CN106484477B - The software download and starting method of safety - Google Patents

The software download and starting method of safety

Info

Publication number
CN106484477B
Authority
CN (China)
Prior art keywords
download, program, equipment, download instruction, field
Legal status
Active
Application number
CN201610885227.8A
Other languages
Chinese (zh)
Other versions
CN106484477A (en)
Inventor
王吉健
Current Assignee
Shanghai Huahong Integrated Circuit Co Ltd
Original Assignee
Shanghai Huahong Integrated Circuit Co Ltd
Priority date
2016-10-11
Filing date
2016-10-11
Publication date
2019-11-12

Events
Application filed by Shanghai Huahong Integrated Circuit Co Ltd
Priority to CN201610885227.8A
Publication of CN106484477A
Application granted
Publication of CN106484477B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention discloses a secure software download and start-up method comprising the following steps. Step 1: a hardware logic circuit verifies the start-up program, which is implemented in software. Step 2: the start-up program or the hardware logic circuit reads the download attribute field. Step 3: if the download attribute field indicates that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it; if the download attribute field indicates that the device is in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it. The invention resists attacks carried out on the device by an attacker using various means and improves the security of the device.

Description

The software download and starting method of safety
Technical field
The present invention relates to the field of security chip design, and in particular to a secure software download and start-up method.
Background art
An attacker can alter the program held in a device's memory by physical means in order to achieve an illegitimate goal. Such an attack is generally carried out while the device is powered off.
In addition, after manufacture a device typically has to run a different application program for each user, according to that user's individual requirements. These application programs are all stored in the device's non-volatile memory. This means that, after manufacture, the device has a download channel through which the user downloads the application program.
This download channel can likewise be exploited by an attacker to download an illegitimate program and so defeat the security of the device.
How to prevent these attack means, so that the device is more secure, is precisely the problem this invention sets out to solve.
Summary of the invention
The technical problem to be solved by the present invention is to provide a secure software download and start-up method that resists attacks carried out on the device by an attacker using various means and improves the security of the device.
To solve this technical problem, the secure software download and start-up method of the invention comprises the following steps:
Step 1: a hardware logic circuit verifies the start-up program, which is implemented in software;
Step 2: the start-up program or the hardware logic circuit reads the download attribute field;
Step 3: if the download attribute field indicates that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it;
if the download attribute field indicates that the device is currently in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it.
An alternative scheme of the secure software download and start-up method comprises the following steps:
Step A: the hardware logic circuit reads the download attribute field;
Step B: the hardware logic circuit verifies the start-up program, which is implemented in software;
Step C: if the download attribute field indicates that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it;
if the download attribute field indicates that the device is currently in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it.
With the method of the invention, the start-up program implemented in software is verified by a hardware logic circuit, which guarantees that the start-up program has not been tampered with by an attacker. This is because a hardware logic circuit, compared with a software program, is not easily attacked.
With the method of the invention, it is difficult for an attacker to use the device's original download instruction handler, by whatever attack means, to mount an attack that obtains the device's confidential information. Moreover, because the programs run during start-up are verified, any tampering with the device's programs that an attacker performs while the device is powered off is detected during start-up, and the tampered program is not executed. All of this makes the device more secure.
Description of the drawings
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments:
Fig. 1 is a schematic flow diagram of the secure software download and start-up method;
Fig. 2 is a flow diagram of the download instruction handler in Fig. 1.
Specific embodiments
The secure software download and start-up method involves a hardware check, a software start-up program and a download instruction handler. With this method, secure software download and secure self-start can be achieved. A device using the method stores a download attribute field in non-volatile memory; it also stores the start-up program, the download instruction handler and the application program, each with its own length field and self-check field.
Referring to Fig. 1, after a device using the secure software download and start-up method is powered on, the hardware logic circuit first verifies the start-up program implemented in software. Because a hardware logic circuit is, compared with a software program, not easily attacked, having the hardware logic circuit verify the software start-up program first guarantees that the start-up program has not been tampered with by an attacker. The start-up program or the hardware logic circuit then reads the download attribute field. If the start-up program does the reading, this step must come after the step in which the hardware logic circuit verifies the start-up program; if the hardware logic circuit does the reading, this step and the verification of the start-up program can be exchanged in order. The reason is that when the hardware logic circuit does the reading, the two orders are equally secure, whereas when the software start-up program does the reading, the security of the start-up program rests on the check result produced by the hardware logic circuit, so the order cannot change.
The download attribute field must be represented redundantly with multiple bits, with the "downloadable" condition defined as equality with a particular fixed number and every other value meaning "not downloadable". This way, when the non-volatile memory comes under attack, a security problem is unlikely to result. The security problem in question is that, when the device should be in the stage in which no application program can be downloaded, an attack turns it into a device that can download an application program. If a single bit were used as the download attribute field, that one bit could easily be flipped by an attack, creating the security problem. With more bits, for example a 32-bit representation, forcing all 32 bits to one particular number by attack is obviously much harder than flipping a single bit.
If the download attribute field that was read shows that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it; if the field shows that the device is in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it. That is, the application program or the download instruction handler is verified by the start-up program before it is executed, which guarantees that neither has been tampered with by an attacker.
For the download instruction handler, the application program to be downloaded is written into the data segment of download instructions and transferred that way.
Referring to Fig. 2, the download instruction handler first starts receiving. After a download instruction is received, the instruction format is checked first. If the format is incorrect, the handler goes on waiting to receive; if the format is correct, the data segment of the instruction is written in order into the non-volatile memory that stores the program. The handler then looks at the final-data attribute field in the download instruction to see whether this is the last transmission of data. If it is not, the handler starts receiving the next download instruction; if it is the last, the handler rewrites the application program's length field and self-check field and the download attribute field, and finally the download instruction handler self-destructs. Because the handler self-destructs once the download is complete, an attacker can no longer use this download instruction handler, by any attack means, to download an illegitimate program. Self-destruction can be implemented by rewriting a section of the handler's code into invalid code, or by writing an incorrect value into the handler's self-check field.
The hardware logic circuit's verification of the software-implemented start-up program, the start-up program's verification of the download instruction handler and the start-up program's verification of the application program described above all use the same verification function. Concretely, starting from a fixed address, it first reads the length field of the program to be verified; then, according to that length field, it reads through the length field again and then reads the entire program segment, computing a check value as it reads. Once everything has been read, the computed check value is compared with the check field stored at the end of the program segment: if they are consistent, verification passes, otherwise it fails. The length field is read through again during verification so that it too is included in the data being checked; this protects the length field, because tampering with it by an attacker is then also detected.
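The start-up sequence of Fig. 1 (hardware check of the start-up program, reading the download attribute field, verifying and running either the download instruction handler or the application), the multi-bit attribute field, and the verification function just described, as an added worked example in C. This is not code from the patent or from its assignee: the segment layout (length field, body, trailing check field), the 32-bit fixed value 0x5A3C96C5, the XOR-and-rotate check function and the sample program bytes are all constructed for the example, the patent does not fix a check algorithm, and the hardware logic circuit's check is modelled as an ordinary function call.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit fixed value meaning "downloadable"; every other value
 * means "not downloadable" (assumption: the patent gives no number). */
#define DOWNLOADABLE_MAGIC 0x5A3C96C5u

/* A program segment as laid out in non-volatile memory (constructed layout):
 * a length field, the program body, and a check field after the body. */
typedef struct {
    uint32_t       length;   /* length field */
    const uint8_t *body;     /* program body of `length` bytes */
    uint32_t       check;    /* check field stored at the end of the segment */
} segment_t;

/* Constructed check function: XOR each byte into a 32-bit accumulator and
 * rotate it left by 5 bits. Any fixed function would do for the flow. */
static uint32_t fold(uint32_t acc, uint8_t b) {
    acc ^= b;
    return (acc << 5) | (acc >> 27);
}

/* Compute the check value the way the patent describes: the length field
 * is read through again so that it is part of the checked data, and then
 * the whole program body is read. */
uint32_t compute_check(uint32_t length, const uint8_t *body) {
    uint32_t acc = 0x12345678u;
    for (int i = 0; i < 4; i++) acc = fold(acc, (uint8_t)(length >> (8 * i)));
    for (uint32_t i = 0; i < length; i++) acc = fold(acc, body[i]);
    return acc;
}

/* Verification passes only if the recomputed value equals the stored check field. */
int verify_segment(const segment_t *seg) {
    return compute_check(seg->length, seg->body) == seg->check;
}

int is_downloadable(uint32_t attr) { return attr == DOWNLOADABLE_MAGIC; }

/* Number of bits that differ between `attr` and the fixed value, i.e. how
 * many bit flips an attack on the memory would need; 0 only for the value itself. */
int bit_flips_to_downloadable(uint32_t attr) {
    uint32_t diff = attr ^ DOWNLOADABLE_MAGIC;
    int n = 0;
    for (; diff; diff &= diff - 1) n++;
    return n;
}

enum boot_result { BOOT_REFUSE = 0, BOOT_RUN_DOWNLOAD_HANDLER = 1, BOOT_RUN_APPLICATION = 2 };

/* Steps 1 to 3 of the method. On the device the first check is done by the
 * hardware logic circuit; here it is modelled as a function call. */
enum boot_result boot_decide(const segment_t *startup, uint32_t attr,
                             const segment_t *download_handler,
                             const segment_t *application) {
    if (!verify_segment(startup)) return BOOT_REFUSE;              /* step 1 */
    int dl = is_downloadable(attr);                                 /* step 2 */
    const segment_t *target = dl ? download_handler : application;  /* step 3 */
    if (!verify_segment(target)) return BOOT_REFUSE;
    return dl ? BOOT_RUN_DOWNLOAD_HANDLER : BOOT_RUN_APPLICATION;
}

/* Constructed sample program bodies for a stand-alone run. */
static const uint8_t k_startup_body[] = {0xB0, 0x07, 0x10, 0xAD};
static const uint8_t k_handler_body[] = {0xD0, 0x01, 0x0A, 0xD5, 0x00};
static const uint8_t k_app_body[]     = {0xA9, 0x91};

static segment_t make_segment(const uint8_t *body, uint32_t length) {
    segment_t s = { length, body, 0 };
    s.check = compute_check(length, body);
    return s;
}

/* Scenario: all three segments intact; returns the boot decision for `attr`. */
int scenario_intact(uint32_t attr) {
    segment_t su = make_segment(k_startup_body, sizeof k_startup_body);
    segment_t dl = make_segment(k_handler_body, sizeof k_handler_body);
    segment_t ap = make_segment(k_app_body, sizeof k_app_body);
    return boot_decide(&su, attr, &dl, &ap);
}

/* Scenario: the application's length field was shortened while the device
 * was powered off and the check field left as it was. */
int scenario_app_length_tampered(uint32_t attr) {
    segment_t su = make_segment(k_startup_body, sizeof k_startup_body);
    segment_t dl = make_segment(k_handler_body, sizeof k_handler_body);
    segment_t ap = make_segment(k_app_body, sizeof k_app_body);
    ap.length -= 1;
    return boot_decide(&su, attr, &dl, &ap);
}

int main(void) {
    printf("intact, downloadable:       %d\n", scenario_intact(DOWNLOADABLE_MAGIC));
    printf("intact, not downloadable:   %d\n", scenario_intact(~DOWNLOADABLE_MAGIC));
    printf("tampered app, not downl.:   %d\n", scenario_app_length_tampered(~DOWNLOADABLE_MAGIC));
    printf("bit flips needed from ~magic: %d\n", bit_flips_to_downloadable(~DOWNLOADABLE_MAGIC));
    return 0;
}
```

The tampered-length scenario is refused only when the device is in the not-downloadable stage, because the start-up program verifies just the program it is about to run; in the downloadable stage the application is never checked, which matches the flow in Fig. 1. Writing the bitwise complement of the fixed value as the "not downloadable" value keeps all 32 bits away from the magic, so a single-bit upset cannot re-open the download channel.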
In addition, the download instruction contains a data sequence field indicating which block of data the instruction carries. When the instruction format is checked, the data sequence field is checked as well: if it shows that this data is not the block expected next, the instruction format is likewise considered incorrect.
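The download instruction handler of Fig. 2, with the data sequence check just described, as an added worked example in C; it is not code from the patent or its assignee. The instruction format (header byte, sequence field, final-data flag, length, data segment), the limits, the 32-bit attribute values and the check function are all constructed for the example; the patent does not specify a wire format. Self-destruction is shown as the second variant the patent names, writing an incorrect value into the handler's own self-check field.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DL_HEADER          0xD1u        /* constructed header byte of a download instruction */
#define MAX_DATA           16           /* constructed maximum data-segment size per instruction */
#define APP_AREA_SIZE      64           /* constructed size of the application area in NV memory */
#define DOWNLOADABLE_MAGIC 0x5A3C96C5u  /* constructed fixed value meaning "downloadable" */
#define NOT_DOWNLOADABLE   0xA5C3693Au  /* constructed "other" value written when the download ends */

/* Download instruction as received (constructed format). */
typedef struct {
    uint8_t  header;          /* must equal DL_HEADER for the format to be correct */
    uint16_t seq;             /* data sequence field: index of this block */
    uint8_t  final;           /* final-data attribute field: 1 on the last block */
    uint8_t  len;             /* number of bytes in the data segment */
    uint8_t  data[MAX_DATA];  /* data segment */
} dl_instr_t;

/* The non-volatile fields the handler reads and rewrites. */
typedef struct {
    uint8_t  app_area[APP_AREA_SIZE];
    uint32_t app_length;      /* application length field */
    uint32_t app_check;       /* application self-check field */
    uint32_t download_attr;   /* download attribute field */
    uint32_t handler_check;   /* the handler's own self-check field */
} nv_memory_t;

typedef struct {
    nv_memory_t *nv;
    uint16_t     expected_seq;  /* sequence number the next block must carry */
    uint32_t     written;       /* bytes written so far */
    int          alive;         /* 0 once the handler has self-destructed */
} dl_handler_t;

enum dl_status { DL_WAIT = 0, DL_NEXT = 1, DL_DONE = 2, DL_DEAD = 3 };

/* Constructed check over a length field and a body: XOR each byte in, rotate left 5. */
static uint32_t simple_check(uint32_t length, const uint8_t *body) {
    uint32_t acc = 0x12345678u;
    for (int i = 0; i < 4; i++) { acc ^= (uint8_t)(length >> (8 * i)); acc = (acc << 5) | (acc >> 27); }
    for (uint32_t i = 0; i < length; i++) { acc ^= body[i]; acc = (acc << 5) | (acc >> 27); }
    return acc;
}

/* Format check: header, size, room left in the area (an added bound the
 * patent does not mention), and the data sequence field. */
static int format_ok(const dl_handler_t *h, const dl_instr_t *in) {
    if (in->header != DL_HEADER) return 0;
    if (in->len == 0 || in->len > MAX_DATA) return 0;
    if (h->written + in->len > APP_AREA_SIZE) return 0;
    if (in->seq != h->expected_seq) return 0;   /* not the block expected next */
    return 1;
}

/* One pass of the Fig. 2 loop: handle one received download instruction. */
enum dl_status dl_process(dl_handler_t *h, const dl_instr_t *in) {
    if (!h->alive) return DL_DEAD;                 /* handler already self-destructed */
    if (!format_ok(h, in)) return DL_WAIT;         /* incorrect format: keep waiting */
    memcpy(h->nv->app_area + h->written, in->data, in->len);  /* write data segment in order */
    h->written += in->len;
    h->expected_seq++;
    if (!in->final) return DL_NEXT;                /* not the last block: receive the next one */
    /* Last block: rewrite the application's length and self-check fields and
     * the download attribute field, then self-destruct. */
    h->nv->app_length    = h->written;
    h->nv->app_check     = simple_check(h->written, h->nv->app_area);
    h->nv->download_attr = NOT_DOWNLOADABLE;
    h->nv->handler_check = ~h->nv->handler_check;  /* incorrect self-check value: the start-up check of the handler now fails */
    h->alive = 0;
    return DL_DONE;
}

/* Constructed handler body, only used to give the handler a real self-check field. */
static const uint8_t k_handler_body[] = {0xD0, 0x01, 0x0A, 0xD5};
static nv_memory_t  g_nv;
static dl_handler_t g_handler;

/* Reset the sample device: empty area, downloadable, handler intact. Returns 0. */
int demo_reset(void) {
    memset(&g_nv, 0, sizeof g_nv);
    g_nv.download_attr = DOWNLOADABLE_MAGIC;
    g_nv.handler_check = simple_check(sizeof k_handler_body, k_handler_body);
    g_handler = (dl_handler_t){ &g_nv, 0, 0, 1 };
    return 0;
}

/* Build and deliver one instruction whose data segment is the bytes of `payload`. */
enum dl_status demo_send(uint8_t header, uint16_t seq, uint8_t final, const char *payload) {
    size_t n = strlen(payload);
    dl_instr_t in = { header, seq, final, (uint8_t)n, {0} };
    memcpy(in.data, payload, n <= MAX_DATA ? n : MAX_DATA);
    return dl_process(&g_handler, &in);
}

uint32_t demo_app_length(void)  { return g_nv.app_length; }
uint32_t demo_attr(void)        { return g_nv.download_attr; }
int demo_app_verifies(void)     { return simple_check(g_nv.app_length, g_nv.app_area) == g_nv.app_check; }
int demo_handler_verifies(void) { return simple_check(sizeof k_handler_body, k_handler_body) == g_nv.handler_check; }

int main(void) {
    demo_reset();
    printf("bad header:   %d\n", demo_send(0x00, 0, 0, "HELLO"));
    printf("out of order: %d\n", demo_send(DL_HEADER, 1, 0, "HELLO"));
    printf("block 0:      %d\n", demo_send(DL_HEADER, 0, 0, "HELLO"));
    printf("block 1 last: %d\n", demo_send(DL_HEADER, 1, 1, "WORLD"));
    printf("after done:   %d\n", demo_send(DL_HEADER, 2, 0, "MORE"));
    printf("app len %u, app verifies %d, handler verifies %d\n",
           (unsigned)demo_app_length(), demo_app_verifies(), demo_handler_verifies());
    return 0;
}
```

After the last block the application's length and self-check fields are consistent, the attribute field no longer holds the fixed value, and the handler's own self-check field is wrong, so on the next boot the flow of Fig. 1 will take the application branch and, even if the attribute field were somehow restored, verification of the handler would fail before it could run.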
The download attribute field can be written to the fixed value meaning "downloadable" only during device production, and before the fixed value is written a full erase operation must be executed that clears the data in the device's memory; after manufacture the field can only be changed from that fixed value to other values. This is implemented by the device's memory permission management module. Whether the device is in the production stage or the post-production stage is indicated by the level on an external pin of the device; in the final step of production, this external pin is physically and irreversibly destroyed. This guarantees that after manufacture the attribute field can never be changed from the "not downloadable" state back to the "downloadable" state and so exploited by an attacker to download an illegitimate program. The full erase required before the write, which clears the data in the device's memory, ensures that even if an attack did manage to put the device into the downloadable state, the confidential data in memory could still not be obtained by the attacker.
The length field and self-check field of the start-up program cannot be rewritten after manufacture, and the length field and self-check field of the application program cannot be rewritten while the download attribute field indicates "not downloadable"; this too is implemented by the device's memory permission management module. These rules prevent an attacker from tampering with the fields in order to defeat the start-up program's verification of the application program.
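The write rules of the memory permission management module from the two paragraphs above (attribute field, start-up program fields, application fields, the pin-derived stage and the full erase), as an added model in C; this is not code from the patent or its assignee. The field layout, the erased-byte value 0xFF, the 32-bit fixed value and the assumption that a destroyed pin can no longer read high are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DOWNLOADABLE_MAGIC 0x5A3C96C5u  /* constructed fixed value meaning "downloadable" */
#define ERASED_BYTE        0xFF         /* value of every byte after a full erase (assumption) */

/* Life-cycle stage as the module derives it from the external pin. The pin
 * is destroyed at the end of production; the assumption here is that a
 * destroyed pin can never read high again. */
typedef enum { STAGE_PRODUCTION = 0, STAGE_AFTER_PRODUCTION = 1 } stage_t;

stage_t stage_from_pin(int pin_level_high) {
    return pin_level_high ? STAGE_PRODUCTION : STAGE_AFTER_PRODUCTION;
}

/* The protected fields plus some data the full erase must clear (constructed layout). */
typedef struct {
    uint32_t download_attr;
    uint32_t startup_length, startup_check;   /* start-up program fields */
    uint32_t app_length,     app_check;       /* application program fields */
    uint8_t  data[16];                        /* confidential data, e.g. keys */
} nv_t;

typedef enum { F_DOWNLOAD_ATTR, F_STARTUP_LENGTH, F_STARTUP_CHECK, F_APP_LENGTH, F_APP_CHECK } field_t;

enum { WRITE_OK = 0, WRITE_REFUSED = -1 };

/* The permission module's decision for one field write in the given stage. */
int nv_write(nv_t *nv, stage_t stage, field_t field, uint32_t value) {
    switch (field) {
    case F_DOWNLOAD_ATTR:
        if (value == DOWNLOADABLE_MAGIC) {
            if (stage != STAGE_PRODUCTION) return WRITE_REFUSED;  /* fixed value only at production time */
            memset(nv, ERASED_BYTE, sizeof *nv);                  /* full erase before writing it */
        }
        nv->download_attr = value;   /* after manufacture only moves away from the fixed value */
        return WRITE_OK;
    case F_STARTUP_LENGTH:
    case F_STARTUP_CHECK:
        if (stage != STAGE_PRODUCTION) return WRITE_REFUSED;      /* locked after manufacture */
        if (field == F_STARTUP_LENGTH) nv->startup_length = value; else nv->startup_check = value;
        return WRITE_OK;
    case F_APP_LENGTH:
    case F_APP_CHECK:
        if (nv->download_attr != DOWNLOADABLE_MAGIC) return WRITE_REFUSED;  /* locked while not downloadable */
        if (field == F_APP_LENGTH) nv->app_length = value; else nv->app_check = value;
        return WRITE_OK;
    }
    return WRITE_REFUSED;
}

/* 1 if every byte of the confidential data area holds the erased value. */
int data_is_erased(const nv_t *nv) {
    for (size_t i = 0; i < sizeof nv->data; i++) if (nv->data[i] != ERASED_BYTE) return 0;
    return 1;
}

/* Constructed device image: a fielded unit, not downloadable, holding secret bytes. */
static void sample_fielded_device(nv_t *nv) {
    memset(nv, 0, sizeof *nv);
    nv->download_attr = ~DOWNLOADABLE_MAGIC;
    nv->startup_length = 4; nv->startup_check = 0x11111111u;
    nv->app_length = 2;     nv->app_check = 0x22222222u;
    memcpy(nv->data, "SECRET-KEY-BYTES", sizeof nv->data);
}

/* Pin destroyed: writing the fixed value is refused and the secrets stay. Returns 1 when so. */
int scenario_after_production_refused(void) {
    nv_t nv; sample_fielded_device(&nv);
    int rc = nv_write(&nv, stage_from_pin(0), F_DOWNLOAD_ATTR, DOWNLOADABLE_MAGIC);
    return rc == WRITE_REFUSED && !data_is_erased(&nv) && nv.download_attr != DOWNLOADABLE_MAGIC;
}

/* Pin high (production): the write succeeds, but only after the full erase. Returns 1 when so. */
int scenario_production_write_erases(void) {
    nv_t nv; sample_fielded_device(&nv);
    int rc = nv_write(&nv, stage_from_pin(1), F_DOWNLOAD_ATTR, DOWNLOADABLE_MAGIC);
    return rc == WRITE_OK && data_is_erased(&nv) && nv.download_attr == DOWNLOADABLE_MAGIC;
}

/* Application fields: writable while downloadable, locked once the field leaves the fixed value. */
int scenario_app_fields_lock(void) {
    nv_t nv; sample_fielded_device(&nv);
    nv.download_attr = DOWNLOADABLE_MAGIC;                       /* as left by the factory */
    int before = nv_write(&nv, stage_from_pin(0), F_APP_LENGTH, 10);
    nv_write(&nv, stage_from_pin(0), F_DOWNLOAD_ATTR, ~DOWNLOADABLE_MAGIC);  /* end of download */
    int after  = nv_write(&nv, stage_from_pin(0), F_APP_CHECK, 0x33333333u);
    return before == WRITE_OK && after == WRITE_REFUSED && nv.app_length == 10;
}

/* Start-up program fields: writable in production, locked afterwards. */
int scenario_startup_fields_lock(void) {
    nv_t nv; sample_fielded_device(&nv);
    int prod  = nv_write(&nv, stage_from_pin(1), F_STARTUP_LENGTH, 8);
    int field = nv_write(&nv, stage_from_pin(0), F_STARTUP_LENGTH, 9);
    return prod == WRITE_OK && field == WRITE_REFUSED && nv.startup_length == 8;
}

int main(void) {
    printf("after production refused: %d\n", scenario_after_production_refused());
    printf("production write erases:  %d\n", scenario_production_write_erases());
    printf("app fields lock:          %d\n", scenario_app_fields_lock());
    printf("startup fields lock:      %d\n", scenario_startup_fields_lock());
    return 0;
}
```

The ordering inside the F_DOWNLOAD_ATTR case is the point the patent makes: the erase happens before the fixed value is stored, so a device that is downloadable is by construction a device with no confidential data left in it.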
Together, the above measures, and in particular the self-destruction of the download instruction handler once the download is complete, make it difficult for an attacker to use the device's original download instruction handler, by whatever attack means, to obtain the device's confidential information. The verification of the programs run during start-up also means that any tampering with the device's programs by an attacker while the device is powered off is detected during start-up and the tampered program is not executed. All of this makes the device more secure.
The invention has been explained in detail above by way of specific embodiments, but these do not constitute a limitation of the invention. Without departing from the principles of the invention, those skilled in the art may make many modifications and improvements, all of which should be regarded as within the scope of protection of the invention.

Claims (12)

1. A secure software download and start-up method, characterised in that it comprises the following steps:
Step 1: a hardware logic circuit verifies the start-up program, which is implemented in software;
Step 2: the start-up program or the hardware logic circuit reads the download attribute field;
Step 3: if the download attribute field indicates that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it;
if the download attribute field indicates that the device is currently in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it.
2. A secure software download and start-up method, characterised in that it comprises the following steps:
Step A: the hardware logic circuit reads the download attribute field;
Step B: the hardware logic circuit verifies the start-up program, which is implemented in software;
Step C: if the download attribute field indicates that the device is currently in the stage in which an application program can be downloaded, the start-up program verifies the download instruction handler and then executes it;
if the download attribute field indicates that the device is currently in the stage in which no application program can be downloaded, the start-up program verifies the application program and then executes it.
3. The method according to claim 1 or 2, characterised in that the application program to be downloaded is written into the data segment of download instructions and then transmitted, implemented as follows:
Step a: the download instruction handler starts receiving; after a download instruction is received, the instruction format is checked first; if the download instruction format is incorrect, the handler continues waiting to receive; if the format is correct, the data segment of the download instruction is written in order into the non-volatile memory that stores the program;
Step b: the final-data attribute field in the download instruction is checked to see whether this is the last transmission of data; if not, receiving of the next download instruction is started; if it is the last transmission of data, the application program's length field and self-check field and the download attribute field are rewritten, and finally the download instruction handler self-destructs.
4. The method according to claim 3, characterised in that the download instruction contains a data sequence field indicating which block of data the download instruction carries; when the download instruction handler checks whether the instruction format is correct, it must also check whether the data sequence field is correct, and if the data sequence field shows that this data is not the block expected next, the instruction format is likewise considered incorrect.
5. The method according to claim 3, characterised in that the self-destruction of the download instruction handler is implemented by rewriting a section of its code into invalid code, or by writing an incorrect value into the download instruction handler's self-check field.
6. The method according to claim 3, characterised in that the download attribute field is represented redundantly with multiple bits, with the "downloadable" condition defined as equality with a particular fixed number and all other values meaning "not downloadable".
7. The method according to claim 1 or 2, characterised in that the download attribute field can be written to the fixed value meaning "downloadable" only during device production, a full erase operation that clears the data in the device's memory must be executed before the fixed value is written, and after manufacture the field can only be changed from the fixed value to other values.
8. The method according to claim 7, characterised in that the stage the device is in is determined by the device's memory permission management module; whether the device is in the production stage or the post-production stage is indicated by the level on an external pin of the device; and in the final step of production the external pin is physically and irreversibly destroyed.
9. The method according to claim 1 or 2, characterised in that the length field and self-check field of the start-up program cannot be rewritten after manufacture.
10. The method according to claim 9, characterised in that the stage the device is in is determined by the device's memory permission management module; whether the device is in the production stage or the post-production stage is indicated by the level on an external pin of the device; and in the final step of production the external pin is physically and irreversibly destroyed.
11. The method according to claim 1 or 2, characterised in that the length field and self-check field of the application program cannot be rewritten while the download attribute field indicates "not downloadable".
12. The method according to claim 1 or 2, characterised in that the verification starts from a fixed address and first reads the length field of the program to be verified, then, according to that length field, reads through the length field again; the entire program segment is then read, with the check value computed while reading; once everything has been read, the computed check value is compared with the check field stored at the end of the program segment, and if they are consistent verification passes, otherwise it fails.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610885227.8A CN106484477B (en) 2016-10-11 2016-10-11 The software download and starting method of safety

Publications (2)

Publication Number Publication Date
CN106484477A CN106484477A (en) 2017-03-08
CN106484477B true CN106484477B (en) 2019-11-12

Family

ID=58269262

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610885227.8A Active CN106484477B (en) 2016-10-11 2016-10-11 The software download and starting method of safety

Country Status (1)

Country Link
CN (1) CN106484477B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108513169B (en) * 2018-04-04 2021-09-24 海信视像科技股份有限公司 Method for downloading starting program from chip, chip and liquid crystal television

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001195247A (en) * 2000-01-07 2001-07-19 Nec Corp System and method for verifying and guaranteeing safety of software
CN1897515A (en) * 2006-06-29 2007-01-17 中兴通讯股份有限公司 Method for assuring equipment software on-line downloading reliability
CN101122936A (en) * 2007-09-21 2008-02-13 武汉大学 Embed type platform guiding of credible mechanism
CN101965570A (en) * 2008-02-29 2011-02-02 先进微装置公司 A computer system comprising a secure boot mechanism

Also Published As

Publication number Publication date
CN106484477A (en) 2017-03-08

Similar Documents

Publication Publication Date Title
US11829479B2 (en) Firmware security verification method and device
US20170255384A1 (en) Efficient secure boot carried out in information processing apparatus
US20210149681A1 (en) Secure Firmware Management with Hierarchical Boot Sequence using Last Known Good Firmware
US20090260084A1 (en) Method for verifying conformity of the logical content of a computer appliance with a reference content
US20090199014A1 (en) System and method for securing and executing a flash routine
US9262631B2 (en) Embedded device and control method thereof
CN102968392A (en) Microprocessor protected against memory dump
KR20080050216A (en) Secure booting apparatus and method of mobile platform using tpm
US10846421B2 (en) Method for protecting unauthorized data access from a memory
CN106484477B (en) The software download and starting method of safety
US9660802B1 (en) Systems and methods for generating and storing silicon fingerprints for a security chip
EP1739587A1 (en) Portable electronic apparatus and secured data output method therefor
US11269986B2 (en) Method for authenticating a program and corresponding integrated circuit
CN106935266B (en) Control method, device and system for reading configuration information from memory
CN106326726A (en) Method and system for embedded type encrypting and recognition based on DS2432 chip
CN108270767B (en) Data verification method
CN108537066A (en) Security code redirects and executes gating
JP4701260B2 (en) Information processing apparatus, information processing method, and information processing program
US10193694B1 (en) Method and apparatus for securely configuring parameters of a system-on-a-chip (SOC)
US20240012903A1 (en) Method for Executing a Program on a Data Processing Device
Francillon et al. Comments on Refutation of On the difficulty of software-based attestation of embedded devices
CN109614807B (en) Method and device for protecting sensitive information and readable storage medium
EP3889816A1 (en) Method for securely processing digital information in a secure element
US20160171214A1 (en) Method of executing a program by a processor and electronic entity comprising such a processor
US7822953B2 (en) Protection of a program against a trap

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant