation of the multiprocessor logic controller is preferred.

Also, since the CPU and RISC coprocessor alternate their operation under the control of the multiprocessor logic controller (one stops when the other starts), the CPU may perform both functions and the RISC coprocessor be eliminated. In that case the multiprocessor logic controller switches the CPU from its normal environment in the PC to a protected environment on the daughter board, where the CPU performs the security functions of the RISC coprocessor. The main advantage of one processor switched between normal PC and security functions is the economy of having only one processor. The trade-off for eliminating the RISC coprocessor is reduced security, which in certain commercial applications is acceptable. For higher security a separate and independent coprocessor is used.

General Coprocessor Architecture

In accordance with yet another aspect of the present invention, the RISC coprocessor may be utilized as a general purpose coprocessor. Communication is effectuated through the data and address lines which are monitored by the multiprocessor logic controller. Certain combinations of addresses and data form commands to the RISC coprocessor to carry out a particular task. To perform the task, the multiprocessor control logic captures control of the PC and transfers control to the RISC coprocessor which carries out the requested task. When the task is done, the RISC coprocessor stores the task results in memory space available to the CPU and through the multiprocessor logic controller, returns control of the PC to the CPU. In alternative embodiments, the RISC coprocessor may capture the address and data lines to load task results in RAM memory or on hard disk storage or may leave the result in one of the CPU's general registers.

The RISC coprocessor and the CPU have both separate and shared memory address spaces. Shared memory space is used for interprocessor communication, as indicated above. Separate private memory space in the RISC coprocessor assures that the CPU cannot tamper with the security procedures carried out by the RISC coprocessor. The use of separate memory address spaces for the CPU and RISC coprocessor with the ability of the RISC coprocessor to intercept the control lines of the CPU provides the high level of confidence in the security of the present coprocessor arrangement.
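The monitoring mode described under "Monitoring Operation" and the address-space separation described in the paragraph above, as one added model that is not the patent's logic or the FPGAs' actual design. Each CPU bus cycle is decoded against the coprocessor's private space (never reachable by the CPU), the shared RAM used for inter-processor communication, and operator-designated host regions where an asserted write strobe means capture, alarm and shutdown; the address ranges, the sample cycles and the alarm threshold after which only the trusted operator may restart are illustrative assumptions, as are the class names:

```python
"""Added example (not from the patent): a model of the bus separator
FPGAs and the write-monitoring mode. Every CPU bus cycle is decoded
against the coprocessor's private space (never reachable by the CPU),
the shared RAM used for inter-processor communication, and the host
regions the trusted operator designated as protected, where an asserted
write strobe means capture, alarm and shutdown. Address ranges, cycles
and the alarm threshold are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Verdict(Enum):
    PASS = auto()       # forwarded to the mother board unchanged
    DROP = auto()       # coprocessor-private space: not accessible to the CPU
    ALARM = auto()      # write to a protected host region: capture + shutdown


@dataclass(frozen=True)
class Cycle:
    addr: int
    write: bool         # True when the write strobe is asserted
    data: int = 0


@dataclass
class BusMonitor:
    coproc_private: tuple[int, int]                 # [lo, hi)
    shared: tuple[int, int]                         # [lo, hi), reachable by both processors
    protected: dict[str, tuple[int, int]]           # operator-designated host regions
    max_alarms: int = 3                             # after this many, only the operator may restart
    alarms: list[str] = field(default_factory=list)
    cpu_captured: bool = False

    @staticmethod
    def _within(rng: tuple[int, int], addr: int) -> bool:
        lo, hi = rng
        return lo <= addr < hi

    def decode(self, c: Cycle) -> Verdict:
        if self._within(self.coproc_private, c.addr):
            return Verdict.DROP                     # claim 8: the second address space is non-accessible
        if self._within(self.shared, c.addr):
            return Verdict.PASS                     # mailbox traffic between the two processors
        if c.write:
            for name, rng in self.protected.items():
                if self._within(rng, c.addr):
                    self.alarms.append(f"write {c.addr:#07x} -> {name}")
                    self.cpu_captured = True        # MLC takes the control lines; alarm; shutdown
                    return Verdict.ALARM
        return Verdict.PASS

    def restart(self, trusted_operator: bool) -> bool:
        """After an alarm the system may be restarted; once alarms recur
        only the trusted operator may restart it."""
        if not self.cpu_captured:
            return True
        if len(self.alarms) >= self.max_alarms and not trusted_operator:
            return False
        self.cpu_captured = False
        return True


def run_sample() -> tuple[BusMonitor, list[Verdict]]:
    """Constructed bus traffic from a DOS-era host, real-mode linear addresses."""
    m = BusMonitor(
        coproc_private=(0xE0000, 0xE8000),          # illustrative placement
        shared=(0xD0000, 0xD8000),
        protected={"ivt": (0x00000, 0x00400), "bios": (0xF0000, 0x100000)},
    )
    cycles = [
        Cycle(0x0004C, write=False),                 # DOS reads the INT 13h vector: normal
        Cycle(0xE0010, write=False),                 # CPU probes coprocessor memory: dropped
        Cycle(0xD0000, write=True, data=0x01),       # mailbox write in shared RAM: normal
        Cycle(0x0004C, write=True, data=0x90000000), # hooking INT 13h: alarm, CPU captured
    ]
    return m, [m.decode(c) for c in cycles]


if __name__ == "__main__":
    monitor, verdicts = run_sample()
    for cycle_verdict in verdicts:
        print(cycle_verdict.name)
    print("alarms:", monitor.alarms, "captured:", monitor.cpu_captured)
```

Reads of the interrupt table are ordinary DOS traffic and pass; the write that hooks INT 13h is what trips the monitor, and a probe of the coprocessor's private space is simply not forwarded, so the CPU cannot read, let alone tamper with, the reference digests or the security firmware.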

By use of the present invention, the computer system can be set up by the trusted operator such that the CPU does not run any firmware or software (including the mother board BIOS) unless that software is first verified by the RISC coprocessor. To solve the prior art problem of where verification can begin, the multiprocessor logic controller of the present invention starts by capturing control of the CPU, so that no untrusted software has an opportunity to run. Then, as the system software is verified by the RISC coprocessor in stages, the CPU is permitted to run more and more of the verified system software, also in stages. Unlike the prior art, every level of the system software, including the BIOS that would otherwise be the absolute starting point, is verified to be unchanged since the trusted operator last declared the system trusted before it is allowed to run.

DESCRIPTION OF THE FIGURES

FIG. 1 is a block diagram of a security enhanced processor board in accordance with the present invention.

FIGS. 2A and 2B are a state diagram of a logic controller for controlling an I486 CPU operation in accordance with the present invention.

FIG. 3 is a state diagram of a logic controller for controlling a RISC coprocessor operation in accordance with the present invention.

FIG. 4 is a flow chart diagram of the intrusion detection operation of a multiple processor system in accordance with the present invention.

FIG. 5 is a flow chart diagram of the intrusion prevention operation of a multiple processor system in accordance with the present invention.

FIGS. 6 and 7 are memory allocation maps for the memory space of the I486 CPU, RISC coprocessor (MYK-80) and daughter board Flash RAMs.

FIG. 8 is a block diagram of a Security Enhanced Processor Board in accordance with the present invention.

FIG. 9 is a table listing of the signals intercepted, bypassed and monitored by the Security Enhanced Processor Board in accordance with the present invention.

FIG. 10 is a diagram of the choices provided by the Trusted Operator interface program.

DETAILED DESCRIPTION

Overview

A block diagram of a computer with a security coprocessor to form a Security Enhanced Processor Board (SEPB), in accordance with the present invention, is shown in FIG. 1.

The SEPB consists of a dual microprocessor arrangement of an Intel I486 CPU 24 and a RISC coprocessor MYK-80, 10, programmed as a security coprocessor. The MYK-80 is a special purpose combination of an ARM6 RISC microprocessor, some amount of ROM to store the firmware that composes the routines, and other logic as needed to support the MYK-80 and external operations. The MYK-80 was designed by Mykotronix, Inc. and is processed by VLSI Technologies, Inc. Mykotronix, Inc. is responsible for the technical support of the MYK-80 and for its documentation.

Along with the two microprocessors 10, 24 are two sets of ROMs, MFROM 28 and IFROM 30, organized into 32-bit wide memories and holding specialized programs and data for the MYK-80 and the Intel 80486 microprocessor, respectively, and a Shared 32-bit wide RAM, SRAM 26. There are two FPGA's, control FPGA2 40 (MYK80CT2) and control FPGA1 38 (I486CTE), on the SEPB that provide logic for controlling the Host PC operation in general and operations of the MYK-80 and the I486 microprocessors. There are two additional FPGA's, Address Bus Separator FPGA 12 (SEPBABUS) and Data Bus Separator FPGA 14 (SEPBDBSB) that provide the logic for controlling all communications between the MYK-80, the I486 and the PC electronics via the Processor Address Bus 32 and the Processor Data Bus 34, respectively. FPGA's 12 and 14 permit the MYK-80, via subsystem Control Bus 18, to keep the MYK-80 Subsystem Address Bus 20 and MYK-80 Subsystem Data Bus 22 separate from the I486 Processor Address Bus 32 and the I486 Processor Data Bus 34, respectively.

When designed as an add on board to an existing Host PC, the SEPB has a connector on it that is the same as the 168-pin Pin Grid (PGA) connector of the I486 CPU in the Host PC so that the SEPB can be plugged into the Host PC in the same socket that would hold the I486 CPU. The I486 CPU is then plugged into a socket provided for it on the SEPB.

Note that Processor Address Bus 32 and Processor Data Bus 34 are continuously connected to the I486 CPU, and selectively connected to the MYK-80, via FPGA's 12 and 14, to transfer addresses over the Processor Address Bus 32 and to send and receive data over the Processor Data Bus 34. However, part of the Processor Control Bus 36 normally directly connected to the I486 CPU 24 is separated by FPGA 38 from the I486 CPU 24 under the control of the multiprocessor logic controller built into FPGA1 38 and FPGA2 40. In such manner, the multiprocessor logic controller, acting as a coprocessor to CPU 24, is able to capture CPU 24 by intercepting the CPU 24 Processor Control Bus (Part A) 36 signals and substituting other Processor Control Bus (Part A) 36A signals at the output of FPGA 38 (for control signals to the CPU, and vice versa for control signals from the CPU). The remaining Processor Control Bus (Part B) signals 36B are directly connected to the I486 CPU 24. The multiprocessor logic controller allows the I486 to run special code which can then request the MYK-80 processor 10 to perform a task (usually a security related task). Power on circuit 16 and reset signals 42 are coupled to FPGA's 38 and 40.
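The staged verification described in the overview above (capture the CPU's control lines at reset, verify one level of system software at a time, release the CPU only for verified code, and keep the reference digests in memory the CPU cannot address) can be modelled in software. The following Python is an added example, not code from the patent or from the MYK-80 firmware; the stage names, the substituted "HOLD" control line and the SHA-256 digests are constructed for illustration and are not the signals listed in FIG. 9.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed boot stages, verified in this order (illustrative, not from the patent).
BOOT_STAGES = ("bios", "boot_loader", "os_kernel")


class SecurityCoprocessor:
    """Model of the RISC coprocessor plus the logic controller that intercepts
    the CPU's Part A control lines."""

    def __init__(self, trusted_images: Dict[str, bytes]):
        # Private memory: reference digests recorded when the trusted operator
        # declared the system trusted. Only the coprocessor writes here.
        self._private = {n: hashlib.sha256(i).digest() for n, i in trusted_images.items()}
        self.shared: Dict[str, bytes] = {}   # shared RAM used as interprocessor mailbox
        self.cpu_captured = True             # control lines intercepted from reset
        self.allowed: List[str] = []         # stages the CPU has been permitted to run

    def cpu_write(self, space: str, key: str, value: bytes) -> bool:
        # The bus separators decode only shared RAM for the CPU; a write aimed at
        # the coprocessor's private space is refused, so reference digests stay intact.
        if space != "shared":
            return False
        self.shared[key] = value
        return True

    def control_lines_to_cpu(self, from_board: Dict[str, int]) -> Dict[str, int]:
        # Part A signals from the mother board pass through the controller; while the
        # CPU is captured, a substituted value holds it so no untrusted code runs.
        if self.cpu_captured:
            return dict(from_board, HOLD=1)
        return dict(from_board)

    def verify_stage(self, name: str, image: bytes) -> bool:
        # Compare the stage image against the digest held in private memory.
        ok = hashlib.sha256(image).digest() == self._private.get(name)
        if ok:
            self.allowed.append(name)
            self.cpu_captured = False     # release the CPU for this verified stage only
        else:
            self.cpu_captured = True      # recapture: nothing at or beyond this stage runs
        return ok

    def staged_boot(self, images: Dict[str, bytes]) -> Tuple[List[str], bool]:
        # Walk the stages in order; the first failing stage stops the sequence.
        for name in BOOT_STAGES:
            if not self.verify_stage(name, images.get(name, b"")):
                break
        return list(self.allowed), self.cpu_captured
```

With an unmodified image set every stage is released in turn; a tampered boot loader leaves only the BIOS allowed and the CPU held on its control lines.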

A more detailed block diagram of the signals affected by the SEPB logic is shown in FIGS. 8 and 9. In FIG. 8, the SEPB logic 800 intercepts 17 signals to/from 808 the mother board, which are going to/from 806 the processor. The 17 intercepted signals are listed in FIG. 9 tables 904 and 906 respectively on each side of the interception. Sixty seven signals in FIG. 8 are monitored 804 by the SEPB logic. These 67 monitored signals are listed in FIG. 9, table 904. Sixteen signals in FIG. 8 are bypassed 802 by the SEPB logic. These 16 bypassed signals are listed in FIG. 9, table 902.

The portion of FIG. 1 constituting the conventional Host PC System (in conjunction with the I486 CPU 24) includes I/O interface 44, interface controller 48, EISA converter 50, expansion memory controller 52 with associated DRAM memory 54, as well as a master memory controller 46 and DRAM memory 56. Coprocessor 10, SRAM memory 26, FROM memory 28, FPGA's 12, 14, 38, 40, and FROM 30 comprise the elements added to the Host PC system to form a Security Enhanced Processor Board. In situations where an insecure Host PC is being upgraded, the latter elements are added via a plug-in daughter board. However, the latter elements may also be added onto a conventional mother board, or integrated, fully or partially, into a special purpose I486 CPU.

Intrusion Detection (FIG. 4)

A flow chart illustrating the use of the coprocessor of the present invention for intrusion detection is shown in FIG. 4. The intrusion detection function is entered upon reset or power up at step 60, where the multiprocessor logic controller on the daughter board captures the control signal lines of the CPU.

First, at step 62, the multiprocessor logic controller requests that the CPU run its self test and that, simultaneously, the RISC processor run its self test, and any other tests programmed into the RISC SEPB firmware, such as those of memories and SEPB hardware. When the running of these tests is comp