
Method to reliably detect unauthorized changes to protected partitions on personal computer hard disk.

IP.com Disclosure Number: IPCOM000015732D
Original Publication Date: 2002-Jun-11
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 42K

Publishing Venue

IBM

Abstract

A method is disclosed that provides a method of detecting that a "Parties" partition has been unlocked during unsecure (operating system) system operation. Over the years, there have been schemes to make certain portions of a personal computer's hard disk isolated from the operating system's regular disk space. One example would be the IBM PS/2 Reference

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.


A method is disclosed that provides a method of detecting that a "Parties" partition has been unlocked during unsecure (operating system) system operation.

Over the years, there have been schemes to make certain portions of a personal computer's hard disk isolated from the operating system's regular disk space. One example would be the IBM PS/2 Reference Partition (proprietary design); another example is the current "Parties" technology, which is an open industry standard defined in the latest ATA standards.

Examples of functions that might be provided on the Parties partition include:
1. A restore function for critical operating system files.
2. System hardware diagnostic tools.
3. Local and remote change management and problem determination tools.
4. BIOS change management tools and new BIOS binaries.
5. etc...

Normally, the Parties partition is not subject to modifications (either accidental or malicious) from the operating system environment (it is not visible or accessible during regular operating system operation). However, there is a method defined in the ATA specification that allows the partition to be unlocked under the operating system. This method has a legitimate purpose (being able to update information on the Parties partition) and can have a level of security (requiring a password to be entered before the partition is unlocked).

Passwords, however, carry certain risks that are difficult to address if you are very concerned with the security of data on a system (i.e., TCPA compliant systems). A fairly simple example of how a password can be compromised is the case where the legitimate owner of a password is observed entering it on the keyboard by a sharp-eyed individual whose intention is to compromise the system's integrity. This opens the possibility that the secure, trusted data and code on the Parties partition could be compromised (virus infected, important data corrupted, etc.).

There are ways to check the data integrity of the partition that could be invoked each time you boot to the Parties partition. These could include checking for valid digital signatures, checking hash values of files against encrypted stored hash values of the files, and running virus detection software against the contents of the partition. Doing all this can give you some assurance that the partition contents have not been altered unexpectedly, but performing all these checks whenever you boot to the Parties partition would greatly increase the time needed to access the functions contained on the partition. The present invention describes a method for performing the integrity check only when it is really required.
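As an added illustration (not part of the disclosure, which does not give its recording mechanism in this abbreviated text), the hash-manifest check described above together with the "only when really required" gating, in Python. The partition contents, the manifest key and the `unlocked_since_last_check` flag are constructed assumptions standing in for what a real implementation would read from the disk and from protected storage.

```python
import hashlib
import hmac

# Constructed stand-in for the files on a protected partition: path -> contents.
# In a real system these would be read from the partition once it is mounted.
PARTITION_FILES = {
    "restore/ntldr.bak": b"bootloader image (constructed sample)",
    "diag/memtest.bin": b"diagnostic tool (constructed sample)",
    "bios/flash.bin": b"bios binary v1.00 (constructed sample)",
}

# Assumed secret held outside the OS-writable area (e.g. protected NV storage).
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"


def _serialize(digests):
    return "\n".join(f"{p} {d}" for p, d in sorted(digests.items())).encode()


def build_manifest(files, key=MANIFEST_KEY):
    """Record a SHA-256 digest per file and bind the whole manifest with an HMAC,
    so an attacker who modifies a file cannot hide it by rewriting its stored hash
    (the page's 'encrypted stored hash values')."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    return {"digests": digests, "tag": hmac.new(key, _serialize(digests), hashlib.sha256).hexdigest()}


def verify_partition(files, manifest, key=MANIFEST_KEY):
    """Full (slow) integrity check. Returns a list of problems; empty means intact."""
    expected_tag = hmac.new(key, _serialize(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return ["manifest tag mismatch: stored hashes were altered"]
    problems = []
    for path, stored in sorted(manifest["digests"].items()):
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != stored:
            problems.append(f"modified: {path}")
    problems.extend(f"unexpected: {p}" for p in sorted(files) if p not in manifest["digests"])
    return problems


def boot_decision(files, manifest, unlocked_since_last_check):
    """Run the full check only if an unlock under the OS was recorded since the last
    verified boot; otherwise reuse the earlier result and boot without the delay."""
    if not unlocked_since_last_check:
        return "boot: no unlock recorded, integrity check skipped"
    problems = verify_partition(files, manifest)
    if problems:
        return "refuse: " + "; ".join(problems)
    return "boot: partition re-verified after unlock"
```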

Our invention provides a method to securely record the fact tha...