WO2010097090A2 - Controlled computing environment - Google Patents
- Publication number
- WO2010097090A2 (PCT/DK2010/050049)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computer
- operating system
- system environment
- verification server
- accordance
- Prior art date
- Legal status
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
- G06F21/126—Interacting with the operating system
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
- G06F2221/2103—Challenge-response
- G06F2221/2149—Restricted operating environment
Definitions
- the present invention relates to an authorized operating system environment and ensuring that a computer is running in the authorized operating system environment.
- a corporation may need in-house consulting from a software programmer to gain support on how to use an advanced software program. If the corporation is extremely sensitive about its information technology (IT) systems, including the data stored in them, it may require that the consultant uses a computer provided by the corporation's own IT personnel, rather than a computer, say a laptop, that the consultant brings along with him. The IT personnel can set up the computer with only the programs and enabled hardware that the consultant needs in order to provide his service. The computer may therefore have the advanced software program installed on it, as well as other programs that might be needed, perhaps a word processing program for taking notes or documenting a process.
- a general purpose computer can be tightly controlled using a virtual environment such as for instance VMWare ACE.
- An entire operating system can be generated and loaded onto the computer along with the specialized software and the word processing program.
- Different hardware devices on the computer can be activated, or not, according to the needs.
- the computer may for instance have an Infrared Port device, but if the functionality is not needed, there is no reason to provide it. Accordingly, the virtual machine is specified to not load the Infrared Port device.
- Other communication devices such as a Bluetooth radio device may also be present in the computer hardware but not be necessary. Accordingly, the Bluetooth radio is also not activated.
- system administrator can provide a controlled computer environment, since he can control which features the operating system has, including access to software and hardware.
- the system administrator can provide a standardized and controlled environment in accordance with his or her specifications.
- the thinking and practice of a skilled system administrator is that he will build an environment, test it, and then release it once it has displayed the degree of robustness that the system administrator demands. It is therefore obvious to trust such a system.
- a first aspect of the invention provides a method for determining whether a first computer is running an authorized operating system environment. The method comprises:
- the notification signal is sent via an operable data connection between the first computer and the verification server.
- This could be a wired ethernet connection; a wireless network connection; a High Speed Packet Access (HSPA) protocol; a Bluetooth connection; or an infrared connection.
- standards specifications include, but are not necessarily limited to, the IEEE 802.11 specification set; the IEEE 802.3 specification set, and the IEEE 802.15 specifications.
- protocol is used in a broad sense to denote any given set of rules which specify a means of communication between two or more machines or computers across one or more networks.
- a protocol may be part of a protocol stack, as exemplified, but not limited, by the OSI reference model.
- a protocol can specify one, more or all layers in the protocol stack it is part of.
- the authorized operating system environment can be an operating system, such as a Microsoft Windows operating system, a Linux operating system, a UNIX operating system, or yet another operating system.
- the authorized operating system environment is a virtual machine having an operating system, such as one of those just mentioned, installed. This is also referred to as "a virtual machine running an operating system", even if the virtual machine and the operating system are not switched on.
- a virtual machine may, in the context of the present invention, be defined as any software implementation of a machine or computer that is capable of executing - known as hosting - other software programs as if it were a physical machine.
- a virtual machine may emulate a concrete type of physical machine or it may define and implement its own model of a machine.
- a virtual machine may allow the hosted software or parts of the hosted software to run directly on the underlying physical hardware or it may emulate the hardware completely.
- a virtual machine can execute directly on hardware, be hosted in another virtual machine or run on top an operating system.
- Virtual machines are also known as e.g. hypervisors, system virtual machines and virtualization platforms.
- the authorized operating system environment may, in the context of the present invention, be a plurality of operating systems and/or virtual machines, a so-called "stack" of operating systems. Examples include:
- a general purpose operating system hosting a virtual machine which in turn hosts a second operating system.
- a dedicated operating system hosting a virtual machine which in turn hosts a second operating system.
- the operating system may particularly be a dedicated operating system, tailored to the specific task of implementing the present invention, as opposed to a general-purpose operating system.
- two operating systems may be running, a dedicated operating system according to the present invention, and a general purpose operating system providing services to a user of the first computer.
- the authorized operating system, or part of the authorized operating system, or part of the "stack" of operating systems mentioned above can be downloaded from a server during the initial run of the authorized operating system environment.
- one embodiment of the present invention may be implemented in a so-called terminal-server solution, where the fundamental operating system in the stack of operating systems may be loaded from a portable storage medium, e.g. a memory stick like a USB stick. Instead of running the virtual machine, the next operating system in the stack may be loaded.
- the authorized operating system environment may be implemented on the first computer by executing an application on the first computer's pre-installed operating system, the said application initializing and configuring the authorized operating system environment on the first computer.
- the authorized operating system environment including any notification signals, may be implemented on the first computer.
- authorized could mean that the operating system has been approved by a system administrator.
- authorized in relation to "authorized operating system environment” shall not be construed as limiting the scope. The term is used as a reference to the particular operating system environment that the first computer is supposed to be running.
- non-trusted user will be used to describe a person to whom the system administrator has granted access to a computer that the system administrator administrates.
- a “non-trusted user” is a person that the system administrator is concerned may, whether deliberately or not, compromise the system administrator's computer network.
- the first computer is running an authorized operating system.
- the operating system is capable of causing the first computer to send the notification signal to the verification server. This function may be built into the operating system as such.
- alternatively, a simple solution is to implement the function via a software program installed in the operating system. This software program will be referred to as a "security program".
- the method according to the first aspect allows a system administrator to ensure that the operating system running the security program is operable. In case the operating system is shut down, and potentially replaced by another operating system, the verification server will no longer receive a notification signal.
- the notification protocol is a protocol according to which notification signals are sent, or attempted to be sent, by the first computer to the verification server. The protocols may be specifiable, or they may be fixed and not subject to alteration.
- the notification protocol may ensure that two notification signals are sent within an acceptable amount of time. "Acceptable amount of time” is subjective, and it is clear to a person skilled in the art that this amount of time can be implemented in an infinite number of ways.
- Examples include: A "beacon” protocol by which a signal is sent (or attempted sent) to the server each 10 seconds or 1 minute or other amount of time; a protocol in which there is a degree of variation, for instance via a random (or pseudorandom) number generator generating a number representing the amount of time that is to pass before a next notification signal is attempted to be sent.
- Examples for the protocol may include various kinds of periodic patterns for the notification signals, the periodic pattern comprising one or more frequencies of reoccurrence for the said signal.
- a notification signal may be attempted to be sent upon a specific event taking place within the operating system, such as accessing a shutdown command or attempting to investigate system files or log files on the computer.
- the first computer might send a notification signal to the verification server. This can be considered an early warning that the non-trusted user is about to perform unwanted actions.
- the notification signal might comprise information indicative of an action having been performed on the computer.
- the information indicative of the action (“action information”) can comprise the name of the command, and might also include a file path for the file.
- the action information may comprise a command capable of disabling a functionality associated with the first computer.
- the first computer may, in response to receiving the command capable of disabling functionality, perform one, or more, of:
- the said action information may comprise a command capable of enabling a functionality associated with the first computer.
- the first computer may, in response to receiving the command capable of enabling a functionality, perform one, or more, of:
  - opening a window on a graphical user interface connected to the first computer, the window comprising information indicating that an unwanted action has been performed on the first computer;
  - a logging file, e.g. a key grabber or similar, related to actions performed on the first computer, the logging file, or part thereof, being accessible from the verification server, and/or being transferred to the verification server, and
- the notification signal might alternatively, or additionally, comprise information indicating a degree of severeness (degree of non-acceptability) of the action or indicating a certain type of action.
- certain system commands might, when executed, be classified according to a translation table or other type of classification.
- the viewing of a system event log can reveal operating system weaknesses, user names, and other information. Such information is typically irrelevant to a user if the operating system is operating correctly in the respects in which the user actually requires it to operate correctly. However, a non-trusted user might find this information interesting and access it for the purpose of compromising the system.
- the security software might translate the action of viewing a system event log to a "1" or "true", whereas opening a word processing program might translate into a "0" or "false". A "1" (or "true") might then be indicative of an unwanted action and a "0" (or "false") indicative of an acceptable action.
- the computer sends this information ("1” or “0”, for instance, as appropriate) to the verification server, which is then accordingly adapted to provide the fault signal if the notification signal comprises a "1" (or “true”).
- the present invention may be implemented in various protocols with respect to the status of the first computer and the verification server.
- the server is passive and the first computer is active, i.e. the first computer is initiating the communication, and the server is responding. In other embodiments, both entities may initiate the communication according to the specific protocol.
- the server is active and the first computer is passive, i.e. the verification server is initiating the communication, and the first computer is responding. The latter embodiments are particularly advantageous in that this enables mass broadcasting from the verification server to a plurality of computers that are monitored or under surveillance according to the teaching of the present invention.
- the first computer receives at least part of the implementation of the notification protocol from the verification server, when connected.
- the operating system does not require pre-configuration with respect to the behaviour relating to notifications, and accordingly the protocol can be changed with no, or few, preceding steps or preparations.
- This information, or at least part of it, can be transferred, e.g. downloaded, from the verification server, which means that the notification protocol can be adapted by the system administrator according to the specific needs that he or she is facing in a given situation.
- the notification protocol can, in some embodiments, be dependent on a credential provided at the first computer.
- the notification protocol may, in some cases, be provided by the verification server.
- the security program implements a default protocol. This ensures that the security program is operable without receiving a notification protocol or parts of a notification protocol from the verification server.
- a default protocol can also define some boundaries. For instance, it can ensure that a first notification signal and an immediately subsequent notification are separated by an amount of time that is at most 1 minute, no matter what a notification protocol from the verification server provides for.
- the default protocol can define information that must be transmitted to the verification server.
- the notification signal can comprise very specific information, such as information about central processing unit (CPU) processes or process threads, or system event log information. Such information could also be comprised in a separate signal - a signal that is not a notification signal in accordance with the notification protocol.
- the notification information comprises a file.
- files that are being manipulated in the operating system can be backed up via the verification server (on the verification server or a separate storage facility).
- the authorized operating system environment running on the first computer may be stored on a server from which the first computer, when the server is connected to the first computer, can load and run the authorized operating system environment. This may be implemented as a so-called networking booting sequence.
- the authorized operating system environment may comprise a plurality of operating systems, wherein at least one of the operating systems is a non-authorised operating system.
- This may be implemented as a so-called "citrix solution".
- the initially non-authorised operating system may be authorized or approved by the verification server and/or a system administrator, for example the non-authorised operating system may be installed by a user of first computer, and later approved by the verification server.
- the authorized operating system environment running on the first computer may be stored on a portion of a readable, and optionally writeable, memory connected with the first computer, the said memory being a main storage memory of the first computer.
- This may for instance be a memory such as hard disk (HD), or alternatively other kinds of memory entities, e.g. solid state disks (SSD), etc.
- a partition of a HD may be used, the partition having restricted access and/or limited possibility for modification by a user of the first computer. It is then to be understood that the stored, authorized operating system environment is pre-installed or installed from the verification server or a portable storage medium as explained above and below.
- the authorized operating system environment running on the first computer may be stored on a portable storage medium from which the first computer, when the portable storage medium is connected to the first computer, can load and run the authorized operating system environment.
- the authorized operating system environment stored on the portable storage medium may be encrypted, the authorized operating system environment being decrypted as a part of an initial running of the authorized operating system environment.
- the notification protocol may comprise sending notification signals at one or more periodic intervals.
- the notification protocol may comprise sending notification signals at one or more predefined events performed by, or at, the first computer.
- the said pre-defined events may comprise one, or more, of:
- the said pre-defined events may beneficially comprise initializing and/or finalizing of the authorized operating system environment.
- the notification signal itself may comprise logging information so as to document actions performed on the first computer.
- the said notification protocol may be implemented by means of tcp/ip, http, ssh, SQL connection protocol, telnet, ftp, icmp, xml-over-html, RCP, or any combination thereof.
- Low level/data link layer: ethernet (IEEE820.*), USB, GSM, Edge, IEEE1394
- High level/presentation or application layer: ATOM, RSS, SOAP, OData, GData, http(s), ssh.
- the notification server(s) may regularly request ATOM or RSS feeds from the first computer, and the other computers.
- the computer(s) may then publish their feed at regular intervals, e.g. after 1, 10 or 100 seconds.
- the server(s) may monitor the activity of one or more feeds.
- the security software may generate a first token that it sends to the verification server.
- the verification server checks that the first token is valid.
- the verification server then provides a second token that it returns to the first computer, which then checks that the second token is valid.
- the security program and the verification server might implement encryption certificates.
- the verification server provides an authentication token.
- the verification server sends the authentication token to the computer, which then signs or encrypts the authentication token using an authorized private key.
- the signed or encrypted authentication token is then returned to the verification server in a notification signal or a separate signal.
- the verification server can then check that the authentication token reached the first computer and that the returned notification signal (or separate signal) comes from the first computer (that is aware of the authorized private key). This is done by checking the signature of the returned authentication token or decrypting the returned authentication token and comparing the decrypted token to the token that the verification server sent to the first computer.
- the verification server will, in case it does not receive a valid notification signal, return an interference signal to the first computer.
- the security software is adapted to perform some interference action in response.
- the interference signal may cause the security program to lock the operating system, requiring a login by an authorized person, such as the system administrator.
- the security program may cause the keyboard and/or mouse to stop functioning correctly, or it can bring up a notification window containing information to the effect that an unwanted action has been performed.
- the notification window may include information about the unwanted action, such as the name of an offending command or offending action.
- the notification signal may further comprise logging information to further document actions performed on the first computer.
- logging information could for instance comprise information about commands executed on the first computer; content of system log files on the first computer; screen shots from the first computer; information about processes running on the first computer.
- a second aspect of the invention provides an operating system environment adapted to enable appropriate computer hardware, when the operating system environment is executed thereon, to operate as the first computer referred to in the first aspect of the invention.
- a third aspect of the invention provides a computer program product comprising the operating system environment referred to as the second aspect of the invention.
- a fourth aspect of the invention provides data storage medium comprising such an operating system environment.
- a fifth aspect of the invention provides computer hardware adapted to operate as the first computer described in relation to the first aspect of the invention.
- a sixth aspect of the invention provides the security program referred to above, for execution on the first computer.
- a seventh aspect of the invention provides computer hardware adapted to operate as the verification server described in relation to the first aspect of the invention.
- a data storage medium comprising the security program of the sixth aspect of the invention; a verification server computer program adapted to enable appropriate computer hardware, when executing the verification server computer program, to operate as the verification server of the seventh aspect of the invention; a data storage medium comprising the verification server computer program.
- Figure 1 illustrates a system comprising computers running an authorized operating system environment in accordance with the invention, connected to a verification server in accordance with the invention.
- FIG. 2 illustrates schematically a computer architecture.
- Computer 200 comprises a Central Processing Unit (CPU) 202, memory 203, a hard disk storage
- Graphics 209 can be thought of either as a graphics hardware card or a graphics hardware card having a display connected to it, just as keyboard 207 is not
- Figure 3 illustrates a method in accordance with the invention by which it can be determined whether a computer is running an authorized operating system.
- Figure 4 illustrates a method in accordance with the invention, where the computer running the authorized operating system environment can receive and execute commands.
- Fig. 1 illustrates computers 110, 111, 111, 114 connected to a verification server 120 via connections 125.
- the computers 110, 111, 111, 114 may be different computers having different hardware and operating system.
- the connections 125 can be any type of operable data connection, such as ethernet connections or IEEE 802.11 wireless connections.
- the connections 125 need not all be of same type.
- the computers 110, 111, 114 run operating systems stored on storage devices 115, 116, 116 and 118. They can be different operating systems, implementing different software, hardware etc, and the storage devices can be of different types, and might be USB devices, DVD devices, network cards or the like.
- the operating systems running on computers 110, 111, 114 from storage device 115, 116 and 118 are authorized operating systems that all have a functionality that allow them to send notification signals to the verification server 120. Notification signals are sent by the computers to the verification server in order to check whether the authorized operating systems are operable. In case computer 114, which is running an authorized operating system loaded from device 118, is switched off, the computer will stop sending notification signals to the verification server 120.
- the verification server 120 is capable of connecting to computers 110, 111, 111, 114.
- the verification server will listen for notification signals from these computers.
- the status of computer 114 becomes unknown to the verification server 120, as the verification server is no longer - in this example - in operable connection with computer 114. From the point of view of a system administrator who has sensitive and critical information stored on his or her computers and network devices, this state may be unacceptable.
- Fig. 2 illustrates, schematically and greatly simplified, a computer architecture that computers 110, 111, and 114 might have.
- the computers may be different and implement different and other architectures.
- the verification server 120 may have a similar or different architecture.
- Fig. 3 illustrates a method in accordance with the present invention.
- the figure illustrates a login procedure for registering a computer with the verification server, as well as the protocol for determining if a computer, such as computer 114 in Fig. 1 is running an authorized operating system.
- the login procedure can be used for different purposes.
- One purpose is to uniquely associate a user of the computer with data stored either on the verification server or on another facility, such as storage 136 on computer 130 in Fig. 1, which might be connected to the verification server as illustrated by connection 128 in Fig. 1.
- Credentials, secret or not, can also be a way for the system administrator to indicate to the verification server an identity of a user of the computer 114.
- Step 302 illustrates the login action at the computer.
- the login may for instance comprise a username (USER) and a password (PASS).
- the verification server may send an indication AUTH OK, in step 306, to the computer to inform it that authenticated credentials have been used.
- when the verification server sends AUTH OK to the computer, the verification server starts listening for notification signals from the computer.
- AUTH OK is a signal to the computer that the verification server is listening for notification signals, and that it should begin sending notification signals in accordance with the notification protocol that it is aware of. This is illustrated by step 308.
- the computer sends a notification signal NS to the verification server in step 310.
- it may or may not be necessary for a notification signal NS to include credentials in order for the verification server to be able to identify the computer 114 from which the notification signal is sent.
- the verification server determines whether a valid notification signal has been received. If the computer 114 is switched off, the verification server will not receive a notification signal from computer 114 at all. The verification server has therefore not received a valid notification signal. The verification server determines whether a notification signal is valid by comparing it with the notification protocol that the computer implements. In this way, the verification server can determine if the computer 114 has fulfilled the obligation set forth by the protocol. For instance, if the protocol prescribes that the computer sends a notification signal every 30 seconds, and one notification signal from the computer is not followed by another notification signal within 30 seconds (plus a margin for network transit time, say 2 seconds, for example), then the verification server will give off a fault indication in step 314.
- a message, e.g. an e-mail, an SMS or MMS, or a similar message
- a device which is accessible by a system administrator, as an indication to him or her that the computer 114 is in an unknown state.
- the system administrator may also use a centralised system, e.g. a server or a computer in a network, for monitoring or administering.
- the verification server may include a token, T1, in a message to the computer.
- T1 might for instance be a pseudorandom number. This might be part of a handshake procedure by which the verification server and computer ensure that the connection 125 (see Fig. 1) is intact and that there is no interference, such as a man-in-the-middle attack that attempts to trick the verification server into incorrectly determining that the computer is running the authorized operating system, even if it is not.
- the token could be signed by the computer using a private key.
- the result is sent as token T2 (see Fig. 3).
- the verification server can then check that the signature on the token T2 is valid and that the token T2 corresponds to the token Tl .
- the verification server can respond with a server response signal, SRS.
- a token T3 might also be included.
- the token T3 could be a new pseudorandom number that the computer must sign and return as part of the handshake procedure for ensuring the integrity of the connection.
- the server response signal may also comprise instructions to the security program running on the computer.
- the verification server finds that notification signal is has received is invalid, the verification server can return a response containing an instruction that causes the security program on the computer to disable the keyboard or bring up a window on a display connected to the computer, informing a user that an unwanted action has been performed.
- various actions can be taken. This is a matter of design.
- The notification signal could also comprise file data.
- For instance, the notification signal can carry a copy of the project file (a data file), which the verification server can then store, either in a store of its own, or send to another store, such as store 136 on computer 130 via connection 128.
- Fig. 3 also illustrates how an SMS (short message service) message can be sent (for instance to the system administrator), in step 324. It could also be an e-mail, as in step 326, or an alarm sounded at the computer (on instruction from the verification server), as in step 322.
- Fig. 4 illustrates additional steps by which the computer 114 can, for instance, be disabled.
- The computer 114 investigates, in step 402, whether the SRS comprises a command. If not, the computer returns to following the notification protocol, in step 310. If the SRS comprises a command, the computer executes the command (or set of commands, if desired) in step 404. This can be a benign command that merely causes an extraordinary event to take place at the computer, namely the event caused by performing the command; in that case, the computer can return to step 310 and continue following the notification protocol.
- Alternatively, the command can be one after which the computer no longer returns to step 310 and no longer continues following the notification protocol.
- In that case the computer is in a disabled state 414 and can no longer be operated normally.
- The invention is applicable in scenarios in which a system administrator wants increased awareness of a computer's operational state.
- A situation in which the invention is particularly suitable relates to computer-implemented testing, for instance in schools and universities. In some cases, students are allowed to use all available information. Even so, it can be a problem simply to let students use their computers freely. Two students at a testing location may, for instance, enable Bluetooth radios or wireless network connections and exchange data that way. Unless this is allowed, the possibility of doing so should be eliminated.
- Bluetooth radios can be disabled (or rather: not enabled), thereby eliminating the possibility of students exchanging data over a Bluetooth connection.
- Network interfaces can be controlled to prevent computer-to-computer network communication. In some types of tests, students may not use any information other than that which they remember; in that case hard disks should be disabled as well.
- The present invention may be applied to not enabling certain functionality on a computer, e.g. wireless connections as above. Alternatively, or additionally, it may provide logging of certain events or actions that are possible to perform on the computer but are nevertheless forbidden (not allowed) in certain situations, e.g. a test or exam situation, or other events where restrictions are desirable.
- The present invention may be utilised to limit, restrict and/or control access to certain websites, both in an exam/testing situation and in a more general teaching situation, where the use of these web-based services may be considered counter-productive to the overall testing or teaching purpose, e.g. as cheating.
- For example, the present invention may effectively close access to a translation web service, e.g. Google™ Translate, or other similar services, while allowing access to a web-based dictionary.
- The present invention allows this kind of control and at the same time ensures that the authorized operating system is not disabled, which would otherwise allow other information to be accessed.
- A student receives a USB stick with an authorized operating system.
- The system can determine that a given student is using a computer that is running the authorized operating system. If notification signals are no longer received from this computer, the student could be attempting to circumvent some of the limitations imposed by the authorized operating system.
- The verification server of the present invention will determine whether this is the case and, if so, will give off a fault indication. The concern is that the student might be in the process of rebooting his or her computer in order to access information stored on the hard disk, or in order to communicate via, for instance, Bluetooth radios.
- The notification signal, or a separate signal, can comprise a copy of the document or documents the student is working on.
- The copy is stored on the verification server or on the separate computer 130.
- In this way students have a backup of their work. If their computer fails, they can borrow a spare computer and retrieve a backup copy of their work from the verification server (or the separate computer).
- The verification server responds with a second signal.
- The second signal is also provided in a way that prevents it from being provided by a non-authorized party.
- The second signal allows the first computer to determine that the verification server is a trusted verification server, and thus whether its verification is being performed correctly. If the alleged verification server is actually a non-authorized server, the first computer can determine this because the second signal is incorrect. As a consequence, the first computer can take action to prevent further normal operation. For instance, the operating system can block operation of the keyboard and permanently display a message to the effect that it cannot proceed because of an irregularity.
- This embodiment is further advantageous because communication of information to the server, such as transmission of a document, is not performed unless the first computer has determined that the verification server is authorized.
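The exchange of Figs. 3 and 4 (AUTH OK with T1, the notification signal returning the signed token as T2, the SRS carrying T3 or a command, and the 30-second-plus-margin check of step 314) together with the second-signal check just described, written out as an added example in Python. This is not code from the patent. An HMAC over a per-computer key stands in for the private-key signature the patent describes; the computer ids 114, 115 and 116, the key values, the JSON field names, the "DISABLE" command and the constructed project-file text are all assumptions of this example.

```python
import hashlib, hmac, json, secrets

NS_INTERVAL_S = 30  # notification period prescribed by the protocol (from the text)
NET_MARGIN_S = 2    # allowance for network transit time (from the text)

def _sign(key, body):
    # HMAC-SHA256 over canonical JSON stands in for the patent's private-key signature
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
def _signed(key, body):
    return {**body, "sig": _sign(key, body)}
def _verify(key, msg):
    body = {k: v for k, v in msg.items() if k != "sig"}
    return hmac.compare_digest(_sign(key, body), msg.get("sig", ""))

class VerificationServer:
    def __init__(self, computer_keys, server_key):
        self.computer_keys = computer_keys  # assumed: computer id -> that computer's key
        self.server_key = server_key
        self.expected = {}      # computer id -> token (T1 or T3) it must sign next
        self.last_seen = {}     # computer id -> time of the last valid NS
        self.faults = []        # (computer id, time, reason): the fault indications
        self.stored_files = {}  # computer id -> latest file data carried in an NS

    def auth_ok(self, cid, now):
        """Step 308: AUTH OK carries a fresh T1 and is signed so the computer can trust it."""
        self.expected[cid] = t1 = secrets.token_hex(16)
        self.last_seen[cid] = now
        return _signed(self.server_key, {"type": "AUTH_OK", "computer_id": cid, "T1": t1})

    def receive_ns(self, ns, now):
        """Steps 310-314: valid only if the signature checks out AND T2 is the token issued last."""
        cid = ns.get("computer_id")
        key, expected = self.computer_keys.get(cid), self.expected.get(cid)
        if not (key and expected and ns.get("T2") == expected and _verify(key, ns)):
            self.faults.append((cid, now, "invalid notification signal"))
            self.expected.pop(cid, None)  # a replayed or forged NS ends the session
            return _signed(self.server_key, {"type": "SRS", "computer_id": cid, "command": "DISABLE"})
        self.last_seen[cid] = now
        if "file" in ns:  # the NS may carry a copy of the project file
            self.stored_files[cid] = ns["file"]
        self.expected[cid] = t3 = secrets.token_hex(16)  # new challenge for the next round
        return _signed(self.server_key, {"type": "SRS", "computer_id": cid, "T3": t3})

    def check_timeouts(self, now):
        """Step 314 for silence: a fault for every computer whose NS is overdue."""
        overdue = [c for c, t in self.last_seen.items() if now - t > NS_INTERVAL_S + NET_MARGIN_S]
        for c in overdue:
            self.faults.append((c, now, "no notification signal within interval"))
            del self.last_seen[c]
        return overdue

class SecurityProgram:
    def __init__(self, cid, key, server_key):
        self.cid, self.key, self.server_key = cid, key, server_key
        self.token = None      # T1/T3 to sign in the next NS
        self.disabled = False  # state 414: no longer operated normally

    def _trusted(self, msg):
        # second-signal check: a mis-signed server message is an irregularity, stop operating
        if _verify(self.server_key, msg) and msg.get("computer_id") == self.cid:
            return True
        self.disabled = True
        return False

    def on_auth_ok(self, msg):
        if self._trusted(msg):
            self.token = msg["T1"]

    def notification_signal(self, file_data=None):
        """NS: identifies the computer and returns the server's token signed (T2); None if it must not send."""
        if self.disabled or self.token is None:
            return None
        body = {"type": "NS", "computer_id": self.cid, "T2": self.token}
        if file_data is not None:
            body["file"] = file_data
        return _signed(self.key, body)

    def on_srs(self, srs):
        # steps 402/404: execute a command if present, otherwise keep following the protocol
        if not self._trusted(srs):
            return
        if srs.get("command") == "DISABLE":
            self.disabled = True
        else:
            self.token = srs.get("T3")

def run_scenario():
    """Constructed walk-through: normal rounds, a replayed NS, a silent computer, a rogue server."""
    key, skey = b"key-of-computer-114", b"verification-server-key"  # assumed key material
    server = VerificationServer({"114": key}, skey)
    client = SecurityProgram("114", key, skey)
    t = 1000.0
    client.on_auth_ok(server.auth_ok("114", t))
    client.on_srs(server.receive_ns(client.notification_signal(), t + 30))
    ns = client.notification_signal(file_data="project file, draft 2")
    client.on_srs(server.receive_ns(ns, t + 60))
    ok_rounds = not client.disabled and server.stored_files["114"] == "project file, draft 2"
    client.on_srs(server.receive_ns(ns, t + 90))  # replay: valid signature, but stale T2
    replay_caught = client.disabled and server.faults[-1][2] == "invalid notification signal"
    server.auth_ok("115", t)                       # computer 115 then never sends an NS
    timed_out = server.check_timeouts(t + 33)      # 33 s exceeds 30 s + 2 s margin
    victim = SecurityProgram("116", key, skey)     # rogue server signs AUTH OK with its own key
    victim.on_auth_ok(_signed(b"rogue", {"type": "AUTH_OK", "computer_id": "116", "T1": "0"}))
    return {"ok_rounds": ok_rounds, "replay_caught": replay_caught, "timed_out": timed_out,
            "rogue_blocked": victim.disabled and victim.notification_signal() is None}
```

`run_scenario()` walks through the four situations the description covers: two valid rounds (the second carrying a project-file copy that the server stores), a replayed notification signal that carries a correct signature but a stale T2 and therefore draws a fault and a DISABLE command, a computer that goes silent past the 30 s + 2 s window, and an AUTH OK from a server that does not hold the real server key, which the security program refuses before it sends anything. Binding T2 to the most recently issued token is what makes "T2 corresponds to T1" a replay check rather than just a signature check. A deployment following the patent's description would sign T2 with the computer's private key and the second signal with the server's own, so that the verification server holds only public keys; the HMAC here is only to keep the example within the standard library.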
- The operating system can for convenience be placed on a USB storage medium, such as a USB flash drive.
- The first computer can boot the operating system from the USB drive. This allows a system administrator to provide a very well-controlled computing environment on a computer.
- Communication with the verification server is then a safe indication that the computer is in fact running the well-controlled environment, to the extent that the notification protocol, with its signed tokens, cannot be reproduced by software other than the authorized operating system.
- The operating system is advantageously provided in such a way that it offers only the required functionality.
- Communication protocols such as Bluetooth, which is available on most present-day laptops, might for instance be used to transfer data from the computer to a mobile storage medium.
- The system administrator can prevent this from happening by configuring the operating system not to recognise Bluetooth devices.
- Only network functionality needs to be activated, so that the computer can communicate with the verification server.
- If the notification signals stop, the verification server will provide a fault indication to notify, for instance, the system administrator that the authorized operating system is not active.
- In that case a person might be operating the computer outside the authorized boundaries. For instance, the person might bring a non-controlled operating system that allows the Bluetooth radio module to be operated, whereby information can be transmitted from the computer to a receiving Bluetooth device.
- The invention can be implemented by means of hardware, software, firmware or any combination of these.
- The invention, or some of the features thereof, can also be implemented as software running on one or more data processors and/or digital signal processors.
- The individual elements of an embodiment of the invention may be physically, functionally and logically implemented in any suitable way, such as in a single unit, in a plurality of units or as part of separate functional units.
- The invention may be implemented in a single unit, or be both physically and functionally distributed between different units and processors.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Debugging And Monitoring (AREA)
- Hardware Redundancy (AREA)
Abstract
The present invention relates to an authorized operating system environment and to ensuring that a computer is running the authorized operating system environment. The invention relates to a method that improves the security of virtual machines. A computer running in the authorized operating system environment is able to send notification signals to a verification server. The signal comprises information identifying the computer. If the verification server does not receive a valid notification signal from the computer within a specified period of time, the verification server will provide a fault indication. The invention also relates to an associated operating system environment and to other aspects.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US15538709P | 2009-02-25 | 2009-02-25 | |
| DKPA200900265 | 2009-02-25 | | |
| DKPA200900265 | 2009-02-25 | | |
| US61/155,387 | 2009-02-25 | | |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2010097090A2 (fr) | 2010-09-02 |
| WO2010097090A3 (fr) | 2010-11-25 |
Family
ID=42136018
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/DK2010/050049 Ceased WO2010097090A2 (fr) | 2009-02-25 | 2010-02-25 | Environnement informatique commandé |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2010097090A2 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150370584A1 (en) * | 2013-01-17 | 2015-12-24 | Hitachi, Ltd. | Computer system and program |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| SE504827C2 (sv) * | 1995-09-05 | 1997-05-12 | Daniel Danielsson | Method for monitoring a computer system |
| US6697948B1 (en) * | 1999-05-05 | 2004-02-24 | Michael O. Rabin | Methods and apparatus for protecting information |
| US6757824B1 (en) * | 1999-12-10 | 2004-06-29 | Microsoft Corporation | Client-side boot domains and boot rules |
| US20080082813A1 (en) * | 2000-01-06 | 2008-04-03 | Chow David Q | Portable usb device that boots a computer as a server with security measure |
| US20030009687A1 (en) * | 2001-07-05 | 2003-01-09 | Ferchau Joerg U. | Method and apparatus for validating integrity of software |
| CA2363411A1 (fr) * | 2001-11-21 | 2003-05-21 | Platespin Canada Inc. | System and method for software provisioning |
| US7373666B2 (en) * | 2002-07-01 | 2008-05-13 | Microsoft Corporation | Distributed threat management |
| US20050183143A1 (en) * | 2004-02-13 | 2005-08-18 | Anderholm Eric J. | Methods and systems for monitoring user, application or device activity |
| US7210047B2 (en) * | 2004-06-16 | 2007-04-24 | Gateway Inc. | Method of switching modes of a computer operating in a grid environment based on the current operating mode |
| US20070180509A1 (en) * | 2005-12-07 | 2007-08-02 | Swartz Alon R | Practical platform for high risk applications |
| US8468591B2 (en) * | 2006-10-13 | 2013-06-18 | Computer Protection Ip, Llc | Client authentication and data management system |
| US9015703B2 (en) * | 2006-10-17 | 2015-04-21 | Manageiq, Inc. | Enforcement of compliance policies in managed virtual systems |
| WO2009018366A1 (fr) * | 2007-08-01 | 2009-02-05 | Signacert, Inc. | Methods and apparatus for lifecycle integrity verification of virtual machines |
Priority application: PCT/DK2010/050049 (WO), filed 2010-02-25, published as WO2010097090A2 (fr); status: not active, ceased.
Non-Patent Citations (1)
| Title |
|---|
| None |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2010097090A3 (fr) | 2010-11-25 |
Similar Documents
| Publication | Title |
|---|---|
| US11846975B2 (en) | Distributed security analysis for shared content |
| KR102504519B1 (ko) | Paravirtualized security threat protection of a computer-driven system with networked devices |
| US9424430B2 (en) | Method and system for defending security application in a user's computer |
| EP3179697B1 (fr) | Validating the identity of a mobile application for mobile application management |
| JP7565990B2 (ja) | Method for preventing root-level access attacks and measurable SLA security and compliance platform |
| US10691475B2 (en) | Security application for a guest operating system in a virtual computing environment |
| US9805199B2 (en) | Securely booting a computer from a user trusted device |
| JP2012508931A (ja) | Apparatus and method for combining a mobile device and a computer to create a secure per-user environment |
| GB2549546A (en) | Boot security |
| JPWO2006003914A1 (ja) | Quarantine system |
| JP6130050B2 (ja) | Host recovery using a secure storage device |
| RU130429U1 (ru) | Terminal and secure computer system including a terminal |
| US11822648B2 (en) | Systems and methods for remote anomaly data scanner for cyber-physical systems |
| Cheng et al. | Per-user network access control kernel module with secure multifactor authentication |
| US20240169071A1 (en) | Device risk-based trusted device verification and remote access processing system |
| WO2010097090A2 (fr) | Controlled computing environment |
| Pedone et al. | Trusted computing technology and proposals for resolving cloud computing security problems |
| Zhao | Authentication and Data Protection under Strong Adversarial Model |
| Jogi | Establishing, Implementing and Auditing Linux Operating System Hardening Standard for Security Compliance |
| KR101415403B1 (ko) | System and method for providing a shareable secure space |
| Pedone | and Proposals for Resolving Cloud |
| Halsey | Troubleshooting Viruses and Malware |
| Goktepe | Windows XP Operating System security analysis |
| Schiffman | Practical system integrity verification in cloud computing environments |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 10707435; Country of ref document: EP; Kind code of ref document: A2 |
| | 122 | Ep: PCT application non-entry in European phase | Ref document number: 10707435; Country of ref document: EP; Kind code of ref document: A2 |