JP5986897B2 - Terminal device, integrity verification system, and program - Google Patents

Description

  The present invention relates to a technique for verifying the integrity (not tampered) of a terminal device such as a smartphone.

  A Trusted Platform Module (TPM) has been developed that consists of a dedicated tamper-resistant chip that is independent of the OS (Operating System) and that performs secure processing such as encryption. TPM is mainly installed in terminals based on x86 architecture, so-called personal computers. Non-Patent Documents 1 and 2 enable “secure boot” that uses the TPM to safely start the terminal while verifying whether or not the file on the terminal is in a complete state. The technology is described.

  With this technology, when booting the OS using a CD-ROM containing the OS program for a personal computer as the boot disk, the integrity of the boot loader program that starts the OS can be verified using TPM. Done. Since the OS program written on the CD-ROM cannot be rewritten, verifying the integrity of the boot loader can confirm whether or not the terminal has started up completely.

For example, the integrity verification is performed as follows.
(1) “Measurement” is performed to calculate a hash value using each file constituting a program in a complete state corresponding to a program to be verified as an input value of a hash function, and a hash value (expected value) is obtained as a measurement result. This hash value is a value expected to be obtained as a measurement result when the same measurement is performed on the program to be verified.
(2) Measurement is performed on each file constituting the program to be verified, and a hash value (measurement value) is obtained as a measurement result.
(3) The expected value obtained by measuring the program in the complete state is compared with the measured value obtained by measuring the program to be verified. If both measured values match, it can be determined that the program to be verified is complete, and if both measured values are different, the program to be verified is not complete.

“Combining KNOPPIX and TPM to achieve“ safe service ””, [online], [October 29, 2012 search], Internet <URL: http://www.atmarkit.co.jp/news/200802 /07/aist.html> “Knoppix 5.1.1 for Trusted Computing Geeks”, [online], [November 07, 2012 search], Internet <URL: http://unit.aist.go.jp/itri/knoppix/TCGeeks-CD20071105. pdf>

  In the personal computer, the system area on the hard disk where system files including programs for realizing the main functions of the OS are stored is open to the user. For this reason, for example, the state of the system area is arbitrarily changed by an action such as a user adding an arbitrary application to the personal computer. For these reasons, there is a difficulty in formulating the standards for the complete state of personal computers. As of July 2012, secure booting of personal computers has not yet become widespread.

  In the case of a terminal such as a smartphone where the system area where OS system files are stored and the user area where users can add files are separated, special attacks such as virus attacks on the terminal Except for the situation, basically only the terminal manufacturer and the communication carrier can set the system area. Even if an OS update or patch application is performed, assuming that it is possible to grasp what kind of update or application will be performed, the state of the system area that is expected after the OS update or patch application is determined in advance. It becomes possible to formulate.

  However, since the size of the OS system file is enormous, it takes an enormous amount of time if the TPM's weak computing circuit measures the OS system file. Therefore, a method of measuring the OS system file using a CPU (Central Processing Unit) of a terminal capable of high-speed processing can be considered. In this method, the boot loader that starts the OS controls the CPU and measures the OS system file. However, since the boot loader operates with a single task / single thread, the boot loader has a lower processing capability than an OS that can operate with multitask / multithread. Also, since the memory cache functions only in a limited manner, the CPU operates slower than when the OS functions. For this reason, it takes time to measure a system file of an enormous size of OS, and there is a problem that it becomes an obstacle to high-speed startup of a terminal when realizing a secure boot.

  Further, in order for the TPM arithmetic circuit to compare the measured value and the expected value of the OS system file, it is necessary to store the expected value of the OS system file in the storage device in the TPM in advance. However, since the size of the OS system file is enormous, the expected value of the OS system file also becomes enormous, and the expected value of the OS system file may be held in advance in the TPM storage device that has a small storage capacity. Have difficulty. Therefore, the expected value of the OS system file is held in advance in an external device (server) equipped with a storage device having sufficient storage capacity, and the measured value of the OS system file is transferred from the terminal to the external device when the terminal is started. A method can be considered in which the external device compares the measured value of the OS system file with the expected value.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to verify the integrity of the OS when starting up the terminal device and to start up the terminal device at a higher speed.

  The present invention has been made to solve the above-described problems, and measures and measures a service program for realizing a function of a service provided by an OS (Operating System) and control by a kernel. After generating the first measured value as a result, a service measurement / startup program for realizing the function of the service measurement / startup unit for starting the service, and starting the service measurement / startup unit, the service measurement A first storage unit for storing an OS program including a kernel program for realizing the function of the kernel for controlling processing performed by the activation unit, and measuring the service measurement / activation program, A second measurement value is generated, and the kernel program is measured to generate a third measurement value as a measurement result. A second storage unit for storing a boot loader program for realizing a boot loader function for starting the kernel; a processing unit for performing processing in accordance with the OS program and the boot loader program; and measuring the service program The first expected value, which is an expected measurement result, is compared with the first measured value, and the second expected value, which is the expected measurement result when the service measurement / startup program is measured, and the first 2 is compared with the third measured value, and the third expected value, which is a measurement result expected when the kernel program is measured, is compared with the third measured value to verify the integrity of the OS. A terminal device comprising: a transmission unit that transmits the first measurement value, the second measurement value, and the third measurement value to a server.

  Further, the terminal device of the present invention measures the service measurement / startup program, generates a second measurement value as a measurement result, measures the kernel program, and obtains a third measurement value as the measurement result. After generating, measure the second storage unit for storing a rewritable first boot loader program for realizing the function of the first boot loader for starting the kernel, and the first boot loader program, Third memory for storing a second non-rewritable second boot loader program for realizing the function of the second boot loader for starting the first boot loader after generating the fourth measurement value as the measurement result The fourth expected value, which is a measurement result expected when the first boot loader program is measured, and the fourth measured value A verification unit for verifying the integrity of the first boot loader program Ri, and having a.

  In the terminal device according to the present invention, the verification unit is a TPM (Trusted Platform Module) having tamper resistance, a storage unit that stores the fourth expected value, the fourth expected value, and the And a comparison unit that verifies the integrity of the first boot loader program by comparing with a fourth measurement value.

  In the terminal device of the present invention, the TPM further includes a signature unit that generates an electronic signature of the first measurement value, the second measurement value, and the third measurement value, and the transmission unit Transmits the first measurement value, the second measurement value, the third measurement value, and the electronic signature to the server.

  In the terminal device according to the present invention, the service measurement / start program is a program that is executed first by the started kernel.

  The present invention is also an integrity verification system comprising a terminal device and a server, wherein the terminal device is in accordance with a service program for realizing a service function provided by an OS (Operating System) and control by a kernel. , After measuring the service program and generating a first measurement value as a measurement result, a service measurement / startup program for realizing the function of a service measurement / startup unit for starting the service, A first storage unit for storing an OS program including a kernel program for realizing a function of the kernel that activates an activation unit and controls processing performed by the service measurement / activation unit; Measures the startup program, generates a second measurement value as a measurement result, and measures the kernel program After generating a third measurement value that is a measurement result, a second storage unit that stores a boot loader program for realizing a boot loader function for starting the kernel, and processing according to the OS program and the boot loader program A processing unit, and a transmission unit that transmits the first measurement value, the second measurement value, and the third measurement value to the server, and the server measures the service program The first expected value that is a measurement result expected for the service, the second expected value that is the measurement result expected when the service measurement / startup program is measured, and the expected value when the kernel program is measured A second storage unit that stores a third expected value that is a measurement result; and the first measurement value, the second measurement value, and the third measurement value from the terminal device. A receiving unit for receiving a value, comparing the first expected value and the first measured value, comparing the second expected value and the second measured value, and the third expected value. A verification unit that verifies the integrity of the OS by comparing the measured value with the third measurement value.

  The present invention also measures a service program for realizing a service function provided by an OS (Operating System) and control by the kernel, and generates a first measurement value as a measurement result. Thereafter, a service measurement / startup program for realizing the function of a service measurement / startup unit for starting the service, and the service measurement / startup unit are started, and the processing performed by the service measurement / startup unit is controlled. A first storage unit for storing an OS program including a kernel program for realizing a kernel function; measuring the service measurement / startup program; and generating a second measurement value as a measurement result; After measuring the kernel program and generating a third measurement value as a measurement result, the boot program that starts the kernel is started. A second storage unit that stores a boot loader program for realizing the functions of the driver, a processing unit that performs processing according to the OS program and the boot loader program, and a measurement result expected when the service program is measured A first expected value is compared with the first measured value, and a second expected value that is a measurement result expected when the service measurement / startup program is measured is compared with the second measured value. Then, the first measurement is sent to a server that verifies the integrity of the OS by comparing the third expected value, which is a measurement result expected when the kernel program is measured, with the third measured value. A program for causing a computer to function as a value, the second measurement value, and a transmission unit that transmits the third measurement value.

  According to the present invention, the terminal device activates the terminal device by transmitting the first measurement value, the second measurement value, and the third measurement value to the server that verifies the integrity of the OS of the terminal device. Sometimes the server can verify the integrity of the terminal's OS. Further, the service measuring / starting unit measures the service program according to the control by the kernel, so that the terminal device can be started at a higher speed.

It is a block diagram which shows the structure of the terminal device by one Embodiment of this invention. It is a block diagram which shows the function structure of CPU which the terminal device by one Embodiment of this invention has. It is a block diagram which shows the structure of the server by one Embodiment of this invention. FIG. 3 is a reference diagram illustrating an OS file system according to an embodiment of the present invention. It is a flowchart which shows the procedure of operation | movement of the terminal device by one Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the terminal device by one Embodiment of this invention. It is a flowchart which shows the procedure of the operation | movement of the server by one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. The integrity verification system according to the present embodiment includes a terminal device having an OS that is an object of integrity verification, and a server that performs OS integrity verification of the terminal device. FIG. 1 shows the configuration of a terminal device 1 according to the present embodiment.

  The terminal device 1 includes a communication unit 10 (transmission unit), a CPU 11 (processing unit), a flash memory 12, a ROM (Read Only Memory) 13, a RAM (Random Access Memory) 14, and a TPM 15. The communication unit 10 includes a communication circuit that communicates with the server 2. The CPU 11 has a processing circuit that performs various processes. The flash memory 12 is a non-volatile memory that stores various programs. The ROM 13 is a non-volatile memory that stores various programs and cannot be rewritten. The RAM 14 is a volatile memory that temporarily stores various programs and data. The flash memory 12, the ROM 13, and the RAM 14 function as a storage unit that stores each program described below. The TPM 15 (verification unit) has a CPU (not shown) inside and is configured by a dedicated chip having tamper resistance. In this embodiment, a case where a general Android (registered trademark) as an OS for a smartphone is installed in the terminal device 1 will be described as an example.

  The flash memory 12 stores a service program 120, a service measurement / startup program 121, a kernel program 122, and a first boot loader program 123. The ROM 13 stores the second boot loader program 130.

  The service program 120 is a program including a system file for realizing the function of the service provided by the OS. The service 140 is activated when the service program 120 is read from the flash memory 12 into the RAM 14. The service 140 is a program that is resident in the RAM 14 and may be called a daemon depending on the OS. The activated service 140 implements a service function by giving the CPU 11 a command defined by the service program 120.

  The service measurement / startup program 121 is a program for realizing a function of starting the service 140 after measuring the service program 120 and generating a measurement value (first measurement value). When the service measurement / startup program 121 is read from the flash memory 12 into the RAM 14, the service measurement / startup unit 141 is started. The activated service measurement / activation unit 141 realizes the above-described function by giving the CPU 11 a command defined by the service measurement / activation program 121.

  The kernel program 122 realizes basic functions as an OS such as memory management, process management, and device management. In the present embodiment, the kernel program 122 starts the service measurement / startup unit 141 and performs processing performed by the service measurement / startup unit 141. This is a program for realizing the function to be controlled. The kernel 142 is activated by reading the kernel program 122 from the flash memory 12 into the RAM 14. The activated kernel 142 implements the above-described function by giving the CPU 11 an instruction defined by the kernel program 122.

  The service program 120, the service measurement / startup program 121, and the kernel program 122 constitute an OS program. In addition, the service 140 activated on the RAM 14, the service measurement / activation unit 141, and the kernel 142 constitute an OS. The service program 120, the service measurement / startup program 121, and the kernel program 122 are stored in the flash memory 12 in a compressed state.

  The first boot loader program 123 measures the service measurement / startup program 121, generates a measurement value (second measurement value), measures the kernel program 122, and generates a measurement value (third measurement value). This is a program for realizing the function of starting the kernel 142 later. The first boot loader program 123 is started by reading the first boot loader program 123 from the flash memory 12 into the RAM 14. The activated first boot loader 143 implements the above function by giving the CPU 11 an instruction defined by the first boot loader program 123. The first boot loader program 123 of the present embodiment is a rewritable program and can cope with the update of the boot loader function.

  The second boot loader program 130 is a program for realizing a function of starting the first boot loader 143 after measuring the first boot loader program 123 and generating a measurement value (fourth measurement value). The second boot loader program 130 is activated by reading the second boot loader program 130 from the ROM 13 into the RAM 14. The activated second boot loader 144 implements the above function by giving the CPU 11 an instruction defined by the second boot loader program 130. The second boot loader program 130 of this embodiment is a non-rewritable program.

  The first boot loader 143 and the second boot loader 144 constitute a boot loader. In the present embodiment, the first boot loader 143 and the second boot loader 144 are used, but the first boot loader 143 may not be provided, and the second boot loader 144 may have the function. In this case, the entire boot loader cannot be rewritten.

  The TPM 15 includes a storage unit 150, a comparison unit 151, and a signature unit 152. The storage unit 150 stores an expected value (fourth expected value) expected as a measurement result when the first boot loader program 123 is measured. The comparison unit 151 compares the measured value obtained by measuring the first boot loader program 123 with the second boot loader 144 and the expected value stored in the storage unit 150, thereby confirming the integrity of the first boot loader 143. Validate.

  The signature unit 152 includes a measurement value obtained by measuring the service measurement / startup program 121 by the first boot loader 143, a measurement value obtained by measuring the kernel program 122 by the first boot loader 143, and a service measurement / startup unit 141. Generates a signature file with an electronic signature added to each of the measured values obtained by measuring the service program 120. The generated signature file is transmitted to the server 2.

  The CPU 11 corresponds to these functions by executing various instructions given from the service 140, the service measurement / starting unit 141, the kernel 142, the first boot loader 143, and the second boot loader 144 that are loaded into the RAM 14 and started. It functions as a processing unit that executes processing. FIG. 2 schematically shows the functional configuration of the CPU 11. The CPU 11 includes a service processing unit 110 corresponding to the function of the service 140, a service measurement / starting processing unit 111 corresponding to the function of the service measuring / starting unit 141, a kernel processing unit 112 corresponding to the function of the kernel 142, and the first boot loader 143. Functions as a first boot loader processing unit 113 corresponding to the above functions and a second boot loader processing unit 114 corresponding to the functions of the second boot loader 144.

  In the present embodiment, the integrity of the first boot loader 143 is verified by the terminal device 1. However, verification of the integrity of the OS including the service 140, the service measurement / starting unit 141, and the kernel 142 takes time to compare the measured value with the expected value, and thus is performed by the server 2.

  FIG. 3 shows the configuration of the server 2 according to the present embodiment. The server 2 includes a communication unit 20 (reception unit), a verification unit 21, and a storage unit 22. The communication unit 20 includes a communication circuit that communicates with the terminal device 1. The verification unit 21 confirms whether or not the measurement value has been tampered with based on the signature file received from the terminal device 1, and further stores the measurement value included in the signature file and the storage unit 22. The integrity of the OS in the terminal device 1 is verified by comparing with the expected value. The storage unit 22 has an expected value (first expected value) expected as a measurement result when the service program 120 is measured, and an expected value expected as a measurement result when the service measurement / startup program 121 is measured ( A second expected value), an expected value (third expected value) expected as a measurement result when the kernel program 122 is measured, and a result of the verification unit 21 verifying the integrity of the OS in the terminal device 1; Remember. Assume that the integrity of the server 2 is guaranteed in advance.

  Next, the OS file system in the present embodiment will be described. FIG. 4 shows an OS file system built on the flash memory 12. FIG. 4 shows a state when the terminal device 1 is activated. “*” Indicates the root directory. A character string surrounded by “[” and “]” indicates a directory (folder). In addition to the directories / data, / proc, / sbin, / sys, and / system, the root directory includes programs / init, files default.prop, init.goldfish.rc, init.rc, tcg- scan.conf etc. A file can be mounted (stored) in the directory. For example, a file called adb is mounted in / sbin. No files are mounted in / data, / proc, / sys, or / system when the terminal device 1 is started.

  init is a program executed first by the kernel 142. The order in which init executes processes is specified in init.rc. Init.rc has a process for measuring the service program 120 added to the conventional process for starting and initializing the service program 120. In addition, conditions when the init measures the service program 120 according to init.rc are defined in tcg-scan.conf. The tcg-scan.conf includes, for example, the path of the file to be measured, the matching pattern of the name of the entry to be measured, the entry type (file, directory, node, link, device, etc.) and the like.

  The service measurement / startup program 121 includes at least init, init.rc, and tcg-scan.conf. The service program 120 includes at least system files mounted at / data and / system. As described above, since files are not mounted on / data and / system when the terminal device 1 is started up, the service program 120 is executed after the system files constituting the service program 120 are mounted on / data and / system. Measured. Note that the kernel program 122 is not included in the file system.

  Next, the operation at the time of starting the terminal device 1 according to the present embodiment will be described. 5 and 6 show the operation at the time of starting the terminal device 1. FIG. 5 shows the operation of the OS and the boot loader, and FIG. 6 shows the operation of the TPM 15. The CPU 11 performs processing according to each program read and started by the RAM 14 to perform each processing shown in FIG. 4. Hereinafter, each program started on the RAM 14 will be described as the main subject of processing.

  When the terminal device 1 is powered on and activated, the second boot loader program 130 is read from the ROM 13 into the RAM 14 and the second boot loader 144 is activated as shown in FIG. 5 (step S100). The second boot loader 144 reads the first boot loader program 123 from the flash memory 12 into the RAM 14 and measures the first boot loader program 123 (step S105). The measured value of the first boot loader program 123 is output to the TPM 15.

  Subsequently, the second boot loader 144 reads the first boot loader program 123 from the flash memory 12 into the RAM 14 and activates the first boot loader 143 (step S110). The activated first boot loader 143 waits for an instruction to be output from the TPM 15.

  As illustrated in FIG. 6, when the measurement value of the first boot loader program 123 is input, the comparison unit 151 of the TPM 15 reads the expected value of the first boot loader program 123 from the storage unit 150. The comparison unit 151 compares the measured value of the first boot loader program 123 with the expected value (step S200).

  Subsequently, the comparison unit 151 determines whether or not the measured value of the first boot loader program 123 matches the expected value (step S205). If the measured value and the expected value of the first boot loader program 123 do not match, the comparison unit 151 outputs an end instruction (step S235), and the TPM 15 ends the process. In this case, the integrity of the first boot loader 143 could not be confirmed.

  If the measured value and the expected value of the first boot loader program 123 match, the comparison unit 151 outputs a start instruction (step S210). In this case, the integrity of the first boot loader 1434 has been confirmed. Subsequently, the signature unit 152 waits for a measurement value to be input to the TPM 15.

  As shown in FIG. 5, the first boot loader 143 determines the content of the instruction output from the TPM 15 (step S115). If the instruction output from the TPM 15 is an end instruction, the first boot loader 143 ends the process. In this case, activation of the terminal device 1 is stopped. If the instruction output from the TPM 15 is a start instruction, the first boot loader 143 expands (decompresses) the kernel program 122 to the RAM 14 while reading the compressed kernel program 122 from the flash memory 12 and measuring it. . The first boot loader 143 expands the service measurement / startup program 121 in the RAM 14 while reading the compressed service measurement / startup program 121 from the flash memory 12 and measuring it (step S120). The measured values of the kernel program 122 and the service measurement / startup program 121 are output to the TPM 15.

  Subsequently, the first boot loader 143 reads the compressed kernel program 122 from the flash memory 12 again, expands it in the RAM 14, and starts the kernel 142. Also, the first boot loader 143 reads the compressed service measurement / startup program 121 from the flash memory 12 again and expands it in the RAM 14, and starts the service measurement / startup unit 141 (step S125).

  Subsequently, the activated kernel 142 activates the above-described init to activate the service measurement / activation unit 141 (step S130). The init of the activated service measurement / activation unit 141 performs processing according to the procedure defined in init.rc. The init.rc of this embodiment stipulates that processing is performed in the order of mounting of system files constituting the service program 120, measurement of the service program 120, and activation of the service 140. Therefore, init of the service measuring / starting unit 141 reads the compressed service program 120 from the flash memory 12 and expands it, and mounts system files constituting the service program 120 at / data and / system in the flash memory 12. (Step S135).

  Subsequently, init of the service measurement / startup unit 141 reads the service program 120 mounted on / data and / system from the flash memory 12 to the RAM 14 according to tcg-scan.conf, and measures the service program 120 (step S140). ). In step S140, measurement is performed for each file included in the system file constituting the service program 120, and a measurement value is calculated for each file. The measurement values of each file are collected into one file and stored in the flash memory 12 as a file in which the measurement values of the service program 120 are recorded.

  Subsequently, init of the service measurement / startup unit 141 reads the service program 120 mounted on / data and / system from the flash memory 12 to the RAM 14 and starts the service 140 (step S145). The activated service 140 waits for an instruction to be output from the TPM 15 when a communication function is activated.

  As shown in FIG. 6, when the measurement value of the kernel program 122 is input after the activation instruction is output from the comparison unit 151, the signature unit 152 of the TPM 15 generates a signature file including the measurement value and the electronic signature. It is generated and stored in the flash memory 12 (step S215). The electronic signature included in the signature file is information obtained by encrypting the hash value of the measurement value of the kernel program 122 with the secret key held by the TPM 15. The secret key used for generating the signature file is stored in the storage unit 150, for example.

  Subsequently, when the measurement value of the service measurement / startup program 121 is input, the signature unit 152 generates a signature file including the measurement value and the electronic signature, and stores the signature file in the flash memory 12 (step S220). The electronic signature included in the signature file is information obtained by encrypting the hash value of the measurement value of the service measurement / startup program 121 with the private key held by the TPM 15.

  Subsequently, the signature unit 152 reads a file including the measurement value of the service program 120 from the flash memory 12, generates a signature file including the measurement value and the electronic signature, and stores the signature file in the flash memory 12 (step S220). The electronic signature included in the signature file is information obtained by encrypting the hash value of the measurement value of the service program 120 with the secret key held by the TPM 15.

  Subsequently, the signature unit 152 outputs a signature file transmission instruction to the service 140 (step S230), and the TPM 15 ends the process.

  As shown in FIG. 5, the service 140 determines whether or not a signature file transmission instruction is output from the TPM 15 (step S150). If the signature file transmission instruction is not output, the service 140 waits until the signature file transmission instruction is output. When the signature file transmission instruction is output, the service 140 reads the signature file from the flash memory 12, outputs the signature file to the communication unit 10, and transmits the signature file to the server 2 (step S225). The signature file includes a signature file including the measurement value of the kernel program 122, a signature file including the measurement value of the service measurement / startup program 121, and a signature file including the measurement value of the service program 120. The signature file may be a single file including the measurement values of each of these programs and the electronic signature. After transmitting the signature file, the service 140 completes the process related to the activation of the terminal device 1 and performs the process during activation.

  The rewriting of the first boot loader program 123 is performed after the service 140 is activated as necessary. Immediately after the first boot loader program 123 is rewritten, the expected value of the first boot loader program 123 is calculated. The calculated expected value is output to the TPM 15, and the expected value stored in the storage unit 150 of the TPM 15 is updated to the expected value input to the TPM 15. Assuming the possibility that rewriting of the first boot loader program 123 fails, the following may be performed. For example, when the first boot loader program 123 in the initial state is stored in the ROM 13 in advance and the comparison unit 151 of the TPM 15 determines that the measured value of the first boot loader program 123 does not match the expected value, the initial state The start instruction using the first boot loader program 123 is output. Based on this activation instruction, the second boot loader 144 reads the first boot loader program 123 in the initial state from the ROM 13 into the RAM 14 and activates the first boot loader 143. The activated first boot loader 143 performs the process of step S120.

  Next, the operation of the server 2 according to the present embodiment will be described. FIG. 7 shows the operation of the server 2.

  The communication unit 20 receives the signature file from the terminal device 1 and outputs it to the verification unit 21 (step S300). The verification unit 21 verifies the electronic signature included in the signature file (step S305). At this time, the verification unit 21 reads the public key from the storage unit 22, decrypts the electronic signature included in the signature file with the public key, and uses the obtained hash value and the measurement value included in the signature file. Check whether the calculated hash value matches. If they match, it is guaranteed that the contents of the signature file have not been tampered with.

  The public key that the server 2 has is a key that is paired with the secret key that the TPM 15 of the terminal device 1 has. When communication is enabled when the terminal device 1 is activated, the public key is transmitted from the terminal device 1 to the server 2 separately from the signature file or together with the signature file.

  If the contents of the signature file are not falsified, the verification unit 21 reads the expected value of the kernel program 122 from the storage unit 22, the measured value of the kernel program 122 included in the signature file, and the expected value read from the storage unit 22. Are compared (step S310). Subsequently, the verification unit 21 reads the expected value of the service measurement / startup program 121 from the storage unit 22, and obtains the measured value of the service measurement / startup program 121 included in the signature file and the expected value read from the storage unit 22. Compare (step S315). Further, the verification unit 21 reads the expected value of the service program 120 from the storage unit 22, and compares the measured value of the service program 120 included in the signature file with the expected value read from the storage unit 22 (step S320). The expected value of the service program 120 is an expected value for each file included in the system files that constitute the service program 120.

  Subsequently, the verification unit 21 determines whether or not the OS of the terminal device 1 is complete based on the processing results of steps S310, S315, and S320 (step S325). In all of Steps S310, S315, and S320, when the measured values and expected values of all files completely match, it is determined that the OS of the terminal device 1 is complete. In addition, in at least one of steps S310, S315, and S320, if the measured value of one of the files does not match the expected value, it is determined that the OS of the terminal device 1 is not complete.

  When it is determined that the OS of the terminal device 1 is complete, the verification unit 21 generates information indicating that the OS of the terminal device 1 is complete, and the identification information of the terminal device 1 (MAC address or TPM 15 ID). Etc.) and recorded in the storage unit 22 (step S330). When it is determined that the OS of the terminal device 1 is not complete, the verification unit 21 generates information indicating that the OS of the terminal device 1 is not complete, and associates the identification information of the terminal device 1 with the storage unit 22. Recording is performed (step S335). By referring to the information recorded in the storage unit 22 in steps S330 and S335, it can be confirmed later whether or not the terminal device 1 has been activated in a complete state. When one of the processes in steps S330 and S335 ends, the server 2 ends the process of verifying the integrity of the OS of the terminal device 1.

  In the present embodiment, the following modifications are possible. The determination in step S115 may be performed by the second boot loader 144 before the process in step S110 is performed. Further, the order in which the processes of steps S215, S220, and S225 are performed may not be the order shown in FIG. Moreover, the order in which each process of step S310, S315, S320 is performed does not need to be the order shown in FIG.

  In the above description, init of the service measurement / startup unit 141 measures the service measurement / startup program 121 and the kernel program 122, the init of the service measurement / startup unit 141 executes the measurement program, and the measurement is performed. The service program may measure the service measurement / startup program 121 and the kernel program 122. In this case, the service measurement / startup program 121 includes a measurement program.

  In the above description, the second boot loader 144 measures and expands the compressed service measurement / startup program 121 and the kernel program 122. However, the second bootloader 144 does not use the compressed service measurement / startup program 121 and After the kernel program 122 is measured and the kernel 142 is activated, the kernel 142 may expand the compressed service measurement / activation program 121 and the kernel program 122.

  In the above description, the service measurement / startup program 121 and the kernel program 122 are separated, but both may be integrated.

  In the above description, the first boot loader program 123 and the second boot loader program 130 are separated, but both may be integrated and the program may be stored in the ROM 13.

  Next, the reason why the terminal device 1 can be activated at a higher speed will be described. In the present embodiment, the init of the service measurement / startup unit 141 performs the measurement of the service program 120, so that the measurement time is shortened compared to the case where the boot loader performs the measurement of the service program 120. It can start at high speed.

  Before the kernel 142 is booted, the boot loader cannot use functions provided by the kernel 142 such as opening a file, closing a file, and creating a thread. Since the measurement of the system file constituting the service program 120 is performed in units of files, in order for the boot loader to measure the service program 120, the boot loader needs to be able to handle the file. However, since the code size increases when a function for opening and closing files is added to the boot loader, it is conceivable that the file cache (page cache) function is not implemented in the boot loader instead of adding the function.

  Without the file cache function, each time a file is opened, a device (flash in this embodiment) is used to search the directory from the root directory at the highest level of the file system to the directory where the file to be opened is mounted. The memory 12) needs to be accessed, and the time required to open the file becomes longer. Also, it is conceivable that a file prefetching function is not implemented, and the device is accessed to read the file, resulting in a lot of waiting time. Furthermore, since the handling of the L2 cache (secondary cache) is troublesome, it can be considered to invalidate the L2 cache. As a result, a miss penalty due to a cache miss in the L1 cache (primary cache) occurs, and the processing speed decreases.

  Further, as described above, since the boot loader operates with a single task / single thread, even when a plurality of CPU cores are mounted, only one CPU core can be used.

  On the other hand, since the kernel 142 is activated when the init of the service measuring / starting unit 141 is started, the init of the service measuring / starting unit 141 opens the file provided by the kernel 142, closes the file, and sets the thread. Functions such as generation can be used. As a result, the init of the service measuring / starting unit 141 can operate in multitasking / multithreading, and the measurement target file can be read and measured in parallel. In addition, the file cache function reduces the number of times the same directory is repeatedly read in vain when searching the directory where the file to be opened is mounted. In addition, the file read-ahead feature reduces the number of times the device is accessed. Further, by enabling the L2 cache, the miss penalty due to a cache miss in the L1 cache is reduced.

  Further, when a plurality of CPU cores are mounted, it is possible to perform measurement in parallel by assigning a CPU core to each of a plurality of threads.

  As described above, the init of the service measuring / starting unit 141 uses various functions of the kernel 142, thereby shortening the time required for the measurement of the service program 120 and, as a result, starting the terminal device 1 at a higher speed. Can do.

  Next, an example in which the integrity verification system of this embodiment is applied will be described. Bring Your Own Device (BYOD), which brings terminal devices owned by individuals into the company, is advancing. Implemented for quarantine services that connect the terminal device to the company network after verifying that the system area is complete, that is, it is a safe terminal device that is not affected by malware infection or unauthorized modification by employees It is possible to apply a form integrity verification system. For example, the server 2 is a company management server, and the terminal device 1 is connected to the company network only when it is confirmed that the OS of the terminal device 1 is complete.

  Further, when using the bank settlement application, the integrity of the terminal device 1 may be confirmed. For example, when the bank settlement application is installed in the terminal device 1 and the bank settlement application makes a settlement request to the bank server, the bank server requests the server 2 to confirm the integrity of the terminal device 1. The server 2 confirms whether or not the OS of the terminal device 1 is complete based on the information stored in the storage unit 22 and notifies the bank server of the confirmation result. The bank server processes the payment only when it is confirmed that the OS of the terminal device 1 is complete. Alternatively, the server 2 may be a bank server.

  As described above, according to the present embodiment, the server 2 can verify the integrity of the OS of the terminal device 1 when the terminal device 1 is activated. Further, the service measuring / starting unit 141 measures the service program 120 under the control of the kernel 142, so that the terminal device 1 can be started at a higher speed.

  Further, the service measurement / startup program 121 is implemented by adding the function of measuring the service program 120 to the initialization program (init) for initializing the service 140 to configure the service measurement / startup program 121. Becomes easier.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . In this embodiment, hash values are used for measured values and expected values. However, any irreversible values can be used instead of hash values. In the present embodiment, Android (registered trademark) is installed as the OS in the terminal device 1, but the OS system file is stored in the disk area (an area such as a flash memory or a hard disk drive) of the terminal apparatus. It suffices that the system area and the user area where a user can arbitrarily add a file are separated, and another OS may be installed in the terminal device 1.

  1 terminal device, 2 server, 10, 20 communication unit, 11 CPU, 12 RAM, 13 flash memory, 14 ROM, 15 TPM, 21 verification unit, 22,150 storage unit, 110 service processing unit, 111 service measurement / startup process , 112 kernel processing unit, 113 first boot loader processing unit, 114 second boot loader processing unit, 120 service program, 121 service measurement / start program, 122 kernel program, 123 first boot loader program, 130 second boot loader program, 140 service , 141 Service measurement / starting unit, 142 Kernel, 143 First boot loader, 144 Second boot loader, 151 Comparison unit, 152 Signature unit

Claims (7)

A service program for realizing the functions of the service provided by the OS (Operating System);
A service measurement / startup program for realizing the function of a service measurement / startup unit for starting the service after measuring the service program according to control by the kernel and generating a first measurement value as a measurement result;
A kernel program for activating the service measurement / starting unit and realizing the function of the kernel for controlling processing performed by the service measurement / starting unit;
A first storage unit for storing an OS program including:
The service measurement / startup program is measured to generate a second measurement value that is a measurement result, and the kernel program is measured to generate a third measurement value that is a measurement result, and then the kernel is started. A second storage unit for storing a boot loader program for realizing the function of the boot loader;
A processing unit for performing processing according to the OS program and the boot loader program;
It is a measurement result expected when the service measurement / startup program is measured by comparing a first expected value, which is a measurement result expected when the service program is measured, with the first measurement value. By comparing a second expected value and the second measured value, and comparing a third expected value that is a measurement result expected when the kernel program is measured and the third measured value A transmission unit for transmitting the first measurement value, the second measurement value, and the third measurement value to a server that verifies the integrity of the OS;
A terminal device comprising: The service measurement / startup program is measured to generate a second measurement value that is a measurement result, and the kernel program is measured to generate a third measurement value that is a measurement result, and then the kernel is started. The second storage unit for storing a rewritable first boot loader program for realizing the function of the first boot loader;
A second non-rewritable second for realizing the function of the second boot loader that activates the first boot loader after measuring the first boot loader program and generating a fourth measurement value as a measurement result. A third storage unit for storing the boot loader program of
A verification unit that verifies the integrity of the first boot loader program by comparing a fourth expected value, which is a measurement result expected when measuring the first boot loader program, with the fourth measured value. When,
The terminal device according to claim 1, comprising: The verification unit is a TPM (Trusted Platform Module) having tamper resistance,
A storage unit for storing the fourth expected value;
A comparison unit that verifies the integrity of the first boot loader program by comparing the fourth expected value and the fourth measured value;
The terminal device according to claim 2, comprising: The TPM further includes a signature unit that generates an electronic signature of the first measurement value, the second measurement value, and the third measurement value;
The terminal device according to claim 3, wherein the transmission unit transmits the first measurement value, the second measurement value, the third measurement value, and the electronic signature to the server. .   The terminal device according to claim 1, wherein the service measurement / startup program is a program that is executed first by the started kernel. An integrity verification system comprising a terminal device and a server,
The terminal device
A service program for realizing the functions of the service provided by the OS (Operating System);
A service measurement / startup program for realizing the function of a service measurement / startup unit for starting the service after measuring the service program according to control by the kernel and generating a first measurement value as a measurement result;
A kernel program for activating the service measurement / starting unit and realizing the function of the kernel for controlling processing performed by the service measurement / starting unit;
A first storage unit for storing an OS program including:
The service measurement / startup program is measured to generate a second measurement value that is a measurement result, and the kernel program is measured to generate a third measurement value that is a measurement result, and then the kernel is started. A second storage unit for storing a boot loader program for realizing the function of the boot loader;
A processing unit for performing processing according to the OS program and the boot loader program;
A transmission unit for transmitting the first measurement value, the second measurement value, and the third measurement value to the server;
Have
The server
A first expected value that is a measurement result expected when the service program is measured, a second expected value that is a measurement result expected when the service measurement / startup program is measured, and the kernel program A second storage unit that stores a third expected value that is a measurement result expected when the measurement is performed;
A receiving unit for receiving the first measurement value, the second measurement value, and the third measurement value from the terminal device;
The first expected value and the first measured value are compared, the second expected value and the second measured value are compared, and the third expected value and the third measured value are compared. Verifying the integrity of the OS by comparing
An integrity verification system characterized by comprising: A service program for realizing the functions of the service provided by the OS (Operating System);
A service measurement / startup program for realizing the function of a service measurement / startup unit for starting the service after measuring the service program according to control by the kernel and generating a first measurement value as a measurement result;
A kernel program for activating the service measurement / starting unit and realizing the function of the kernel for controlling processing performed by the service measurement / starting unit;
A first storage unit for storing an OS program including:
The service measurement / startup program is measured to generate a second measurement value that is a measurement result, and the kernel program is measured to generate a third measurement value that is a measurement result, and then the kernel is started. A second storage unit for storing a boot loader program for realizing the function of the boot loader;
A processing unit for performing processing according to the OS program and the boot loader program;
It is a measurement result expected when the service measurement / startup program is measured by comparing a first expected value, which is a measurement result expected when the service program is measured, with the first measurement value. By comparing a second expected value and the second measured value, and comparing a third expected value that is a measurement result expected when the kernel program is measured and the third measured value A transmission unit for transmitting the first measurement value, the second measurement value, and the third measurement value to a server that verifies the integrity of the OS;
As a program to make the computer function as.

Images