Using Software Disk Protect for Classified DOS Processing

Bruce Gabrielson, PhD
Security Engineering Services, Inc.
PO Box 550
Chesapeake Beach, MD 20732

June 17, 1993

Introduction

Specifying the use of a removable hard drive for computer systems which only occasionally process classified information represents an expense that may not always be necessary on non-Windows-based information systems. Other possible solutions should be considered before making a final decision on how to implement processing security measures.

Certain application programs are readily available which are intended to block writing attempts to the system hard disk. The intent when using these programs is to place emphasis on procedural requirements and the user rather than the equipment. Procedural measures assume that normal system users do not intentionally try to circumvent their own security protection measures. When used correctly these programs work very well, and are now becoming widely accepted for stand alone computer systems.

The Programs and How They Work

The two common programs used to prevent writing to hard disks are PROTECT.COM and WPHD.COM. Both programs are similar. Each traps interrupt 13, the normal interrupt used for writing to the hard disk. Other interrupts also commonly route their disk writes through this interrupt. Most (but not all) applications use this interrupt for hard disk writing.

The architecture of the typical IBM-type PC is such that any user may access the controller directly. For example, PCs use interrupt D or interrupt E to access the hard disk controller. These interrupts could also be used (but seldom are) by very specific applications, and they sit at a lower level than interrupt 13. Therefore, an interrupt 13 protection program cannot stop the direct use of the controller hardware through a lower level interrupt.

MS-DOS applications also sometimes trap interrupts. This is a common programming technique, and could conceivably interfere with the use of the protection program. However, if the protection application is run at boot-up, the chances of circumventing the program are minimal.

Emphasis

Placing control and operational constraints on classified processing activities is not as complicated as it sounds. When using the protection program, the AIS may be operated in both an unclassified and a classified security mode as needed without changing equipment. However, during classified operation the system will need to operate in a stand alone dedicated mode. This means it must not be connected to a network, and must be limited to one user at any given time (no concurrent processing by more than one user). This approach to security emphasizes the user's conscientiousness and active part in the classified processing operation.

Unusual Conditions

While most applications programs work well with the disk protection programs, a few have special problems. For instance, Windows has the peculiar ability to turn off the protection upon exiting if it was enabled after Windows was started. Also, the memory manager function seems to work in "strange ways" for some Windows-based applications.

COMMAND.COM can be run in such a way that it re-executes the startup files (COMMAND /p /msg). If the startup files are responsible for executing the protection program then they may run it again. Since both programs toggle when run, this would have the effect of turning the program off.
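To make the mechanism concrete, the following is an added simulation written for this edition, not code from PROTECT.COM or WPHD.COM. It models the interrupt 13 register interface (AH = function, DL = drive, with 80h and above being hard disks) so the filter described in "The Programs and How They Work" can be exercised, and it models the toggle behavior described above so the effect of running the program twice can be seen. Function numbers and the "write protected" status code are the standard BIOS values; the register structures and function names are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the INT 13h register interface: AH = function, DL = drive
 * (00h-7Fh are floppies, 80h and above are hard disks). Only the fields the
 * filter inspects are kept. */
typedef struct { uint8_t ah; uint8_t dl; } regs13_t;
typedef struct { uint8_t ah; bool carry; } result13_t;   /* CF set + AH = status */

enum { FN_READ = 0x02, FN_WRITE = 0x03, FN_FORMAT = 0x05 };
enum { ERR_WRITE_PROTECT = 0x03 };   /* BIOS status code for "write protected" */

static int  hard_disk_writes  = 0;       /* writes that reached the simulated BIOS */
static bool protect_installed = false;

/* Stand-in for the original BIOS handler: it does whatever it is asked. */
static result13_t bios_int13(regs13_t r) {
    result13_t ok = { 0x00, false };
    if (r.dl >= 0x80 && (r.ah == FN_WRITE || r.ah == FN_FORMAT))
        hard_disk_writes++;
    return ok;
}

/* The hooked vector: refuse write/format to any hard disk, chain everything else.
 * Only requests arriving through INT 13h pass here; as the text notes, port-level
 * controller access never reaches this filter. */
static result13_t hooked_int13(regs13_t r) {
    if (protect_installed && r.dl >= 0x80 && (r.ah == FN_WRITE || r.ah == FN_FORMAT)) {
        result13_t refused = { ERR_WRITE_PROTECT, true };
        return refused;
    }
    return bios_int13(r);
}

/* Running PROTECT flips the state, so a second run switches protection off. */
static void run_protect(void) { protect_installed = !protect_installed; }

/* Returns 1 when the write was refused with the write-protect status, else 0. */
static int try_write(uint8_t drive) {
    regs13_t r = { FN_WRITE, drive };
    result13_t res = hooked_int13(r);
    return (res.carry && res.ah == ERR_WRITE_PROTECT) ? 1 : 0;
}

/* Returns 1 when a read was refused (it never should be), else 0. */
static int try_read(uint8_t drive) {
    regs13_t r = { FN_READ, drive };
    return hooked_int13(r).carry ? 1 : 0;
}

static int writes_reached_disk(void) { return hard_disk_writes; }
```

The operational check in Step 9 of the start up procedures corresponds to calling try_write on drive 80h after one run of the program and expecting a refusal.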

Other programs, such as WordPerfect, simply display error messages that are simple to work around. For applications programs planned for classified processing activities, it is best to try the program first using protection just to make sure it works as intended. The most important point is that the protection must be manually executed immediately after system boot to be enforced correctly.

Operating Procedures

To effectively use the program with a particular AIS, it is best to prepare a boot disk directly from the system to be protected. Once prepared, and the protection program added, this operating software will be dedicated to only the protection function. The boot disk will be treated as classified material and will be kept in authorized secure storage when not in use.

The boot disk containing the write protect program will be itself write protected. After the program is manually initiated, the disk should be removed from the floppy drive prior to initiating any user programs. It is important to note that the program will not protect the hard disk against a low level format or against some viruses.

Formal start up procedures should be prepared and incorporated into the standard operating procedures for classified processing. Typical steps for start up and shut down are provided below.

Start up Procedures

Step 1 - Verify that there are no unauthorized personnel within viewing distance of the ADP system.

Step 2 - Inspect the equipment to ensure that the power cord, mouse cord, and printer cable are visible and have not been patched or tampered with, and that no unauthorized equipment or cables are attached to the microcomputer. This includes physically disconnecting any modem.

Step 3 - Put all unclassified disks away to avoid mixing them with classified ones.

Step 4 - Turn the Printer and the Processor OFF.

Step 5 - Turn the Printer on.

Step 6 - Place the Classified Operating Systems Disk in the top floppy disk drive. [Never use an Unclassified Systems Disk when processing classified material.]

Step 7 - Turn the Processor on allowing the processor to test itself. Watch for the system to indicate a successful self test and system load.

Step 8 - After the system boots up and the correct date and time have been entered, type PROTECT. When the screen indicates write protect has been installed, remove the system boot disk.

Step 9 - Start an applications program and try to copy a file to the hard disk. If a message appears indicating the operator cannot write a file to the hard disk, the system is considered operational in a potentially classified mode.

Note: In some word processing applications, a new disk must be inserted into the floppy drive before the program will work correctly.

Step 10 - Provided that Step 9 is successfully completed, record the required information in the System Security Operator's Log. If Step 8 is not successfully completed, notify the Security Officer immediately. Do not proceed.

Step 11 - Insert the classified floppy disk used for program outputs into the floppy disk drive and make all appropriate entries in the audit trail (operator's log) as necessary.

With the AIS in a classified processing mode, the hard disk resident applications programs may be used to develop classified text or figures. The operator must remain at the processor work station throughout a classified processing session. The operator may leave the processor only when it has been properly declassified or is under continuous observation by an authorized user.

Shut-Down Procedures

Step 1 - After examining the hard disk for any unauthorized files, remove all Classified Data Disks and the Classified System Disk. Exit the applications program.

Step 2 - Turn the power switch of the processor to the OFF position.

Step 3 - Turn the power switch of the printer to the OFF position.

Step 4 - Remove any classified printer ribbons from the printer if applicable (provided printing has been performed).

Step 5 - Turn the printer on and verify that the front panel lights flash on and off. This indicates that the printer has passed its internal self-test.

Step 6 - Turn the processor unit on, without a floppy system disk installed. Wait for the screen to indicate that the processor has completed its power-on self-test.

Step 7 - Complete the Audit Trail entries.

Step 8 - Remove all classified material from the work station area and secure in approved storage.