The present subject matter relates generally to systems and methods for securely validating and protecting firmware software while maintaining authorized reprogrammability of the firmware software. More specifically, the present subject matter provides systems and methods in which a secure logic device is inserted between a firmware device and a microprocessor-based system, wherein the secure logic device is responsible for validating the firmware in hardware logic before the microprocessor is allowed to start executing the firmware code.
There are many computer systems in which one or more firmware devices control various systems within the computer system. While there are nearly limitless variations of such systems and environments in which they are used, the disclosure provided herein discusses the subject matter in the context of gambling machines. While described in the gambling machine context, it is understood that the teachings provided herein are applicable to any system that incorporates one or more firmware devices with one or more processing devices.
Computer systems for use in gaming and gambling machines are often referred to as “slot machines.” It is usually necessary for slot machines to comply with certain standards defined by government, state, or other regulatory bodies relating to the security of the slot machines, as they handle significant revenue streams. It is usual for there to be security requirements to ensure the machines are not tampered with, for example, to prevent manipulation of payouts to users or prevent tampering with the recording of transactions for the purpose of collecting government gaming taxes from machine operators. Of course, in other contexts, there may be additional or alternative regulatory security requirements.
Slot machine manufacturers also have a strong interest in security in order to protect their intellectual property and prevent cloning of their systems or designs and/or the use of legitimate machines outside of the agreed terms, for example installation of a newer game on a machine without payment. Again, in other contexts, there may be additional or alternative commercial security requirements.
As part of these security requirements (whether commercial or regulatory), it is usually necessary to be able to validate the various software modules associated with a slot machine in order to detect any attempt at tampering or unauthorized change and to prevent the machine from operating when any alteration is detected.
Presently implemented slot machine security is usually complex in nature and comprises many layers to increase the overall strength of the security measures. Virtually all modern slot machines are controlled by some form of computer system internal to the machine. Typically, these computer systems are architecturally compatible with the IBM PC standard.
In electronic systems using microprocessors, there is normally an initial piece of software that is responsible for configuring the hardware and setting up the basic functioning of the system when power is turned on. This form of software is generally referred to as “firmware” as it is generally not changed during system use and is usually stored in non-volatile memory devices so that it is present and available to be used as soon as a system is powered up. A given computer system (or peripheral device) may contain one or more processing devices, so there may be more than one set of firmware and one or more memory devices containing the firmware.
In slot machines based on PC architecture, the firmware for the main processor is referred to as a BIOS (Basic Input-Output System). When a computer system having a BIOS is powered on, the BIOS first configures the hardware and environment. Then, once the BIOS completes its configuration of the hardware and environment, the system “boots” a computer operating system (OS). Finally, the OS executes the game program, which will be responsible for the behavior of the slot machine.
Slot machine manufacturers often incorporate security features inside their game programs. However, these can be reverse-engineered or defeated if not supplemented by additional security measures. For example, it is common for the game program to be located on a different storage device to the OS. The OS is then configured such that it performs a verification of the game storage media before it executes any program contained on it. If this verification fails, then the system halts. This security feature prevents alteration of the media containing the game and potential modification or insertion of malicious software. However, this can be defeated if an attacker is able to modify the OS media and either remove or modify the software responsible for verifying the game media. Therefore, it is necessary to also verify the integrity of the OS media before it is booted. To do this, it is usual for the BIOS to verify the OS media before it attempts to boot the OS contained on it. Again, if a change is detected the system halts, preventing any unauthorized use.
Finally, it is further necessary to verify that the BIOS itself has not been altered in any way, for example to remove the verification of the OS media to allow the booting of altered software. As the BIOS is the first piece of software to be executed after the system is started up, there has been no alternative other than to modify the BIOS so that it performs a check on itself. There are several drawbacks to this approach.
First, any program that is responsible for validating itself is open to attack. If an attacker can identify the code that performs the self-validation, it is possible to alter or eliminate it and allow the execution of further unauthorized code, namely modified OS software and/or game software. Second, modifying a BIOS to add the code to verify itself is often a complex procedure, as BIOS software requires expert knowledge of computer hardware and low-level programming.
As can be understood from the explanation above, providing strong security to the computer system within a slot machine is a complex process and can be defeated by an attack on the lowest piece of software in the chain—the BIOS. Accordingly, there is a need for systems and methods to improve firmware security whilst providing a simple mechanism by which authorized updates to the BIOS can be performed.
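The following is an added worked model, not code from the disclosure, of the chain of verification described above (game media verified by the OS, OS media verified by the BIOS) together with the two ways of validating the BIOS itself: a self-check embedded in the BIOS image, and the validation-in-hardware approach summarised at the start, in which a secure logic device holding its own reference digest checks the firmware device before releasing the processor. All image contents, digests and the use of SHA-256 as the comparison are constructed assumptions; the disclosure does not specify the validation function, the image layout or how the device stores its reference value.

```python
"""Constructed model of a firmware chain of trust (not the disclosure's implementation)."""
import hashlib
from typing import List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the real binaries on each storage device.
GENUINE_BIOS = b"BIOS v1: init hardware; verify OS media digest; boot OS"
TAMPERED_BIOS = b"BIOS v1': init hardware; boot OS without verifying it"
OS_MEDIA = b"OS image: verify game media digest; run game program"
GAME_MEDIA = b"game program"

# In the real chain these reference values live inside the BIOS and the OS
# respectively; here they are module constants for brevity (assumption).
EXPECTED_OS_DIGEST = sha256_hex(OS_MEDIA)
EXPECTED_GAME_DIGEST = sha256_hex(GAME_MEDIA)

# ---- Approach 1: in-band self-check, the BIOS image carries its own digest ----
SELF_TAG = b"|SELF:"

def build_self_checking_image(payload: bytes) -> bytes:
    """Append the payload's digest so the image can check itself at start-up."""
    return payload + SELF_TAG + sha256_hex(payload).encode()

def self_check(image: bytes) -> bool:
    """The check the BIOS would run on itself; it trusts a digest stored in the image."""
    payload, sep, embedded = image.rpartition(SELF_TAG)
    return bool(sep) and sha256_hex(payload) == embedded.decode()

def self_check_comparison() -> Tuple[bool, bool]:
    """Shows why a self-check is not protection: a replaced image built the same
    way validates itself just as successfully as the genuine one."""
    genuine = build_self_checking_image(GENUINE_BIOS)
    replaced = build_self_checking_image(TAMPERED_BIOS)
    return self_check(genuine), self_check(replaced)  # (True, True)

# ---- Approach 2: out-of-band validation by a secure logic device ----
class SecureLogicDevice:
    """Model of the device sitting between the firmware device and the processor.
    It holds a reference digest the processor cannot rewrite, reads the firmware
    device at power-on, and keeps the processor in reset unless the digest matches."""

    def __init__(self, reference_digest: str):
        self._reference_digest = reference_digest
        self.processor_in_reset = True

    def power_on(self, firmware_contents: bytes) -> bool:
        """Return True when the processor is released to execute the firmware."""
        self.processor_in_reset = sha256_hex(firmware_contents) != self._reference_digest
        return not self.processor_in_reset

def external_validation_comparison() -> Tuple[bool, bool]:
    """The same two images, judged by a reference the image itself cannot influence."""
    device = SecureLogicDevice(sha256_hex(GENUINE_BIOS))
    return device.power_on(GENUINE_BIOS), device.power_on(TAMPERED_BIOS)  # (True, False)

# ---- The full chain: device -> BIOS -> OS media -> game media ----
def verify_media(contents: bytes, expected_digest: str) -> bool:
    return sha256_hex(contents) == expected_digest

def boot_chain(bios: bytes, os_media: bytes, game_media: bytes,
               device: SecureLogicDevice) -> List[str]:
    """Run each stage in order; the machine halts at the first failed verification."""
    stages: List[str] = []
    if not device.power_on(bios):
        return stages + ["halt: firmware rejected by secure logic device"]
    stages.append("bios")
    if not verify_media(os_media, EXPECTED_OS_DIGEST):
        return stages + ["halt: OS media altered"]
    stages.append("os")
    if not verify_media(game_media, EXPECTED_GAME_DIGEST):
        return stages + ["halt: game media altered"]
    stages.append("game")
    return stages

if __name__ == "__main__":
    print("self-check (genuine, replaced):", self_check_comparison())
    print("hardware validation (genuine, replaced):", external_validation_comparison())
    dev = SecureLogicDevice(sha256_hex(GENUINE_BIOS))
    print("genuine chain:", boot_chain(GENUINE_BIOS, OS_MEDIA, GAME_MEDIA, dev))
    print("replaced BIOS:", boot_chain(TAMPERED_BIOS, OS_MEDIA, GAME_MEDIA, dev))
    print("altered game:", boot_chain(GENUINE_BIOS, OS_MEDIA, b"other game", dev))
```

The contrast between `self_check_comparison` and `external_validation_comparison` is the point of the model: a check whose reference value travels with the thing being checked is only as strong as the write protection on that storage, whereas a reference held in a separate device, compared before the processor ever executes the firmware, cannot be removed by editing the BIOS image. The `boot_chain` function then shows that each later stage (OS media, game media) still depends on the stage before it performing its verification, which is why the first link has to be anchored outside the software it protects.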