Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-04-30
2001-10-09
Trammell, James P. (Department: 2161)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06301665
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to security and personal computer systems, and more particularly to a method for extending computer security features to devices having Plug and Play capabilities.
2. Description of the Related Art
The prevention of data theft is extremely important in computer systems designed to exist on corporate networks as well as home computers. Companies and individuals spend large sums of time and money developing data that resides in these systems. Adequately protecting a computer system's resources from unauthorized access is thus a primary concern of computer users.
To address various security issues, including protection of system ROM and other memory locations, a security device was developed as described in commonly-assigned U.S. patent application Ser. No. 081779,061, entitled “SECURITY CONTROL FOR PERSONAL COMPUTE,” which is hereby incorporated by reference for all purposes as if set forth in its entirety. The security device described therein provides a secure method for access to different system resources, and was capable of preventing data transfer via externally accessible channels by turning off common system devices such as the parallel port, the serial port(s), the floppy disk controller, etc. The logic for all of these devices as well as other logical devices normally exists within a computer system's “Super I/O” chip or similar device. The Super I/O chip provides a mechanism to disable the various logical devices via one or more configuration registers.
Merely turning off system devices, however, is not sufficient protection. To make a system more secure, it is necessary that the devices cannot be turned back on by an unauthorized user. In current systems, security logic is used to block ISA bus read and/or write cycles to the registers in the Super I/O chip responsible for turning system devices on or off. The ISA cycles are blocked by gating an address enable signal AEN and/or I/O write control IOWC# signal of the Super I/O chip. Unauthorized cycles to the Super I/O chip are blocked when the security logic decodes and I/O address for the Super I/O chip and the user has set what amounts to a blocking enable bit.
In prior systems, security logic in the security device protected certain ranges of non-volatile CMOS RAM within the Real-Time Clock (RTC) in the Super I/O chip. The protected locations are used to store passwords and other critical information. For example, assume that the I/O Index register address of the RTC is 0070h and the address of the Data register is 0071h. The prior security logic would work by blocking reads or writes to address 0071h when the Index, tracked by examining writes to the address 0071h, was in a predetermined range of indices to be protected. Reads and writes would be blocked by holding the I/O write control signal IOWC# or address enable signal AEN to a logic high level when the value of 0070h (the Index register address) was in the range of an Index containing sensitive information.
The security device operates by providing multiple hardware “lock” signals capable of being toggled by the user. The lock signals restrict access to specific system resources when asserted. In general, a user enters a password for a particular memory “slot” in the security device. The memory slot is then placed in a “protected” state by issuing a PROTECT RESOURCES command to the security device. While in the locked state, a lock signal is asserted, which secures system resources. To unlock the slot, the user issues an ACCESS RESOURCE command to the security device, followed by entry of the correct password. Correctly entering a slot's password changes the state of the slot to “unprotected.” The security device password may only be written if the slot is in the unprotected state. The security device can only verify and does not divulge the password, thereby enhancing the security of the system. Providing computer security is not a static process, however, as technology and new threats to security continue to develop at a rapid pace.
For example, the owners of today's personal computers (PCs) are faced with a myriad of options when choosing peripheral devices. Frequently, computer users decide to upgrade or expand the capabilities of their computer systems rather than buying an entirely new system. In the past, installing new hardware was frequently a time-consuming and frustrating process, requiring the computer user to become familiar with architectural components such as direct memory access (DMA) and various system interrupts (IRQs). Manipulation of various parameters was often required in order to ensure that its newly added components did not conflict with existing components.
Against this backdrop, a number of hardware and software manufacturers undertook an initiative to solve these dilemmas by creating the so-called Plug and Play (PnP) specification. Plug and Play is the industry term for the technology that allows a computer system to understand a user's intentions to install option cards, for example, a sound card, into the computer system and automatically configure it. This allows new options to work immediately following installation without disrupting existing system components. When a new option card is installed, Plug and Play firmware automatically figures the computer system's bus and sets key technology parameters for Plug and Play-ready add-in cards. Previously, users had to set these parameters manually, a complex and problematic exercise. When combined with features in certain operating systems, such as Windows 95, Plug and Play greatly simplifies the process of setting up a personal computer system.
Following the boot process, an operating system incorporating Plug and Play support retrieves Plug and Play information gathered by the BIOS. System resources are then allocated amongst the Plug and Play cards. Conflict-free resources for all inactive logical devices are also allocated. All logical devices that have been configured are activated, and device drivers are loaded. Details of Plug and Play configuration are generally known or available to those skilled in the art Adding Plug and Play capabilities to the Super I/O chip may create additional security concerns. Specifically, the ISA Plug and Play architecture allows a given chip to contain several “logical devices.” It does this by allowing each logical device to have its own base address. The given chip decodes all addresses for its logical devices.
When the RTC located within the Super I/O chip becomes a Plug and Play logical device whose base address can change, prior security devices may not adequately protect the contents of the RTC. For example, an unauthorized user could conceivably modify the base address of the RTC, and then gain access to unprotected Indexed locations. Other logical devices of the Super I/O chip, such as power management logic, may also have base I/O addresses capable of being modified. Further, the base address of the Super I/O chip itself may be modified in an attempt to circumvent security measures.
SUMMARY OF THE INVENTION
Briefly, the present invention provides a security methodology and security logic for protecting certain Plug and Play computer system components from unauthorized access. The security logic utilizes address enable and read/write control signals to the Super I/O chip to prevent access to specific index registers corresponding to specified logical devices. The security logic also protects the base addresses of the Super I/O chip as well as the base addresses of specified logical devices. Protecting the base addresses prevents the security logic from being circumvented by interfering with the address decoding used to track reads and writes to protected index registers.
In order to protect the base address of the Super I/O chip, a specific index register in the index register set of the Super I/O chip is monitored. Following a Plug-and-Play boot process, this index register, which governs the base address of the Super I
Simonich Christopher E.
Tran Robin T.
Akin Gump Strauss Hauer & Feld & LLP
Compaq Computer Corporation
Elisca P.
Trammell James P.
LandOfFree
Security methodology for devices having plug and play... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Security methodology for devices having plug and play..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Security methodology for devices having plug and play... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2553422