Transparent, secure computer virus detection method and apparatus
First Claim
1. A method for operating a computer system, the computer system including a processor;
random access memory;
read only memory containing a ROM program executed by said processor upon resetting of the computer system;
at least one storage means having a non-DOS partition and at least one other partition, said non-DOS partition having a first and second region, said first region for storing a first verification program executed by said processor, a first verification list for storing a list of files stored on said second region, said files including files required to boot the computer system and a second verification program, and a first hash code table for storing hash codes of said first verification list files, said second region for storing a first operating system and the second verification program executed by said processor, a second verification list for storing a list of files stored on said other partitions and a second hash code table, said other partitions include at least a second partition for storing a second operating system and user programs executed by said processor; and
a non-volatile memory having a plurality of locations for storing a non-volatile memory hash code and accessible to said processor, said non-volatile memory hash code containing at least one value being a modification detection code of said first region, said plurality of locations of said non-volatile memory being readable and writable by said processor after a first reset of the computer system, being write protected after receipt of a designated signal from said processor, and being made writable again only after a second reset of the computer system, the method comprising the steps of:
resetting the computer system and executing said ROM program, whereupon the ROM program causes execution of the following steps:
computing a hash code for said first region of said non-DOS partition;
determining if said computed hash code is equal to said non-volatile memory hash code value stored in said non-volatile memory;
loading said first verification program stored on said non-DOS partition into said random access memory if said computed hash code is equal; and
executing said first verification program loaded into said random access memory; and
wherein said first verification program further causes execution of the following steps:
computing hash codes for files listed in said first verification list;
determining if said computed hash codes are equal to hash code values stored in said first hash code table; and
booting said first operating system on said non-DOS partition if said computed hash codes are equal; and
wherein said operating system further causes execution of the following steps upon booting:
loading said second verification program stored on said non-DOS partition into said random access memory; and
executing said second verification program loaded into said random access memory; and
wherein said second verification program further causes execution of the following steps:
computing hash codes for files listed in said second verification list;
determining if said computed hash codes are equal to hash code values stored in said second hash code table; and
returning control to said ROM program; and
whereupon the ROM program causes further execution of the following steps if said computed hash codes are equal:
providing said designated signal to said non-volatile memory device prior to booting said second operating system; and
booting said second operating system from said second partition.
Abstract
A computer system which verifies the integrity of installed software on the computer system. A reserved non-DOS hard disk partition is used to store routines which pre-boot the computer system and provide a secure environment from which to verify files. Routines start by performing a self check on the non-DOS partition routines, then check the master boot record and boot sectors of the hard disk. System files of the user DOS partition are verified next and any additional designated user files are verified until the computer system is verified. Since the computer booted from an atypical partition, the drives are remapped to account for the shift in logical disk drive addressing. When completed and prior to booting from the user partition, an NVRAM latch is set to prevent unauthorized modification of the initial checksums. The non-DOS partition contains three different sets of DOS: a copy of the user DOS, if DOS is installed on the user partition; a subset of DOS and a backup of the DOS subset. This allows the non-DOS partition to be booted to allow easier execution of the routines. Additionally, if the user changes DOS versions, such changes can be provided to the non-DOS partition for future use.
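The verification chain of claim 1 and the abstract, modelled as an added Python example that is not code from the patent. SHA-256 stands in for the patent's hash code, region 1 is stored as a JSON blob, and the class, function, stage and file names are assumptions of this example.

```python
import hashlib
import json

def mdc(data: bytes) -> str:
    # Modification detection code; SHA-256 is this example's choice of hash.
    return hashlib.sha256(data).hexdigest()

class LatchedNvram:
    """Writable after reset, write protected once lock() is signalled."""
    def __init__(self):
        self.value, self.locked = None, False
    def reset(self):
        self.locked = False   # only a reset reopens the latch
    def lock(self):
        self.locked = True    # stands for the claim's "designated signal"
    def write(self, value):
        if self.locked:
            raise PermissionError("NVRAM latched until next reset")
        self.value = value

def mismatches(files: dict, table: dict) -> list:
    # Names in the hash table whose file is missing or hashes differently.
    return sorted(n for n, h in table.items()
                  if n not in files or mdc(files[n]) != h)

def boot(disk: dict, nvram: LatchedNvram):
    """Run the chain in claim order; return (stage reached, failed items)."""
    nvram.reset()
    if mdc(disk["region1"]) != nvram.value:            # ROM check of region 1
        return "halt_rom", ["region1"]
    table1 = json.loads(disk["region1"])["table1"]     # first verification
    bad = mismatches(disk["region2"], table1)
    if bad:
        return "halt_first_verify", bad
    table2 = json.loads(disk["region2"]["table2"])     # second verification
    bad = mismatches(disk["user"], table2)
    if bad:
        return "halt_second_verify", bad
    nvram.lock()                                       # latch before user OS
    return "user_os_booted", []

def provision(nvram: LatchedNvram) -> dict:
    # Constructed sample disk; file names and contents are made up.
    user = {"COMMAND.COM": b"shell v1", "APP.EXE": b"app v1"}
    table2 = json.dumps({n: mdc(d) for n, d in user.items()}).encode()
    region2 = {"dos_subset": b"dos", "verify2": b"v2", "table2": table2}
    table1 = {n: mdc(d) for n, d in region2.items()}
    region1 = json.dumps({"verify1": "code", "table1": table1}).encode()
    nvram.reset()
    nvram.write(mdc(region1))
    return {"region1": region1, "region2": region2, "user": user}
```

Because the second hash table is itself a file covered by the first table, and the first table is covered by the NVRAM value, changing any stored hash after the latch is set is caught at the next reset.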
14 Claims
1. The independent claim, reproduced in full under "First Claim" above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Specification