HIGH ASSURANCE CONFIGURATION SECURITY PROCESSOR (HACSP) FOR COMPUTING DEVICES

US 20180034793A1
Filed: 08/01/2016
Published: 02/01/2018
Est. Priority Date: 08/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing a High Assurance Configuration Security Processor (HACSP) for a computing device, comprising:

ensuring, by the HACSP, security of a user application bitstream load and update during computing device configuration; and

implementing security mechanisms, by the HACSP, for independent secure trusted attestation and integrity measurement mechanisms to report and provide reliable evidence about trustworthiness of the computing device during user bitstream execution without stopping operation and between load and updates

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A High Assurance Configuration Security Processor (HACSP) for a computing device may perform real-time integrity measurements of an actual bitstream run-time performance against what is expected. The HACSP may be self-contained and have a relatively small footprint. The HACSP may be vendor-agnostic, and may be a trusted system application for the computing device. The HACSP may ensure the security of user application bitstream load and update during device configuration, and may implement security mechanisms for independent secure trusted attestation and integrity measurement mechanisms to report and provide reliable evidence about the “trustworthiness” of the system during user bitstream execution.

38 Citations

47 Claims

1. A computer-implemented method for providing a High Assurance Configuration Security Processor (HACSP) for a computing device, comprising:
- ensuring, by the HACSP, security of a user application bitstream load and update during computing device configuration; and
  
  implementing security mechanisms, by the HACSP, for independent secure trusted attestation and integrity measurement mechanisms to report and provide reliable evidence about trustworthiness of the computing device during user bitstream execution without stopping operation and between load and updates
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The computer-implemented method of claim 1, wherein the HACSP is implemented as a trusted system application for the computing device.
  - 3. The computer-implemented method of claim 1, further comprising:
    - implementing, by the HACSP, a secure, verifiable Root of Trust (RoT) for computing device loading, boot-up, initialization, configuration, and during operation.
  - 4. The computer-implemented method of claim 1, further comprising:
    - implementing, by the HACSP, a secure, verifiable Root of Trust (RoT) for secure continuous real-time monitoring of both its own operation and user software execution, for secure continuous real-time internal monitoring of the computing device environment, and for secure continuous real-time internal monitoring of user bitstream execution.
  - 5. The computer-implemented method of claim 1, further comprising:
    - implementing, by the HACSP, a secure, verifiable Root of Trust (RoT) for secure audit/log to track its key, operations, alerts, and execution control alternatives incurred during HACSP operation, and for secure attestation to a remote system security appraiser on its operational status and the status of a user system using secure light cryptography and attestation protocols.
  - 6. The computer-implemented method of claim 1, further comprising:
    - autonomously alarming to a safe state, by the HACSP, based on one or more measurements that reveal critical malfunctions in computing device operations or an active tamper condition.
  - 7. The computer-implemented method of claim 6, wherein the safe state comprises locking down all user operations, but retaining HACSP communication to allow updates for reconfiguration and quotes to provide integrity reports to support appraiser assessment, analysis, and corrective response to malfunction or attack.
  - 8. The computer-implemented method of claim 1, further comprising:
    - receiving, by the HACSP, configuration data for the HACSP and a user application;
      
      using the HACSP configuration data, by the HACSP, to boot up and run; and
      
      subsequently initiating user configuration using the user application configuration data, by the HACSP.
  - 9. The computer-implemented method of claim 8, further comprising:
    - registering of user application monitoring activities, by the HACSP, for user-specific integrity reporting.
  - 10. The computer-implemented method of claim 1, further comprising:
    - after the HACSP is operational, receiving separate encrypted user bitstreams, by the HACSP, for partial computing device configuration using SKAP.
  - 11. The computer-implemented method of claim 1, wherein the HACSP provides a mechanism for building an arbitration layer between a non-secure Rich Execution Environment (REE) and a secure Trusted Execution Environment (TEE).
  - 12. The computer-implemented method of claim 11, wherein the HACSP runs independently of a mission application in the REE.
  - 13. The computer-implemented method of claim 12, wherein the HACSP is non-blocking to the mission application.
  - 14. The computer-implemented method of claim 1, further comprising:
    - performing continuous self-integrity measurements, periodic quotes, and periodic updates, by the HACSP.
  - 15. The computer-implemented method of claim 1, further comprising:
    - performing trusted services for measure, update, and attestation, by the HACSP, for mission bitstream load/operations.
  - 16. The computer-implemented method of claim 15, wherein the trusted services for measure, update, and attestation are performed in real-time.
  - 17. The computer-implemented method of claim 1, further comprising:
    - self-measuring integrity and responding in real-time to computing device alerts, by the HACSP, via a real-time integrity monitor process that is continuously running
  - 18. The computer-implemented method if claim 17, further comprising:
    - invoking updates, logging update responses, invoking quotes, and logging quote responses, by the real-time integrity monitor.
  - 19. The computer-implemented method of claim 1, further comprising:
    - transmitting attestation information, by the HACSP, to a mission proxy appraiser, whereinthe attestation information comprises verification and reporting of bitstream authenticity.
  - 20. The computer-implemented method of claim 1, further comprising:
    - providing, by the HACSP, Environment Security Monitoring (ESM) functionality, Trojan horse Hardware Detection (THD) functionality, Physical Unclonable Functions (PUFs) providing a device authentication randomizer and key generation, or any combination thereof.
  - 21. The computer-implemented method of claim 20, wherein a real-time monitor of the HACSP extends into a mission application Rich Execution Environment (REE) through a TrustZone to enable more precise monitoring of the REE THD, ESM, or both.
  - 22. The computer-implemented method of claim 1, further comprising:
    - providing near real-time monitoring, by the HACSP, to support quotes, lower impact anomalies, and service update and quote processes.
  - 23. The computer-implemented method of claim 1, further comprising:
    - initiating a real-time monitoring function, by the HACSP;
      
      checking a reboot status, by the HACSP, to determine whether a reboot is caused by an error;
      
      when the reboot caused the error, and the error mandates an alert, issuing the alert, by the HACSP; and
      
      when the error is sufficient to mandate an alarm, issuing the alarm, by the HACSP.
  - 24. The computer-implemented method of claim 23, further comprising:
    - resetting a software watchdog timer, by the HACSP, before the real-time monitoring function returns.
  - 25. The computer-implemented method of claim 1, further comprising:
    - performing, by HACSP, integrity measurements hashing for bitstreams and configurations.
  - 26. The computer-implemented method of claim 25, further comprising:
    - obtaining, by the HACSP, a programmable logic (PL) peripheral control registers hash, a PL address control registers hash, a PL memory configuration hash, a HACSP bitstream hash, a TrustZone configuration hash, and a computing device DNA hash; and
      
      performing, by the HACSP, a user-specific measurement process with hash and a user bitstream hash.
  - 27. The computer-implemented method of claim 25, further comprising:
    - hashing, by the HACSP, user bitstreams; and
      
      computing, by the HACSP, an extended hash quote including the hashed user bitstreams.
  - 28. The computer-implemented method of claim 27, wherein the computing of the extended hash quote further comprises including user-specific measure processes that the user has incorporated as registered specific integrity checks are measured.
  - 29. The computer-implemented method of claim 27, wherein device environment variables are measured, hashed, and updated as part of the extended hash quote.
  - 30. The computer-implemented method of claim 1, further comprising:
    - responding, by the HACSP, to real-time critical interrupt-driven error conditions.
  - 31. The computer-implemented method of claim 30, wherein the real-time critical interrupt-driven error conditions comprise a tamper detection loop being broken, program logic fabric memory causing a CRC error, a watchdog timer timeout, a supply voltage or device temperature exceeding a threshold, a user-designated integrity base interrupt deemed critical for ensuring trusted mission operation, or any combination thereof.
  - 32. The computer-implemented method of claim 30, wherein the responding to the real-time critical interrupt-driven error conditions comprises disabling a portion or all of the computing device and requiring a reset to the portion or entirety of the computing device to restore operation.
  - 33. The computer-implemented method of claim 30, further comprising:
    - hashing user bitstreams, user-specific measure processes that the user has incorporated as registered specific integrity checks, and computing device environment variables, by the HACSP; and
      
      computing an extended hash quote, by the HACSP, by including the hashes from the user bitstreams, user-specific measure processes, and computing device environment variables.
  - 34. The computer-implemented method of claim 1, further comprising:
    - initializing the HACSP by loading an initial bitstream;
      
      running a HACSP self-test to verify the initial bitstream with a reference in non-volatile memory (NVM);
      
      storing the measurement and performing attestation measurements;
      
      when the self-test does not pass, providing an alert if an associated problem is resolvable, or an alarm if not resolvable; and
      
      when the self-test passes or the alert is resolvable, initializing dynamic logic to load partial bitstreams, measure partial configurations, and store measurements.
  - 35. The computer-implemented method of claim 1, wherein the HACSP and the user application reside in separate processing cores.

36. A High Assurance Configuration Security Processor (HACSP) computer program embodied on a non-transitory computer-readable medium, the program configured to cause at least one processing core of a computing device to:
- implement security mechanisms for independent secure trusted attestation and integrity measurement mechanisms to report and provide reliable evidence about trustworthiness of the computing device during user bitstream execution without stopping operation.
- View Dependent Claims (37, 38, 39, 40, 41)
- - 37. The computer program of claim 36, wherein the program is further configured to cause the at least one processing core to:
    - implement a secure, verifiable Root of Trust (RoT) for computing device loading, boot-up, initialization, configuration, and during operation.
  - 38. The computer program of claim 36, wherein the program is further configured to cause the at least one processing core to:
    - autonomously alarm to a safe state based on one or more measurements that reveal critical malfunctions in computing device operations or an active tamper condition, whereinthe safe state comprises locking down all user operations, but retaining HACSP communication to allow updates for reconfiguration and quotes to provide integrity reports to support appraiser assessment, analysis, and corrective response to malfunction or attack.
  - 39. The computer program of claim 36, whereinthe HACSP provides a mechanism for building an arbitration layer between a non-secure Rich Execution Environment (REE) and a secure Trusted Execution Environment (TEE), andthe HACSP runs independently of a mission application in the REE.
  - 40. The computer program of claim 36, wherein the program is further configured to cause the at least one processing core to:
    - perform continuous self-integrity measurements, perform updates, and perform attestation for mission bitstream load/operations.
  - 41. The computer program of claim 36, wherein the program is further configured to cause the at least one processing core to:
    - respond to real-time critical interrupt-driven error conditions by disabling a portion or all of the computing device and requiring a reset to the portion or entirety of the computing device to restore operation, whereinthe real-time critical interrupt-driven error conditions comprise a tamper detection loop being broken, program logic fabric memory causing a CRC error, a watchdog timer timeout, a supply voltage or device temperature exceeding a threshold, a user-designated integrity base interrupt deemed critical for ensuring trusted mission operation, or any combination thereof.

42. A computing device, comprising:
- a High Assurance Configuration Security Processor (HACSP) residing as a software application in a first processing core associated with a Trusted Execution Environment (TEE), the HACSP configured to;
  
  monitor user applications in software that runs on a second processing core, andimplement security mechanisms for independent secure trusted attestation and integrity measurement mechanisms to report and provide reliable evidence about trustworthiness of the FPGA during user bitstream execution without stopping operation.
- View Dependent Claims (43, 44, 45, 46, 47)
- - 43. The computing device of claim 42, wherein the HACSP is further configured to:
    - implement a secure, verifiable Root of Trust (RoT) for computing device loading, boot-up, initialization, configuration, and during operation.
  - 44. The computing device of claim 42, wherein the HACSP is further configured to:
    - autonomously alarm to a safe state based on one or more measurements that reveal critical malfunctions in computing device operations or an active tamper condition.
  - 45. The computing device of claim 42, whereinthe HACSP provides a mechanism for building an arbitration layer between a non-secure Rich Execution Environment (REE) and a secure Trusted Execution Environment (TEE), andthe HACSP runs independently of a mission application in the REE.
  - 46. The computing device of claim 42, wherein the HACSP is further configured to:
    - perform continuous self-integrity measurements, perform updates, and perform attestation for mission bitstream load/operations.
  - 47. The computing device of claim 42, wherein the HACSP is further configured to:
    - respond to real-time critical interrupt-driven error conditions by disabling a portion or all of the computing device and requiring a reset to the portion or entirety of the computing device to restore operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aerospace Corporation
Original Assignee
Aerospace Corporation
Inventors
Kibalo, Thomas, Scrofano, Ronald, Deeds, Andrew

Granted Patent

US 10,402,566 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575 Secure boot

HIGH ASSURANCE CONFIGURATION SECURITY PROCESSOR (HACSP) FOR COMPUTING DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

47 Claims

Specification

Use Cases

Quick Links

Others

HIGH ASSURANCE CONFIGURATION SECURITY PROCESSOR (HACSP) FOR COMPUTING DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

47 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others