-
信息技术的高速发展,在带来信息产业空前繁荣的同时,危害信息安全的事件也不断发生,信息安全形势日益严峻。目前有多种保障系统安全的技术,比如系统访问控制、入侵检测技术和防病毒体系等[1],这些技术大都只能提高系统应用层的安全。一个系统能够正常运行的前提是系统本身是安全的,如果系统在启动之前就由于被篡改或破坏等原因进入一种不可信的状态,则基于该系统而建立的任何安全机制都无法确保系统的可信性。传统嵌入式系统的设计很少考虑系统安全问题,存在较多的安全隐患,如用户可通过刷机进入一种不确定的系统状态,或者内核被恶意程序植入而遭篡改,这些操作都可能给用户带来严重的损失和破坏。
目前,已经有一些研究成果可以做到防止内核等关键信息被篡改。本文将现有的可信启动相关研究方法分为两类:一类是需要增加额外硬件辅助,如在PC机领域添置可信平台模块[2, 3, 4](TPM)以及在移动设备终端添置移动可信模块[5, 6, 7, 8, 9, 10](mobile trusted module,MTM)这类安全芯片,在安全芯片中存储启动实体初始的预期度量值,启动时将实体加载到内存中,通过比较初始预期度量值和当前计算值的一致性,确定启动过程是否可以安全继续。该方法为了保护可信启动预期度量值,需要增加额外的可信硬件模块,这将增加硬件开销和成本。而对成本控制非常严格的嵌入式设备,大多没有这样的可信模块。因此,该类方法对于嵌入式系统而言,具有很大的局限性。
另一类可信启动方法是设计只读的块设备存储启动实体[11],启动时从该设备中读取未受更改的实体。因为只读设备中实体在出厂时一次性烧写,所以启动中实体无法被篡改,可保证启动实体的完整性。此方法需要加载的实体一次性烧写,无法实现正常的系统更新。
针对上述问题,本文提出了一种无需增加额外的硬件模块,便可有效保障嵌入式系统启动时可信性的方法。该方法利用完整性验证技术和数字签名技术建立嵌入式可信启动信任链,并可有效地保护预期度量值。这种通过验证签名的技术可以验证启动实体内容的完整性和来源的真实性,简化了硬件设计难度,缩减了开销,在保障可信启动的前提下降低了开发难度,同时做到实体可更新。
-
在计算机系统中,启动过程是系统一切行为的基础。为创建可信执行环境,首先需要明确可信的定义。可信计算组织(trusted computing group,TCG)将可信定义为[12]:如果一个实体的行为总是以预期的方式朝着预期的目标前进,那么这个实体就是可信的。以TCG定义为基础,本文结合嵌入式系统的特征提出了可信启动模型。
定义1 每个启动阶段为一个实体E。
定义2 第一个启动的实体E0,称为信任根,是可信启动信任的基础。
定义3 在启动过程中,实体Ei-1启动实体Ei,其中1≤i≤n。如果启动链中的每一个实体都被验证为可信,则整个启动过程是可信的。在可信启动中,为了确保实体Ei的可信性,必须首先信任Ei-1。可信启动的验证模型为:
$${{E}_{i-1}}\xrightarrow{{{v}_{i-1}}}{{E}_{i}}\text{ }(1\le i\le n)$$ (1) 式中,vi-1作为一个可信验证模块,用于实体Ei-1对Ei的可信性验证。
以信任根为基础逐级验证,最终得到一个可信启动信任链:E0→E1→E2→…→En。
Research on the Trusted-Boot Technology Using Digital Signature Technique
-
摘要: 为保障嵌入式设备系统启动时的可信性,分析了现有可信启动技术对硬件模块严重依赖的现状,结合可信度量和可信链理论,提出了一套基于嵌入式Linux的可信启动方法。该方法以固件IROM作为信任根,利用数字签名和完整性验证技术检查启动实体的完整性和真实性,建立了一条从设备开机到内核启动的信任链。实验结果表明:该方法能有效地验证启动实体的完整性和真实性;与采用硬件模块保护启动实体预期度量值的方法比较,该方法无需增加任何硬件开销便可有效地保护预期度量值;同时保证实体更新时的可信检测。Abstract: Device booting is a critical step and the foundation of trust for embedded systems. Through analyzing related work we find that most current trusted boot technologies rely heavily on the hardware modules such as trusted platform module (TPM). A new trusted boot method is proposed in this paper for embedded Linux system, which is based on the trusted measurement policy and trust chain mechanism. Firstly, this approach takes the firmware IROM as root of trust, which is used to check the integrity and authenticity of the next booting step like BootLoader. Then the BootLoader do the same to the Kernel. So the chain of trust is established from the top of booting to the Kernel. Using the technology of digital signature and Hash algorithm, we implemented the integrity and authenticity checking for each booting entity. The results show that this method can verify the integrity and authenticity of booting entity, and protect the expected metric easily and effectively without other hardware modules. Besides, it ensures the integrity and authenticity of booting entity when they are updated.
-
[1] 冯登国. 可信计算理论与实践[M]. 北京:清华大学出版社, 2013. FENG Deng-guo. Trusted computing theory and practice[M]. Beijing:Tsinghua University Press, 2013. [2] ASOKAN N, EKBERG J E, KOSTIAINEN K, et al. Mobile trusted computing[J]. Proceedings of the IEEE, 2014, 102(8):1189-1206. [3] YU Chao, YUAN Men-ting. Security Bootstrap based on trusted computing[C]//2010 Second International Conference on Networks Security Wireless Communications and Trusted Computing. Washington D C, USA:IEEE Computer Society, 2010:486-489. [4] YU Fa-jiang, ZHANG Huan-guo. Design and implementation of a bootstrap trust chain[J]. Wuhan University Journal of Natural Sciences, 2006, 11(6):1449-1452. [5] Trusted Computing Group. TCG mobile trusted module specification, specification version 1.0, revision 6[EB/OL].[2014-11-26]. http://www.trustedcomputinggroup.org/files/resource_files/87852F33-1D09-3519-AD0C0F141CC6B10D/Revision_6-tcg-mobile-trusted-module-1_0pdf. [6] KAI Tang, XIN Xu, GUO Chun-xia. The secure boot of embedded system based on mobile trusted module[C]//2012 International Conference on Intelligent System Design and Engineering Application. New York, USA:IEEE, 2012:1131-1134. [7] 赵波, 费永康, 向騻, 等. 嵌入式系统的安全启动机制研究与实现[J]. 计算机工程与应用, 2014, 50(10):72-77. ZHAO Bo, FEI Yong-kang, XIANG Shuang, et al. Research and implementation of secure boot mechanism for embedded systems[J]. Computer Engineering and Applications, 2014, 50(10):72-77. [8] 张焕国, 李晶, 潘丹铃, 等. 嵌入式系统可信平台模块研究[J]. 计算机研究与发展, 2011, 48(7):1269-1278. ZHANG Huan-guo, LI Jing, PAN Dan-ling, et al. Trusted platform module in embedded system[J]. Journal of Computer Research and Development, 2011, 48(7):1269-1278. [9] PARNO B, MCCUNE J M, PERRIG A. Bootstrapping trust in commodity computers[C]//2010 IEEE Symposium on Security and Privacy. Oakland, USA:IEEE, 2010:414-429. [10] KHALID O, ROLFES C, IBING A. On implementing trusted boot for embedded systems[C]//2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). New York, USA:IEEE, 2013:75-80. [11] CLARK P C, HOFFMAN L J. A smartcard protected operating system[J]. Communications of the ACM, 1994, 37(11):67-70. [12] Trusted Computing Platform Alliance. TCG PC specific implementation specification, Version1.1[EB/OL].[2014-12-10]. http://www.trustedcomputinggroup.org/files/resource_files/87B92DAF-1D093519AD80984BBE62D62D/TCG_PCSpecificSpecification_v1_1.pdf. [13] SHEN Chang-xiang, ZHANG Huang-guo, FENG Deng-guo, et al. Survey of information security[J]. Science in China Series F:Information Seiences, 2007, 50(3):273-298. [14] FENG Deng-guo, QIN Yu, FENG Wei, et al. The theory and practice in the evolution of trusted computing[J]. Chinese Science Bulletin, 2014, 59(32):4173-4189.