Method to verify the execution integrity of an application in a target device

Abstract

The present invention concerns the field of software verification, in particular to check whether the run-time integrity of a software application can be demonstrated. It is therefore proposed a method to verify, by a verification server, the execution integrity of an application in a target device wherein the verification server receives an application signature generated from run time application information on the target device, said signature being used to verify the execution integrity of the application in the target device, said application comprising an array of blocks, each block producing a digest, thus producing an array of digests related to the array of blocks, comprising the steps of: —sending to the target device a message comprising a challenge and a first function, said first function defining an aggregation method, said challenge defining an aggregation instruction, —receiving an attestation from the target device, this attestation being generated by the target device by determining for each block, the corresponding digest for said block, aggregating the digests of the blocks according to the aggregation method of the first function and the challenge to produce the attestation related to the application, —applying a second function to the attestation by the verification server, said second function undoing the effect of the challenge thus producing an application signature independent of the challenge, —verifying the execution integrity of the application by comparing the produced application signature with a reference signature.