Title: Method and apparatus for assessing integrity of computer system software
Abstract: A method and device for reliably assessing the integrity of a computer system's software prevents execution of corrupted programs at the time of system initialization, enhancing system security. The programs and data comprising the system's trusted software, including all startup processes, are verified before being used. The trusted software is verified using a hierarchy of both modification detection codes and public-key digital signature codes. The top-level codes are placed in a protectable non-volatile storage area and are used by the startup program to verify the integrity of subsequent programs. A trusted initialization program sets a hardware latch to protect the codes in the non-volatile memory from being overwritten by subsequent untrusted programs. The latch is reset only at system restart, when control returns to the bootstrap program. Software reconfiguration is possible with trusted programs that write new top-level codes while the latch is open. The mechanism itself is immune to attack by malicious software when the write-protect latch is closed before untrusted software runs. Preferred embodiments in an IBM-compatible personal computer use the reset switch to initiate a trusted path between the user and a program. Damage from certain classes of computer virus and trojan horse attacks is prevented. A system recovery process is described. A related improved method for user authentication uses a read-and-write memory protection latch to prevent access to sensitive authentication data.
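The abstract describes a verified-startup chain: top-level codes held in write-protectable non-volatile storage, a bootstrap program that checks a hierarchy of modification detection codes and public-key signatures before running anything, a latch closed before untrusted code executes and reopened only by a hardware reset, and reconfiguration by a trusted program while the latch is open. The following simulation is an added example written for this page; it is not the patent's own code and is not Compaq's implementation. It assumes SHA-256 as the modification detection code, textbook RSA over two fixed Mersenne primes as the signature scheme (a toy, not secure), and a Python flag standing in for the hardware latch; the manifest format, function names and sample "programs" are all constructed for illustration.

```python
"""Added example (not from the patent): simulated verified startup with a
latch-protected NVRAM. Toy RSA on fixed primes, for illustration only."""
import hashlib
import json

# Toy RSA root key (assumption: fixed Mersenne primes; never use in production).
_P = 2**61 - 1
_Q = 2**89 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
ROOT_PUBKEY = (_N, _E)


def mdc(data: bytes) -> str:
    """Modification detection code: collision-resistant hash of the data."""
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, d: int = _D, n: int = _N) -> int:
    """Textbook RSA signature over a hash truncated to fit the toy modulus."""
    m = int.from_bytes(hashlib.sha256(data).digest()[:16], "big")
    return pow(m, d, n)


def verify_sig(data: bytes, sig: int, pubkey=ROOT_PUBKEY) -> bool:
    n, e = pubkey
    m = int.from_bytes(hashlib.sha256(data).digest()[:16], "big")
    return pow(sig, e, n) == m


class IntegrityError(Exception):
    pass


class ProtectedNVRAM:
    """Non-volatile store for the top-level codes, guarded by a write-protect
    latch. A closed latch is cleared only by reset(), i.e. a hardware restart
    that hands control back to the bootstrap program."""

    def __init__(self):
        self._cells = {}
        self.latch_closed = False

    def read(self, key):
        return self._cells[key]

    def write(self, key, value):
        if self.latch_closed:
            raise PermissionError("NVRAM write-protect latch is closed")
        self._cells[key] = value

    def close_latch(self):
        self.latch_closed = True

    def reset(self):
        """Hardware reset: reopens the latch; contents persist (non-volatile)."""
        self.latch_closed = False


def make_manifest(programs: dict):
    """Trusted installer: list each program's MDC and sign the list with the root key."""
    manifest = json.dumps({n: mdc(c) for n, c in sorted(programs.items())}).encode()
    return manifest, sign(manifest)


def install(nv: ProtectedNVRAM, manifest: bytes):
    """Write the top-level codes; succeeds only while the latch is open."""
    nv.write("root_pubkey", ROOT_PUBKEY)
    nv.write("manifest_mdc", mdc(manifest))


def bootstrap(nv: ProtectedNVRAM, manifest: bytes, signature: int, programs: dict) -> list:
    """Trusted startup: verify top-down (NVRAM code -> manifest -> signature ->
    each program), then close the latch before any untrusted code runs.
    Returns the verified program names in startup order."""
    try:
        if mdc(manifest) != nv.read("manifest_mdc"):
            raise IntegrityError("manifest does not match top-level code in NVRAM")
        if not verify_sig(manifest, signature, nv.read("root_pubkey")):
            raise IntegrityError("manifest signature invalid")
        verified = []
        for name, digest in json.loads(manifest).items():
            code = programs.get(name)
            if code is None or mdc(code) != digest:
                raise IntegrityError(f"{name} is missing or modified")
            verified.append(name)
        return verified
    finally:
        nv.close_latch()  # fail closed: protect the codes even on a failed boot


def scenario() -> dict:
    """Constructed walk-through: clean boot, blocked overwrite, detected trojan,
    then a legitimate reconfiguration after reset."""
    programs = {"boot_loader": b"jump to kernel", "kernel": b"kernel v1", "shell": b"shell v1"}
    manifest, sig = make_manifest(programs)
    nv = ProtectedNVRAM()
    install(nv, manifest)
    result = {"clean_boot": bootstrap(nv, manifest, sig, programs)}
    try:  # untrusted program tries to replace the top-level code
        nv.write("manifest_mdc", "0" * 64)
        result["overwrite_blocked"] = False
    except PermissionError:
        result["overwrite_blocked"] = True
    nv.reset()  # trojan replaced the kernel; next startup must refuse it
    try:
        bootstrap(nv, manifest, sig, dict(programs, kernel=b"kernel with trojan"))
        result["tamper_detected"] = False
    except IntegrityError:
        result["tamper_detected"] = True
    nv.reset()  # trusted reconfiguration: new codes written while latch is open
    upgraded = dict(programs, kernel=b"kernel v2")
    manifest2, sig2 = make_manifest(upgraded)
    install(nv, manifest2)
    result["reconfig_boot"] = bootstrap(nv, manifest2, sig2, upgraded)
    return result
```

The point the simulation makes is that the only writable path to the top-level codes is the window between hardware reset and the bootstrap program closing the latch, so malware that gains control later can corrupt programs but cannot make the corrupted versions pass the next startup check.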
Publication number: US5421006(A)  Publication date: 1995.05.30
Application number: US19940231443  Filing date: 1994.04.20
Applicant: COMPAQ COMPUTER CORP.  Inventors: JABLON, DAVID P.; HANLEY, NORA E.
IPC classification: G06F1/00; G06F21/00; (IPC1-7): G06F11/00; H04K1/00  Main classification: G06F1/00
Agency:  Agent:
Main claim:
Address: