System and method for image authentication of a resource-sparing operating system

US 7,571,484 B2
Filed: 12/04/2003
Issued: 08/04/2009
Est. Priority Date: 12/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method of file system protection for a resource-sparing operating system image, comprising:

loading, with a client computing device, a first image of the resource-sparing operating system (OS) that includes processor instructions into random access memory (RAM), the first image including an embedded second image of a catalog file comprising client device attributes;

creating, with the client computing device, a first hash of the first image;

extracting with the client computing device a second hash from the second image of the catalog file;

comparing with the client computing device the first hash and the second hash; and

validating with the client computing device the use of the first image to boot the computing device if the first hash and the second hash match.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A file system protection mechanism for an operating system image for a portable computing device is provided to assist in ensuring a good user experience. A signed catalog file is embedded in a resource-sparing operating system (OS), such as a Windows CE image, for security enhancement and load verification purposes. The invention performs various checks on the image and the signature of the image to ensure that image has not been maliciously modified and that it complies with a release standard. Such a mechanism is important to protect image loads from external threats made possible by, e.g. recent incorporation of broadband wireless and wireline connectivity for portable computing devices. The signing technique includes creating a signed catalog of the image and embedding that catalog into the image as it is loaded onto the portable computing device.

28 Citations

View as Search Results

20 Claims

1. A method of file system protection for a resource-sparing operating system image, comprising:
- loading, with a client computing device, a first image of the resource-sparing operating system (OS) that includes processor instructions into random access memory (RAM), the first image including an embedded second image of a catalog file comprising client device attributes;
  
  creating, with the client computing device, a first hash of the first image;
  
  extracting with the client computing device a second hash from the second image of the catalog file;
  
  comparing with the client computing device the first hash and the second hash; and
  
  validating with the client computing device the use of the first image to boot the computing device if the first hash and the second hash match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the comparing includes determining that the first hash and the second hash do not match and blocking the use of the first image to boot the computing device if the first hash and the second hash do not match comprising determining that an operational mode of the computing device is set to a run mode of operation.
  - 3. The method of claim 1, wherein the comparing includes determining that the first hash and the second hash match, and wherein the validating the use of the first image to boot the computing device if the first hash and the second hash match further includes validating a signature certification of the first image.
  - 4. The method of claim 1, further comprising:
    - evaluating a signature certification of the catalog file in the second image to determine if the signature certification of the catalog file is valid and blocking the use of the first image to boot the computing device if the first hash and the second hash do not match including blocking the use of the first image to boot the computing device if the signature certification of the catalog file cannot be validated.
  - 5. The method of claim 4, further comprising determining whether an operational mode of the computing device is set to a run mode of operation.
  - 6. The method of claim 1, further comprising:
    - extracting first make and model attributes from the second image of the catalog file, comparing the first make and model attributes from the second image of the catalog file with second make and model attributes of the computing device, and blocking the use of the first image to boot the computing device if the first hash and the second hash do not match including blocking the use of the first image to boot the computing device if the first make and model attributes do not match the second make and model attributes.
  - 7. The method of claim 6, further comprising determining whether an operational mode of the computing device is set to a run mode of operation.
  - 8. The method of claim 1, further comprising booting the computing device from a third image of a prior resource-sparing OS already loaded in flash memory of the computing device.

9. A portable computing device, comprising:
- flash memory, the flash memory including a protected area and an unprotected area;
  
  a bootloader stored in the protected area of flash memory, the bootloader containing a cryptographic module;
  
  an operating system (OS) image installed in the unprotected area of flash memory;
  
  random access memory (RAM); and
  
  wherein the cryptographic module of the bootloader is operative to examine an update image to the OS image to determine if the update image should be programmed into the unprotected area of flash memory to boot the computing device, wherein a signed catalog image is an image of a signed catalog file and is embedded in the update image, wherein the signed catalog file is derived by signing a catalog file, and wherein the cryptographic module is operative to program the update image into the unprotected area of flash memory boot the computing device based on a determined relationship between information extracted from the embedded signed catalog file and one of information about the components of the computing device and information determined from the update image.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The device of claim 9, wherein the cryptographic module programs the update image into the unprotected area of flash memory when the device is in test mode.
  - 11. The device of claim 9, wherein the bootloader stores the update image in the RAM until the cryptographic module determines that the update image should be programmed into the unprotected area of flash memory to boot the device.
  - 12. The device of claim 11, wherein the cryptographic module calculates a first hash of the update image, extracts a second hash from the catalog file image, and compares the first hash and the second hash, the cryptographic module blocking use of the update image when the first hash and the second hash do not match.
  - 13. The device of claim 11, wherein the cryptographic module extracts a signature certification from the catalog file and attempts to validate the signature certification, the cryptographic module blocking use of the OS image update when the signature certification cannot be validated.
  - 14. The device of claim 11, wherein the operating system (OS) image is an image of an operating system, wherein the update image is an image of an update file to the OS, wherein the cryptographic module is operative to program the update image into the unprotected area of flash memory boot the computing device based on a determined relationship between information extracted from the signed catalog file and information about the components of the computing device by:
    - extracting make and model attributes from the catalog file and comparing them to make and model information for the computing device, andblocking use of the update image when the make and model attributes of the catalog file do not match the make and model attributes of the computing device.
  - 15. The device of claim 11, wherein the bootloader erases a current device image from the unprotected area of flash memory and programs the update image into the unprotected area of flash memory when the cryptographic modules determines that the update image may be used to boot the device.
  - 16. The device of claim 9, wherein a second cryptographic module of a Mira shell is operative upon a reset of the computing device to examine the installed operating system image to determine if the installed operating system image should be used to boot the computing device based on information included in the signed catalog file.
  - 17. The device of computing claim 16, wherein the cryptographic module in the Mira shell calculates a first hash of the installed operating system image, extracts a second hash from the catalog image, and compares the first hash and the second hash, the cryptographic module in the Mira shell blocking use of the update image when the first hash and the second hash do not match.
  - 18. The device of computing claim 16, wherein the cryptographic module in the Mira shell extracts a signature certification from the catalog file and attempts to validate the signature certification, the cryptographic module in the Mira shell blocking use of the installed operating system image when the signature certification cannot be validated.
  - 19. The computing device of claim 16, wherein the cryptographic module in the Mira shell extracts make and model attributes from the catalog file and compares them to make and model information for the computing device, wherein the operating system image is an image of an operating system for the computing device, the cryptographic module in the Mira shell blocking use of the installed operating system image when the make and model attributes of the installed operating system do not match the make and model attributes of the computing device.
  - 20. The computing device of claim 16, wherein the cryptographic module in the Mira shell allows the installed operating system image to be used to boot the computing device when the computing device is in test mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Prabhu, Sudhakar, Kraus, Mark
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US10/727,479
Publication Number

US 20050125407A1
Time in Patent Office

2,070 Days
Field of Search

711/100, 711/101, 711/104, 711/163, 711/216, 382/268, 358/3.28, 726/2, 726 26- 27, 726/1, 713 1- 2, 713/152, 713/165, 713/189, 380/202, 370/229, 370/255, 370/395.32
US Class Current

726/26
CPC Class Codes

G06F 21/575 Secure boot

System and method for image authentication of a resource-sparing operating system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for image authentication of a resource-sparing operating system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links