Security With Keyswitch Controlled Initial Process Loading

IP.com Disclosure Number: IPCOM000107791D
Original Publication Date: 1992-Mar-01
Included in the Prior Art Database: 2005-Mar-22
Document File: 3 page(s) / 149K

Publishing Venue

IBM

Related People

Ambers, DM: AUTHOR [+4]

Abstract

Disclosed is a design for keyswitch-controlled Initial Processor Loading (IPL) that offers improved workstation security in many environments. The additional security does not compromise system usability or function.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 42% of the total text.

      Workstations pose an interesting security problem that does not
exist with mainframe or minicomputer systems.  With larger systems
the computer can be stored in a secure environment, while users have
only a terminal in their office or laboratory.  Workstations, by
their very nature, are kept in users' offices and laboratories - that
is, generally unsecured areas.  Systems that are kept in unsecured
areas are subject to two sorts of attack.  The first, which will not
be discussed here, involves physical compromise of the system itself,
normally with the intention of stealing or destroying the data stored
on the system. The second sort of attack requires that the operating
system be corrupted in some form.

      It should be noted that workstations are distinguished here
from personal computers in that workstations include an operating
system with at least one privileged state that is not accessible to
normal users. Thus workstation operating systems are able to enforce a
security policy, while personal computer operating systems cannot.

      Users who are able to corrupt the operating system are
frequently able to acquire system privileges.  With these privileges,
the users are not only able to access data on their own workstation,
but they can usually access data throughout the network that serves
as the computing backplane for workstations.

      An especially vulnerable point of attack occurs when the system
is powered on or rebooted.  At that point, the operating system is
loaded into the computer and the system begins operation.  The
operating system may be obtained from one or more of several
different media, including hard disk, floppy disk, tape or optical
disk, and may even be read from a network connection.  It is the use
of removable media which presents a problem with operating system
integrity. If the system loads the operating system (or IPLs) from a
hard disk which is contained within the system unit, the integrity of
the operating system is as strong as the integrity of the rest of the
data stored on the system.  But if the system may be IPLed from a
removable medium (for example, floppy disk), a system penetrator need
only generate a version of the operating system that allows normal
users to obtain system privilege and store this corrupted version on
an IPL-able floppy disk.  The penetrator then uses this floppy disk to
IPL the system.

      It would be possible to defeat the attack by simply disallowing
IPL from removable media, but this would make it difficult or
impossible for legitimate administrators to perform maintenance
functions or even to load new versions of the operating system.
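The trade-off above (refuse removable-media IPL to block a corrupted operating system, yet still let an administrator load a new one) can be expressed as a boot-source policy gated by a physical keyswitch. The following Python simulation is an added illustration and is not the mechanism described in the disclosure, whose design details are cut from this excerpt; the switch positions SECURE and SERVICE, the boot-source names, the treatment of network IPL as removable-equivalent, and the sample boot order are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class KeyPosition(Enum):
    # Assumed switch positions; the excerpt does not list the real ones.
    SECURE = "secure"    # key removed: everyday operation
    SERVICE = "service"  # key present: administrator maintenance / OS install


class Medium(Enum):
    FIXED_DISK = "fixed disk"   # inside the system unit
    FLOPPY = "floppy disk"      # removable
    TAPE = "tape"               # removable
    OPTICAL = "optical disk"    # removable
    NETWORK = "network"         # listed as an IPL source; treated like removable here (assumption)


@dataclass
class BootSource:
    name: str
    medium: Medium


@dataclass
class IplDecision:
    selected: Optional[BootSource]
    # Every refused source with the reason, so a denied IPL attempt can be audited.
    denied: list[tuple[BootSource, str]] = field(default_factory=list)


def source_permitted(key: KeyPosition, src: BootSource) -> tuple[bool, str]:
    """Policy: the internal fixed disk is always eligible; any other medium
    may be IPLed only while the keyswitch is in the SERVICE position."""
    if src.medium == Medium.FIXED_DISK:
        return True, "internal fixed disk is always eligible"
    if key == KeyPosition.SERVICE:
        return True, "keyswitch in SERVICE position"
    return False, f"{src.medium.value} IPL requires keyswitch in SERVICE"


def select_ipl_source(key: KeyPosition, boot_order: list[BootSource]) -> IplDecision:
    """Walk the configured boot order and pick the first source the policy permits.
    If nothing is permitted, selected is None: the system refuses to IPL rather
    than fall back to an untrusted medium."""
    decision = IplDecision(selected=None)
    for src in boot_order:
        ok, reason = source_permitted(key, src)
        if ok:
            decision.selected = src
            break
        decision.denied.append((src, reason))
    return decision


# Constructed sample boot order: floppy is tried before the fixed disk, which is
# exactly the configuration that lets a planted floppy take over an unguarded system.
SAMPLE_BOOT_ORDER = [
    BootSource("fd0", Medium.FLOPPY),
    BootSource("hd0", Medium.FIXED_DISK),
    BootSource("net0", Medium.NETWORK),
]


if __name__ == "__main__":
    for key in KeyPosition:
        d = select_ipl_source(key, SAMPLE_BOOT_ORDER)
        chosen = d.selected.name if d.selected else "none (IPL refused)"
        print(f"key={key.value:8s} IPL from {chosen}")
        for src, why in d.denied:
            print(f"    denied {src.name}: {why}")
```

With the key removed the floppy in slot one is skipped and the fixed disk is loaded, so the everyday workstation behaves as if removable IPL did not exist; with the key in SERVICE the same boot order yields the floppy, giving the administrator the maintenance path the paragraph above says a blanket prohibition would remove.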

   ...