CN-114761957-B - Apparatus and method for controlling access to data stored in untrusted memory
Abstract
The present invention provides an apparatus and method for controlling access to data stored in an untrusted memory. The apparatus has a memory access circuit for controlling access to data stored in the untrusted memory, and a memory security circuit for verifying the integrity of the data stored in the untrusted memory. The memory security circuit has an authentication code generation circuit for generating an authentication code to be associated with the data stored in the untrusted memory for use in verifying the integrity of the data. The apparatus also has a trusted storage, and the authentication code generation circuit is arranged to generate a different authentication code depending on whether the authentication code is to be stored in the untrusted memory or in the trusted storage. Specifically, for a given data block for which an associated authentication code is to be generated, the authentication code generation circuit is arranged to generate a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and to generate a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage. This makes it possible to use the resources of the trusted storage more effectively.
Inventors
- H. Montana MAS
- A. L. Sandberg
- R. AVANZI
Assignees
- ARM Limited
Dates
- Publication Date: 20260421
- Application Date: 20201112
- Priority Date: 20191210
Claims (20)
- 1. An apparatus for controlling access to data stored in an untrusted memory, the apparatus comprising: memory access circuitry for controlling access to data stored in the untrusted memory; a memory security circuit for verifying the integrity of data stored in the untrusted memory; and a trusted storage; wherein the memory security circuit has an authentication code generation circuit to generate an authentication code to be associated with the data stored in the untrusted memory for use in verifying the integrity of the data; and wherein, for a given block of data for which an associated authentication code is to be generated, the authentication code generation circuitry is arranged to generate a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and to generate a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage.
- 2. The apparatus of claim 1, wherein: the apparatus resides within a trust domain and the untrusted memory is outside of the trust domain; and the authentication code generation circuitry is arranged to generate the second authentication code in a manner that ensures that the second authentication code cannot be inferred from information residing outside the trust domain.
- 3. The apparatus of claim 1 or claim 2, wherein: the authentication code generation circuit is arranged to employ an authentication code generation process which depends on which of the first and second authentication codes is being generated to ensure that the second authentication code generated for the given data block cannot be inferred from the visibility of the first authentication code for the given data block.
- 4. The apparatus of claim 3, wherein the authentication code generation process is dependent on an item of secret data, and the authentication code generation circuit is arranged to cause a first item of secret data to be used when generating the first authentication code and to cause a second item of secret data to be used when generating the second authentication code, wherein the second item of secret data is different from the first item of secret data.
- 5. An apparatus according to claim 1 or claim 2, wherein the authentication code generation circuit is arranged to generate the second authentication code by applying an algorithm using the given data block as an input.
- 6. An apparatus according to claim 1 or claim 2, wherein the authentication code generation circuit is arranged to generate the second authentication code by applying an algorithm using the first authentication code as one input.
- 7. An apparatus according to claim 1 or claim 2, wherein the authentication code generation circuit is arranged to generate the second authentication code by employing an algorithm that generates an intermediate authentication code of the first size and then applying another procedure to generate the second authentication code of the second size from the intermediate authentication code.
- 8. The apparatus of claim 7, wherein the other procedure is a truncation process, such that the second authentication code is a truncated version of the intermediate authentication code.
- 9. The apparatus of claim 1 or claim 2, wherein the trusted storage is organized as a cache to store a second authentication code for a subset of the data blocks stored in the untrusted memory.
- 10. The apparatus of claim 9, wherein when generating the second authentication code to be stored in the trusted storage, the authentication code generation circuitry is arranged to also generate the first authentication code and store the generated first authentication code in the untrusted memory, whereby upon eviction of any second authentication code from the trusted storage, the corresponding first authentication code is present in the untrusted memory.
- 11. The apparatus of claim 9, wherein when generating the second authentication code to be stored in the trusted storage, the authentication code generation circuitry is arranged not to store the first authentication code in the untrusted memory, and when evicting any second authentication code from the trusted storage, the authentication code generation circuitry is arranged to generate a corresponding first authentication code for storage in the untrusted memory.
- 12. The apparatus of claim 1 or claim 2, wherein: when reading a data block from the untrusted memory, the memory security circuit is arranged to determine whether the associated authentication code is stored as a second authentication code in the trusted storage and, if so, to verify the integrity of the read data block using the second authentication code in the trusted storage.
- 13. The apparatus of claim 1 or claim 2, wherein: the memory security circuit is arranged to retrieve the first authentication code from the untrusted memory when a data block is read from the untrusted memory and upon determining that the associated authentication code is not stored as a second authentication code in the trusted storage, and to employ the retrieved first authentication code when verifying the integrity of the read data block.
- 14. The apparatus of claim 13, wherein: the memory security circuit is arranged to employ the authentication code generation circuit to: apply a second code generation algorithm to generate a reference second authentication code from the retrieved first authentication code; and generate a comparison second authentication code by first generating a comparison first authentication code from the read data block and then applying the second code generation algorithm using the comparison first authentication code; wherein the memory security circuit is arranged to verify the integrity of the read data block by comparing the reference second authentication code with the comparison second authentication code.
- 15. The apparatus of claim 1 or claim 2, wherein: the authentication code generation circuit is arranged to generate the second authentication code by applying an algorithm using the first authentication code as an input; and the authentication code generation circuit is responsive to the first authentication code retrieved from the untrusted memory to generate a corresponding second authentication code for storage in the trusted storage without reference to the associated data block.
- 16. The apparatus of claim 1 or claim 2, wherein: the authentication code generation circuit is arranged to apply a first process to generate the first authentication code and a second process to generate the second authentication code, the first and second processes sharing a common initial portion.
- 17. The apparatus of claim 16, wherein: the common initial portion includes performing a hash function on the data block using an input key to produce an intermediate value; the authentication code generation circuit is arranged to complete the first process by encrypting the intermediate value using first secret data to generate the first authentication code; and the authentication code generation circuit is arranged to complete the second process by encrypting the intermediate value using second secret data to generate the second authentication code.
- 18. The apparatus of claim 17, wherein: the authentication code generation circuit is arranged to generate the second authentication code by applying an algorithm using the first authentication code as an input; and the authentication code generation circuitry is responsive to the first authentication code retrieved from the untrusted memory to generate a corresponding second authentication code for storage in the trusted storage without reference to the associated data block; wherein the authentication code generation circuit is arranged to generate the second authentication code by decrypting the first authentication code using the first secret data to generate the intermediate value and then encrypting the intermediate value using the second secret data to generate the second authentication code.
- 19. A method of controlling access to data stored in an untrusted memory, the method comprising: generating an authentication code to be associated with the data stored in the untrusted memory using an authentication code generation circuit; verifying the integrity of the data with reference to the authentication code; providing trusted storage means; and, for a given block of data for which an associated authentication code is to be generated, arranging the authentication code generation circuitry to generate a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and to generate a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage means.
- 20. An apparatus for controlling access to data stored in an untrusted memory, the apparatus comprising: memory access means for controlling access to data stored in the untrusted memory; memory security means for verifying the integrity of data stored in the untrusted memory; and trusted storage means; wherein the memory security means has authentication code generation means for generating an authentication code to be associated with the data stored in the untrusted memory for use in verifying the integrity of the data; and wherein the authentication code generation means is responsive to a given data block for which an associated authentication code is to be generated, for generating a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and for generating a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage means.
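The following sketch is an added example, not code from the patent or from ARM; it models in software the two-size scheme of claims 7-8 and 12-18 above. Assumptions: HMAC-SHA256 as the keyed hash, a toy 4-round Feistel permutation standing in for the encryption step, 64-bit and 32-bit code sizes, truncation applied after the second encryption, and a Python dict as the trusted cache.

```python
import hashlib
import hmac

MAC1_BYTES, MAC2_BYTES = 8, 4  # assumed sizes: 64-bit first code, 32-bit second code

def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, decrypt=False):
    """Toy 4-round Feistel permutation on 8 bytes; a stand-in for the cipher."""
    l, r = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r

def intermediate(hash_key, data):
    """Common initial portion (claims 16-17): keyed hash of the data block."""
    return hmac.new(hash_key, data, hashlib.sha256).digest()[:MAC1_BYTES]

def first_code(hash_key, k1, data):
    """Full-size code for untrusted memory: intermediate encrypted under k1."""
    return feistel(k1, intermediate(hash_key, data))

def second_code(hash_key, k2, data):
    """Smaller code for trusted storage: encrypt under k2, then truncate (claims 7-8)."""
    return feistel(k2, intermediate(hash_key, data))[:MAC2_BYTES]

def second_from_first(k1, k2, mac1):
    """Claim 18: decrypt mac1 under k1, re-encrypt under k2; the data is not needed."""
    return feistel(k2, feistel(k1, mac1, decrypt=True))[:MAC2_BYTES]

def verify_read(keys, cache, untrusted_macs, addr, data):
    """Claim 12: use the cached second code if present; else the claims 13-14 path."""
    hash_key, k1, k2 = keys
    comparison = second_from_first(k1, k2, first_code(hash_key, k1, data))
    reference = cache.get(addr)
    if reference is None:  # miss: derive the reference from the code in untrusted memory
        reference = second_from_first(k1, k2, untrusted_macs[addr])
    ok = hmac.compare_digest(reference, comparison)
    if ok:
        cache[addr] = reference  # claim 15: fill trusted storage from the first code
    return ok
```

Because the two codes are produced under different secrets, the 4-byte value held in the cache is not a prefix of the 8-byte value visible in untrusted memory, which is the property claims 3 and 4 ask for.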
Description
Apparatus and method for controlling access to data stored in untrusted memory
Background
The present technology relates to memory security, and more particularly, to an apparatus and method for controlling access to data stored in untrusted memory.
Some data processing systems may need to run software that processes confidential or sensitive information that should not be exposed to potential attackers. However, it may not be feasible to provide sufficient capacity to store all such information in memory that an attacker cannot tamper with, and thus it may sometimes be necessary to export some sensitive information to vulnerable memory. For example, while storing data on-chip may protect it against attacks, on-chip memory storage may be limited, and thus data may need to be written to off-chip external memory. An attacker may be able to read data from the external memory or intercept it as it passes to the external memory, and/or tamper with the data values stored in the external memory in an attempt to cause incorrect behaviour when such externally stored data is subsequently brought back into the processing system.
To provide security for data stored in potentially unsecure memory, authentication codes may be generated in association with the data and then referenced when the data is read back from unsecure memory, to check that the data has not been modified since it was stored. Although the authentication codes are smaller than the data that they are used to authenticate (e.g., 64 to 128 bits for a 64 byte data block), they need to be large enough to suppress the possibility of collisions that might be exploited by an attacker, i.e., collisions that occur if two different data values produce the same authentication code. Otherwise, in the case of a collision, an attacker monitoring the untrusted memory may replace the current value with a different value and thus corrupt the memory, since the verification performed using the authentication code will result in a false positive (i.e. the verification will pass despite the different data).
Thus, the set of authentication codes used in association with data stored in the untrusted memory is typically larger than what can be stored on-chip, and so the authentication codes may also be stored in the untrusted memory. To improve performance, a limited number of authentication codes that may be used in the future may be stored in a trusted storage (such as an on-chip cache), which has lower access times than authentication codes accessed in untrusted memory. However, the size of such trusted storage is typically relatively small, and it is desirable to utilize the trusted storage more efficiently.
Disclosure of Invention
In a first example arrangement there is provided an apparatus comprising a memory access circuit for controlling access to data stored in an untrusted memory, a memory security circuit for verifying the integrity of the data stored in the untrusted memory, and trusted storage means, the memory security circuit having an authentication code generation circuit to generate an authentication code to be associated with the data stored in the untrusted memory for use in verifying the integrity of the data, wherein for a given block of data for which an associated authentication code is to be generated, the authentication code generation circuit is arranged to generate a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and to generate a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage means.
In a second exemplary arrangement there is provided a method of controlling access to data stored in an untrusted memory, the method comprising employing an authentication code generation circuit to generate an authentication code to be associated with the data stored in the untrusted memory, verifying the integrity of the data with reference to the authentication code, providing trusted storage means, and, for a given block of data for which an associated authentication code is to be generated, arranging the authentication code generation circuit to generate a first authentication code having a first size as the associated authentication code when the associated authentication code is to be stored in the untrusted memory, and to generate a second authentication code having a second size smaller than the first size as the associated authentication code when the associated authentication code is to be stored in the trusted storage means.
In yet another exemplary arrangement, an apparatus is provided comprising memory access means for controlling access to data stored in an untrusted memory, memory security means for verifying the integrity of the data stored in the untrusted memory, and trusted storage means, the memory security means having auth