Security system for microcomputers
First Claim
1. A security system for protecting an IBM personal computer, or IBM-compatible personal comptuer, against unwanted access to the files thereof and unwanted access to the operating system thereof, comprising:
- an expansion card for insertion into an expansion slot of the personal computer;
said expansion card comprising at least one memory means for storing machine code having a first portion for monitoring file interrupt function calls to the files of the personal computer;
first means for storing information thereon directed to the access rights of users of the personal computer and access rights to the files of the personal computer;
said at least one memory means having a second portion thereof for monitoring all video handler interrupt functions to ensure the security system cannot be overridden during boot processing; and
a third portion for allowing communication between exterior processes and the disc operating system of the personal computer through an available interrupt call of the system;
and second means for storing said exterior processes for access to said disc operating system via said third portion, whereby access to files are protected by a user-by-user basis, and on a file-by-file basis.
5 Assignments
0 Petitions
Accused Products
Abstract
A security system for a personal computer, in which hardware and software are combined to provide a tamper-proof manner of protecting user-access and file-access. The hardware component of the system is an expansion board for insertion into an expansion slot of the PC, and has a first EPROM chip containing four portions of machine code for initializing system function calls and for establishing the proper boot-processing of the PC; a second RAM chip serving as scratch pad memory; a third EEPROM chip storing passwords, audit trail log, protection and encryption system flags, and user-access rights; a fourth automatic encryption and decryption chip for files of the PC; and a fifth clock chip for the audit trail. The software component includes a batch file that runs a program in conjunction with the machine code on the EPROM of the expansion board ensuring access is gained only for valid users. The code on the EPROM monitors all DOS 21H file handling function calls, and initializes the 7CH interrupt vector for allowing the security system to access DOS and the files thereof. During boot processing, the 10H video interrupt handler is monitored to prevent circumventing the security system. Hard-disc format-protection is also provided by monitoring of the 13H interrupt function calls. Files may also be created that may not be copied.
415 Citations
33 Claims
-
1. A security system for protecting an IBM personal computer, or IBM-compatible personal comptuer, against unwanted access to the files thereof and unwanted access to the operating system thereof, comprising:
-
an expansion card for insertion into an expansion slot of the personal computer; said expansion card comprising at least one memory means for storing machine code having a first portion for monitoring file interrupt function calls to the files of the personal computer; first means for storing information thereon directed to the access rights of users of the personal computer and access rights to the files of the personal computer; said at least one memory means having a second portion thereof for monitoring all video handler interrupt functions to ensure the security system cannot be overridden during boot processing; and
a third portion for allowing communication between exterior processes and the disc operating system of the personal computer through an available interrupt call of the system;and second means for storing said exterior processes for access to said disc operating system via said third portion, whereby access to files are protected by a user-by-user basis, and on a file-by-file basis. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A security system for protecting an IBM personal computer, or IBM-compatible personal computer, comprising:
-
an expansion board having a first memory; said first memory comprising machine code for hooking up the operating system of the personal computer with the security system, said first memory having a first main interrupt handler section for monitoring 21H DOS function calls, a second interrupt handler section for allowing communication between exterior processes through an available function interrupt vector; and
a third section for boot process handling for initializing said first main interrupt handler section and said second interrupt handler section;means for inputting and verifying the passwords of each user of the personal computer, said third section of said first memory chip causing said means for inputting and verifying to be executed during boot processing; second memory mounted by said expansion board having a first portion for storing thereon the codes for said passwords, a second portion for storing thereon codes determinant of the access right each user has to a respective file, and the state of encryption of a respective file; said second memory having a third portion for storing thereon an audit trail showing the date and time of accesses to the DOS and its files; a clock chip and associated crystal mounted on said expansion board for providing the time and date of all logon attempts and all attempted accesses to the files; means for recording the time and date audit trail from said clock chip onto said third portion of said second memory for every DOS and file access attempt; and means for continually inputting information onto said first and second portions of said second memory, so that the status of each user and the state of each file may be altered;
said means for continually inputting information comprising means for preventing the use thereof by unauthorized person. - View Dependent Claims (13, 14, 15, 16, 17, 18)
-
-
19. A security system for guarding against unwanted user-access to a personal computer and access to the files thereof, comprising:
-
an expansion board for insertion into an expansion slot of the personal computer; said expansion board comprising a read-only-memory having machine code thereon for initializing the security system with the operating system of the personal computer; at least one of a nonvolatile ram chip and EEPROM chip for erasably storing thereon code indicative of the status of each user'"'"'s access rights to a respective file of the system of the personal computer, code indicative of the passwords for valid users of the system of the personal computer, and code indicative of the audit trail of at least one of selected accesses to the system of the personal computer and selected accesses to the files of the system; a clock chip and associated crystal on said expansion board for logging the time and date of selected accesses to at least one of the operating system and selected files; means for recording the audit trail log code on said at least one of said nonvolatile ram and EEPROM for subsequent insepction thereof by a supervisor; means for initializing said clock chip with the operating system of the personal computer; means for erasably encoding said at least one of a nonvolatile ram and EEPROM for recording thereon desired information regarding the state and stats of system flags; and means for accessing the information stored on said at least one nonvolatile ram and EEPROM for the reading thereof by a supervisor. - View Dependent Claims (20, 21, 22)
-
-
23. A method of protecting access to a personal computer and the files thereof, comprising:
-
inputting a code indiciative of the user seeking access to at least one file of the personal computer; monitoring the file handling interrupt function calls of the operating system of the personal computer; determining the status of the user with respect to the at least one file the access to which is sought by the user, said step of determining comprising determining if the user seeking access has read-only access to the at least one file, and read and write access to the at least one file; peritting access to the at least one file if the user has access rights thereof congruent with the file handling interrupt function call initiated; denying access to the at least one file if the user does not have access rights thereof that are not congruent with the file handling interrupt function call initiated; initiating an available interrupt vector of the operating system of the personal computer by which to alter the status of each user with respective to each file when so desired and for determining the current states of the users and files and the status flags thereof for each user and file; and monitoring all video handler interrupt function calls during the booting up process so that said step of monitoring the file handling interrupt function calls may be carried out and not circumvented. - View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
-
-
32. A method of controlling access to the operating system of a personal computer and to the files thereof, comprising:
-
inserting an expansion board into an expansion slot of the personal computer; initializing the components chips of the circuit board with respect to the operating system of the personal computer; grouping the files of the personal computer according to files to-be-protected and files not-to-be protected; further dividing the files to-be-protected according to file groups with each file-group having at least one file thereof, and according to departments with each department having at least one file-group thereof; appointing access-rights to each of the file groups and departments of file-groups by individual user having access to the operating system of the personal computer, said step of appointing comprising assigning read access-rights only to a respective user and read and write access-rights to a respective user by file-group and by department; said step of dividing the files into file-groups and departments comprising a first step of inputting onto an erasable non-volatile memory on the expansion board object code indicative of the grouping thereof; said step of appointing access-rights comprising a second step of inputting onto an erasable non-volatile memory object code indicative of the status of each user with respect to each file-group and department; electing which of the to-be-protected files and not-to-be protected files are to be encrypted; choosing a desired encryption method for files to-be-encrypted; and encrypting files to-be-encrypted with the desired encryption method from said step of choosing a desired encryption method for files to-be-encrypted, said step of encrypting comprising inputting object code from a encryption chip on said expansion board to the erasable nonvolatile memory on the expansion board. - View Dependent Claims (33)
-
Specification