| 词条 | Host protected area |
| 释义 |
The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001.[1] How it worksThe IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a host protected area. The commands are:
Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive. This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA. The HPA is useful only if other software or firmware (e.g. BIOS) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value. Use{{anchor|BEER|PARTIES}}{{Refimprove section|date=November 2016}}
Identification and manipulationIdentification of HPA on a hard drive can be achieved by a number of tools and methods. Note that the HPA feature can be hidden by DCO commands (documentation states only if the HPA is not in use), and can be "frozen" (until next power-down of the hard disk) or be password protected. Identification tools
Identification methodsThe Windows program ATATool can detect an HPA. For instance, to see if the first disk has an HPA use the command: Using Linux, there are various ways to detect the existence of an HPA. Recent versions of Linux will print a message when the system is booting if an HPA is detected. For example: dmesg | less[...] hdb: Host Protected Area detected. current capacity is 12000 sectors (6 MB) native capacity is 120103200 sectors (61492 MB) The program hdparm (versions 8.0 and above) will detect an HPA on drive sdX when invoked with these parameters: For versions of hdparm below 8, one can compare the number of sectors output from 'hdparm -I' with the number of sectors reported for the hard drive model's published statistics. Manipulation methodsThe Windows program ATATool can be used to create a HPA. For instance, to create a 10GB HPA: The Linux program hdparm (version >= 8.0) will create an HPA when invoked with these parameters: (sdX: target drive, #: number of non-HPA visible sectors) See also
References1. ^{{cite web|url=https://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf|title=Host Protected Areas|website=Utica.edu|format=PDF}} 2. ^1 Blunden, Bill. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. 1st ed. Jones & Bartlett Publishers, 2009 p.538 3. ^{{cite book|last1=Nelson|first1=Bill|last2=Phillips|first2=Amelia|last3=Steuart|first3=Christopher|title=Guide to computer forensics and investigations|date=2010|publisher=Course Technology, Cengage Learning|location=Boston|isbn=1-435-49883-6|page=334|edition=4th}} 4. ^https://www.schneier.com/blog/archives/2014/02/swap_nsa_exploi.html External links
4 : AT Attachment|Computer forensics|Computer security procedures|Information technology audit |
| 随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。