WO2014090274A1 - Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés - Google Patents
Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés Download PDFInfo
- Publication number
- WO2014090274A1 WO2014090274A1 PCT/EP2012/074940 EP2012074940W WO2014090274A1 WO 2014090274 A1 WO2014090274 A1 WO 2014090274A1 EP 2012074940 W EP2012074940 W EP 2012074940W WO 2014090274 A1 WO2014090274 A1 WO 2014090274A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data processing
- processing device
- application
- sta
- application program
- Prior art date
Links
- 238000012545 processing Methods 0.000 title claims abstract description 52
- 238000000034 method Methods 0.000 title claims abstract description 26
- 239000007858 starting material Substances 0.000 claims abstract description 51
- 230000015654 memory Effects 0.000 claims description 27
- 230000005540 biological transmission Effects 0.000 claims description 5
- 230000003287 optical effect Effects 0.000 claims description 2
- 239000004065 semiconductor Substances 0.000 claims description 2
- 239000013589 supplement Substances 0.000 claims 1
- 230000003936 working memory Effects 0.000 abstract description 6
- 238000003860 storage Methods 0.000 description 7
- 238000004891 communication Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 4
- 241000700605 Viruses Species 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000001681 protective effect Effects 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000005476 soldering Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 238000012800 visualization Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/101—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities
- G06F21/1011—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/107—License processing; Key processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Definitions
- the invention relates to a method for protecting a data processing device against the execution of unauthorized program code according to the preamble of patent claim 1, and to a data processing device with protection against the execution of unauthorized program code according to the preamble of patent claim 11.
- malware In the operation of data processing equipment, malicious programs, such as computer viruses or so-called “Trojans”, which are often referred to under the collective term “malware”, pose a serious threat to both data security and the functionality of data processing equipment and any applications and applications controlled thereby industrial processes.
- Malware eg As additional processes go unnoticed and unauthorized on data processing devices to expire, even manipulated application programs pose a threat, ie those application programs that are indeed used intentionally, but have been manipulated in the meantime and unnoticed by third parties. All of these unwanted programs or programs, routines, code fragments, etc. introduced and executed on data processing devices in a manipulated manner are to be collectively referred to below as "unauthorized program code”.
- the solution to the problem is based on the recognition that typical application programs have hitherto hardly been protected against manipulation of their own routines, for example the communication libraries or other software components, and thus enable attacks.
- today widespread operating systems such as Windows and Linux are often the target of successful attacks / manipulations.
- the operating system loader that is to say that component of the operating system which is used to transmit an application program from a server, mass memory or the like, is used for this purpose.
- a method for protecting a data processing device against the execution of unauthorized program code, wherein the data processing device is equipped with an operating system, and wherein the operating system is equipped with routines for loading application programs into a working memory of the data processing device.
- the operating system routines for loading the application programs into the main memory are replaced by a starter application, the starter application being loaded by a tamper-proof medium, and the starter application being loaded into the main memory of the application memory during the loading of an application program
- Data processing device checks at least one signature of the application program, wherein in the case of missing or faulty signature loading and / or execution of the application program is interrupted or prevented.
- This procedure can be used to ensure that application programs such as automation or engineering software are only loaded and started via the "starter application", so that the starter application has complete control over the has loading application programs.
- the object is also achieved by a data processing device with protection against the execution of unauthorized program code, wherein the data processing device is equipped with an operating system, and wherein the operating system is equipped with routines for loading application programs into a working memory of the data processing device.
- the data processing device is adapted to functionally replace the routines of the operating system for loading the application programs into the main memory by a starter application, wherein the starter application is stored on a tamper-proof medium, and wherein the starter application is set up in the During the loading of an application program into the main memory of the data processing device to check at least one signature of the application program, wherein the starter application is set up such that loading or / and execution of the application program is interrupted or prevented in the event of missing or incorrect signature.
- An optical data carrier or a semiconductor-based read-only memory (“flash card” or the like) with activated write protection is advantageously used as the tamper-proof medium.
- flash card or the like
- the corresponding operating system's own routines and libraries are not completely replaced by the starter application, but the starter application replaces the original routines only with regard to loading and checking the signed and possibly encrypted application programs.
- the original routines of the operating system may then continue to be used in this embodiment for loading "conventional" unsigned software.
- the signature-certificates required for verifying the signature are also loaded by the tamper-proof medium or, alternatively, on another tamper-proof medium, so that interim manipulation of the signature certificates is made more difficult.
- the aim of known computer viruses and other unauthorized applications and thus of unauthorized program code is to attack as many as possible of data processing devices, e.g. to spread. This is prevented or hampered by encrypting each authorized application program specifically for an authorized computing device and before loading it into memory
- Data processing device is decrypted locally by the starter application.
- TPM Trusted Platform Module
- TPM module is permanently connected to the authorized data processing device.
- TPM Identity Credential can be used, which is not normally intended for encryption of software.
- this key is only accessible subject to conditions, which means that a user of a data processing device with a TPM module has to confirm the read-out of this key with a password, which puts another hurdle in the way of attackers or malware.
- Security is further enhanced by using a secure transmission channel between the TPM module and the engineering system to transmit the public key to the deployed system, which means that the operating system and thus malware, the parts of the operating system or of
- a suitable private key of the TPM module is used for decrypting the application program, in which case advantageously the use of the private key should also be enabled by a user of the data processing device, for example by entering a TPM password.
- the single figure shows a schematic representation of an arrangement of a personal computer as a data processing device and a deployment system as a source for an authorized application program.
- the personal computer PC has a RAM (Random Access Memory) and a hard disk HDD (Mass Storage), both of which components are shown in the figure.
- the illustrated personal computer PC of a common hardware with all the usual (not shown here) components.
- the DPL deployment system offers all applications that are necessary for the diverse tasks of an engineering system are, for example editors for system planning and program creation, visualization means and the like.
- an encryption module VSM and a mass storage HDD eg hard disk
- an authorized and intended for use on the personal computer PC application program is provided on the hard disk HDD of the deployment system DPL.
- the application program may consist of a variety of individual routines, libraries, function blocks, or the like.
- a typical approach of known malware is to exchange and share the communication library (e.g., in a DLL) of a user program of personal computers PC.
- the malicious programs installed in this way work according to the "man-in-the-middle"
- the operating system loader of the conventional operating system of the personal computer PC is functionally replaced by a starter application STA, which fulfills the same functionality but can not or only with difficulty be manipulated by loading from a tamper-resistant medium MSS.
- a tamper-resistant medium MSS is shown outside the personal computer PC in the figure, a read-only medium (eg, a CD-ROM) would most likely be inside a PC case in reality.
- the authorized application program (here: automation software) is started only via the starter application STA and thus transferred into the main memory RAM of the personal computer PC.
- the original loading routines of the operating system for the loading of other programs can be used as long as it is ensured that the safety-critical application program can only be updated by inventively signed and possibly encrypted versions.
- the mentioned starter application STA also includes the required libraries, which are necessary for the code of the application program to be executed
- the starter application STA is loaded and started by an unchangeable medium MSS.
- This may be a CD-ROM or DVD-ROM, or for example also a flash memory medium with activated write protection.
- This provides a hardware-based protection against an unauthorized modification of the starter application STA or its program libraries.
- the medium MSS with the starter application STA also has features that allow a source check, e.g. Holograms, seals, signatures or the like
- the tamper-proof medium MSS can also advantageously be placed in a drive or port protected against access, for example behind a "seal".
- the starter application STA is loaded only once, at a time when the personal computer PC can not yet be infected by "malware", ie in particular before activation of a network connection, and then remains in the memory RAM, which is provided for this by means of conventional methods with access protection.
- the starter application STA loads only code signed by the manufacturer of the automation software, ie authorized application programs the memory.
- the starter application carries out a signature check for each application program or program fragment to be loaded, with the necessary signature certificates also advantageously being provided by an unchangeable medium (here: the tamper-proof medium MSS).
- MSS tamper-proof medium
- the authorized application program could in a simple case also be loaded from the tamper-resistant medium MSS, this represents in practice a less practicable approach because any change in the authorized application program would necessitate a physical exchange of the tamper-resistant medium MSS.
- the method described here makes it possible to transmit the application program via potentially insecure data channels, for example network connections or the Internet.
- the deployment system DPL is provided, where the completed and signed application program, e.g. an engineering system that is present on a mass storage HDD. To use the application program this is transmitted via a network connection or by other means of transmission to the personal computer PC and stored there in a mass storage HDD (hard disk).
- the starter application STA loads the application program from the hard disk HDD and checks the signature by comparison by means of a signature certificate, which was loaded by the tamper-proof medium MSS, and installed in the event of success, the application program in the RAM of the personal computer PC. Caching on an HDD of the personal computer PC makes sense, but the user program loaded from the deployment system DPL can also be loaded directly from the starter application STA into the memory of the personal computer PC. Also in this case, the signature verification is performed.
- the authorized application program or at least relevant code parts become specific to the personal computer to be used PC encrypted; in the exemplary embodiment This is done by an encryption module VSM of the deployment system DPL.
- VSM of the deployment system DPL.
- a "malware" would not only have to overcome the signature check (unique solution for all computers to be infected), but also in the Owning the encryption keys for each individual PC system to be infected, carrying encrypted code for all systems to be infected or generating it dynamically, the starter application
- a query directed to the retrieval of the application program request is sent to a software portal of an automation manufacturer of the personal computer PC ("target PC"), in the present embodiment, the deployment system DPL the target for this query message is.
- target PC software portal of an automation manufacturer of the personal computer PC
- the deployment system DPL the target for this query message is.
- a public key is sent along whose private key (ie the private "counterpart") is firmly bound to the personal computer PC.
- a per se known Trusted Platform module TPM is used for the provision of the key. This is identifiable and firmly connected to the personal computer PC, for example, by "soldering". So-called.
- selungs module VSM encryption software
- the authorized application program eg an engineering SW for PLC's - programmable logic controller
- the public key is removed from the Query message encrypted and signed with the private key of the manufacturer of the automation program (application program such as the engineering SW for PLC's).
- the encrypted and signed application program is then transferred to the "target platform”, ie the personal computer PC, where it is stored in the mass storage device HDD, or directly via the starter application STA after the described checks of the signature and the decryption loaded into memory.
- the public key "TPM Identity Credential” is used directly for the encryption of the application program. This is normal
- TPM Trusted Platform Modules
- TPM password an appropriate password
- the described "target-specific” encryption offers in addition to the manipulation protection by attackers or malware additionally the advantage that such encrypted software (encrypted, authorized application program) could indeed be copied, but nowhere else than on the specific personal computer PC can be executed (license protection ).
- Systems requesting an encrypted copy of the application program can be identified by their TPM.
- no attacker can get to the "plain text" of the authorized registration program, because this is not at all unencrypted on mass storage HDD of potentially accessible personal computers PC.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
L'invention concerne un procédé pour la protection d'un appareil de traitement de données (PC) contre l'exécution de programmes utilisateur non autorisés et un appareil de traitement de données (PC) équipé de manière correspondante, l'appareil de traitement de données étant équipé d'un système d'exploitation et le système d'exploitation étant équipé de routines pour le chargement de programmes utilisateur dans une mémoire vive (RAM) de l'appareil de traitement de données. Les routines du système d'exploitation pour le chargement des programmes utilisateur dans la mémoire vive (RAM) sont remplacées ou complétées par une application de démarrage (STA), l'application de démarrage (STA) étant chargée à partir d'un support empêchant toute manipulation frauduleuse (MSS) et l'application de démarrage (STA) testant, au cours du chargement d'un programme utilisateur dans la mémoire vive (RAM) de l'appareil de traitement de données (PC), au moins une signature du programme utilisateur, l'absence de signature ou une signature erronée empêchant ou interrompant un chargement et/ou une exécution du programme utilisateur. Ce procédé permet de garantir qu'un logiciel d'automatisation ne peut plus être démarré que via "l'application de démarrage (STA)" de manière telle que l'application de démarrage (SPA) a le contrôle complet sur les programmes utilisateur à charger. Grâce à la mise à disposition de l'application de démarrage (STA) sur un support de données à l'abri d'une manipulation frauduleuse ou une source de données à l'abri d'une manipulation frauduleuse, une manipulation de l'application de démarrage (STA) peut être empêchée, tous les autres composants du système d'exploitation restant par ailleurs aptes à la mise à jour.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2012/074940 WO2014090274A1 (fr) | 2012-12-10 | 2012-12-10 | Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2012/074940 WO2014090274A1 (fr) | 2012-12-10 | 2012-12-10 | Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014090274A1 true WO2014090274A1 (fr) | 2014-06-19 |
Family
ID=47594614
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2012/074940 WO2014090274A1 (fr) | 2012-12-10 | 2012-12-10 | Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2014090274A1 (fr) |
-
2012
- 2012-12-10 WO PCT/EP2012/074940 patent/WO2014090274A1/fr active Application Filing
Non-Patent Citations (2)
Title |
---|
HIMANSHU PAREEK: "Application Whitelisting: Approaches and Challenges", INTERNATIONAL JOURNAL OF COMPUTER SCIENCE, ENGINEERING AND INFORMATION TECHNOLOGY, vol. 2, no. 5, 31 October 2012 (2012-10-31), pages 13 - 18, XP055072037, ISSN: 2231-3605, DOI: 10.5121/ijcseit.2012.2502 * |
MICHAEL EMANUEL: "Tamper free deployment and execution of software using TPM", 18 October 2012 (2012-10-18), XP055072030, Retrieved from the Internet <URL:http://cs.au.dk/fileadmin/site_files/cs/AA_pdf/Tamper_free_software_using_TPM.pdf> [retrieved on 20130718] * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2899714B1 (fr) | Préparation sécurisée d'une clé | |
EP3557463B1 (fr) | Procédé et environnement d'exécution permettant d'exécuter un code de programme sur un dispositif de commande | |
DE102009013384A1 (de) | System und Verfahren zur Bereitstellung einer sicheren Anwendungsfragmentierungsumgebung | |
DE102014208855A1 (de) | Verfahren zum Durchführen einer Kommunikation zwischen Steuergeräten | |
DE102011081421A1 (de) | System zur sicheren Übertragung von Daten und Verfahren | |
EP2193471A1 (fr) | Procédé et système pour empêcher l'accès à un code machine d'un dispositif | |
DE102014208851A1 (de) | Verfahren zum Verhindern eines unbefugten Betriebs eines Kraftfahrzeugs | |
WO2017102295A1 (fr) | Procédé et module de sécurité pour produire une fonction de sécurité pour un appareil | |
EP3403214B1 (fr) | Procédé et dispositif pour fournir une fonction de sécurité cryptographique pour le fonctionnement d'un appareil | |
EP3314339B1 (fr) | Procédé, serveur, pare-feu, appareil de commande et système pour programmer un calculateur d'un véhicule | |
DE102015201298A1 (de) | Verfahren zum kryptographischen Bearbeiten von Daten | |
EP2434424B1 (fr) | Procédé d'augmentation de la sécurité de services en ligne relevant de la sécurité | |
EP3761202B1 (fr) | Système et procédé de mémorisation d'un ensemble de données à protéger | |
DE102015000895B3 (de) | Verteiltes Bearbeiten von zentral verschlüsselt gespeicherten Daten | |
DE102015202215A1 (de) | Vorrichtung und Verfahren zum sicheren Betreiben der Vorrichtung | |
EP3105899B1 (fr) | Procédé de démarrage d'un système informatique de production | |
WO2014090274A1 (fr) | Procédé et appareil de traitement de données pour la protection contre l'exécution de programmes utilisateur non autorisés | |
EP3422234B1 (fr) | Image de conteneur, produit-programme informatique et procédé | |
EP3812938A1 (fr) | Reconfiguration d'un composant matériel d'un appareil technique | |
EP3595256A1 (fr) | Dispositif et procédé de fonctionnement d'une unité de traitement configurée au moyen du logiciel pour un appareil | |
DE102014208853A1 (de) | Verfahren zum Betreiben eines Steuergeräts | |
EP3534282A1 (fr) | Procédé et module de sécurité permettant l'exécution assistée par ordinateur d'un code de programme | |
DE112022001853T5 (de) | Verbesserte kryptographische systeme und verfahren | |
EP3441898B1 (fr) | Procédé et dispositif de protection d'un logiciel contre un utilisateur non-autorisé | |
EP4141722A1 (fr) | Fonctionnement sécurisé d'un dispositif de commande industriel doté d'un module ia |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12816463 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12816463 Country of ref document: EP Kind code of ref document: A1 |