Virtual file-based tamper resistant repository

摘要

A technique adds virtual file anchoring functionality to a platform by mounting a virtual file system (“system”) to store an anchor file. Binary code to create and run the system is embedded into a trusted application's binary code. Thus, whenever the trusted application executes, the embedded code ensures the system is validated and started or restarted as required. To interrogate the existence of the anchor, it can be read like any other file. To modify the status of the anchor, the name of the associated file is decorated such that instead of modifying the file, foo, the trusted application modifies a pseudo-file, foo#decoration. The decoration varies for each modification operation. To generate the decoration, the algorithm takes as input a time component, e.g. in the form of the last accessed time field of the parent directory where the secure file anchors files reside, and the name of the anchor.

主权项

1. A computer-implemented method for creating and using a virtual file-based tamper resistant repository, comprising:
running code embedded in a trusted application, the embedded code creating and running a virtual file system; sending, by the embedded code, a command to the virtual file system to check the presence of an anchor file in a predefined directory of a persistent store that is communicably coupled to the virtual file system; when the anchor file is present, the embedded code causing the trusted application not to continue to execute or not to run an application of interest; when the anchor file is not present, the embedded code:
sending a command to the virtual file system to return a current access time of the predefined directory; wherein the command causes the virtual file system to store the directory access time to the persistent store;responsive to receiving the directory access time, the embedded code using the directory access time and a known name of the anchor file as input and generating therefrom a unique decoration string intended for the anchor file;adding, by the embedded code, the unique decoration string to the name of the anchor file to create a decorated anchor file name; andsending, by the embedded code, the decorated anchor file name to the virtual file system, causing the virtual file system to validate the decorated anchor file name and to store a decorated anchor file of the same name in the persistent store; wherein one or more steps are performed on at least a processor coupled to at least a memory.