JP2005285133A - Information processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a malfunction detector appropriately continuing or stopping processing even if an information processing apparatus malfunctions. <P>SOLUTION: An information processing apparatus which receives branch destination information, performs conditional branching dependent upon the branch destination information and performs processing corresponding thereto on data. At such a time, in a conditional branching destination, processing corresponding to the conditional branching destination is performed on data J different from processing data I, and a result is outputted to perform a check later, so that it can be judged whether or not conditional branching is rightly performed. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an information processing apparatus, and more particularly, an attack intended to acquire information used inside the apparatus by causing malfunction due to electromagnetic waves, radiation, instantaneous interruption of power supply, or other physical means, and its information acquisition. The present invention relates to a tamper resistant device having a means to counter the analysis of the device.

  In the present day when electronic devices are widespread, various devices emit electromagnetic waves of various frequencies. For example, when a speaker is installed next to a television, a phenomenon such as blurring in the television image occurs. In addition, as represented by computers installed in cars, there is a need for a device that does not malfunction even in environments such as high-intensity vibrations and unstable power supplies, or that has means for reliably returning from non-standard operation. It is said that. To describe these phenomena, terms such as `` tamper evident '', `` tamper response '', `` tamper free '' (also tamper resistant) are used, Each of them means detection of an unspecified operation, responsiveness after the detection, and resistance to the operation.

  A general apparatus has an operation margin that is set in advance assuming malfunction factors such as noise in an actual operating environment in order to normally achieve the original purpose of the apparatus. Since a device having tamper evidence can record a history of whether or not the device has been exposed to a malfunction environment outside of the assumed operation environment by an appropriate means, the device manager constantly monitors the device. There is no need, and by checking the history periodically, appropriate measures for preventing malfunction can be taken. Furthermore, a device having a tamper response property can independently observe whether a malfunction has occurred other than that assumed at the time of design, and can perform a response such as an alarm using necessary means. The manager of the device only needs to perform the confirmation work when the device issues a warning. A tamper-free device can be automatically restored even if sufficient consideration is given so that it does not fall outside the specified range, or even if it falls outside the specified range. Alternatively, if the term tamper is interpreted as an attack from a Service-to-Self, a device having a mechanism for completely protecting the Service-to-Self object can also be called a tamper-free device. For example, when a bank terminal or the like equipped with a storage device that holds secret information is illegally opened, the device itself is protected by automatically erasing or destroying the storage contents of the storage device. be able to. A tamper-free device does not need to be monitored by an administrator.

  Here, tampering means changes in the environment and aggressive attacks by Service-to-Self.

  When the intensity of electromagnetic waves, radiation, heat, vibration, etc. exceeds the range intended at the time of design, the device tends to fall into a so-called malfunction or stop state. This is because the device is operating electrically and mechanically. If the device has a small number of parts, the cost of identifying the cause and taking countermeasures can be kept relatively low even with simple round robin, but when the parts are combined with each other, It is impossible to exhaustively check all the methods, so it is very difficult to ensure that they do not malfunction. For this reason, devices that must rely on a large number of components for the safety of the entire system need to pay more attention to tamper resistance. For example, microprocessors such as central processing units (CPUs) that use highly integrated semiconductors on the order of hundreds of thousands to millions of units, CPUs, memories, external interfaces, etc., are integrated in several mm squares or less. An example is an IC card. Conventionally, when operating such a system, the upper system has been designed by fully trusting the safety of the lower system, but this is due to the failure or malfunction of the lower system. Means that there is a possibility of unexpected stoppage or malfunction.

  FIG. 1 shows an IC card. The IC card (101) is equipped with a contact terminal (102), and exchanges with the outside through this terminal. Power is supplied to Vcc, a reset signal is transmitted to RST, a clock signal is transmitted to CLK, and an I / O signal is transmitted to I / O. GND is a ground terminal. In the case of an IC card or the like that requires a high level of security, the central processing unit (201) in FIG. 2 is used to perform operations such as cryptographic processing using a secret key. In the IC card, only the I / O port (207) connects the inside and the outside, and the calculation data of the CPU is not output to the outside. Therefore, the data ( 206) has been considered extremely safe. However, Mr. Biham and Mr. Shamir said that the internal secret key information can be acquired by observing the operation result by causing malfunction by applying stress such as radiation and electromagnetic waves from the outside to the IC card It was shown in non-patent literature. As shown here, it is possible to generate an error in a part of the operation value and specify the secret key from the operation result. Therefore, it is not always sufficient that the IC card system continues to operate. Thus, it is necessary to know whether the device itself is operating “correctly” as intended by the system designer.

Differential Fault Analysis of Secret Key Cryptosystems '' (Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'97, Springer-Ferlag, pp513-525, 1997)

  Conventional devices sometimes malfunction due to external radiation, electromagnetic waves, vibration, or the like, and as a result of the malfunction, unscheduled information leakage or failure may occur. When the power supply of the device is made unstable, there is a tendency that malfunctions start from the portion of the device that is most vulnerable to abnormal voltage. Since this varies depending on the connection relationship and design of the device, it is difficult to determine which part of the highly integrated device is weak. It is also very expensive to track the interrelationships of highly combined devices and it is difficult to predict the malfunctions that are caused.

  One of the objects of the present invention is to provide an information processing apparatus in which the information processing apparatus can appropriately continue or stop processing according to the type of malfunction.

I. Write a conditional branch instruction continuously several times.

  As one countermeasure against the glitch attack, the embodiment of the present invention adopts a configuration in which a conditional branch instruction is continuously described multiple times.

  This is a countermeasure for a case where a conditional branch instruction that encounters a glitch attack is not executed correctly and is not executed.

The configuration related to this is as follows.
1. The input password is compared with the correct password to determine the correctness of the input password to obtain the right to access one application or one information in the IC card chip. A first branch instruction that executes a branch instruction if there is a mismatch is stored in the storage device, and a second branch instruction that is the same instruction is stored after the first branch instruction. An information processing apparatus stored in a storage device.
2. An error processing instruction is provided at a branch destination of a branch instruction executed based on the determination result of the first and second branch instructions. The information processing apparatus described.
3. Routine for granting the access right to the instruction next to the second branch instruction or the instruction ahead thereof when the next instruction is executed without branching based on the determination result of the second branch instruction 2. The information processing apparatus according to 1 above, wherein the information processing apparatus is included.
4). The input password has a sequence of a plurality of characters, numbers, signs, or symbols, and the correctness of the input password is determined by comparing one unit of the letters, numbers, signs, or symbols with one unit of a correct password. The information processing apparatus according to claim 1.
5). When the second branch instruction is executed subsequent to the first branch instruction, the time interval from the execution start time of the first branch instruction to the execution start time of the second branch instruction is 1 microsecond. It is comprised so that it may become the following. The information processing apparatus described.
6). When the correct password consists of n character strings (n is a natural number), there are n first and second branch instructions, and the first branch instruction and the second branch instruction Are coded so as to be executed alternately. The information processing apparatus described.
7). 5. The other instructions are arranged between the first branch instruction and the second branch instruction. The information processing apparatus described.
8). If the branch condition is satisfied, the branch instruction is executed. If the branch condition is not satisfied, a first branch instruction for executing the next instruction is stored in the storage device, and the first branch instruction is stored. And a second branch instruction which is the same instruction is stored in the storage device.
9. The second branch instruction is stored in a predetermined address in the storage device subsequent to the first branch instruction. The information processing apparatus described.
10. The first and second branch instructions are used to determine whether or not the input password is correct. When it is determined that the input password is correct, the IC card chip is determined after the determination. 7. A process for accessing one application or one piece of information is executed. The information processing apparatus described.

The above description basically describes the same branch instruction in succession. On the other hand, the following describes different branch instructions successively.
11. A first branch instruction that is executed when the value of a certain condition flag F1 is 0 or 1, and a second branch instruction that is executed when the value of the condition flag F1 is 1 or 0 When the branch process is not performed based on the value of the condition flag F1 when the first branch instruction is executed, the value of the condition flag F1 is inverted in the subsequent process and then the second branch instruction An information processing apparatus configured to be executed.
12 The first and second branch instructions are used to determine whether or not the input password is correct. When it is determined that the input password is correct, the IC card chip is determined after the determination. 10. A process for accessing one application or one piece of information is executed. The information processing apparatus described.
13. A first branch instruction that is executed when the value of a certain condition flag F1 is 0 or 1, and a second branch instruction that is executed when the value of the condition flag F2 is 0 or 1 When the branch processing is not performed based on the value of the condition flag F1 when the first branch instruction is executed, the value of the condition flag F1 is copied to the condition flag F2 in the subsequent processing, and thereafter An information processing apparatus configured to execute the second branch instruction.
II. The following relates to grasping the branch path. When branching according to a branch instruction, the branch destination to be branched to before branching is known immediately before execution of the branch instruction at the latest. On the other hand, it may be necessary to check whether the branch instruction has been executed correctly. In this case, the following configuration has the function of checking whether or not the branch has been performed correctly by performing a specific process at each branch destination and comparing and comparing the processing result with the branch destination stored in advance. is there.
14 If a branch instruction that specifies one of a plurality of branch destinations based on the branch condition and a series of instructions coded at the branch destination are executed, which branch of the plurality of branch destinations is executed An information processing apparatus comprising: means for storing whether or not a destination route has been passed as first data, and comparing the branch destination data serving as a reference for determining the branch condition with the first data.
15. The branch destination data serving as a reference for determining the branch condition is configured to perform subsequent processing when the first data matches the first data, and to perform error processing when the data does not match. 14. above. The information processing apparatus described.
III. The present invention relates to a function for limiting the number of loop processing.

This relates to processing that suppresses an abnormal operation of the information processing apparatus by limiting the number of loop processing. A plurality of counters are provided, and for example, the same countdown process is performed in the loop, and when each counter value becomes 0 or a mismatch occurs between the values of the plurality of counters, a process to exit from the loop process is performed. This suppresses execution of loop processing more than the specified number of times. The following is a specific configuration example.
16. The first and second counter values are initialized, the first and second counter values are counted down in a loop, and the first and second counters after the countdown with respect to the first and second counters are performed. When the counter values of the first and second counters do not match or when both the first and second counter values after the countdown with respect to the first and second counters are both the first predetermined value, a process of exiting the loop is performed. When both the first and second counter values after the countdown with respect to the first and second counters are the second predetermined value, the processing in the loop is repeated. Information processing apparatus.
17. 16. The above-mentioned 16.5, wherein the first predetermined value is 0, and the second predetermined value is a natural number. The information processing apparatus described.
18. The first and second counter values are initialized, the first and second counter values are updated in a processing loop, and the first counter value and the second counter value after the update process are performed. Is not matched or when both the first and second counter values after the update processing are at the first predetermined value, the process exiting from the loop is performed. An information processing apparatus configured to repeat the process.
19. 18. The updating of the counter value is a process of counting down from a counter value before updating or a process of counting up. The information processing apparatus described.
20. 18. The above-mentioned 18., wherein the first predetermined value is 0. The information processing apparatus described.
IV. Means for preventing an act of separating a part of the information processing apparatus and continuing to use the part will be described. This is because a unique counter related to such a part is provided in the device, and the counter value of the unique counter is updated every time the part is used. A function to prevent use is provided. A specific configuration is shown below.
21. A counter for storing the number of times of use of a part of the device; means for updating the counter value in accordance with the number of times of use of the part of the device; When the number of times has been reached, the counter value is set by means for restricting the subsequent use of a part of the device, and when the use of a part of the device is restricted, an instruction from the other part of the device. An information processing apparatus having means for releasing the use restriction by updating.
22. 21. The apparatus according to 21., wherein when the cumulative number of times of use of a part of the device reaches the use limit number of times, subsequent use of a part of the device is rejected. The information processing apparatus described.
23. 21. The apparatus according to 21., wherein the use restriction is canceled by inputting a command to the apparatus. The information processing apparatus described.
24. The above 23. characterized in that means for confirming the validity of the command input is provided together with the command input. The information processing apparatus described.

  According to the embodiment of the present invention, it is possible to detect a malfunction of the information processing apparatus.

Now consider an arithmetic unit. When the power supply is unstable, malfunction may occur in a part of the arithmetic unit rather than the whole. In other words, if the instruction execution part of the arithmetic unit that has received a certain instruction is in a silent state, but other parts are operating normally, it can be regarded as an arithmetic unit that does not execute a certain instruction from the outside. Such a malfunction becomes a significant problem when performing conditional branching.
(1) Countermeasure for preventing malfunction by arranging a plurality of similar conditional branch instructions FIG. 3 is a processing flow of password verification generally used. If it is determined in the determination part (301) that the password is incorrect, the password determination device (300) tries to return to the password input process again (302).
If the above malfunction (silence of conditional branch instruction) occurs at this time, the process proceeds to the next process without performing the process of the determination part (301). There is a possibility of proceeding to the processing (303).

  Also, as shown in FIG. 4, when an apparatus has an error, it is generally performed to make an infinite loop (400) in order to prompt the user of the apparatus to reset the apparatus. Consider the case where the device malfunctions during operation in an infinite loop (401). Then, the unconditional jump instruction (402) for staying in the infinite loop may not be executed. In this case, there is a possibility that the apparatus exits the infinite loop, transitions to the program (403) described at the address subsequent thereto, and sequentially executes the programs described thereafter. This is an operation that is not anticipated by the creator of this program and is undesirable.

  As shown in FIG. 5, by repeating the conditional branch instruction a plurality of times (502, 503, 504), the problem described with reference to FIG. 4 can be prevented from occurring. Repeating a branch instruction under the same condition a plurality of times does not affect the processing flow, and if it is a sudden malfunction, one of the plurality of times is processed normally. Here, the second and subsequent conditional branch destinations (503, 504) can be set to a device that performs control for stopping the processing of the device or a device that warns of malfunction (506). This is because branching in the second and subsequent conditional branches is none other than in the case of malfunction as described above. At this time, the device can be said to have tamper evidence. If no malfunction occurs, process A (505) or process B (507) is executed.

  A general information processing apparatus operates based on a program counter, and sequentially executes a program at a location indicated by the program counter. A storage device that stores programs and data generally consumes power when reading and writing. In addition, due to a complicated procedure, there is a case where a program or data cannot be read normally when a malfunction occurs due to an unstable power supply. In the case of this malfunction, the device without special consideration passes through the program step indicated by the program counter without processing, but the program counter is updated with a simple operation with less power consumption than the storage device. Therefore, the program step may proceed to the next program step as it is. Passing the conditional branch process without processing is equivalent to the case where the condition is false in the condition determination, and brings a result unintended by the designer. For example, consider a process of returning to the input process again if the input value is a negative number, and proceeding to the next process if not. If the input value is not determined due to a malfunction and the process proceeds to the next process, the subsequent program assumes that the input value is a positive number, which causes an unexpected malfunction. By installing conditional branch instructions two or more times as in this embodiment, it is possible to reduce the probability that a conditional branch instruction passes without processing and moves to the next state. Since conditional branch processing generally does not change the system, no new problem occurs even if executed multiple times. Also, different conditional branch instructions can be mixed by using an instruction with inverted conditions or by performing a condition determination using another condition flag. When a malfunction due to an environmental factor depends on the instruction itself, the present invention can effectively reduce the probability of being affected by the same homogeneous malfunction.

The information processing apparatus shown in FIG. 5 refers to the condition flag Z (zero flag), and performs branch processing (502) if Z = 0. In the present invention, the same branch process (503) is performed again after the branch process (502). In this embodiment, the same branching process (504) is further performed. This is a protection mechanism when branch processing is not performed due to a malfunction of the processing device, and the conditional branch instruction is an instruction that does not change the internal state of the processing device. As can be seen, the process is not limited to three times, but can be performed any number of times. Since branching occurs in the second and subsequent branch processing only when the first branch processing is passed due to a malfunction, the branch destination of the second and subsequent branch processing can be set to error processing (506). If the connection is made to the process B (507) as in the first branch process without using the error process, the process can be continued even in a malfunction environment. The condition Z = 0 shown in FIG. 5 indicates that the result of the calculation is zero, and a general arithmetic unit is provided with a condition flag indicating the result of such a calculation. In the present embodiment, the Z flag is referred to, but other flags may be used.
(2) Measures to prevent malfunction by using other branch instructions together As described above, even if the power supply is unstable, the entire device does not necessarily become unstable, and tends to start malfunctioning from the weakest point. For this reason, the influence is different for each instruction of the arithmetic unit, and a certain instruction may operate normally even if it operates normally. By the way, two types of instructions (602 and 604 in FIG. 6) can be implemented in the arithmetic unit according to 0/1 of each condition flag. For example, there are an instruction (602) that branches when the Z flag (zero flag) is 0, and an instruction (604) that branches when the Z flag is 1. Therefore, the bit value of the condition flag is inverted (603), and a conditional branch is performed again with a different instruction. This can be countered by enumerating the same branch instruction if it is a temporary malfunction, but if it is a steady malfunction, all of the same instruction series will pass, so different instructions will be interwoven. Can increase the malfunction detection probability. The main procedure is as follows.
1. Executes a conditional branch instruction.
2. Inverts the value of the condition flag.
3. Executes a conditional branch instruction that reverses the condition in 1 above.

To obtain the same effect, copy the status register value that stores a certain condition flag to the status register that stores another condition flag, and perform a condition determination process using another instruction. Also good. in this case,
1. Executes a conditional branch instruction.
2. Move the condition flag value used in 1 above to the status register holding another condition flag.
3. The conditional branch instruction corresponding to the movement destination in 2 above is executed.
Process according to the procedure. Again, for the same reason as above, tamper evidence can be obtained by setting the branch destination of the second and subsequent branch instructions to a warning device or a stop device (608). By the way, the occurrence probability and occurrence state of malfunctions differ between different instructions. Therefore, performing equivalent processing by various methods is a countermeasure against malfunction. As shown in FIG. 6, by inverting the branch condition (603) after the branch process (602), a different instruction (604) can be used for the branch process, and a malfunction can be effectively avoided. . Although the condition flag Z has been described here, the same processing can be performed using other condition flags.

Furthermore, it is also possible to reflect the result of a certain condition flag stored in the status register by a bit shift instruction or the like to other condition flag positions, and use the result to make a condition determination with various conditional branch instructions. . The status register (condition code register: CCR) is a register that reflects the status of data handled by the computing unit. In general, there are an H flag, an N flag, a Z flag, a V flag, and a C flag, which respectively represent half carry, negative, zero, overflow, and carry. The half carry is set to 1 when a carry or borrow occurs for the central bit in the operation, the negative flag is set to 1 when the operation result is a negative number, and the zero flag contains the operation result. When it is zero, 1 is set, the overflow flag is set to 1 when an operation result overflows, and the carry flag is set to 1 when a carry occurs in the operation. These occupy one bit position in the status register and are arranged in order. Since the arrangement may differ depending on the CPU, it is assumed here that they are arranged in the order of HNZVC, and the upper 3 bits of the 8-bit status register are always 0 here. FIG. 7 shows a case where the process B (709) is desired to be performed when the zero flag is 0. In the first branch process, a conditional branch is performed using a zero flag as usual (702). Next, by shifting the status register (arrangement is “000HNZVC” as described above) to the right by one bit, the bit at the position of the Z flag is moved to the position of the V flag (703). That is, the determination of the V flag is substantially performed to determine the previous Z flag (704). When the status register is further shifted to the right by 1 bit, the bit at the position of the V flag moves to the position of the C flag (705). By determining the C flag, it is possible to determine the previous Z flag (706). By using a plurality of different instructions in this way, it is possible to detect malfunctions of some instructions.
(3) Grasping the processing path If the CPU's program counter malfunctions due to a malfunction due to noise, etc., the conditional branch is not necessarily processed according to the condition as intended by the designer, or processing that should normally be processed in order from the beginning. The order can change due to malfunctions. Assuming that such a situation occurs, it is necessary to provide means for determining whether or not the processing in each branch path has been performed correctly. The determination is made according to the following procedure.
1. Stores branch information (branch destination information about where to branch).
2. Execute branch instruction.
3. Execute processing instruction at branch destination.
4). Information depending on the branch destination is saved in memory.
5). After completion of the processing at the branch destination, the above 1. Branch information saved in step 4 above and 4. Compare the information saved in.

  Process 5 above. If the comparison result is inconsistent, it means that the branch process has not been processed as expected. Therefore, in that case, post-processing such as stopping the apparatus as error processing or performing reprocessing retroactively before branching can be appropriately performed.

  FIG. 8 shows a processing flow according to the present embodiment. In executing the branch instruction, information for determining the branch destination is stored in the storage device (801). The branch instruction determines a branch path based on the branch destination information (802). If the route A is selected based on the branch destination information, the branch route performs processing fa (803) depending on the route, and further stores information Ia specific to the branch route in the storage device (804). After the processing is completed, it is confirmed that the correct branch path is selected by comparing the branch destination information with the branch path information. If it is determined that the branch path is not correct, the processing is immediately terminated or an error message is displayed (807).

  Consider a case where a program in a bank terminal executes a deposit process, for example. Prior to branch processing, information for determining the branch destination is saved. As an example, the character string “payment process” is stored in the storage device. Next, the branch instruction reads the character string “deposit process” and selects a deposit process path. In the deposit processing path, the actual deposit process is performed, and the character string “deposit process path selection” indicating that the deposit process path has been processed is stored in the storage device. After the above processing route processing is completed, the character string “payment processing” stored prior to the branch processing is compared with the character string “payment processing route selection” stored in the actual processing route, and the desired route Can be confirmed to have been correctly selected and executed. If a branching instruction is executed due to a malfunction at the time of execution of a branch instruction, for example, if a branch is made to a withdrawal processing path, the character string “withdrawal processing path selection” is stored during the path processing. Therefore, in the comparison performed after processing of the processing path is completed, it is possible to find that the “payment processing” and “withdrawal processing path selection” are inconsistent. For example, the processing is interrupted or the branch processing is performed again. You can take measures such as starting over. Here, the character string is stored as information unique to the processing path, but a numerical value may be used if the processing path can be specified later.

  FIG. 9 shows an example of means for detecting whether or not the conditional branch is normally performed in the conditional branch processing. In the deposit processing route, “1” is stored as route information (903). In the attendance processing route, “2” is stored as route information (905). In the inquiry processing route, “3” is stored as route information (907). The user of the apparatus can know whether the intended processing route has been selected by confirming which value of 1, 2, or 3 is stored as the route information (909). In this way, the result of route selection can be held by setting a simple value. Further, by limiting the route information to values unique to the device, the procedure when the device user uses the output result of the information processing device can be standardized, so that convenience can be improved. This standardization makes it possible to share inspection processing and save program memory, and it is possible to increase the speed by implementing hardware as general-purpose inspection processing.

  The process for storing information unique to the processing path may be performed any number of times after branching to the processing path. As an example, FIG. 10 shows a case where two numerical calculations are performed in the processing path.

  A numerical value “1” is set at the top of the deposit process (1003), a numerical value “2” is set at the top of the withdrawal process (1006), and a numerical value “3” is set at the top of the inquiry process (1009). Also, the numerical value is multiplied by 3 at the end of the deposit process (1005), the numerical value is multiplied by 4 at the end of the withdrawal process (1008), and the numerical value is multiplied by 5 at the end of the inquiry process (1011). At this time, if the last obtained value is “3”, it indicates that the deposit processing path has been processed correctly, and if the number is “4”, the process proceeds to the withdrawal processing path due to a malfunction in the middle of the deposit processing path. If the numerical value is “5”, it indicates that the inquiry processing path has been shifted due to a malfunction in the middle of the deposit processing path. If the value is “8”, it indicates that the withdrawal processing path has been processed correctly, and if the value is “10”, the process proceeds to the inquiry process due to a malfunction in the withdrawal processing path. If the numerical value is “9”, it indicates that the processing has shifted to deposit processing due to a malfunction in the middle of the inquiry processing path. If the numerical value is “12”, the withdrawal processing is performed due to malfunction in the middle of the query processing path. Indicates that it has migrated, and the value is “1” "If, show that the query processing has been performed correctly. No other numbers can occur. If a value that cannot occur is obtained, it means that a malfunction has occurred. Suppose now that you want to execute the deposit process. After storing the character string “payment process” which is information for determining the branch destination (1001), the branch instruction is executed (1402). Processing is shifted to the deposit processing path by the branch instruction, and the numerical value “1” is stored at the head of the deposit processing path (1003). The deposit process is terminated (1004), and at the end of the deposit process path, a process of multiplying the previous numerical value “1” by three is performed, and the result “3” is stored (1005). After the processing of the processing path is completed, the numerical value to be compared is obtained as “3” from the character string “payment processing” stored before the branch processing. If it is confirmed that the numerical value set during the processing of the processing path is “3” (1012), it can be confirmed that the deposit processing has been performed. In this way, by selecting the processing method so that all possible processing paths have their own values, it is possible to check what path was processed after the end of the processing path. It is also possible to detect a malfunction during the process. If many inspection processes are performed during the path processing at the branch destination, the processing path can be grasped more finely.

FIG. 11 is an information processing apparatus B that includes the information processing apparatus A shown in FIG. 10 and the like, and when the operation is correctly performed by examining the output of the information processing apparatus A, the correct operation result is output. When the calculation is not performed correctly, information indicating an error is output. For verification of the branch processing, the input value to the information processing apparatus B (in this embodiment, the input value to the information processing apparatus A is used as it is) and the output data K and L as the result of the branch processing in the information processing apparatus A are used. use. If the verification process is implemented in hardware, the time required for verification can be saved even if complicated processing is performed on the data J. In addition, when the information processing device B malfunctions, the device user can obtain an output result to that effect and perform appropriate post-processing such as re-execution accordingly. Including the check process has a great effect. The information processing apparatus B inputs the input data (1101) as it is to the input unit of the information processing apparatus A (1102), and performs a verification process together with the output (1106) of the information processing apparatus A. If it is determined that the result of the information processing apparatus A is correct as a result of the processing, the data output unit is set to output normal data (1111). The data shown is set to be output (1110), and the data set by the data output means is output (1112). Now, when input data I and J are given, the information processing apparatus A performs an operation on I and J. For example, suppose that the process f is an encryption operation in a method corresponding to the operation path, the process G ₀ is ₀ for J, the process G ₁ is ₁ for J, and the process G ₂ is an operation for adding 2 to J. To do. The information processing apparatus B determines from the input / output values of the information processing apparatus A whether the path is correctly selected depending on the value of the input J. In the verification process (1107), an assumed path is determined using an operation equivalent to the path selection process (1103) in the information processing apparatus A, the process G in that case is performed on J, and the determination process (1108) Then, a comparison is made with K which is the output value of the information processing apparatus A. If the results match, it is determined that the route has been correctly selected, and the output data is set to the correct data in (1111). If the results do not match, it is determined that the processing has not been performed correctly, and data representing processing fraud is set according to (1110). The information processing apparatus B is provided with a process for detecting the presence or absence of malfunction from the result of the information processing apparatus A, thereby eliminating the need for the user to independently detect the presence or absence of malfunction. In FIG. 11, the verification process is further performed a plurality of times, and if all verifications are passed (1109), the correct calculation result is output, and if the calculation is not performed correctly, information indicating an error is output. Information processing apparatus. Since the probability of occurrence and timing of malfunctioning vary depending on the installation environment of the information processing apparatus and the type of attack from the Service-to-Self, the one check process is not always processed normally. Therefore, the probability of malfunction of the verification process itself can be effectively reduced by performing the verification process a plurality of times. For example, in the case where it is determined that one verification process is erroneously performed with a probability of 50%, the probability that two verification processes output an error is 25%. Thus, the probability of mistakes in seven check processes is 1% or less. Further, when the information processing apparatus detects a malfunction, the entire apparatus can be stopped instead of outputting that the calculation is an error. When malfunctions are concentrated due to changes in the environment or the intentions of the Service-to-Self, output data representing malfunctions may not be normally transmitted to the outside. In such a case, issuing a stop command to the entire apparatus on the information processing apparatus side provides the best method for minimizing system malfunction. The stoppage of the device may be temporary or permanent.
(4) Counter processing A counter is important in defining a limit such as the number of times a certain service is provided, and is essential in a service operation system that provides use of a processing device. If the countdown function malfunctions due to a malfunction, the user can continue to use the device more than the specified number of times, and thus it is necessary to reliably perform the count process. In addition, due to malfunction of the countdown function, if the user can use less than the specified number of times, the service cannot be operated. It is common to use a certain number of loop processes for adjusting the end waiting time of external processing. However, if the number of loop processes changes due to a malfunction, the consistency of exchange cannot be obtained, which is a fatal problem. In addition, when using stream cipher, there is a problem that if the synchronization is lost in the middle, the entire ciphertext after that is decrypted.

Therefore, two or more counters are prepared, the count process is performed for each counter, and the process is terminated only when all the counters reach the end condition. On the way, if only some of the counters reach the end condition, it means a malfunction, and processing such as issuing an error warning or stopping the operation is performed. The procedure is shown in FIG. 12 and below.
1. Initialize the counter.
2. Perform processing in the loop.
3. Count down the counter.
4). Determine the end of each counter.
5). Save the end judgment result of each counter.
6). If the end determination is No for all the counters, return to 2.
7). For all counters, if the end determination is Yes, the process ends.
8). If none of the above 6. or 7., error processing is performed.

  In this countermeasure process, two or more counters are prepared, and first, they are initialized (1201). Next, a loop process is entered and an in-loop process is performed (1202). Each counter is counted down (1203), and end determination is performed for each counter (1204). The end determination result of each counter is stored (1205). This end determination result is read, and if all the determination results are uniformly No, loop processing is continued (1202). If all determination results are uniformly Yes, the loop processing is terminated (1210). In other cases, only some of the counters have reached the end state, so it is determined that a malfunction has occurred and error processing is performed (1209).

The conventional iterative processing device subtracts the input counter value and repeatedly performs the operation until the operation result becomes zero. With reference to FIG. 13, a description will be given of an embodiment for preventing the repetition process from being finished before the counter value reaches a specified value when the counter value changes due to a malfunction during the repetition process. Here, it is assumed that the input data I is a numerical value less than 256 (1301). J is generated as J = 256-I (1302). It is assumed that the countdown process is I = I-1 (1303), J = J + 1 (1304), that is, a decrement and increment that are common in a computer. It is checked whether the counter I is 0 as in the normal loop processing (1306).
If I is not 0, then the operation I + J is performed. If it is 0, it is determined that no error has occurred, and the process proceeds to the next loop (1309). If it is determined that there is an error (I + J ≠ 0), data indicating that the device is abnormal is output as necessary so that the device does not perform any further processing, and processing such as resetting is performed. (1310). Even if I = 0 in 1806, it is confirmed whether I + J is 0. If 0, the process proceeds to an end process (1308), and if not 0, the process proceeds to an error process (1310). The reason why the counter is set to less than 256 is that an 8-bit numerical value is easy to use in an actual CPU, and this limitation is not important.

  Here, an example in which two counters are used has been described, but the same processing can be performed for three or more counters. Further, although decrement and increment are used as the countdown process, other operations may be used.

As an example, FIG. 14 shows a case where multiplication and division are used. Here, 256 loop processes are performed. First, a non-zero number I is generated (1402). The reciprocal number modulo I 257 is set as J (1403). In the count processing, 257 is used as a modulus, I is doubled, and J is divided by 2 (1404 and 1405). The counter termination condition is I = 1 (1407). After checking the count end condition, in order to check the consistency with another counter J, it is checked whether I × Jmod 257 is 1 (1408, 1410). Processing is performed (1411). If the counting is completed and the consistency between the counters I and J is correct, the loop processing is terminated (1409). In this embodiment, Euler's theorem is used. According to the identification theory, ^{yφ (p)} mod p = 1 for y where 1 ≦ y <p, where p is a prime number. Here, φ (x) represents the Euler number. That is, for the modulus 257 used in this embodiment, 257 and a prime number I (because 257 is a prime number, any number other than 256 that is less than 256 is prime to 257) is φ (257). = 256, it becomes 1.
(5) Device-specific counter An information processing device that limits the number of calls from the user will be described below. The information processing apparatus independently holds a counter and counts down for each call. When the number of calls exceeds a certain number, the processing execution is refused for subsequent calls. Thereby, it is possible to prevent the execution of processing more than the expected number of times due to a malfunction not intended by the designer. For example, if a malfunction occurs when calling a processing device that outputs data, more data than necessary may be output to the outside. This may lead to the leakage of important information in a device that holds information important for security (for example, an IC card or a cash processing terminal device), and may cause a fatal problem, so protection according to the present invention is necessary. It is. Furthermore, by restricting the number of executable times, it is possible to prevent unauthorized use in which the processing device part is taken out alone and used in another device. The operation of the device is as follows.
1. Based on the initialization data, a counter in the apparatus is initialized to a certain value.
2. Each time the processing device is called, it counts down and checks whether the counter has reached an end condition.
3. If the counter is not in an end state, processing is performed.
4). If the counter is in an end state, the process is rejected and the process ends.
5). The control system sends initialization data to the device in response to an external request.

  As shown in FIG. 15, the user (1501) makes an apparatus initialization request to the control system (1505). In response to the request, the control system sends an initialization code for initializing the device internal counter (1506) to the device. The device initializes the internal counter according to the initialization code. When the user calls the processing device (1502), the device counts down (1503) and determines whether the counter has reached an end condition (1504). If the counter does not reach the end condition, the process is executed (1507). If the counter reaches the end condition, the process ends without executing the process. In order to initialize the counter of the device, encrypted password verification or the like is used in consideration of security.

  As shown in FIG. 15, the control system (1505) receives a device initialization request from the user (1501). After verifying the validity of the user request, the control system sends a counter (1506) initialization code to the device (1502). After verifying the validity of the counter initialization code, the device sets the counter to the requested value. Next, the user makes an execution call of the device. In response to this, the apparatus counts down the internal counter (1503), and if the counter has not ended (1504), executes the processing (1507). If the counter has ended, the process ends. If no processing is performed for the call, the user makes an initialization request to the control system again. The same applies to the following.

  The internal counter of the device may be initialized at a specific interval without a user request. In this case, as shown in FIG. 16, the control system (1607) determines the initialization timing by counting down (1607) independently (for example, in synchronization with the clock), and transmits the counter initialization code at a specific interval. If a method protected by an encrypted password or the like is used as the counter initialization code of the device, safety against unauthorized use of the device can be improved. As a result, the device provider can limit the resources used by the device user. The device provider can adjust the size of the value of the counter initialization data when the device user obtains an appropriate qualification, or can perform initialization again at an appropriate timing.

  As described above, the tamper evidence due to warning or control stop is emphasized, but the apparatus can continue to operate by shifting control to recalculation processing instead. If the abnormal environment continues, there is a possibility of falling into an infinite loop, but if the environment keeps changing, it is expected that the process will eventually continue normally. The choice of whether to stop or continue operation in the event of an abnormality in the embodiment of the present invention can be left to the system designer. If it is a high security system, it may be stopped with a warning, and if it is an advanced unmanned system, it can be set to make a continuous recovery effort as much as possible. By using the above in combination as necessary, it is possible to obtain higher detectability for malfunction.

IC card external view. IC card system diagram. Password verification process flow. The figure which shows an infinite loop and the infinite loop omission by malfunction. Malfunction detection flow by executing conditional branch multiple times. A malfunction detection flow that uses two types of branch instructions together. Malfunction detection flow that uses branch condition data to move to another flag. A branch processing flow equipped with a mechanism for checking whether or not a route has been selected correctly by storing information dependent on the branch route. A processing flow in which a numerical value specific to a route is set as branch route information. A processing flow for detecting a route transition during route processing by providing inspection processing at the beginning and end of the route as branch route information. A processing flow that improves the abnormality detection rate by inspecting the correctness of branch processing multiple times. Loop processing flow using multiple counters. A loop processing flow for detecting counter malfunction by using the sum of two counters. A loop processing flow for detecting a counter malfunction by using the product of two counters. The figure showing the operation method of a processing apparatus provided with the processing frequency limiting mechanism using an apparatus original counter. The figure which shows the operation method of the control system which initializes a counter automatically, and the processing apparatus which has the frequency | count limit of execution by a counter.

Claims (4)

Means for executing a branch instruction based on the input branch information;
Means for recording the information for identifying the branched path in a memory and performing each branched process;
An information processing apparatus comprising: information for identifying a route recorded in the memory; and means for comparing the input branch information, and detecting an error in branch processing. The means for performing each of the branched processes is as follows:
Set the information to identify the branched route at the beginning of the process,
Execute the above processes,
Predetermined calculation of the set information at the end of the process,
2. The information processing apparatus according to claim 1, wherein the comparing means performs comparison using the predetermined calculated information. An information processing apparatus that executes loop-based repetitive processing,
Calculate a value having a certain relationship with the counter value by a predetermined calculation using the input counter value,
Perform a countdown process for each of the counter value and the calculated value,
Perform the above loop processing,
An error is determined using the counter value and the calculated value,
An information processing apparatus, wherein if an error is determined by the error determination, error processing is executed, and if it is determined that there is no error, the processing returns to the countdown processing and repeats the processing. A value having a certain relationship with the counter value is calculated by subtracting a predetermined value from the counter value,
The countdown process performs incrementing and decrementing on the counter value and the calculated value,
The information processing apparatus according to claim 3, wherein the error determination is based on an addition of the counter value and the calculated value.

Images