Use BIOS to Control Computer Security

Source: Internet
Author: User

Source: Yuzhou technology, Jiangxi Province


Looking at the security products on the market, from network firewalls to the various kinds of network encryption, personal digital certificates, and the early hard-disk locks, none of them gives the personal computer itself any substantial protection. Most of these mechanisms work on the same principle: a piece of software asks for a particular password and, once it has been verified, grants a valid identity that can then be used for all kinds of operations, such as shopping, sending and receiving documents, browsing, and even modifying confidential data. As everyone knows, such password-only mechanisms are fragile. Many key industries and departments therefore combine software with hardware, for example by setting up various smart-card authentication schemes: every bank employee holds an IC card that represents his or her electronic identity, and must swipe that card before entering the banking business system each working day. This raises security considerably, but the cost is too high for individuals or ordinary enterprises. Starting from how the BIOS works, this paper proposes a new computer protection mechanism with a high level of security.

I. Principles

The BIOS is the lowest-level software in the computer architecture. When a PC is powered on, its first task is the power-on self-test and initialization; after it has checked that every part of the machine is working, it hands control to the operating system, such as DOS or Windows. A PC without a BIOS cannot start at all and is just a pile of scrap metal. BIOS images are also generally not interchangeable: only the BIOS for the same motherboard model from the same manufacturer can be swapped in. The basic idea of this mechanism is to take the BIOS out of the host and store it, encrypted, on an external device such as a USB key disk. Without that disk the computer cannot be started; and because the device is encrypted, even someone holding a USB key disk that contains the BIOS cannot boot the machine without knowing the password. Because passwords and encryption algorithms differ from disk to disk, an encrypted key disk also prevents someone from booting the machine with another copy of the same type of BIOS.

II. Implementation

The BIOS is stored in an IC chip (usually flash) on the motherboard. It has two main parts: the BootBlock segment and the main BIOS. The BootBlock is stored uncompressed at a fixed address and is the first code executed when the computer starts. It performs the most basic initialization of the hardware, then decompresses the other modules of the main BIOS and runs them one by one (the article's first flow diagram, which is not included in this copy). Because of these properties the BootBlock itself need not be moved to the external device; instead, its initialization ability is used to bring up communication with the external device, for example a USB disk. The BootBlock must be modified, however: before it performs the BIOS checksum it has to read the user's password from the keyboard, transform it with some encryption algorithm, and send the result over the USB interface to decrypt the USB key disk. Once the USB key disk has accepted the password, the BIOS data it holds becomes readable and can be loaded into memory (the modified BootBlock flow was the article's second diagram, also not included here).

After the modification, the flash chip that used to hold the BIOS on the motherboard stores only the modified BootBlock code and no longer holds the main BIOS. Better still, the flash chip is dropped altogether and the code is written into a one-time-programmable PROM, so that no other software or virus can rewrite the code in this region. The specific encryption algorithm and password-verification scheme are left to each manufacturer. For instance, a parameter unique to the motherboard can be folded into the algorithm, so that each motherboard has exactly one matching set of USB key disks.
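The exchange the two paragraphs above describe, as an added host-side simulation (this is not the article's code, and no vendor's BootBlock is reproduced): the BootBlock reads a password, derives a key from it together with a board-unique parameter, presents that key to the key disk, and only then runs the usual BIOS checksum on the image the disk releases. The FNV-1a hash, the XOR keystream, the board identifier strings, the password and the 32-byte "BIOS image" are all assumptions made for the demo; a manufacturer would substitute real primitives and the board's own unique parameters.

```c
/* Added example (not the article's code): simulation of the modified BootBlock
 * talking to the USB key disk. Hash, cipher, board ids and password are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_SIZE 32   /* toy main-BIOS size; a real image is hundreds of KB */

enum boot_status { BOOT_OK = 0, BOOT_BAD_PASSWORD = 1, BOOT_BAD_CHECKSUM = 2, BOOT_IMAGE_MISMATCH = 3 };

/* The key disk holds the main BIOS encrypted, plus a verifier it uses to decide
 * whether to release the image at all. */
typedef struct {
    uint8_t  blob[IMG_SIZE];
    uint32_t verifier;
} key_disk_t;

/* FNV-1a: a toy stand-in for whatever hash/cipher a manufacturer would choose. */
static uint32_t fnv1a(uint32_t h, const void *data, size_t n) {
    const uint8_t *p = (const uint8_t *)data;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* key = H(password || "|" || board_id): the same password on another board of the
 * same model yields a different key, which is what binds one disk to one board. */
static uint32_t derive_key(const char *password, const char *board_id) {
    uint32_t h = fnv1a(2166136261u, password, strlen(password));
    h = fnv1a(h, "|", 1);
    return fnv1a(h, board_id, strlen(board_id));
}

static uint32_t verifier_of(uint32_t key) {
    return fnv1a(fnv1a(2166136261u, "verifier", 8), &key, sizeof key);
}

/* Toy keystream byte i = H(key || i), used as an XOR cipher. Illustration only. */
static uint8_t keystream(uint32_t key, uint32_t i) {
    return (uint8_t)fnv1a(fnv1a(2166136261u, &key, sizeof key), &i, sizeof i);
}

static void xor_image(uint32_t key, const uint8_t *in, uint8_t *out) {
    for (uint32_t i = 0; i < IMG_SIZE; i++) out[i] = in[i] ^ keystream(key, i);
}

/* Legacy BIOS/option-ROM convention: all bytes of the image sum to 0 mod 256. */
int bios_checksum_ok(const uint8_t *img, size_t n) {
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += img[i];
    return sum == 0;
}

/* Constructed sample image: a byte pattern with the last byte fixed up so the checksum passes. */
void make_toy_image(uint8_t *img) {
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < IMG_SIZE; i++) { img[i] = (uint8_t)(0xB0 + 7 * i); sum += img[i]; }
    img[IMG_SIZE - 1] = (uint8_t)(0u - sum);
}

/* Provisioning: done once, when the main BIOS is extracted from the board onto the disk. */
void key_disk_provision(key_disk_t *d, const uint8_t *plain, const char *password, const char *board_id) {
    uint32_t key = derive_key(password, board_id);
    xor_image(key, plain, d->blob);
    d->verifier = verifier_of(key);
}

/* Disk side: release (decrypt) the image only if the presented key checks out. */
static int key_disk_unlock(const key_disk_t *d, uint32_t key, uint8_t *out) {
    if (verifier_of(key) != d->verifier) return -1;
    xor_image(key, d->blob, out);
    return 0;
}

/* BootBlock side: read the password, derive the key with this board's own id, ask the
 * disk for the image, then run the normal checksum before executing the main BIOS. */
enum boot_status bootblock_boot(const key_disk_t *d, const char *typed_password,
                                const char *board_id, uint8_t *image_out) {
    uint32_t key = derive_key(typed_password, board_id);
    if (key_disk_unlock(d, key, image_out) != 0) return BOOT_BAD_PASSWORD;
    if (!bios_checksum_ok(image_out, IMG_SIZE)) return BOOT_BAD_CHECKSUM;
    return BOOT_OK;
}

/* Scenario helper: provision a disk for one board, then attempt a boot, optionally with
 * one byte of the stored blob corrupted. Also confirms the released image is the original. */
enum boot_status try_boot(const char *prov_pw, const char *prov_board,
                          const char *typed_pw, const char *board, int corrupt) {
    uint8_t plain[IMG_SIZE], got[IMG_SIZE];
    key_disk_t disk;
    make_toy_image(plain);
    key_disk_provision(&disk, plain, prov_pw, prov_board);
    if (corrupt) disk.blob[5] ^= 0x01;
    enum boot_status s = bootblock_boot(&disk, typed_pw, board, got);
    if (s == BOOT_OK && memcmp(got, plain, IMG_SIZE) != 0) return BOOT_IMAGE_MISMATCH;
    return s;
}

int main(void) {
    printf("right password, own board:   %d\n", try_boot("hunter2", "SN-0001", "hunter2", "SN-0001", 0));
    printf("wrong password:              %d\n", try_boot("hunter2", "SN-0001", "hunter3", "SN-0001", 0));
    printf("same model, other board:     %d\n", try_boot("hunter2", "SN-0001", "hunter2", "SN-0002", 0));
    printf("corrupted key disk:          %d\n", try_boot("hunter2", "SN-0001", "hunter2", "SN-0001", 1));
    return 0;
}
```

Two points the simulation makes visible. First, the 8-bit sum is the legacy BIOS integrity check: it catches a corrupted or truncated image, not deliberate tampering, since anyone who can rewrite the image can also fix up the sum; what protects the machine in this design is the key disk refusing to release the image and the image being unreadable without the derived key. Second, mixing the board's unique parameter into the key is what makes the "same model, other board" case fail even with the right password.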

The USB key disk is built in the same way as the software dongles (hardware keys) on the market, except that its storage capacity must be large enough to hold the main BIOS (the minimum figure in KB is missing from this copy of the article). Instead of a USB key disk you can of course also use CPU cards or SIM cards packaged with a small IC so that they attach through an LPT or COM interface. For example, Beijing jiqi company supplies a serial SIM IC that needs only a simple circuit to communicate with the COM port. The principle is the same as with the USB key disk; only the communication interface differs.

III. Extensions

The mechanism described above already provides computer protection. A few simple extensions make it more practical and raise the cost of defeating it.

Extension 1 uses the security feature of ATA/IDE hard disks. Modern BIOSes (both AMI and Award have this function) support the IDE hard-disk password, and it can be used here. The feature locks the IDE hard disk: the correct password must be entered during BIOS boot, otherwise the disk cannot be used. Until the password is verified the BIOS cannot even correctly identify the drive, and the operating system can neither use the drive nor damage its data; it may not know the drive exists at all. Strictly speaking this is a drive lock rather than data encryption: the drive refuses commands until it is unlocked, but on an ordinary drive the data on the platters is still stored in the clear.

The second extension is to modify the system BIOS so that it backs up hard-disk parameters, such as the partition table, to the USB key disk. Engineers who have done BIOS development know that the BIOS is the first code to run when the system is turned on and the last to run when it is turned off: apart from an unexpected power failure, both an OS shutdown and a press of the power button are handled by corresponding SMI handlers. Using this property, the BIOS reads the hard-disk parameters from the USB key disk and restores them to the disk at every power-on, and before every shutdown it backs them up to the key disk and then destroys that area of the disk. In this way the hard disk is unusable even if it is installed in another system, because the matching key disk is not there. Two caveats apply: a power failure skips the shutdown path, so the parameters stay intact on the drive that time; and the partition table is only metadata, which partition-recovery tools can rebuild by scanning the drive for file-system signatures, so this extension raises the attacker's cost rather than making the data unreadable.
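The backup, wipe and restore cycle of this second extension, as an added in-memory simulation (not the article's code): an MBR sector with its four primary partition entries at offset 0x1BE and the 0x55 0xAA signature at bytes 510 and 511 is parsed, its table is copied into a structure standing in for the key disk and destroyed on the "drive", and it is written back on the next power-on. The two-partition sample layout is constructed for the demo; the SMI handler and the real USB transfer are outside the simulation.

```c
/* Added example (not the article's code): partition-table backup/wipe/restore of the
 * second extension, simulated on an in-memory MBR sector. Sample layout is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE 512
#define PT_OFFSET   0x1BE   /* start of the four 16-byte primary partition entries */
#define PT_LEN      64

typedef struct {            /* what the BIOS writes to the key disk at shutdown */
    uint8_t table[PT_LEN];
    uint8_t sig[2];         /* the 0x55 0xAA boot signature at bytes 510-511 */
} pt_backup_t;

typedef struct {
    int      bootable;
    uint8_t  type;
    uint32_t lba_start;
    uint32_t sectors;
} part_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

int mbr_has_signature(const uint8_t *sector) {
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Parse the primary entries into out[]; returns how many slots are in use.
 * Only the fields the demo needs are decoded (the legacy CHS values are skipped). */
int mbr_parse(const uint8_t *sector, part_t out[4]) {
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PT_OFFSET + 16 * i;
        if (e[4] == 0) continue;                 /* partition type 0: empty slot */
        out[n].bootable  = (e[0] == 0x80);       /* 0x80 = active/bootable flag */
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

/* Shutdown path: copy table and signature to the key disk, then destroy them on the drive. */
void mbr_backup_and_wipe(uint8_t *sector, pt_backup_t *bak) {
    memcpy(bak->table, sector + PT_OFFSET, PT_LEN);
    bak->sig[0] = sector[510];
    bak->sig[1] = sector[511];
    memset(sector + PT_OFFSET, 0, PT_LEN);
    sector[510] = sector[511] = 0;
}

/* Power-on path: write the saved table back, only after the key disk has been unlocked. */
void mbr_restore(uint8_t *sector, const pt_backup_t *bak) {
    memcpy(sector + PT_OFFSET, bak->table, PT_LEN);
    sector[510] = bak->sig[0];
    sector[511] = bak->sig[1];
}

static void put_entry(uint8_t *e, int bootable, uint8_t type, uint32_t start, uint32_t count) {
    memset(e, 0, 16);
    e[0] = bootable ? 0x80 : 0x00;
    e[4] = type;
    put_le32(e + 8, start);
    put_le32(e + 12, count);
}

/* Constructed sample: a bootable FAT32 (0x0C) partition followed by a Linux (0x83) partition. */
void make_sample_mbr(uint8_t *sector) {
    memset(sector, 0, SECTOR_SIZE);
    put_entry(sector + PT_OFFSET,      1, 0x0C, 63,      2097152);
    put_entry(sector + PT_OFFSET + 16, 0, 0x83, 2097215, 4194304);
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

/* Full cycle check: returns 0 on success, otherwise the number of the stage that failed. */
int pt_roundtrip_check(void) {
    uint8_t disk[SECTOR_SIZE], original[SECTOR_SIZE];
    pt_backup_t keydisk;
    part_t parts[4];
    make_sample_mbr(disk);
    memcpy(original, disk, SECTOR_SIZE);
    if (mbr_parse(disk, parts) != 2 || parts[0].lba_start != 63 || !parts[0].bootable) return 1;
    mbr_backup_and_wipe(disk, &keydisk);                                    /* shutdown */
    if (mbr_parse(disk, parts) != 0 || mbr_has_signature(disk)) return 2;   /* drive now unusable */
    mbr_restore(disk, &keydisk);                                            /* next power-on */
    if (memcmp(disk, original, SECTOR_SIZE) != 0) return 3;
    return 0;
}

int main(void) {
    printf("partition table round trip: %s\n", pt_roundtrip_check() == 0 ? "ok" : "FAILED");
    return 0;
}
```

After the wipe the sector has neither entries nor signature, so a BIOS or OS on another machine sees an unpartitioned drive; after the restore it is byte-for-byte the original. The file-system boot sectors themselves are untouched by this scheme, which is why recovery tools that scan for them can rebuild the table.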
