Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development
2.9.4 Remote Attestation
15-12-09

Secure boot gives embedded systems developers confidence that the products they deploy can withstand low-level, boot-time firmware attacks. Some risk nevertheless remains: a sophisticated attacker may still be able to compromise the secure boot process. In addition, an attacker may replace a deployed product with a malicious counterfeit. For example, a smart meter could be taken down from a utility pole and replaced with an identical-looking rogue meter that quietly sends private energy consumption and billing information to a malicious website. Therefore, even with secure boot in place, users and administrators should make sure that the deployed product is running a known-good TCB.

When the embedded system is connected to a management network, remote attestation can be used to provide this important security capability. Once again, the TCG gives TCG-compliant systems a standardized mechanism for performing remote attestation using TPM-based measurements: when a connecting client cannot provide proper attestation, its network access is blocked. In TCG terminology this capability is called Trusted Network Connect (TNC) [22]. There is, however, a simpler, hardware-independent approach that any embedded system can use.

Let us assume that the embedded system can communicate with a remote attestation server over a secure channel such as IKE/IPsec or SSL (both are discussed in Chapter 5). The initial session establishment uses public-key cryptography. In particular, a static private key representing the identity of the remote embedded system is used to sign data that the attester then verifies. As long as that private key and the client's secure connection protocol software are contained within the TCB validated during secure boot, the attester can be confident that the embedded system is running some known-good firmware. The successful establishment of an IKE or SSL session therefore serves by itself as remote attestation. This approach can be refined to ensure that the embedded system is running a specific set of trusted firmware components: the client transmits a complete set of digital signatures, following the TCB chain, to the attester, which keeps a locally stored set of known-good signatures. This refinement is harder to implement, because the corresponding signatures must be computed and stored at manufacturing time, before the embedded product is deployed.

References

[1] Anderson JP. Computer Security Planning Study, http://csrc.nist.gov/publications/history/ande72.pdf; 1972.

[2] Liedtke J. Toward Real Microkernels. Communications of the ACM September 1996;39(9):70-7.

[3] DiBona C, Stone S, Ockman M, editors. Appendix A, Open Sources: Voices from the Open Source Revolution. Sebastopol, CA: O'Reilly; 1999.

[4] Microsoft Security Advisory (2639658). Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege, http://technet.microsoft.com/en-us/security/advisory/2639658; November 3, 2011.

[5] US-CERT/NIST National Vulnerability Database. Vulnerability Summary for CVE-2011-3402, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402.

[6] Carlsson M. Worst Case Execution Time Analysis, Case Study on Interrupt Latency, for the OSE Real-Time Operating System, http://www.astec.uu.se/publications/2002/Carlsson-WCET_Exjobb.pdf.

[7] Jaeger T, Sailer R, Zhang X. Analyzing Integrity Protection in the SELinux Example Policy. Washington, DC: Proceedings of the 12th USENIX Security Symposium; August 4-8, 2003.

[8] Hardy N. The Confused Deputy. ACM SIGOPS Operating Systems Review October 1988;22(4).

[9] Whitaker A, et al. Denali: Lightweight Virtual Machines for Distributed and Networked Applications. Boston, MA: USENIX Annual Technical Conference; June 10-15, 2002.

[10] King S, Chen P, Wang Y-M, Verbowski C, Wang HJ, Lorch JR. SubVirt: Implementing Malware with Virtual Machines. Berkeley, CA: IEEE Symposium on Security and Privacy; May 21-24, 2006.

[11] Ormandy T. An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, http://taviso.decsystem.org/virtsec.pdf; 2006.

[12] Rutkowska J, Tereshkin A, Wojtczuk R. "Detecting and Preventing the Xen Hypervisor Subversions," "Bluepilling the Xen Hypervisor," "Subverting the Xen Hypervisor." Las Vegas, NV: Black Hat USA; August 7, 2008.

[13] CVE-2008-2100. National Vulnerability Database, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2100.

[14] Mijat R, Nightingale A. Virtualization Is Coming to a Platform Near You. White Paper. ARM Ltd; 2010.

[15] Dowd M. Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf; April 2008.

[16] Maxtor Basics Personal Storage 3200 (PS 3200) virus [205131]. Seagate Knowledge Base, http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=205131.

[17] Adee S. The Hunt for the Kill Switch. IEEE Spectrum Magazine, http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch/; May 2008.

[18] Rutkowska J. Subverting Vista Kernel for Fun and Profit. Las Vegas, NV: Black Hat Briefings; August 3, 2006.

[19] Intel Trusted Execution Technology (Intel TXT). Software Development Guide/Measured Launched Environment Developer's Guide; March 2011.

[20] Wojtczuk R, Rutkowska J. Attacking Intel Trusted Execution Technology. Washington, DC: Black Hat DC; February 18-19, 2009.

[21] Trusted Computing Group (TCG) Trusted Platform Module (TPM) Main Specification. Level 2, Version 1.2, Revision 116 (in three parts, "Design Principles," "Structures of the TPM," "Commands"); March 1, 2011.

[22] Trusted Computing Group (TCG) Trusted Network Connect (TNC) Architecture for Interoperability, Specification Version 1.4, Revision 4; May 18, 2009.

[23] Sharon G. Security Expert: U.S. Companies Unprepared for Cyber Terror. eSecurity Planet; July 19, 2002, http://www.esecurityplanet.com/trends/article.php/1429851/Security-Expert-US-Companies-Unprepared-For-Cyber-Terror.htm.
