WO2017008133A1 - Secure architecture for embedded systems - Google Patents

Secure architecture for embedded systems

Info

Publication number
WO2017008133A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
architecture
line
address
architecture according
Prior art date
Application number
PCT/BR2016/000066
Other languages
English (en)
Portuguese (pt)
Inventor
Guido Costa Souza DE ARAÚJO
Mário Lúcio CORTÊS
Caio HOFFMAN
Original Assignee
Universidade Estadual De Campinas - Unicamp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Universidade Estadual De Campinas - Unicamp
Publication of WO2017008133A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components to assure secure computing or processing of information
    • G06F21/73 Protecting specific internal or peripheral components to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G06F21/78 Protecting specific internal or peripheral components to assure secure storage of data
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F2221/2129 Authenticate client device independently of the user
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols

Definitions

  • The present invention relates to a secure architecture for authentication and integrity checking of cache memory lines by means of PUFs for embedded systems, and is intended to prevent malicious code from being inserted into these systems. It protects the integrity of code and data and makes it possible to detect any change to the programs of an embedded system (including the operating system, when present).
  • PUFs Physically Unclonable Functions
  • Embedded systems are classified into two categories, Simple Embedded Systems (SES) and Complex Embedded Systems (SEC).
  • SES Simple Embedded Systems
  • SEC Complex Embedded Systems
  • An SEC is capable of having an operating system that can incorporate external storage units as part of the system, so that programs and data can be loaded from or stored on these drives.
  • This is well exemplified by today's smartphones and tablets, which are as powerful and have as many functions as some personal computers.
  • AEGiS, proposed in [1] and [2], is a robust architecture capable of maintaining code and data integrity through PUF-based authentication.
  • The major difference from the AEGiS architecture is that it can be a secure architecture in a way that is independent of any software, including the operating system (OS), or otherwise only when part of the operating system is trusted.
  • OS operating system
  • When the kernel is trusted, the difference between the two modes lies in the additional hardware that one implementation has over the other.
  • When the OS is not trusted, operations similar to those performed by the OS have to be implemented in hardware, which makes this implementation more complex and costly to manufacture.
  • SECs have the computational power to run OSs capable of having different layers of security, one of which will house the secure core.
  • A program that does not have its authenticity validated is still allowed to run. While all unvalidated code executes in an environment that the architecture considers unsafe, that is, an environment that may not have access to secure data, an attacker may want precisely to prevent a program from doing its job. For example, if a particular program is critical to the operation of an embedded system, a lack of access to protected data can lead to critical failures during its operation even though the system remains active. Thus, the number of possible system failure situations can increase significantly due to the combination of failures that one or more programs can cause simply because their authentication has not been validated.
  • A model of secure coprocessor architectures is presented by WO2014138626A1.
  • This architecture uses PUFs to generate the keys of its cryptographic primitives, thus making the security of each instance of the architecture unique.
  • The system provides full-time integrity.
  • The architecture is not completely transparent to the software of a computer system, as it depends on new instructions that it specifies for its operation, and it is thus subject to the presence of these instructions in the programs.
  • Since the architecture allows external memory to be trusted or not, it is possible to use the proposal for applications such as certified execution.
  • The biggest differentiator of the architecture compared to the other architectures seen so far is having two specific hardware units that control the input and output of data. Because of this hardware it is possible to use speculative execution: while data and code obtained from the input hardware are undergoing integrity checking, the processor can execute all the instructions contained in the code it read and write the data, but the output hardware only allows data out once integrity and authenticity are confirmed.
  • US8918647 deals with device authentication, organized as a root server and multiple child nodes that can be authenticated, but it also does not deal with authentication and integrity checking of code and data on embedded systems.
  • US814Q824 deals with authenticating a boot code snippet iteratively with a hash function. The accumulated final hash value is compared to a stored value. However, because the code only starts after the iterative verification, there is a significant performance cost, especially if the scheme is extended to system code other than the boot code. Moreover, the question of data integrity is not addressed, i.e. whether boot code data can be updated and what that process looks like.
  • The present invention relates to a secure architecture for simple embedded systems, which comprises a memory controller that uses PUFs to generate digital authentication tags for cache memory lines. These tags are stored in a new memory that does not allow them to be accessed via software.
  • The architecture can use commercially available processors without requiring changes to software already available for those processors.
  • The architecture prevents code and data modifications, thereby preventing malicious agents from modifying the operation of a simple embedded system.
  • Authenticated memory regions holding data can be updated with new authenticity tags generated in a completely secure manner, thus allowing the architecture to be used in different simple embedded system applications.
  • Figure 1 is a schematic illustrating the proposed architecture, highlighting the processor and MCTRL.
  • Figure 2 illustrates a first possible configuration for PTAG-GEN, combining FPAs with PUFs in PTAG generation.
  • Figure 3 illustrates a second possible configuration for PTAG-GEN.
  • Figure 4 illustrates a third possible configuration for PTAG-GEN.
  • PTAG physical tag
  • MCTRL memory controller
  • PTAG-MEM PTAG memory
  • Figure 1 shows the architecture proposed by the present invention. Inside the chip are the processor and the memory controller (MCTRL). The processor is shown with its main components, and MCTRL shows only the circuits added for security purposes: the comparator and the PTAG generator (PTAG-GEN). MCTRL is what receives data from and sends data to the external memories, and passes it on to the processor. The cache lines (or memory blocks) obtained from these data buses are taken to PTAG-GEN by MCTRL. In addition, it is shown that the physical address of the external memory and of the PTAG memory is the same, and both are accessed at the same time.
  • PTAG-MEM is a physical memory isolated on the PTAG bus, which connects it to the chip. Its physical address is the same as that of main memory, so access to a memory block results in concurrent access to that block's PTAG in PTAG-MEM.
  • PTAG memory is at the same level as main memory in the system memory hierarchy.
  • PTAG-MEM technology does not have to be the same as that of main memory, but it is a design requirement that the time a PTAG takes to travel from PTAG-MEM to MCTRL cannot be longer than the time PTAG-GEN takes to generate a PTAG (taking into account the time PTAG-GEN needs to obtain the cache memory line or memory block from the bus), as otherwise cache line (or memory block) authentication would be delayed.
  • PTAG generation is performed by PTAG-GEN, which uses either a cache memory line from the bus or a memory block brought from main memory. Note that in this document a memory block is assumed to have the same bit size as a cache memory line, so the terms "memory block" and "cache memory line" are used interchangeably.
  • This cache memory line is concatenated with the physical or virtual address obtained directly from the processor (without intermediaries), and this composition is used as the input of PTAG-GEN to generate the PTAG associated with that block.
  • PTAG-GEN uses a PUF in combination with one or more pseudo-random functions (FPAs) to generate PTAGs.
  • FPAs pseudo-random functions
  • The pseudo-random functions serve to blur the composition formed by the virtual (or physical) address and the memory block, while the PUF adds entropy and uniqueness.
  • The memory controller has two functions: checking and storing PTAGs. On verification, the PTAG generated by PTAG-GEN is compared with the one brought from PTAG-MEM at the same time as the memory block. If the two differ, a non-maskable interrupt (PTAG-NMS) is issued to the processor by MCTRL. If the PTAGs are equal, nothing happens. On storage, the memory controller takes the cache memory line being transferred to main memory together with the line address from the processor, and PTAG-GEN generates the PTAG that MCTRL sends to PTAG-MEM.
  • PTAG-NMS non-maskable interrupt
  • The PTAG-NMS interrupt must be connected to some extra interrupt pin available on modern processors.
  • An interrupt puts the processor in an exception state, in which it takes some specific action to handle it. These actions are programmed by the firmware as an interrupt handling routine.
  • By monitoring the MCTRL control bus it is possible to identify which hardware has made a request and what the request is. In this way, MCTRL is able to identify when the processor requests a memory block that is not in cache memory, indicating that a fetch from main memory has to take place. MCTRL can then access PTAG memory simultaneously.
  • The processor's communication with the I/O devices inside the chip is arbitrated by the memory controller.
  • One way to do this is to place buffers that intercept this communication and only allow the I/O device to receive data sent by the processor if MCTRL allows it. In this way, MCTRL can pass data received from memory directly to the processor to avoid any performance loss. Meanwhile, MCTRL proceeds with checking the integrity of the memory block that was sent to the processor. If the processor issues an input or output instruction, it is buffered until the memory controller authorizes it. This prevents malicious code from exposing any data outside the secure area (i.e. outside the chip).
  • Memory data blocks may have their digital tag updated when they are changed.
  • Since these blocks are inside the chip, as cache lines, they are in a safe environment and updating PTAGs is not susceptible to fraud.
  • PTAG-GEN can be designed in at least three ways, in which the interaction between the FPA(s) and PUF(s) maintains the security robustness that computer systems currently demand.
  • The FPAs can be set with fixed keys that may be the same for all instances of the architecture, thus making them equivalent to hash functions. Between them there may be one or more PUFs. Their number will depend on the output size of the first FPA chosen, the type of PUF used, and the number of output bits of the second FPA chosen.
  • The PUF chosen is of the Arbiter PUF type.
  • The output of the second FPA is 64 bits.
  • The PTAG-GEN input is the composition of a memory block and its address; as this composition is longer than 128 bits for modern processors, it does not affect the entropy of the output of the first FPA, i.e. the amount of information coming in is greater than the information going out. Thus, an important security property of digital authentication is preserved.
  • Since the second FPA has a 64-bit output, to ensure its security properties the input must be at least 64 bits, so 64 Arbiter PUFs are required. Each of these receives a 128-bit challenge and has a one-bit response.
  • The output of the first FPA is also the challenge of each PUF. Since PUFs are unique in each of their instances, it is not possible to predict the response bits, i.e. the input of the second FPA is entirely random in nature. Finally, the output of the second FPA is the digital tag of the memory block and its address.
  • A malicious agent obtains such a machine and attempts to modify the code contained in it so that credit card data is transferred to some peripheral device. He intends to return the modified machine to the restaurant with the intention of stealing sensitive customer data. He will only be able to do this if, in addition to inserting the malicious code, he also changes the PTAGs in PTAG-MEM, which, as discussed earlier, will only work with negligible probability. Note that none of the credit card machine's secrecy apparatus is modified by using the architecture proposed here; a card machine works no differently with or without this proposal, but this attack would be blocked. Finally, any success of the malicious agent on one instance of the machine does not open the way to trivial fraud: all the hard work of carrying out the attack once must be repeated.
  • A company sells a GPS with paid monthly updates.
  • A malicious agent tries to take advantage by reselling the GPS with modified software so that updates are downloaded and installed for free. On the black market this should attract people interested in not paying the monthly fee charged by the company that originally made the GPS.
  • When the malicious agent attempts to resell the product, all of its program memory has already been authenticated by PTAGs. The malicious agent will not be able to modify the code successfully, since, as in the previous example, he would need to modify the PTAG memory with the PTAGs that would give authenticity to his malicious code. Therefore, the malicious agent will not succeed in this endeavor.
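The following is an added software model of the PTAG pipeline and of the two MCTRL functions described above (verify on load, store on write-back); it is example code written for this page, not the patent's own design or hardware. Assumptions: the FPAs are modelled as HMAC-SHA-256 with fixed keys, the 64 Arbiter PUFs as a seeded additive-delay simulation, and the cache line as 64 bytes; the two demo functions also show what the tag is bound to (the address and the chip instance), which the page states in prose only.

```python
import hashlib
import hmac
import random

BLOCK_BYTES = 64      # assumed cache-line size (not given on the page)
ADDR_BYTES = 8        # 64-bit address
CHALLENGE_BITS = 128  # first FPA output width; fed to every PUF as its challenge
NUM_PUFS = 64         # 64 one-bit Arbiter PUFs feed the 64-bit second FPA
# Fixed FPA keys shared by all instances (the page says this makes them act as hash functions); constructed.
FPA1_KEY = b"constructed-fpa1-key"
FPA2_KEY = b"constructed-fpa2-key"

def fpa1(addr: bytes, block: bytes) -> bytes:
    """First FPA: (address || block) -> 128-bit PUF challenge."""
    return hmac.new(FPA1_KEY, addr + block, hashlib.sha256).digest()[:16]

def fpa2(puf_bits: bytes) -> bytes:
    """Second FPA: 64 PUF response bits -> 64-bit PTAG."""
    return hmac.new(FPA2_KEY, puf_bits, hashlib.sha256).digest()[:8]

class ArbiterPuf:
    """Additive-delay simulation of a 128-stage Arbiter PUF: every stage has a
    per-instance delay difference; the response is the sign of the total delay."""
    def __init__(self, rng: random.Random):
        self.delays = [rng.gauss(0.0, 1.0) for _ in range(CHALLENGE_BITS)]
    def respond(self, challenge: bytes) -> int:
        bits = [(challenge[i // 8] >> (7 - i % 8)) & 1 for i in range(CHALLENGE_BITS)]
        total, parity = 0.0, 1
        for i in range(CHALLENGE_BITS - 1, -1, -1):  # phi_i = prod_{j>=i} (1 - 2*c_j)
            parity *= 1 - 2 * bits[i]
            total += parity * self.delays[i]
        return 1 if total > 0 else 0

class PtagGen:
    """PTAG-GEN: FPA1 -> 64 Arbiter PUFs (same challenge to each) -> FPA2."""
    def __init__(self, seed: int):
        rng = random.Random(seed)  # the seed stands in for manufacturing variation
        self.pufs = [ArbiterPuf(rng) for _ in range(NUM_PUFS)]
    def ptag(self, addr: int, block: bytes) -> bytes:
        challenge = fpa1(addr.to_bytes(ADDR_BYTES, "big"), block)
        bits = 0
        for puf in self.pufs:
            bits = (bits << 1) | puf.respond(challenge)
        return fpa2(bits.to_bytes(NUM_PUFS // 8, "big"))

class Mctrl:
    """Memory controller with its two PTAG functions: store and verify."""
    def __init__(self, seed: int):
        self.gen = PtagGen(seed)
        self.main_mem = {}  # external memory: reachable by software and by an attacker
        self.ptag_mem = {}  # PTAG-MEM: same addresses, never software-addressable
    def store(self, addr: int, block: bytes) -> None:
        """Write-back of a cache line: generate its PTAG and store both."""
        self.main_mem[addr] = block
        self.ptag_mem[addr] = self.gen.ptag(addr, block)
    def load(self, addr: int) -> tuple:
        """Fetch block and PTAG at the same address, recompute and compare;
        returns (block, nmi), nmi being True when MCTRL would raise PTAG-NMS."""
        block = self.main_mem[addr]
        stored = self.ptag_mem.get(addr, b"")
        nmi = not hmac.compare_digest(self.gen.ptag(addr, block), stored)
        return block, nmi

def demo_tamper() -> tuple:
    """A clean load passes; a block patched directly in external memory raises the NMI."""
    dev = Mctrl(seed=1)
    code = bytes(range(BLOCK_BYTES))  # constructed cache line standing in for code
    dev.store(0x4000, code)
    _, nmi_clean = dev.load(0x4000)
    dev.main_mem[0x4000] = code[:10] + b"\xcc" + code[11:]  # one byte changed, PTAG-MEM untouched
    _, nmi_patched = dev.load(0x4000)
    return nmi_clean, nmi_patched

def demo_binding() -> tuple:
    """The PTAG is bound to the block's address and to the PUF instance (the chip)."""
    block = bytes(BLOCK_BYTES)
    g1, g2 = PtagGen(seed=1), PtagGen(seed=2)
    moved = g1.ptag(0x4000, block) != g1.ptag(0x4040, block)
    other_chip = g1.ptag(0x4000, block) != g2.ptag(0x4000, block)
    return moved, other_chip
```

The block is passed to the processor before the comparison finishes, mirroring the speculative pass-through the page describes; only the NMI flag tells the firmware's handler that the line was not authentic.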

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a secure architecture for the authentication and integrity verification of cache memory lines by means of PUFs for embedded systems, and aims to prevent malicious code from being inserted into these systems. It thus protects the integrity of code and data and allows the detection of any modification to the programs of an embedded system (including the operating system, where present). It finds application in the field of computer systems, more particularly in embedded systems architecture and information security.
PCT/BR2016/000066 2015-07-14 2016-07-12 Secure architecture for embedded systems WO2017008133A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
BR102015016831-4A BR102015016831B1 (pt) 2015-07-14 2015-07-14 Secure architecture for embedded systems
BRBR1020150168314 2015-07-14

Publications (1)

Publication Number Publication Date
WO2017008133A1 true WO2017008133A1 (fr) 2017-01-19

Family

ID=57756589

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/BR2016/000066 WO2017008133A1 (fr) 2015-07-14 2016-07-12 Secure architecture for embedded systems

Country Status (2)

Country Link
BR (1) BR102015016831B1 (fr)
WO (1) WO2017008133A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090113136A1 (en) * 2007-10-30 2009-04-30 Sandisk Il Ltd. Caching for structural integrity schemes
US20140082721A1 (en) * 2012-09-19 2014-03-20 Nuvoton Technology Corporation Secured computing system with asynchronous authentication
WO2014138626A1 (fr) * 2013-03-08 2014-09-12 Robert Bosch Gmbh Systems and methods for maintaining integrity and confidentiality in untrusted computing platforms


Also Published As

Publication number Publication date
BR102015016831B1 (pt) 2022-12-06
BR102015016831A2 (pt) 2017-01-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16823571; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16823571; Country of ref document: EP; Kind code of ref document: A1)