Hardware Protection
Hardware protection can accomplish various things, including: write protection for hard disk drives, memory protection, monitoring and trapping unauthorized system calls, etc. Again, no single tool will be foolproof and the "stronger" hardware-based protection is, the more likely it will interfere with the "normal" operation of your computer. The popular idea of write-protection (see D3) may stop viruses *spreading* to the disk that is protected, but doesn't, in itself, prevent a virus from *running*. Also, some existing hardware protection schemes can be easily bypassed, fooled, or disconnected, if the virus writer knows them well and designs a virus that is aware of the particular defense.
The big problem with hardware protection is that there are few (if any) operations that a general-purpose computer can perform that are used by viruses *only*. Therefore, making a hardware protection system for such a computer typically involves deciding on some (small) set of operations that are "valid but not normally performed except by viruses", and designing the system to prevent these operations. Unfortunately, this means either designing limitations into the level of protection the hardware system provides or adding limitations to the computer's functionality by installing the hardware protection system.
Much can be achieved, however, by making the hardware "smarter". This is double-edged: while it provides more security, it usually means adding a program in an EPROM to control it. This allows a virus to locate the program and to call it directly after the point that allows access. It is still possible to implement this correctly though--if this program is not in the address space of the main CPU, has its own CPU and is connected directly to the hard disk and the keyboard. As an example, there is a PC-based product called ExVira which does this and seems fairly secure, but it is a whole computer on an add-on board and is quite expensive.
Dual Mode Operation
- Sharing system resources requires the operating system to ensure that an incorrect program cannot cause other programs to execute incorrectly.
- Provide hardware support to differentiate between at least two modes of operation.
1. User mode - execution done on behalf of a user.
2. Monitor mode (also supervisor mode or system mode) - execution done on behalf of the operating system.
I/O Protection
- All I/O instructions are privileged instructions.
- Must ensure that a user program could never gain control of the computer in monitor mode (i.e., a user program that, as part of its execution, stores a new address in the interrupt vector).
Memory Protection
- Must provide memory protection at least for the interrupt vector and the interrupt service routines.
- In order to have memory protection, add two registers that determine the range of legal addresses a program may access:
  - base register - holds the smallest legal physical memory address.
  - limit register - contains the size of the range.
- Memory outside the defined range is protected.
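The mode bit, the privileged register load and the base/limit check from the three sections above, modelled in C as an added example (not code from the original post). The memory size, the position of the interrupt vector and every name in it are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Added model of the checks above; every name and constant is hypothetical. */
enum mode { MONITOR_MODE, USER_MODE };
enum trap { TRAP_NONE, TRAP_ADDRESS, TRAP_PRIVILEGED };
#define MEM_WORDS 1024u

struct cpu {
    enum mode mode;            /* hardware mode bit */
    uint32_t base, limit;      /* smallest legal address, size of the range */
    uint32_t mem[MEM_WORDS];   /* words 0..15 stand in for the interrupt vector */
};

/* User mode: legal iff base <= addr < base + limit (subtraction cannot overflow). */
static int addr_ok(const struct cpu *c, uint32_t addr) {
    if (addr >= MEM_WORDS) return 0;
    if (c->mode == MONITOR_MODE) return 1;   /* the OS is unrestricted */
    return addr >= c->base && addr - c->base < c->limit;
}

/* Every store is checked; real hardware would also enter the OS trap handler. */
enum trap cpu_store(struct cpu *c, uint32_t addr, uint32_t value) {
    if (!addr_ok(c, addr)) return TRAP_ADDRESS;
    c->mem[addr] = value;
    return TRAP_NONE;
}

/* Loading base/limit is privileged: it traps in user mode. */
enum trap cpu_set_bounds(struct cpu *c, uint32_t base, uint32_t limit) {
    if (c->mode != MONITOR_MODE) return TRAP_PRIVILEGED;
    c->base = base; c->limit = limit;
    return TRAP_NONE;
}

/* Boot as the OS would: install a handler, set the user range, drop to user mode. */
void boot_user(struct cpu *c) {
    memset(c, 0, sizeof *c);       /* zeroed state is MONITOR_MODE */
    c->mem[3] = 0x40;              /* constructed handler address, vector slot 3 */
    cpu_set_bounds(c, 256, 128);   /* user program may touch words 256..383 */
    c->mode = USER_MODE;
}

/* Exit status 0 when a user-mode store to the interrupt vector traps. */
int main(void) {
    static struct cpu c;
    boot_user(&c);
    return cpu_store(&c, 3, 0x99) != TRAP_ADDRESS;
}
```

The base and limit registers only protect anything because loading them is itself privileged; if `cpu_set_bounds` worked in user mode, a program could widen its own range to cover the interrupt vector.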
CPU Protection
In series with the Central Processing Unit (CPU), in some applications, is a Voltage Regulator Module (VRM). A VRM DC-DC converter supplies the required voltage and current to a processor.
Problem/Solution
The VRM design approach removes cable inductance from the distribution and reduces board inductance. A load-change transient occurs when coming out of or entering a low power mode. For some CPUs this load-change transient can be on the order of 13A. These are not only quick changes in current demand, but also long-lasting average current requirements. Even during normal operation the current demand can still change by as much as 7A as activity levels change within the processor component. Maintaining voltage tolerance during these changes in current requires high-density bulk capacitors with low Effective Series Resistance (ESR). These high-current immediate demands on the circuits can cause components to fail. Circuit protection prevents the VRM from damaging the CPU in the event of a VRM fault. If the VRM fails, the processor tries to pull too much power. A PolySwitch device can be placed on the input pins to the VRMs that supply power to the processors, therefore protecting the processors. If there is a failure, only the VRM needs to be replaced, rather than the more expensive CPU.
Device Selection
Up to 12V and several amps are applied to the circuit. The RGE series, typically the RGE600–RGE900, is used in this application.
[Figure 1. Typical Schematic: Power Supply, PolySwitch device, Voltage Regulator Module, Processor]
Thursday, June 25, 2009