Many computer systems process sensitive, confidential and/or valuable information such as medical or financial records, proprietary business data, and licensed multimedia content. The software that runs on these systems is often subject to attack by parties who wish to obtain greater access to the information than they would ordinarily be permitted. In other circumstances, the object of a software attack is simply to obtain greater control over the system hardware itself. An example of the latter situation is a general-purpose computer that is restricted to executing software licensed by the manufacturer (this often occurs in the context of game consoles). The manufacturer may sell such a system at a loss, intending to recover the lost revenue through the sale of game software. However, customers may purchase the machine and subvert the restrictions to get a capable, general purpose computer at an attractive price.
Current methods of controlling acceptable uses of information in a system and/or acceptable uses of the system itself include cryptographic verification of software executing on the machine. Programs may be checked and verified before execution to ensure that the user has not tampered with them, and one verified program can verify and then transfer control to another program, thus extending a chain of trust or establishing a “trust boundary.” Unfortunately, current systems are unable to establish a chain of trust that encompasses every instruction executed by the system. Instead, software that executes early in the system boot process (often a Basic Input/Output System, or “BIOS,” stored in a read-only memory) is implicitly trusted, and serves as a root of trust for subsequent programs. However, BIOS instructions may be subverted relatively easily (for example, “mod chips” are available to remove software restrictions from game consoles). Other attacks may also target similar implicitly-trusted software modules.
One security scheme currently in use is described in the TCG Specification Architecture Overview (revision 1.2, published April 2004 by the Trusted Computing Group, Incorporated). This specification (and related technical documents) describe security threat models, platform support features and anticipated usage scenarios for an enterprise-wide computer system security implementation. This architecture provides a specific, concrete example of a chain-of-trust security system, including the implicitly trusted elements (known as Trusted Building Blocks or “TBBs”) that form the roots or beginnings of the security chains.
New approaches to software verification may permit the establishment of stronger trust chains and place more system functionality within a trust boundary to hinder or prevent the unauthorized use of information and/or system resources.