Computer systems typically use peripheral devices to supplement their functionality. Within this context, the computer system is called a host system and its peripheral devices are called accessories. Accessories are often devices capable of computation, as they are typically built using micro-processors or micro-controllers that can be programmed and re-programmed with program code, micro-code or firmware. The functionality and correct operation of these accessories are reliant on the correctness of the program code that resides in the accessory.
There are occasions when a fielded accessory needs to be upgraded or retrofitted because of a deficiency discovered in the program code. For example, it may be necessary to upgrade a high-risk instrument in high-value applications, such as medical devices. These types of devices are often regulated by the government. When a deficiency is discovered and re-design is underway, a quick stop-gap solution may be available. It may therefore be desirable that such a solution be applied to the devices already deployed in the field.
Individuals may maliciously alter the accessory's program code so that it performs unauthorized operations, from the perspective of the host system, yet fools the host system into believing nothing is amiss by reporting normal behavior. It is desirable that any unauthorized modification of the accessory's program code be detected before an upgrade is applied and that an upgrade is applied only if no such unauthorized modification is detected.
One solution to this problem is to design security into accessories before they are fielded, for example, by using secure micro-controllers that authenticate all micro-code upgrades before being accepted. However, it is sometimes the case that when an accessory is first fielded, security concerns and risk levels are low, but over time, circumstances change such that the risk associated with the unsecured accessory unexpectedly increases. The cost to replace or make hardware changes to the accessory may be deemed too expensive, at which point, the host system has an unsecured accessory in a high-risk environment.
A naïve solution to this problem is to allow the host system to read all of the program code from the accessory, compute a digest using a secure hashing function, and compare the result to some locally maintained digest. There are two problems with this approach. First, the accessory could be reprogrammed such that it maintained a copy of the original program code, usurped read requests from the host system, and returned to the host system the original stored program code image. Second, the program code stored on the accessory may be too large to be effectively transmitted over a slow serial connection, or may not even be remotely accessible. In these instances, it is more effective to calculate a digest to be returned to the host system for validation.
Simply calculating a digest, even using a challenge-response mechanism, may not effectively defeat an altered accessory that is maintaining a copy of the original program code in memory somewhere on the accessory.
It is an object of the present invention to mitigate or obviate at least one of the above mentioned disadvantages.