1. Field of the Disclosure
This disclosure relates generally to security of an information processing system and, more specifically, to integrity checking in an information processing system.
2. Description of the Related Art
Run-time integrity checking (RTIC) provides a security feature where the contents of memory are checked at load time, and then periodically re-checked later to verify that the contents have not changed. However, while some uses of memory, such as a program image, may be static (i.e., not changing over time), other uses of memory may involve changing data, such as stack memory or heap, where such changes are normal and do not indicate a memory integrity problem. Thus, RTIC can yield a false error result when normally changing data is stored in the memory being checked. This type of constantly changing data is not a good candidate for conventional methods of performing run-time integrity checking. Also, changes to memory may occur normally, for example, under an operating system providing virtual memory, in which memory pages are swapped into physical memory when their data are to be accessed and may be swapped out of physical memory into storage, such as on a hard disk drive, when their data do not need to be accessed immediately (where physical memory, as used herein, refers to the main randomly accessible memory of a processing system or a view of that main randomly accessible memory as presented by a cache memory system). If RTIC attempts to check physical memory used for paging of virtual memory, it may find a different virtual memory page swapped into physical memory where a previously resident virtual memory page had been and may indicate that the contents of memory have changed even when the respective virtual memory pages remain unchanged and have merely been swapped in and out of physical memory under the normal operation of the virtual memory system.
Run-time integrity checking is accomplished by generating a hash value over a block of memory and retaining that hash value as a reference hash. Such a hash value may be obtained from a hash function. A hash function mathematically generates a small amount of information (i.e., the hash value) from a large amount of information (e.g., the contents of the block of memory on which the hash function is being performed) in a manner that makes it unlikely that changes, even deliberate changes, to the large amount of information will result in the hash value remaining unchanged. Periodically, a new hash value is generated over the same block of memory, and the new hash value is compared with the reference hash value. If the two hash values are identical, then the memory contents have not changed since the reference hash was generated. A difference between the two hash values indicates that the memory contents have changed. This is typically taken to mean memory corruption, and an error indication is generated (e.g., an interrupt or hardware failure indicator). Calculation of a hash value may also be used to provide secure boot functionality, where the calculated hash value may be compared against a stored hash value of a boot software image to assure that the boot software image has not been altered. However, incompatibility of the hash value used for the RTIC and the hash value used for the secure boot operation, as well as the false error indications that may result from comparison of hash values when data have changed or when virtual memory paging operations have occurred impair the use of such hash values in many situations.
The use of the same reference symbols in different drawings indicates similar or identical items.