CN113190831A - TEE-based operating system application integrity measurement method and system


Info

Publication number
CN113190831A
Application number
CN202110583860.2A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Prior art keywords
operating system
integrity measurement
tee
value
file
Inventor
丁滟
宋连涛
黄辰林
董攀
谭郁松
李宝
任怡
张建锋
谭霜
蹇松雷
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN202110583860.2A
Publication of CN113190831A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a TEE-based operating system application integrity measurement method and system. The method covers four scenarios: system initial deployment, integrity measurement, local evaluation and remote authentication. System initial deployment comprises the following steps: the TEE operating system generates a unique HMAC key for the device; the REE operating system generates a file hash value as the integrity measurement reference value for a file to be protected; the REE operating system calls the TEE operating system to encrypt or sign the integrity measurement reference value with the HMAC key; and the REE operating system saves the encrypted or signed integrity measurement reference value in the IMA extended attribute of the file. The invention realizes operating system integrity measurement on the basis of TrustZone technology and has the advantages of comprehensive protection, a high verification level, safety, reliability, good universality and strong expansibility.

Description

TEE-based operating system application integrity measurement method and system
Technical Field
The invention relates to the field of information security of computer operating systems, in particular to a TEE-based operating system application integrity measurement method and system.
Background
With the rapid development of internet information technology, computers play an increasingly important role in daily life. Operating system security is the foundation of computer security, and integrity protection is an important prerequisite for the safe running of an operating system. Linux provides the IMA framework for operating system integrity measurement. The IMA integrity verification framework conforms to the TCG open integrity standard and uses the TPM as its root of trust. It supports remote authentication, local evaluation, trusted metadata management and other functions. The overall architecture of IMA comprises three layers: measurement targets (executable files, loadable kernel modules, dynamically linked libraries, etc.), IMA mechanisms (remote authentication and local evaluation), and measurement results (the integrity measurement list and PCR extension values).
In the IMA remote authentication scenario, IMA measures every executable, loadable kernel module and their configuration files before execution, computes a hash value of each (SHA-1, SHA-512, MD5, etc.), extends the hash value into PCR 10, and creates and maintains an integrity measurement list ML. When a remote challenger initiates a challenge, the platform sends the integrity measurement list ML and the PCR extension value, signed by the platform identity key PIK in the TPM chip, to the challenger, which judges whether the platform is trusted. IMA currently plays an important role in the security enhancement of mainstream operating systems such as Linux.
IMA local evaluation extends the basic IMA function: a measurement reference value for each evaluated file is generated in advance and stored in the file's security extended attribute. When the file is later accessed, its current measurement value is compared with the reference value stored in the extended attribute, and if they do not match, access to the file is denied. IMA using only a hash cannot provide strong integrity and authenticity protection against offline attacks: for example, an attacker can easily forge the hash value of a file and replace the value in the original security extended attribute with it.
The digital signature extension of IMA evaluation uses an IMA signature key to sign the hash value stored in the security extended attribute. When the file's security extended attribute is verified in an IMA evaluation scenario, IMA checks whether the extended attribute is signed; if so, it looks up the corresponding key in the kernel and then verifies the signature and the hash value. A signed security extended attribute is difficult to forge because the private key used for signing is not available to an attacker.
IMA-based file integrity measurement is one of the important technologies for realizing operating system security protection: kernel-level integrity measurement is carried out on the various files loaded by the operating system, based on the integrity measurement list, in order to protect system resources.
In the traditional IMA measurement architecture, program code, data and so on are held in the operating system kernel; once an attacker compromises the kernel, for example through a kernel vulnerability or an attack from the virtualization layer below it, the data in memory can be read and even tampered with. In the prior art, the RSA public key used by IMA, or plaintext data used during operation, can be intercepted by a malicious user, and if the hash value of a file is then signed with a private key prepared in advance, the IMA integrity measurement check can be bypassed, which creates a security risk.
Therefore, for the particular needs of security-sensitive scenarios, a file integrity detection mechanism that provides kernel data isolation for the operating system is needed. The emerging TEE technology uses the hardware support of the underlying computer to provide upper-layer software with a strongly isolated trusted execution environment covering the CPU, memory, cache and so on; control of switching into the isolated environment runs at a higher privilege level, which gives upper-layer software a trust foundation for constructing a safe and trusted computing environment. Breakthroughs have been made in TEE-based security technology such as operating system monitoring and trusted computing, and as research advances, more and more operating system services and applications rely on a TEE for security enhancement. Realizing application integrity protection on the basis of TrustZone technology therefore has good application prospects and is a key technical problem that urgently needs research.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the invention aims to provide a TrustZone-based operating system integrity measurement mechanism that offers comprehensive protection and a high verification level and is safe, reliable, universal and highly expansible.
In order to solve the technical problems, the invention adopts the technical scheme that:
a TEE-based operating system application integrity measurement method comprises the following steps:
1) the TEE operating system generates a unique HMAC key for the device;
2) the REE operating system generates a file hash value as an integrity measurement reference value for a file to be protected;
3) the REE operating system calls a TEE operating system to encrypt or sign the integrity measurement reference value by using an HMAC key;
4) the REE operating system saves the encrypted or signed integrity measurement reference value in the IMA extended attribute of the file.
Optionally, the generation of the file hash value for the file to be protected by the REE operating system in step 2) means that the REE operating system uses a modified evmctl program to generate the file hash value for the file to be protected.
Optionally, step 4) is followed by a step of performing integrity measurement: the REE operating system creates an integrity measurement list ML; whenever an executable program runs, a kernel module is loaded or a dynamic link library is loaded, it measures the code and key data being used once through the IMA framework, calls the TEE operating system to concatenate the integrity measurement result into the PCR extension value held by the TEE operating system, and records the integrity measurement result in the integrity measurement list ML.
Optionally, concatenating the integrity measurement result into the PCR extension value of the TEE operating system specifically means: concatenate the integrity measurement result with the current PCR extension value, hash the concatenation, and take the hash result as the new PCR extension value.
Optionally, step 4) is followed by the step of performing local evaluation:
s1) from the start of the REE operating system, beginning with the loading of the initial process, an application integrity measurement hook preset in the REE operating system intercepts the REE kernel's requests to access target files to be protected; whenever a kernel request to access a target file to be protected is intercepted, execution jumps to the next step;
s2) the REE operating system calculates the hash value of the target file and reads out the integrity measurement reference value of the target file after encryption or signature from the IMA extended attribute of the file;
s3) the REE operating system transmits the hash value of the target file and the integrity measurement reference value after encryption or signature as parameters to the TEE operating system;
s4) the TEE operating system verifies the integrity measurement reference value with the HMAC key to obtain the integrity measurement reference value; if the verification passes and the obtained integrity measurement reference value is consistent with the hash value of the target file passed as a parameter, the integrity measurement of the target file is judged successful; otherwise, the integrity measurement of the target file is judged to have failed.
Optionally, after the integrity measurement of the target application is judged successful in step S4), the method further includes a step in which the TEE operating system extends the measurement value: the TEE operating system concatenates the hash value of the target file passed as a parameter with the PCR extension value, hashes the concatenation, and takes the hash result as the new PCR extension value.
Optionally, after the integrity measurement of the target application is judged successful in step S4), the method further includes a step in which the REE operating system writes the file access process into the integrity measurement log; the content written into the integrity measurement log includes some or all of: measurer information, measured information, the original PCR extension value, the measurement value, the new PCR extension value and the completion time.
Optionally, step 4) is followed by a step of performing remote authentication when a remote challenger initiates a platform integrity challenge: the REE operating system receives the platform integrity challenge initiated by the remote challenger and forwards it to the TEE operating system; the TEE operating system obtains the PCR extension value, signs it with the platform identity key PIK and returns the signed value to the REE operating system; the REE operating system then sends the signed PCR extension value, the platform identity key PIK certificate and the integrity measurement log to the designated verifier, which verifies the signature on the PCR extension value and analyzes the integrity measurement log to obtain the platform integrity report result.
In addition, the invention also provides a TEE-based operating system application integrity measurement system, which comprises a microprocessor and a memory which are connected with each other, wherein the microprocessor is programmed or configured to execute the steps of the TEE-based operating system application integrity measurement method.
Furthermore, the present invention also provides a computer-readable storage medium having stored therein a computer program programmed or configured to execute the TEE-based operating system application integrity measurement method.
Compared with the prior art, the invention has the following advantages: the TEE operating system generates a unique HMAC key for the device; the REE operating system generates a file hash value as the integrity measurement reference value for a file to be protected; the REE operating system calls the TEE operating system to encrypt or sign the integrity measurement reference value with the HMAC key; and the REE operating system stores the encrypted or signed integrity measurement reference value in the IMA extended attribute of the file. The invention thus realizes integrity measurement of files to be protected on the basis of TrustZone technology, with comprehensive protection, a high verification level, safety, reliability, good universality and strong expansibility.
Drawings
Fig. 1 is a schematic diagram of the basic flow of the method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of the system structure of the method according to the embodiment of the present invention.
Fig. 3 is a flowchart of the system initial deployment scenario in an embodiment of the present invention.
Fig. 4 is a schematic diagram of the combined flow of the integrity measurement scenario and the local evaluation scenario in an embodiment of the present invention.
Fig. 5 is a flowchart of the remote authentication scenario according to an embodiment of the present invention.
Detailed Description
As shown in fig. 1, the method for measuring integrity of an application of a TEE-based operating system in the present embodiment includes:
1) the TEE operating system generates a unique HMAC key for the device;
2) the REE operating system generates a file hash value as an integrity measurement reference value for a file to be protected;
3) the REE operating system calls a TEE operating system to encrypt or sign the integrity measurement reference value by using an HMAC key;
4) the REE operating system saves the encrypted or signed integrity measurement reference value in the IMA extended attribute of the file.
In this embodiment, the generation of the file hash value for the file to be protected by the REE operating system in step 2) means that the REE operating system uses a modified evmctl program to generate the file hash value for the file to be protected.
Referring to Fig. 2, in this embodiment, when the system is deployed for the first time, a key management module, an extended attribute signature module, a metric value comparison module and a metric value extension module are constructed in the TEE operating system, an IMA signature key and a platform identity key PIK are generated in the TEE operating system by the key management module, and an application integrity measurement hook is inserted into the REE operating system. After installation, when the system runs for the first time, an integrity measurement reference value is generated for each important file in the REE operating system, signed by calling the extended attribute signature module of the TEE operating system, and the generated reference value is stored in the file's IMA extended attribute in the REE operating system. In the integrity measurement scenario, before the REE system accesses a key file, the file's integrity measurement value is concatenated into the PCR extension value held by the TEE metric value extension module, and an integrity measurement list ML is created and maintained in the REE operating system. In the local evaluation scenario, the integrity of important files in the system is verified: the REE operating system sends a request to the metric value comparison module in the TEE operating system, the metric value comparison module verifies the signature on the reference value using the IMA signature key held in the key management module, and if the signature verifies and the metric value is correct, the integrity measurement succeeds; otherwise an alarm is raised, the operation exits, and further authorization is requested from the trusted computing terminal owner. In the remote authentication scenario, when a challenger initiates a challenge, the platform sends the integrity measurement list ML and the PCR extension value in the metric value extension module, signed by the platform identity key PIK, to the challenger, which judges whether the platform is trustworthy by verifying the validity of the signature and verifying the integrity measurement value.
System initial deployment scenario: when the system is deployed for the first time, a key management module, an extended attribute signature module, a metric value comparison module and a metric value extension module are built in the TEE operating system, an IMA signature key and a platform identity key PIK are generated in the TEE operating system by the key management module, and an application integrity measurement hook is inserted into the REE operating system. After installation, when the system runs for the first time, integrity measurement values are generated with the related tools for important files in the REE operating system such as executable programs, kernel modules and dynamic link libraries, signed by calling the extended attribute signature module of the TEE operating system, and the generated reference values are stored in the files' IMA extended attributes. Referring to Fig. 3, the steps at initial deployment are as follows. Step 1: create a key. When the system is initialized, the key management module in the TEE operating system generates an HMAC key; the TEE operating system generates it from the device's universally unique identifier (UUID). Step 2: use the modified evmctl program to generate the IMA extended attribute for each file to be protected in the system: first calculate the hash value of the important file to be protected, then call the extended attribute signature module of the TEE operating system, which encrypts or signs the file's hash value with the HMAC key just generated. Step 3: the extended attribute signature module returns the signed value to the REE operating system, which stores it in the REE file system.
Specifically, in this embodiment, when the system is deployed for the first time, a key management module, an extended attribute signature module, a metric value comparison module and a metric value extension module are constructed in the TEE, and an application integrity measurement hook is inserted into the REE operating system; after installation, when the system runs for the first time, an IMA signature key and a platform identity key PIK are generated in the TEE by the key management module. The IMA signature key is a Hash Message Authentication Code (HMAC) key, which the TEE generates from the device's universally unique identifier (UUID); the platform identity key (PIK) can be generated by the system's underlying root of trust according to the hardware manufacturer's requirements, and is a key pair consisting of a public key and a private key. This embodiment includes modifying the evmctl tool and using it to generate integrity measurement reference values for important files in the system such as executable programs, kernel modules and dynamic link libraries. The reference value is generated as follows: calculate the hash digest of the file in the REE, then call the extended attribute signature module in the TEE, which encrypts or signs the hash value with the Hash Message Authentication Code (HMAC) key stored in the TEE, and finally store the generated reference value in the file's security extended attribute.
In this embodiment, step 4) is followed by a step of performing integrity measurement: the REE operating system creates an integrity measurement list ML; whenever an executable program runs, a kernel module is loaded or a dynamic link library is loaded, it measures the code and key data being used once through the IMA framework, calls the TEE operating system to concatenate the integrity measurement result into the PCR extension value held by the TEE operating system, and records the integrity measurement result in the integrity measurement list ML.
In this embodiment, concatenating the integrity measurement result into the PCR extension value of the TEE operating system specifically means: concatenate the integrity measurement result with the current PCR extension value, hash the concatenation, and take the hash result as the new PCR extension value.
Integrity measurement scenario: when an executable program runs, a kernel module is loaded or a dynamic link library is loaded, IMA measures the code and key data being used (such as configuration files and structured data) once, creates and maintains an integrity measurement list (ML) in the REE operating system, and concatenates the measurement result into the PCR extension value of the TEE metric value extension module. The extension uses a compressed storage form: starting from the first component, the component's integrity metric value is concatenated with the value already stored in the target metric value extension module, the result is hashed, and the hash is stored back in that module, and so on for each following component. Specifically, in this embodiment, in the IMA measurement scenario, when a user accesses important files in the system such as executable programs, kernel modules and dynamic link libraries, the generated hash value is extended into the PCR extension value of the TEE metric value extension module and then recorded in the REE integrity measurement list ML. One extension method is: new PCR extension value = Hash(original PCR extension value || metric value), where the hash algorithm is SM3.
In this embodiment, step 4) is followed by a step of performing local evaluation:
s1) from the start of the REE operating system, beginning with the loading of the initial process, an application integrity measurement hook preset in the REE operating system intercepts the REE kernel's requests to access target files to be protected; whenever a kernel request to access a target file to be protected is intercepted, execution jumps to the next step;
s2) the REE operating system calculates the hash value of the target file and reads out the integrity measurement reference value of the target file after encryption or signature from the IMA extended attribute of the file;
s3) the REE operating system transmits the hash value of the target file and the integrity measurement reference value after encryption or signature as parameters to the TEE operating system;
s4) the TEE operating system checks the integrity measurement reference value by using the HMAC key to obtain the integrity measurement reference value, and if the check passes and the obtained integrity measurement reference value and the hash value of the target file transferred by the parameter are consistent, the integrity measurement of the target file is judged to be successful; otherwise, judging that the target file integrity measurement fails.
In this embodiment, after determining that the target application integrity measurement is successful in step S4), the method further includes a step of the trusted operating system expanding the measurement value: and the TEE operating system splices the hash value of the target file transferred by the parameter and the PCR extension value and then takes the hash operation result of the hash operation as a new PCR extension value.
In this embodiment, after determining that the integrity measurement of the target application is successful in step S4), the method further includes writing, by the REE operating system, the file access process into the integrity measurement log, and the content written into the integrity measurement log includes part or all of the measurer information, the measured information, the original PCR extension value, the measurement value, the new PCR extension value, and the completion time.
Local evaluation scenario: in the traditional implementation scheme, when an operating system kernel performs operation, a public key is possibly obtained and tampered by a malicious program, and if an attacker tampers with a signature of a file hash value by using a private key prepared in advance, the detection of an integrity measurement mechanism can be bypassed, so that the safety of the system cannot be guaranteed. In the implementation process of the patent, a cryptographic algorithm is modified into an HMAC algorithm, and meanwhile, a trusted execution environment is used for protecting an HMAC key. Wherein, the Trusted Execution Environment (TEE) can provide security protection based on ARM TrustZone hardware. The TEE is a running environment that coexists with the operating system of the ordinary world on the device, providing security services to the operating system. The TEE is separated from the execution space of the operating system and the accessible software and hardware resources, and has higher security. Therefore, the HMAC key used by the extended attribute signature module and the metric value comparison module can be ensured to be always stored in the TEE, and the REE can only obtain the signed or compared result. Thus, the attacker cannot obtain the HMAC key, and cannot bypass the check of the integrity measurement mechanism. The integrity measurement scenario and the local evaluation scenario are generally performed simultaneously, as shown in fig. 
4, the overall flow is as follows: step 1: starting to load an initial process from the start of an REE operating system, and when a kernel of the REE operating system needs to access a file needing to be protected, hijacking a hook by using application integrity measurement preset in the REE operating system; step 2: the REE kernel firstly calculates the hash value of the file, and simultaneously acquires an IMA extended attribute reference value of the file, wherein the reference value is signed by an HMAC algorithm; and step 3: the REE kernel transmits the calculated file hash value and the extended attribute reference value as parameters to the TEE; and 4, step 4: the TEE metric value comparison module checks the label of the reference value by using the IMA signature key stored in the key management module, if the label passes the check and the metric value is correct, the integrity measurement is successfully applied, and the step 5 is executed, otherwise, the alarm exits and the trusted computing terminal owner applies for further authorization operation; and 5: using a TEE metric value expansion module to expand the metric value, wherein one expansion method comprises the following steps: the new PCR extension value is hash algorithm (original PCR extension value | | | metric value); step 6: the REE operating system writes the file access process into the REE measurement log, and the measurement log at least records: the system comprises measurement information, measured information, original PCR extension values, measurement values, new PCR extension values, completion time and the like. 
Specifically, in the present embodiment, in the local evaluation scenario the integrity of an important file in the system is verified as follows: a request is sent from the REE to the TEE metric value comparison module; the metric value comparison module uses the HMAC key to verify the signature on the IMA extended attribute of the file and compares it with the hash value of the file, thereby judging whether the file has been illegally tampered with; the file may be accessed only after this verification passes, otherwise access is denied.
in this embodiment, step 4) is followed by a step of performing remote authentication for initiating a platform integrity challenge for a remote challenger: the REE operating system receives the platform integrity challenge initiated by the remote challenger and forwards the platform integrity challenge to the TEE operating system; the TEE operating system acquires the PCR extended value, signs the PCR extended value by adopting a platform identity key PIK and forwards the PCR extended value to the REE operating system; and then the REE operating system sends the signed PCR extended value, the platform identity key PIK certificate and the integrity measurement log to a designated verifier, so that the verifier verifies the signature of the PCR extended value and analyzes the integrity measurement log to obtain a platform integrity report result.
Remote authentication scenario: when a remote challenger initiates a challenge, the system sends the measurement list ML, the PCR extension value held in the metric value extension module signed with the Platform Identity Key (PIK), and the PIK certificate to the challenger; the challenger judges whether the platform is trustworthy by verifying the validity of the signature and verifying the integrity measurement values. As shown in fig. 5, the steps of the remote authentication scenario are:
Step 1: the remote verifier initiates a platform integrity challenge.
Step 2: the TEE obtains the PCR extension value from the metric value extension module and calls the platform identity key PIK in the key management module to sign it.
Step 3: the platform provides the relevant event log information to the verifier.
Step 4: the verifier verifies the signature on the PCR extension value using the platform identity key, analyzes the integrity measurement event log, and obtains the platform integrity report result.
Specifically, in this embodiment, when the remote challenger initiates a challenge, the system sends the integrity measurement list ML, the PCR extension value in the measurement value storage module signed with the platform identity key PIK, and the PIK certificate to the challenger; the verifier verifies the signature over the stored integrity value using the platform identity key, analyzes the integrity measurement event log, and obtains the platform integrity report result. The PIK certificate conforms to the X.509 v3 standard and is signed by a trusted party before the platform is put into use, which guarantees its trustworthiness.
In this embodiment, after an important file is modified or a new file is created, the modified evmctl tool must be used to update or generate the measurement value of the file. The specific process is: the hash value of the file content is calculated in the REE; the TEE extended attribute signature module is then called, and it encrypts or signs the hash value with the HMAC key; finally the result is returned to the REE, which stores it in the file's security extended attribute.
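The first-deployment/evmctl signing step, the local evaluation flow (steps 1 to 6) and the verifier's side of the remote attestation scenario, as an added Python model that is not the patent's own code: a TEE object keeps the HMAC key and the PCR, an REE object keeps files, extended attributes and the measurement log, and the verifier replays the log. Assumed details not stated on the page: SHA-256 for every hash, a zeroed initial PCR, and the PIK signature over the quote is left out, so the verifier only checks the replayed PCR.

```python
import hashlib
import hmac
import secrets
import time


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extension as the flow states it: new = Hash(old || measurement)."""
    return sha256(pcr + measurement)


class TEE:
    """Secure-world side. The HMAC key is generated here and is never returned."""

    def __init__(self) -> None:
        self._hmac_key = secrets.token_bytes(32)  # first deployment: unique per-device key
        self.pcr = bytes(32)                       # metric value extension register (assumed zeroed)

    def sign_reference(self, file_hash: bytes) -> bytes:
        """Extended attribute signature module: tag = HMAC(key, file hash)."""
        return hmac.new(self._hmac_key, file_hash, hashlib.sha256).digest()

    def compare_and_extend(self, file_hash: bytes, xattr: tuple[bytes, bytes]) -> bool:
        """Metric value comparison module (step 4) followed by the extension module (step 5)."""
        ref_hash, tag = xattr
        expected = hmac.new(self._hmac_key, ref_hash, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):        # tag was not made with the TEE key
            return False
        if not hmac.compare_digest(ref_hash, file_hash):  # file content has changed
            return False
        self.pcr = extend(self.pcr, file_hash)
        return True


class REE:
    """Normal-world side: files, IMA extended attributes and the measurement log, but no key."""

    def __init__(self, tee: TEE) -> None:
        self.tee = tee
        self.files: dict[str, bytes] = {}
        self.xattrs: dict[str, tuple[bytes, bytes]] = {}
        self.log: list[dict] = []

    def protect(self, path: str, content: bytes) -> None:
        """First deployment / evmctl update: hash in the REE, tag in the TEE, store as xattr."""
        self.files[path] = content
        h = sha256(content)
        self.xattrs[path] = (h, self.tee.sign_reference(h))

    def access(self, path: str) -> bool:
        """Local evaluation: the IMA hook runs steps 2 to 6 before the file is used."""
        h = sha256(self.files[path])
        old_pcr = self.tee.pcr
        if not self.tee.compare_and_extend(h, self.xattrs[path]):
            return False                                  # alarm: access denied
        self.log.append({"measurer": "ima-hook", "measured": path, "old_pcr": old_pcr,
                         "measurement": h, "new_pcr": self.tee.pcr, "time": time.time()})
        return True


def verify_quote(reported_pcr: bytes, log: list[dict]) -> bool:
    """Remote verifier: replay the measurement log from a zeroed PCR and compare the
    result with the PCR value in the quote (PIK signature check omitted in this model)."""
    pcr = bytes(32)
    for entry in log:
        if entry["old_pcr"] != pcr:
            return False
        pcr = extend(pcr, entry["measurement"])
        if entry["new_pcr"] != pcr:
            return False
    return hmac.compare_digest(pcr, reported_pcr)
```

A reference value rewritten outside the TEE fails at the tag check before the hash is even compared, which is the point of moving from a public-key signature to a TEE-held HMAC key.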
In summary, the method for measuring integrity of an application of a TEE-based operating system according to the present embodiment includes a first deployment of the system, an integrity measurement scenario, a local evaluation scenario, and an execution flow in a remote authentication scenario, where the first deployment of the system includes: the TEE operating system generates a unique HMAC key for the device; the REE operating system generates a file hash value as an integrity measurement reference value for a file to be protected; the REE operating system calls a TEE operating system to encrypt or sign the integrity measurement reference value by using an HMAC key; and the REE operating system saves the integrity measurement reference value after encryption or signature into the IMA extended attribute of the file. The method can realize the integrity measurement of the operating system based on the TrustZone technology, and has the advantages of comprehensive protection, high verification level, safety, reliability, good universality and strong expansibility.
In addition, the present embodiment also provides a TEE-based operating system application integrity measurement system, which includes a microprocessor and a memory connected to each other, wherein the microprocessor is programmed or configured to execute the steps of the aforementioned TEE-based operating system application integrity measurement method.
Furthermore, the present embodiment also provides a computer-readable storage medium, in which a computer program programmed or configured to execute the aforementioned TEE-based operating system application integrity measurement method is stored.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. 
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.

Claims (10)

1. A TEE-based operating system application integrity measurement method is characterized by comprising the following steps:
1) the TEE operating system generates a unique HMAC key for the device;
2) the REE operating system generates a file hash value as an integrity measurement reference value for a file to be protected;
3) the REE operating system calls a TEE operating system to encrypt or sign the integrity measurement reference value by using an HMAC key;
4) and the REE operating system saves the integrity measurement reference value after encryption or signature into the IMA extended attribute of the file.
2. The TEE-based operating system application integrity measurement method of claim 1, wherein the step 2) of generating a file hash value for the file to be protected by the REE operating system means that the REE operating system uses the modified evmctl executable to generate the file hash value for the file to be protected.
3. The TEE-based operating system application integrity measurement method of claim 1, further comprising the step of performing integrity measurement after step 4): the REE operating system creates an integrity measurement list ML; through the IMA framework it performs an integrity measurement of the code and key data used whenever an executable program runs, a kernel module is loaded or a dynamic link library is loaded; it calls the TEE operating system to splice the integrity measurement result into the PCR extension value of the TEE operating system and store it; and it records the integrity measurement result in the integrity measurement list ML.
4. The TEE-based operating system application integrity measurement method of claim 3, wherein splicing and storing the integrity measurement result into the PCR extension value of the TEE operating system specifically means: concatenating the integrity measurement result with the PCR extension value and taking the result of a hash operation over the concatenation as the new PCR extension value.
5. The TEE-based operating system application integrity measurement method of claim 4, further comprising the step of performing a local evaluation after step 4):
s1) from the start of the REE operating system, beginning with the loading of the initial process, an application integrity measurement hook preset in the REE operating system intercepts access requests of the REE operating system kernel to a target file to be protected; if an access request of the kernel to the target file to be protected is intercepted, jump to the next step;
s2) the REE operating system calculates the hash value of the target file and reads out the integrity measurement reference value of the target file after encryption or signature from the IMA extended attribute of the file;
s3) the REE operating system transmits the hash value of the target file and the integrity measurement reference value after encryption or signature as parameters to the TEE operating system;
s4) the TEE operating system verifies the signed integrity measurement reference value using the HMAC key to recover the integrity measurement reference value; if the verification passes and the recovered integrity measurement reference value matches the hash value of the target file passed as a parameter, the integrity measurement of the target file is judged successful; otherwise the integrity measurement of the target file is judged to have failed.
6. The TEE-based operating system application integrity measurement method of claim 5, wherein step S4), on judging that the target application integrity measurement is successful, further comprises the step of the TEE operating system extending the measurement value: the TEE operating system concatenates the hash value of the target file passed as a parameter with the PCR extension value and takes the result of a hash operation over the concatenation as the new PCR extension value.
7. The TEE-based operating system application integrity measurement method of claim 6, wherein step S4), on judging that the target application integrity measurement is successful, further comprises the step of the REE operating system writing the file access event into the integrity measurement log, and the content written to the integrity measurement log comprises some or all of: measurer information, measured-object information, the original PCR extension value, the measurement value, the new PCR extension value and the completion time.
8. The TEE based operating system application integrity measurement method of claim 7, further comprising the step of performing remote authentication for a remote challenger initiating a platform integrity challenge after step 4): the REE operating system receives the platform integrity challenge initiated by the remote challenger and forwards the platform integrity challenge to the TEE operating system; the TEE operating system acquires the PCR extended value, signs the PCR extended value by adopting a platform identity key PIK and forwards the PCR extended value to the REE operating system; and then the REE operating system sends the signed PCR extended value, the platform identity key PIK certificate and the integrity measurement log to a designated verifier, so that the verifier verifies the signature of the PCR extended value and analyzes the integrity measurement log to obtain a platform integrity report result.
9. A TEE-based operating system application integrity measurement system comprising a microprocessor and a memory connected to each other, characterized in that the microprocessor is programmed or configured to perform the steps of the TEE-based operating system application integrity measurement method of any one of claims 1 to 8.
10. A computer-readable storage medium having stored thereon a computer program programmed or configured to perform the TEE-based operating system application integrity measurement method of any of claims 1 to 8.
CN202110583860.2A 2021-05-27 2021-05-27 TEE-based operating system application integrity measurement method and system Pending CN113190831A (en)

Publications (1)

Publication Number Publication Date
CN113190831A true CN113190831A (en) 2021-07-30

Family

ID=76985380

Country Status (1)

Country Link
CN (1) CN113190831A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210730