BITS: a smartcard protected operating system

Secure processors are a technology offering a great deal for applications that require enhanced computer security. In general, these processors contain not only computational capability, but memory capacity as well [17]. This self-containment makes secure processors resistant to attack, as they need not depend upon potentially vulnerable external resources.

Intelligent tokens are a class of pocket-sized secure processors that consist of an integrated circuit (IC) mounted upon a transport medium, such as plastic. They may also include downsized peripherals necessary for the token's application. Examples of such peripherals are keypads, displays and biometric devices (e.g., thumbprint scanners). The portability of these tokens lends itself to a myriad of security-sensitive applications, some of which are described later.

A subclass of intelligent tokens are IC cards known as smartcards. The physical characteristics of smartcards are specified by the International Standards Organization (ISO) [8]. In brief, the standard defines a smartcard as a credit-card-sized piece of flexible plastic with an IC embedded in the upper left-hand corner. Communication with the smartcard is accomplished through contacts that overlay the IC [9]. Further, ISO also defines multiple communication protocols for issuing commands to a smartcard [10]. All references to smartcards in this article refer to ISO standard smartcards. However, the concepts and applications are valid for intelligent tokens in general.

The capability of a smartcard is defined by its IC. As the name implies, an integrated circuit consists of multiple components combined within a single chip. Some possible components are a microprocessor, nonstatic random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM), other nonvolatile memory (memory that retains its state when current is removed) such as electrically erasable programmable read only memory (EEPROM), and special purpose coprocessor(s) (see Figure 1). The chip designer selects the components as needed and designs the chip mask. The chip mask is burned onto the substrate material.

The current substrate of choice is silicon. Unfortunately, silicon, like glass, is not particularly flexible; thus to avoid breakage when the smartcard is bent, the IC is limited to only a few millimeters on a side. The size of the chip correspondingly limits the memory and processing resources that may be placed on it. For example, EEPROM occupies twice the space of ROM, while RAM requires twice the space of EEPROM. Another factor is the mortality of the EEPROM used for data storage, which is generally rated for 10,000 write cycles and deemed unreliable after 100,000 write cycles.

Several chip vendors provide ICs for use in smartcards. In general, these vendors have adapted 8-bit microcontrollers with clock rates of approximately 4 MHz for use in smartcards. However, higher-performance chips are under development. Hitachi's H8/310 is representative of the capabilities of today's basic smartcard chips. It provides 256 bytes of RAM, 10 KB of ROM, and 8 KB of EEPROM. The successor to the H8/310, not yet released, claims a 16-bit, 10 MHz processor and twice the memory of the H8/310. It is likely that the other vendors have similar chips in various stages of development.

Because of these and other limits imposed by current technology, smartcards (and smart-tokens in general) are often built to application-specific standards. For example, while


which is an inherently time-consuming process. It is expected that users may be willing to accept some initial performance degradation in return for greatly enhanced security. Further, after completing a clean boot, BITS in no way impedes system usability.

During system start-up, BITS will degrade performance in two ways. First, the I/O bandwidth of the smartcard and its interface are expected to be inferior to a modern hard drive. Thus for the information stored on the card the transfer speed will be slower. For the current prototype, less than 1 KB of information is stored on the card, which at 9,600 baud requires less than one second to upload. The second area of degradation occurs in the verification of the operating-system files. The severity of this degradation depends upon the processing capacity of the host computer, together with the size of the operating system files to be verified, and the complexity of the hash and/or signature algorithm that is chosen.

The effectiveness of BITS is limited by the feasibility of storing all boot-relevant information on a smartcard. To the extent this is possible, boot integrity will be preserved. BITS is not a virus checker; however, for those files whose checksums are stored on the smartcard, it is possible to detect the modification of the file on the host system. The user may be notified that an executable is suspect before it is run. In general, BITS will provide enhanced computer security by utilizing the secure storage and processing capabilities inherent in the smartcard.
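The boot-time check described above, written out as an added example (not code from the BITS system itself): a manifest of file checksums is computed once at card configuration time and held in the card's protected storage, then compared at boot against the host's operating-system files, and any listed file that differs or is missing is reported as suspect before it would be run. The file names, file contents, the SHA-256 choice and the 10-bits-per-byte serial framing are constructed assumptions for the example.

```python
import hashlib
from typing import Dict, List

# Constructed sample of a host's boot-relevant files. In BITS these are the
# operating-system files on the host's hard drive; here they are in-memory
# byte strings so the example runs offline.
HOST_FILES: Dict[str, bytes] = {
    "BOOT.SYS": b"boot loader image (constructed sample)",
    "KERNEL.SYS": b"kernel image (constructed sample)",
    "SHELL.EXE": b"command shell image (constructed sample)",
}


def build_card_manifest(files: Dict[str, bytes], algo: str = "sha256") -> Dict[str, str]:
    """Run once by the security officer when the card is configured.
    Returns the map of file name -> hex digest that is written to the card."""
    return {name: hashlib.new(algo, data).hexdigest() for name, data in files.items()}


def verify_boot_files(manifest: Dict[str, str], files: Dict[str, bytes],
                      algo: str = "sha256") -> List[str]:
    """Boot-time check on the host: recompute each digest and compare it with
    the copy uploaded from the card. Returns the names of suspect files, i.e.
    files whose digest differs and files on the card's list that are missing.
    Files absent from the manifest are not checked, as BITS only covers files
    whose checksums are stored on the card."""
    suspect: List[str] = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None or hashlib.new(algo, data).hexdigest() != expected:
            suspect.append(name)
    return suspect


def manifest_upload_seconds(manifest: Dict[str, str], baud: int = 9600) -> float:
    """Rough serial upload time for the manifest at the card interface's baud
    rate, assuming 10 bits on the wire per byte (8 data bits plus start/stop)."""
    nbytes = sum(len(name) + len(digest) for name, digest in manifest.items())
    return nbytes * 10 / baud


if __name__ == "__main__":
    manifest = build_card_manifest(HOST_FILES)  # card configuration time
    # Simulate a boot-sector infector patching the shell on the host disk.
    tampered = dict(HOST_FILES, **{"SHELL.EXE": HOST_FILES["SHELL.EXE"] + b"\x90\x90"})
    for name in verify_boot_files(manifest, tampered):
        print(f"warning: {name} does not match the checksum on the card; do not run it")
    print(f"{len(manifest)}-entry manifest uploads in about "
          f"{manifest_upload_seconds(manifest):.3f} s at 9600 baud")
```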

BITS vs. Other Technologies

Here we compare BITS with other boot integrity and access control solutions. In the process of examining the advantages and disadvantages of the BITS system, many frequently asked questions are addressed.

Because of the mode in which BITS is used, it is often compared with a boot from a floppy disk. While it is true that inserting a smartcard is similar to inserting a floppy, the interaction during the boot sequence is entirely different. The smartcard-based system incorporates two separate authentications, user-to-card and card-to-host, which are entirely absent from the floppy boot. Further, the integrity of the boot information on a floppy is protected by an easily removed write-protect tab, while the smartcard requires the authentication of the security officer in order to update boot information. One may also wish to consider the ease of carrying a smartcard as compared with a floppy disk.

Table 2. BITS smartcard configuration (columns: Step, Action; recoverable rows: Authenticate the card to the host; Upload boot information)

Another solution to the boot-integrity problem is to place the operating system in ROM. This approach will prevent modifications to boot information, but at the cost of updatability. Any upgrades to the system require physical access to the hardware and replacement of ROM chips. If user authentication is added to the boot program, passwords may be difficult to change, and exist on a per-machine rather than a per-user basis.

If the user wishes to rely upon antiviral software, new issues are raised. The host machine must complete its boot sequence prior to executing the antiviral program. This means that a boot-infector virus will already have been executed by the time the defenses are in place. This situation may be analogized to locking the door to your house after the burglar is inside.

Log-in programs, whether stand-alone or integrated with an antiviral

While it is clear that software defenses are subvertible, hardware-based systems like BITS are not without their drawbacks. Installation of BITS requires the installation of an add-in board and smartcard acceptor. Also, individual cards must be configured. The time for setup, particularly for a first-time user, is certain to be non-nominal. The enhanced security provided by BITS requires physical access to the hardware to circumvent. While this situation is consistent with the BITS system objectives, it does imply a severe penalty to the user for a lost smartcard or forgotten password. Suitable administrative procedures, such as configuring multiple cards, become important to minimize the risk of a lost or damaged card.

The BITS system provides extremely powerful security at relatively low cost, measured both in terms of purchase price and setup time. The additional hardware required is nominal, initial setup is one time only, and upgrades require no hardware access, provided the user has the proper authentication. As with most computer systems, there are trade-offs between security and usability. It is ultimately incumbent upon the system administrators to evaluate their own application and weigh the costs.

The Future

Systems like BITS represent the next step in a trend toward smaller personal-computing resources. From a security perspective, the less that a user depends upon from a shared environment, the better. Any shared writable executable may potentially contain malicious code. Fortunately, advances in technology are likely to permit the storage of entire operating systems as well as utilities on a smartcard, thus obviating the necessity of sharing most executables altogether.

The smartcards themselves may also be made more secure. Currently, authentication to the smartcard is limited to user-supplied passwords. In most systems, three successive false presentations result in the smartcard account being disabled. However, if biometric authentication is incorporated into the card, it will be possible to achieve higher assurance in user authentication.

To date, the size requirements of smartcards have imposed the greatest limitation upon their utility; the current state of the art is a 0.7-micron resolution in the burning of chip masks. However, chip developers have recently announced the development of 0.5-micron technology as well as plans for even higher resolutions. Regardless of these advances, the chips are still currently limited to a few millimeters on a side due to the brittle nature of the silicon substrate from which they are made. A flexible substrate might allow chips that occupy the entire surface of the smartcard, resulting in an exponential gain in computing resources.

A smartcard with these enhanced capabilities could result in a truly portable (wallet-sized) personal computer, which could be made widely available at relatively low cost. In this type of computing environment only the bulky human interface need be shared. A computing station might eventually consist of a monitor, a keyboard, a network connection, and a smartcard interface. A user could walk up, supply the CPU and memory, and begin work. It would be as if you were able to supply your own engine, with a known reliability and maintenance history, for a rental car.

The implications of this technology are impressive. The existence of instant PC access for millions regardless of location would greatly enhance the utility of computers. The ability to use the same environment wherever one chooses to work would eliminate time spent customizing, and increase productivity. The security provided by smartcards would also result in increased security for sensitive data by decreasing the likelihood of compromise or loss.