Computer systems require programs (also known as code) in order to function. As time goes on, new code needs to be installed, and existing code needs to be updated or deleted. In practice, scenarios arise where these changes occur in a somewhat or completely automatic fashion. This is often under the control of someone who is not the direct user of the system, and who is remotely connected to the system via a network or some other means. In these scenarios, this process is called code downloading [or code loading].
As an example, consider a secure coprocessor such as a high-end smart card. Such a device is a small computer system designed to be secure and robust against attack by potentially hostile users or other parties. This security requirement complicates the problem of code installation and update in that code downloading needs to occur only when permitted by an appropriate authority often not colocated with the card. Furthermore, the smart card itself might be physically encapsulated to prevent tamper. This encapsulation generally prevents any maintenance access besides via the computer I/O. It is even difficult to even know how to tell with certainty as to what really is loaded in the card.
It is recognized that a smart card dedicated to a single application might have a simple code structure for enabling permanent code downloads, and to restart a single unit of application code. However, a general-purpose computer (GPC) system introduces more complications in that the code structure is usually very complex. Thus, permanent code in a GPC might support several layers of downloadable code. These may include the program or code that does the downloading, the operating system, and one or more applications. Furthermore, each piece of code might be controlled by a different authority. Since these programs are designed for long-lived operation, code-downloading should preserve the state associated with the execution of existing code. This may include even the code that is being replaced and/or updated.
Code downloading raises two fundamental security issues. Firstly, how to prevent the new code from attacking code that is already installed in the system. Secondly, how to prevent code that is already installed in the system from attacking the new code.
Consideration of general-purpose computer systems raises the additional challenge of providing these properties in a fully general context. This includes conditions when the structure of downloadable code on the system can be fairly complex (and include very fundamental code), and when this structure might include different code-owners who might not trust each other. This has to be accomplished while preserving the operational state of the code whenever possible and reasonable.
Most previous work addresses downloading only for a single level of application code. This is the situation for code-signing work which protects a system from downloaded application code by having developers sign their own code so as to establish its origin. It is also so, for a technique which allows a single application to be downloaded from the same authority that controls the system while additionally having options to retain application state and to somewhat protect the application from a rogue system.
A system may support downloading a linear hierarchy of code. However, replacing one level of code often requires erasing everything associated with that level and above. Furthermore, this approach does not protect the various programs from each other.