System and method for protecting integrity of alterable ROM using digital signatures

US 5,802,592 A
Filed: 05/31/1996
Issued: 09/01/1998
Est. Priority Date: 05/31/1996
Status: Expired due to Term

First Claim

Patent Images

1. A system, comprising:

a processor;

a storage device storing an operating system program for execution on the processor;

an alterable read only memory for storing data; and

a corruption detection device for detecting unauthorized changes to data in the alterable read only memory, the corruption detection device reading a signature, encrypted with a private key, that represents a non-corrupted version of data in the alterable read only memory, and further reading, from a secure memory location, a public key for decrypting the signature, the corruption detection device operating to compare the decrypted using public key, signature to a computed signature for detecting an occurrence of an unauthorized change to the data in the alterable read only memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for verifying the integrity of a computer system'"'"'s BIOS programs stored in alterable read only memory (such as FLASH ROM), and preventing malicious alteration thereof. The system and method regularly check the contents of the alterable read only memory using a digital signature encrypted by means of an asymmetrical key cryptosystem.

Citations

28 Claims

1. A system, comprising:
- a processor;
  
  a storage device storing an operating system program for execution on the processor;
  
  an alterable read only memory for storing data; and
  
  a corruption detection device for detecting unauthorized changes to data in the alterable read only memory, the corruption detection device reading a signature, encrypted with a private key, that represents a non-corrupted version of data in the alterable read only memory, and further reading, from a secure memory location, a public key for decrypting the signature, the corruption detection device operating to compare the decrypted using public key, signature to a computed signature for detecting an occurrence of an unauthorized change to the data in the alterable read only memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, further comprising:
    - an unalterable read only memory for storing the public key and for storing a first portion of a bootstrap program for controlling the system during a system initialization and subsequently transferring control of the system to the operating system.
  - 3. The system of claim 2, wherein the data stored in the alterable read only memory comprises a second portion of the bootstrap program.
  - 4. The system of claim 3, further comprising means for validly altering the second portion of the bootstrap program.
  - 5. The system of claim 4, wherein the means for validly altering comprises means for:
    - computing a hash of data constituting a proposed alteration;
      
      reading an encrypted form of a signature representing the data constituting the proposed alteration;
      
      decrypting the signature representing the data constituting the proposed alteration using the public key;
      
      comparing the hash and the decrypted signature and if they match, writing the data constituting the proposed alteration to the second portion of the bootstrap program.
  - 6. The system of claim 5, wherein the means for validly altering comprises a computer program stored in the unalterable read only memory.
  - 7. The system of claim 3, wherein the corruption detection device comprises means, responsive to a triggering event, for:
    - computing a hash of the second portion of the bootstrap program;
      
      reading the encrypted form of the signature and the public key from their storage locations;
      
      decrypting the encrypted form of the signature using the public key; and
      
      comparing the decrypted signature with the hash.
  - 8. The system of claim 7, further comprising means, if the decrypted signature matches the hash, for transferring control from the first portion of the bootstrapping program to the second portion of the bootstrapping program.
  - 9. The system of claim 8, wherein the triggering event is a power-up of the system.
  - 10. The system of claim 8, wherein the triggering event is the actuation of a system reset switch.
  - 11. The system of claim 8, wherein the triggering event is the actuation of a combination of keys on a keyboard coupled to the processor.
  - 12. The system of claim 1, wherein the alterable read only memory is a FLASH ROM.
  - 13. The system of claim 1, further comprising means for actuating the corruption detection device periodically while the system is in operation.
  - 14. The system of claim 1, further comprising means for replacing the public key with a new authorized public key.

15. A method, comprising the steps of:
- storing data in an alterable read only memory of a computer system;
  
  storing in a first memory location in the system an encrypted signature representing a valid copy of the data in the alterable read only memory;
  
  storing in a second memory location in the system a public key to the encrypted signature;
  
  in response to a triggering event, computing a current signature for the data stored in the alterable read only memory, decrypting the signature representing the valid copy using the public key, and comparing the decrypted signature and the current signature to determine the validity of the data stored in the alterable read only memory.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The method of claim 15, wherein the alterable read only memory is a FLASH ROM.
  - 17. The method of claim 15, wherein the triggering event is a power up of the computer system.
  - 18. The method of claim 15, wherein the triggering event is the actuation of a system reset switch.
  - 19. The method of claim 15, wherein the triggering event is the actuation of a combination of keys on a keyboard coupled to the system.
  - 20. The method of claim 15, further comprising a step of storing a first portion of a system bootstrapping program in an unalterable read only memory;
    - and wherein the data stored in the alterable read only memory comprises a second portion of the system bootstrapping code.
  - 21. The method of claim 20, wherein the steps of computing a current signature, decrypting the signature and comparing the decrypted signature and the current signature are performed while the system is under the control of the first portion of the system bootstrapping program.
  - 22. The method of claim 21, further comprising, if the data in the alterable read only memory are valid, passing control of the system from the first portion of the bootstrapping program to the second portion of the bootstrapping program.
  - 23. The method of claim 20, further comprising a step of replacing data in the alterable read only memory with valid replacement data.
  - 24. The method of claim 23, further comprising a step of determining whether a group of candidate replacement data is valid replacement data by:
    - computing a hash of the data constituting the candidate replacement data;
      
      decrypting an encrypted signature representing the data constituting the candidate replacement data;
      
      comparing the hash and the decrypted signature, and if they match, designating the candidate replacement data as valid replacement data.
  - 25. The method of claim 20, wherein the first and second memory locations are in the unalterable read only memory.
  - 26. The method of claim 15, wherein the triggering event is executed periodically during operation of the system.

27. A method for operating a data processing system, comprising steps of:
- partitioning a bootstrap program between an unalterable read only memory device and an alterable memory device;
  
  storing, in the alterable memory device, private key encrypted validity data representing a portion of the bootstrap program stored in the alterable memory device;
  
  storing, in the unalterable read only memory device, a public key for decrypting the private key encrypted validity data;
  
  in response to a triggering event, executing a portion of the bootstrap program stored in the unalterable read only memory device, the executed portion of the bootstrap program first computing validity data for at least some of the content of the alterable memory device, then using the stored public key to decrypt the private key encrypted validity data, and then comparing the decrypted validity data to the computed validity data; and
  
  transferring control of the bootstrap program from the portion stored in the unalterable read only memory device to the portion stored in the alterable memory device only if the result of the comparison indicates that no unauthorized modifications have been made to the content of the alterable memory device.
- View Dependent Claims (28)
- - 28. A method as in claim 27, wherein the alterable memory device is a FLASH ROM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Sorkin, Gregory Bret, White, Steve Richard, Chess, David M.
Primary Examiner(s)
Chan, Eddie P.
Assistant Examiner(s)
BRAGDON, REGINALD GLENWOOD

Application Number

US08/656,626
Time in Patent Office

823 Days
Field of Search

711/102, 711/163, 711/103, 711/164, 395/651-653, 395/186, 395/188.01, 395/183.09, 395/183.12, 395/183.14, 395/183.21
US Class Current

711/164
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 21/572   Secure firmware programming...

G06F 21/64   Protecting data integrity, ...

G06F 2201/83   the solution involving sign...

G06F 2211/008   Public Key, Asymmetric Key,...

G06F 2211/1097   Boot, Start, Initialise, Power

G06F 9/4401   Bootstrapping security arra...

System and method for protecting integrity of alterable ROM using digital signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting integrity of alterable ROM using digital signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links