Title:
DATA PROCESSING APPARATUS AND METHOD FOR RUNTIME ATTESTATION
Document Type and Number:
WIPO Patent Application WO/2024/083346
Kind Code:
A1
Abstract:
A data processing apparatus (110) for performing a plurality of tasks is disclosed. The apparatus (110) comprises a processing unit (111) configured to operate a RTOS based on a security capability architecture. The RTOS implements a kernel, an attestation core and a plurality of tasks. Each task uses a plurality of capabilities defined by the security capability architecture. Moreover, the apparatus (110) comprises a memory (115) comprising a plurality of memory compartments, including a memory compartment for the attestation core and a respective isolated memory compartment for each task. The memory compartment of each task is defined by plurality of capabilities of the task and data operated on by the task. The processing unit (111) is configured to monitor the integrity of the memory compartments of the tasks for generating task integrity measurement data (125) indicative of the integrity of the memory compartments of the tasks.

Inventors:
CHEVALIER THOMAS OLIVIER MAURICE (DE)
VLASCEANU IOAN-SILVIU (DE)
Application Number:
PCT/EP2022/079477
Publication Date:
April 25, 2024
Filing Date:
October 21, 2022
Assignee:
HUAWEI TECH CO LTD (CN)
CHEVALIER THOMAS OLIVIER MAURICE (DE)
International Classes:
G06F21/57; G06F21/53
Domestic Patent References:
WO2017082966A1 2017-05-18
Foreign References:
US20180183580A1 2018-06-28
US20160350534A1 2016-12-01
US20210081535A1 2021-03-18
Attorney, Agent or Firm:
HUAWEI EUROPEAN IPR (DE)
Claims:
CLAIMS

1. A data processing apparatus (110) for performing a plurality of tasks (305a-c), wherein the data processing apparatus (110) comprises: a processing unit (111) configured to operate a real-time operating system, RTOS, (300) based on a security capability architecture, wherein the RTOS (300) implements a kernel (301), an attestation core (303) and a plurality of tasks (305a-c), wherein each task (305a-c) of the plurality of tasks, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture; and a memory (115) comprising a plurality of isolated memory compartments, including an isolated memory compartment for the attestation core (303) and a respective isolated memory compartment (115a-c) for each task (305a-c), wherein the isolated memory compartment (115a-c) of each task (305a-c) is defined by the one or more of the plurality of capabilities of the task (305a-c) and data operated on by the one or more of the plurality of capabilities of the task (305a-c); wherein the processing unit (111) is further configured to monitor the integrity of the isolated memory compartments (115a-c) of the plurality of tasks (305a-c) for generating task integrity measurement data (125) indicative of the integrity of the isolated memory compartments (115a-c) of the plurality of tasks (305a-c).

2. The data processing apparatus (110) of claim 1, wherein the data processing apparatus (110) further comprises a communication interface (113) configured to transmit the task integrity measurement data (125) to an attestation server (120).

3. The data processing apparatus (110) of claim 2, wherein the attestation core (303) is configured to record the task integrity measurement data (125) for the memory compartment (105a-c) of each task (305a-c) and to transmit the task integrity measurement data (125) for the memory compartment (105a-c) of each task (305a-c) via the communication interface (113) to the attestation server (120) periodically and/or event-driven.

4. The data processing apparatus (110) of claim 2 or 3, wherein the attestation core (303) is configured to cryptographically secure the task integrity measurement data (125) based on one or more cryptographic keys (503) and wherein the communication interface (113) is configured to transmit the cryptographically secured task integrity measurement data (125) to the attestation server (120).

5. The data processing apparatus (110) of claim 4, wherein the communication interface (113) is configured to receive a nonce from the attestation server (120), wherein the attestation core (303) is further configured to cryptographically secure the task integrity measurement data (125) together with the nonce with the one or more cryptographic keys (503) and wherein the communication interface (113) is configured to transmit the cryptographically secured task integrity measurement data (125) and nonce to the attestation server (120).

6. The data processing apparatus (110) of claim 4 or 5, wherein the one or more cryptographic keys (503) are stored in the isolated memory compartment for the attestation core (303).

7. The data processing apparatus (110) of any one of the preceding claims, wherein the processing unit (111) is configured to define the plurality of isolated memory compartments.

8. The data processing apparatus (110) of any one of the preceding claims, wherein the processing unit (111) is configured to monitor the integrity of the isolated memory compartments (115a-c) of the plurality of tasks (305a-c) based on a trampoline module (401) implemented by a trampoline code, wherein the trampoline module (401) is invoked at each transition between the isolated memory compartments (115a-c) of the plurality of tasks (305a-c) and configured to report one or more capabilities exchanged between the isolated memory compartments (115a-c) of the plurality of tasks (305a-c) to the attestation core (303).

9. The data processing apparatus (110) of any one of the preceding claims, wherein the processing unit (111) is further configured to initially scan the memory (115) for determining the plurality of isolated memory compartments of the memory (115).

10. The data processing apparatus (110) of any one of the preceding claims, wherein the processing unit (111) is further configured to store the task integrity measurement data (125) in the isolated memory compartment for the attestation core (303).

11. The data processing apparatus (110) of claim 10, wherein the task integrity measurement data (125) comprises for each of the plurality of tasks (305a-c) the one or more capabilities of the respective task (305a-c).

12. The data processing apparatus (110) of any one of the preceding claims, wherein the one or more of the plurality of capabilities of each task (305a-c) comprise a pointer and pointer metadata.

13. The data processing apparatus (110) of any one of the preceding claims, wherein the RTOS (300) is a single address space RTOS (300).

14. The data processing apparatus (110) of any one of the preceding claims, wherein the security capability architecture is based on hardware and/or software.

15. A remote attestation system (100), comprising: at least one data processing apparatus (110) according to any one of the preceding claims; and an attestation server (120) configured to receive the task integrity measurement data (125) from the at least one data processing apparatus (110) and to attest the integrity of the at least one data processing apparatus (110) based on the task integrity measurement data (125).

16. The remote attestation system (100) of claim 15, wherein one or more reference capabilities of each task (305a-c) of the at least one data processing apparatus (110) are defined by a task policy (145) and wherein the attestation server (120) is configured to attest the integrity of the at least one data processing apparatus (110) based on the task integrity measurement data (125) and the task policy (145).

17. A method (600) for attesting the integrity of a data processing apparatus (110) configured to perform a plurality of tasks (305a-c), the data processing apparatus (110) comprising a processing unit (111) configured to operate a real-time operating system, RTOS, (300) based on a security capability architecture, wherein the RTOS (300) implements a kernel (301), an attestation core (303) and a plurality of tasks (305a-c), wherein each task (305a-c), when executed, uses one or more of a plurality of capabilities defined by the security capability architecture, and a memory (115), wherein the method (600) comprises: providing (601) a plurality of isolated memory compartments of the memory (115), including an isolated memory compartment for the attestation core (303) and a respective isolated memory compartment (115a-c) for each task (305a-c), wherein the isolated memory compartment (115a-c) of each task (305a-c) is defined by the one or more of the plurality of capabilities of the task (305a-c) and data operated on by the one or more of the plurality of capabilities of the task (305a-c); and monitoring (603) the integrity of the isolated memory compartments (115a-c) of the plurality of tasks (305a-c) for generating task integrity measurement data (125) indicative of the integrity of the memory compartments (115a-c) of the plurality of tasks (305a-c).

18. A computer program product comprising a computer-readable storage medium for storing program code which causes a computer or a processor to perform the method (600) of claim 17, when the program code is executed by the computer or the processor.

Description:
Data processing apparatus and method for runtime attestation

TECHNICAL FIELD

The disclosure relates to security technology. More specifically, the disclosure relates to a data processing apparatus and method for runtime attestation. Moreover, the present disclosure relates to a remote attestation system including such a data processing apparatus.

BACKGROUND

A key challenge in IoT security is the vulnerability of constrained microcontrollers to malicious modification of their firmware. This can be the result of reprogramming attacks performed by an adversary with physical access to the device, or of remote attacks that exploit vulnerabilities in the software implementation. A popular approach to mitigating such attacks is known as attestation; it allows verifying that a device runs known firmware, i.e., that it is in a trusted state. Attestation is usually defined as a process between two parties: a prover and a verifier. The prover may be, for instance, a resource-constrained IoT device, and the verifier is generally a computationally more powerful device, e.g., a server back-end. From the prover's perspective, attestation consists of two stages: (1) generation of evidence about its trustworthiness and (2) a secure protocol for conveying this evidence to the verifier. It is often desirable that these two stages, and in particular the first stage of the attestation process, i.e. the generation of the attestation evidence, are performed during runtime, in order to detect attacks that may have affected the integrity of the software during its execution.

Some runtime attestation approaches are known as “Dynamic Integrity Measurement” and “Control Flow Attestation”. In the “Dynamic Integrity Measurement” approach a hash (fingerprint) is periodically taken of the predictable/static memory (i.e. code segment) of a process, running on a “prover” device, and is compared on a “remote verifier” device with a reference fingerprint generated at build time. The “Control Flow Attestation” approach tries to monitor the execution flow of a process and log the sequence of edges (branches) taken by the process, in order to see if the execution flow is as intended according to a known-good control flow graph generated at build time. It intends to cover mainly return-oriented or jump-oriented programming attacks, which are a mainstream type of memory-based attacks today.

SUMMARY

It is an objective to provide an improved data processing apparatus and method for runtime attestation. The foregoing and other objectives are achieved by the subject matter of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.

According to a first aspect a data processing apparatus for performing a plurality of tasks is provided. The data processing apparatus may be, for instance, an IoT device, a smartphone, a network device, an electronic control unit and the like. The plurality of tasks may comprise, for instance, a sensor task for controlling one or more sensors of the data processing apparatus, an actuator task for actuating one or more actuators of the data processing apparatus, and a network task for providing wireless communication between the data processing apparatus and other network devices.

The data processing apparatus comprises a processing unit configured to operate a real-time operating system, RTOS, based on a security capability architecture. The processing unit may comprise, for instance, one or more central processing units, CPUs, and/or one or more microcontrollers. The RTOS implements a kernel, an attestation core and the plurality of tasks, wherein each task of the plurality of tasks, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture. As used herein, a security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture. The security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI.

Moreover, the data processing apparatus comprises a memory with a plurality of isolated memory compartments (sometimes also referred to as “protection domains”), including an isolated memory compartment for the attestation core and a respective isolated memory compartment for each task. The isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the respective task as well as data operated on by the one or more of the plurality of capabilities of the respective task. Each isolated memory compartment of each task can be considered to fully encapsulate the respective task.

The processing unit of the data processing apparatus is further configured to monitor the integrity of the isolated memory compartments of the plurality of tasks for generating task integrity measurement data indicative of the integrity of the isolated memory compartments of the plurality of tasks thereby providing a data processing apparatus capable of ensuring its integrity during runtime. As used herein, the attestation core is a dedicated security task running in its own memory compartment fully isolated from the other tasks or the RTOS kernel. More specifically, the attestation core is a dedicated task isolated from the rest of the system, which may be invoked by means of a trampoline module during an exchange of capabilities between other tasks for logging and reporting the exchanged capabilities securely to a remote verifier.

In a further possible implementation form, the data processing apparatus further comprises a communication interface configured to transmit the task integrity measurement data (either in the form as initially generated by the processing unit or in a further processed form) to an attestation server. This allows a run-time attestation of the integrity of the isolated memory compartments of the plurality of tasks of the data processing apparatus by the attestation server based on the task integrity measurement data.

In a further possible implementation form, the attestation core is configured to record the task integrity measurement data for the memory compartment of each task and to transmit the task integrity measurement data for the memory compartment of each task via the communication interface to the attestation server periodically and/or event-driven. Thus, the reporting of the task integrity measurement data may be efficiently implemented.

In a further possible implementation form, the attestation core is configured to cryptographically secure the transmitted task integrity measurement data based on one or more cryptographic keys, wherein the communication interface is configured to transmit the cryptographically secured task integrity measurement data to the attestation server. This allows the task integrity measurement data to be cryptographically protected against attacks.

In a further possible implementation form, the communication interface is configured to receive a nonce from the attestation server, wherein the attestation core is further configured to cryptographically secure the task integrity measurement data together with the nonce with the one or more cryptographic keys and wherein the communication interface is configured to transmit the cryptographically secured task integrity measurement data and nonce to the attestation server. This allows replay attacks to be detected.

In a further possible implementation form, the one or more cryptographic keys are stored in the isolated memory compartment for the attestation core. By storing the cryptographic keys in the highly secure attestation core the cryptographic keys are well protected against any attacks trying to extract these keys from the data processing apparatus. In a further possible implementation form, the processing unit is configured to define the plurality of isolated memory compartments. For instance, the processing unit may securely manage the address ranges of the plurality of isolated memory compartments. Thus, the memory of the data processing apparatus may be a cost-efficient type of memory without a dedicated memory management unit.

In a further possible implementation form, the processing unit is configured to monitor the integrity of the isolated memory compartments of the plurality of tasks based on a trampoline module implemented by a trampoline code. The trampoline module is invoked at each transition between the isolated memory compartments of the plurality of tasks and configured to report one or more capabilities exchanged between the isolated memory compartments of the plurality of tasks to the attestation core. This allows the integrity of the isolated memory compartments of the plurality of tasks to be monitored efficiently.

In a further possible implementation form, the processing unit is further configured to initially scan the memory for determining the plurality of isolated memory compartments of the memory. This allows the memory compartments, i.e. the protection domains, of the plurality of tasks to be determined efficiently.

In a further possible implementation form, the processing unit is further configured to store the task integrity measurement data in the isolated memory compartment for the attestation core. By storing the task integrity measurement data in the highly secure memory compartment of the attestation core the task integrity measurement data is protected against any attacks, for instance, from a corrupted task of the apparatus under the control of an attacker trying to modify the task integrity measurement data.

In a further possible implementation form, the task integrity measurement data comprises for each of the plurality of tasks the one or more capabilities of the respective task. This allows for an efficient generation of the task integrity measurement data based on the security capability architecture of the data processing apparatus.

In a further possible implementation form, the one or more of the plurality of capabilities of each task comprise a pointer and pointer metadata (also known as a “fat pointer”). This allows for an efficient generation of the task integrity measurement data based on the security capability architecture of the data processing apparatus. In a further possible implementation form, the RTOS of the data processing apparatus is a single address space RTOS. Thus, the data processing apparatus may implement an RTOS that does not require sophisticated and costly processing resources.

In a further possible implementation form, the security capability architecture is based on hardware and/or software. As already mentioned above, the security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture. The security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI.

According to a second aspect a remote attestation system is provided. The remote attestation system according to the second aspect comprises at least one data processing apparatus according to the first aspect and an attestation server configured to receive the task integrity measurement data from the at least one data processing apparatus and to attest the integrity of the at least one data processing apparatus based on the task integrity measurement data.

In a further possible implementation form, one or more reference capabilities of each task of the at least one data processing apparatus are defined by a task policy, wherein the attestation server is configured to attest the integrity of the at least one data processing apparatus based on the task integrity measurement data and the task policy. This allows the integrity of the at least one data processing apparatus to be attested efficiently based on the task integrity measurement data and the task policy.
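The following Python simulation is an added example, not code from the application or its assignee. It models the implementation forms described above end to end: a trampoline that reports every capability crossing a compartment boundary to the attestation core, the attestation core holding the per-task measurement data and keying it together with the verifier's nonce, and an attestation server that checks the MAC, nonce freshness and the task policy of reference capabilities, reporting which task holds which unexpected capability. The capability encoding, the use of HMAC-SHA256 over a JSON payload under a shared symmetric key, and every task, address and key value are assumptions of this simulation.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """CHERI-style fat pointer: an address range plus permission metadata."""
    base: int
    length: int
    perms: frozenset

    def key(self) -> str:
        # Canonical form so device log entries and verifier policy compare equal.
        return f"{self.base:#x}+{self.length:#x}:{','.join(sorted(self.perms))}"


class AttestationCore:
    """Dedicated task in its own compartment; owns the key and the measurement log."""

    def __init__(self, key: bytes, compartments: dict):
        self._key = key
        # Task integrity measurement data (task -> capabilities it holds), seeded
        # from the initial scan of the task compartments.
        self._measurements = {t: {c.key() for c in caps}
                              for t, caps in compartments.items()}

    def record_exchange(self, src: str, dst: str, cap: Capability) -> None:
        self._measurements.setdefault(dst, set()).add(cap.key())

    def report(self, nonce: bytes) -> dict:
        body = {"nonce": nonce.hex(),
                "tasks": {t: sorted(c) for t, c in self._measurements.items()}}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "tag": tag}


def trampoline(core: AttestationCore, src: str, dst: str, caps: list) -> list:
    """Trampoline code run at every compartment transition: each capability that
    crosses the boundary is reported to the attestation core before delivery."""
    for cap in caps:
        core.record_exchange(src, dst, cap)
    return caps  # the callee receives exactly what was reported


class Verifier:
    """Attestation server: checks the MAC, nonce freshness and the task policy."""

    def __init__(self, key: bytes, policy: dict):
        self._key = key
        self._policy = {t: {c.key() for c in caps} for t, caps in policy.items()}
        self._outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce.hex())
        return nonce

    def verify(self, report: dict) -> tuple:
        payload = report["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):
            return False, ["invalid MAC"]
        body = json.loads(payload)
        if body["nonce"] not in self._outstanding:
            return False, ["nonce not outstanding: replayed or unsolicited report"]
        self._outstanding.discard(body["nonce"])
        # A task may hold only its reference capabilities; each violation names
        # the task and the capability, giving the verifier context to act on.
        deviations = [f"{task} holds unexpected capability {cap}"
                      for task, caps in body["tasks"].items()
                      for cap in caps if cap not in self._policy.get(task, set())]
        return (not deviations), deviations


# Constructed sample capabilities, compartments and policy (not from the application).
SENSOR_BUF = Capability(0x2000_0000, 0x100, frozenset({"load", "store"}))
RADIO_BUF = Capability(0x2000_1000, 0x400, frozenset({"load", "store"}))
KEY_STORE = Capability(0x2000_2000, 0x40, frozenset({"load"}))  # attestation-core data
COMPARTMENTS = {"sensor": [SENSOR_BUF], "actuator": [], "network": [RADIO_BUF]}
POLICY = {"sensor": [SENSOR_BUF], "actuator": [SENSOR_BUF],
          "network": [RADIO_BUF, SENSOR_BUF]}


def run_scenario(leak: bool) -> tuple:
    """Return (first verification result, result of replaying the same report)."""
    key = b"constructed-shared-attestation-key"
    core, verifier = AttestationCore(key, COMPARTMENTS), Verifier(key, POLICY)
    trampoline(core, "sensor", "actuator", [SENSOR_BUF])  # allowed by policy
    trampoline(core, "sensor", "network", [SENSOR_BUF])   # allowed by policy
    if leak:
        # Deviation: a capability to the key store crosses into the network task.
        trampoline(core, "sensor", "network", [KEY_STORE])
    report = core.report(verifier.challenge())
    return verifier.verify(report), verifier.verify(report)
```

`run_scenario(False)` passes on first verification and fails on the replay; `run_scenario(True)` fails on the first verification with the network task and the key-store capability named in the deviation.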

According to a third aspect a method for attesting the integrity of a data processing apparatus is provided. The data processing apparatus is configured to perform a plurality of tasks and comprises a processing unit configured to operate a real-time operating system, RTOS, based on a security capability architecture, wherein the RTOS implements a kernel, an attestation core and a plurality of tasks, wherein each task, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture, and a memory. The method comprises the steps of: providing a plurality of isolated memory compartments of the memory, including an isolated memory compartment for the attestation core and a respective isolated memory compartment for each task, wherein the isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the task and data operated on by the one or more of the plurality of capabilities of the task; and monitoring the integrity of the isolated memory compartments of the plurality of tasks for generating task integrity measurement data indicative of the integrity of the memory compartments of the plurality of tasks.

The method according to the third aspect of the present disclosure can be performed by the data processing apparatus according to the first aspect of the present disclosure. Thus, further features of the method according to the third aspect of the present disclosure result directly from the functionality of the data processing apparatus according to the first aspect of the present disclosure as well as its different implementation forms described above and below.

According to a fourth aspect a computer program product is provided, comprising a computer-readable storage medium for storing program code which causes a computer or a processor to perform the method according to the third aspect when the program code is executed by the computer or the processor.

Details of one or more embodiments are set forth in the accompanying drawings and the description below. Other features, objects, and advantages will be apparent from the description, drawings, and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following, embodiments of the present disclosure are described in more detail with reference to the attached figures and drawings, in which:

Fig. 1 shows a schematic diagram illustrating an attestation system according to an example of the embodiments of the disclosure including a data processing apparatus and an attestation server;

Fig. 2 shows a schematic diagram illustrating isolated memory compartments of a memory of a data processing apparatus according to an example of the embodiments of the disclosure;

Fig. 3 shows a schematic diagram illustrating a plurality of tasks implemented by the data processing apparatus according to an example of the embodiments of the disclosure;

Fig. 4 shows a schematic diagram illustrating a trampoline module and an attestation core implemented by a data processing apparatus according to an example of the embodiments of the disclosure for monitoring the integrity of memory compartments of the plurality of tasks;

Fig. 5 shows a schematic diagram illustrating a security architecture implemented by a data processing apparatus according to an example of the embodiments of the disclosure for cryptographically securing task integrity measurement data; and

Fig. 6 shows a flow diagram illustrating a method for attesting the integrity of a data processing apparatus according to an example of the embodiments of the disclosure.

In the following, identical reference signs refer to identical or at least functionally equivalent features.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following description, reference is made to the accompanying figures, which form part of the disclosure, and which show, by way of illustration, specific aspects of embodiments of the present disclosure or specific aspects in which embodiments of the present disclosure may be used. It is understood that embodiments of the present disclosure may be used in other aspects and comprise structural or logical changes not depicted in the figures. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims.

For instance, it is to be understood that a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa. For example, if one or a plurality of specific method steps are described, a corresponding device may include one or a plurality of units, e.g. functional units, to perform the described one or plurality of method steps (e.g. one unit performing the one or plurality of steps, or a plurality of units each performing one or more of the plurality of steps), even if such one or more units are not explicitly described or illustrated in the figures. On the other hand, for example, if a specific apparatus is described based on one or a plurality of units, e.g. functional units, a corresponding method may include one step to perform the functionality of the one or plurality of units (e.g. one step performing the functionality of the one or plurality of units, or a plurality of steps each performing the functionality of one or more of the plurality of units), even if such one or plurality of steps are not explicitly described or illustrated in the figures. Further, it is understood that the features of the various exemplary embodiments and/or aspects described herein may be combined with each other, unless specifically noted otherwise.

Figure 1 shows a schematic diagram illustrating an attestation system 100 according to an embodiment including a data processing apparatus 110 (referred to as device 110 in figure 1) according to an embodiment and an attestation server 120 (referred to as verifier 120 in figure 1). The attestation system 100 may further comprise a provisioning server 130 of the vendor or manufacturer of the data processing device 110 configured to provision the data processing apparatus 110 with software 135, for instance, a firmware or software image. The data processing apparatus 110 may be, for instance, an IoT device, a smartphone, a network device, an electronic control unit and the like. As illustrated in figure 1 and as will be described in more detail below, the data processing apparatus 110 comprises a processing unit 111, which may comprise, for instance, one or more central processing units, CPUs, and/or one or more microcontrollers. The processing unit 111 may be implemented in hardware and/or software and may comprise digital circuitry, or both analog and digital circuitry. Digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or general-purpose processors. Moreover, the data processing apparatus 110 comprises an electronic memory 115 configured to store data, for instance, a FLASH memory 115. The memory 115 may store executable program code which, when executed by the processing unit 111, causes the data processing apparatus 110 to perform the functions and methods described herein. The data processing apparatus 110 may further comprise a communication interface 113, in particular a wireless and/or wired communication interface allowing the data processing apparatus 110 to communicate with the attestation server 120, the provisioning server 130 and/or other network devices.

Under further reference to figures 2 and 3, the processing unit 111 is configured to perform a plurality of software tasks, which, by way of example, may comprise a sensor task 305a for controlling one or more sensors of the data processing apparatus 110, an actuator task 305b for actuating one or more actuators of the data processing apparatus 110, and a network task 305c for providing (together with the communication interface 113) wireless communication between the data processing apparatus 110 and other network devices. As illustrated in figure 3, the processing unit 111 is configured to operate a real-time operating system, RTOS, 300 based on a security capability architecture for implementing the software environment for a kernel 301, an attestation core 303 and the plurality of tasks 305a-c. In an embodiment, the RTOS 300 of the data processing apparatus 110 is a single address space RTOS 300.

Each of the plurality of tasks 305a-c, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture. As used herein, the security capability architecture may comprise an instruction set and data structures in the form of capabilities as well as hardware and/or software supporting such an architecture. The security capability architecture of the data processing apparatus may comprise, for instance, the instruction set known as capability hardware enhanced RISC instructions, CHERI. Further details about CHERI may be found in “Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 8)”, Technical Report, Number 951, UCAM-CL-TR-951, ISSN 1476-2986, University of Cambridge, which is fully incorporated by reference herein. As illustrated in figures 2 and 3, because of the security capability architecture, in particular the CHERI-based architecture of the data processing apparatus 110, the memory 115 of the data processing apparatus 110 comprises a plurality of isolated memory compartments (sometimes also referred to as “protection domains”), including an isolated memory compartment for the attestation core 303 and a respective isolated memory compartment 115a-c for each task 305a-c. The isolated memory compartment of each task is defined by the one or more of the plurality of capabilities of the respective task as well as data operated on by the one or more of the plurality of capabilities of the respective task. In an embodiment, each of the one or more of the plurality of capabilities of each task 305a-c may comprise a pointer and pointer metadata (also known as a “fat pointer”).

As schematically illustrated in figure 2, each isolated memory compartment 115a-c of each task 305a-c can be considered to fully encapsulate the respective task 305a-c. In an embodiment, the processing unit 111 of the data processing apparatus 110 is configured to define the isolated memory compartment of the attestation core 303 and the isolated memory compartments 115a-c of the plurality of tasks 305a-c. For instance, the processing unit 111 may be configured to securely manage the address ranges of the plurality of isolated memory compartments 115a-c.

As will be described in more detail below, the processing unit 111 of the data processing apparatus 110 is further configured to monitor the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c for generating task integrity measurement data 125 indicative of the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c. In an embodiment, the processing unit 111 of the data processing apparatus 110 may be further configured to store the task integrity measurement data 125 in the isolated memory compartment for the attestation core 303. As will be described in more detail below, in an embodiment, the task integrity measurement data 125 may comprise, for each of the plurality of tasks 305a-c, the one or more capabilities, e.g. the fat pointers, of the respective task 305a-c.

As illustrated in the embodiment of figure 1, the communication interface 113 of the data processing apparatus 110 may be configured to transmit the task integrity measurement data 125 (either in the form as initially collected and/or generated by the processing unit 111 or in a further processed form) to the attestation server 120. This allows a run-time attestation of the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c of the data processing apparatus 110 by the attestation server 120 based on the task integrity measurement data 125 and, in an embodiment, reference values defined by a task policy 145 provided, for instance, by the provisioning server 130.

In the following further embodiments of the data processing apparatus 110 and the attestation system 100 will be described in more detail under further reference to figures 4 and 5.

As already described above, embodiments disclosed herein allow a “runtime attestation” of the data processing apparatus 110, i.e. they provide an attestation system 100 capable of proving the integrity of the plurality of tasks 305a-c and of the operating system kernel 301 of the data processing apparatus 110 during their execution. For instance, if a task 305a-c behaves as expected after being started, the attestation system 100 is capable of providing trustworthy and verifiable evidence of its integrity, and an external verifier may validate the evidence and decide whether to trust the data processing apparatus 110 and/or the task 305a-c running thereon. If a task 305a-c of the data processing apparatus 110 does not behave as expected, the data processing apparatus 110 (which might be under the control of a malicious attacker) will not be able to falsify such evidence. Furthermore, according to an embodiment, the data processing apparatus 110 may even provide context information about where an unknown (potentially malicious) task behavior deviates from the expected one.

As already mentioned above, according to embodiments disclosed herein, the data processing apparatus 110 may be a low-end, microcontroller (MCU)-based device 110 which supports a security capability architecture, such as CHERI, and implements a microcontroller-class real-time OS 300, such as FreeRTOS or Huawei LiteOS. According to further embodiments, the data processing apparatus 110 may be a high-end, CPU-based device 110 which supports a similar security capability architecture and implements a more sophisticated operating system 300, such as Linux.

Embodiments disclosed herein adopt a new approach in evaluating the runtime integrity of a program, i.e. the plurality of tasks 305a-c. Instead of the conventional approach of looking inside the task/program memory and trying to make sense of it, which is difficult, complex and computationally very intensive, embodiments of the data processing apparatus 110 disclosed herein allow monitoring what goes on inside a given task/program 305a-c from the perspective of the other processes operating within the data processing apparatus 110. This fundamentally different approach is illustrated in figure 2. According to embodiments disclosed herein, it may be inferred that a given task 305a-c acts as intended (i.e. has not been tampered with by a malicious attacker), if there is no other task 305a-c or process on the data processing apparatus 110 that tries to access portions of the memory 115 beyond the one that it is allowed to, namely its respective isolated memory compartment 115a-c. Differently put, according to embodiments disclosed herein, the data processing apparatus 110 is configured to detect whether during run-time the isolation between the different memory compartments 115a-c of the plurality of tasks 305a-c is being broken. Thus, efficient runtime attestation is made possible by providing evidence in the form of the task integrity measurement data 125 on the isolation among the plurality of tasks 305a-c and whether it is preserved or not.

As already described above, the processing unit 111 of the data processing apparatus 110 is configured to implement a security capability architecture, for instance a CHERI-based architecture, which provides spatial memory safety and memory isolation through so-called “capabilities”. A security capability architecture like the CHERI-based architecture extends conventional instruction set architectures (ISAs) to enable fine-grained memory protection and highly scalable software compartmentalization. For instance, in the case of a single address space, the CHERI-based architecture implemented by the data processing apparatus 110 according to an embodiment is capable of providing memory isolation without the need for a memory management unit (MMU). In an embodiment, the RTOS 300 of the data processing apparatus 110 may be CHERI FreeRTOS 300, a variant of FreeRTOS that provides isolation between the different memory compartments 115a-c of the plurality of tasks 305a-c in a single-address-space system. CHERI FreeRTOS 300 makes use of features of the CHERI-based architecture to restrict the set of memory regions accessible by each memory compartment 115a-c. In an embodiment, each memory compartment 115a-c may be as small as a single function or as large as code spanning several source files.

As already described above, each task 305a-c is restricted to its “protection domain”, i.e. its isolated memory compartment 115a-c. For a security capability architecture, such as a CHERI-based security capability architecture, the protection domain, i.e. the memory compartment 115a-c, is the set of capabilities that the task 305a-c can reach. For example, if the task 305a-c holds a capability pointing to its stack in one of its registers, the data processing apparatus 110 according to an embodiment is configured to scan the memory region pointed to for further capabilities pointing to other regions of the memory 115. The data processing apparatus 110 according to an embodiment may be configured to recursively examine these other pointed-to memory regions until the complete set of capabilities reachable by the respective task 305a-c has been found. This set is the protection domain, i.e. the isolated memory compartment 115a-c, of the respective task 305a-c. All the protection domains, i.e. memory compartments 115a-c, are distinct, i.e. isolated from each other, meaning that a task 305a-c cannot access the memory compartment 115a-c of another task 305a-c. In an embodiment, a task 305a-c may have exclusive control of a region of the memory 115. Moreover, a task 305a-c may hold a pointer allowing it to jump into a specific function of another task 305a-c, and two tasks 305a-c may share a portion of the memory 115, provided that the capabilities to this shared region prohibit loading or storing a capability (so that no capability can be passed from one task to the other through the shared region). In an embodiment, the kernel 301 may have full access to the memory 115 (except to the memory compartment associated with the attestation core 303).

Usually, the protection domain, i.e. the isolated memory compartment 115a-c, of each task 305a-c is known in advance. For instance, the network task 305c might, by way of example, share a buffer with another task 305a, b, but cannot share its internal state. In that case there can be a policy about how the protection domains, i.e. memory compartments 115a-c, are set up.

In an embodiment, all the memory compartments 115a-c may be initially measured and determined by scanning the whole memory 115 and deducing the different compartments based on the register files of each task 305a-c.
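The recursive discovery of a task's protection domain described above, together with the rule that a shared buffer must not carry capability permissions, can be modelled as follows. This is an added example, not code from the patent application (which publishes none); the task layout, the addresses and the single-letter permission names are constructed for illustration, and the per-word capability tags of a CHERI implementation are represented by a dictionary of tagged addresses.

```python
# Added model (not code from the patent) of how a task's protection domain is
# found by following capabilities from its register file. Addresses, permission
# letters and the memory layout are constructed for illustration. Real CHERI
# hardware keeps a tag bit per capability-sized word; here the set of tagged
# words is the `caps` dictionary of the Memory class.
from collections import namedtuple

# A capability is bounds plus permissions: the "fat pointer" of the text.
Cap = namedtuple("Cap", "base length perms")

LOAD, STORE, EXECUTE = "r", "w", "x"      # data permissions
LOAD_CAP, STORE_CAP = "R", "W"            # permissions to load / store capabilities


class Memory:
    """Single flat address space; `caps` maps the address of each tagged word
    to the capability stored there. Untagged words hold plain data only."""

    def __init__(self):
        self.caps = {}

    def store_cap(self, addr, cap):
        self.caps[addr] = cap

    def caps_in(self, cap):
        """Capabilities reachable through `cap`: the tagged words inside its
        bounds, but only if `cap` carries the load-capability permission."""
        if LOAD_CAP not in cap.perms:
            return []
        lo, hi = cap.base, cap.base + cap.length
        return [c for addr, c in self.caps.items() if lo <= addr < hi]


def protection_domain(mem, register_file):
    """Transitive closure of the capabilities reachable from the register
    file. The result is the task's isolated memory compartment."""
    domain, frontier = set(), list(register_file)
    while frontier:
        cap = frontier.pop()
        if cap not in domain:
            domain.add(cap)
            frontier.extend(mem.caps_in(cap))
    return domain


def overlaps(a, b):
    return a.base < b.base + b.length and b.base < a.base + a.length


def isolated(dom_a, dom_b):
    """Two domains may overlap only in data-only shared buffers: every pair of
    overlapping capabilities must lack both capability permissions on both
    sides, otherwise a capability could be passed across and isolation breaks."""
    return not any(
        overlaps(a, b) and ({LOAD_CAP, STORE_CAP} & (set(a.perms) | set(b.perms)))
        for a in dom_a for b in dom_b
    )


def build_example():
    """Constructed layout: two tasks sharing one data-only buffer."""
    mem = Memory()
    a_code, a_stack = Cap(0x1000, 0x1000, "rx"), Cap(0x8000, 0x1000, "rwRW")
    a_heap = Cap(0x20000, 0x100, "rwRW")
    shared = Cap(0x30000, 0x100, "rw")            # no R/W permission: data only
    b_code, b_stack = Cap(0x2000, 0x1000, "rx"), Cap(0x9000, 0x1000, "rwRW")
    mem.store_cap(0x8010, a_heap)    # A's stack points to A's heap object
    mem.store_cap(0x20040, shared)   # A's heap object points to the shared buffer
    mem.store_cap(0x9020, shared)    # B's stack points to the same buffer
    mem.store_cap(0x30020, a_stack)  # constructed: a capability lying in the buffer
    return mem, [a_code, a_stack], [b_code, b_stack]


if __name__ == "__main__":
    mem, regs_a, regs_b = build_example()
    dom_a, dom_b = protection_domain(mem, regs_a), protection_domain(mem, regs_b)
    print(len(dom_a), len(dom_b), isolated(dom_a, dom_b))
```

Running the example yields a domain of four capabilities for the first task and three for the second; the capability stored inside the shared buffer is unreachable from either task because the buffer's capability lacks the load-capability permission, and the two domains are isolated. Injecting a capability to the first task's stack into the second domain makes `isolated` return false, which is exactly the condition the task integrity measurement data 125 is meant to expose.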

In a security capability architecture, such as a CHERI-based security capability architecture, it is by definition impossible for a task 305a-c to extend its own isolated memory compartment 115a-c, i.e. protection domain without passing control to another isolated memory compartment. This inherent feature of a security capability architecture, as implemented by the data processing apparatus 110, makes it possible that the isolated memory compartments do not have to be monitored continuously, but only when a task 305a-c is passing control to another isolated memory compartment, i.e. in an event driven manner.

In an embodiment, if a task 305a-c is only communicating with the kernel 301, the kernel 301 may be configured to log the capability passed to another task 305a-c. As illustrated in figure 4, if, for instance, the task 305a calls the malloc function, the kernel 301 of the data processing apparatus 110 is configured to allocate a portion of the memory 115 and to construct a capability for it. Furthermore, the kernel 301 of the data processing apparatus 110 may update the isolated memory compartment 115a of the task 305a to take into account this new capability that the task 305a has obtained. The capability may then be passed on to the task 305a. As will be appreciated, this approach only ever adds capabilities to the recorded compartment and may therefore lead to an over-approximation of the isolated memory compartment 115a of the task 305a. Tracking the deletion of a capability by a task 305a-c, in contrast, is more complex, because it may require scanning the whole memory 115. Thus, depending on the specific use case, either the event-driven logging of additions or the scan-based tracking of deletions may be implemented by the data processing apparatus 110 according to an embodiment. More specifically, as indicated in figure 4 by the circle with the number 1 inside, a task 305a-c may have capabilities pointing to its code and stack. As indicated in figure 4 by the circle with the number 2 inside, the task 305a-c may call the malloc function and switch to the kernel memory compartment via the trampoline module 401. As indicated in figure 4 by the circle with the number 3 inside, the malloc function may generate a new capability bounded to the size of the requested region and return this capability. As indicated in figure 4 by the circle with the number 4 inside, the trampoline module 401 is configured to provide the capability to the attestation core 303, which updates the protection domain measurement, i.e. the task integrity measurement data 125. The trampoline module 401 may then return.
The blocks referred to as “pcc”, “csp” and “ca0” in figure 4 are exemplary capability registers of the CHERI-based architecture (the program counter capability, the capability stack pointer and the first capability argument register) according to an embodiment of the data processing apparatus 110.

As already described above, the attestation core 303 of the data processing apparatus 110 is associated with a secure region of the memory 115, i.e. its own isolated memory compartment (similar to a resilience engine). In an embodiment, the attestation core 303 has full control over the memory 115 of the data processing apparatus 110, whereas the kernel 301 and the plurality of tasks 305a-c cannot tamper with the isolated memory compartment of the attestation core 303. In an embodiment, the memory compartment of the attestation core 303 is configured to securely store the task integrity measurement data 125 (even if the kernel 301 cannot be trusted). In an embodiment, for transitioning into the memory compartment of the attestation core 303, the respective task 305a-c or the kernel 301 may use the “CInvoke” mechanism provided by the CHERI-based architecture, which performs a secure transition between different memory compartments by unsealing a matched pair of sealed code and data capabilities.

As already described above, in an embodiment, a task policy 145 may be defined by the vendor by listing all the expected memory compartments 115a-c, i.e. protection domains, of the data processing apparatus 110. In an embodiment, the task policy 145 may define what each memory compartment 115a-c should have access to. The task policy 145 may be created and made available by the vendor, for instance, via the provisioning server 130. As already described above, the attestation server 120 may compare the task policy 145 against the current task integrity measurement data 125 (provided by the data processing apparatus 110) for detecting any integrity violation of the isolated memory compartments 115a-c of the plurality of tasks 305a-c.

In a CHERI-based architecture, which may be implemented by the data processing apparatus 110 according to an embodiment, the so-called “reachable capability monotonicity” property means that during the execution of any task 305a-c the memory compartment 115a-c of the respective task 305a-c cannot grow until execution is yielded to the memory compartment of another task 305a-c: a task can only derive capabilities with equal or smaller bounds and permissions from those it already holds. As will be appreciated, this is an inherent and, thus, always valid property of a security capability architecture, in particular of a CHERI-based security capability architecture, which may be implemented by the data processing apparatus 110 according to an embodiment. Thus, as already described above, for monitoring each isolated memory compartment 115a-c, embodiments disclosed herein start from a reference measurement and then measure all the capabilities entering the respective memory compartment 115a-c at runtime. As will be appreciated, although these measurements are taken at discrete points in time, they provide a continuous view of the respective memory compartment, because, owing to the above-described inherent property of a CHERI-based security capability architecture, the respective isolated memory compartment cannot grow by itself.

As already described above, the monitoring of the respective memory compartments 115a-c implemented by the data processing apparatus 110 according to an embodiment may provide an overestimate of the actual respective memory compartment 115a-c, since capabilities released by a task are not removed from the measurement. However, as already described above, this is usually not an issue, because embedded tasks 305a-c very rarely use dynamic allocation and therefore seldom free memory.

As will be appreciated, the monitoring of the respective memory compartments 115a-c implemented by the data processing apparatus 110 according to an embodiment should intercept all capabilities going into the respective memory compartment 115a-c. In an embodiment, this may be achieved by a trampoline module 401, which may be implemented by the data processing apparatus 110 according to an embodiment and will be described in more detail in the following in the context of figure 4. In the embodiment shown in figure 4, the processing unit 111 of the data processing apparatus 110 is configured to monitor the integrity of a respective isolated memory compartment 115a-c of the plurality of tasks 305a-c based on the trampoline module 401 implemented by a trampoline code. As illustrated in figure 4, the trampoline module 401 is invoked at each transition between the isolated memory compartments 115a-c of the plurality of tasks 305a-c and configured to report one or more capabilities exchanged between the isolated memory compartments 115a-c of the plurality of tasks 305a-c to the attestation core 303.

In an embodiment, the communication interface 113 of the data processing apparatus 110 is configured to transmit the current task integrity measurement data 125 to the attestation server 120 each time one of the memory compartments 115a-c of the plurality of tasks 305a-c is decreased, allowing the attestation server 120 to check the current task integrity measurement data 125 against the reference values defined by the task policy 145.

As already described above, in comparison with a conventional RTOS the RTOS 300 implemented by the data processing apparatus 110 according to an embodiment adds the attestation core 303 and the trampoline module 401 for generating the task integrity measurement data 125. As already described above, the attestation core 303 is associated with its own memory compartment, i.e. a secure region of the memory 115 isolated from everything else in the system (including the RTOS kernel 301). In an embodiment, the memory compartment of the attestation core 303 is configured to store the task integrity measurement data 125 as well as one or more cryptographic keys 503 (illustrated in figure 5) for digitally signing the task integrity measurement data 125. In addition, the attestation core 303 may be considered to provide an interface for adding a capability to a respective memory compartment 115a-c of the plurality of tasks 305a-c.

As the isolation between different memory compartments 115a-c or between a memory compartment 115a-c and the kernel 301 may be breached, for instance, by a malicious attacker, the purpose of the attestation core 303 of the data processing apparatus 110 according to an embodiment is to ensure the integrity of the task integrity measurement data 125 in such a scenario (which would not be possible if the task integrity measurement data 125 were stored, for instance, in the kernel 301).

As already described above, in an embodiment the trampoline module 401 implemented by the processing unit 111 of the data processing apparatus 110 may be invoked at each transition between the isolated memory compartments 115a-c of the plurality of tasks 305a-c and configured to report one or more capabilities exchanged between the isolated memory compartments 115a-c of the plurality of tasks 305a-c to the attestation core 303. In other words, the trampoline module 401 is a special function for securely switching to another memory compartment, i.e. protection domain during runtime. During this switching process the trampoline module 401 is further configured to record each capability that is passed to the new memory compartment by passing the respective capabilities to the attestation core 303 for generating the task integrity measurement data 125.

In an embodiment, the processing unit 111 of the data processing apparatus 110 is configured to pass control from a memory compartment 115a-c of a respective task 305a-c to another memory compartment 115a-c by jumping to the trampoline module 401. As already described above, in an embodiment, the capabilities passed in this process to the new memory compartment may be forwarded to the attestation core 303. The processing unit 111 of the data processing apparatus 110 is configured to add those capabilities to the portion of the task integrity measurement data 125 associated with the new memory compartment. In an embodiment illustrated in figure 4, the task integrity measurement data 125 may be provided in the form of a memory compartment table, i.e. protection domain table 125, describing which memory regions each memory compartment 115a-c can access together with the corresponding permissions. This data structure, the memory compartment table 125, may be updated with new capabilities and stored in the memory compartment of the attestation core 303. One efficient way of storing the protection domain measurement is a list of memory regions together with the permissions over them, as defined by the capabilities recorded by the attestation core 303. When a new capability is added, the list is updated in place so that it always maintains its minimal representation.
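The protection domain table of the attestation core 303 and the trampoline module 401 described in this and the preceding paragraphs, following the malloc sequence of figure 4, can be modelled as follows. This is an added example, not code from the patent application; the class names `AttestationCore`, `Trampoline` and `Kernel`, the bump allocator standing in for the kernel's malloc and all addresses are constructed for illustration.

```python
# Added model (not code from the patent) of the protection-domain table held by
# the attestation core and of the trampoline that feeds it, following the
# malloc sequence of figure 4. Class names, the kernel allocator and all
# addresses are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    base: int
    end: int            # exclusive upper bound
    perms: frozenset    # e.g. frozenset("rwRW")


class AttestationCore:
    """Keeps the task integrity measurement data: for each compartment a sorted
    list of regions with the permissions the compartment has obtained over
    them. Adding a capability updates the list in place; touching or
    overlapping regions with identical permissions are merged, so the list
    stays minimal. Nothing is ever removed (free() is not tracked), which is
    the over-approximation discussed in the text."""

    def __init__(self):
        self.table = {}

    def add_capability(self, compartment, base, length, perms):
        merged = Region(base, base + length, frozenset(perms))
        kept = []
        for r in self.table.get(compartment, []):
            touches = r.base <= merged.end and merged.base <= r.end
            if touches and r.perms == merged.perms:
                merged = Region(min(r.base, merged.base), max(r.end, merged.end), r.perms)
            else:
                kept.append(r)
        kept.append(merged)
        self.table[compartment] = sorted(kept, key=lambda r: r.base)


class Trampoline:
    """The only way from one compartment into another: every capability handed
    to the destination is reported to the attestation core before control
    arrives there, so the measurement never misses a grant. `src` is kept for
    readability; only the destination's measurement changes."""

    def __init__(self, core):
        self.core = core

    def transition(self, src, dst, passed_caps=()):
        for base, length, perms in passed_caps:
            self.core.add_capability(dst, base, length, perms)
        return dst


class Kernel:
    """Bump allocator standing in for the kernel's malloc: returns a capability
    bounded exactly to the requested size."""

    def __init__(self, heap_base):
        self.top = heap_base

    def malloc(self, size):
        cap = (self.top, size, "rwRW")
        self.top += size
        return cap


def run_scenario():
    """Steps 1-4 of figure 4, twice, then a grant that crosses task boundaries."""
    core, kernel = AttestationCore(), Kernel(heap_base=0x20000)
    tramp = Trampoline(core)
    # (1) reference measurement: task A starts with capabilities to code and stack
    core.add_capability("taskA", 0x1000, 0x1000, "rx")
    core.add_capability("taskA", 0x8000, 0x1000, "rwRW")
    # (2)-(4) A calls malloc; the returned capability comes back via the trampoline
    for size in (0x40, 0x40):
        tramp.transition("taskA", "kernel")
        cap = kernel.malloc(size)
        tramp.transition("kernel", "taskA", [cap])
    regions_after_malloc = len(core.table["taskA"])
    # A capability to another task's stack (0xA000-0xB000, constructed) is
    # recorded too: the evidence now shows the compartment grew beyond its policy
    tramp.transition("kernel", "taskA", [(0xA000, 0x1000, "rwRW")])
    return core.table["taskA"], regions_after_malloc


if __name__ == "__main__":
    for r in run_scenario()[0]:
        print(f"{r.base:#x}-{r.end:#x} {''.join(sorted(r.perms))}")
```

Two adjacent heap allocations collapse into a single recorded region, so the table stays minimal, while a capability to a foreign stack range appears as an additional region that the attestation server 120 can then compare against the task policy 145. Freed memory is never removed from the table, which reproduces the over-approximation discussed above.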

As already described above, remote attestation is a process of conveying trustworthy evidence to a remote third-party verifier for attesting the integrity of a device, e.g. the data processing apparatus 110. In an embodiment, the communication interface 113 of the data processing apparatus 110 is configured to transmit the task integrity measurement data 125 indicative of the integrity of the memory compartments 115a-c of the plurality of tasks in a way that allows the attestation server 120 to check the authenticity of the task integrity measurement data 125.

As illustrated in figure 5, in an embodiment, at boot time the device's code may be measured, and a cryptographic key tied to a hardware root of trust may be built from this measurement. The vendor 130 may endorse the device 110 by issuing a certificate. The key is stored in the attestation core 303 and cannot be accessed from anywhere else in the system. As will be appreciated, in order to trust what the attestation core 303 reports, the remote verifier 120 needs a proof of the integrity of the attestation core 303 itself. To this end, embodiments disclosed herein may make use of a known DICE (Device Identifier Composition Engine) implementation 501, which derives the signing key of the attestation core 303 from a unique device secret (the Unique Device Secret, UDS) and the hashes (representing the measurements) of the code loaded sequentially by each boot component up to and including the attestation core 303 itself. Since the attestation core 303 is isolated from every other task 305a-c and from the kernel 301, it can be trusted that, once loaded, its integrity remains preserved. Therefore, the loaded attestation core 303 can use the thus-derived key to sign the measured/recorded capabilities. Based on this signature, the remote verifier 120 can verify them once it has verified the combined device and attestation core identity based on the signed device certificate provided by the manufacturer 130. At runtime, the attestation server 120 may initiate a challenge-response exchange, in which the data processing apparatus 110 digitally signs the task integrity measurement data 125 together with a nonce received from the attestation server 120; the nonce binds the evidence to the current challenge and so prevents replay of earlier evidence. The attestation server 120 receives the data 125 and checks, based on the certificate received from the vendor, e.g. the provisioning server 130, that the key 503 used by the data processing apparatus 110 for digitally signing the data 125 and the nonce is the endorsed key of the device.
In a final stage of the attestation procedure the attestation server 120 compares the task integrity measurement data 125 with the reference values defined by the task policy 145 provided by the vendor, e.g. the provisioning server 130.

In an embodiment, the attestation scheme implemented by the data processing apparatus 110 and the attestation server 120 is based on a Root of Trust for Measurement (RTM) for anchoring the attestation measurements, i.e. the task integrity measurement data 125, in immutable hardware and for reporting the task integrity measurement data 125 in a trustworthy way. To this end, in an embodiment, the Device Identifier Composition Engine (DICE) RTM standard may be employed, as already described above and illustrated in figure 5. Alternatively, a Trusted Platform Module (TPM) may be employed as the RTM. As illustrated in figure 5, according to the DICE RTM standard a unique and random secret (the Unique Device Secret) is stored on the data processing apparatus 110, together with a mechanism that blocks any read of this secret once the DICE engine has executed, so that later (possibly compromised) software cannot recover it.
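The DICE derivation of the attestation core's key and the nonce-bound challenge-response exchange described above, including the final comparison with the task policy 145, can be modelled as follows. This is an added example, not code from the patent application. Two simplifications are labelled as such: the layer-to-layer derivation uses HMAC-SHA256 as the one-way function, and the quote is authenticated with an HMAC under the derived key in place of an asymmetric signature whose public key the vendor certifies; the server therefore holds an expected key derived from the vendor's reference measurements, whereas in a real deployment it would validate the vendor certificate and the device's secret would never leave the device. The Unique Device Secret, the code images and the policy are constructed.

```python
# Added model (not code from the patent) of the DICE key derivation and the
# nonce-bound quote described above. Labelled simplifications: HMAC-SHA256 is
# the one-way derivation function, and the quote is an HMAC under the derived
# key standing in for an asymmetric signature plus vendor certificate, so the
# server holds the expected key derived from reference measurements. The UDS,
# code images and policy below are constructed.
import hashlib
import hmac
import json
import os

UDS = b"\x11" * 32                                        # constructed Unique Device Secret
BOOT_CHAIN = [b"bootloader v1", b"cheri rtos kernel v1", b"attestation core v1"]
POLICY = {"taskA": [[0x1000, 0x2000, "rx"], [0x8000, 0x9000, "rwRW"]]}


def derive_cdi(uds, boot_chain):
    """CDI_0 = HMAC(UDS, H(first image)); CDI_{n+1} = HMAC(CDI_n, H(next image)).
    The last CDI is the attestation core's key: it only comes out right when every
    image measured on the way, the attestation core included, is the expected one."""
    cdi = uds
    for image in boot_chain:
        cdi = hmac.new(cdi, hashlib.sha256(image).digest(), hashlib.sha256).digest()
    return cdi


class AttestationCore:
    def __init__(self, key):
        self._key = key            # stays inside the core's isolated compartment
        self.measurements = {}     # compartment -> [[base, end, perms], ...]

    def record(self, compartment, base, end, perms):
        self.measurements.setdefault(compartment, []).append([base, end, perms])

    def quote(self, nonce):
        """Evidence: measurement data plus the verifier's nonce, authenticated."""
        body = json.dumps({"nonce": nonce.hex(), "pd": self.measurements},
                          sort_keys=True).encode()
        return body, hmac.new(self._key, body, hashlib.sha256).digest()


class AttestationServer:
    def __init__(self, expected_key, policy):
        self.expected_key, self.policy, self.nonce = expected_key, policy, None

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, body, tag):
        expected = hmac.new(self.expected_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad signature"          # key differs: boot chain or core not genuine
        evidence = json.loads(body)
        if evidence["nonce"] != self.nonce.hex():
            return "stale evidence"         # replay of an earlier quote
        for comp, regions in evidence["pd"].items():
            for base, end, perms in regions:
                if not any(a <= base and end <= b and set(perms) <= set(p)
                           for a, b, p in self.policy.get(comp, [])):
                    return f"policy violation in {comp}: {base:#x}-{end:#x} {perms}"
        return "ok"


def attest(boot_chain, records, replay=False):
    """One challenge-response round; returns the server's verdict."""
    core = AttestationCore(derive_cdi(UDS, boot_chain))
    for rec in records:
        core.record(*rec)
    server = AttestationServer(derive_cdi(UDS, BOOT_CHAIN), POLICY)
    body, tag = core.quote(server.challenge())
    if replay:
        server.challenge()          # a fresh nonce makes the old quote worthless
    return server.verify(body, tag)


GOOD = [("taskA", 0x1000, 0x2000, "rx"), ("taskA", 0x8000, 0x9000, "rwRW")]
BAD = GOOD + [("taskA", 0x9000, 0xA000, "rwRW")]          # a foreign stack was reached
TAMPERED_CHAIN = BOOT_CHAIN[:2] + [b"attestation core (modified)"]

if __name__ == "__main__":
    print(attest(BOOT_CHAIN, GOOD), attest(BOOT_CHAIN, BAD),
          attest(TAMPERED_CHAIN, GOOD), attest(BOOT_CHAIN, GOOD, replay=True))
```

A genuine device with a compliant compartment yields `ok`; a compartment that has reached a foreign stack yields a policy violation; a modified attestation core derives a different key and fails the signature check before its evidence is even parsed; and a replayed quote fails on the nonce.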

Figure 6 is a flow diagram illustrating a method 600 for attesting the integrity of the data processing apparatus 110 according to an embodiment. As already described above, the data processing apparatus 110 is configured to perform the plurality of tasks 305a-c and comprises the processing unit 111 configured to operate the RTOS 300 based on a security capability architecture, wherein the RTOS 300 implements the kernel 301, the attestation core 303 and the plurality of tasks 305a-c, wherein each task 305a-c, when executed, uses one or more of a plurality of capabilities defined by the security capability architecture. Moreover, the data processing apparatus 110 comprises the memory 115. The method 600 comprises a step 601 of providing the plurality of isolated memory compartments of the memory 115, including the isolated memory compartment for the attestation core 303 and the respective isolated memory compartment 115a-c for each task 305a-c, wherein the isolated memory compartment 115a-c of each task 305a-c is defined by the one or more of the plurality of capabilities of the task 305a-c and data operated on by the one or more of the plurality of capabilities of the task 305a-c. Moreover, the method 600 comprises a step 603 of monitoring the integrity of the isolated memory compartments 115a-c of the plurality of tasks 305a-c for generating the task integrity measurement data 125 indicative of the integrity of the memory compartments 115a-c of the plurality of tasks 305a-c.

As the method 600 can be implemented by the data processing apparatus 110, further features of the method 600 result directly from the functionality of the data processing apparatus 110 and its different embodiments described above and below.

The person skilled in the art will understand that the "blocks" ("units") of the various figures (method and apparatus) represent or describe functionalities of embodiments of the present disclosure (rather than necessarily individual "units" in hardware or software) and thus describe equally functions or features of apparatus embodiments as well as method embodiments (unit = step).

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. The described embodiment of an apparatus is merely exemplary. For example, the unit division is merely logical function division and may be another division in an actual implementation. For example, a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented by using some interfaces. The indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, functional units in the embodiments disclosed herein may be integrated into one processing unit, or each of the units may exist alone physically, or two or more units are integrated into one unit.