A major source of infection is the floppy disk. With the virus protection schema we can guarantee that certain areas of the disk remain virus free and that general partitions become contained units, rendering partition to partition infection impossible. Infecting an active partition is, however, still possible via a floppy disk. A few possible methods of reducing, or removing the chance of infection by this method are presented below. They all depend on the addition of the floppy disk controlling hardware onto the supervisor card.
4.3.0 DENIAL OF ALL REQUESTS IN SUPERVISED MODE
This is the simplest solution. All requests to read or write, from or to, a floppy disk, whilst in Supervised mode, are denied. This ensures that infection of the active partition cannot take place. It does, however, also prevent the backing up or restoring of software, or the introduction of valid files. This would therefore require the Unsupervised user to introduce all software, and back up all files on a regular basis. This method of restriction would heavily reduce the functionality of the machine, and would impinge on the freedom of the user in the completion of tasks. It is, however, the most rigorous solution, and could be implemented, provided the Unsupervised user was particularly diligent and regularly available.
4.3.1 RESTRICTED ACCESS IN SUPERVISED MODE
With the security shell implemented, as mentioned above, it is possible to provide a restricted access mechanism, in one of two ways.
One way would be to restrict access to certain users. This could be implemented by the addition of a row to the access table where access to the floppy drive can be granted on an individual user basis. The advantage of this would be that a subset of trusted users could have backup abilities, whilst ensuring less trustworthy users, or those who would not require such access, do not. This would reduce the chance of infection and maintain a small, well defined group who are responsible for the state of the machine. No partitions, save 'Read Only' ones, could be guaranteed virus free by this mechanism.
A second way would be to restrict access to sessions on the machine where certain partitions are active. This could be implemented by the addition of a column to the access table. Dependent on the choice of active partition, a user may or may not be granted permission to access the floppy drive. This has the advantage that certain partitions, without floppy permission, can be guaranteed virus free as for the floppy scheme presented in section 4.3.0. These partitions would have to be backed up by the unsupervised user. Certain other partitions would have permission, and in this case backing up and maintaining a virus free condition would be the responsibility of the users. For example, continuing with the access table in figure 4.4, partitions 'Word', 'Accounts' and 'Dbase' could have floppy access denied and be maintained by the unsupervised user, whilst partitions 'Dave', 'Fred' and 'John' would have floppy access and would be the responsibility of the user assigned to them. The 'Games' partition would probably be given access rights, as this partition would have very low security associated with it, allowing users to introduce games, and possibly viruses, at will. This would prevent employees being tempted to introduce the games elsewhere, risking infection within partitions where important data is kept.
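The three policies of sections 4.3.0 and 4.3.1 (deny everything in Supervised mode; grant per user via an extra row; grant per active partition via an extra column) can be written out as the check the supervisor card would apply to each floppy request. The following is an added example and not code from the paper: the partition names are those the text quotes from figure 4.4, while the user names and the particular grants in the two tables are constructed for illustration.

```python
"""Added example, not from the paper: the floppy access policies of
sections 4.3.0 and 4.3.1 modelled as a per-request check, plus the
reasoning about which partitions each policy keeps virus free."""

# Partition names as quoted from figure 4.4 in the text.
PARTITIONS = ["Word", "Accounts", "Dbase", "Dave", "Fred", "John", "Games"]

# 4.3.1, first mechanism: an extra ROW in the access table granting
# floppy access per user.  Constructed: 'backup' is the one member of
# the small trusted group responsible for the state of the machine.
FLOPPY_BY_USER = {"backup": True, "dave": False, "fred": False, "john": False}

# 4.3.1, second mechanism: an extra COLUMN granting floppy access per
# active partition, following the split the text proposes for figure 4.4.
FLOPPY_BY_PARTITION = {
    "Word": False, "Accounts": False, "Dbase": False,
    "Dave": True, "Fred": True, "John": True, "Games": True,
}

POLICIES = ("deny_all", "by_user", "by_partition")


def floppy_request_allowed(policy: str, supervised: bool,
                           user: str, active_partition: str) -> bool:
    """Decide one read/write request to the floppy drive.

    The unsupervised user is never restricted: under every scheme in the
    text, backups and the introduction of software are their job."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if active_partition not in FLOPPY_BY_PARTITION:
        raise ValueError(f"unknown partition {active_partition!r}")
    if not supervised:
        return True
    if policy == "deny_all":                       # section 4.3.0
        return False
    if policy == "by_user":                        # section 4.3.1, row
        return FLOPPY_BY_USER.get(user, False)     # unknown user: no access
    return FLOPPY_BY_PARTITION[active_partition]   # section 4.3.1, column


def guaranteed_virus_free(policy: str) -> set:
    """Partitions that no Supervised-mode session can ever reach from a
    floppy, and which the policy can therefore guarantee virus free.

    Per-user grants give no such guarantee (the text's 'Read Only'
    partitions aside, which are not modelled here): a trusted user's
    session can write to whichever partition is active."""
    if policy == "deny_all":
        return set(PARTITIONS)
    if policy == "by_user":
        return set()
    if policy == "by_partition":
        return {p for p in PARTITIONS if not FLOPPY_BY_PARTITION[p]}
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", sorted(guaranteed_virus_free(policy)))
    print("dave on Games, by_partition:",
          floppy_request_allowed("by_partition", True, "dave", "Games"))
```

The per-partition column is the only one of the two table extensions from which `guaranteed_virus_free` can return anything, which is the trade-off the text draws between the two mechanisms.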
4.3.2 FULL ENCRYPTED ACCESS IN SUPERVISED MODE
Ideally one would wish for complete virus protection, rather than containment, whilst allowing the backing up, and restoring, to and from, floppy disk. This could be implemented using a reasonably complex method involving encryption.
The implementation of this method requires that a portion of the Z80 ROM be filled with a random sequence, different for each ROM. The supervisor would segment this
In supervised mode, all Write requests to a floppy disk would cause the data to be encrypted, before transfer, using the machine number and partition number corresponding to the active partition, as the lock and key to the encryption algorithm. All Read requests would be similarly decrypted. See figure 4.6.
[Figure 4.6 is a flowchart; the image is not reproduced here. Labels recoverable from it: inputs 'ROM machine number' and the active partition number (partition 1 ... partition X ... max partition; Active P = X). WRITE REQUEST: 'Unsup Mode ?'; if not, ENCRYPT, then Write to Disk, then Stop. READ REQUEST: Read From Disk; 'Unsup Mode ?'; if not, DECRYPT, then Stop.]
Figure 4.6 : Encryption of Floppy Disk Data in Supervised Mode
Thus, a floppy disk formatted, and written to, by a supervised user, may only be read when the disk is returned to the same machine, with the same partition active. This means that no software may be introduced into a partition, unless it originated from that partition. It also means that this particular floppy disk cannot cause a virus to be spread, within the machine, or to an outside machine, as it is unreadable outwith its defined partition.
A partition with encryption implemented can therefore be guaranteed virus-free, whilst allowing users of the partition floppy access for vital backing up and restoring. It should also be noted that important, sensitive data cannot be removed from the partition and read elsewhere, providing a secure way of preventing theft and careless spread of data.
Using the ROM as storage of the random sequence ensures that no user can gain access to the sequence, whilst guaranteeing that, even after a disk crash, data can be retrieved from backup floppies. If the unsupervised user altered the partition structures after such a crash, the partition which encrypted the floppy disk might no longer exist. The unsupervised user would be provided with a utility which would decrypt any floppy encrypted on the machine by trying all possible unique partition numbers, which could be used either for restoring after a crash, or for introducing information into a different partition. New software could only be introduced by the unsupervised user, which is the ideal case.
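The write and read paths of figure 4.6 and the unsupervised user's recovery utility described above can be shown together in code. What follows is an added example, not the paper's own implementation: the paper does not name its encryption algorithm, so this substitutes an HMAC-SHA256 counter-mode keystream with an HMAC tag (my choice, not the paper's), keyed from exactly the two inputs the text names, the per-ROM random sequence and the active partition number. The tag is what lets the recovery utility tell which partition number is right; in the paper's scheme a mismatched floppy instead appears unformatted. Sector numbers are mixed into the keystream so two sectors holding the same data do not encrypt identically. The ROM secrets and sector contents used in the demonstration are constructed.

```python
"""Added example, not from the paper: a stand-in for the section 4.3.2
scheme using HMAC-SHA256 (keystream and tag) in place of the paper's
unnamed cipher.  Key = f(ROM random sequence, active partition)."""
import hashlib
import hmac

TAG_LEN = 16   # bytes of tag stored ahead of each sector (assumption)


def derive_partition_key(rom_secret: bytes, partition: int) -> bytes:
    """One key per (machine, partition) pair.  rom_secret is the random
    sequence the supervisor keeps in the Z80 ROM; mixing in the partition
    number gives each partition its own key, as figure 4.6 requires."""
    return hmac.new(rom_secret, b"partition:%d" % partition,
                    hashlib.sha256).digest()


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Counter-mode keystream bound to the sector number, so identical
    plaintext in two sectors never yields identical ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, b"%d:%d" % (sector, counter),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt_sector(rom_secret: bytes, partition: int, sector: int,
                   plaintext: bytes) -> bytes:
    """Supervised-mode WRITE path of figure 4.6: returns tag || ciphertext."""
    key = derive_partition_key(rom_secret, partition)
    ks = _keystream(key, sector, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"%d:" % sector + ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def decrypt_sector(rom_secret: bytes, partition: int, sector: int,
                   stored: bytes):
    """Supervised-mode READ path of figure 4.6.  Returns the plaintext,
    or None when the sector was not written under this machine and
    partition (the disk the text describes as 'appearing unformatted')."""
    key = derive_partition_key(rom_secret, partition)
    tag, ct = stored[:TAG_LEN], stored[TAG_LEN:]
    expected = hmac.new(key, b"%d:" % sector + ct,
                        hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, sector, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def recover_any_partition(rom_secret: bytes, max_partition: int,
                          sector: int, stored: bytes):
    """The unsupervised user's recovery utility: try every partition
    number this machine could have used and return (partition, plaintext)
    for the one whose tag verifies, or None if the floppy was written on
    another machine."""
    for partition in range(1, max_partition + 1):
        pt = decrypt_sector(rom_secret, partition, sector, stored)
        if pt is not None:
            return partition, pt
    return None


if __name__ == "__main__":
    rom = b"constructed ROM sequence for machine A"   # constructed
    data = b"ACCOUNTS.DAT: constructed sector contents"  # constructed
    disk_sector = encrypt_sector(rom, 3, 0, data)
    print("same machine, partition 3:", decrypt_sector(rom, 3, 0, disk_sector))
    print("same machine, partition 4:", decrypt_sector(rom, 4, 0, disk_sector))
    print("recovery utility:", recover_any_partition(rom, 8, 0, disk_sector))
```

The utility only succeeds with the same ROM secret, which is the property the text relies on: a floppy is readable on the machine that wrote it and nowhere else, whether or not the original partition still exists.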
It is probably desirable that only certain partitions be protected in this manner, as it would require a reasonable amount of diligence from the user to mark floppies with the machine and partition indicated. Failure to do this would mean that a floppy introduced into an incorrect partition would appear unformatted and could be mistaken for a blank disk. Partitions requiring only low security, such as a games partition, could be left unprotected. Implementation would require the addition of a row in the access table indicating whether encryption would be required.
This method provides the desired level of protection and is reasonably transparent to the user and operating system. All that is required is that a user is fully aware that a floppy disk, once formatted, can be used solely when using the machine and partition