METHOD FOR MODULATING ACCESS TO A RESOURCE, CORRESPONDING PROGRAM AND DEVICE
20170255787 · 2017-09-07
CPC classification: H04L63/0428 (Electricity); G06F21/556 (Physics); H04L63/10 (Electricity); G06F21/53 (Physics); G06F21/604 (Physics); G06F21/6281 (Physics); H04L63/0414 (Electricity)
Abstract
A method for controlling access to preliminarily identified resources is disclosed. The method is implemented by an electronic device having means of access to said resources to be controlled. The method has: a step for receiving a request, coming from a program, for access to a current resource; a step for obtaining at least one access parameter for access to said current resource within a resource-characterizing data structure; and a step for modulating access to said current resource as a function of said at least one preliminarily obtained access parameter.
Claims
1. Method for controlling access to preliminarily identified resources, the method being implemented by an electronic device comprising means of access to said resources to be controlled, the method comprising: a step for receiving a request, coming from a program, for access to a current resource; a step for obtaining at least one access parameter for access to said current resource within a resource-characterizing data structure; and a step for modulating access to said current resource as a function of said at least one preliminarily obtained access parameter.
2. Method for controlling access according to claim 1, characterized in that the step for obtaining at least one parameter comprises: a step for identifying the current resource in the resource-characterizing data structure as a function of a resource identifier; and a step for obtaining, within said data structure, a semanticity indicator and at least one modulation parameter.
3. Method for controlling access according to claim 2, characterized in that, depending on the semanticity indicator, the modulation step comprises: an implementing of a step for masking non-semantic data; or an implementing of a step for masking semantic data; and implementing either one of these two masking steps as a function of the at least one modulation parameter.
4. Method for controlling access according to claim 3, characterized in that the step for masking non-semantic data comprises: a step for obtaining a code (cA) corresponding to the program; a step for computing an encrypted value C_RX = E(RC, cA) of the current resource (RC) under cA; and a step for transmitting the encrypted value C_RX to said program.
5. Method for controlling access according to claim 3, characterized in that the step for masking non-semantic data comprises: a step for receiving an encrypted value C_RX of the current resource (RC) coming from the program; a step for obtaining a code (cA) corresponding to the program; a step of decryption RC = E^-1(C_RX, cA) delivering the value of the current resource (RC); and a step for implementing an operation required by the program on the current resource (RC).
6. Module for controlling access to preliminarily identified resources, module implemented within an electronic device comprising means of access to said resources to be controlled, the module comprising: means for receiving a request, coming from a program, for access to a current resource; means for obtaining at least one access parameter for access to said current resource within a resource-characterizing data structure; and means for modulating access to said current resource as a function of said at least one preliminarily obtained access parameter.
7. Electronic device of the type comprising a processor, a random-access memory and a storage memory, the device also comprising an operating system, executed within the random-access memory and enabling access to resources of said electronic device, characterized in that it comprises at least one module for controlling access to said resources as described in claim 6.
8. Computer program product downloadable from a communications network and/or stored on a computer-readable carrier and/or executable by a microprocessor, characterized in that it comprises program code instructions for executing a method for controlling access according to claim 1, when it is executed on a computer.
Description
5. DRAWINGS
[0059] Other features and advantages of the proposed technique shall appear more clearly from the following description of a preferred embodiment, given by way of a simple illustrative and non-exhaustive example, and from the appended drawings, of which:
6. DESCRIPTION
6.1. Reminder of the General Principle
[0064] As explained further above, the invention seeks to prevent an application or program executed on an electronic device from covertly transmitting information to, or receiving information from, the operating system and/or other applications or programs. The general principle of the technique is presented with reference to
[0065] The data structure on which the present invention is based can take the form of a table comprising an identifier of the resource, a semanticity indicator and one or more access-modulation parameters. The semanticity indicator records whether the resource carries semantic meaning (a quantity whose value matters to the program, such as the available memory) or not (an opaque value such as an identifier or an address). As explained further below with reference to the different embodiments and variants, the access-modulation parameters can take the form of encryption keys, of increment or decrement values, or of random numbers. The type of parameter associated with a resource identifier is pre-defined: the designer of a system embodying the present invention decides, when implementing the system, on the type of parameter associated with a given resource identifier. For example, for access to a process identifier, the parameter type is an encryption, and the parameter itself (i.e. its value) is either an encryption key predetermined by the designer or a pointer to a key generator (which generates a key on the fly and can then store it for future use with this resource identifier). In other words, the general principle of the proposed system and method consists of a specific interrupt (trap) mechanism, implemented by the operating system, which in a predetermined way modulates access to the resources the operating system can mediate, as a function of the modulation parameter and the type of resource.
[0066] In a complementary way, the modulation of access to the resource is accompanied by an access-blocking mechanism. More particularly, access by a program or process to a given resource is accompanied by a blocking of access to this resource for the other programs (or processes). This blocking can take several forms. In one particular configuration, the blocking is two-way: no other process is allowed to read or write a value relating to the resource while it is in use by the current process. In another particular configuration, the blocking is one-way: only operations of the same nature as the one being performed by the current process are authorized; for example, the access control module does not allow a current process to read the resource while a second process writes to that same resource. A detailed implementation of this blocking is presented below.
6.2. Modulation of Access to the Resources
[0067] The present invention has a module for controlling access that modulates access to the resources. This module is managed by the operating system. Depending on the configuration, this control module is either independent of the operating system or directly integrated into it. The operating system makes use of this module when it receives a request for access to a resource (for example from a process). The request for access to a resource can take the form of an interrupt (the system-call trap), as is the case in operating systems of the Linux type. Other requesting mechanisms can also be implemented.
[0068] The module for its part has access to a table of resources in which at least certain resources are identified. This table of resources comprises, for example, the identifiers of resources that the manufacturer of the device considers to be potential carriers of information enabling covert-channel attacks to be carried out. Among the resources that can be envisaged, we can cite especially the processor load, the process identifiers (PIDs), the available memory, the date, the time and clock data in general, as well as sound input, sound output, output peripherals (screen, printer), input peripherals (keyboard, keypad), measured signal power (WiFi, Bluetooth, NFC wireless signal), etc.
[0069] Within the table of resources, each entered resource has a corresponding resource identifier, an indication of the semantic or non-semantic character of the resource and one or more parameters to modulate access to this resource.
[0070] The principle implemented in access control is presented with reference to
[0071] Thus, when a resource is typed as being a semantic resource, the modulation consists in sending the process a flawed or error-containing piece of information (i.e. a piece of information that is incorrect or partially incorrect). Thus, any resource shared by at least two applications, possessing a semantic value (for example available memory), is flawed or contains error. The error is small enough for the operation of the application to be undisturbed but big enough to jam any side channel.
[0072] When a resource is not distinctly characterized as being a semantic resource, the modulation, in one embodiment, consists of the transmission of a piece of encrypted data. In other words, any resource shared by at least two applications that does not possess any semantic value (for example an identifier) is masked as follows: a code, unique to each application known to the operating system (or control module), serves to encrypt the resource. The operating system (or control module) transmits the encrypted resource to the application. When the application wishes to use the resource, it hands back this piece of encrypted data, which the operating system (or control module) decrypts (and if necessary encrypts again, differently, in order to transmit it to a third-party application). In other embodiments, other masking processes can be used: for example, rather than encrypting the non-semantic data, access to it can be provided by a process of relocation, in which access is provided through a pointer whose address is modified at each access to the resource. Thus, for example, rather than transmitting the value of a resource, a pointer to the resource is transmitted. The ingenious solution here is to copy the resource, prior to this transmission, into a different memory zone each time. The method of the invention thus transmits a pointer that points to a different memory zone each time, so that a current application receives a pointer to a memory zone different from the one pointed to by the pointer transmitted to another application. Once the application has used it, the memory zone containing the resource is erased (for example overwritten with zeros).
6.2.1. Masking of a Non-Semantic Data by Encryption
[0073] In order to mask data that has no semantic value, the operating system uses a symmetric encryption procedure. This procedure can be an XOR encryption. Each application has a unique code determined by the operating system and kept secret. This code can be determined when the application is launched, when the apparatus is booted, or at the first use of a shared resource. It can be chosen, for example, as a random number of sufficient size. Note that if XOR is used, the same code bits must not be reused across several masked values: a program that obtains two values masked with the same fixed code can XOR them together and learn the XOR of the underlying resources, so the code should be combined with a fresh nonce for each value (or a proper cipher used). The principle of masking non-semantic data (30-1) is described with reference to
[0074] When an application AAp makes a request (RO) for the shared resource RX (the current resource RC), the following method is implemented:
[0075] the control module retrieves (30-11) (for example from the resource table, see above) the code cA corresponding to the program AAp;
[0076] the control module computes (30-12) the encrypted value C_RX = E(RC, cA) of the current resource (RC) under cA;
[0077] the control module (or operating system) transmits (30-13) C_RX to the program AAp.
[0078] Thus, it is not the current resource (RC) itself that is transmitted to the calling application (AAp), but an encrypted value of the resource. For example, when the resource corresponds to a memory address, the application requests a memory location from the operating system. The operating system (using the control module) transmits not the address but an encryption of this address.
[0079] When the program AAp wishes (immediately or thereafter) to use the shared resource, the following method is implemented:
[0080] the program AAp transmits (30-14) the encrypted value C_RX to the operating system (which passes it to the control module);
[0081] the control module retrieves (30-15) the code cA corresponding to the program AAp, for example in the table of resources;
[0082] the control module decrypts (30-16) RC = E^-1(C_RX, cA) and so recovers the value of the current resource (RC);
[0083] optionally, the control module transmits (30-16-1) the value RC to the operating system (when the control module is independent of the operating system);
[0084] the operating system performs (30-17) the operation requested by the program AAp on the current resource (RC).
[0085] Thus, for example, when the application wishes to write to the memory address RC, it transmits the encrypted address C_RX to the operating system (together with the value to be written to this address). The operating system or the control module (depending on the configuration) decrypts C_RX and writes to memory.
[0086] When a second application (for example BAp) wishes to access the current resource (RC), the same steps as those described above are implemented with one difference: the control module takes charge of the encryption (and decryption) of the resource with a code cB corresponding to the application BAp.
[0087] This masking is transparent for the applications. It also substantially disturbs the observation work being done by an attacker because, even if the attacker controls the application (for example AAp), he cannot really know the values of the non-semantic resources.
[0088] Shared resources that do not have semantic values are, for example: serial numbers, identifiers, memory addresses, process numbers, etc.
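The masking procedure of steps 30-11 to 30-17 above, as an added example in Python that is not part of the patent. The patent only specifies a symmetric cipher keyed by the per-application code cA; this example assumes a keystream derived with HMAC-SHA256 from cA and a fresh nonce, plus an HMAC tag over the masked handle, so that a program cannot replay a handle issued to another program or forge a handle for an address it never received. The class and method names (ControlModule, mask, unmask, write) and the handle layout are chosen here for illustration.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the patent's code. A control module that hands each
# application a per-application masked handle C_RX instead of the raw
# non-semantic resource RC (a memory address, PID, serial number...).
# Handle layout (assumption): nonce || (RC XOR keystream) || tag.
NONCE_LEN = 8
TAG_LEN = 16


class ControlModule:
    def __init__(self):
        self._codes = {}  # application -> secret code cA, never given to the app

    def register(self, app):
        # cA: a random number of sufficient size, unique per application
        self._codes[app] = os.urandom(32)

    @staticmethod
    def _keystream(code, nonce, length):
        # Fresh keystream per value: reusing fixed XOR key bits across values
        # would let a program learn the XOR of two masked resources.
        return hmac.new(code, b"mask" + nonce, hashlib.sha256).digest()[:length]

    @staticmethod
    def _tag(code, nonce, ct):
        return hmac.new(code, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

    def mask(self, app, rc):
        """Steps 30-11..30-13: C_RX = E(RC, cA), the value handed to the program."""
        code = self._codes[app]
        nonce = os.urandom(NONCE_LEN)
        pt = struct.pack(">Q", rc)
        ks = self._keystream(code, nonce, len(pt))
        ct = bytes(a ^ b for a, b in zip(pt, ks))
        return nonce + ct + self._tag(code, nonce, ct)

    def unmask(self, app, c_rx):
        """Steps 30-15..30-16: RC = E^-1(C_RX, cA); rejects handles not issued to app."""
        code = self._codes[app]
        nonce, ct, tag = c_rx[:NONCE_LEN], c_rx[NONCE_LEN:-TAG_LEN], c_rx[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(code, nonce, ct)):
            raise PermissionError("handle was not issued to this program")
        ks = self._keystream(code, nonce, len(ct))
        return struct.unpack(">Q", bytes(a ^ b for a, b in zip(ct, ks)))[0]

    def valid(self, app, c_rx):
        """True if c_rx is a handle this module issued to app."""
        try:
            self.unmask(app, c_rx)
            return True
        except PermissionError:
            return False

    def write(self, app, c_rx, memory, value):
        """Step 30-17: the program passes C_RX back; the module decrypts and acts."""
        memory[self.unmask(app, c_rx)] = value


if __name__ == "__main__":
    cm = ControlModule()
    cm.register("AAp")
    cm.register("BAp")
    rc = 0x7FFD1000  # constructed address of a shared resource
    h_a, h_b = cm.mask("AAp", rc), cm.mask("BAp", rc)
    print("AAp sees", h_a.hex(), "BAp sees", h_b.hex())
    print("AAp unmasks to", hex(cm.unmask("AAp", h_a)), "BAp's handle valid for AAp:", cm.valid("AAp", h_b))
```

Two applications asking for the same resource receive unrelated handles, and a handle passed to the module by any application other than the one it was issued to is rejected rather than decrypted to a wrong address.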
6.2.2. Masking of the Semantic Data
[0089] For data having a semantic value, the masking consists in transmitting a flawed or error-containing value to the applications. The size of the error is determined by the variability of the data: a piece of data liable to vary rapidly (e.g. a fast clock) receives a larger perturbation than data liable to vary slowly (for example the day of the year).
[0090] This masking has an impact on the applications and cannot necessarily be applied to all data, but it has little effect when the data relates to physical measurements (e.g. the power of the NFC signal). It must be noted that every application receives a slightly different piece of information. Thus, for example, for an application that requires information on the quantity of random-access memory available within the terminal, the method described above is implemented: the requested resource is identified and a modulation parameter for this resource is obtained. The typical modulation parameter for this resource depends on a random, non-predictable number. Thus, before providing a value for this resource, a random number (possibly bounded) is obtained; this random number is then added to or subtracted from the real quantity of memory available; finally, the result of this computation is transmitted to the calling program. Another calling program thus cannot obtain the same value as the one transmitted previously. This example also applies to the load of the main processor of the device or to the load of a secondary processor (for example an encryption processor and/or a video data processor).
[0091] Other shared resources having a semantic value are for example: available mass memory, time, electrical consumption, battery level, etc.
[0092] Thus, with this modulation of the semantic values, an attacking (malicious) program cannot simply follow the progress of and/or the modifications in the behavior of the device. It is therefore difficult to track the behavior of a specific program executed on the device, and hence difficult to carry out a covert-channel attack.
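The semantic path of [0089] to [0092], as an added example in Python that is not part of the patent. It builds the resource table of [0065] and [0069] with the semanticity indicator and, as the modulation parameter, a relative error bound that grows with the resource's variability; the table entries and bound values are assumptions. It also models the covert channel the paragraph refers to (a sender application signalling bits by allocating or freeing memory, a receiver polling the available memory) so that the jamming effect can be measured. All names are chosen here.

```python
import random

# Added example, not the patent's code. Resource table in the form of
# [0065]/[0069]: identifier -> (semanticity indicator, modulation parameter).
# For semantic resources the parameter is a relative error bound chosen by the
# designer; fast-varying data gets a larger bound. The values are assumptions.
RESOURCE_TABLE = {
    "mem_available_bytes": (True, 0.02),   # slow-varying: +/- 2 %
    "cpu_load_percent":    (True, 0.05),
    "clock_ns":            (True, 0.20),   # fast clock: larger perturbation
    "pid":                 (False, None),  # non-semantic: encryption path, not this one
}


class SemanticMasker:
    """Control-module path for semantic resources ([0089]-[0090])."""

    def __init__(self, seed=None):
        # A seed is accepted only to make the example reproducible; a real
        # module must draw from an unpredictable source such as SystemRandom.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()

    def modulate(self, resource_id, true_value):
        semantic, bound = RESOURCE_TABLE[resource_id]
        if not semantic:
            raise ValueError(f"{resource_id} is non-semantic; mask it by encryption")
        # Fresh, bounded random error per request: two callers (or two calls
        # from one caller) never receive the same value for the same true value.
        delta = self._rng.uniform(-bound, bound) * true_value
        return true_value + delta


def covert_channel_error_rate(masker, bits, baseline=4 * 2**30, signal=2**20):
    """Toy covert channel: a sender application allocates `signal` bytes to send
    a 1 and frees them to send a 0; a receiver application polls the available
    memory and thresholds it. Returns the receiver's bit error rate with the
    masker in the path (or without it when masker is None)."""
    errors = 0
    for bit in bits:
        true_free = baseline - (signal if bit else 0)
        seen = masker.modulate("mem_available_bytes", true_free) if masker else true_free
        guess = 1 if seen < baseline - signal // 2 else 0
        errors += int(guess != bit)
    return errors / len(bits)


if __name__ == "__main__":
    message = [int(b) for b in "0110100001101001" * 25]  # constructed 400-bit payload
    print("error rate without masking:", covert_channel_error_rate(None, message))
    print("error rate with masking:   ", covert_channel_error_rate(SemanticMasker(seed=7), message))
```

Without the masker the receiver recovers every bit; with a 2 % bound on a 4 GiB total, the noise swamps the 1 MiB signal and the receiver does no better than guessing. The bound is the trade-off the text describes: it must stay small enough that a memory-hungry application still behaves correctly.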
6.3. Mutual Blocking of the Processes
[0093] In this section, we present the mechanism for blocking access to resources.
[0094] As presented above, there are two types of blocking: either two-way blocking or one-way blocking.
[0095] In two-way blocking, the resource is completely blocked so long as it is used by a current process. This means that no other process is allowed to obtain access to the resource so long as it is used by the current process. To make up for this absence of access, the control module, on receiving a request for access to the resource from another process, implements a waiting loop during which the other process is made to wait for access to the resource. When the current process releases the resource, the control module grants access to the other process.
[0096] In one-way blocking, a different mutual exclusion is carried out depending on the operation performed by the current process. Thus, in one particular embodiment, the mutual exclusion mechanism is governed by the following rule: for any channel, an application blocks access in read mode (and in write mode respectively) so long as it maintains access in write mode (and in read mode respectively).
[0097] This notion has to be understood in a broader sense: for example, if an application that asks to read the processor load is granted access, then in so doing it blocks the execution of other applications or processes (which would be likely to modify its value). Through this example, we understand that a process other than the current process does not have direct access to the "processor load". However, the simple fact of launching a new process can modify the processor load and thus give the current process, which is trying to access it, an indication of the increase in load.
[0098] Thus, this blocking obliges any application that obtains read access to a resource to block the other applications that wish to write to it and, reciprocally, requires that any write access block attempts to read the same resource.
[0099] In general, any resource can be blocked: for example, if an application uses a microphone, access to the sound-producing peripherals is blocked for all the other applications (in certain contexts, the embedded printer of the terminal can produce sound).
[0100] Exceptions can be allowed when capture or emission peripherals have very different physical domains (for example the screen and an NFC sensor, which use separate segments of the electromagnetic spectrum).
[0101] This mutual exclusion is ensured by the access-control module of the operating system. As an alternative, rather than strict blocking, the access-control module of the operating system can defer the execution of the applications at risk.
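The two blocking modes of [0094] to [0101], as an added example in Python that is not part of the patent. The guard keys its state by physical domain rather than by peripheral, so that a microphone in use blocks the speaker and the printer ([0099]) but not the screen or the NFC sensor ([0100]); the domain grouping and the names (AccessGuard, request, release) are assumptions made for the example. The waiting loop or the deferral of the requesting process is left to the caller, which only sees "granted" or "deferred".

```python
from collections import defaultdict

# Added example, not the patent's code. Peripherals grouped by the physical
# domain they share ([0099]-[0100]); an unlisted resource is its own domain.
# The grouping is an assumption for the example.
DOMAINS = {
    "microphone": "acoustic", "speaker": "acoustic", "printer": "acoustic",
    "screen": "optical",
    "nfc": "radio", "wifi": "radio", "bluetooth": "radio",
}


class AccessGuard:
    """Mutual blocking of processes on a shared resource.

    two_way=True : the resource is completely blocked while one process holds it.
    two_way=False: one-way rule of [0096]: a reader excludes writers and a writer
                   excludes readers, but several readers (or several writers)
                   may proceed at the same time.
    request() returns "granted" or "deferred"; the caller implements the waiting
    loop of [0095] or defers the requesting process as in [0101].
    """

    def __init__(self, two_way):
        self.two_way = two_way
        self._holders = defaultdict(dict)  # domain -> {pid: "read" | "write"}

    @staticmethod
    def _domain(resource):
        return DOMAINS.get(resource, resource)

    def request(self, pid, resource, mode):
        if mode not in ("read", "write"):
            raise ValueError(f"unknown access mode {mode!r}")
        holders = self._holders[self._domain(resource)]
        others = {p: m for p, m in holders.items() if p != pid}
        if self.two_way:
            blocked = bool(others)
        else:
            blocked = any(m != mode for m in others.values())
        if blocked:
            return "deferred"
        holders[pid] = mode
        return "granted"

    def release(self, pid, resource):
        self._holders[self._domain(resource)].pop(pid, None)


if __name__ == "__main__":
    g = AccessGuard(two_way=False)
    print("A reads cpu_load:", g.request("A", "cpu_load", "read"))
    print("B writes cpu_load:", g.request("B", "cpu_load", "write"))   # deferred
    print("A reads microphone:", g.request("A", "microphone", "read"))
    print("B writes speaker:", g.request("B", "speaker", "write"))     # deferred, same domain
    print("B writes screen:", g.request("B", "screen", "write"))       # granted, other domain
```

In one-way mode a second reader of the processor load is still admitted, which is what lets the rule stay usable for read-mostly resources; in two-way mode even that second reader is deferred until the first holder releases.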
6.4. Other Characteristics and Advantages
[0102] Referring to
[0103] For example, the electronic device comprises a memory 41 constituted by a buffer memory, a processing unit 42 equipped for example with a microprocessor and driven by the computer program 43 implementing a control method. At initialization, the code instructions of the computer program 43 are for example loaded into a memory and then executed by the processor of the processing unit 42. The processing unit 42 receives as input at least one piece of data representing a resource that an application wishes to access. The microprocessor of the processing unit 42 implements the steps of the method according to the instructions of the computer program 43 to modulate access to the resource, if need be adding a blocking of said resource for other applications. As explained, the modulation of the access makes use of a data structure comprising, for the resources, modulation parameters.
[0104] To this end, the electronic device comprises, in addition to the buffer memory 41, communications means such as network communications modules, data transmission means and, as the case may be, a dedicated encryption processor.
[0105] All these means can take the form of a particular modular processor implemented within the device, said processor being a secured processor. According to one particular embodiment, this electronic device implements a particular application which is responsible for carrying out the encryption and the transmission of data, this application being for example given by the manufacturer of the processor in question in order to enable the use of said processor. To this end, the processor comprises unique identification means. These unique identification means ensure the authenticity of the processor.