US 6249868 Method and system for embedded, automated, component-level control of computer systems and other complex systems
ABSTRACT – A method and system for protecting and controlling personal computers (“PCs”) and components installed in or attached to PCs. The method and system may be used to protect PCs from use after being stolen. An exemplary embodiment of the system includes a server running on a remote computer and hardware-implemented agents embedded within the circuitry that controls the various devices within a PC. The agents intercept all communications to and from the devices into which they are embedded, passing the communications when authorized to do so, and blocking communications when not authorized, effectively disabling the devices. Embedded agents are continuously authorized from the remote server computer by handshake operations implemented as communications messages. When the PC is stolen or otherwise disconnected from the remote server, the embedded agents within the PC fail to receive further authorizations, disable the devices into which they are embedded, and effectively prevent any use of the stolen or disconnected PC. The method and system may also be used to control and manage access to software stored within the PC and to control and manage operation of hardware and software components within the PC.
Computer security is a very broad and complex field within which, during the past several decades, a number of important sub-fields have developed and matured. These sub-fields address the many different problem areas in computer security, employing specialized techniques that are particular to specific problems as well as general techniques that are applicable in solving a wide range of problems. The present application concerns a technique that can be used to prevent the theft and subsequent use of a personal computer (“PC”) or of various PC components included in, or attached to, a PC. This technique may make use of certain security-related techniques which have been employed previously to address other aspects of computer security, and this technique may itself be employed to address both computer security problems other than theft as well as various aspects of computer reliability, computer administration, and computer configuration. In addition, this technique may be applied to protecting other types of complex electronic and mechanical systems as well as computer software and other types of information encoded on various types of media.
PCs are ubiquitous in homes, offices, retail stores, and manufacturing facilities. Once a curiosity possessed only by a few hobbyists and devotees, the PC is now an essential appliance for business, science, professional, and home use. As the volume of PCs purchased and used has increased, and as PC technology has rapidly improved, the cost of PCs has steadily decreased. However, a PC is still a relatively expensive appliance, especially when the cost of the software installed on the PC and the various peripheral devices attached to the PC are considered. PCs, laptop PCs, and even relatively larger server computers have all, therefore, become attractive targets for theft.
FIG. 1 illustrates various types of security systems commonly employed to prevent theft of PCs and PC components. A PC 102 is mounted on a table 104 and is connected to a keyboard-input device 106 and a display monitor 108. The PC 102is physically secured to the table 104 with a hinged fastening device 110, which can be opened and locked by inserting a key 112 into a lock 114. The display monitor 108 is physically attached to the table via a cable 116 and cylindrical combination lock 118 system. Serial numbers 120 or 122 are attached to, or imprinted on, the side of the PC 102 and the side of the display monitor 108, respectively. Finally, there is a software-implemented lock and key system for controlling access to the operating system and hence to the various application programs available on the PC 102. Typically, a graphical password-entry window 124 is displayed on the screen 126 of the display monitor 108. In order to use the computer, the user types a password via the keyboard 106 into the password sub-window 128 of the password-entry window 124. The user then depresses a keyboard key to indicate to a security program that password entry is complete. As the user types the password, each letter of the password appears at the position of a blinking cursor 130. The characters of the password are either displayed explicitly, or, more commonly, asterisks or some other punctuation symbol are displayed to indicate the position within the password in which a character is entered so that an observer cannot read the password as it is entered by the user. The security program checks an entered password against a list of authorized passwords and allows further access to the operating system only when the entered password appears in the list. In many systems, both a character string identifying the user and a password must be entered by the user in order to gain access to the operating system.
The common types of security systems displayed in FIG. 1 are relatively inexpensive and are relatively easily implemented and installed. They are not, however, foolproof and, in many cases, may not provide even adequate deterrents to a determined thief. For example, the key 112 for the hinged fastening device 110can be stolen, or the fastening device can be pried loose with a crowbar or other mechanical tool. A clever thief can potentially duplicate the key 112 or jimmy the lock 114. The cable 116 can be cut with bolt cutters or the cylindrical combination lock 118 can be smashed with a hammer. Often, the combination for the cylindrical combination lock 118 is written down and stored in a file or wallet. If that combination is discovered by a thief or accomplice to theft, the cylindrical combination lock will be useless. In the situation illustrated in FIG. 1, if the table is not bolted to the floor, a thief might only need to pick up the display monitor 108, place it on the floor, slide the cable down the table leg to the floor, and lift the table sufficiently to slip the cable free. While this example might, at first glance, seem silly or contrived, it is quite often the case that physical security devices may themselves be more secure than the systems in which they are installed, taken as a whole. This commonly arises when security devices are installed to counter certain obvious threats but when less obvious and unexpected threats are ignored or not considered.
While the serial numbers 120 and 122, if not scraped off or altered by a thief, may serve to identify a PC or components of the PC that are stolen and later found, or may serve as notice to an honest purchaser of second-hand equipment that the second-hand equipment was obtained by illegal means, they are not an overpowering deterrent to a thief who intends to use a purloined PC or PC component at home or to sell the purloined PC to unsavory third parties.
Password protection is commonly used to prevent malicious or unauthorized users from gaining access to the operating system of a PC and thus gaining the ability to examine confidential materials, to steal or corrupt data, or to transfer programs or data to a disk or to another computer from which the programs and data can be misappropriated. Passwords have a number of well-known deficiencies. Often, users employ easily remembered passwords, such as their names, their children’s names, or the names of fictional characters from books. Although not a trivial undertaking, a determined hacker can often discover such passwords by repetitive trial and error methods. As with the combination for the cylindrical combination lock 118, passwords are often written down by users or revealed in conversation. Even if the operating system of the PC is inaccessible to a thief who steals the PC, that thief may relatively easily interrupt the boot process, reformat the hard drive, and reinstall the operating system in order to use the stolen computer.
More elaborate security systems have been developed or proposed to protect various types of electrical and mechanical equipment and to protect even living creatures. For example, one can have installed in a car an electronic device that can be remotely activated by telephone to send out a homing signal to mobile police receivers. As another example, late model Ford and Mercury cars are equipped with a special electronic ignition lock, which is activated by a tiny transmitter, located within a key. As still another example, small, integrated-circuit identification tags can now be injected into pets and research animals as a sort of internal serial number. A unique identification number is transmitted by these devices to a reading device that can be passed over the surface of the pet or research animal to detect the unique identification number. A large variety of different data encryption techniques have been developed and are commercially available, including the well known RSA public/private encryption key method. Devices have been built that automatically generate computer passwords and that are linked with password devices installed within the computer to prevent hackers from easily discovering passwords and to keep the passwords changing at a sufficient rate to prevent extensive access and limit the damage resulting from discovery of a single password.
While many of these elaborate security systems are implemented using highly complex circuitry and software based on complex mathematical operations, they still employ, at some level, the notion of a key or password that is physically or mentally possessed by a user and thus susceptible to theft or discovery. A need has therefore been recognized for a security system for protecting PCs and components of PCs from theft or misuse that does not depend on physical or software implemented keys and passwords possessed by users. Furthermore, a need has been similarly recognized for intelligent security systems to protect the software that runs on PCs and to protect other types of complex electronic and mechanical systems, including automobiles, firearms, home entertainment systems, and creative works encoded in media for display or broadcast on home entertainment systems.
SUMMARY OF THE INVENTION
One embodiment of the present invention provides a security system for protecting a PC and components installed in or attached to the PC from use after being stolen. Agents are embedded within various devices within the PC. The agents are either hardware-implemented logic circuits included in the devices or firmware or software routines running within the devices that can be directed to enable and disable the devices in which they are embedded. The agents intercept communications to and from the devices into which they are embedded, passing the communications when authorized to do so in order to enable the devices, and blocking communications when not authorized, effectively disabling the devices. Embedded agents are continuously authorized from a remote server computer, which is coupled to embedded agents via a communications medium, by handshake operations implemented as communications messages. When the PC is disconnected from the communications link to the remote server, as happens when the PC is stolen, the devices protected by embedded agents no longer receive authorizations from the remote server and are therefore disabled. User-level passwords are neither required nor provided, and the security system cannot be thwarted by reinstalling the PC’s operating system or by replacing programmable read only memory devices that store low-level initialization firmware for the PC.
Alternative embodiments of the present invention include control and management of software and hardware on a pay-to-purchase or pay-per-use basis, adaptive computer systems, and control and security of electrical and electro-mechanical systems other than computers. A computer system may be manufactured to include various optional hardware and software components controlled by embedded agents and initially disabled. When the purchaser of the computer system later decides to purchase an optional, preinstalled but disabled component, the manufacturer can enable the component by authorizing an associated embedded agent upon receipt of payment from the owner of the system. Similarly, the owner of the computer system may choose to rent an optional component for a period of time, and that component can then be authorized for the period of time by the manufacturer upon receipt of payment. Software may be manufactured to require authorization from a server via an embedded agent either located within the disk drive on which the software is stored or located within the software itself. Computer systems may automatically adjust their configuration in response to changes in workload by enabling and disabling components via embedded agents. Finally, systems other than computers, including industrial machine tools, processing equipment, vehicles, and firearms may be controlled and secured by embedding agents within one or more components included in the systems.