Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-05-30
2003-07-08
Wright, Norman M. (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S100000
Reexamination Certificate
active
06591366
ABSTRACT:
BACKGROUND OF THE INVENTION
Field of the Invention
The invention relates to a method and a configuration for loading data.
Data processing systems, such as personal computers for example, usually become fully functionable only after an operating system has been loaded. Even without an operating system, the data processing systems require a basic functionality that enables elementary operations to be executed. Examples of such elementary operations are routines for the inputting of characters via a keyboard and the outputting thereof on the screen and the printer, a routine for the loading of the operating system into the main memory, and also test routines for a self-test that runs automatically when the data processing system is switched on. These operations are also referred to as basic system routines. The data required for executing these system routines are stored permanently in a non-volatile memory module in a data processing system, for example PROM, EPROM, FLASH, etc. Another term used in this context is basic input output system (BIOS).
The document: c't 1997 Issue 2, Pages 106-110 has already disclosed calling suitable driver and application programs during the loading of BIOS data.
Since the basic system routines significantly influence the method of operation of the data processing system, it is sometimes necessary to use a revised version of the basic system routines in the data processing system. This can be done by exchanging the memory module PROM. If, instead of a non-overwritable PROM, an overwritable memory module, for example EEPROM, or a FLASH module is present in the data processing system, then the basic system routines can be loaded into the memory module.
In order to transfer the data for the new basic system routines, special programs are used which cooperate with conventional operating systems (i.e. Microsoft DOS). During the loading of the customary operating systems, a copy of the data from the non-volatile memory for basic system routines is stored in the main memory of the data processing system. If a functionality defined in the basic system routines is required, recourse is had to this copy in the main memory. However, the co-operation with the copy of the basic system routines results in disadvantages in respect of security, since the copied data can be altered in a comparatively simple manner by circumventing the write protection. Therefore, recent operating systems (IBM OS/2, Microsoft Windows 95 and Microsoft Windows NT) strive for executability that is possible without recourse to a copy of the basic system routines in the main memory of the data processing system.
On account of such security considerations, the recent operating systems do not support the loading of a new version of the basic system routines into the non-volatile memory module. Only programs of an application layer of the operating system are available to the user. The user has no access to programs in a kernel layer of the operating system for which access to functional elements of the data processing system which are essential to security is allowed. Therefore, the data processing system always has to be rebooted, that is to say restarted, for the loading of a new version for basic system routines. This restart must then be performed by use of another operating system, which supports at least the loading of the new version of the basic system routines. If such an operating system is loaded, security mechanisms of the operating system that is actually provided for the operation of the data processing system cannot take effect. As a result, it becomes possible to access other data stored within the data processing system. Moreover, these data can be altered in an impermissible manner by so-called viruses in such a way that functional disturbances may occur during later regular operation.
SUMMARY OF THE INVENTION
It is accordingly an object of the invention to provide a method and a configuration for loading data for basic system routines of a data processing system that overcome the above-mentioned disadvantages of the prior art methods and devices of this general type, which largely precludes security risks during the loading of the data.
With the foregoing and other objects in view there is provided, in accordance with the invention, a data loading method, which includes:
calling an application program stored in an application layer, the application program initiating a loading of information with regard to hardware components from a file containing new data for basic system routines into a main memory of a data processing system;
checking if a respective user has authorization in an event that the application program is called;
calling a driver program in a kernel layer by the application program, the driver program being prompted to read and transfer information regarding the hardware components stored in a non-volatile memory;
transferring the new data for the basic system routines and information for controlling a loading operation of the new data for the basic system routines into the non-volatile memory from the application program to the driver program; and
writing the new data for the basic system routines to the non-volatile memory, in this manner the new data for the basic system routines can be written into the non-volatile memory by the driver program from the kernel layer without a corresponding access from the application layer.
By virtue of the use of two different programs, the application program and the driver program, which can be called and are executable in the application layer and in the kernel layer, respectively, the data processing system can be operated unchanged with its intended operating system, which is protected against manipulation, during the loading operation. Impermissible circumventing of the security techniques of the operating system is thus precluded. Unauthorized overwriting of the basic system routines is thus effectively prevented. Authorization for calling the application program can be assigned for example to those users who also have administrator authorizations. The data processing system cannot be infected with viruses, provided that the operating system contains suitable protection mechanisms for combating them.
Only the data of the new version of the data for basic system routines have to be made available to the data processing system. These are transferred to the driver program by the application program. The driver program, which cannot be accessed from the application layer, transfers the data to the non-volatile memory.
In accordance with an added feature of the invention, there are the steps of using the application program for performing a comparison for ascertaining an association of the information with regard to the hardware components stored in the new data for the basic system routines with the information regarding the hardware components stored in the non-volatile memory, and ending operations if no correspondence is determined in the comparison.
Using a data comparison, it can be ensured that only those new system routines which the hardware components of the data processing system can actually process are loaded into the non-volatile memory of the data processing system. By way of example, it is thus ensured that the existing type of system board (motherboard) and of the memory and functional modules that are disposed on it correspond to the types of boards and modules which are demanded in the new data. It is thus ensured that the data processing system is fully functional after the loading operation of the basic system routines.
It is furthermore provided that the application program accepts so-called location information from the file with the new data for basic system routines. On the basis of this location information, the application program splits the new data into packets that are provided with corresponding location information items and transferred to the driver program. As a result of the data being transferred in portions in this way, the method of operation of the operating system and o
Altmann Helmut
Michel Uwe
Munker Thomas
Fujitsu Siemens Computer GmbH
Greenberg Laurence A.
Locher Ralph E.
Revak Christopher
Stemer Werner H.
LandOfFree
Method and configuration for loading data for basic system... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and configuration for loading data for basic system..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and configuration for loading data for basic system... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3076743