RU2775157C1 - System and methods for verifying the integrity of software install image - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: according to the implementation variant, a method for verifying the integrity of the software install image is used before installing the software, consisting of: setting the value of the state of the software image indicating the permission to access the software image only for the verification tool, wherein the state of the software image is used by the security policies to grant permission or deny access to the software image to the verification tool, the installation tool; granting access to the software image upon request of the verification tool, provided that the security policies are implemented; verifying the integrity of the software image according to the granted access; if it is established that the integrity of the software image is intact, renewing the value of the state of the software image so as to indicate that access to the software image is granted to the installation tool and denied to the verification tool; granting access to the software image upon request from the installation tool when implementing the security policies.

EFFECT: ensured security of the process of software installation due to the provided access to the software image by a security monitor using security policies.

17 cl, 6 dwg

Description

Technical field

The invention relates to the field of information security.

State of the art

On modern computer devices of users, a large amount of software (hereinafter referred to as software) is installed, designed to perform a variety of functions. At the same time, software developers are constantly working on fixing bugs and improving the functionality of the software. Therefore, on the computer devices of users, it is quite common to install new software or install updates for existing software. One way to install the software is to deliver a file containing the installation image of the software to the computer, authenticate the software image, and then install the software from the file of said software image.

However, the components of the software installation systems involved in the software installation process are vulnerable to various types of computer attacks and errors in the software. For example, the verification component responsible for authenticating the software image may skip said verification if it was not called by the component that manages the update process. And if the mentioned check was performed, its result can be ignored by the component responsible for performing the software installation from the mentioned software image. Thus, if the verification result shows that the software image is not genuine, the software will still be installed from the non-genuine software image. That is, even if the verification component is considered a trusted component, vulnerabilities in other untrusted components can affect the installation process.

Another problem is that the contents of the software image can be modified after the software image has been authenticated, but before the software image is read by the component responsible for installing the software. The described situations can arise for various reasons. For example, due to the presence of a software error in one or more components that implement the software installation process, due to the exploitation of vulnerabilities of the mentioned components by malware, due to the occurrence of a critical error in the operating system (OS), due to erroneous reading or writing to software image by a third-party application.

Thus, a technical problem arises, which consists in the vulnerability of untrusted components involved in the software installation process.

In the prior art, various systems are known that implement the installation and updating of software on a computer. For example, US10735184 describes a software update system using blockchain technology to independently verify the result of a software update. US10225426 describes how to update software by verifying and updating software with a verified updater.

However, known technologies do not allow solving the claimed technical problem, since if there are vulnerabilities in the components involved in the software installation process, the software installation will be carried out incorrectly and unsafely. Therefore, there is a need for a technical solution capable of solving the claimed problem, namely the present invention.

Disclosure of the essence of the invention

The present invention is intended to verify the integrity of a software installation image before performing a software installation.

The technical result consists in ensuring the security of the software installation process by providing access to the software image by a security monitor using security policies.

According to an implementation variant, a method is used to check the integrity of the software installation image (hereinafter referred to as the software) before performing the installation of the software, in which: using the security monitor, the state value of the software installation image (hereinafter referred to as the software image) is set, indicating that access to the software image is allowed only for the checker, while the state of the software image is a parameter used by security policies to allow or deny access to the software image to components, including: the checker, the installer; using the security monitor, provide access to the software image upon request from the scanner, subject to the implementation of security policies; using the verification tool, check the integrity of the software image according to the access granted; when it is determined that the integrity of the software image is not violated, using the security monitor, change the status value of the software image to a new one, indicating that access to the software image is allowed for the installer and that access to the software image is denied for the checker; using the security monitor, provide access to the software image upon request from the installer when executing security policies.

According to one of the private options for implementing the security policy, a state machine is used, where the state of the state machine is the state of the software image, while the security policy determines whether access to the software image is allowed or denied depending on the state of the state machine and in accordance with the state transition table of the state machine.

According to another particular implementation of the security policy, temporal logic is used.

According to another particular implementation variant, said software image contains one or more of the following: software; Software Update; nested software image.

According to one of the particular implementation options, the integrity of the software image is checked by checking the integrity of the objects contained in the mentioned software image, while the integrity of the software image is considered intact if the integrity of at least one object contained in the software image is not violated.

According to another particular implementation variant, the installer performs the installation of the software contained in said software image.

According to another private implementation variant, using the installer, only the software is installed, the integrity of which is not violated.

According to one of the private implementation options, the integrity of the software image is checked in one of the following ways: by checking the digital signature of the said software image; by receiving confirmation from the user; by using message authentication codes, in particular imitation insertion; by checking that the user's role meets the specified requirements; by checking the specified attributes of the software image.

According to another private implementation variant, a software installation image is loaded from a remote resource using a bootloader.

According to another particular implementation variant, said access includes reading data.

According to an implementation variant, a method is used to check the integrity of a software installation image before performing the installation of the software, in which: using the security monitor, the following are set: the values of the integrity levels of the checker and the installer (hereinafter referred to as components) are higher than the value of the integrity level of the software image; the value of the access level of the verification tool is equal to the value of the integrity level of the software image, the value of the access level of the installer is equal to the value of the integrity level of the installer; security policies that allow access of one component to another component, provided that the value of the access level of one component is not higher than the value of the integrity level of another component; using the security monitor, provide access to the software image upon request from the scanner, subject to the implementation of security policies; using the verification tool, check the integrity of the software image according to the access granted; when establishing that the integrity of the software image is not violated, using the security monitor, change the value of the integrity level of the software image to a value equal to the value of the access level of the installer; using the security monitor, provide access to the software image upon request from the installer when executing security policies.

According to an implementation variant, a system is used to check the integrity of the software installation image before performing the software installation, comprising: a security monitor designed to provide, according to security policies, permission or prohibition of access to the software image to components, including: a checker, an installer; said verification tool for performing integrity checks on the software image according to the granted access; said installer for performing the installation of the software contained in the software image.

According to one of the private implementation options, the security monitor is additionally designed to: set the value of the state of the software image, indicating the permission to access the software image only for the scanner, while the state of the software image is a parameter used by security policies to grant access to the software image mentioned components; changing the status value of the software image to a new one, indicating that the installer is allowed access to the software image and the verification tool is denied access to the software image.

According to another particular implementation of the security policy, a state machine is used, where the state of the state machine is the state of the software image, while the security policy determines whether access to the software image is allowed or denied depending on the state of the state machine and in accordance with the state transition table of the state machine.

According to another particular implementation of the security policy, temporal logic is used.

According to one of the private implementation options, the security monitor is further designed to: set the values of the integrity levels of the checker and installer higher than the value of the integrity level of the software image; setting the value of the access level of the checker equal to the value of the integrity level of the software image, the value of the access level of the installer equal to the value of the integrity level of the installer; setting security policies to allow access of one component to another component, provided that the value of the access level of one component is not higher than the value of the integrity level of the other component, where said access includes reading data; changing the value of the integrity level of the software image to a value equal to the value of the access level of the installer, provided that the integrity of the software image is not violated.

According to another particular embodiment, said access to the software image includes reading the software image.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

On FIG. 1 shows a diagram of interprocess communication using the example of an operating system with a microkernel architecture.

On FIG. 2 shows a diagram of the system for checking the integrity of the installation image of the software.

On FIG. 3 shows a variant of the method for checking the integrity of the software installation image before performing the software installation.

On FIG. 4 shows another way to check the integrity of a software installation image before performing a software installation.

On FIG. 5 is a diagram of a state machine for an implementation of security policies using a state machine.

Fig. 6 represents an example of a general purpose computer system.

Implementation of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The gist of the description is nothing but specific details provided to assist the person skilled in the art in a thorough understanding of the invention, and the present invention is defined within the scope of the appended claims.

Glossary

Process (English process) - a sequence of operations when executing a program or part of it, along with the data used, includes one or more threads (English thread) and system resources associated with them.

Inter-process communication (IPC) is a set of methods for exchanging data between multiple threads in one or more processes. Processes can run on one or more computers connected by a network. IPC methods are divided into messaging, synchronization, shared memory, and remote call methods.

An asynchronous process is a process in which an operation does not require a response to continue execution.

A synchronous process is a process in which an operation requires a response in order to continue execution.

An operation is an elementary action performed within the framework of the process under consideration. An operation can be, for example, an API function.

Modern operating systems use both synchronous and asynchronous operations when exchanging data between two processes using interprocess communication methods.

Data integrity is the consistency, completeness and safety of data. For example, the integrity of the data stored in the database means that the data in it must be fully consistent with each other, contain all the information necessary to perform the functions assigned to the database, and their accidental destruction (erasure) or distortion must be excluded. . All this is provided by the database management system.

Finite State Machine is a model of a discrete device characterized by states and transitions from one state to another. Each state of the finite automaton characterizes one of the possible situations in which the finite automaton can be.

On FIG. 1 shows a diagram of inter-process communication on the example of an operating system (hereinafter referred to as OS) 100 with a microkernel architecture. OS 100 includes isolated processes 131 - 132 that interact with each other, as well as with the OS kernel 110 , through programming interfaces by exchanging messages. Security monitor (also called call monitor) 120 is an OS component 100 designed to monitor interactions, also called OS events, including: process 141 start 131 , request 142 from process 131 or response 143 from another process 132 , process 132 call to the monitor security 120 (security request 144 ). Using the security monitor 120 , each OS event is analyzed for compliance with security policies 121 , as a result of which the execution of this OS event is allowed or prohibited. In this case, the security monitor 120 may be part of the OS kernel 110 or a separate application. The security monitor 120 runs in the privileged mode of the OS kernel 110 .

On FIG. 2 is a diagram of a system for verifying the integrity of a software installation image 230 on a computer with OS 100 , an example of the architecture of which was presented in FIG. 1 . The process of installing software from a software installation image 230 is carried out using the installation system 200 . The software installation image 230 (hereinafter referred to as the software image) is a file located in the permanent or random access memory of the computer and includes at least one of the following objects: software, software update, embedded software image. In addition, the software image 230 may contain a combination of the listed items, such as one software and one sub-image of the software, which in turn may contain, for example, another software. However, the software image 230 may use any implementation of software storage known in the art. The software image 230 , for example, may be an archive or an installation package. An installation package is an archive file that includes software files, control files, and optional files for customizing the software installation process. The mentioned files may be present in source code, in intermediate code, or in executable code.

System 200 includes components such as a checker 240 and an installer 250 . The software image 230 may be delivered to the computer in various ways. The software image 230 , for example, may be pre-stored to the computer when the OS 100 is installed. In addition, the software image 230 can be downloaded using the downloader 220 from the remote resource 210 and stored on the computer. It is worth noting that all interactions between the tools of the system 200 are performed using OS kernel system calls 110 and under the control of the security monitor 120 . In a particular implementation, the software image 230 is stored on file storage 260 , which is also a component of the installation system 200 . In this case, the interaction of the loader 220 , the checker 240 , and the installer 250 with the software image 230 may be through interaction with the file store 260 .

Since the technical problem is the vulnerability of untrusted components involved in the software installation process, possible vulnerabilities in the components of the installation system 200 are discussed below. The most vulnerable and, therefore, untrusted component is the most difficult to implement component - the installation system 200 , in particular, the component of system 200 (not shown in the figure) that controls the software installation process. The downloader 220 is also an untrusted and vulnerable component, in particular due to interaction with the external network. The trusted components are the checker 240 and the installer 250 , which are specialized components that can be verified to work correctly. This is why there is a need for a security monitor 120 that uses security policies to verify the integrity of the software installation image 230 after it has been downloaded by an untrusted component (loader 220 ) and before the software from the software image 230 is installed by a trusted component (installer 250 ). This allows to achieve the claimed technical result.

The security monitor 120 is configured to allow or deny access to the software image 230 to the components of the installation system 200 according to the security policies 121 . However, access to the software image 230 is an interprocess communication and includes reading the software image 230 . The checker 240 is designed to perform an integrity check on the software image 230 according to the granted access. The integrity of the software image 230 refers to the integrity of the data of the software image 230 during the software installation process. Thus, if at one stage of the software installation process the software image file 230 has been modified or replaced, its integrity is considered to be violated. The installer 250 is designed to install the software contained in the software image 230 '. Direct installation of the software can take place by any method known from the prior art, in particular, by extracting all files related to the installed software from the software image 230 , then saving the mentioned files to the computer file system, then creating and modifying configuration files for the correct operation of the installed software.

In one particular implementation, the integrity of the software image 230 is considered intact if the integrity of at least one object contained in the software image 230 is intact. For example, if the software image 230 contains two software, and the file data of the software image 230 related to the first of the software has been changed, while the data related to the second of the software has not been changed, then the integrity of such a software image 230 will be considered not broken. In this embodiment, the installer 250 installs only the software that is intact, that is, only the second software. Thus, the said particular implementation option ensures that the software is installed from the software image 230 , the integrity of which is not compromised. At the same time, the system 200 blocks the installation of software from the corrupted software image 230 , thereby securing the OS 100 and the computer.

In one of the private implementation options, using the checker 240 , the integrity of the software image 230 is checked in one of the following ways:

by checking the digital signature (hereinafter referred to as the EDS) of the software image 230 or by checking the digital signature of objects contained in the software image 230 ;

by receiving confirmation from the user;

by using message authentication codes, in particular imitations (eng. message authentication code - message authentication code);

by checking that the user's role meets the specified requirements (for example, the device from which the user is authorized must have the specified characteristics, location, or data for authorization);

by checking the specified attributes of the software image 230 .

In another particular implementation, the checker 240 performs a check on the integrity of the software image 230 using a combination of two or more of the approaches specifically described above. In another particular embodiment, during the specified check, various schemes for using the specified approaches are specified, for example, selective use of two or more approaches, use of at least a given number of approaches, use of a given number of approaches, etc.

Security policies 121 are pre-defined rules that allow or deny access of one component (eg, checker 240 ) to another component (eg, software image 230 of system 200 ) when a condition of the corresponding security policy 121 is met.

In one particular implementation, the security monitor 120 is further configured to set a state value of the software image 230 indicating that access to the software image 230 is allowed only to the verifier 240 . The state of the software image 230 is a setting used by security policies 121 to grant or deny access to system 200 components to the software image 230 . In addition, the security monitor 120 is configured to change the state value of the software image 230 to a new value indicating that the installer 250 can access the software image 230 and that the checker 240 does not have access to the software image 230 . For example, the state of the software image 230 "state 1" indicates access to the software image 230 only for the checker 240 , "state 2" indicates the permission to access the software image 230 to the installer 250 and the prohibition of access to the software image 230 to the checker 240 and etc.

In another particular embodiment, security policies 121 are implemented using a state machine, where the state of the state machine is the state of the software image 230 , while the security policy 121 determines whether access to the software image 230 is allowed or denied depending on the state of the state machine and in accordance with the table state transitions of the finite automaton. An exemplary implementation of security policies 121 using a state machine will be presented later in the description of FIG. 5 .

In another particular embodiment, the security policy 121 is implemented using the Mandatory integrity control model. The Mandatory Integrity Control Model provides a mechanism for controlling access to securable objects, which in the claimed invention are the components of the system 200 . According to the security monitor mandated access control model, the 120 components of system 200 are assigned two numbers called an integrity level and an access level. At the same time, to control access of one component (access subject) to another component (access object), security policies 121 are used based on mandatory access control, that is, using the values of integrity levels and access levels of components. For example, security policy 121 can be used, according to which one component is allowed read access to another component if the value of the integrity level of the first component is not lower than the value of the integrity level of the other component, or if this condition is not met, then in the case when the value of the access level of the first component is not higher than the value of the integrity level of another component. A distinction should be made between "software image integrity 230" , which refers to the immutability of the software image data 230 , and "integrity level" and "access level", where integrity level and access level values are used by security policies 121 and security monitor 120 to determine permission or prohibition of access to the software image 230 in accordance with the mentioned security policies 121 .

In the exemplary embodiment, the security monitor 120 is further configured to set the integrity levels of the verifier 240 and the installer 250 higher than the integrity level of the software image 230 . The security monitor 120 is also configured to set the verifier 240 access level to the software image integrity level 230 and the installer 250 access level to the installer 250 integrity level. It is worth noting that the software image 230 is a passive component (an access object) that does not itself request access to other components, but which can be accessed by other components. Therefore, the software image 230 has only an integrity level, but no access level. The security monitor 120 is also designed to set security policies 121 that allow one component to access another component, provided that the access level value of one component is not higher than the integrity level value of another component. In addition, in this implementation, the security monitor 120 is used to change the value of the integrity level of the software image 230 to a value equal to the value of the access level of the installer 250 , provided that the integrity of the software image 230 is not violated.

In yet another particular implementation of the security policy 121 , temporal logic is used. More details about the use of temporal logic will be written below.

On FIG. 3 shows an embodiment of a method for verifying the integrity of a software installation image 230 before performing a software installation.

At step 310 , the security monitor 120 sets the status value of the software image 230 , indicating that access to the software image 230 is allowed only for the checker 240 . Then, in step 320 , the software image 230 is made available by the security monitor 120 upon request from the verifier 240 , provided that the security policies 121 are followed. At step 330 , the verification tool 240 performs an integrity check on the software image 230 according to the granted access. When it is determined that the integrity of the software image 230 has not been violated, at step 340 , using the security monitor 120 , change the state value of the software image 230 to a new one, indicating the permission to access the software image 230 to the installer 250 and deny access to the software image 230 to the scanner 240 . Finally, in step 350 , the security monitor 120 provides access to the software image 230 upon request from the installer 250 while executing the security policies 121 . Thereafter, in step 360 , the software contained in the software image 230 is installed using the installer 250 .

Thus, at each step, the security monitor 120 , using the security policies 121 , provides control over the software installation process from the software image 230 . Therefore, even if there are vulnerabilities in individual components of the system 200 , the software installation process will be secure. In particular, steps 310 - 320 ensure that the software image 230 is only accessible by the verifier 240 , which in step 330 performs an integrity check on the software image 230 . In summary, steps 340 - 350 ensure that only the installer 250 accesses the software image 230 that has not been compromised by the checker 240 . Accordingly, if the result of the check at step 330 shows that the integrity of the software image 230 is broken, then the result of such a check will not be ignored by the installer 250 , and the software contained in the software image 230 will not be installed. In addition, the software image 230 cannot be tampered with after its integrity has been verified in step 330 but before the software image 230 is read by the installer 250 in step 350 . This is ensured by changing the state value of the software image 230 to a new value in step 340 using the security monitor 120 , indicating that the installer 250 can access the software image 230 and that the checker 240 does not have access to the software image 230 . Therefore, the invention shown in FIG. 1-3 solves the claimed technical problem and achieves the claimed technical result.

Particular embodiments of the system for verifying the integrity of the software image 230 disclosed in the description of FIG. 1-2 are also applicable to the method described in FIG. 3 .

On FIG. 4 shows another method for verifying the integrity of a software installation image 230 before performing a software installation.

At step 410 , the security monitor 120 sets:

the values of the integrity levels of the checker 240 and the installer 250 are higher than the value of the integrity level of the software image 230 (hereinafter referred to as components);

the value of the access level of the checker 240 is equal to the value of the integrity level of the software image 230 , the value of the access level of the installer 250 is equal to the value of the integrity level of the installer 250 ;

security policies 121 allowing access of one component to another component, provided that the value of the access level of one component is not higher than the value of the integrity level of another component, where said access includes reading data.

At step 420 , the software image 230 is made available by the security monitor 120 upon request from the verifier 240 , provided that the security policies 121 are followed. Next, at step 430 , the checker 240 performs an integrity check on the software image 230 according to the granted access. When it is determined that the integrity of the software image 230 has not been violated, at step 440 , using the security monitor 120 , change the value of the integrity level of the software image 230 to a value equal to the value of the access level of the installer 250 . Finally, at step 450 , the security monitor 120 provides access to the software image 230 upon request from the installer 250 while executing the security policies 121 . Thereafter, in step 460 , the software contained in the software image 230 is installed using the installer 250 .

Thus, at each step, the security monitor 120 , using the security policies 121 , provides control over the software installation process from the software image 230 . Therefore, even if there are vulnerabilities in individual components of the system 200 , the software installation process will be secure. In particular, steps 410 - 420 ensure that the software image 230 is only accessible by the verifier 240 , which in step 430 will perform an integrity check on the software image 230 . Finally, steps 440 - 450 ensure that only the installer 250 has access to the software image 230 that has not been compromised by the checker 240 . Accordingly, if the result of the check at step 430 shows that the integrity of the software image 230 is broken, then the result of such a check will not be ignored by the installer 250 , and the software contained in the software image 230 will not be installed. In addition, the software image 230 cannot be tampered with after its integrity has been confirmed in step 430 but before the software image 230 is read by the installer 250 in step 450 . This is ensured by the fact that at step 440 , using the security monitor 120 , change the value of the integrity level of the software image 230 to a value equal to the value of the access level of the installer 250 .

Therefore, the invention shown in FIG. 1-4 solves the claimed technical problem and achieves the claimed technical result.

Particular embodiments of the system presented in the description of FIG. 1-2 apply also to the methods presented in the description of FIG. 3-4 .

An example of the implementation of security policies 121 using the mandatory integrity control model (according to the method in Fig. 4 ).

In this example, the integrity level and access level of system 200 components can take one of three values: low, medium, high.

Security policies 121 may be defined using a specification language such as PSL (policy specification language). In the PSL example, mandatory integrity control is defined by the mandatory_integrity_control policy class. The security policy class defines a set of rules that correspond to the rules of the model used in the security policy. The mentioned model can be one of the following: state machine, mandatory integrity check, temporal logic. The specification of the security policy defines the conformity of the mentioned rules and interactions in the system. With each interaction attempt, the security monitor 120 executes rules to determine if the interaction is acceptable. To use a policy class, a policy object is created based on it, for which the configuration is specified. For example, for a model of mandatory integrity control, integrity levels and access levels are specified. Thus, to set integrity levels, an integrity policy object is defined, which is an instance of the mandatory_integrity_control class:

The integrity policy object configuration defines three integrity levels LOW (low), MEDIUM (medium) and HIGH (high) in ascending order. That is, LOW < MEDIUM < HIGH.

Next, the security policy 121 is set to create processes that implement the components of the system 200 :

where level is the integrity level.

The execute directive is specified to specify the rules that will be executed by the security monitor 120 when the corresponding processes are created, as well as to provide the security monitor 120 with the necessary context by the OS kernel 110 (exec method of the execute interface). Message.image specifies the file image from which the system component 200 is created. In addition, the identifier of the process that called the OS kernel 110 to create a new process dst is transmitted.

According to the security policy above, using the security monitor 120 , the downloader 220 is set to an integrity level of LOW. Since the value of the access level of the loader 220 is not set, it is considered that it is equal to the set value of the integrity level of the loader 220 - LOW. Thus, once the software image 230 is loaded, said software image 230 will also have its integrity level set to LOW, equal to the integrity level of the loader 220 that downloaded it.

where levelA is the access level.

According to this security policy, using the security monitor 120 , the verifier 240 is set to an integrity level value of HIGH and an access level value of LOW.

According to this security policy, using the security monitor 120 , the installer 250 is set to an integrity level value of HIGH. Because the value of the installer access level 250 is not set, it is considered to be equal to the set value of the integrity level - HIGH.

According to this security policy, using the security monitor 120 , the file store 260 (FileSystem), if present on the installation system 200 , is set to an integrity level value of HIGH. Because the value of the file storage access level 260 is not set, it is considered to be equal to the set value of the integrity level — HIGH.

Thus, according to the presented example, at step 410 using the security monitor 120 set the values of integrity levels and security policies 121 . According to the security policies 121 described, the downloaded software image 230 has an integrity level of LOW. At step 420 , the checker 240 is given access to the software image 230 by means of the security monitor 120 , because the value of the access level of the verifier 240 is LOW, which is the same as the value of the integrity level of the software image 230 . Thus, in step 430 , the checker 240 performs an integrity check on the software image 230 according to the granted access. After that, if the integrity of the software image 230 is not violated, at step 440 , using the security monitor 120 , change the value of the integrity level of the software image 230 to a value equal to the value of the access level of the installer 240 , i.e. to the value HIGH. Next, at step 450 , the security monitor 120 provides access to the software image 230 upon request from the installer 250 while executing the security policies 121 , that is, if the access level of the installer 250 is not higher than the integrity level of the software image 230 . In this case, they will match, taking the value HIGH. Therefore, at step 460 , the installer 250 will install the software contained in the software image 230 .

It is worth noting that if there were a fake file storage 280 with a MEDIUM integrity level, then using the methods (services) of the fake file storage 280 , the loader 220 would write the fake software image 270 to the fake file storage 280 with the LOW integrity level. Such a fake software image 270 will pass an integrity check by the checker 240. Although the integrity level of the fake software image 270 will be increased to the maximum allowed value, this value will not exceed the value of the integrity level of the fake file store 280 , i.e. the value MEDIUM<HIGH. As a result, the installer 250 will not access the fake software image 270 and will not install the software from the fake software image 270 because the integrity level value of the fake software image 270 will be MEDIUM<HIGH.

The present example of security policies 121 shows how the claimed invention solves a technical problem in the presence of a vulnerability of untrusted components involved in the software installation process. It also follows that the claimed invention achieves the claimed technical result, ensuring the security of the software installation process by providing access to the software image by the security monitor using security policies.

An example of implementing security policies 121 using a state machine (FIG. 5).

On FIG. 5 is a diagram of a state machine for an implementation of security policies 121 using a state machine. It is worth noting that both one (global) state machine and several state machines, different for each specific software image 230 , can be used in the case when more than one software image 230 is present in the system 200 . At the same time, when using several state machines, each of them is additionally transferred with the identifier of the corresponding software image 230 .

The following is a description of the install_checker state machine:

The install_checker state machine can be in one of the following states: initialized 510 (initial), sealed 520 (sealed), and verified 530 (verified). The install_checker state machine transition table is represented in the transitions structure. When the install_checker state machine is initialized, it is in the initialized 510 state. From the initialized state 510 , the state machine can only transition to the sealed state 520 , which corresponds to the state of the software image 230 indicating that only the verifier 240 can access the software image 230 .

From the sealed 520 state, the state machine can only transition to the verified 530 state, which corresponds to the state of the software image 230 indicating that the installer 250 is allowed access to the software image 230 and that the verifier 240 is denied access to the software image. From the verified 530 state, the install_checker state machine can transition to the same verified 530 state or to the initialized 510 state.

The following are examples of security policies 121 using the install_checker state machine.

According to this security policy, the installer 200 (Manager) is allowed to request 142 (request) to the install method of the installer 250 (installer) provided that the install_checker state machine is in the verified state 530 . The install method then installs the software from the software image 230 .

According to this security policy, the verifier 240 (verifier) is allowed to issue a security request 144 (security) to change the state (confirm method) of the install_checker state machine to verified. In this case, the state machine state change will be performed by the security monitor 120 if the specified state machine state change is in accordance with the state machine transition table.

According to this security policy, the installation system 200 (Manager) is allowed to request 142 to the write method of file storage to write the software image 230 , provided that the install_checker state machine is in the initialized state. In this case, the boot loader 220 will begin the process of burning the software image 230 .

According to this security policy, the installation system 200 (Manager) is allowed to request 142 to call the commit method (confirmation of the completion of writing the software image 230 ) of the storage file storage. This will change the state of the install_checker state machine from initialized to sealed.

According to this security policy, the verification tool 240 (Verifier) is allowed to request 142 to the file storage (Storage) to read (read method, that is, read access is allowed) of the software image 230 , provided that the install_checker state machine is in the sealed state 520 .

According to this security policy, the installer 250 (Installer) is allowed to request 142 to the file storage to read (the read method, that is, read access is allowed) of the software image 230 , provided that the install_checker state machine is in the verified state 530 .

The present example of security policies 121 shows how the claimed invention solves a technical problem in the presence of a vulnerability of untrusted components involved in the software installation process. It also follows that the claimed invention achieves the claimed technical result, ensuring the security of the software installation process by providing access to the software image by the security monitor using security policies.

An example of implementing security policies 121 using temporal logic.

In this approach, certain interactions between processes 131-132 in OS 100 are mapped to state events of the software image 230 from a set that is defined in accordance with security goals. In a particular implementation example, such a set includes the events {seal, verify, apply}, where seal is the event of "sealing" the software image 230 , verify is the event of checking the integrity of the software image 230 , apply is the event of installing software from the software image 230 . Security properties (requirements) are formulated using a temporal logic formula, for example, as follows:

Feature 1 : Whenever a software image integrity check 230 is performed, it must be guaranteed that after the software image integrity check 230 process, said software image 230 will not be modified. Using the same scheme as in the case of a state machine, this property can be written as a formula:

G (verify => P seal),

where G is the "always in the future" temporal operator, P is the "at least once in the past" temporal operator.

Property 1 means that whenever the integrity of the software image 230 is checked, the file storage method 260 must be called in the past to ensure that no further data is written to the software image 230 .

Property 2: Installing software from the software image 230 is possible only if the integrity of the software image 230 is confirmed. This property can be written as a formula:

G (apply => P verify).

Creating a policy class object that implements access control based on temporal logic can be implemented in PSL as the following construct:

It should be noted that other formulations of properties are also possible. For example, property 2 could be set as follows: software image 230 is not applied until the integrity of software image 230 is verified:

!apply U verify,

where U is the temporal operator "until the specified event occurs".

The following is an example of implementing security policy 121 using temporal logic when installing software.

The control policy associates an apply event with this interprocess communication and checks the validity of the formula specified in the policy object configuration. If the formula is true, the policy allows the interaction; if it is false, it denies it.

The verifier 240 notifies the security monitor 120 of the successful verification of the software image 230 - the verify event:

The restart method deletes the entire event history of the tl class object.

When the commit method is called, the software image is "sealed" 230 .

Since the installer 250 (Installer) is considered a trusted component, it will only read the software image 230 upon command from the installer 200 (Manager), for which the security policy was previously set.

Fig. 6 shows an example of a general purpose computer system, a personal computer or a server 20 ', comprising a central processing unit 21 ', system memory 22 ', and a system bus 23 ', which contains various system components including memory associated with the central processing unit 21 '. The system bus 23 is implemented as any bus structure known in the art, in turn comprising a bus memory or bus memory controller, a peripheral bus, and a local bus capable of interfacing with any other bus architecture. The system memory contains read-only memory (ROM) 24 , random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of a personal computer 20 , for example, at the time of booting the operating system using ROM 24 .

The personal computer 20 in turn comprises a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31 such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27 , the magnetic disk drive 28 , the optical drive 30 are connected to the system bus 23 via the hard disk interface 32 , the magnetic disk interface 33 , and the optical drive interface 34 , respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other personal computer data 20 .

The present description discloses an implementation of a system that utilizes a hard disk 27 ', a removable magnetic disk 29 ' and a removable optical disk 31 ', but it should be understood that other types of computer storage media 56 ' that are capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55 .

The computer 20 has a file system 36 that stores the recorded operating system 35 as well as additional software applications 37 , other program modules 38 and program data 39 . The user has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40 , mouse 42 ). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are normally connected to the computer system 20 through a serial port 46 , which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48 '. In addition to the monitor 47 , the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment using a network connection to another or more remote computers 49 . The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the nature of the personal computer 20 shown in FIG. 6 . Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks (also information systems), internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local network 50 via a network adapter or network interface 51 . When using networks, personal computer 20 may use a modem 54 or other means to communicate with a wide area network, such as the Internet. The modem 54 , which is an internal or external device, is connected to the system bus 23 via the serial port 46 . It should be clarified that the network connections are only indicative and are not required to represent the exact network configuration, i.e. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

As described, the components, execution steps, data structure described above can be executed using various types of operating systems, computer platforms, programs.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula.

Claims (47)

1. A method for checking the integrity of the software installation image (hereinafter referred to as the software) before installing the software, in which: a) using the security monitor, set the value of the state of the software installation image (hereinafter referred to as the software image), indicating that access to the software image is allowed only for the scan tool, while the state of the software image is a parameter used by security policies to allow or deny access to the image Software components, including: verification tool, installer; b) using the security monitor, provide access to the software image upon request from the scanner, subject to the implementation of security policies; c) using the verification tool, check the integrity of the software image according to the access granted; d) when it is determined that the integrity of the software image has not been violated, using the security monitor, change the value of the state of the software image to a new one, indicating that access to the software image is allowed for the installer and that access to the software image is denied for the checker; e) using the security monitor, provide access to the software image upon request from the installer when executing security policies. 2. The method according to claim 1, wherein the security policies use a state machine, where the state of the state machine is the state of the software image, while the security policy determines whether access to the software image is allowed or denied depending on the state of the state machine and in accordance with the state transition table finite automaton. 3. The method of claim 1, wherein the security policies use temporal logic. 4. The method of claim 1, wherein said software image contains one or more of the following: • ON; • Software Update; • nested software image. 5. The method according to claim 4, in which the software image integrity is checked by checking the integrity of the objects contained in the mentioned software image, while the integrity of the software image is considered intact if the integrity of at least one object contained in the software image is not violated . 6. The method of claim 1, wherein the installer performs installation of the software contained in said software image. 7. The method of claim 5, wherein the installer installs only the software contained in said software image that is intact. 8. The method according to claim 1, in which the integrity of the software image is checked in one of the following ways: • by checking the digital signature of the said software image; • by receiving confirmation from the user; • by using message authentication codes, in particular imitation insertion; • by checking whether the user's role meets the specified requirements; • by checking the specified attributes of the software image. 9. The method according to claim 1, in which, using the bootloader, the software installation image is loaded from a remote resource. 10. The method of claim 1, wherein said access includes reading data. 11. A method for checking the integrity of the software installation image before performing the software installation, in which: a) using the security monitor set: • the values of the integrity levels of the scan tool and the installer (hereinafter referred to as components) are higher than the value of the integrity level of the software image; • the value of the access level of the checker equal to the value of the integrity level of the software image, the value of the access level of the installer is equal to the value of the integrity level of the installer; • security policies that allow access of one component to another component, provided that the value of the access level of one component is not higher than the value of the integrity level of another component; b) using the security monitor, provide access to the software image upon request from the scanner, subject to the implementation of security policies; c) using the verification tool, check the integrity of the software image according to the access granted; d) when it is determined that the integrity of the software image is not violated, using the security monitor, change the value of the integrity level of the software image to a value equal to the value of the access level of the installer; e) using the security monitor, provide access to the software image upon request from the installer when executing security policies. 12. The system for checking the integrity of the software installation image before performing the software installation, containing: a) a security monitor designed to provide, according to security policies, permission or prohibition of access to the software image to components, including: a checker, an installer, while the security monitor is configured to allow access to the software image first only to the checker, and after being established by the checker that the integrity of the software image has not been violated, allowing access to the software image to the installer and denying access to the software image to the verification tool; b) said verification tool for performing integrity checks on the software image according to the granted access; c) said installation tool, designed to install the software contained in the software image. 13. The system according to claim 12, in which the security monitor is additionally designed to: • setting the value of the state of the software image, indicating that access to the software image is allowed only for the scanner, while the state of the software image is a parameter used by security policies to allow or deny access to the software image to the mentioned components; • changing the value of the software image state to a new one, which indicates that the installer can access the software image and that the verification tool does not have access to the software image. 14. The system of claim 13, wherein the security policies use a state machine, where the state of the state machine is the state of the software image, wherein the security policy determines whether access to the software image is allowed or denied depending on the state of the state machine and in accordance with the state transition table finite automaton. 15. The system of claim 12, wherein the security policies use temporal logic. 16. The system according to claim 12, in which the security monitor is additionally designed to: • setting the values of the integrity levels of the checker and the installer higher than the value of the integrity level of the software image; • setting the value of the access level of the checker equal to the value of the integrity level of the software image, the value of the access level of the installer equal to the value of the integrity level of the installer; • setting security policies that allow access of one component to another component, provided that the value of the access level of one component is not higher than the value of the integrity level of another component, where said access includes reading data; • changing the value of the integrity level of the software image to a value equal to the value of the access level of the installer, provided that the integrity of the software image is not violated. 17. The system of claim 12, wherein said access to the software image includes reading the software image.

Images