SFSV

Small Footprint Signature Verification (SFSV)

Today embedded devices are running more and more critical software and thus need to be protected against malicious attempts to sneak in unwanted features (malware, backdoors). In general the software running on the devices takes care of protecting itself; there are however two scenarious where it is easy to let the device execute arbitary commands:

  • To fix flaws in the software or to add new features an Internet connected devices provides a way to update its software online.
  • The device always loads its software from a server on power-up through a simple boot loader.

In both scenarios the new software gets retrieved via FTP or TFTP from a hardwired site. There are several ways for an attacker to fake the addresses and thus trick the device into getting unauthorized software updates.

There is a simple countermeasure against this by digitally signing files used for an update. On the downside the required verification software takes away a lot of precious space. When using a simple boot loader it is usually not possible to run standard software like GnuPG to do the verification because the required operating system has not already been loaded. In the first scenario extra RAM is required to download the new software and run the verification on it before actually replacing the running software.

SFSV is a solution to this. It is software optimized to run digital signature verification with a very small memory footprint (around 18k text size on a PPC chip). Obviously the verification takes longer than with code optimized for speed — for a boot loder this tradeoff is acceptable because a verification is only once during boot or software update. Spending a few hundred milliseconds for integrity checks is after all better than risking a compromise.

In its standard configuration, the SFSV software is available as code to verify the signature on ELF files. The signature itself has been embedded in the ELF file using tools coming with SFSV. Usage of SFSV in a boot loader is pretty easy: Use the provided makekeys tool to create a C language header file with the public key to be used for signature verification, integrate the sources into the build system of the boot loader, add a call to the verification function after loading the image file into memory and build as usual.

For digitally signing images with the released software, the elfsigtool is to be used. There is no need to change the build process of the actual image as the elfsigtool is able to embed a signature into any ELF file.

SFSV is written in C and portable across most platforms. Other versions of the software to better fit into the architecture of the system or for non ELF platforms are available on request.

SFSV is available under the terms of the GNU General Public License or alternatively on to be negotiated terms so that it can be used with your proprietary code.

Copyright 2011 g10 Code GmbH. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved.