Reliable State Machine (RSM)

One of the core goals of trustworthiness is to ensure the integrity of systems and applications, thereby determining that the system or software is running in the trusted state desired by the design goals.

Trustworthiness is mainly achieved through the technical means of measurements and validation. The measurement is to collect the state of the software or system under test, and the validation is to compare the measurement result with the reference value to see if it is consistent. If it is consistent, it means the validation passes; If it is inconsistent, it means the validation fails.

There are two types of measurement: static measurement and dynamic measurement. Static measurement usually refers to the measurement of the image when the runtime environment is first installed or restarted. Dynamic measurement and validation refer to the dynamic acquisition of the running characteristics of the system, and the analysis of rules or models to determine whether the system is running properly.

Trustworthy constraints

After detecting a breach of its trustworthiness, a method based on trusted roots is used for the trusted validation of system bootloaders, system programs, key configuration parameters, and communication applications. And the dynamic trusted validation is applied to all execution aspects of the application. Output monitored untrusted status:

The state information output from RSM can be collected in a category list, such as the hash root of the program code.

The architecture of the RSM is based on the noninterference model with a software real-time trustworthiness measurement approach.

The idea is to treat system calls as micro actions. α is the various software processes running in the RSM. Based on the expected behaviors β between the security domains belong to which all system calls in α.

Consider the real software behavior α as a sequence of system calls. After obtaining α and β, the noninterference equation is used to determine whether there is a bias between them so that the trusted state of the application running in the environment can be determined.

And there is an effective noninterference property validation algorithm.

Trustworthiness determination based on noninterference has three attributes: (1) output consistency (2) weak single-step consistency (3) local noninterference

Definition of noninterference theoretical model:

Let the actions in the security domains ui, uf, ue and un be denoted by ai, af, ae and an, respectively. Without loss of generality, suppose there is a sequence of actions (i.e., behaviors) as follows: α = ai1∘af1∘ai2∘ae∘af2, then the corresponding behavior β = wexpected(α, un) in WEMA is calculated according to the security policy. It can be calculated by the definition: β = ai1∘af1∘Λ∘ae∘Λaf2.

The automated validation process of whether the behavior α is trusted is shown in Figure 1. The circles in Figure 1 indicate the states, the arrows between the circles indicate the actions that trigger the state change, and the dashed lines between the circles indicate the process of simultaneous execution of EMA and WEMA.

The trustworthiness validation process for α = ai1∘af1∘ai2∘ae∘af2 is as follows.

(1) First, both EMA and WEMA run synchronously from the same initial state s0=t0.

According to the symbol interpretation of Theorem 2:

● For EMA: At this point, α0=α=ai1∘af1∘ai2∘ae∘af2. After EMA executes the first action ai1, it changes from state s0 to state s1 and will continue to execute the sub-action α1=af1∘ai2∘ae∘af2.

● For WEMA: At this point, β0=β=ai1∘af1∘Λ∘ae∘Λaf2. After executing the first action ai1, WEMA changes from state t0=s0 to state t1, and will continue to execute the sub-action β1=af1∘Λ∘ae∘Λaf2.

Recursively validate whether the state is trustworthy. Calculate and substitute "(s2,ISα2,t2)(s2,ISα2,t2) and (s3,ISα3,t3)(s3,ISα3,t3)" and "(s3,ISα3,t3)(s3,ISα3,t3) and (s4,ISα4 ,t4)(s4,ISα4,t4)",) is sufficient for validation. The specific procedure is omitted.

RSM Protection Solutions

Trusted State

RSM presents easy-to-read information to the outside world about whether the application is trusted

The state parameters for the RSM trusted state judgment are as follows.

appid, pid, starttimestemp, curstarttimestemp, truststatus, serverip

Snapshot Data

Application Image

An image is a special file system that contains some configuration parameters (such as anonymous volumes, environment variables, users, etc.) prepared for runtime, in addition to providing files such as programs, libraries, resources, and configuration required for container runtime. The image does not contain any dynamic data, and its contents are not changed after the build.

State Snapshot

Save the system state and application state as a snapshot, containing the running state of the system, the running state of the application, the memory data mapping, and the configuration of the data source. Its essence is to record the disk and memory data of the virtual machine at a point in time.


A database snapshot is a read-only static view of the database (the source database). It is transactionally consistent with the source database from the time the snapshot is created. Multiple snapshots can exist in a given source database.

Each database snapshot is retained until it is explicitly deleted by the database owner. Database snapshots run at the data page level, copying the original pages from the source database to the snapshot before modifying the source database pages for the first time. The snapshot will store the original pages, retaining the data records they had at the time the snapshot was created. Repeat this process for each page that is to be modified for the first time.

Last updated