Secure watchdog for embedded systems
Abstract
A watchdog controller securely interrogates a main system CPU of an application module to determine if the main system CPU and its associated programming software are trustworthy. The watchdog controller and the application module preferably reside within a set top box. The watchdog controller includes a watchdog CPU which generates a digitally signed status request message using a watchdog certificate. The status request message is received by the main system CPU and validated for authenticity. The main system CPU then generates a status response message using a system certificate. The status response message is received by the watchdog processor and validated for authenticity. If the status response message is not valid then the watchdog controller preferably triggers a system reset. After the system is reset, a similar attempt is made to receive a valid status response message from the main system CPU. If the status response message is again not valid, then the watchdog CPU triggers the launching of a retrieval software program. The retrieval software accesses a remote content source to download a trusted version of a software stack used to operate the set top box. The trusted version of the software stack replaces a current version of the software stack stored in memory of the application module.
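The signed request/response round and the reset-then-retrieve escalation described in the abstract, as an added illustration in Go that is not the patent's own code: Ed25519 key pairs with pinned public keys stand in for the watchdog and system certificates (no certificate chain is modelled), and the message layout and the random nonce in each request are assumptions added here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// Actions the watchdog takes after a status round.
const (
	ActionOK       = "ok"       // valid response: system trusted
	ActionReset    = "reset"    // first invalid response: trigger a system reset
	ActionRetrieve = "retrieve" // second invalid response: launch retrieval of a trusted stack
)

type Msg struct{ Payload, Sig []byte } // payload plus an Ed25519 signature over it

func sign(priv ed25519.PrivateKey, payload []byte) Msg {
	return Msg{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Watchdog holds its signing key, the pinned system public key (standing in for the
// system certificate), the nonce of the outstanding request and the failure count.
type Watchdog struct{ priv ed25519.PrivateKey; sysPub ed25519.PublicKey; nonce []byte; failures int }

// MakeRequest signs a status request carrying a fresh random nonce (the nonce is an
// assumption added here so that a recorded valid response cannot be replayed).
func (w *Watchdog) MakeRequest() Msg {
	w.nonce = make([]byte, 16)
	rand.Read(w.nonce) // crypto/rand fills the buffer fully or returns an error, never partial output
	return sign(w.priv, append([]byte("STATUS_REQ:"), w.nonce...))
}

// SystemRespond is the main CPU side: accept only requests signed by the watchdog's
// pinned key, then echo the nonce in a response signed with the system key.
func SystemRespond(priv ed25519.PrivateKey, wdPub ed25519.PublicKey, req Msg) (Msg, bool) {
	if !bytes.HasPrefix(req.Payload, []byte("STATUS_REQ:")) || !ed25519.Verify(wdPub, req.Payload, req.Sig) {
		return Msg{}, false
	}
	return sign(priv, append([]byte("STATUS_OK:"), req.Payload[len("STATUS_REQ:"):]...)), true
}

// Check validates signature and nonce, then applies the escalation policy.
func (w *Watchdog) Check(resp Msg) string {
	want := append([]byte("STATUS_OK:"), w.nonce...)
	if bytes.Equal(resp.Payload, want) && ed25519.Verify(w.sysPub, resp.Payload, resp.Sig) {
		w.failures = 0
		return ActionOK
	}
	if w.failures++; w.failures >= 2 {
		return ActionRetrieve
	}
	return ActionReset
}
```

A response that verifies but carries a stale nonce counts as a failure, which is what stops a replayed recording of a healthy system from satisfying the watchdog.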
71 Claims
1. A method of maintaining valid processing functionality, the method comprising:
a. forming a secure status request message by a first processor, wherein the status request message is signed using a digital certificate of the first processor;
b. sending the secure status request message to a second processor;
c. validating an authenticity of the status request message by the second processor;
d. forming a secure status response message by the second processor if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor;
e. sending the secure status response message to the first processor; and
f. validating an authenticity of the status response message by the first processor.
(Dependent claims 2 to 10 not shown.)

11. A device to maintain valid processing functionality, the device comprising:
a. a watchdog controller including a first processor; and
b. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
(Dependent claims 12 to 26 not shown.)

27. A set top box to maintain valid processing functionality, the device comprising:
a. a watchdog controller including a first processor; and
b. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
(Dependent claims 28 to 42 not shown.)

43. A network of devices to maintain valid processing functionality, the network of devices comprising:
a. a remote content source;
b. a watchdog controller coupled to the remote content source, wherein the watchdog controller comprises a first processor; and
c. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
(Dependent claims 44 to 58 not shown.)

59. An apparatus to maintain valid processing functionality, the apparatus comprising:
a. means for forming a secure status request message by a first processor, wherein the status request message is signed using a digital certificate of the first processor;
b. means for sending the secure status request message to a second processor;
c. means for validating an authenticity of the status request message by the second processor;
d. means for forming a secure status response message by the second processor if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor;
e. means for sending the secure status response message to the first processor; and
f. means for validating an authenticity of the status response message by the first processor.
(Dependent claims 60 to 71 not shown.)
Specification