ICS Software Trust Measurement Method Based on Dynamic Length Trust Chain

Aiming at the real-time requirements for industrial control systems, we proposed a corresponding trust chain method for industrial control system application software and a component analysis method based on security sensitivity weights. A dynamic length trust chain structure is also proposed in this paper. Based on this, the industrial control system software integrity measurement method is constructed. Aimed at the validity of the model, a simulation attack experiment was performed, and the performance of the model was repeated from multiple perspectives to verify the performance of the method. Experiments show that this method can eﬀectively meet the integrity measurement under the condition of high real-time performance, protect the integrity of ﬁles, and improve the software credibility of industrial control system.


Introduction
Industrial control system security, as an important part of the industrial control system, profoundly affects the development of industrial control network-related industries and has a strong degree of industrial relevance and industrial penetration. Information security of industrial control systems has become an important part of the integration of the two industries. e security risks it brings are no longer just "small" problems such as information leakage and unavailability of information systems. With the attack technology and means of industrial control system becoming more and more advanced, complex, and mature, the security threat of industrial control system is becoming more and more serious. erefore, security measures are urgently needed to deal with the security threat of industrial control system. Trusted computing technology is widely concerned by industrial control industry because it can provide security immunity. As an active defense method, trusted computing can improve security of industrial control system from inside [1].
Considerable achievements have been made in the credibility of industrial control systems, but most of these achievements are based on traditional computer systems [2,3]. Because the reliability and real-time requirements of industrial control system are not considered, these methods cannot be directly applied to industrial control system.
For the top-level design of industrial control system security, Cheng et al. [4] proposed a trusted computingbased industrial control security solution.
is solution improves the security of industrial control systems through the cooperation of firewall technology, intrusion detection technology, and trusted computing technology. An et al. [5] realized the application of trusted computing technology in power system, realized higher level security protection of power system, set a precedent, and provided a case worthy of reference for the construction of security immunity engineering in other industries.
In trusted computing field, the traditional construction mode of trust chain is only applicable to a single system. For the dual redundancy system, it causes break of transitive trust. Wang et al. [6] proposed a trust chain structure based on a dual redundant system to implement credibility determination in the automatic switching process when an industrial control computer fails. Shang et al. [7][8][9] discussed the credibility of traditional PLC (programmable logic controller) in industrial control from different angles and achieved specific analysis of common equipment in industrial control systems. e TCG trust chain has great potential in the construction of a trusted operating system [10], but for the measurement process from the operating system to the application, the structure of TCG trust chain is too simple to meet the diverse requirements of the application layer, and there are fewer applications in the application layer.
IMA (integrity metric architecture), as the first integrity measurement architecture based on TCG standard, is of great significance [11]. IMA determines the trustworthiness of software by performing integrity metric before the program runs, but it does not mean the trustworthiness of the program at run time. Shi et al. [12] proposed BIND (binding instructions and data), a fine-grained attestation service for securing distributed systems, which achieves small granularity dynamic verification by measuring the integrity of key code segments. However, it needs to identify key code segments and establish binding relationship between input and output data before running, which is a complex process. Shankar et al. [13] provided a largely automated system for verifying Clark-Wilson interprocess information-flow integrity.
ey defined a weaker version of Clark-Wilson integrity, called CW-Lite, which has the same interprocess information-flow guarantees, but which requires less filtering, only small changes to existing applications. But the formal validation capability of the model is not sufficient to formally validate the system.
Li et al. [14] proposed a dynamic trusted application model for privilege isolation, maintaining flexibility in application loading and improving the trustworthiness of the application layer. Garfinkel et al. [15] enabled the measurement of applications by using DRM (digital rights management) approach to deliver trust. Zhang et al. [16] proposed a trustworthiness analysis method for the application layer, which uses a nondisruptive behavioural approach to achieve real-time application metrics.
Industrial control system is a typical system that does not need to be restarted frequently, which makes the application of TCG trust chain in industrial control system very difficult and cannot meet the actual application requirements [17][18][19]. e purpose of building a trusted operating system is to ensure that the application has a trusted execution environment and that the trust relationship can continue. For industrial control systems, based on meeting the reliability and real-time requirements of industrial control systems, improving the credibility of application programs is a very critical issue [20,21]. In this paper, we start with the static measurement method, focus on real-time, and build a trusted approach at the application layer. Compared with the existing literature, this paper has the following major contributions: (1) A software component analysis method is proposed that takes security sensitivities into account. is approach enables a hierarchical protection scheme for different files by dividing the software components by considering the security sensitivity of the files. e solution can effectively improve the realtime performance of applications when performing integrity checks.
(2) A new dynamic length chain of trust transfer model is proposed. e model can be adapted to different real-time requirements and complete integrity verification on the basis of meeting the real-time requirements of industrial control systems. is new dynamic length chain of trust structure has the features of easy updating, dynamic structure, and adjustable real-time requirements. (3) A software trustworthiness verification model based on dynamic length chains of trust is proposed. Adopt the concept of differentiated design of the application software's own components and the system's common components to achieve classification and management of different components and to optimise the efficiency of integrity verification. Effectively improve the efficiency of system integrity verification, reduce the burden of trusted computing on the system so that trusted computing technology means can continue to be used in the absence of system resources and can be effectively compatible with the old industrial control system, and enhance the system's trustworthiness as much as possible at a lower upgrade cost. e update process of the model is also discussed, which is characterised by easy software updates. e rest of this paper is organized as follows. ICS software analysis is discussed in Section 2. A software trust measurement model based on dynamic length trust chain (DLTC) is proposed in Sections 3. e effectiveness of the algorithm is verified by a simulation experiment in Section 4. Finally, the conclusions are given in Section 5.

ICS Software Analysis
2.1. Real-Time. Industrial control system is facing a large number of new security challenges, and industrial control computer is undertaking more and more information security responsibilities. Information security protection methods generally adopt the combination of active defense and passive defense. As an important technology of active defense, trusted computing is becoming more and more important. Generally, the combination of dynamic and static methods is used to ensure the credibility of the system. Integrity measurement is a common static measurement method. However, it also has an inherent disadvantage: integrity measurement of trusted computing is usually performed before the program runs. For services with real-time requirements, careful consideration must be given to whether to use static measurement methods for integrity measurement [22].
Real-time means that the input, calculation, and output of the signal are completed in a very short time and processed in time according to the changes in the generation process. Real-time is the ability to perform specified functions within a limited time and respond to external asynchronous events. Emphasis is on the specified time, as long as the completion within the specified time is real-time [23].
Specifically, for any stimulus-response system, there is a time from the stimulus input to the response output, that is, the stimulus-response period T, which represents the time response capability of the system.
If the response time T of the system can meet the requirement of the response time t specified by the system, that is, t≤ T, the system is a real-time system.
In industrial control systems, two main factors are affecting the real-time performance of the system: on the one hand, the real-time nature of the unit components in the system. at is, controllers, sensors, and actuators must meet real-time requirements. On the other hand, it refers to the real-time nature of the industrial communication network, and the information interaction between field devices must be completed within a certain time.
According to the requirements of different systems for real-time requirements, field information can be divided into real-time information and nonreal-time information. Real-time information must be processed on time, with high requirements for real-time performance. Priority must be given to prevent system failure. At the same time, the credibility of this operation is higher. e execution of this part of the program is related to the credibility of the system's fault handling behavior. e integrity measurement method usually increases the delay and affects the real-time performance of the system. erefore, for systems with high real-time requirements, integrity is to measure integrity on the premise of meeting real-time requirements.
Integrity measurement and real-time are usually mutually limited. For hard real-time systems, the delay fluctuation in integrity measurement may have a significant impact, resulting in that system cannot operate normally. For soft real-time system, the impact of integrity measurement is less than that of hard real-time system. At the same time, the availability of industrial control system is very important. ere is a strong positive correlation between real-time and availability. Generally speaking, availability and real-time should be considered first when considering the security of industrial control system.

File Type.
Documents have different security sensitivities and different levels of security protection. For securitysensitive files, more security measures need to be added to ensure that they are secure. For security-sensitive files, such as dynamic link library, static link library, and Perl script, this paper analyzes the file characteristics of Linux platform and the emphasis of integrity measurement. is paper mainly analyzes and studies the common file types in Linux system. For example, the binary file is the traditional executable file, while the script language program is generally described as a text file.
is paper considers that security-sensitive files under the Linux platform which can be divided into the following three categories: the first category is executable files, which includes the files that can be executed with executable permission, and the files that can be executed after getting executable permission but have no executable permission at present. ese files include the main files that can be directly run, including dynamic link libraries, static link libraries, binary files, and scripts. e second category is the files containing sensitive data. ese files store information that may be used during program operation, such as files that record the hash value of files. ey need to be verified for integrity to prevent hackers from modifying it after obtaining administrator rights of these files. e third category is the user-defined security-sensitive files. Users can define files as security-sensitive files according to actual needs.

Component Analysis Method Based on Security
Sensitivity.
e previous paper analyses the software requirements and characteristics of industrial control systems from three perspectives. To better describe the internal connections and characteristics of these files, a two-dimensional attribute is constructed to describe the characteristics of the files.
rough cluster analysis of the file characteristics, the internal connections of the files are obtained, and the files are decomposed to meet the needs of establishing a real-time trust chain structure.
Software attributes are constructed from two dimensions: the first is the weight of security sensitivity. Different levels of security sensitive files need different weights, which need to be determined artificially and protected by different protection levels. is is a "hierarchical protection" method [24], which can effectively deal with complex practical situations. e second is the relationship and function between calling and called. e calling relationship in a program is usually organized by function. e granularity of analyzing software behavior based on function is too small, which leads to too many details involved in measurement. Usually, the number of files involved in a program that performs a specific function is fixed, and not all files are involved. By analyzing the calling relationship of a specific function, the number of files that need to be verified when using the function can be effectively reduced, so as to improve the realtime performance of integrity measurement.
Due to the difference of software structure, it is difficult to analyze the calling and called functions with automatic method, and it depends more on experience. Taking OpenPLC as an example, it is mainly based on the inclusion of header files, and the calling relationship of program files is determined by the operation of header files. OpenPLC file structure is clear and easy to identify. Usually, each folder is a file that performs independent functions. Scientific Programming rough the above two attributes, different files can be classified and processed. e software is written with different software structure, and the analysis is slightly different. A well-designed software should meet the requirements of "high cohesion and low coupling." For such software, it is easy to handle at the file and folder level.
According to these two principles, files with similar functions are put in the same "package." e package consists of several files with similar functions and security sensitivity [25]. ese files should show the relationship between the calling and the called. e concept of package essentially defines the delay of component, but the granularity of the component is different from the traditional definition [26,27]. is method puts more emphasis on the security sensitivity of files, which is an improvement of component definition.

Dynamic Length Trust Chain.
In the industrial control system, the software update is slow, and it takes a lot of time to realize the dynamic measurement method in the industrial control system [28]. At present, static method is widely used because of its simple and easy deployment [29].
Generally speaking, these methods are easy to implement and highly customized, and traditional models use TPM as the source of trust. As a trusted root, TPM has been proved to be a feasible solution and has been widely used. Many scholars put forward the construction technology of virtual trusted root in cloud environment [30][31][32]. For some industrial control systems without TPM, the trusted root based on USB can be used, which can also bring the expected effect [33,34]. e trust chain length of TCG organization is fixed, and the measurement time is relatively fixed, which cannot meet the real-time requirements of industrial control system. If we give up the measurement of some documents directly, it is difficult to guarantee their credibility. erefore, we need a dynamic length of trust chain, and cut the length of the trust chain to meet the requirements of trust degree. At the same time, the chain trust transfer model cannot effectively describe the call and transfer of control between applications. Even for entities with measurement capability, with the increase of the number of entities in the computing platform, the chain trust transfer model will become difficult to manage.
In view of these shortcomings, this paper proposes a Dynamic length trust chain (DLTC) structure for real-time industrial control systems. is structure effectively solves the problems of fixed length of trust chain, fixed measurement time, and poor real-time performance. At the same time, this structure can also effectively describe the calling relationship between software. e description of software dependency can adapt to the current software environment. e file package sequence obtained by using the analysis method based on security sensitivity and components is F 0 , F 1 , F 2 , . . . , F n , recorded as Ω, as shown in (1). F 0 is the main function; n is the number of file package; there are n+1 file packages in Ω: (1) For a program, the description of its package is shown in (1), and then a corresponding chain of trust can be described as an ordered sequence as described in (2); φi � 1 means the file package is in TL; φi � 0 means the file package is not in TL; in particular, φ0 � 1 means the trust chain always contains the main function.
e calculation method of the length definition of the trust chain is shown in Equations (1) and (2) describe the elements contained in the trust chain. In essence, the trust chain is still a chain structure trust chain, but because the successor nodes of each node in the trust chain are dynamically determined, it forms a tree structure trust chain.

Real-Time Mathematical Description.
For an entity, the system response time requirement is T, which means that the response time [35] meets the following equation: For an entity, the response time without adding the integrity measurement method is t 1 , and the time required for its integrity measurement is t 2 , and then the total response time satisfies the following equation: en, the expected maximum response time of the chain of trust is defined, which is as shown in equation (6). In equation (6), α is the dynamic coefficient, and 0≤α ≤ 1. Its existence is to leave a margin for the estimation error of the system in the required measurement time, so as to ensure that the system will not fail due to exceeding the response time requirement under hard real-time conditions.
For any package F i (1 ≤ i ≤ n), the files in it are marked as f ij . ere are two attributes for anyone, one is the file size, marked as s ij ; the other is the expected measurement time of the file, marked as τ ij , which describes the end of the comparison of the completeness of the hash calculation value integrity check result of the file. e expected measurement time τ ij for any file satisfies the following equation: e calculation of equation (7) is obtained by least square fitting, which describes a relationship. e time required for a file to perform integrity measurement consists of two parts. One is the file I/O time, and the other is the time required for hash calculation. In equation (7), a describes the fixed overhead time of file I/O, and b describes the measurement time that increases as the file size increases. is part of the time is mainly generated by the hash operation. e actual values of the parameters a and b need to be calculated according to the actual configuration of the system. e calculation process of this parameter in the experimental environment of this paper is detailed in Section 4.2.
en, the integrity measurement time of each file package is j τ ij , which is defined as the measurement time sum of all files contained in the file package. e most time-consuming step in the dynamic generation of a complete trust chain is the hash operation, but other smooth processing also consumes a lot of time. e main steps of trusted chain generation include the following parts: (1) Due to the serial original in the TPM, the backlog of unfinished operations will affect the subsequent operations, which will cause delays, which is recorded as t TPM , as shown in Figure 1.
(2) Processing hash metric list (HML) operations requires time. HML is defined in Section 3.2. is part of the time can be divided into HML reading time, recorded as t HMLr , and time to write HML, recorded as t HMLw . (3) e time consumed to generate the random number, process the random number, and generate the chain of trust is t randm . (4) e time to calculate the integrity of all the files in the chain of trust.
T h max can also be described in the following equation:

Hash Metric List.
For a program, its related information is recorded in a text file, called a hash metric record table, abbreviated as Hash Metric List (HML). It is stored in a trusted storage space controlled by the TPM, it is encrypted by the encryption algorithm contained in the TPM, and the key is stored in the TPM to ensure the security of the HML. e file structure of the HML is shown in Figure 2. e main information stored in HML includes the following contents: the file structure of the software and all files, the number of measurements transferred by each file, total number of measurements, the file size, and the integrity measurement results of each file.
In order to prevent the HML file from being tampered, integrity measurement and report should be carried out before using the HML file every time to determine the credibility of the HML file.
To maintain HML more conveniently and efficiently, we divide HML file into two types, the first one is a system hash metric record table, denoted as SHML (system hash metric list), and the second one is an application hash metric record table, denoted as AHML (application hash metric list). SHML is used to store the hash value measurement results of public resources in the system, and AHML is used to record the hash value measurement results of the application's files. e main reasons for adopting this design method are as follows: (1) Storing all records in a unified HML will lead to too large HML file and low search efficiency, which cannot meet the design goal. e use of large HML files will have a great impact on the real-time performance of the system.
(2) e component-based design method produces a large number of public resources. Many of them are public resources in the system as dynamic link library (DLL). A large number of services call DLL. If each HML stores relevant information, it will cause a great waste of resources.
(3) Credibility of integrity measurement results can be considered as short-term rather than long-term, or invalid after measurement. Whether two integrity measures are needed in two calls to common resources in a short time is worth discussing. By considering the validity period of integrity measurement, we can effectively reduce the time of integrity measurement and improve the real-time performance of the system.
(4) Consider the security principles of "least privilege" and "as needed." ese DLL modules only serve specific programs. If they are all stored in a unified HML file, it may bring information security risks.
In summary, the HML is divided into a system-maintained SHML for controlling common components and an application-specific AHML.
As described in Section 2.3, through the analysis of software components, the files in a complete software are classified, and the loose file structure is changed into a compact file package structure. e granularity of the package can be adjusted according to the measurement requirements. AHML is dynamically formed in the trust chain constructed in this paper. To ensure information security, two files are used to manage AHML, AHML-H, and AHML-F.
AHML-H is used to store software packages, absolute path names and integrity metrics. It stores sensitive information. In order to prevent tampering, it separates the information that needs to be modified from the information that does not need to be modified during the operation. AHML-H stores the integrity measurement results and encrypts them with the encryption function provided by TPM.
AHML-F is used to store packages. e main information it stores is the file package, package size, measurement times, measurement interval, security sensitivity weight, and total measurement times. e file is dynamic when the trust chain is generated. In order not to store sensitive check value information and ensure security, the random number selection algorithm is used to achieve the measurement times, so as to achieve better robustness and ensure the correct operation of the program when the measurement times have problems.

Scientific Programming
Implementing AHML as two files has the following advantages: firstly, the separation of sensitive information and nonsensitive information is realized. AHML-H and AHML-F are stored in trusted storage areas. ere is no sensitive information in AHML-F, and it will be modified dynamically during the running of the program to ensure its security. Once the memory leak occurs, the impact will be very small. AHML-H file stores sensitive integrity measurement results, which can ensure its security by only reading and not modifying.
Secondly, unnecessary information can be hided. AHML-H file itself does not reflect those files that need to be measured, which can reduce the time of file path and integrity measurement results appearing in memory and prevent the information security problem that the software cannot be loaded into memory when using static measurement method.
Finally, the size of related files can be reduced, and the complexity of AHML-H file retrieval can be reduced. It can save time to measure while retrieving. By separating reading AHML-H file from writing AHML-H file, the writing operation of AHML file is independent of measurement, which can save measurement time.

Trust Chain Generation Method Based on Roulette Rules.
For a software, a series of packages are obtained by using the "analysis method based on security sensitivity and component," which maintain an AHML-F file and an AHML-H file.
e operating system maintains a SHML file. For AHML-F, the data item "measures" constitutes an array M of lengths 1×n, where M i is number of times the i-th file package was measured. e combination of arrays M and random numbers determines the generation of trust chains. e random number is generated by the TPM. e random number generator is one of the several functions provided by the TPM. Its data item "security sensitivity weight" constitutes an array W of lengths 1×n, where W i is the weight of the i-th file package.
Each time TPM generates a random number R, the mapping between the random number and the file package is generated by the roulette selection method. e steps of generating trust chain file by roulette selection method are as follows.

Handling Arrays M and Arrays W.
e array W exists in the form of characters and needs to be converted into numeric values. e array W reflects the adjustment of the trust chain structure according to the security sensitivity of the package, which affects the structure of the trust chain in a proportional way. Depending on the sensitivity, the values are 4, 3, 1, and 0.5.
To improve the robustness of the algorithm, restrictions are added. For packages that meet the conditions shown in equation (9), in the selection of trust chain, the probability of being selected is 1, where max-() means calculating the maximum value of the array. k is the limited number of times, which can be adjusted according to the actual situation. In this paper, k � 5.
Equation (9) is to ensure that the difference between the number of times any two packages are measured is not greater than 5, so as to ensure that in extreme cases, nonsecurity sensitive data can also get a limited number of integrity measures. e robustness of the algorithm is improved.

Selection Probability.
Roulette selection method, also known as proportional selection method, is based on the proportion of individuals in the whole. First, the array M is updated by the following equation: en, the probability of selection is calculated by the following equation: 3.3.3. Cumulative Probability. Selection probability of each package is calculated by the following equation:

Repeating the Above Process until Sufficient Data Are
Generated. In this way, the trust chain structure can be generated dynamically. Due to the robustness of the algorithm, the measurement times of the algorithm will not be greatly different.

Trust Chain Update Mechanism.
e trust chain of TCG chain structure adopts the extension operation of hash, which makes it difficult to update. Once the hash value of a node is updated, the trust chain needs to recalculate the hash value and carry out the extension operation, which leads to a lot of calculation work. To solve this problem, the star trust chain stores hash values for different nodes, which can effectively solve the problem of updating. e trust chain structure proposed in this paper has the characteristics of star structure trust chain and is easy to update. e update process of file modification is as follows: (1) Update AMHL-H file. Update the files that need to be updated and modify the corresponding records in the AMHL-H file.

Simulation Platform
Building. e configuration of the experimental platform is shown in Table 1. Due to the limitation of experimental conditions, TPM v1.2 is adopted.
is experiment only verifies the effectiveness, and the performance experiment only represents the running effect in the current experimental environment. e benchmark data measured in Section 4.2 only represent the current experimental platform.

Benchmark Data Measurement.
In order to objectively measure the impact of device configuration on the time Scientific Programming consumption of TPM hash operation, the following experimental scheme is used to test: (1) Randomly generate 1024 files, the file size is from 1 KB to 1024 KB, and the interval is 1 KB.
(2) Hash these files and extend them to PCR through extend operation, and record the time required for each operation, the unit of measurement is ms, and measure 100 times repeatedly.
(3) Processing data: remove the data less than the smaller quartile, remove the data greater than the larger quartile, and calculate the arithmetic mean of the remaining data to replace the whole data. (4) e data calculated in step 3 are fitted by least square method, and the fitting calculation is carried out by where T hash is the time required to hash the file, and the unit of measurement is ms; F s is the size of the file to be measured; the unit of measurement is KB. e determination coefficient of the fitting equation is r 2 � 0.9989, which indicates that the fitting result is good.

Case Analysis Based on OpenPLC.
OpenPLC is an easyto-use programmable logic controller based on open-source protocols [37,38]. For OpenPLC, the first dimension of its file attributes is analyzed in two steps: Step 1: filter the installation file name and authority.
rough the LS command in Linux, output all the file names and related authorities, and filter out the files that can be considered as the security-sensitivity weight of D through reverse filtering. Files with such characteristics are usually as follows: (1) C/C++ language source code, Java source code, Makefile and other files with source code: script files are not included. For OpenPLC, these files are only used in the installation, and do not work in the subsequent software operation. (2) Config files used during software installation: these files serve Linux software installation. Config file used in the software running process is not included. image files can be considered as not security-sensitive. e important premise is that the software has enough robustness and will not fail because of the lack of these image files.
Step 2: through manual measurement, security sensitivity of files can be determined more accurately.
For OpenPLC, some folders are used to store software output files. ese are software outputs and have nothing to do with the operation of the software. e security of these outputs can be guaranteed by data encryption, which is beyond the scope of this article.
According to the above method, the OpenPLC package number and file size are shown in Table 2. As shown in Table 2, the total size of the file package is 1092.5 KB. According to (13), the expected measurement time is 24.0961 ms, the maximum file package size is 861.4 KB, and the expected measurement time is 18.5721 ms, accounting for 77% of the total expected measurement time. e main reason for this problem is that the file package contains files with large memory consumption.

Effectiveness Analysis.
After successful installation of the experimental environment, comparative experiments are designed to verify the effectiveness of the algorithm. e validation of the algorithm mainly considers whether the algorithm can effectively prevent illegal start-up behavior. Table 3 shows the validity of the algorithm. e above analysis shows that the algorithm is effective.

Performance
Analysis. Dynamic length trust chain mainly solves the strict real-time requirements of industrial control system, so the fluctuation of its performance is very important for the credibility of industrial control system software and the performance analysis of model. Real-time First, the test is executed when the real-time requirement is low, all metrics can be executed, and the expected maximum response time is limited. is time limit can fully meet the package distribution shown in Table 2. Under this realtime condition, the experimental data of 100 repeated tests are shown in Figure 3.
In the data shown in Figure 3, the maximum consumption time is 25.6791 ms, the minimum consumption time is 23.0454 ms, the average consumption time is 24.2340 ms, and the variance is 0.3627. From the data fluctuation and variance data shown in Figure 3, we can see that the stability of the algorithm is very good, and the data fluctuation is small. In the process of integrity measurement, the expected maximum response time T h max will not be exceeded, which can meet the requirements of low real-time.
Secondly, test is performed for a situation that the realtime requirement is high and a large number of measurements cannot be carried out. In this case, the scheduling ability of the algorithm determines the number of times the file is measured. e limit dynamic coefficient is α � 0.9, the maximum expected response time is T h max � 24 ms, and the time required for OpenPLC to perform a hash operation is T0 � 24.0961 ms, here T0 > T h max . At the same time, considering the fluctuation of calculation time in the measurement process, the integrity of all files cannot be calculated in the measurement process. In order to meet the real-time and robust requirements of industrial control system, the performance analysis of the algorithm should be carried out from two aspects: (1) considering the fluctuation of the algorithm. e fluctuation of algorithm will lead to timeout and destroy the availability of industrial control system; (2) considering the fluctuation of packet measurement process. e number of times each software package is measured should be as stable as possible to ensure that each file has the opportunity to be measured, so as to improve the credibility of the whole software system.
In Figure 4, the maximum value is 25.3655, and 54% of them is larger than T h max . All samples are less than T h maxα . α � 0.9 is used to describe the margin left by the algorithm. It can be seen that the algorithm does not exceed the limit. e results show that the fluctuation of the algorithm is reasonable and will not cause the program execution to fail beyond the time limit. ./webserver/static 538565 1 7 ./webserver/core 396202 3 8 ./webserver/lib 213255 3 9 ./webserver/scripts 7303 3

Scientific Programming
When dynamic coefficient α � 0.9 and the maximum distribution of the expected maximum response time 25 ms ≥ T h max ≥ 19 ms, distribution of the maximum running time is shown in Figure 5.

Conclusions
According to the real-time requirements of industrial control system, as well as the operating system and application software rarely involved in TCG related research, the corresponding trust chain construction method is proposed in this paper. According to the characteristics of industrial control system software, a component analysis method based on security sensitivity weight is proposed from three aspects of real-time requirements, component characteristics, and file characteristics. Based on the analysis of traditional trust chain structure, a dynamic length trust chain structure is proposed. e generation process of this trust chain structure is described in detail, and an example is analyzed.
e effectiveness of the model is evaluated from two aspects. e effectiveness of the model is verified by simulation attack experiments, and the effectiveness of dynamic length trust chain is analyzed by simulating the impact of different attack behaviors on file changes. Experiments show that this method can effectively deal with various attacks, protect the integrity of the file, and improve the credibility of the program.
e performance of the model is analyzed by repeated experiments. Performance analysis experiments show that the method can meet different real-time requirements.
is paper studies the measurement method of operating system and application in trust chain and proposes a new trust chain structure. However, this method still needs to be further improved. At present, the degree of automation of the analysis process is low, which requires the intervention of human experience, and the process is more complex. e real-time condition is limited, because information security technology will inevitably lead to delay, and the harsh realtime requirements cannot be met. ese are our further research directions.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.  10 Scientific Programming