United States Patent (19)
Jablon et al.

US005421006A
(11) Patent Number: 5,421,006
(45) Date of Patent: May 30, 1995

(54) METHOD AND APPARATUS FOR ASSESSING INTEGRITY OF COMPUTER SYSTEM SOFTWARE
(75) Inventors: David P. Jablon; Nora E. Hanley, both of Shrewsbury, Mass.
(73) Assignee: Compaq Computer Corp., Houston, Tex.
(21) Appl. No.: 231,443
(22) Filed: Apr. 20, 1994

Related U.S. Application Data
(63) Continuation of Ser. No. 880,050, May 7, 1992.
(51) Int. Cl. ........................ G06F 11/00; H04K 1/00
(52) U.S. Cl. ........................ 395/575; 380/4
(58) Field of Search ............... 395/575, 700, 750, 425; 380/4

(56) References Cited

U.S. PATENT DOCUMENTS
4,309,569   1/1982  Merkle
4,388,695   6/1983  Heinemann ......................... 364/900
4,590,552   5/1986  Guttag
4,651,323   3/1987  Goodman et al. .................... 364/900
4,661,991   4/1987  Logemann
4,685,056   8/1987  Barnsdale, Jr. et al. ............. 364/200
4,698,750  10/1987  Wilkie et al. ..................... 364/200
4,747,040   5/1988  Blanset et al. .................... 364/200
4,819,267   4/1989  Cargile et al. .................... 380/23
4,825,358   4/1989  Letwin et al. ..................... 364/200
4,885,788  12/1989  Takaragi et al. ................... 380/23
4,908,861   3/1990  Brachtl et al. .................... 380/25
4,930,073   5/1990  Cina .............................. 364/300
4,970,504  11/1990  Chen
4,975,950  12/1990  Lentz ............................. 380/4
5,022,077   6/1991  Bealkowski et al. ................. 380/4
5,050,212   9/1991  Dyson ............................. 380/25
5,073,934  12/1991  Matyas et al. ..................... 380/30
5,121,345   6/1992  Lentz ............................. 364/550
5,138,706   8/1992  Melo et al.
5,144,659   9/1992  Jones ............................. 380/4
5,161,122  11/1992  .................................. 365/195
5,175,840  12/1992  .................................. 395/425
5,204,966   4/1993  .................................. 395/800
5,265,164  11/1993  .................................. 380/30
5,278,973   1/1994  O'Brien et al. .................... 395/500

OTHER PUBLICATIONS
Intel 386 SL Microprocessor SuperSet Programmer's Reference Manual, 1990, ISBN 1-55512-129-2.
Compaq Computer Corporation, Security Standard for Hardware Configuration, pp. 1-6, 1990.
Flowchart of Operations of Computers According to the Security Standard for Hardware Configuration.
Chap. 13, Real Time Clock Interface, 386 SL Microprocessor SuperSet System Design Guide by Intel Corporation, pp. 13-1 to 13-2, 1990.
Using Password Security, Operations Guide for Compaq Deskpro 386s Personal Computer by Compaq Computer Corp., pp. 3-5 to 3-7, 1988.

Primary Examiner: W. Beausoliel, Jr.
Assistant Examiner: Joseph E. Palys
Attorney, Agent, or Firm: Pravel, Hewitt, Kimball & Seger
ABSTRACT

A method and device for reliably assessing the integrity of a computer system's software prevents execution of corrupted programs at time of system initialization, enhancing system security. Programs and data comprising the system's trusted software, including all startup processes, are verified before being utilized. Methods to verify the trusted software use a hierarchy of both modification detection codes and public-key digital signature codes. The top-level codes are placed in a protectable non-volatile storage area, and are used by the startup program to verify the integrity of subsequent programs. A trusted initialization program sets a hardware latch to protect the codes in the non-volatile memory from being overwritten by subsequent untrusted programs. The latch is only reset at system restart, when control returns to the bootstrap program. Software reconfiguration is possible with trusted programs that write new top-level codes while the latch is open. The mechanism itself is immune to malicious software attack when the write-protect latch is closed before running untrusted software. Preferred embodiments in an IBM-compatible personal computer use the reset switch to initiate a trusted path between the user and a program. Damage from certain classes of computer virus and Trojan horse attacks is prevented. A system recovery process is described. A related improved method for user authentication uses a read-and-write memory protection latch to prevent access to sensitive authentication data.

19 Claims, 8 Drawing Sheets

IPR2020-01218
Sony EX1011 Page 1

U.S. Patent, May 30, 1995, 5,421,006, Drawing Sheets 1 to 8

[Sheet 1 of 8: block diagram; labels not recoverable from the scan.]

[Sheet 2 of 8: startup flowchart. Boot record was read into memory (50) -> Compatible? -> yes (52) -> Boot code = computed MDC of boot record? -> Close write protect latch -> Run boot record program (64).]

[Sheet 3 of 8: FIG. 3, stored configuration variables, and the trusted authority's key pair.
  Secure configuration (110-114):          Compatible configuration (120-124):
  VARIABLE         VALUE                   VARIABLE         VALUE
  COMPATIBLE       FALSE                   COMPATIBLE       TRUE
  USER ENABLED     TRUE                    USER ENABLED     UNDEFINED
  USER CODE        A6339DE4DBE72231        USER CODE        UNDEFINED
  CONFIG ENABLED   TRUE                    CONFIG ENABLED   UNDEFINED
  CONFIG CODE      15088423267F00BA        CONFIG CODE      UNDEFINED
  Public key / private key (168); offline storage of trusted authority X.]

[Sheet 4 of 8: memory layout diagram. Labels: BIOS (70), boot record (72), read only memory (80); write protectable non-volatile memory (96) holding MDC of boot record; vulnerable memory holding DOS (74, 84, 86), MDC of app., trusted application (76, 90) and untrusted application (92); legend: trusted software (98), untrusted software.]

[Sheet 5 of 8: FIG. 6, hierarchy of codes. Program C (138) and program D (146) carry MDC of list L (148); list L carries MDC of E and MDC of F; program E (140) and program F (142).]

[Sheet 6 of 8: drawing; labels not recoverable from the scan.]

[Sheet 7 of 8: FIG. 9 flowchart. Boot record program -> Read DOS into memory -> DOS MDC = computed MDC of DOS read into memory? -> no: Print error message; yes: Run DOS -> Read application into memory -> Appl. MDC = computed MDC of appl. read into memory? -> Run application.]

[Sheet 8 of 8: FIG. 10 flowchart. Boot record program -> Read DOS into memory -> DOS MDC = computed MDC of DOS read into memory? -> no: Print error message; yes: Application 1 or 2? -> Read application 1 into memory -> Appl. 1 MDC = computed MDC of appl. 1 read into memory? / Read application 2 into memory -> Appl. 2 MDC = computed MDC of appl. 2 read into memory? -> yes: Run application 2.]

METHOD AND APPARATUS FOR ASSESSING INTEGRITY OF COMPUTER SYSTEM SOFTWARE

This is a continuation of co-pending application Ser. No. 07/880,050 filed on May 7, 1992.

BACKGROUND

1. Field of the Invention

This invention relates to an improved method and device for assessing the integrity of computer software during the system initialization process, and preventing incorrect programs from executing. Preferred embodiments of this invention relate to an improved user authentication method, and generally improved computer system security. The invention is useful for preventing damage from certain computer virus and Trojan horse attacks.

2. Background Discussion

The field of computer security spans many interrelated areas, addressing many different problems. Defensive security protective measures can often be quite complex, and in complex systems, an attacker can exploit a "weak link" in the system to circumvent the protective measures. The security of one aspect of the system can thus depend on the strength of protection provided in other areas. This invention primarily assesses software integrity at startup time, and it is intended to enhance rather than replace other security methods. Since it can compensate for other security weaknesses of the system, the resulting benefits go beyond integrity assessment to improve user authentication and other security functions.

As this invention provides the greatest benefit in personal computer systems, the IBM-compatible personal computer (hereinafter referred to simply as the "PC") running the DOS operating system will be used as an example for much of this discussion. But the same benefits can be realized in other computer operating systems and hardware, and appropriately modified implementations will be apparent to those skilled in the art.

As this invention is related to the fields of software protection, software integrity assessment, cryptography, memory protection, and user authentication, we will discuss relevant prior art in each of these areas. The invention includes a unique application of prior art in cryptography and integrity assessment. To clarify the relationship between the relevant fields, we first define some concepts in computer security as used herein, including "trusted software", software "integrity" and software "protection". We will also review some specific security threats including "Trojan horse" and "software virus" attacks, and review the prior art in addressing these threats, distinguishing between protection methods and integrity assessment methods, and describing the useful concept of a "trusted path".

"Trusted software", as used here, is defined to be the subset of all the software used in a system, which is responsible for the correct and reliable operation of the system, and responsible for enforcing a system's security policy. The security policy may include rules for how to authorize access to the system, and rules for determining who can access particular data within the system. The "trust" here is an abstract relative measure. The determination of which software is trusted, and the functions which it is trusted to perform, can vary widely from system to system. Our usage of the term "trusted software" is closely related to the usage in standard computer security literature, including the U.S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). In this literature, the term "trusted computing base" is often used, which is comprised of the trusted software, plus any supporting hardware.

Software "integrity", as used in this discussion, refers to whether the software is as trustworthy as when it was initially installed. We assume that the system is in its most reliable state immediately after a proper installation. System software that has been changed, whether through a deliberate act by an unauthorized person, or through an accidental system malfunction, is said to have undergone an "integrity violation". In such cases, the software should no longer be presumed to operate correctly. Maintaining the integrity of the trusted software is especially important. "Integrity assessment" is the art of determining whether a system's integrity is intact or has been violated. The "trusted software" referred to throughout this discussion is generally trusted at least to not violate the integrity of other parts of the system.

We now introduce an extension to the concept of trusted software, to be called "transient trusted software". This concept applies to systems that start up in a highly trusted state and degrade over time. At a certain point in the operation of a system, the set of trusted software may become vulnerable to attack, and can no longer be relied upon to perform trusted operations. When the system is restarted, integrity assessment measures can be used to revalidate the transient trusted software. In the rest of this document, our use of "trusted software" will generally refer to this "transient trusted software".

Software "protection" is defined here as the art of preventing violations of software integrity. Although this invention is primarily an integrity assessment method, rather than a software protection method, a review of some protection methods will help frame the invention in the context of prior art. The discussion will show how software protection methods in actual use are less than perfect, and how a stronger layer of integrity assessment is needed. (The field of software "protection" should not be confused with the field of software "copy-protection", which addresses the problem of software theft.)

One general class of threat to system security is a "Trojan horse" attack. This is a program that is designed or has been modified to perform some hostile act, but is disguised as a familiar or non-threatening program, or it may be hidden within trusted system programs.

Another general class of security threat is the "software virus". These are hostile software programs, often introduced into systems using a Trojan horse method, with the additional ability to replicate by attaching copies of themselves into other modified programs. These attacks first violate the integrity of software, and then perform a hostile action at a later time.

Whereas the wide-spread threat from software viruses is a relatively new phenomenon, historically, much attention in the computer security field has focused on methods to protect computer system integrity while allowing untrusted programs to run. The field of software protection has generated many mechanisms for securing access to software and data within a system. Multi-ring architectures were designed both to
segregate user processes from each other in multi-user time sharing systems, and to protect trusted operating systems from less-trusted applications. In these systems, special hardware and software mechanisms segregate the software address space into two or more protection "rings". The innermost ring contains the system's most trusted software, and can enforce some of the security policy even in the face of failures of software in outer rings. A good background discussion of protection rings, and a description of an advanced multi-ring architecture, can be found in U.S. Pat. No. 4,787,031.

However, despite the architectural strength of some systems, in actual use, the integrity of trusted software cannot always be guaranteed. In the UNIX operating system, which uses a two-ring architecture, there is a facility for "root" access for processes running in the less-privileged outer ring. With root access, much of the architecture surrounding the inner ring can be bypassed, and any user or process running as root can modify any trusted software. In theory, root access is only used for special security-sensitive operations, but in practice, preventing unauthorized root access is a well-known security problem of the system.

In an IBM-compatible PC system running DOS, which uses the processor's ringless "real" addressing mode, the problem is much worse. There is no architectural constraint preventing any application from corrupting the rest of the system software. Since all DOS programs have access to the same address space as DOS itself, all writable storage areas of the machine are vulnerable to attack. This problem remains even in PC operating systems that switch between real and protected addressing modes of the Intel 386 family of microprocessors, which is discussed in U.S. Pat. No. 4,825,358. (This patent is also cited below in the discussion of prior art in memory-protection devices.) Since such systems generally still provide access to real mode, and for other compatibility reasons, there is always a back-door for bypassing the security features set up in protected mode.

The threat of very sophisticated deliberate attacks against system security has also become a common problem. There is much literature about the problem of PC viruses, and many products have been designed to mitigate their threat. A particularly troublesome form of virus attack is one that is carefully designed to bypass normal system security features. And though there may be no deliberate attempt to infect a given system, there is still a high risk of inadvertent infection.

Because PC DOS systems have no solid memory protection architecture, all writable storage areas of the machine are thus vulnerable to attack. Some examples of vulnerable areas in a PC include the following:

a writable hard disk;
a removable disk, where unauthorized substitution of, or access to the disk is possible;
an inadequately protected storage area on a network server that contains a program to be downloaded to a PC;
a PC which downloads a program into memory from another machine across a network, where the network or the network download protocol has inadequate protection.

To mitigate the virus threat, a wide variety of products have been designed to detect, prevent, and remove viruses. Though prevention of a virus attack is beyond the scope of this invention, part of the need for this invention is that no purely preventive solution is 100% effective, especially in typical PC systems. Software-only protective measures can only offer a limited form of assurance against malicious attack, generally because the protection software and the virus must share the same address space. The protection software is thus vulnerable to a virus attack designed to specifically target the protection program. Thus, even if an existing software product perfectly protects against all current viruses, there is no guarantee that a new virus will not be developed to circumvent the product, and escape detection. Some of the anti-virus products on the market use special hardware to address the problem, but these generally focus on preventing virus infection, rather than assessing integrity. And both hardware and software-only products often rely on the secrecy of the product design or implementation. A virus developer can discover secret design details by reverse engineering the product, and a software attack can be designed to circumvent these solutions.

The field of virus detection provides another level of defense against viruses. If a virus infection has already occurred, it is often possible to detect and remove the virus before more serious damage can occur. This field is related to the more general field of software integrity assessment. Some methods of virus detection, such as searching for data patterns indicating the presence of specific viruses, cannot be used as a general integrity test. But a strong integrity assessment test can offer strong proof that no virus has infected a given program. The use of "modification detection codes", discussed further below, provides a strong test for integrity and viruses.

Software viruses are only one class of security threats that can be introduced to a system with a Trojan horse attack. Other threats include attacks directed at obtaining security-sensitive data, such as passwords.

Accidental corruption of the PC system is also a common problem, typically resolved by a system restart. Somewhat less commonly, a copy of an operating system on disk becomes corrupted, and if the system restarts without detecting the corruption, further damage may occur. Our invention can also detect such accidental system failures.

The "trusted path" feature is an important component of secure systems, designed specifically to eliminate Trojan horse and other threats during security-critical operations, such as a login process. A trusted path unambiguously establishes a secure connection between the user's input device and a trusted program, such that no other hardware or software component can intervene or intercept the communication. This is sometimes implemented with a reserved keyboard key known as the "secure attention key", as is described in U.S. Pat. No. 4,918,653. Trusted path is a required feature of systems evaluated against higher levels of the U.S. Department of Defense TCSEC security standard. The European ITSEC has similar requirements, and there is recent recognition that "trusted path" is needed as a minimal requirement for secure general-purpose commercial systems. One form of this invention provides a trusted path to a login program, using the PC's reset switch as a secure attention key.

Much of the preceding background has suggested a need for integrity assessment methods, and there is relevant prior art in this field as well. A widely used technique is to compute an integrity assessment code on a program, and verify that the code matches a predetermined value before executing the program. We will
discuss two different approaches for computing the integrity assessment code, namely checksums and modification detection codes.

Within the PC, the BIOS program which resides in read-only memory (ROM) is the first program to run when the system starts up. As part of its initialization it looks for other ROM extensions to BIOS, and verifies the checksum of these extension programs before allowing them to be used. This is described in "IBM PC Technical Reference-System BIOS". U.S. Pat. No. 5,022,077 also uses checksums to validate extensions to the PC BIOS program where the extensions reside outside of the ROM. But the real focus of their patent is on protecting the storage area where BIOS extensions are kept, rather than verifying their integrity. And their storage protection method shares the architectural weakness of most software-controlled protection schemes on the PC.

U.S. Pat. No. 4,975,950 claims the invention of checking a system for the presence of a virus at system initialization, and preventing operation if a virus is found. But, rather than defining a virus-detection technique, or an integrity assessment method as in our invention, it uses only "known techniques for checking file size, file checksum, or file signature".

Although checksums are adequate for detecting accidental modifications of data, they are an insecure defense against deliberate modification. It is in fact very easy to modify a message such that it retains the same checksum value, and whole classes of more complex algorithms, including cyclic redundancy checks, suffer from the same problem. To address this problem, "modification detection codes" have been designed to specifically detect deliberate corruption of data, and are superior to earlier methods, such as checksums. Whereas data can be intentionally modified in a manner that preserves a chosen checksum, it is intended to be computationally infeasible to modify data so as to preserve a specific modification detection code value. The security of a good modification detection code algorithm may depend on solving a particularly difficult unsolved mathematical problem, one that has withstood prolonged serious attention by experts in cryptography and mathematics. Modification detection codes are also known by other names in the literature, including: "cryptographic checksum", "cryptographic hash", "secure hash algorithm", and "message digest". There has also been recent progress in finding strong, yet efficient algorithms, including a recent proposed standard algorithm described in "National Institute of Standards and Technology-Proposed FIPS for Secure Hash Standard", Federal Register, Jan. 1992, page 3747.

Modification detection codes are also commonly used in conjunction with the use of "public-key digital signatures", which can authenticate the originator of a message. Creating a digital signature for a message often involves computing a modification detection code for the message, and then a further computation that "signs" the code with a private key held only by the originator of a message. A public key that corresponds to the originator's private key is made widely available. The signature can then be verified by any person who has access to the originator's public key, with a computation that uses the modification detection code, the signature, and the public key. The digital signature technique, a popular example of which is described in U.S. Pat. No. 4,405,829 ("RSA"), is used in an enhanced form of our invention.

Modification detection codes have also been applied to the problem of virus protection on PCs. Recent software products compute modification detection codes on programs and verify them prior to program execution. But software-only protection schemes for PCs suffer from the problem of residing in the unprotected address space. A potential solution is to embed the modification detection code in a permanent read-only memory device, but this makes system reconfiguration quite difficult. Other methods used in software products keep the modification detection code algorithm secret, and take measures to hinder the "reverse engineering" of the protection software. The weaknesses here are that it is difficult to predict how secrecy will be maintained, especially since reverse engineering is not a mathematically intractable problem. Other product announcements have described software-only verification systems using public-key digital signatures, in addition to modification detection codes, to verify programs.

Our invention uses a combination of known techniques, as described above, but it further incorporates a new hardware memory protection latch to make security mechanisms immune to software attack. One result is that our integrity assessment method is immune to the kind of violations it is intended to detect. A review of prior art in memory protection is therefore appropriate.

In this field, a wide variety of software and hardware methods allow the memory address space to be partitioned and allow control over which software has access to individual regions of the memory. These methods generally allow trusted software to both enable and disable the protection mechanism for a given region of memory, and these methods are often tied to central features of the architecture of the system's central processor unit (CPU). The memory protection method in our invention is partly distinguished by only allowing software control in one direction: from unprotected to protected mode.

An add-on memory protection method, structurally similar to the one in our invention, but allowing two-way switching, is described in U.S. Pat. No. 4,388,695. The previously mentioned U.S. Pat. No. 4,825,358 also briefly describes memory protection hardware for a PC, which uses software to enable and disable the protection.

Other patented memory protection schemes that have used a one-way switching latch have been either in the opposite direction, that is only from protected mode to unprotected mode, as in U.S. Pat. No. 4,651,323, or have been designed for a different purpose and are triggered by a different mechanism, as in U.S. Pat. No. 4,685,056.

In the field of user authentication, many methods have been developed, including the common, and often controversial, use of passwords. Rather than review these methods in detail here, the relevant fact is that almost all methods require access to secret user-specific authentication data during the authentication process. To minimize the threat of secret passwords being revealed, it is generally recognized that passwords should be stored in a one-way hashed form to thwart attacks that look for them. But even one-way hashed passwords should be kept secret in order to thwart "brute-force" computational attacks on the known hashed password. Such attacks are especially easy if the password is poorly chosen. The Department of Defense Password Management Guideline, CSC-STD-002-85, April 1985, discusses many of these issues.

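The checksum-versus-modification-detection-code point made above, as an added illustration that is not part of the patent: the additive checksum used to accept PC ROM extensions is re-satisfied by any edit that refreshes the image's pad byte, while a modification detection code (SHA-256 assumed here) is not. The extension images are constructed samples.

```python
"""Why an additive checksum is an insecure integrity test while a
modification detection code (MDC) is not. Added illustration; the ROM
extension images below are constructed, not taken from any real BIOS."""
import hashlib


def checksum8(data: bytes) -> int:
    """Additive 8-bit checksum: the sum of all bytes modulo 256. The classic
    PC option-ROM check requires this sum to be 0 for the whole image."""
    return sum(data) & 0xFF


def mdc(data: bytes) -> str:
    """Modification detection code; SHA-256 stands in for the patent's MDC."""
    return hashlib.sha256(data).hexdigest()


def with_checksum_byte(body: bytes) -> bytes:
    """Append the pad byte that makes checksum8() of the whole image 0, the
    way a ROM extension image is finalised before it is installed."""
    return body + bytes([(-sum(body)) & 0xFF])


def checksum_verifies(image: bytes) -> bool:
    """The BIOS-style test: accept the extension if its bytes sum to 0."""
    return checksum8(image) == 0


def mdc_verifies(image: bytes, stored_code: str) -> bool:
    """The patent's test: accept only if the MDC matches the stored code,
    which would live in the latch-protected non-volatile memory."""
    return mdc(image) == stored_code


# Constructed sample extension image as finalised by its installer.
ORIGINAL = with_checksum_byte(b"ROM extension v1: init disk controller")
STORED_MDC = mdc(ORIGINAL)   # recorded at configuration time, latch open

# A changed copy of the image whose author simply re-finalises the pad byte.
# Because the checksum is additive, any change can be cancelled this way, so
# the checksum gives no assurance against deliberate modification.
MODIFIED = with_checksum_byte(b"ROM extension v2: init disk controller")


def compare() -> dict:
    """What each integrity test says about the original and modified images."""
    return {
        "checksum_original": checksum_verifies(ORIGINAL),
        "checksum_modified": checksum_verifies(MODIFIED),
        "mdc_original": mdc_verifies(ORIGINAL, STORED_MDC),
        "mdc_modified": mdc_verifies(MODIFIED, STORED_MDC),
    }


if __name__ == "__main__":
    for test, accepted in compare().items():
        print(f"{test:18} {'accepts' if accepted else 'rejects'}")
```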
In PC systems, there are many products that use passwords. Of particular interest here are systems that require a password for initial startup of the system, sometimes implemented within the ROM BIOS. Some BIOS password implementations keep a hashed form of the password in an unprotected readable and writable non-volatile memory used to store configuration data, known as the "CMOS RAM", and thus the stored hashed passwords are vulnerable to being read or written by untrusted applications.

In general, integrity assessment is needed in many systems because no purely preventive measures can guarantee that a system will never be corrupted. Even systems that use protected addressing modes have complexities that can be exploited to attack system integrity. A natural time to check system integrity is at startup, and a startup integrity check is particularly beneficial for personal computers since they can be restarted frequently.

The concept of transient trusted software has been introduced to allow systems without a strong protection architecture to nevertheless use strong security methods during system initialization. Our invention assesses the integrity of the trusted software, to discover any corruption as the system starts. The combined hardware and software approach used here makes this method immune to software-only attack, and the security of this method does not depend on keeping secret the design details of either the software or the hardware. This additional integrity guarantee is best used in combination with traditional protection methods to enforce a wide range of security policies.

Standards for evaluating computer system security, such as the TCSEC, require a high level of assurance for a product to be rated at the upper levels. Such systems may be analyzed against a mathematical model of security, and may involve formal proof techniques. The nature of the design of this mechanism suggests that such an analysis may be possible.

In light of this discussion of the prior art, the aforementioned problems with existing security solutio

It is another object of this invention to allow the set of trusted software to be arbitrarily large, and to efficiently assess the integrity of software components.

It is another object of this invention for the hardware component to be fully compatible with existing system software, meaning that the new mechanism can be disabled by software if it is not needed in a specific configuration.

It is another object of this invention to allow a trusted path to be established between the user and a program in response to a signal initiated by the user.

It is another object of this invention to enhance the secrecy of authentication data used in an access-control mechanism, when user authentication software is contained within the trusted initialization software.

In accordance with the above objects, embodiments of the invention highlight different uses of a hardware latch memory protection mechanism. One or more regions of non-volatile memory are provided, in which security-relevant data are stored. Access to a protectable memory region is controlled with a latch mechanism, such that the memory is always both readable and writable when the computer is first started. But during system initialization trusted software closes the latch to protect the memory, and thus prevent all subsequently run programs from reading and/or writing the security-relevant data during normal operation. Once closed, the latch cannot be opened by software control. The latch is only re-opened when the system is restarted, which can occur by either momentarily turning off the power switch, or by pushing a reset switch. When the system is restarted, control of the CPU returns to a trusted startup program in read-only memory.

The memory protection latch mechanism prevents software-only attacks on the stored data during normal operation. This protection remains even if complete knowledge of the system design is available to an attacker.

Embodiments of the invention store data in a protectable memory region during a software configuration process, and use this data to verify system initialization programs before they are run. The computer starts up in
