KR20080006638A - Systems and methods for integrity certification and verification - Google Patents

Abstract

A method and system for integrity certification and verification in a computer environment based on characteristics and behaviors of one or more applications, systems or system components as compared with a profile of characteristics and behaviors, including determining a behavior integrity profile (BIP) specifying characteristics and behaviors of one or more applications, systems or system components; determining based on the BIP whether or not characteristics and behaviors of one or more applications, systems or system components are compliant with characteristics and behaviors defined in a behavior integrity profile specification; and determining access rights to the one or more applications, systems or system components based on the step of determining the compliance.

Description

System and Method for Integrity Assurance and Verification {SYSTEMS AND METHODS FOR INTEGRITY CERTIFICATION AND VERIFICATION}

The present invention relates to integrity assurance and verification. In particular, the present invention relates to the use of a profile comprising an Application Integrity Profile (AIP) and a Behavioral Integrity Profile (BIP).

[0002] One of the most important issues that enable wide distribution and use of various purposes through electronic commerce of digital documents and electronic services is the need for protection of intellectual property rights of content owners and suppliers. Efforts to address these issues include Intellectual Property Rights Management (IPRM), Digital Property Rights Management (DPRM), Intellectual Property Management (IPM), and Digital Rights Management: DRM), Rights Management (RM) and Electronic Copyright Management (ECM).

However, content providers want their content to be consumed by certified applications and systems with desired characteristics and / or behaviors. In addition, providers of applications, services, and computer systems want their applications, services, and systems to be accessed or used only by applications and systems having the desired characteristics and / or behaviors.

Direct use of the Public Key Infrastructure (PKI) enables application and system providers to endorse their own products, allowing content and service providers to consume their content and services. It allows you to verify the integrity of the applications and systems used. However, the direct use of public key infrastructure creates a many-to-many relationship between sellers and providers, which is not easy to scale. Thus, there is a need for a method and system for managing such relationships and for verifying integrity efficiently, in near real time, or near real time.

Therefore, there is a need for a method and system for handling the above needs and problems and other problems related thereto. The above needs and problems and other problems related thereto may be solved by exemplary embodiments of the present invention that provide a method and system for integrity assurance and verification.

Thus, as an exemplary form of the present invention, there is provided a method and system for integrity assurance and verification in a computer environment based on the features and behavior of one or more applications, systems or system components compared to a profile of features and behaviors. Is provided. This example method and system includes determining a behavioral integrity profile (BIP) that specifies the features and behaviors of one or more applications, systems or system components; Determining based on the behavior integrity profile whether the features and behavior of the one or more applications, systems or system components conform to the features and behaviors defined in the details of the behavior integrity profile; Determining access rights to the one or more applications, systems or system components based on the determining compliance.

Further embodiments, features, and advantages of the present invention will be readily apparent from the following detailed description of the invention by simply illustrating various embodiments in accordance with the present invention, and various embodiments of the present invention are embodied by the present invention. Include the best way to be expected to be. In addition, various embodiments of the present invention may be modified in various forms without departing from the spirit of the invention. Accordingly, the drawings and detailed description of the invention should be considered as illustrative and not restrictive.

Like reference numerals refer to like elements in the accompanying drawings, and embodiments of the present invention are shown by way of example and not by way of limitation.

1A is a functional overview illustrating a first embodiment of an integrity assurance and verification system in accordance with the present invention.

FIG. 1B is a functional schematic diagram illustrating a first embodiment of an integrity assurance and verification system using a behavioral integrity profile (BIP) and an application integrity profile (AIP) in accordance with the present invention.

[0011] FIG. 1C is a functional schematic diagram illustrating a first embodiment of an integrity assurance and verification system using a Behavioral Integrity Profile (BIP) in accordance with the present invention.

2 is a functional block diagram illustrating a first embodiment of the integrity assurance and verification system according to the present invention.

3 is a workflow diagram of an exemplary integrity assurance and verification apparatus in accordance with the present invention.

4A shows an exemplary structure of an integrity profile according to the present invention.

4B shows an exemplary structure of a behavioral integrity profile in accordance with the present invention.

5 shows an exemplary environment stack in accordance with the present invention.

6 shows another exemplary environmental stack in accordance with the present invention.

FIG. 7 shows an example workflow of an example environment stack in accordance with the present invention. FIG.

8 shows another example workflow of an example environment stack in accordance with the present invention.

9 illustratively illustrates a method of manipulating an environmental stack in accordance with the present invention.

10 illustratively illustrates a method of preventing dynamic tampering through the use of debugging in accordance with the present invention.

11A is a flow diagram illustrating the outline of one exemplary embodiment of an integrity assurance and verification method according to the present invention.

[0023] Figure 11B is a flow diagram illustrating an overview of one exemplary embodiment of an integrity assurance and verification method that uses a behavioral integrity profile and an application integrity profile in accordance with the present invention.

[0024] Figure 11C is a flow diagram illustrating the approximation of one exemplary embodiment of an integrity assurance and verification method using a behavioral integrity profile in accordance with the present invention.

12 is a flow diagram illustrating the outline of one exemplary embodiment of a method of registering applications and / or system in accordance with the present invention.

FIG. 13 is a flow diagram illustrating the approximation of one exemplary embodiment of a method of determining an integrity profile according to the present invention. FIG.

FIG. 14 is a flow diagram illustrating an overview of one exemplary embodiment of a method for verifying the integrity of an integrity authenticator in accordance with the present invention. FIG.

The present invention recognizes that content and service providers want to make their content and service often consumed by guaranteed applications and systems with desired characteristics and behaviors. By controlling these aspects of the content and service consumption environment, content providers can limit usage, such as copying, printing, embedding, distribution, and the like.

For example, a content or service provider may want to protect content from misuse in a manner that requires a system that consumes content to be at some level of safety and rights management capabilities. The content provider may also be able to communicate with any content consuming application on the user's system that any "alien" application, such as a debugger, virus, interception routine, etc., seizes or otherwise "steals" the content or other sensitive information. You may not want to interact. For example, U.S. Patent Application No. 09 / 649,841 filed on Aug. 28, 2000, entitled " Method and Apparatus for Managing Document Distribution and Using Standard Rendering Engine & Method and Apparatus for Controlling Standard Rendering Engine " There is an invention incorporated in the application and incorporated herein by reference, which allows the user to restrict access to a document through the functional management of the user system. These ideas apply equally to providers of applications, services and computer systems.

In order to ensure that given applications and systems have the desired characteristics and behavior, verification of all applications and system components required to consume content, access to a service or interaction with other systems Working applications and components need to be verified by the verification application. The verification application verifies the application and system components using one or more integrity profiles, which may be the same or different from each other. In addition, two or more integrity profiles of the same or different type may be combined or used separately from each other.

The integrity profile may be in various forms. As an embodiment of the present invention, the integrity profile may include an Application Integrity Profile (AIP), a Behavior Integrity Profile (BIP), and the like. have. The application integrity profile may include verifiable information and features specific to the application. As such, application integrity profiles can be combined into special applications. The behavioral integrity profile may include information specifying whether the behaviors of the applications conform to that specified in the details of the behavioral integrity profile. The behavioral integrity profile may preferably include a behavioral integrity profile identification that specifies the details of the behavioral integrity profile. The details of the behavioral integrity profile detail the set of behaviors and / or consumption conditions, etc. by compliant applications. For example, the Behavior Integrity Profile Details may specify that all legitimate applications conforming to the Behavior Integrity Profile are play-only applications that are allowed to play without performing other behavior. In addition to functions or behaviors, other embodiments of the present invention may be of other types of behavioral integrity profiles based on, for example, geography, location, time, performance, service level, other suitable criteria, etc. to verify applications, systems, devices, components, etc. Provide them.

Embodiments of the present invention include a system and method for providing warranty and verification services for a computer environment. Within such a system, an integrity assurance and verification device that provides these services can be introduced between a provider of content or services and a provider such as a system or application. This assurance device can register individual applications and / or systems of each provider from their respective providers, and can guarantee the integrity of these applications and / or systems according to a predetermined selection. Through the use of these services, the user can "trust" the integrity assurance and verification device. With this trust, the provider sets up a profile of the applications and system sets that are allowed to consume its content, and verifies that the user's applications and system sets are authenticated to the user system according to that profile. .

Embodiments of the present invention preferably include providing assurance and verification services for the integrity of content and the integrity of consumption environments such as documents and other content. Within such systems, integrity assurance and verification devices that provide such services include content providers and content consumption systems, such as personal computers, handheld computers, personal digital assistants (PDAs), multimedia displays, DVD players, distributed network operated telephones. network enabled phones) and application providers that distribute applications such as word processors, content viewers, and multimedia players. The integrity assurance and verification device registers the individual applications and / or systems of the content consuming system / application providers and assures the content providers of this application and the set of systems. By using such a service, a content provider can select or trust an integrity assurance and verification device and set up a profile of a set of systems and applications that are allowed to consume this content, and the applications on the user system in accordance with the profile. You can verify that your system is certified. In this way, the degree of access or control of the content requested or submitted by the user can be controlled and determined.

Example embodiments include assurance and verification devices that use an behavior integrity profile. In one embodiment of the present invention, the integrity assurance and verification device registers and assures individual applications and / or systems of the content and service consumption system / application providers, and verifies that the behavior of the application conforms to the behavior integrity profile details. It provides proof of compliance. The consumer may use any suitable content or service consuming system or application to consume a service or content that complies with some behavioral integrity profile enforced by the provider. In this way, the use of content or services can be controlled without limiting consumption for a particular application or system. Similarly, a consumer can use any suitable computer system or application that interacts with another application or system that conforms to some behavioral integrity profile.

For more secure security, verification of applications, systems, and the like may be performed by using an Behavioral Integrity Profile (BIP) with an Application Integrity Profile (AIP). In one embodiment of the present invention, the integrity assurance and verification device registers and assures individual applications and / or systems from content and service consuming system / application providers, wherein the applications are in an integrity profile associated with the application and system components. It verifies that there is authenticity, verifies that the application's actions conform to the behavior integrity profile details, and provides evidence of this compliance.

[0036] The term "document", as used herein, is any unit of information to be distributed or conveyed, such as letters, books, periodicals, newspapers, other documents, software, plug-ins, photographs, other images, audio video clips. And other multimedia presentations. Documents are digital data recorded on any other known or future development of various media or storage media, including such as compact discs (CDs), digital video discs (DVDs), laser discs, magnetic and magneto-optical media, and the like. It may also be embodied in the form printed on paper. The terms "consumption" and "consumer", as used herein, include meanings such as accessing, rendering, editing, manipulating, executing, copying, storing, communicating, publishing, acquiring, distributing, and the like. It may include any suitable form of action, including the use or access to content and services or otherwise interaction with computer systems. As used herein, the term "content" may refer to any suitable term that may be used as a noun such as entity, resource, quality, event, state, concept, content, and the like. Example resources may include documents, multimedia files, web or other services, name, email address, and the like.

The system and method of example embodiments apply to an integrity assurance and verification apparatus. Example embodiments may separately provide systems and methods for integrity assurance and verification devices, respectively, for a content consumption system environment. Example embodiments may also provide systems and methods for assuring and verifying standardized behaviors of systems and applications. Example embodiments may also separately provide a system and a method for determining an integrity profile. Example embodiments may additionally provide a system and method for verifying the integrity of one or more system environments. Example embodiments may also provide a system and method for managing integrity profiles, system and system component information. Example embodiments can additionally provide a system and method for performing an integrity check at a user system using an integrity profile. Example embodiments may additionally provide a system and method for performing compliance checks on a user system using a behavioral integrity profile.

As one embodiment of the invention, a content provider, such as a content publisher or distributor, may initiate a request for an integrity profile to provide content consumed by a user, system, device, or the like. This request for integrity profile is forwarded to the integrity assurance and verification device. The integrity assurance and verification device, if there is no integrity profile for the requested applications and system components, queries the content consumption system / application provider who has been supplying the various system components and / or applications to the user. can do. The content consumption system / application provider returns authentication information about specific applications or system components to the integrity assurance and verification device. The integrity assurance and verification apparatus having access to the authentication information may compare or verify the integrity of the application or system component on the user system and the original application or system component distributed by the content consuming system / application provider.

The authentication information regarding system applications and components may be stored in a component database. Profiles for content providers may be stored in a profile database. As another alternative, the content consuming system / application provider may maintain a database of authentication information that may be passed directly to each database of the integrity assurance and verification device, without the need for the integrity assurance and verification device to determine the integrity profile. In this case, an integrity profile identification is returned to the content provider, corresponding to the determined integrity profile.

A content provider, such as a content distributor, provides the user with protected content, for example. The content provider delivers a protected version of the digital content to the user, including, for example, a license agreement and integrity profile identification. Integrity profile identifications include, for example, applications and system components that are permitted to be used in conjunction with protected content, and identifications of integrity profiles relating to such systems / applications.

The integrity guarantee and verification apparatus has authentication information from the content consuming system / application provider, for example, upon request of the user system, delivers an integrity profile to the user system. Using this integrity profile, integrity verification of the user system can be performed. Once it is determined that the components / applications of the user system can be authenticated, the user's applications and system access to the digital content provided by the content provider may be made, for example, in accordance with additional profile information.

[0042] The content provider may preferably combine one or more behavioral integrity profile identifications with the digital content. For example, a music content provider who wants music content to be consumed by a device capable of only play-only and copy-once-only copies only play-only and once-limited copies. Possible behavior integrity profile identifications can be combined with the content. The application integrity profile identification is not combined with the protected content, but may be embedded in the applications and system components by the system / application provider. For example, a customer may be able to use the service only when a secure browser is used where the content provider provides the service.

The integrity assurance and verification device retrieves compliance evidence of the behavior integrity profile from the profile verification device using the behavior integrity profile identification value. The integrity assurance and verification device uses the application integrity profile identification to retrieve the integrity profile and deliver it to the user system. With this integrity profile, integrity verification of the user system can be performed to ensure that the components / applications of the user system have not been tampered with. If the components / applications of the user system are determined to be authentic and there is evidence of compliance with the behavioral integrity profile, the digital content provided by the content provider may be consumed by the user's applications and systems. Similarly, if the components / applications are determined to be authentic and there is evidence of compliance with the behavioral integrity profile, the service may be consumed or the application or computer resource may be accessed.

However, it is to be appreciated that the request for integrity assurance does not need to originate from the content provider. For example, a warranty request can be initiated by a software application embedded in profile identification information, which is passed along with the protected content from the content provider to the user's system.

Furthermore, as an illustrative embodiment, the content provider may also serve as an integrity verification and assurance system. For example, a content provider may perform the integrity assurance and verification service itself by collecting appropriate authentication information and defining an integrity profile regarding the content provider's own use.

Further as an example embodiment, the content or service consuming application / system provider may also act as an integrity assurance and verification device. For example, a content or service consuming application / system provider may supply an integrity profile with related applications and / or system components.

The system and method of example embodiments provide assurance and verification services that determine the integrity of the environment for consumption of digital content and services and use or other interaction of a computer system. For example, example systems are provided for the consumption of content and services, including consumer media such as audio, video, online services, and the like. An example system for the consumption of content may include one or more content providers, one or more content consumption systems, and integrity assurance and verification devices introduced between application providers. The integrity assurance and verification device obtains authentication information from the content consuming application and / or system providers. This authentication information allows the content provider to trust the environment in which the content will be presented. In this way, an integrity profile is established based on authentication information obtained from the content consuming application and the system provider. This profile is then passed to the user's system to confirm that the user has not altered or modified the digital content provided by the content provider, or will not potentially manipulate it in an unauthorized manner.

Referring to the drawings below, FIG. 1A shows an example system 100 for performing integrity assurance and verification. In an example embodiment, the integrity assurance and verification system 100 includes an integrity assurance and verification apparatus 200, a content provider and / or distributor 300, a user system 400, a content consumption system / application provider 500, Component database 260, profile database 270, and the like.

In an example operating environment, content consumption system / application provider 500 provides applications, systems, and / or software / hardware components to a user. User system 400 allows consumption of digital content, such as documents, supplied by content providers and distributors 300. In order to verify the integrity of the user system 400, the integrity assurance and verification device 200 obtains authentication information for individual applications, systems and / or software / hardware components from the content consuming system / application provider 500. Collect and register. With this authentication information, integrity assurance and verification device 200 determines and assures the system and / or system components based on the integrity profile of one or more applications, the service request 20 from its content provider 300. . This determined integrity profile 50 may be communicated to the user system 400 to determine the integrity of the user system 400.

In operation, the content provider and distributor 300 provide digital content, such as a document, to the user system 400. User system 400 may include one or more system components, such as hardware components and / or various software applications. These applications and hardware / software components are usually obtained by the user from one or more content consumption system / application providers such as computer providers, software warehouses, application providers, and the like. These applications and hardware and software components are then assembled by the user, if not already assembled or installed, in order to allow the user to consume content such as a document.

Thus, during the process of using applications and hardware / software of the user environment, the user may wish to view protected content such as a document. Accordingly, the user 400 may request one or more contents, such as an e-book, a multimedia file, a presentation, a form template, etc. from the content provider 300. Upon receiving this request, the content provider and distributor 300 can provide the requested content to the end user 400 with the profile identification value 10 in a protected format. This profile identification 10 may include, for example, details about in which application the protected content can be viewed and for example to what extent the provided content can be manipulated within a particular software / hardware environment. have.

In addition, the content provider 300 may forward the service request 20 to the integrity guarantee and verification apparatus 200. The service request 20 includes, for example, a list of software applications and / or components that the content provider 300 wants to cause the user system 400 to consume the distributed protected content. The integrity assurance and verification device 200 determines whether the component and applications / software pointed to by the service request have corresponding authentication information stored in the component database 260 and / or the profile database 270. If the integrity assurance and verification device did not have the authentication information specified in the service request 20, then the integrity assurance and verification device 200, from the providers 500 of one or more content consumption systems / applications, may be selected from the specific application, Authentication information regarding a system, hardware / software component, etc. may be requested. The integrity assurance and verification apparatus 200 accesses such authentication information and stores information related to an application and a system component in the component database 260. Store in As another embodiment of the present invention, the integrity assurance and verification apparatus 200 may develop an integrity profile for one or more applications. With this information confirming the authenticity of applications, systems and system components, integrity assurance and verification device 200 forwards integrity profile 50 to user system 400. This integrity profile 50 is used to verify the authenticity of the system, system components, and / or applications of the user system 400. If it is determined that the user's system components and / or applications are true, the protected content 10 is unprotected so that the user system 400 can view the protected content or not. Can be manipulated according to the integrity profile.

FIG. 1B shows another example system for performing integrity assurance and verification that applies behavioral integrity profile verification in conjunction with application integrity profile verification. Similar to the example system described in FIG. 1A, the user system 400 receives one or more content, such as an e-book, multimedia file, presentation, form template, etc. from the content provider 300. The content provider and distributor 300 may store the content in a protected form with one or more behavioral integrity profile identifications, optional behavioral integrity profile association verification flags and optionally use licenses. 400). The behavioral integrity profile identification represents a specific behavioral integrity profile detailing the set of well known behaviors or terms or conditions that the user system 400 conforms to to consume protected content. The Behavioral Integrity Profile Association Verification flag indicates whether or not a plurality of Behavioral Integrity Profile identification values are specified in connection with this to verify behavioral integrity profile compliance. If the Behavioral Integrity Profile Connection Verification flag is not explicitly specified, the integrity assurance and verification device may initiate verification to verify without connection. For example, if the content provider and distributor 300 specified both a play-only behavior integrity profile identification and a transfer-once-only for protected content, and the behavior Systems and applications that comply with both the play-only behavior integrity profile identification and the transfer-once-only behavior integrity profile identification when the integrity profile connection verification flag is specified. Only etc. can consume the protected content. On the other hand, if the Behavior Integrity Profile Connection Verification flag is not specified, one or both of its play-only Behavior Integrity Profile and Transfer-once-Only Behavior Integrity Profile Branch behavioral integrity profiles such as systems and applications can consume the protected content. As another embodiment of the present invention, the user system 400 does not receive content directly from the content provider 300, but rather one or more behavior integrity profile identification, optional behavior integrity profile connection verification from the content provider 300. Flags and optional use licenses are provided. Under such a scenario, content may exist on user system 400 as referenced by selective use licenses or implied or referenced by other means. On the other hand, in another example, "content" may include any suitable content, service, computer environment, or the like, accessible by the user system 300.

Before the user system 400 is able to consume the protected content, an integrity assurance and verification device (R) to ensure that the applications / systems are authentic and that their behavior conforms to the behavior integrity profile details. 200 verifies the integrity of these applications / systems. If it is determined that the user's system components and / or applications meet both criteria, the protected content 10 is placed in an unprotected state so that the user system 400 can consume the protected content according to the behavioral integrity profile details. Is made. In accordance with the present invention, by assuring applications and systems based on their desired features and behaviors, as well as the applications and systems to be developed and assured, or the applications and systems that exist when they are warranted in the future, The same protected content can also be consumed by existing guaranteed applications and systems.

In order to verify the integrity of the user system 400, the integrity assurance and verification apparatus 200 may be configured to separate applications, systems, and / or software / hardware components from the content consumption system / application provider 500. Collect and register authentication information for. With this authentication information, the integrity assurance and verification device 200 determines and verifies the integrity profile of one or more applications, systems, and / or system components. The application integrity profile 50 is then passed to the user system 400 so that the integrity of the user system 400 can be determined. Once the integrity of the system is verified and determined that the system has not been tampered with, the integrity assurance and verification device 200 verifies that there is proof that the applications conform to the behavior integrity profile details, and the applications perform the behavior integrity. It ensures genuine compliance with the behavioral integrity profile details identified by the profile identification. The integrity assurance and verification device 200 obtains the behavior integrity profile identification value specified in the protected content 10, constructs the application identification information based on the information from the application integrity profile, and obtains evidence of the behavior integrity profile compliance. To use the application identification. The integrity assurance and verification apparatus 200 may dynamically obtain evidence of behavior integrity profile compliance by invoking a profile verification apparatus that retrieves compliance status related to the behavior integrity profile identification value and the application identification information. When both the system's integrity and the system's behaviors are successfully verified using the corresponding application integrity profile and behavioral integrity profile, the user system 400 can consume the protected content.

FIG. 1C shows another example system for performing integrity assurance and verification that requires only behavioral integrity profile verification. In this embodiment, the integrity assurance and verification apparatus 200 is responsible for ensuring that the actions of the applications / systems conform to the behavior integrity profile details before the user system 400 can consume the protected content. Verify the integrity of the systems If it is determined that the user's system components and / or applications are compliant with the behavioral integrity profile details, the protected content 10 may allow the user system 400 to consume the protected content in accordance with the behavioral integrity profile details. It is made to be unprotected. The advantage of this approach is that the application integrity profile verification step does not need to be performed, so it is done faster. However, even when evidence of compliance of the behavioral integrity profile is present in the user system 400, there may be no guarantee that the user system 400 is free from manipulation. For integrity applications, such as in closed systems, application integrity verification does not need to be used.

According to FIG. 1C, the integrity assurance and verification apparatus 200 verifies that there is proof, that is, the applications are truly compliant with the behavior integrity profile details identified by the behavior integrity profile identification. Verifying that the application ensures that the application complies with the behavioral integrity profile details. The integrity assurance and verification device 200 obtains the behavior integrity profile identification value specified in the protected content 10, constructs application identification information based on the information from the user system 400, and evidences of the behavior integrity profile compliance. Use application identification information to get The integrity assurance and verification apparatus 200 may dynamically obtain evidence of behavior integrity profile compliance by invoking a profile verification apparatus that retrieves compliance status related to the behavior integrity profile identification value and the application identification information. When the behavior of the application is successfully verified in using the behavioral integrity profile, the user system 400 is allowed to access the protected content or otherwise the user system 400 is allowed to consume the protected content.

In order to ensure that applications, systems, and / or software / hardware components conform to the Behavioral Integrity Profile, integrity assurance and verification apparatus 200 may determine that the behaviors of the applications / systems are detailed in the Behavioral Integrity Profile. Strict verification can be performed at functional and / or system levels to verify compliance.

At the functional level, the verification process may ensure that all suitable functions provided by the applications / systems operate within the limits defined by the behavioral integrity profile details. The verification process at the functional level may utilize automatic and / or manual tests for the purpose of executing the features. For example, given a play-only behavioral integrity profile, the verification processes can confirm that the applications / systems provide play-only features such as content displayed to the user. Thus, features provided by applications / systems that violate its play-only behavior, such as editing, copying, etc., will be considered noncompliant.

At the system level, the verification process may ensure that applications / systems are unintended or unintended consequences of violating the behavioral integrity profile. For example, use temporary files to cache content in the clear, or write a large amount of clear content to memory and then move it to an exchange file, or clear The application / system may have unintended results, such as by writing content information to a registry or environment variable. Thus, system level verification processes may utilize low level monitoring software to detect file I / O, network I / O, memory tracking, and other results for determining behavior integrity profile compliance.

Functional and system verifications may be performed when the system / application provider 500 registers their application / system for warranty. Verifications may be performed by, and need to be performed by, the component registration device subcomponents of the integrity assurance and verification device. Once the component registration device determines the compliance status of applications / systems with respect to the behavioral integrity profile, the component registration device records the status along with detailed identification information about the applications / systems in the component database. Examples of types of identification information needed to correctly identify an application / system may include an application / system product name or a unique identification value number and / or a full version number. Using the identification value of the applications / systems and the behavior integrity profile identification value, the profile verification device can retrieve the compliance status in response to the verification request from the integrity assurance and verification device. It will be appreciated that the exemplary behavioral integrity profile assurance model described above may be variously modified as needed. It will also be appreciated that the example validation model may be modified as needed elsewhere in the content consumption environment.

In general, behavioral integrity profile details may be generated by institutions such as standards bodies, trade groups, government bodies, etc. Or the like. Each behavior integrity profile detail describes a set of application behaviors or features, security requirements, and detailed information about what sellers can do to create systems, applications, etc. that conform to the profile. Preferably, each behavior integrity profile detail may have a unique behavior integrity profile identification associated with it.

FIG. 2 shows an overview of the components of an integrity assurance and verification environment 100 in accordance with an exemplary embodiment of the present invention. In FIG. 2, integrity assurance and verification environment 100 includes one or more content providers 300, one or more user systems 400, one or more integrity assurance and verification devices 200, and one or more content consumption systems / May include application providers 500.

The content provider 300 may include a controller 310, a memory 320, an input / output controller 330, a content database 340, and the like. As another embodiment of the present invention, content provider 300 may also distribute content in a more traditional manner. For example, the content provider 300 may distribute a compact disc (CD) or the like containing the content. This compact disc may be delivered to a user, for example, via a postal delivery service or the like. In general, any form of distribution and dissemination can be applied equally well to the systems and methods of the present invention.

Integrity guarantee and verification device 200 is a controller 210, memory 220, input and output controller 230, digital signature device 240, component registration device 250, component database 260, The profile database 270, the profile generator 280, the profile distribution device 290, and the profile verification device 295 may be included. The integrity assurance and verification apparatus 200 may provide a component registration service, a behavior integrity profile (BIP) assurance service, an integrity profile service, and the like. The registration service allows applications, systems and / or software / hardware components received from each provider to be registered as authorized, along with their intended features, purposes and / or actions.

An Behavior Integrity Profile Assurance service is provided to ensure that systems, applications, and the like conform to the Behavioral Integrity Profile and provide evidence of the Behavioral Integrity Profile compliance status. During the registration of the system / application, the integrity assurance and verification device 200 verifies the verification test case stored in the profile database 270 that determines the behavior integrity profile compliance status of the system / application registered in the component database 260. Components registration apparatus 250 to execute the system and system monitoring processes. Once the system / application is successfully assured, the Behavioral Integrity Profile Assurance Service creates, publishes and associates an Behavioral Integrity Profile with the assured system / application. Compliance status is recorded and stored in component database 260 along with applications / systems identification information. As part of the Behavioral Integrity Profile Assurance Service, profile verification device 295 provides evidence of compliance by retrieving compliance status associated with some applications / systems identification information.

In an example embodiment, the Behavioral Integrity Profile Assurance service may be implemented using the components of the Integrity Assurance and Verification apparatus 200. Alternatively, the behavior integrity profile assurance service may be implemented as a separate behavior integrity profile assurance service provider. In such a case, the content consumption system / application provider 500 may register the applications for behavior integrity profile assurance directly with the behavior integrity profile assurance service provider. Accordingly, during the verification of the application, the integrity assurance and verification apparatus 200 may send the behavior integrity profile identification value and the application information to the behavior integrity profile online assurance service provider to dynamically obtain evidence of behavior integrity profile compliance. .

An integrity profile service may be provided to a user for the user to build and retrieve an integrity profile. The integrity profile may be in the form of an optionally and digitally signed document, etc. The integrity profile may include a set of registered system components and verifiable information that will consume the content of protected documents. . Once an integrity profile is created, the identity of that integrity profile is returned to the user. The content provider may include an integrity profile identification and may optionally provide a use license for the protected document. When the content of the protected documents is consumed and needs to perform local integrity verification of the user's system and environment, an integrity profile can be retrieved from the integrity assurance and verification device 200 for that user system.

The user system 400 may include a controller 410, a memory 420, an input / output controller 430, a storage device 440, an integrity authentication device 450, and a profile storage device 460. have. Thus, it should be appreciated that this exemplary user system is based on the model of the computer. However, as another embodiment of the present invention, the components of the user system may vary depending on, for example, the type of content or service being consumed, the type of computer environment being accessed, the type of behavior applied, and the like. In general, any user system with parts whose integrity can be verified can equally well be applied to the systems and methods of the present invention.

The system / application provider 500 may include a controller 510, a memory 520, an input / output controller 530, a registered application device 540, an application database 550, a system database 560, and the like. Can be. However, similar to the content provider 300, as another embodiment of the present invention, the system / application provider may take many different forms depending on the type of system and / or application supplied by the system / application provider. For example, if system / application provider 500 supplies special hardware components, system / application provider 500 may not need to maintain application and system databases. As another embodiment of the present invention, for example, the system / device component provider may send authentication information directly to the integrity assurance and verification device 200 on a disk or the like.

As another embodiment of the present invention, the system / application provider 500 may coordinate efforts with the content provider 300 to facilitate determination of the integrity profile. In general, the system / application provider may include any suitable entity capable of supplying hardware or software and authentication information therefor.

In this example embodiment, the system / application provider 500 may include various system components. However, as another embodiment of the present invention, it should be appreciated that system / application provider 500 may include a computer distributor, software developer, software provider, software distributor, and the like. Thus, system / application provider 500 may supply devices and / or software to allow consumption of content provided by content provider 300.

[0073] Various components of the integrity assurance and verification environment 100 may communicate via a link 5 between them, which may provide electronic data between a wired or wireless link, or connected components. It can be any other known or later developed component. For example, the link 5 may be one or more distributed networks, which may be one or more additional integrity assurance and verification environments 100, or alternatively, one or more content providers 300, user systems 400. , In turn, may be connected to multiple instances of the content consumption system / application providers 500 and the integrity assurance and verification devices 200.

In an example operating environment, content consumption system / application provider 500 supplies applications, software, and / or hardware to a user. These applications, software and / or hardware are used by the user to consume content such as viewing documents and the like.

The content provider 300 distributes content, such as a document, to the user system 400, for example, at the request of a user located in the user system 400. In one embodiment of the invention, one request may be received from the user system 400 by the content provider 300. This request, which may be received via the input / output controller 330, is processed by the controller 310 in cooperation with the memory 320 to retrieve the requested content from the content database 340. In an example embodiment, the content provider 300 may include an online content provider, a bookstore, a software provider, or any other content provider that wishes to provide content to the user, such as a document.

Upon receiving a content request from user system 400, content provider 300 returns not only the requested content, but also additional information such as a profile identification value associated with the protected content, to the user system. As another embodiment of the present invention, the additional information may include, for example, information instructing the user system to request a profile and integrity assurance, before activation of the content. The additional information may also include information identifying which system components and / or hardware / software can be executed and / or used on the user's machine when viewing or interacting with the requested content. Accordingly, one or more requested contents, additional information, profile identification values, and the like are received by the user system 400 via the input / output controller 430, and in the direction of the controller 410, the one or more memories 420 and the storage device ( 440.

In one example embodiment, content provider 300 may initiate a service request 20, such as a request for an integrity profile from integrity assurance and verification device 260. The integrity assurance and verification device 260 receives a service request from the content provider 300 via the input / output controller 230 and in cooperation with the controller 210 and the memory 220.

As described above, the integrity assurance and verification apparatus 200 may include a component database 260 and a profile database 270. Component database 260 provides access to authentication information related to systems and system components that may be distributed by one or more content consumption system / application providers 500. Similarly, profile database 270 stores verifiable information and a set of registered system components intended to consume the content of a protected document for one or more individual content providers 300. The verifiable information may include verification test cases used to ensure behavioral integrity profile compliance for registered systems and applications.

Thus, upon receipt of a request for an integrity profile from the content provider 300, the integrity assurance and verification apparatus 200, with the help of the memory 220 in the direction of the controller 210, causes a component database 260. And the profile database 270 to determine whether authentication information corresponding to the information in the service request already exists.

As another embodiment of the present invention, the integrity assurance and verification apparatus 200 may perform an online verification service. The online verification service is provided for performing integrity verification online, such as in the integrity assurance and verification apparatus 200 in real time. To initiate this service, some software, called an integrity authenticator, is delivered to the user system 400. Integrity authenticators allow the gathering of local software and / or hardware components to be performed.

As another embodiment of the present invention, the integrity authenticator may be a dedicated device such as the integrity authentication device 450 illustrated in FIG. 2. The information collected about the local software and / or hardware components may be returned to the integrity assurance and verification device 200 along with the integrity profile identification to perform online integrity verification. The component registration apparatus 250 inspects a software / hardware component provided from each provider and stores identification value information in the component database 260. Information related to the software / hardware component may be hashed, for example, and the hash value may be used as an authenticated software / hardware identification value. However, as another embodiment of the present invention, it should be appreciated that the information identifying each software / hardware component may be any known or later developed structure that allows identification of hardware and / or authorized portions of software. have.

As an example embodiment, the registration of a particular software and / or hardware component is a content consumption system / application provider in communication with an identification and certification verification device 200 to request a registration service. 500 may be achieved. As another embodiment of the present invention, the identification and warranty verification apparatus 200 may communicate with the content consumption system / application provider 500 to obtain authentication information. The registration application device 540 cooperates with the controller 510, the memory 520, and the input / output controller 530 to search the one or more application databases 550 and the system database 560 to serial, serial, version and manufacturing numbers. Obtain information about specific software and / or hardware, including component identification values, including build numbers, etc., provider names, and the application itself.

In an example operating scenario, instead of obtaining authentication information from a particular content consumption system / application provider 500, the integrity assurance and verification device 200 may be a software program or the like from the content consumption system / application provider 500. You can request the same specific application directly. In this way, the integrity assurance and verification device 200 may not require authentication information, because the integrity assurance and verification device 200 may be able to directly access a particular software application from the content consumption system / application provider 500. This is because it can be secured.

The component registration apparatus 250 verifies the information of the component and optionally calculates a hash value that can be used, for example, as authentication software and / or hardware identification. The component registration apparatus 250 then stores the component information and, for example, the hash value in the component database 260.

In this case, where the system / application provider registers the application / system for behavior integrity profile assurance, component registration device 250 is functional and to determine the compliance status of the application / system associated with the behavior integrity profile. System verifications are also performed. The component registration device 250 then records the compliance status in the component database 260 along with detailed identification information about the application / system.

[0086] Further as an example embodiment, instead of sending software and / or hardware components to the registration application device 540, the content consuming system / application provider 500 also connects to the component registration device 250. To download small software applications, such as registration applications, plug-ins, applets, and the like, and to run them locally. This registration application can examine the target software / hardware component and return information related to the target software / hardware component to component registration device 250, with integrity values, such as hash values or the like. And may store authentication information about the component in the component database 260.

As another embodiment of the present invention, profile generation device 280 builds integrity profiles for software. For example, integrity values such as hash values of each software application may be retrieved from the component database and stored. Optional interaction relationships between components can also be included in this profile. This relationship is used to identify the calling and return order of components to prevent unintended interaction with other components. The content of the integrity profile is then digitally signed, for example, and the signature result is added to the integrity profile. Each integrity profile is associated with a unique identification value.

The profile generation device 280 may also build behavioral integrity profiles for systems and applications that have registered and successfully passed the behavioral integrity profile guarantee. Profile generation device 280 may retrieve the behavior integrity profile compliance status of each application from component database 260 and may generate a behavior integrity profile for the application if the compliance status indicates a successful compliance assurance. The profile generation device can optionally record the compliance status in the behavioral integrity profile. Each behavior integrity profile may also include a unique behavior integrity profile identification value and application / system identification information associated with the behavior integrity profile details. The content of the integrity profile is then digitally signed, eg, and the signature result is attached to the behavioral integrity profile.

FIG. 3 shows an example workflow of inputs, outputs, and services and operations provided by the integrity assurance and verification apparatus 200. As an exemplary embodiment, the component identification value and optionally, meta information about a specific component is transmitted to the component registration apparatus 250 for the component registration service. The component registration apparatus 250 registers, for example, a component having intended features, objects, and actions in the component database. The component registration apparatus 250 then returns an identification value of the registered component to the content consuming system / application provider, for example, and makes the identification value available to the content provider 300, for example.

Profile generation device 280 for generating a profile receives the identification value of the registered components. The identification values of the registered components, if combined with the information about the relevant components, if any, are digitally signed and stored in the profile database. Then, the integrity profile identification is returned to the requestor.

The profile generation device 280 may also generate a separate behavioral integrity profile for each pair that includes a system / application and behavioral integrity profile details that have been registered and successfully passed the behavioral integrity profile assurance. The behavioral integrity profile may include a unique behavioral integrity profile identification associated with the behavioral integrity profile details. The identification values of registered components, when combined with information about related components, such as compliance status to behavioral integrity profile details, are recorded in the behavioral integrity profile, digitally signed and stored in the profile database. The unique behavioral integrity profile identification and the application / system identification are used as the primary key to uniquely identify a particular behavioral integrity profile within the profile database.

Similarly, profile distribution device 290 receives an integrity profile identification value. Profile database 270 then receives the query to determine whether an integrity profile corresponding to the integrity profile identification is available. If an integrity profile is available, the integrity profile is returned to the requestor. If not, the integrity profile can be determined with the help of profile generator 280.

The profile verification apparatus 295 receives information identifying one or more components and an integrity profile identification value. The profile verifier 295 compares the component identification values, the integrity profile identification value, and the corresponding integrity file to determine the verification data. If the profiles, components and identifications match, the integrity of the system is verified. Otherwise, the system is determined not to be specified in the integrity profile or to be modified in some way.

In the case of behavioral integrity profile verification, the profile verification device 295 receives information identifying one or more components and some unique behavioral integrity profile identification. Using these identifications, profile verifier 295 retrieves the appropriate behavioral integrity profile from profile database 270. The verification device 295 then checks the compliance status of the component to determine evidence of behavioral integrity profile compliance. Compliance status indicates whether the actions of applications / systems conform to the details in a behavioral integrity profile.

4A shows an example integrity profile. This example integrity profile can be generated by the profile generator 280. In order to build an integrity profile for an authenticated content provider, a request is initiated to create an integrity profile. For example, the provider may contact the integrity assurance and verification device 200 to request the creation of an integrity profile. The provider then sends a list of names of software and / or hardware components to integrity assurance and verification apparatus 200. The profile generator 280 then retrieves from the component database 260 the identification values of each of the components, such as integrity values, hash values, and the like. Then, the profile generator 280 determines the integrity profile, which includes authentication information such as integrity values, hash values, and the like of each of the components. It may be included together with other information such as a content provider name, etc., and may optionally further include an interaction relationship between any software and / or hardware components.

The profile generator 280 delivers the determined integrity profile to the digital signer 240, after which the digital signer 240 can sign the content of the profile. Profile generator 280 then stores the signed profile in profile database 270 and returns the profile identification to content provider 300.

4B shows an example behavioral integrity profile. Profile generation device 280 generates a behavioral integrity profile when the system / application provider registers the system / application to pass compliance assurance on the behavioral integrity profile details. The profile generation device builds the behavioral integrity profile by retrieving from the component database 260 application identification information and compliance status corresponding to the system / application. An exemplary behavioral integrity profile includes details related to the behavioral integrity profile identification value (s), the version number of the behavioral integrity profile, the date of creation of the behavioral integrity profile, the name of the organization that created the behavioral integrity profile, and the behavioral integrity profile identification (s). It may include the URL (s) of the item, the application identification information of the registered system / application, the digital signature of the behavioral integrity profile, and the like, and may optionally include the compliance status of the registered system, application, and the like. When a behavioral integrity profile includes multiple behavioral integrity profile identifications, the system / application must conform to all appropriate behavioral integrity profile details associated with the specified behavioral integrity profile identifications.

For example, when generating a usage license for the content of a protected document, content provider 300 may optionally include its integrity profile identification within the usage license. On the user system 400, the integrity profile can be used to verify all suitable software / hardware components in the paging stack. This ensures that sensitive information can only be consumed by authorized software / hardware components or any combination thereof. As another embodiment of the present invention, the content provider 300 may optionally include an integrity profile identification value corresponding to the behavioral integrity profile details. In this case, similar to the process described above, the integrity profile associated with the specified application to verify all software / hardware components in the environment call stack is first used in the user system 400. Once the integrity of the system / application is verified, the behavior integrity profile is used to prove that the behavior of the system / application conforms to the behavior integrity profile details identified by the behavior integrity profile identification.

The profile distribution device 290 accepts a request to obtain integrity profiles and retrieves them from the profile database 270 and returns the integrity profiles to each requester. Similarly, profile verifier 295 accepts requests to verify user systems for one or more system environments. Profile verification device 295 gathers information about software / hardware components according to integrity profiles, verifies the information against the profiles, and returns the verification results to the requestors. The profile verification apparatus 295 also derives compliance from the behavioral integrity profile in response to the behavioral integrity profile verification request.

User system 400 may include an integrity authentication device 450. The integrity authentication device 450 is executed at the top of a content consumption application, for example.

In this way, FIG. 5 shows an exemplary system environment stack on a user device 400 for verifying system integrity. In one embodiment of the invention, the user system environment stack may include an integrity authenticator, one or more system components, and the like.

FIG. 6 shows an example of an environment stack, wherein the environment stack includes an integrity authenticator, a plug-in, a rendering application, an operating system (OS), an operating system bootstrap (OS boot strap), and each Hardware and the like.

In an exemplary operating environment, the integrity authentication device 450 may include its own crypto / decryption key pair and an identification value assurance and verification key of the verification device. These keys may be hidden and / or embedded within the integrity authenticator 400 to provide manipulation-resistance. For those applications requiring the use of a user's private information or containing sensitive documents and data, integrity authenticator 450 may use an associated integrity profile to verify software / hardware components on the call stack of the user's system environment. can do.

Integrity authentication device 450 may verify the signature of the profile using the integrity assurance and verification device verification key. As illustrated in Figures 7-9, once the signature is verified, the integrity authenticator 450 examines the current call stack and uses each piece of software / hardware component on the call stack using the information provided in the integrity profile. Start authenticating. The call stack may consist of a contiguous block of memory that may contain memory images, included functions or procedures, and the like. The stack can operate on the concept of last-in-first-out, and the basic operations of the stacks can include a stack "push" and a stack "pop". Push can be used to store images on a stack and advance the top of the stack to a location. The pop can be used to remove the data from the stack and restore the top of the stack to its previous position.

In the case of a call stack, an image of the function currently being executed is on top of the stack. When the currently executing function calls or calls the next function, the memory image of the next function is pushed to the top of the call stack and the top of the call stack points to the image of the next function. Each part of the stacked images may include an address or a return instruction after the called function has finished its execution.

10 illustrates how the execution environment is protected. In an exemplary embodiment, to protect the Integrity Authenticator (IA), the execution of that IA is monitored by a trusted application that is part of the IA. Monitoring processes, such as applications, may include debuggers, special processes, and the like, which may prevent the IA from being monitored by any other process or application in the system. In some circumstances, when a processor can only be debugged by one process, the trusted monitoring program can be run as a debugger or the like. Since the monitoring program is a trusted application, the integrity of the monitoring program can be included in the current integrity profile. Thus, the IA will verify the integrity of the trusted application before loading and executing. The function of a trusted monitoring application is to prevent the IA from being monitored, controlled and captured by other processes. Another function of trusted monitoring applications is to monitor the current environment and determine if changes in the environment are valid. However, like the IA, a trusted monitoring application can also be protected, and the IA can act as a monitor to prevent the trusted monitoring application from being monitored, captured and / or controlled by other applications. This double protection mechanism creates a closed system that prevents other applications from monitoring the execution of the integrity authenticator.

FIG. 11A shows an example method of operation of an integrity assurance and verification apparatus. FIG. In one embodiment of the invention, control begins at step S100 and continues to step S110. In step S110, an integrity profile is determined. Next, in step S120, the integrity profile is guaranteed. Then, in step S130, the integrity profile is delivered to the user. Control continues to step S140.

In step S140, the integrity of the user system is verified. Next, in step S150, a determination is made as to whether the user system is eligible for authentication. If the user system is eligible for authentication, control continues to step S160 where the user is given access to the selected content. Otherwise, control jumps to step S170, where content access is denied or disabled. Control then continues to step S180, where the control sequence ends.

[00109] FIG. 11B shows an exemplary method of operation of an integrity assurance and verification apparatus that uses behavioral integrity profile (s) in conjunction with an application integrity profile. In an exemplary embodiment, control begins at step S800 and continues to step S810. In step S810, an application integrity profile is determined. Next, in step S820, the application integrity profile is guaranteed. Then, the application integrity profile is delivered to the user in step S830. Control then continues to step S840.

In step S840, the integrity of the user system is verified. Next, in step S850, it is determined whether the user system is true. If the user system is not authentic, control jumps to step S930, where content access is denied or disabled. Control then continues to step S940, where the control sequence ends. However, if there is authenticity in the user system at step S850, control continues to step S860 to determine whether the behavior integrity profile connection verification flag is explicitly specified.

If the behavior integrity profile connection verification flag is specified, control passes to step S870 where the user system is verified with respect to compliance with the specified behavior integrity profile detail (s). In step S880, it is determined whether the user system has evidence (s) that conforms to the behavior integrity profile (s). If the user system has proof (s) of compliance, control continues to step S890 so that the user can access the selected content. If not, control jumps to step S930, where content access is denied or disabled. Control then continues to step S940, where the control sequence ends.

However, if the behavior integrity profile connection verification flag is not specified in step S860, control passes to step S910, where the user system verifies compliance with any of the specified behavior integrity profile detail (s). do. In step S920, it is determined whether the user system has evidence that it complies with one of the behavioral integrity profile (s). If the user system has proof of compliance, control continues to step S890 so that the user can access the selected content. If not, control jumps to step S930, where content access is denied or disabled. Control then continues to step S940, where the control sequence ends.

FIG. 11C shows an example method of operation of an integrity assurance and verification apparatus that uses behavioral integrity profile (s). In particular, control begins in step S1000 and continues to step S1010. In step S1010, the behavior integrity profile connection verification flag is checked to determine whether it is explicitly specified. If the behavior integrity profile connection verify flag is specified, control passes to step S1020, where the user system is verified for compliance with the specified behavior integrity profile detail (s). In step S1030, it is determined whether the user system will have evidence (s) that conforms to the behavior integrity profile (s). If the user system has proof (s) of compliance, control continues to step S1080 to allow access to the content selected by the user. If not, control jumps to step S1040, where content access is denied or disabled. Control then continues to step S1050, where the control sequence ends.

However, if the behavior integrity profile connection verification flag is not specified in step S1010, control passes to step S1060, where the user system verifies for compliance with any of the specified behavior integrity profile detail (s). do. In step S1070, it is determined whether the user system will have evidence that it complies with one of the behavioral integrity profile (s). If the user system has proof of compliance, control continues to step S1080 to allow access to the content selected by the user. If not, control jumps to step S1040, where content access is denied or disabled. Control then continues to step S1050, where the control sequence ends.

12 illustrates an exemplary method for registering components / hardware and / or software in accordance with the present invention. Specifically, control begins at step S200 and continues to step S210. In step S210, the registration service is started. Next, in step S220, the component provider provides authentication information regarding a specific component / hardware and / or software. Then, in step S230, information about that particular component / hardware and / or software is verified. Control then continues to step S240.

In step S240, a determination is made as to whether the integrity value should be determined. If the integrity value should be determined, control passes to step S250 where the integrity value is determined. If not, control jumps to step S260 where authentication information regarding the component / hardware and / or software is stored.

Next, in step S270, a determination is made as to whether the integrity value should be stored. If the integrity value is to be stored, control continues to step S280 where the integrity value is stored. Otherwise, if the integrity value will not be stored, control jumps to step S290 where the control sequence ends.

13 shows an exemplary method of determining a profile according to the present invention. Specifically, control begins in step S300 and continues to step S310. In step S310 integrity profile determination is started. Next, in step S320 a name is obtained, such as an identification value of the component and / or hardware or software. Then, in step S330, an identification value for the component / hardware or software is retrieved. Control then continues to step S340.

In step S340, an integrity profile is determined. Next, in step S350, the integrity profile is digitally signed. Then, in step S360 the digitally signed integrity profile is stored. Control then continues to step S370.

In step S370, the signed integrity profile is delivered to the requestor, such as a content consumption system / application provider. Control then continues to step S380, where the control sequence ends.

[00121] FIG. 14 illustrates an example method of verifying the integrity of an integrity authenticator. Specifically, control begins in step S400 and continues to step S410. In step S410, the integrity of the integrity authenticator is verified. Next, a determination is made as to whether the integrity authenticator is valid at step S420. If the integrity authenticator is valid, control continues to step S430. Otherwise, control jumps to step S540.

In step S430, a tamper-resistant environment is set. Next, the integrity profile is verified in step S440. Then, in step S450, a determination is made as to whether the integrity profile is valid. If the integrity profile is valid, step S460 is reached. Otherwise, control jumps to step S540.

In step S460, the integrity profile is loaded. Next, in step S470, the call stack of the current execution environment is constructed as illustrated in relation to FIG. At the bottom of the call stack is a set of hardware and / or devices, with software components facing the top of the stack. The relationship of the components on the stack is that the lower component calls the component immediately above it. Once the call stack has been built, the top of the call stack containing the execution image of the last executed component is positioned. Thus, the executable image of each component on the stack helps to identify the calling component. Then, in step S480, the identification value for calling the component is retrieved. Control then continues to step S490.

In step S490, the integrity of the component is verified against the integrity profile. Next, in step S500, a determination is made as to whether the component is valid. If the component is valid, control continues to step S510. Otherwise, control jumps to step S540.

In step S510, it is determined whether the stack is empty. If the stack is empty, control jumps to step S520. Otherwise, control jumps to step S530. In step S520, the next component in the stack is located and this next component is set as the current stack frame. Control then returns to step S480 for verification.

In step S530, the integrity is verified and control continues to step S550 where the control sequence ends. In step S540, the integrity check fails and control continues to step S550 where the control sequence ends.

In this way, a content provider, such as a document publisher or distributor, provides, for example, protected content to a user for consumption within a trusted user environment. By providing integrity assurance and verification services, the authenticity of content consumption environments can be verified. The content provider delivers a protected version of the digital content to the user, including, for example, a license agreement and an integrity profile identification. For example, a profile includes applications and system components that are permitted to be used with protected content. In addition, the content provider initiates a request for an integrity profile. This request for the integrity profile is forwarded to the integrity assurance and verification device. For example, the integrity assurance and verification device supplies system components to a content consuming system / application provider, such as a user, if an integrity profile does not already exist for the requested applications and / or systems components. You can ask the person who The content consuming system / application provider returns authentication information about specific applications or system components back to the integrity assurance and verification device. The authentication information permits comparison or integrity verification between the application and / or system components on the user's system and the original application or system components distributed by the content consuming system / application provider.

[00128] Furthermore, as an exemplary embodiment of the present invention, the content provider delivers a protected version of the digital content to the user, including, for example, a license agreement and behavioral integrity profile identification. The application integrity profile identification is not related to the protected content, but by the content consuming system / application provider the application integrity profile identification is embedded into the applications and system components. Unlike the Application Integrity Profile, which is bound to a specific application, the Behavior Integrity Profile is bound to standard details that refine the set of behaviors and / or consumption terms and conditions that all compliant applications follow. Using application integrity profile identification, integrity assurance and verification services first verify the authenticity of content consumption systems, applications, and the like. Once the integrity of the content consuming system / application is verified and determined that it has not been tampered with, the integrity assurance and verification device verifies that the evidence is present, that is, the applications are compliant with the behavioral integrity profile details to ensure that the content consuming system / application is compliant. It ensures compliance with this behavioral integrity profile. The integrity assurance and verification device then allows the content consumption system / application to consume the protected content. By assuring applications and systems based on a behavioral integrity profile identification, the consumer can use any suitable content consumption system or application that conforms to certain behavioral integrity profile details enforced by the content provider to consume the protected content. . In this way, the use of content can be controlled without limiting consumption for a particular application or system.

As illustrated in FIGS. 1-14, the integrity assurance and verification method and system may be executed on a single programmed general purpose computer or separate programmed general purpose computers. The exemplary embodiments of FIGS. 1-14 also include hard-drives such as special purpose computers, programmed microprocessors or microcontrollers, and peripheral integrated circuit (IC) elements, ASICs, or other integrated circuits, digital signal processors, distributed element circuits. It may also be performed in programmable logic devices such as hard-wired electronics and logic, PLA, PLD, FPGA, PAL, and the like. In general, any suitable system, apparatus, software, combination thereof, or the like that may execute the processes (via a finite state machine, etc.) of the example embodiments of FIGS. 1-14 may be applied.

[00130] The example embodiments of FIGS. 1-14 are software that uses object or object-oriented software development techniques in an environment that provides portable source code that can be used on various computer or workstation hardware platforms. Can be run as. The example embodiments of FIGS. 1-14 may also be implemented partly or wholly in hardware using standard logic circuits or VLSI designs. Whether software and / or hardware is used to implement the systems and methods according to the present invention depends upon the speed and / or efficiency requirements of the system, the special functionality, and the particular hardware or software system or microprocessor or microcomputer being used. Depends on the computer system However, the integrity assurance and verification apparatus and methods described above, along with general knowledge of computer technology, may be used to identify any known or later developed system or structure, apparatus, and / or techniques based upon the functional description set forth herein by those skilled in the art. It can also run on hardware or software that uses software that can be created without experimentation. Moreover, the disclosed methods may be willing to run on devices such as general purpose computers, special purpose computers, microprocessors, servers, etc., programmed as software. In this case, the methods and apparatuses of the present invention are devices, such as dedicated integrity assurance and verification devices, web browsers, web TV interfaces, PDA interfaces, multimedia presentation devices, etc., on personal computers or servers, such as JAVA or CGI scripts. As a built-in routine, it can be run as an embedded routine, such as a resource residing on a server or graphics workstation. The integrity assurance and verification device may also be implemented by physically integrating systems and methods to software and / or hardware system, such as a hardware and software system of a graphics workstation or a dedicated integrity assurance and verification device.

Thus, the apparatuses and systems accordingly described in the example embodiment of FIGS. 1-14 may perform, for example, any suitable servers, workstations that may perform the processes of the example embodiments of FIGS. 1-14. Stations, PCs, laptop computers, PDAs, Internet devices, handheld devices, cellular phones, wireless devices, other devices, and the like. The apparatuses and systems accordingly of the example embodiments of FIGS. 1-14 can communicate with each other using any suitable protocol and can be implemented using one or more programmed computer systems or devices.

One or more interface mechanisms include, for example, example embodiments of FIGS. 1-14 that include Internet access, communications in any suitable form (voice, modem, etc.), wireless communication media, and the like. Can be used with For example, the communications networks or links employed may be one or more wireless communications networks, cellular communications networks, G3 communications networks, public switched telephone networks (PSTNs), packet data networks (PDNs) Data Networks), the Internet, intranets, combinations thereof, and the like.

The apparatuses and resulting systems of the example embodiments of FIGS. 1-14 are those that will be understood by those skilled in the art, and vary in a variety of specific hardware used to practice the example embodiments. It is to be understood that the form is for illustrative purposes. For example, the functionality of one or more devices and thus systems of the example embodiments of FIGS. 1-14 may be achieved through one or more programmed computer systems or devices.

In order to implement such changes as well as other changes, a sole computer system may be programmed to perform functions with the specific purpose of one or more devices and thus systems of the example embodiments of FIGS. 1-14. have. On the other hand, two or more programmed computer systems or devices may replace any one or more of the devices and systems of the example embodiments of FIGS. 1-14. Thus, the principles and advantages of distributed processing, such as redundancy, repetition, and the like, may be implemented as intended to enhance the robustness and performance of the devices of the exemplary embodiments of FIGS. 1-14 and thus systems.

The apparatuses and systems according to the example embodiments of FIGS. 1-14 may store information related to the various processes described herein. This information may be stored in one or more memories, such as a hard disk, optical disk, magneto-optical disk, RAM, etc., of the devices of the exemplary embodiments of FIGS. 1-14 and thus systems. One or more databases of the apparatuses and thus systems of the example embodiments of FIGS. 1-14 may store information used to achieve the example embodiments of the present invention. Databases can be constructed using data structures (such as records, tables, arrays, fields, graphs, trees, lists, etc.) contained in one or more memories or storage devices listed herein. The processes described with respect to the example embodiments of FIGS. 1-14 are collected and / or calculated in one or more databases thereof by the processes of the apparatuses and thus systems of the example embodiments of FIGS. 1-14. It may include data structures suitable for storing data.

[00136] One or more general purpose computer systems, microprocessors, all or some of the apparatuses and thus systems of the example embodiments of FIGS. 1-14 programmed according to the teachings of the example embodiments of the present invention, It will be understood by those skilled in the computer and software arts that it can be readily accomplished using digital signal processors, microcontrollers and the like. As will be appreciated by those skilled in this software technology, suitable software can be prepared in advance by programs of ordinary skill in the art based on the teachings of the exemplary embodiments. Furthermore, the apparatuses and resulting systems of the example embodiments of FIGS. 1-14 may be implemented on a World Wide Web. In addition, the apparatuses and resulting systems of the example embodiments of FIGS. 1-14 provide application-specific integrated circuits or conventional component circuits, as understood by those skilled in the art of electricity. May be achieved by interconnecting a suitable network. As such, the exemplary embodiments are not limited to any particular combination of hardware circuitry and / or software.

Exemplary embodiments of the invention, stored on a combination of computer readable media or any one thereof, control, drive, and / or control the devices and systems thereof according to the example embodiments of FIGS. 1-14. It may include software for enabling interaction. Such software may include, but is not limited to, device drivers, firmware, operating systems, development tools, application software, and the like. Such computer readable media may further comprise the computer program product of one embodiment of the invention for performing all or part (if processing is distributed) of the processing performed to implement the invention. Computer code devices of exemplary embodiments of the present invention include scripts, interpreter programs, Dynamic Link Libraries (DLLs), Java classes and applets, complete execution. It may include any suitable interpretable or executable code mechanism, including but not limited to these possible programs, objects of the Common Object Request Broker Architecture (CORBA), and the like. . In addition, the processing portions of exemplary embodiments of the present invention may be distributed for better performance, reliability and cost savings.

As mentioned above, the apparatuses and systems according to the exemplary embodiments of FIGS. 1-14 retain data programmed, instructions, and / or data structures in accordance with the teachings of the present invention. Computer-readable media or memories may be included to hold the other data described herein. Computer-readable media can include any suitable media that participates in providing instructions to a processor for execution. Such a medium may take various forms, including but not limited to non-volatile media, volatile media, transmission media, and the like. Non-volatile media may include, for example, optical or magnetic disks, optical-magnetic disks, and the like. Volatile media can include dynamic memories and the like. Transmission media may include coaxial cables, copper wire, fiber optics, and the like. Transmission media may also take the form of acoustic, optical, electromagnetic waves, and the like, generated in radio frequency (RF) communications, infrared (IR) data communications, and the like. Common forms of computer readable media include, for example, floppy disks, flexible disks, hard disks, magnetic tapes, any other suitable magnetic media, CD-ROMs, CDRWs, DVDs, any other suitable optical media, punch cards ( punch cards, paper tapes, optical mark sheets, holes or any other suitable physical medium having other optically recognizable markings, RAM, PROM, EPROM, FLASH-EPROM, any other suitable memory chip or cartridge, computer May include a readable carrier or any other suitable medium.

While the invention has been described in terms of many exemplary embodiments and implementations, the invention is not limited thereto but rather encompasses various modifications and equivalents that fall within the scope of the appended claims.

Claims (87)

A method of ensuring and verifying integrity in a computer environment based on the features and behavior of one or more applications, systems or system components compared to a profile of features and behaviors, Determining a Behavioral Integrity Profile (BIP) that details the features and behaviors of the one or more applications, systems or system components; Determining based on the behavior integrity profile whether the features and behavior of the one or more applications, systems or system components conform to the features and behaviors defined in the details of the behavior integrity profile; Determining access rights to the one or more applications, systems or system components based on the determining compliance. The method of claim 1, Determining an application integrity profile (AIP); Determining the authenticity of the one or more applications, systems or system components based on the application integrity profile; And determining the access right based on the authenticity determining step. The method of claim 2, Using at least one said application integrity profile and at least one said behavior integrity profile in association with each other. The method of claim 2, Providing integrity assurance and verification devices, And the integrity assurance and verification device accesses the application integrity profile to determine authentication information for the one or more applications, systems or system components. The method of claim 1, Determining a compliance state of the behavioral integrity profile by verifying, through a component registration device, features and behaviors of the one or more applications, systems or system components against the details of the behavioral integrity profile Integrity assurance and verification methods. The method of claim 2, The behavior integrity profile includes at least one behavior integrity profile identification value, an identification value of a registered application, a system or a system component, and a compliance state. The method of claim 6, And maintaining said behavioral integrity profile with said behavioral integrity profile identification, said registration application identification, and said system or system component through a profile database. The method of claim 1, Verifying the integrity of the behavioral integrity profile by checking compliance of the application, system or system component to which the behavioral integrity profile is delivered via a profile verification device; Way. The method of claim 1, And obtaining authentication information about the one or more applications, systems, or system components from an application, system, or system component provider through a registration application device. The method of claim 6, Using the behavioral integrity profile identification with the distributed information. The method of claim 1, Distributing content information associated with the behavioral integrity profile through a content provider. The method of claim 1, And providing an application, system, or system component provider. The method of claim 10, When the behavioral integrity profile identification value is used with the distributed information, if the profile verification device determines that the one or more applications, systems or system components are not authentic or are not compliant with the details of the behavioral integrity profile And denying access to content associated with the one or more applications, systems, or system components. The method of claim 1, Constructing the behavioral integrity profile by obtaining, from a component database, application identification information and compliance status corresponding to the one or more applications, systems or system components through a behavioral integrity profile generating device; Integrity assurance and verification methods. The method of claim 1, Evaluating the behavioral integrity profile for allowing determining whether a feature and behavior of the one or more applications, systems or system components conform to the features defined in the details of the behavioral integrity profile; And determining the access right based on the evaluation step. The method of claim 15, Verifying the behavior integrity profile compliance of the one or more applications, systems or system components. The method of claim 15, And wherein said access right comprises at least one of a grant right and a deny right to access content associated with said one or more applications, systems or system components. The method of claim 15, And obtaining authentication information for at least one of the one or more applications, systems, or system components. The method of claim 1, Digitally signing the behavioral integrity profile. The method of claim 19, Delivering the digitally signed behavioral integrity profile to a consumer system. The method of claim 1, Verifying the integrity of the integrity authenticator associated with the one or more applications, systems or system components. The method of claim 2, Providing an integrity assurance and verification device for accessing authentication information for the one or more applications, systems or system components; Providing the application integrity profile used to determine authenticity of the one or more applications, systems or system components. The method of claim 22, And determining, via the component registration device, the application integrity profile from the authentication information, the application integrity profile comprising at least one of a system or system components and verifiable information and an identification value of a registered application. And verification method. The method of claim 22, And maintaining an identification of the system or system components and the application integrity profile and the registered application through a profile database. The method of claim 22, By comparing the identification value of the system or system components and the identification value of one or more applications with the profile verification device, the one or more applications, system or system components, the application integrity profile, and / or application integrity profile identification value Integrity assurance and verification method further comprising the step of verifying authenticity. The method of claim 22, Obtaining authentication information for one or more applications, systems, or system components from an application, system, or system component provider via a registered application device. The method of claim 22, And said application integrity profile comprises an identification of said one or more applications, systems or system components that can be used with the distributed information. The method of claim 22, Distributing content information associated with the one or more applications, systems or system components through a content provider. The method of claim 22, And providing an application, system, or system component provider. The method of claim 22, If the profile verification device determines that the one or more applications, systems or system components are not authentic, then access to one or more documents associated with the one or more applications, systems or system components is denied. Integrity assurance and verification methods. The method of claim 22, And determining the application integrity profile through a profile generation device based on verifiable information about the one or more applications, systems or system components. The method of claim 2, And assuring said application integrity profile. The method of claim 2, And authenticating the authenticity of one or more applications, systems, or system components. The method of claim 2, And wherein said access right comprises at least one of a grant right and a deny right to access content associated with said one or more applications, systems or system components. The method of claim 2, And obtaining authentication information regarding at least one of said application, system, or system component. The method of claim 2, Digitally signing the application integrity profile. The method of claim 36, Delivering the digitally signed integrity profile to a consumer system. The method of claim 2, Verifying the integrity of the integrity authenticator associated with the application integrity profile. The method of claim 1, Establishing an tamper resistant environment associated with the one or more applications, systems or system components. The method of claim 2, And verifying the application integrity profile. The method of claim 2, And loading a valid application integrity profile. The method of claim 38, Verifying the integrity of the integrity authenticator comprises verifying that the integrity authenticator is not at least one of being monitored, controlled or recorded. The method of claim 1, The integrity assurance and verification method is an integrity assurance and verification method embedded in a computer readable medium, wherein the one or more computer processors are executed as one or more readable instructions configured to perform each step listed in the integrity assurance and verification method. . The method of claim 1, The integrity assurance and verification method is implemented with one or more computer software and / or hardware devices configured to perform the respective steps listed in the integrity assurance and verification method. A system for integrity assurance and verification in a computer environment based on features and behavior of one or more applications, systems or system components compared to a profile of features and behaviors, Means for determining a Behavioral Integrity Profile (BIP) that details the features and behaviors of the one or more applications, systems or system components; Means for determining, based on the behavior integrity profile, whether the features and behavior of the one or more applications, systems, or system components conform to the features and behaviors defined in the details of the behavior integrity profile; Means for determining access rights to the one or more applications, systems or system components based on the compliance determination. The method of claim 45, Means for determining an application integrity profile (AIP); Means for determining the authenticity of the one or more applications, systems or system components based on the application integrity profile; Means for determining the access right based on the authenticity determination. 47. The method of claim 46 wherein And means for interoperating one or more of said application integrity profile and one or more said behavioral integrity profile. 47. The method of claim 46 wherein Further includes an integrity assurance and verification device, And the integrity assurance and verification device accesses the application integrity profile to determine authentication information for the one or more applications, systems or system components. The method of claim 45, And a component registration device for determining a compliance state of the behavioral integrity profile by verifying features and behaviors of the one or more applications, systems or system components against details of the behavioral integrity profile. System for Warranty and Verification. 47. The method of claim 46 wherein And wherein said behavior integrity profile comprises at least one of a behavior integrity profile identification value, an identification value of a registered application, a system or system component, and a compliance state. The method of claim 6, And a profile database for maintaining the behavioral integrity profile with the behavioral integrity profile identification, the registered application identification, and the system or system component. The method of claim 45, And a profile verification device for verifying a behavior integrity profile compliance proof by checking the compliance status of the application, system or system component to which said behavior integrity profile is delivered. system. The method of claim 45, And a registration application device for obtaining authentication information about the one or more applications, systems or system components from an application, system or system component provider. 51. The method of claim 50, And means for using the behavioral integrity profile identification with the distributed information. The method of claim 45, And a content provider for distributing content information associated with the behavioral integrity profile. The method of claim 45, The system for integrity assurance and verification further comprising a provider of an application, system or system component. The method of claim 54, Further comprising a profile verification device, wherein when the behavioral integrity profile identification is used with the distributed information, the one or more applications, systems or system components are not authentic or compliant with the details of the behavioral integrity profile. And if the profile verifying device determines not to, access to content associated with the one or more applications, systems, or system components is denied. The method of claim 45, Integrity assurance, characterized in that it further comprises a behavior integrity profile generation device for building the behavior integrity profile by obtaining application identification information and compliance status corresponding to the one or more applications, systems or system components from a component database. And a system for verification. The method of claim 45, Means for evaluating the behavioral integrity profile for allowing determining whether a feature and behavior of the one or more applications, systems or system components conform to the features defined in the details of the behavioral integrity profile; Means for determining the access right based on the evaluation. The method of claim 59, And means for verifying said behavior integrity profile compliance of said one or more applications, systems or system components. The method of claim 59, And wherein said access right includes at least one of an grant right and a deny right to access content associated with said one or more applications, systems or system components. The method of claim 59, And means for obtaining authentication information for at least one of the one or more applications, systems or system components. The method of claim 45, And means for digitally signing the behavioral integrity profile. The method of claim 63, wherein And means for delivering said digitally signed behavioral integrity profile to a system of a consumer. The method of claim 45, And means for verifying the integrity of an integrity authenticator associated with the one or more applications, systems or system components. 47. The method of claim 46 wherein An integrity assurance and verification device for accessing authentication information for the one or more applications, systems or system components; And means for providing the application integrity profile used to determine the authenticity of the one or more applications, systems or system components. The method of claim 66, And a component registration device for determining said application integrity profile from said authentication information, said application integrity profile comprising at least one of a system or system components and verifiable information and an identification value of a registered application. System. The method of claim 66, And a profile database for maintaining system or system components and identification values of said application integrity profile and a registered application. The method of claim 66, To verify authenticity by comparing an identification of a system or system components and an identification of one or more applications with the one or more applications, system or system components, the application integrity profile, and / or an application integrity profile identification. The system for integrity assurance and verification, further comprising a profile verification device. The method of claim 66, And a registration application device for obtaining authentication information for one or more applications, systems or system components from an application, system or system component provider. The method of claim 66, The application integrity profile includes an identification of the one or more applications, systems or system components that can be used with the distributed information. The method of claim 66, And a content provider for distributing content information associated with the one or more applications, systems or system components. The method of claim 66, The system for integrity assurance and verification further comprising a provider of an application, system or system component. The method of claim 66, And further comprising a profile verification device, wherein if the profile verification device determines that the one or more applications, systems or system components are not authentic, System for integrity assurance and verification, characterized in that access is denied. The method of claim 66, And a profile generation device for determining the application integrity profile based on verifiable information about the one or more applications, systems or system components. 47. The method of claim 46 wherein And means for assuring said application integrity profile. 47. The method of claim 46 wherein And means for verifying the authenticity of one or more applications, systems or system components. 47. The method of claim 46 wherein And wherein said access right comprises at least one of an allowance and a deny permission to access content associated with said one or more applications, systems or system components. 47. The method of claim 46 wherein And means for obtaining authentication information regarding at least one of said application, system, or system component. 47. The method of claim 46 wherein And means for digitally signing the application integrity profile. The method of claim 80, And means for delivering the digitally signed integrity profile to a system of a consumer. 47. The method of claim 46 wherein And means for verifying the integrity of the integrity authenticator associated with the application integrity profile. The method of claim 45, And means for establishing an tamper resistant environment associated with the one or more applications, systems or system components. 47. The method of claim 46 wherein And means for verifying the application integrity profile. 47. The method of claim 46 wherein And means for loading a valid application integrity profile. 83. The method of claim 82, And means for verifying includes means for verifying that the integrity authenticator is not at least one of being monitored, controlled or recorded. The method of claim 45, And the system is implemented with one or more computer software and / or hardware devices.

Images