The design of the verification function is based on the Pioneer primitive. The verification function consists of three main components: the checksum function, the send function, and the hash function.
The checksum function computes a checksum over the entire verification function and sets up an environment in which the send function, the hash function, and the executable are guaranteed to run untampered by any malicious software on the RTU. The checksum function must be designed so that modifying even a single byte of the verification function changes the checksum. A correct checksum assures the external verifier that the code has not been modified. An adversary could, in principle, modify the verification function and compute the checksum over an unmodified copy of its code, thereby producing the correct checksum.
A cryptographic hash function that is second pre-image resistant is used to perform the integrity measurement of the executable. A random nonce received from the external verifier and the code of the executable are hashed together, and the resulting digest is returned to the external verifier. The external verifier compares this digest with the expected one to ensure that the executable has not been modified. When the hash function finishes, it invokes the executable.
The send function sends the checksum and hash digest to the external verifier.
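The following is an added toy model of the three components described above and of the external verifier that checks their output; it is illustrative code written for this page, not Pioneer's implementation or any RTU firmware. The two code images, the nonce length, the separator prefixes, and the assumption that the checksum function is seeded with the verifier's nonce (the text only states this for the hash function) are all assumptions of the example. SHA-256 stands in for both the checksum function and the second pre-image resistant hash.

```python
"""Toy model of the verification function (checksum, hash, send) and the
external verifier that checks its output. Added illustration, not RTU code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-ins for the code images present on the RTU (not real firmware).
VERIFICATION_FUNCTION_IMAGE = b"\x90\x90checksum|hash|send\xc3"
EXECUTABLE_IMAGE = b"\x55\x48\x89\xe5RTU control loop v1\x5d\xc3"


def checksum_function(nonce: bytes, vf_image: bytes) -> bytes:
    """Checksum over the entire verification-function image.

    Assumption of this example: the checksum is seeded with the verifier's
    nonce, so a response computed for an earlier challenge cannot be replayed.
    Any single-byte change in vf_image changes the result.
    """
    return hashlib.sha256(b"checksum:" + nonce + vf_image).digest()


def hash_function(nonce: bytes, executable: bytes) -> bytes:
    """Integrity measurement: second pre-image resistant hash of nonce || executable."""
    return hashlib.sha256(b"measure:" + nonce + executable).digest()


@dataclass(frozen=True)
class Response:
    checksum: bytes
    digest: bytes


def send_function(checksum: bytes, digest: bytes) -> Response:
    """Packages the checksum and the hash digest for transmission to the verifier."""
    return Response(checksum=checksum, digest=digest)


def rtu_verification_function(nonce: bytes, vf_image: bytes, executable: bytes) -> Response:
    """RTU side: compute the checksum, measure the executable, then send both."""
    cs = checksum_function(nonce, vf_image)
    dg = hash_function(nonce, executable)
    return send_function(cs, dg)


class ExternalVerifier:
    """Holds golden copies of both images and issues one fresh nonce per challenge."""

    def __init__(self, vf_image: bytes, executable: bytes) -> None:
        self.vf_image = vf_image
        self.executable = executable

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, nonce: bytes, response: Response) -> bool:
        # Recompute what an untampered RTU must produce for this nonce.
        expected = rtu_verification_function(nonce, self.vf_image, self.executable)
        # Constant-time comparison of both values against the golden computation.
        return (hmac.compare_digest(expected.checksum, response.checksum)
                and hmac.compare_digest(expected.digest, response.digest))


def demo() -> tuple:
    """Returns (genuine_accepted, tampered_accepted, replay_accepted)."""
    verifier = ExternalVerifier(VERIFICATION_FUNCTION_IMAGE, EXECUTABLE_IMAGE)

    # 1. An unmodified RTU answers a fresh challenge.
    n1 = verifier.challenge()
    genuine = verifier.verify(
        n1, rtu_verification_function(n1, VERIFICATION_FUNCTION_IMAGE, EXECUTABLE_IMAGE))

    # 2. A single byte of the executable has been changed on the RTU.
    tampered_exe = bytearray(EXECUTABLE_IMAGE)
    tampered_exe[-1] ^= 0x01
    n2 = verifier.challenge()
    tampered = verifier.verify(
        n2, rtu_verification_function(n2, VERIFICATION_FUNCTION_IMAGE, bytes(tampered_exe)))

    # 3. A stale but once-correct response is replayed against a new nonce.
    old = rtu_verification_function(n1, VERIFICATION_FUNCTION_IMAGE, EXECUTABLE_IMAGE)
    n3 = verifier.challenge()
    replay = verifier.verify(n3, old)

    return genuine, tampered, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Running `demo()` shows what the nonce buys the verifier: a one-byte change to the executable and a replayed response are both rejected, because the expected values are recomputed from the golden images for every fresh nonce. The model also makes the concern in the text visible: an adversary who holds an unmodified copy of the verification function can call `checksum_function` on that copy and still produce the correct checksum, which is why the checksum value on its own is not proof that the code running on the RTU is the code that was measured.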