Patent Grant
10481888
The present application claims priority to French Patent Application Serial No. 1402700 filed Nov. 27, 2014, the contents of which are hereby incorporated by reference in its entirety.
The present invention relates to a method for managing an architecture. The present invention also relates to the associated architecture.
The field of application of the invention corresponds to reconfigurable systems carrying out processing operations with different sensitivity levels and having to partition said processing operations.
Products are notably known integrating safety and cryptographic functions. The functions of an agent for configuring services are an example of safety functions while ciphering, generation of random or pseudo-random numbers and the management of sensitive goods are examples of cryptographic functions.
The safety mechanisms used are generally the subject of evaluation of safety. For their part, the aforementioned products target approvals or certifications. Such products are therefore integrated into reconfigurable safety architectures.
The application of partitioning in products targeting high safety levels comes up against limits of software solutions and involves the use of material properties.
This requires the definition of an architecture combining software functionalities based on mechanisms provided by the hardware executing the software and controlled hardware functionalities.
Thus, there exists a need for a method for managing an architecture giving both the possibility of guaranteeing the obtaining of flexibility provided by a piece of software and robustness provided by the hardware in the field of the partitioning.
For this, a method for managing an architecture is proposed, the architecture including:
the method including at least one step:
According to particular embodiments, the method comprises one or several of the following features, taken individually or according to all the technically possible combinations:
Further, the invention also relates to an architecture including:
each partition including a specific driver, each driver ensuring a secured link between the partition and at least one processing member with which the partition is associated.
According to a particular embodiment, each partition is able to apply a man-machine interface allowing a user to access to a service.
Other features and advantages of the invention will become apparent upon reading the description which follows of embodiments of the invention, only given as an example and with reference to the drawings which are:
An architecture 10 is illustrated in
The architecture 10 includes a main platform 12 and a secondary platform 14. Alternatively, the architecture 10 includes a plurality of secondary platforms 14.
The main platform 12 provides functional services for the account of one or several ‘user’ systems and is the master platform of the architecture 10.
The main platform 12 is able to produce an entire and authentic programming (and reprogramming) mechanism, an entire and authentic starting mechanism, a mechanism for partitioning the processing operations which the main platform 12 executes and a mechanism for communicating with the secondary platform 14.
The main platform 12 is able to partly execute interpreted logic instructions (i.e. its operation is particularized as computer programs). These programs execute on platform resources including one or several GPP (acronym of «general purpose processor») processors themselves integrating one or several cores or a SOC (acronym of «system on chip») integrating one or several cores associated with native functionalities: peripherals, ports, GPU . . .
Certain functions and certain resources ensure security performing operations for the account of the main platform 12 and relying on specific resources such as cryptographic accelerators.
The main platform 12 is a software platform.
As an example, the main platform 12 is a programmable microprocessor.
The main platform 12 includes a plurality of partitions 16 for executing the software.
According to an embodiment, each partition 16 is able to simultaneously operate with the other partition 16.
According to another embodiment, each partition 16 is able to operate independently under the control of an intra-platform partitioning mechanism.
A hypervisor is an example of intra-platform partitioning mechanism.
Further, each partition 16 is able to operate according to a first policy, the first policy managing the partitioning between the partitions 16.
According to a particular embodiment, each partition 16 is able to apply a man-machine interface allowing a user to access a service.
In the particular case of
Generally, in the computer background, the first transceiver element 18 is referred to as a “handler”.
The secondary platform 14 is able to provide additional services (to the services executed by the main platform 12).
The secondary platform 14 is able to apply an entire and authentic programming (and reprogramming) mechanism, an entire and authentic starting mechanism, a mechanism for partitioning the processing operations which the secondary platform 14 executes and a mechanism for communication towards the main platform 12.
The main platform 12 is a hardware platform.
According to a particular example, the secondary platform 14 is a programmable logic circuit.
As an illustration, the main platform 12 implements wired logic (ASIC) or pseudo-wired logic (FPGA) giving the possibility of carrying out specific processing operations (typically cryptographic engines) for which execution may be guaranteed and confined.
Each secondary platform 14 comprises a plurality of processing members 20.
Each processing member 20 is able to apply secured processing operations for the account of at least one partition 16.
More specifically, each processing member 20 is able to apply security mechanisms for the account of applications executing on the main platform 12.
Further, each processing member 20 is physically partitioned relatively to the other processing members 20.
Such physical partitioning is compliant with a second policy, the second policy managing the partitioning between the processing members 20.
Each processing member includes a second transceiver element 22.
Like for the first transceiver element 18, the second transceiver element 22 is commonly referred to as a «handler».
Further, each partition 16 includes a specific driver 24, each driver 24 ensuring a secured link between the partition 16 and at least one processing member 20 with which the partition 16 is associated.
By the expression of «secured link», is meant a security link of the cryptographic type.
In the particular case of
More specifically, the communication between the first transceiver element 18 and a second transceiver element 22 is a communication controlled and protected by the cipher.
According to the example illustrated by
Preferably, the communication interface also ensures non-circumvention of the exchange data.
The application of the transceiver elements 18 and 20 in cut-off on the exchange flows between the main platform 12 and a secondary platform 14 allow the application of a policy for controlling flows and for protecting with the cipher the flows between the partitions 16 and the processing members 20. The application of the flow control policy and cipher-protection gives the possibility of extending the partitioning policies between the partition 16 and between the processing members 20 on the whole of the exchanges between the main platform 12 and the secondary platform 16.
The operation of the architecture 10 of
The method includes a first step 100 for partitioning the main platform 12.
During the first step, the main platform 12 is partitioned into a plurality of partitions 16 under the control of a hypervisor.
The method also comprises a second step 102 for partitioning the secondary platform 14.
During the second step, the secondary platform 14 is partitioned into a plurality of processing members 20.
The method also includes a third association step 104.
During the third step, each partition of the main platform 12 is associated with at least one processing member 20.
Such an association is applied by installing, for each partition 16 and each processing member 20, the driver 24 specific to the relevant partition 16.
The driver 24 ensures a secured link between the relevant partition 16 and the processing member(s) 20 with which the partition 16 is associated.
According to the specific example of architecture 10 of
Preferably, each partition 16 is associated with one or several processing members 20, said processing members 20 not being associated with other partitions 16.
According to a particular example, each partition 16 is associated with a single processing member 20. In such a case, in a specific embodiment, certain processing members 20 are not associated with any partition 16.
Thus it appears that the method for managing an architecture gives the possibility of both guaranteeing the obtaining of the flexibility provided by a piece of software and the robustness provided by the hardware in the field of the partitioning.
More specifically, the architecture 10 is a security architecture by distributed co-partitioning of the hardware and of the software.
The architecture 10 proposed has the advantage of being reconfigurable according to the desires of the user.
By comparison, the conventional architectures of the known state of the art produce logical partitionings, the range of which is limited to the capabilities of the hardware provided by the used COTS. Certain types of processing and certain sensitivity levels of processing operations will imply the out-sourcing of these processing operations in specific peripherals having the suitable hardware capabilities.
These architectures are notably those deployed in terminals ensuring cryptographic processing operations locally of the platform (for example secured storage) or for the account of an application (for example control of transactions). The multilevel and reconfigurable architectures also imply the implementation of partitionings on the processing operations. These partitioning architectures are however limited to the software perimeter executing on the processors (GPP for example) and are limited to the external interfaces of these processors. Such a limitation is reinforced by the reconfigurability of the relevant architectures. Moreover, the application of specific hardware resources to certain processing operations is considered as establishing a peripheral (co-processor) not linked with any possible partitioned processing operations at the main processor.
The proposed architecture 10 therefore gives the possibility of both achieving confidence areas with the benefit of strong partitionings based on hardware properties, software confidence areas benefiting from software partitionings based on hardware properties and making consistent both previous partitioning levels.
More specifically, the architecture 10 ensures a consistent and homogenous distribution between the partitionings of the processing operations supported by the main platform 12 and the processing operations ensured by the secondary platforms 14.
Thus, consistency of the configurations of the mechanisms for communicating with the configurations of the partitioning mechanisms is ensured for processing operations executed on the main platform 12 and the secondary platforms 14. A consistent distribution gives the possibility of ensuring that the exchanges are secured, the processing operations executed on the main platform 12 and the secondary platforms 14. This securization is achieved by intercepting the flows leaving a platform 12, 14 and protection (confidentiality/integrity/anti-replay) by the ciphering in cut-off and end-to-end between a main or secondary platform transmitting towards the main platform 12 or the intended secondary platform 14.
Advantageously, the architecture 10 also allows authentication of the drivers 24 sharing the same partitioning level.
Further, the cryptographic mechanisms desired for the protection are executed in specific and partitioned memory areas. This memory partitioning is obtained by physical partitioning mechanisms specific to programmable logic circuits of the FPGA or ASIC type.
The partitioning of the main platform is, as for it, achieved via mechanisms of the memory management unit (MMU) type or by a specific hardware partitioning (filtered and specific memory addressing) applied by the piece of software being executed on the main platform.
According to a preferred embodiment, the partitioning of the main platform may be reinforced by using a mechanism of the input-output memory management unit (IOMMU) type.
Any direct access between the inter-platform processing operations is also forbidden, i.e. without any preliminary processing operation by protection by the ciphering in cut-off. The consistency between the partitions and the exchanges is reinforced by the consistency of the share of the cryptographic keys ensuring protection by the ciphering of the exchanges.
The distribution of the keys may be handled by a main platform ‘system’ (mandatory access control) or left to the discretion of the main platforms using the processing operations of the secondary platforms (discretionary access control). The main platform 12 and the secondary platforms 14 allow to communicate share one or several cryptographic keys for protecting the exchanges. These keys are pre-placed keys or negotiated between the platforms and observing the consistency of the configurations. The keys may also request the platform to randomly generate cryptographic data for establishing protection keys. These requests may resort to mechanisms of the random generator type or physically unclonable function (PUF).
As a summary, the architecture 10 proposed as well as the management method allow flexible and distributed utilization of the resources. Further, the flows of exchanged data via the secured link are protected, which allows limitation of the impact of the sharing of resources on the security. Further, portability on different hardware architectures is allowed. In particular, this results in a multiplicity of the possible applications, notably for computer phones, tablets, portable mini-computers or servers.
| Number | Date | Country | Kind |
|---|---|---|---|
| 14 02700 | Nov 2014 | FR | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 8468535 | Keagy | Jun 2013 | B1 |
| 9037511 | Roth | May 2015 | B2 |
| 9165139 | Wade | Oct 2015 | B2 |
| 9235707 | Zimmer | Jan 2016 | B2 |
| 9389895 | Oshins | Jul 2016 | B2 |
| 9501315 | Desai | Nov 2016 | B2 |
| 9684545 | Beale | Jun 2017 | B2 |
| 9836295 | Hoffman | Dec 2017 | B1 |
| 10019273 | Robinson | Jul 2018 | B2 |
| 10296392 | Heil | May 2019 | B2 |
| 20080005791 | Gupta | Jan 2008 | A1 |
| 20080022094 | Gupta | Jan 2008 | A1 |
| 20090113202 | Hidle | Apr 2009 | A1 |
| 20090172328 | Sahita | Jul 2009 | A1 |
| 20100031325 | Maigne | Feb 2010 | A1 |
| 20100132046 | Saliba | May 2010 | A1 |
| 20120117614 | Sahita | May 2012 | A1 |
| 20120124572 | Cunningham | May 2012 | A1 |
| 20120159245 | Brownlow | Jun 2012 | A1 |
| 20130085880 | Roth | Apr 2013 | A1 |
| 20130160001 | Graham | Jun 2013 | A1 |
| 20150135255 | Theimer | May 2015 | A1 |
| 20150199213 | Desai | Jul 2015 | A1 |
| 20150381658 | Poornachandran | Dec 2015 | A1 |
| 20160149877 | Kancharla | May 2016 | A1 |
| 20180189479 | Dam | Jul 2018 | A1 |
| Number | Date | Country |
|---|---|---|
| 1906333 | Apr 2008 | EP |
| 2677425 | Dec 2013 | EP |
| 2006103687 | Oct 2006 | WO |
| Entry |
|---|
| Rajalakshmi et al., Integer partitioning based encryption for privacy preservation in data mining, 6 pages (Year: 2012). |
| Ganapathy et al., Distributing data for secure database services, 10 pages (Year: 2011). |
| French Search Report and Written Opinion dated Oct. 19, 2015 issued in corresponding French Patent Application No. 1402700. |
| Number | Date | Country | |
|---|---|---|---|
| 20160154640 A1 | Jun 2016 | US |
