A smart card based trusted monitor program implementation method

1 Overview

1.1 Introduction to Smart Cards

A smart card, also known as an IC card (Integrated Circuit Card), provides temporary or permanent data storage as well as encryption and data processing capabilities. Because the integrated circuit of a CPU card contains a CPU, EEPROM, random access memory (RAM) and a chip operating system (COS) burned into read-only memory (ROM), it constitutes a complete computer system. The COS is built on the hardware (CPU and memory); it is the operating system that manages the chip's resources and implements security and confidentiality. Its main functions are controlling the exchange of information between the smart card and the outside world, managing the memory inside the card, and processing the various commands received by the card. The COS consists of four functional modules: transmission management, file management, security management, and command interpretation.

1.2 Monitor program

Because of their cost sensitivity, limited resources and frequent human-computer interaction, smart card systems are especially susceptible to physical and logical attacks during use [2-3]. Countering these attacks is often approached by monitoring command behavior. The literature therefore proposes a monitor subsystem, whose structure is shown in Figure 1.

Figure 1. Monitor subsystem for embedded systems

The system statically analyzes the binary code to derive all possible instruction-sequence paths, or a state transition diagram, which the monitor subsystem stores. At runtime, every submitted instruction sequence is compared against the pre-stored path map. From the result of the comparison it can be judged whether an illegal operation sequence has occurred and, at the same time, whether an attack is taking place. Once this is detected, the monitor raises an interrupt, terminates the processor's current instruction execution, and takes appropriate recovery actions. Execution of instructions in the expected way thus constitutes the legal instruction flow, which is consistent with the concept of trusted computing.

2 Trust-enhanced COS design method

This paper performs a security transformation of the smart card COS architecture used for financial applications: it constructs a trust chain containing a soft trust root, and uses that chain to perform trusted verification of the smart card COS platform environment and of COS operation command behavior, thereby achieving the goal of trust enhancement. Because the card's resources are limited, and considering the generality and cost of real applications, no additional hardware chips or circuits are added to the card; instead the card's own resources are used to simulate and design, in software, the trusted computing measurement and storage mechanisms, providing a reference for future embedded systems that do include a TPM chip.

2.1 Soft Trust Root

Trusted computing platforms usually include a dedicated TPM chip, which provides protected storage and cryptographic functions. The root of trust of the platform is the RTM (Root of Trust for Measurement), which is usually stored in the protected storage area of the TPM [5]; this is a root of trust in hardware form.

Considering the actual situation of the card, this paper proposes the concept of a soft trust root. The idea is to store the integrity values of the COS kernel, of the card's key files and of the main chip parameters in the OTP (one-time programmable) area of the card's NVM (non-volatile memory), as the root of the card's trust chain. These values are written when the card is initialized and cannot be changed during the card's life cycle; this is called the Soft-based RTM (SRTM). The measurement of the soft trust root is performed not by a TPM but by the code of a Soft-based Trust Measurement Module (STMM), which is stored in the ROM area of the NVM provided by the card.

2.1.1 Basis for use

The theoretical and practical basis for a soft trust root acting as the card's source of trust is as follows:

(1) The OTP area of the card's NVM cannot be changed once it has been written, and, given that it is physically reliable, it is considered sufficiently trustworthy.

(2) The soft trust root is measured after the card's own BOOTROM code has executed (that is, after the card's hardware self-test has passed completely) and before the COS core code begins to execute. The purpose is to additionally verify the integrity of the chip and to check the integrity of the COS about to be executed, providing a trusted software platform for the subsequent applications.

(3) The soft metric module STMM verifies the soft trust root SRTM. If the verification passes, the card's security state is initialized to a value S0 that differs from the initial security state of an ordinary card login to the MF, and S0 is the only legal starting state (as in S0->Sx) of the state machine that switches from the MF to an ADF. In other words, if a state transition from the MF to an ADF does not start from S0, it is rejected by the access control in the application or by the monitor program (Section 2.2). The verification of the soft trust root therefore cannot be bypassed.

2.1.2 Integrity Collection and Measurement

The integrity data sources of the soft trust root SRTM are mainly related to the characteristics of the card itself and to the COS code. The following parameters can serve as data sources for computing the soft trust root's integrity values: the chip's unique serial number, product identifier, issuer identifier, manufacturer identifier, COS version number, COS kernel code checksum, initial release date, master file (MF) header, the soft metric module, and the monitor program. The integrity measurement of the soft trust root first applies an integrity detection algorithm to each selected parameter or data file; the resulting check values are numbered and written into the OTP area when the card is initialized. Before the card powers up into the COS application, the same process is repeated to obtain a fresh set of check values, and the two sets are compared one by one. If they agree, the system environment is safe and the core files are intact; if they disagree, the system's core files may have been illegally tampered with or destroyed, or the COS illegally transplanted to another chip. The detection process mainly monitors changes in the system environment and in the core files, and is a basic, trustworthy verification step before entering the COS platform.
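The measurement described above, as an added example written for this page and not code from the paper: a handful of constructed card parameters stand in for the listed data sources, check values are computed and numbered once into a simulated write-once OTP area at initialization, and the STMM recomputes and compares them one by one at power-up. The paper names no particular integrity detection algorithm, so CRC-32 is assumed here purely as a stand-in for whichever checksum the card uses; the sample values, the `otp_written` flag that models the write-once property, and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample values standing in for the paper's integrity data
 * sources (chip serial, product id, COS version, COS kernel code, MF header).
 * None of these are real card values. */
static const uint8_t chip_serial[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const uint8_t product_id[]  = { 0x01, 0x02 };
static const uint8_t cos_version[] = { 0x03, 0x10 };
static uint8_t       cos_kernel[64];   /* filled by init_sample_kernel(); mutable so tampering can be shown */
static const uint8_t mf_header[]   = { 0x3F, 0x00, 0x38, 0xFF, 0x00, 0x10 };

typedef struct { const char *name; const uint8_t *data; size_t len; } item_t;

/* The numbered parameter list; its order fixes the numbering of the check values in OTP. */
static const item_t items[] = {
    { "chip serial", chip_serial, sizeof chip_serial },
    { "product id",  product_id,  sizeof product_id  },
    { "COS version", cos_version, sizeof cos_version },
    { "COS kernel",  cos_kernel,  sizeof cos_kernel  },
    { "MF header",   mf_header,   sizeof mf_header   },
};
#define NUM_ITEMS (sizeof items / sizeof items[0])

/* Simulated OTP area of the NVM: one check value per numbered item. Real OTP
 * is write-once in hardware; here a flag enforces that property (assumption). */
static uint32_t otp_values[16];
static int otp_written = 0;

/* CRC-32 (reflected, polynomial 0xEDB88320) used as the integrity detection
 * algorithm. The paper names no specific algorithm, so this is an assumption. */
uint32_t crc32_bytes(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

void init_sample_kernel(void) {
    for (size_t i = 0; i < sizeof cos_kernel; i++)
        cos_kernel[i] = (uint8_t)(i * 7 + 3);
}

/* Card initialization: compute each check value, number it and write it to
 * OTP. Returns 0 on success, -1 if the OTP area has already been written. */
int otp_write_check_values(void) {
    if (otp_written) return -1;
    for (size_t i = 0; i < NUM_ITEMS; i++)
        otp_values[i] = crc32_bytes(items[i].data, items[i].len);
    otp_written = 1;
    return 0;
}

/* STMM at power-up, before the COS application runs: recompute every check
 * value and compare one by one with the OTP copy. Returns -1 when all match
 * (platform environment trusted, core files intact), the index of the first
 * mismatching item otherwise, or NUM_ITEMS if OTP was never written. */
int stmm_verify_srtm(void) {
    if (!otp_written) return (int)NUM_ITEMS;
    for (size_t i = 0; i < NUM_ITEMS; i++)
        if (crc32_bytes(items[i].data, items[i].len) != otp_values[i]) return (int)i;
    return -1;
}

/* Walk the card life cycle once: personalize, verify, flip one bit of the
 * kernel image, verify again. Returns how many of the 4 outcomes were as expected. */
int run_demo(void) {
    int passed = 0;
    otp_written = 0;                               /* reset the simulated card for a fresh run */
    init_sample_kernel();
    passed += (otp_write_check_values() == 0);     /* first write succeeds */
    passed += (otp_write_check_values() == -1);    /* second write refused: OTP is write-once */
    passed += (stmm_verify_srtm() == -1);          /* pristine card: trusted */
    cos_kernel[10] ^= 0x01;                        /* simulate a modified kernel image */
    passed += (stmm_verify_srtm() == 3);           /* item 3 (COS kernel) no longer matches */
    cos_kernel[10] ^= 0x01;                        /* restore */
    return passed;
}

int main(void) {
    int r = run_demo();
    printf("%d of 4 life-cycle checks behaved as expected\n", r);
    return r == 4 ? 0 : 1;
}
```

Comparing numbered values one by one, rather than a single combined hash, is what lets the STMM report which item disagrees (the third item here), which is the information an error handler needs to distinguish a tampered kernel from, say, a transplanted chip whose serial number differs.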

2.2 Trust chain mechanism

The TCPA trust chain usually starts from a physical trusted root, the CRTM, and passes control of the system on step by step; the whole process relies on the measurement, storage and reporting functions of the TPM chip. This section analyzes trust transfer on the basis of the soft trust root, corresponding to the stage of the TCPA trust chain after POST (power-on self-test). This stage mainly measures the COS code, the card files and the application's operation behavior; lacking a dedicated TPM chip, it relies on the soft metric module and the monitor program (Monitor) instead, and can still achieve good trusted verification. Its feasibility rests on the following factors:

(1) In place of the TPM chip, a number of trusted storage areas defined in the NVM hold the trusted initial values. Each trusted area corresponds one-to-one to a DDF (including the MF) and is hidden from and transparent to the user, substituting for the protected storage function of the TPM chip.

(2) The soft metric module STMM first measures the integrity of the soft trust root SRTM (including the integrity of the STMM itself and of the Monitor) to determine whether the COS platform may be entered; thereafter, the STMM measures the application integrity values of each application on the card to determine whether that particular application may be entered. These application integrity values are derived mainly from each application's file structure, application core code and trusted policy table, and are called the AIVM (Application Integrity Value for Measurement).

(3) A trusted policy table based on a state machine is used to check the trustworthiness of instruction sequences, realizing trusted measurement of operation behavior.

(4) Cards are selected that have security components such as an asymmetric cryptographic coprocessor, a random number generator, a crypto accelerator and security sensors. These security components can fully replace the TPM chip for the corresponding security computations.

(5) Although the trust chain lacks a trusted measurement before the system is loaded, given the security features of the smart card chip and of the reader device themselves, and the reliability measures taken in the application, sensitive information cannot leak from the card before the COS is loaded.

In summary, the structure of the trust chain with the soft metric module is shown in the solid-line part of Figure 2, where STMM is the soft metric module, SRTM the soft trust root, AIVM the application integrity value, Monitor the monitor program, and BOOTROM the chip's start-up self-test code. The storage layout of each part in the chip's memory is shown in Figure 3.

With reference to Figures 2 and 3, three points should be noted:

(1) The soft metric module and the monitor program each exist exactly once in the system, and their integrity is covered by the soft trust root measurement.

(2) The soft metric module verifies the integrity of the file structure, core code and trusted policy table under each application and checks whether they match the corresponding preset initial values, to determine whether the application may be entered. The preset initial values are stored in the trusted storage area under each application.

(3) After the application has been entered, the monitor program, working with the trusted policy table under that application, monitors all instructions or instruction sequences that change the security state, to ensure the trustworthiness of the operation behavior.

2.3 Trusted Authentication Mechanism

This trust-enhanced smart card operating system focuses on providing effective verification means for two aspects of trust, behavior and computing environment, to ensure that user behavior is as intended.

(1) Guarantee of computing environment trust: The computing environment of the smart card COS mainly refers to the application environment in which the COS is used and executed. As described above, a specific application can be entered only after the key parameters in the soft trust root have passed integrity verification. These parameters reflect the basic characteristics of the card and of the card operating system, and can be regarded as the most basic platform computing environment. Once the platform computing environment has been verified as trusted, trust can be passed to the next trusted module, the soft metric module. The soft metric module is responsible for the integrity verification of all applications on the card, including verifying the file structure under the application, the application core code and the integrity value of the trusted policy table, to determine whether the application may be accessed. This phase is in effect trusted verification of the specific application's computing environment.

(2) Guarantee of behavior trust: In the security enhancement of the smart card COS, this paper proposes a state-machine-based monitor program which, combined with the trusted policy table under the application, is responsible for monitoring whether the execution process, i.e. the operation behavior of the instructions, is trustworthy. The basic working principle of this monitor is shown in Figure 4.

The monitor mainly comprises an interrupt input interface, a response output interface and a decision module. The interrupt input interface receives trusted measurement requests from the main program (the application code); the decision module performs a table lookup, makes a judgment according to the rules in the trusted policy table, and returns the response to the main program through the response output interface. In practice the monitor program shares the CPU and other resources with the main program and runs as an interrupt handler. No additional hardware is required on the card; only to speed up the interrupt request, one bit of the chip's security sensor, called the Action Measurement Request (AMR) bit, is borrowed to trigger the monitor's interrupt request.

The monitor relies on the trusted policy table for its judgment. This paper designs a practical trusted policy table, shown in Table 1.

In Table 1, the “Status Switching” column lists all legal security state switches; the “Sequence Counter” and “Instruction Sequence” columns record, respectively, the number of key instruction steps passed through in the transition from the initial state to a target state and the opcodes of all those key instructions; the “Destination Address” column records the physical memory address accessed while the instruction sequence executes. A security state switch in the COS main program (for example, switching from state A to state B, written SA→SB) triggers the monitor interrupt. The monitor's workflow is as follows:

(1) When an instruction executed in the COS main program changes or switches the security state, the system is performing a security-related operation; this sets the AMR bit of the security sensor and triggers the monitor interrupt, i.e. the monitor is requested to perform a behavior trust measurement.

(2) On receiving the AMR interrupt, the monitor starts the service routine that performs the behavior trust measurement. It first reads the current state SB and the previous state SA to obtain SA→SB, and uses SA→SB as an index to search the status switching column of the trusted policy table. If no entry for SA→SB is found in the policy table, the operation is illegal and the monitor switches to error processing; if the entry is found, call it the kth entry and proceed to the next step.

(3) The monitor reads the current sequence counter value (SCV), say m, and compares it with the sequence counter value of the kth entry of the policy table. If they do not match, it switches to error processing; otherwise it continues with the next step.

(4) The monitor reads the most recent instruction queue and checks whether it contains a memory access operation. If so, the physical memory address is recorded as PA=x; if there is no memory access operation, PA=Null is recorded. Let the most recent instruction sequence in the queue be Ir(I1, I2, ..., In) and the “Instruction Sequence” of the kth entry of the policy table be Is(I1, I2, ..., Im). If Ir(I1, I2, ..., In) contains and matches Is(I1, I2, ..., Im), proceed to the next step; otherwise switch to error processing.

(5) The monitor reads the “Destination Address” value of the kth entry of the policy table and compares it with the PA value recorded in step (4). If they differ, it switches to error processing; otherwise it proceeds to the next step.

(6) The monitor clears the AMR bit of the security sensor, ends the interrupt service routine, and returns control to the main program.

Error processing comprises clearing the AMR bit of the security sensor and then issuing a warning, exiting the system application, restarting the chip, or even locking the application or the whole card. The choice among these mandatory measures is left to the user's security decision-making body.
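The six-step workflow above, as an added example written for this page and not code from the paper: a small constructed policy table with the four Table 1 columns, the lookup of SA→SB, the sequence-counter check, the containment check of Is in the recent queue Ir together with the PA=x / PA=Null rule, the destination-address check, and an interrupt wrapper that clears the simulated AMR bit on both the normal and the error path. It also illustrates the point made in Section 2.1.1 (3): since every legal row out of the MF starts at S0, a switch that begins from the ordinary MF login state finds no entry and is rejected. The state names other than S0, the ISO 7816-4 INS bytes used as stand-in opcodes, the addresses and the sample queues are all assumptions; the paper's actual Table 1 is not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Security states. S0 is the trusted initial state set after SRTM verification;
 * S_PLAIN_MF stands for the ordinary MF login state the paper distinguishes it from. */
enum { S0 = 0x00, S1 = 0x01, S2 = 0x02, S_PLAIN_MF = 0x10 };

/* Illustrative key-instruction opcodes (ISO 7816-4 INS bytes), an assumption. */
enum { OP_SELECT = 0xA4, OP_VERIFY = 0x20, OP_READ = 0xB0, OP_UPDATE = 0xD6 };

#define PA_NULL 0xFFFFFFFFu   /* "PA = Null": no memory access in the queue */
#define MAX_SEQ 4
#define Q_LEN(q) (sizeof (q) / sizeof (q)[0])

/* One row of the trusted policy table (the four columns of Table 1). */
typedef struct {
    uint8_t  from, to;          /* Status Switching: SA -> SB */
    uint8_t  seq_count;         /* Sequence Counter */
    uint8_t  seq[MAX_SEQ];      /* Instruction Sequence Is */
    uint32_t dest_addr;         /* Destination Address, PA_NULL if none */
} policy_entry_t;

/* One executed instruction as the monitor sees it in the recent queue Ir. */
typedef struct { uint8_t opcode; uint32_t mem_addr; } instr_t;

typedef enum { MON_OK = 0, MON_ERR_TRANSITION, MON_ERR_SEQ_COUNT,
               MON_ERR_SEQUENCE, MON_ERR_DEST_ADDR } verdict_t;

/* Constructed policy table. Every legal path out of the MF starts at S0, so a
 * switch whose initial state is S_PLAIN_MF has no row and is rejected. */
static const policy_entry_t policy[] = {
    { S0, S1, 2, { OP_SELECT, OP_VERIFY },           PA_NULL     },
    { S1, S2, 3, { OP_SELECT, OP_READ, OP_UPDATE },  0x00000A00u },
};

static uint8_t amr_bit = 0;   /* simulated AMR bit of the security sensor */
int amr_is_set(void) { return amr_bit; }

/* Does the policy sequence Is occur as a contiguous run inside the recent queue Ir? */
static int contains_seq(const instr_t *ir, size_t n, const uint8_t *is, size_t m) {
    if (m > n) return 0;
    for (size_t start = 0; start + m <= n; start++) {
        size_t j = 0;
        while (j < m && ir[start + j].opcode == is[j]) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* Steps (2)-(5): look up SA->SB, then check the counter, the instruction
 * sequence and the destination address against row k. */
verdict_t monitor_measure(uint8_t sa, uint8_t sb, unsigned scv,
                          const instr_t *queue, size_t qlen) {
    const policy_entry_t *k = NULL;
    for (size_t i = 0; i < Q_LEN(policy); i++)
        if (policy[i].from == sa && policy[i].to == sb) { k = &policy[i]; break; }
    if (!k) return MON_ERR_TRANSITION;                   /* step (2) */
    if (scv != k->seq_count) return MON_ERR_SEQ_COUNT;   /* step (3) */
    uint32_t pa = PA_NULL;                               /* step (4): PA of the most recent access */
    for (size_t i = 0; i < qlen; i++)
        if (queue[i].mem_addr != PA_NULL) pa = queue[i].mem_addr;
    if (!contains_seq(queue, qlen, k->seq, k->seq_count)) return MON_ERR_SEQUENCE;
    if (pa != k->dest_addr) return MON_ERR_DEST_ADDR;    /* step (5) */
    return MON_OK;
}

/* Interrupt service wrapper: the state switch sets AMR (step (1)); on the normal
 * path (step (6)) and as the first act of error processing, AMR is cleared again. */
verdict_t monitor_isr(uint8_t sa, uint8_t sb, unsigned scv, const instr_t *q, size_t n) {
    amr_bit = 1;
    verdict_t v = monitor_measure(sa, sb, scv, q, n);
    amr_bit = 0;
    return v;
}

/* Constructed sample instruction queues. */
static const instr_t q_pin_ok[]    = { {OP_SELECT, PA_NULL}, {OP_VERIFY, PA_NULL} };
static const instr_t q_pin_bad[]   = { {OP_SELECT, PA_NULL}, {OP_READ,   PA_NULL} };
static const instr_t q_upd_ok[]    = { {OP_SELECT, PA_NULL}, {OP_READ, 0x0A00u}, {OP_UPDATE, 0x0A00u} };
static const instr_t q_upd_wrong[] = { {OP_SELECT, PA_NULL}, {OP_READ, 0x0A00u}, {OP_UPDATE, 0x0B00u} };

int main(void) {
    static const char *names[] = { "OK", "no such transition", "sequence counter mismatch",
                                   "instruction sequence mismatch", "destination address mismatch" };
    printf("S0->S1 legal PIN path:   %s\n", names[monitor_isr(S0, S1, 2, q_pin_ok, Q_LEN(q_pin_ok))]);
    printf("MF->S1 bypassing S0:     %s\n", names[monitor_isr(S_PLAIN_MF, S1, 2, q_pin_ok, Q_LEN(q_pin_ok))]);
    printf("S0->S1 wrong counter:    %s\n", names[monitor_isr(S0, S1, 3, q_pin_ok, Q_LEN(q_pin_ok))]);
    printf("S0->S1 wrong opcodes:    %s\n", names[monitor_isr(S0, S1, 2, q_pin_bad, Q_LEN(q_pin_bad))]);
    printf("S1->S2 legal update:     %s\n", names[monitor_isr(S1, S2, 3, q_upd_ok, Q_LEN(q_upd_ok))]);
    printf("S1->S2 write elsewhere:  %s\n", names[monitor_isr(S1, S2, 3, q_upd_wrong, Q_LEN(q_upd_wrong))]);
    return 0;
}
```

Returning a distinct verdict per failed step matters for the error processing the paragraph describes: a missing transition (a path into the application that skipped S0) and a destination-address mismatch (the right instructions writing to the wrong memory) are different events, and the decision body can assign them different responses, from a warning up to locking the card.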

3 Conclusion

The soft trust root of the smart card operating system records the static data and code integrity of the platform environment, and its measurement solves the trusted verification of the platform environment well. For the dynamic behavior of the smart card application, that is, the sequence of operation instructions, a monitor program combined with the pre-stored trusted behavior policy monitors it in real time, realizing trusted verification of key security behaviors and thereby making behavior predictable. Development and test experiments show that the soft trust root and the monitor subsystem occupy little system storage space, have little effect on system performance, and achieve good results at low cost.

(Text / School of Computer, Wuhan University, Tu Guoqing)
