Secure watchdog for embedded systems

US 20040193884A1
Filed: 03/26/2003
Published: 09/30/2004
Est. Priority Date: 03/26/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of maintaining valid processing functionality, the method comprising:

a. forming a secure status request message by a first processor, wherein the status request message is signed using a digital certificate of the first processor;

b. sending the secure status request message to a second processor;

c. validating an authenticity of the status request message by the second processor;

d. forming a secure status response message by the second processor if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor;

e. sending the secure status response message to the first processor; and

f. validating an authenticity of the status response message by the first processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A watchdog controller securely interrogates a main system CPU of an application module to determine if the main system CPU and its associated programming software are trustworthy. The watchdog controller and the application module preferably reside within a set top box. The watchdog controller includes a watchdog CPU which generates a digitally signed status request message using a watchdog certificate. The status request message is received by the main system CPU and validated for authenticity. The main system CPU then generates a status response message using a system certificate. The status response message is received by the watchdog processor and validated for authenticity. If the status response message is not valid then the watchdog controller preferably triggers a system reset. After the system is reset, a similar attempt is made to receive a valid status response message from the main system CPU. If the status response message is again not valid, then the watchdog CPU triggers the launching of a retrieval software program. The retrieval software accesses a remote content source to download a trusted version of a software stack used to operate the set top box. The trusted version of the software stack replaces a current version of the software stack stored in memory of the application module.

23 Citations

View as Search Results

71 Claims

1. A method of maintaining valid processing functionality, the method comprising:
- a. forming a secure status request message by a first processor, wherein the status request message is signed using a digital certificate of the first processor;
  
  b. sending the secure status request message to a second processor;
  
  c. validating an authenticity of the status request message by the second processor;
  
  d. forming a secure status response message by the second processor if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor;
  
  e. sending the secure status response message to the first processor; and
  
  f. validating an authenticity of the status response message by the first processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the status response message indicates that an operating software associated with the second processor is functioning correctly.
  - 3. The method of claim 1 wherein the status response message indicates that an application software associated with the second processor is functioning correctly.
  - 4. The method of claim 1 wherein the status response message indicates that a software stack associated with the second processor is functioning correctly.
  - 5. The method of claim 1 wherein if the status response message is not valid, the method further comprises:
    - g. resetting the second processor; and
      
      h. performing a-f above.
  - 6. The method of claim 5 wherein if the status response message is not valid, the method further comprises:
    - i. retrieving a trusted version of a software stack for the second processor; and
      
      j. replacing a current version of the software stack on the second processor with the trusted version of the software stack.
  - 7. The method of claim 6 wherein retrieving the trusted version of the software stack comprises accessing a remote content source and downloading the trusted version of the software stack from the remote content source.
  - 8. The method of claim 7 further comprising activating a retrieval program, wherein the retrieval program performs the process of accessing the remote content source and downloading the trusted version of the software stack.
  - 9. The method of claim 7 wherein the remote content source is accessed via the Internet.
  - 10. The method of claim 1 wherein if the status response message is not valid, the method further comprises:
    - g. retrieving a trusted version of a software stack for the second processor;
      
      h. replacing a current version of the software stack on the second processor with the trusted version of the software stack;
      
      i. resetting the second processor; and
      
      j. performing a-f above.

11. A device to maintain valid processing functionality, the device comprising:
- a. a watchdog controller including a first processor; and
  
  b. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 12. The device of claim 11 wherein the first processor comprises an embedded processor within the watchdog controller.
  - 13. The device of claim 11 wherein the digital certificate of the first processor is an embedded certificate from the first processor.
  - 14. The device of claim 11 wherein the digital certificate of the second processor is an embedded certificate from the second processor.
  - 15. The device of claim 11 wherein the digital certificate of the first processor is stored within a trusted area of the watchdog controller, and the digital certificate of the second processor is stored within a trusted area of the application module.
  - 16. The device of claim 11 wherein the watchdog controller comprises a board micro controller.
  - 17. The device of claim 11 wherein the second processor comprises a main system central processing unit (CPU).
  - 18. The device of claim 11 wherein the device comprises a consumer electronic device.
  - 19. The device of claim 11 wherein the device comprises a set top box.
  - 20. The device of claim 11 wherein the application module further comprises a secondary memory to store a software stack used to operate the device.
  - 21. The device of claim 20 wherein the status response message from the second processor indicates that the software stack is functioning correctly.
  - 22. The device of claim 20 wherein the application module further comprises an input/output (I/O) interface to couple the device to a remote content source such that if the status response message is not valid, then the application module retrieves a trusted version of a software stack from the remote content source and replaces a current version of the software stack in the secondary memory of the application module with the trusted version of the software stack.
  - 23. The device of claim 22 wherein the secondary memory of the application module includes a retrieval program which is used to perform the process of retrieving the trusted version of the software stack from the remote content source and replacing the current version of the software stack in the secondary memory with the trusted version of the software stack.
  - 24. The device of claim 23 wherein the retrieval program is stored within a trusted area of the secondary memory.
  - 25. The device of claim 22 wherein the I/O interface is coupled to the remote content source via the Internet.
  - 26. The device of claim 11 wherein if the status response message is not valid, then the application module is reset.

27. A set top box to maintain valid processing functionality, the device comprising:
- a. a watchdog controller including a first processor; and
  
  b. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 28. The set top box of claim 27 wherein the first processor comprises an embedded processor within the watchdog controller.
  - 29. The set top box of claim 27 wherein the digital certificate of the first processor is an embedded certificate from the first processor.
  - 30. The set top box of claim 27 wherein the digital certificate of the second processor is an embedded certificate from the second processor.
  - 31. The set top box of claim 27 wherein the digital certificate of the first processor is stored within a trusted area of the watchdog controller, and the digital certificate of the second processor is stored within a trusted area of the application module.
  - 32. The set top box of claim 27 wherein the watchdog controller comprises a board micro controller.
  - 33. The set top box of claim 27 wherein the second processor comprises a main system central processing unit (CPU).
  - 34. The set top box of claim 27 wherein the device comprises a consumer electronic device.
  - 35. The set top box of claim 27 wherein the device comprises a set top box.
  - 36. The set top box of claim 27 wherein the application module further comprises a secondary memory to store a software stack used to operate the device.
  - 37. The set top box of claim 36 wherein the status response message from the second processor indicates that the software stack is functioning correctly.
  - 38. The set top box of claim 36 wherein the application module further comprises an input/output (I/O) interface to couple the set top box to a remote content source such that if the status response message is not valid, then the application module retrieves a trusted version of a software stack from the remote content source and replaces a current version of the software stack in the secondary memory of the application module with the trusted version of the software stack.
  - 39. The set top box of claim 38 wherein the secondary memory of the application module includes a retrieval program which is used to perform the process of retrieving the trusted version of the software stack from the remote content source and replacing the current version of the software stack in the secondary memory with the trusted version of the software stack.
  - 40. The set top box of claim 39 wherein the retrieval program is stored within a trusted area of the secondary memory.
  - 41. The set top box of claim 38 wherein the I/O interface is coupled to the remote content source via the Internet.
  - 42. The set top box of claim 27 wherein if the status response message is not valid, then the application module is reset.

43. A network of devices to maintain valid processing functionality, the network of devices comprising:
- a. a remote content source;
  
  b. a watchdog controller coupled to the remote content source, wherein the watchdog controller comprises a first processor; and
  
  c. an application module including a second processor, wherein the application module is coupled to the watchdog controller such that in operation the first processor generates a secure status request message, wherein the status request message is signed using a digital certificate of the first processor, the first processor sends the secure status request message to a second processor, the second processor validates an authenticity of the status request message, the second processor generates a secure status response message if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor, the second processor sends the secure status response message to the first processor, and the first processor validates an authenticity of the status response message.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 44. The network of devices of claim 43 wherein the first processor comprises an embedded processor within the watchdog controller.
  - 45. The network of devices of claim 43 wherein the digital certificate of the first processor is an embedded certificate from the first processor.
  - 46. The network of devices of claim 43 wherein the digital certificate of the second processor is an embedded certificate from the second processor.
  - 47. The network of devices of claim 43 wherein the digital certificate of the first processor is stored within a trusted area of the watchdog controller, and the digital certificate of the second processor is stored within a trusted area of the application module.
  - 48. The network of devices of claim 43 wherein the watchdog controller comprises a board micro controller.
  - 49. The network of devices of claim 43 wherein the second processor comprises a main system central processing unit (CPU).
  - 50. The network of devices of claim 43 wherein the watchdog controller and the application module comprise a single device.
  - 51. The network of devices of claim 50 wherein the single device comprises a set top box.
  - 52. The network of devices of claim 43 wherein the application module further comprises a secondary memory to store a software stack used to operate the device.
  - 53. The network of devices of claim 52 wherein the status response message from the second processor indicates that the software stack is functioning correctly.
  - 54. The network of devices of claim 52 wherein the application module further comprises an input/output (I/O) interface to couple the application module to the remote content source such that if the status response message is not valid, then the application module retrieves a trusted version of a software stack from the remote content source and replaces a current version of the software stack in the secondary memory of the application module with the trusted version of the software stack.
  - 55. The network of devices of claim 54 wherein the secondary memory of the application module includes a retrieval program which is used to perform the process of retrieving the trusted version of the software stack from the remote content source and replacing the current version of the software stack in the secondary memory with the trusted version of the software stack.
  - 56. The network of devices of claim 55 wherein the retrieval program is stored within a trusted area of the secondary memory.
  - 57. The network of devices of claim 54 wherein the I/O interface is coupled to the remote content source via the Internet.
  - 58. The network of devices of claim 43 wherein if the status response message is not valid, then the application module is reset.

59. An apparatus to maintain valid processing functionality, the apparatus comprising:
- a. means for forming a secure status request message by a first processor, wherein the status request message is signed using a digital certificate of the first processor;
  
  b. means for sending the secure status request message to a second processor;
  
  c. means for validating an authenticity of the status request message by the second processor;
  
  d. means for forming a secure status response message by the second processor if the status request message is valid, wherein the status response message is signed using a digital certificate of the second processor;
  
  e. means for sending the secure status response message to the first processor; and
  
  f. means for validating an authenticity of the status response message by the first processor.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 60. The apparatus of claim 59 wherein the status response message indicates that an operating software associated with the second processor is functioning correctly.
  - 61. The apparatus of claim 59 wherein the status response message indicates that an application software associated with the second processor is functioning correctly.
  - 62. The apparatus of claim 59 wherein the status response message indicates that a software stack associated with the second processor is functioning correctly.
  - 63. The apparatus of claim 59 further comprising means for resetting the second processor if the status response message is not valid.
  - 64. The apparatus of claim 59 further comprising:
    - i. means for retrieving a trusted version of a software stack for the second processor if the status response message is not valid; and
      
      j. means for replacing a current version of the software stack on the second processor with the trusted version of the software stack.
  - 65. The apparatus of claim 64 wherein the means for retrieving the trusted version of the software stack comprises means for accessing a remote content source and means for downloading the trusted version of the software stack from the remote content source.
  - 66. The apparatus of claim 65 further comprising means for activating a retrieval program, wherein the retrieval program performs the process of accessing the remote content source and downloading the trusted version of the software stack.
  - 67. The apparatus of claim 65 wherein the remote content source is accessed via the Internet.
  - 68. The apparatus of claim 59 wherein the first processor is included within a board micro controller.
  - 69. The apparatus of claim 59 wherein the second processor is included within a main system. central processing unit (CPU).
  - 70. The apparatus of claim 59 wherein the device comprises a consumer electronic device.
  - 71. The apparatus of claim 59 wherein the device comprises a set top box.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sony Corporation (Sony Group Corp.), Sony Electronics Inc. (Sony Group Corp.)
Original Assignee
Sony Corporation (Sony Group Corp.), Sony Electronics Inc. (Sony Group Corp.)
Inventors
Dunn, Ted, Molaro, Donald

Application Number

US10/402,167
Publication Number

US 20040193884A1
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/71   to assure secure computing ...

H04N 21/4113   PC

H04N 21/426   Internal components of the ...

H04N 21/42692   for reading from or writing...

H04N 21/4424   Monitoring of the internal ...

H04N 21/4432   Powering on the client, e.g...

H04N 21/8166   involving executable data, ...

Secure watchdog for embedded systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

Secure watchdog for embedded systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links