Search

EP-4736046-A1 - COMPACT REPRESENTATION OF TRANSITION SEQUENCES FOR SINGLE-STATE STORAGE

EP4736046A1EP 4736046 A1EP4736046 A1EP 4736046A1EP-4736046-A1

Abstract

A system-implemented (e.g., computer-implemented) method for generating a set of hashes representing known-good state sequences, in accordance with one aspect of the present invention, includes determining, a priori, all known-good state sequences of a system. Valid paths for the determined known-good state sequences are enumerated by constructing history-incorporating aggregate hashes that represent the states along the paths, whereby the resulting set of hashes represents all valid states as the system traverse through the known-good sequences. The history-incorporating aggregate hashes are stored. A state- advancing call is received from the system, and in response to receiving the call, the stored history- incorporating aggregate hashes are sent to the system.

Inventors

  • PALMER, ELAINE R.
  • VISEGRADY, TAMAS

Assignees

  • International Business Machines Corporation

Dates

Publication Date
20260506
Application Date
20240523

Claims (20)

  1. 1 . A system-implemented method, comprising: determining known-good state sequences of a system; enumerating valid paths for the determined known-good state sequences by constructing historyincorporating aggregate hashes that represent the states along the paths; storing the history-incorporating aggregate hashes; receiving a call from the system; and in response to receiving the call, sending the stored history-incorporating aggregate hashes to the system.
  2. 2. The system-implemented method of claim 1 , wherein the history-incorporating aggregate hashes are stored in a tree structure.
  3. 3. The system-implemented method of claim 2, comprising normalizing the tree structure.
  4. 4. The system-implemented method of claim 2, wherein the tree structure is a Merkle tree structure.
  5. 5. The system-implemented method of claim 1 , wherein the history-incorporating aggregate hashes representing terminal states are specially marked.
  6. 6. The system-implemented method of claim 1 , wherein at least some the history-incorporating aggregate hashes are constructed by sequentially combining hashes for states along the respective paths.
  7. 7. The system-implemented method of claim 1 , comprising adding a second hash-sized register to the system.
  8. 8. A computer program product for generating a set of hashes representing known-good state sequences, the computer program product comprising: one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising: program instructions to perform the method of claim 1.
  9. 9. A system, comprising: a processor; and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, the logic being configured to perform the method of claim 1 .
  10. 10. A system-implemented method, comprising: in response to receiving a request to transition to a new state, requesting a set of historyincorporating aggregate hashes; receiving the history-incorporating aggregate hashes; and evaluating, within the system, whether to transition to the new state by: calculating a hash for the requested new state, comparing the calculated hash to the received history-incorporating aggregate hashes, and allowing the transition to the new state in response to determining that the calculated hash matches one of the history-incorporating aggregate hashes, else not allowing the transition to the new state in response to determining that the calculated hash does not match one of the history-incorporating aggregate hashes.
  11. 11 . The system-implemented method of claim 10, wherein the history-incorporating aggregate hashes are received as a tree structure.
  12. 12. The system-implemented method of claim 11 , wherein the tree structure is only retained as a transient copy within the system.
  13. 13. The system-implemented method of claim 11 , wherein the system stores only a root of the tree structure persistently.
  14. 14. The system-implemented method of claim 10, wherein the hash for the requested new state is generated using a hash for a current state.
  15. 15. The system-implemented method of claim 10, comprising replacing, in a persistent register, a hash for a current state of system with the calculated hash for the new state in response to transitioning to the new state.
  16. 16. The system-implemented method of claim 15, comprising replacing the calculated hash with a hash of a final state reached in response to execution in a state machine being terminated in the system.
  17. 17. The system-implemented method of claim 10, wherein the calculated hash is stored in a second persistent register.
  18. 18. The system-implemented method of claim 10, wherein the history-incorporating aggregate hashes are in a form of a Merkle tree, and comprising using at least a hash identifying a current state of the system to generate the calculated hash; and comparing the calculated hash to the Merkle tree to determine whether the requested state transition matches a valid state transition sequence of the Merkle tree.
  19. 19. A computer program product for verifying whether a state transition is allowed and/or valid, the computer program product comprising: one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising: program instructions to perform the method of claim 10.
  20. 20. A system, comprising: a processor; and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, the logic being configured to perform the method of claim 10.

Description

COMPACT REPRESENTATION OF TRANSITION SEQUENCES FOR SINGLE-STATE STORAGE BACKGROUND [0001] The present invention relates to system security, and more specifically, this invention relates to protecting systems by providing a compact representation of the state of a system and the valid transitions the system may go through. [0002] It is common practice to monitor the current configuration of systems. As used herein, the term “system” also includes subsystems and devices within systems, and may be a device, a computer, a cooperating device and computer, etc. The terms “system” and “device” are used interchangeably. The goal of monitoring is to determine whether the configuration of a system is in an acceptable or compliant state and to take remedial action if necessary. An example of such monitoring is to determine if the latest updates to software have been applied or if a system is running a vulnerable version of software. [0003] Monitoring, however, has its limitations. Without additional data, a snapshot in time of the current configuration does not reflect the history of updates to the system. If the monitoring system does capture additional data, such as activity logs, the data can become quite large and difficult to analyze, and in some cases, it is buried within unbounded logs. Furthermore, if monitoring detects that a system is out of compliance, such as after a cyber-attack, the damage is already done. [0004] Systems compliant with the U.S. Government’s Platform Firmware Resiliency Guidelines, as specified by the National Institute of Standards and Technology (NIST) branch of the U.S. Department of Commerce, must implement three security and integrity principles: protect, detect, and recover. Monitoring systems for misconfigurations is one method of providing detection. Protection, however, seeks to prevent misconfigurations in the first place, before they become effective. [0005] While monitoring can provide detection, it does not satisfy requirements for protection. To implement protection under the above-referenced NIST guidelines, the system must allow only valid transitions to a new state or configuration, and it must prevent invalid ones. For example, in an encryption device, a valid transition is to erase keys from the previous owner before adding keys for a new owner. An invalid transition is to add keys for a new owner before erasing the previous owner’s keys. While simple transitions such as this example can be “hardwired” or programmed into firmware, valid sequences of events will change over time. [0006] ATTEMPTED SOLUTIONSAND THEIR DRAWBACKS [0007] Hardware Security Modules (HSMs) [0008] HSMs are tamper-protected processing units which perform sensitive operations, such as protecting encryption operations, encrypting financial transactions, and verifying the firmware running inside the HSM. The data they protect is of extremely high value. Some users requiring very high security may want to prevent a transition from the original vendor’s firmware verification keys to anyone else’s keys. They also want to know the history of all such transitions. [0009] Current HSMs cannot support this functionality. With limited programmability and storage inside the tamper-protected enclosure, they cannot prevent a successfully authenticated but invalid transition, and they can only report the most recent transition. Another problem is that HSMs may not be able to prevent rollback of firmware to a buggy or vulnerable version. [0010] Sustainability and Circular Economy [0011] When data center equipment reaches a certain stage in its lifecycle, it is either scrapped, salvaged, or sold for reuse. If the equipment contains an owner’s firmware verification keys, there is no simple and secure way to erase or replace the keys prior to decommission and resale of thousands of systems. Buyers may want to install their own keys, but that operation typically must be authorized by the seller or original vendor of each unique device. There is no infrastructure for making these ownership transitions at scale. Currently, equipment that contains the owner’s firmware verification keys must be scrapped, which is an unsustainable solution. [0012] Telecommunications and Satellites [0013] Cellular network providers operate hundreds of thousands of small servers to support their networks. Although these systems are behind locked doors, they are still vulnerable to physical and logical attacks. Initial setup and remote support are often provided by companies such as RedHat. Once initialized, these systems support remote system updates and monitoring. The systems are configured as “appliances,” meaning that many thousands of them have identical hardware, firmware, and software. If someone installs unauthorized software on a system, it may only be detected after the fact. Detecting the attack would involve processing system logs and looking for anomalies as compared to databases of permissible software. Satellites operate in