CN114489657A - System and process for compiling source code - Google Patents

System and process for compiling source code Download PDF

Info

Publication number
CN114489657A
CN114489657A CN202111336977.7A CN202111336977A CN114489657A CN 114489657 A CN114489657 A CN 114489657A CN 202111336977 A CN202111336977 A CN 202111336977A CN 114489657 A CN114489657 A CN 114489657A
Authority
CN
China
Prior art keywords
instruction
additional
code
source code
instructions
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111336977.7A
Other languages
Chinese (zh)
Inventor
M·让
S·雷罗伊
M·杰尔加德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STMicroelectronics Grand Ouest SAS
Original Assignee
STMicroelectronics Grand Ouest SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from FR2011657A external-priority patent/FR3116356B1/en
Application filed by STMicroelectronics Grand Ouest SAS filed Critical STMicroelectronics Grand Ouest SAS
Publication of CN114489657A publication Critical patent/CN114489657A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/40Transformation of program code
    • G06F8/41Compilation
    • G06F8/44Encoding
    • G06F8/447Target code generation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Abstract

Embodiments of the present disclosure relate to systems and processes for compiling source code. According to one aspect, a method for compiling source code into computer executable code by a compilation tool includes: receiving source code as input to a compilation tool; translating the source code into object code comprising machine instructions executable by a processor; then introducing additional instructions selected from illegal instructions and non-operation instructions between machine instructions of the object code to obtain executable codes; the executable code is then passed as the output of the compilation tool.

Description

System and process for compiling source code
Cross Reference to Related Applications
The present application claims the benefit of french application No. 2011657 filed on 13/11/2020, which is incorporated herein by reference.
Technical Field
Implementations and embodiments of the present disclosure relate to security of certain aspects of a computer system, such as, for example, the set of instructions executed by the computer system, and in particular to security or security aspects that are resistant to fault injection attacks.
Background
Embodiments advantageously, but not exclusively, apply to computer systems whose processing unit comprises, for example, a microcontroller or a microprocessor.
A program comprises at least one object code composed of a plurality of machine instructions (or simply "instructions").
Machine instructions are the basic operations of object code that can be executed by a processor.
The machine instructions may be obtained from source code by means of a compilation tool.
A compilation tool (or "compiler") is a program that converts source code into object code. In particular, source code may include functions that are translated into instructions in target code.
In addition, execution of the target code instructions by the processor is clocked by the clock.
Disturbances may occur on the electronic components of the clock. Such interference may affect the execution of instructions and may reduce the security of the program.
To ensure that the program executes correctly, execution of the sequence of instructions may be controlled at least in certain strategic steps of the program. This requires the application of specific coding rules. These particular encoding rules require a high level of technical skill. Furthermore, the application of these coding rules requires time.
Therefore, a solution to avoid specific coding needs to be proposed.
Furthermore, misled persons may successfully disrupt execution of program instructions by causing a clock used to clock execution of the instructions to go wrong through a false injection attack.
In particular, by making the clock faulting, certain instructions may be jumped and therefore not executed. Other instructions may be executed multiple times. When some function-ending branch instructions are not executed, the executive may execute subsequent functions in the code without the function being invoked.
Thus, by making the clock go wrong, the execution of the program may not be controlled, which may cause a security problem.
Specifically, by interfering with the execution of program instructions, a misguided person may successfully corrupt the program.
To combat error injection attacks, the instructions executed may be controlled. Function calls may also be replicated to ensure that they are executed correctly.
The disadvantage of these solutions is that they interfere very much with the development of the program code.
These solutions also have the disadvantage that all possible outcomes of a fault injection into the program execution cannot be predicted. In practice, it is still possible to have the error injection affect some parts of the assembly code for which control is not being performed. Thus, the erroneous injection may not be detected.
Furthermore, the compiled code is the same for any computer system that uses common code. In particular, the compiled code is the same for the same compilation tool using the same level of compilation optimization. Thus, error injection attacks can be easily reproduced on multiple platforms based on the same code.
Therefore, there is a need to make programs more robust to error injection attacks and/or external disturbances.
There is also a need to propose a solution for detecting uncontrolled execution of a program that may in particular be caused by a false injection attack.
Disclosure of Invention
According to one aspect, a method for compiling source code into computer executable code by a compilation tool or compiler, the compilation tool implemented within a computer processing unit, the method comprising: receiving source code as input to a compilation tool and storing the source code in a memory of a processing unit; the compilation tool translates the source code into object code comprising machine instructions executable by the processor; then, introducing additional instructions selected from illegal instructions and non-operation instructions among machine instructions of the object code by the compiling tool to obtain executable codes; the executable code is then passed as output of the compilation tool.
Such a compiling method may be implemented by a compiling tool, which may particularly be executed by a computer. Such a compilation method may be implemented to obtain a plurality of executable codes that can be linked to obtain a compiler for execution by a computer system comprising a processing unit.
Such a compilation method thus makes it possible to obtain a modified object code comprising translated instructions of the source code and additional instructions introduced by the compilation tool.
The compilation method is performed by a processor that expects the obtained executable code to be executed. For example, the processor that desires to execute the obtained executable code may be a processor having an ARM type architecture. The source code is then translated into instructions that such a processor can read.
In particular, the executable code may be executed by a processor of a microcontroller of a processing unit of the computer system.
Introducing additional instructions between translated instructions of the source code may improve the robustness of the obtained executable code with respect to security and resistance to fault injection attacks.
Such a compilation method may be implemented by a compilation tool. In particular, the compilation tool may automatically implement the proposed compilation method during compilation of the source code.
Such a compilation method may facilitate the development of executable code because the insertion of additional instructions is automatically performed by the compilation tool.
Furthermore, execution of the obtained executable code may be performed by using a flash memory instead of a Random Access Memory (RAM).
An illegal instruction is an instruction with an invalid operation code. The operation code is invalid because it does not correspond to any type of instruction that can be executed by the processor on which the executable code is executed.
When an illegal instruction is read by the processor, the processor cannot execute the instruction. An illegal instruction exception is then issued.
Thus, by introducing illegal instructions from translated instructions of source code, faults in the execution of executable code can be detected by detecting illegal instruction exceptions.
In particular, a control device may be used that is configured to detect an illegal instruction exception caused by an additional illegal instruction introduced from a translated instruction of the source code.
The control device may also be configured to stop uncontrolled execution of the executable code after detecting the illegal instruction exception, and then perform a security action to prevent a security problem. The security action to prevent security issues may be, for example, reinitializing the processor executing the executable code or erasing sensitive data, such as encryption keys. The security action may also be writing to a Real Time Clock (RTC) register in order to attempt to store the error injection attack in memory. The processor speed may also be slowed to slow the attack attempt.
Only additional illegal instructions may be introduced. It is also possible to introduce only additional non-operational instructions. These different types of additional instructions may also be combined.
The object code may include a function having a set of machine instructions. These functions were originally written in source code.
In an advantageous implementation, additional illegal instructions are introduced between the functions of the object code.
The introduction of illegal instructions has the advantage of simple implementation and does not disturb the execution of the executable code strongly.
In an advantageous implementation, at least one additional illegal instruction is introduced after the branch instruction of the target code translated from the source code.
For example, when at least one illegal instruction is inserted between two functions of the target code, the at least one illegal instruction is inserted after an unconditional branch instruction marking the end of the first of the two functions of the target code.
Thus, when the code executes normally, the function end branch instruction is executed and at least one additional illegal instruction is not read. Further, when the code execution is abnormal and when the function ends the branch instruction jump, at least one additional illegal instruction may be read. The reading of the at least one additional illegal instruction then generates an illegal instruction exception indicating that the execution of the executable code is faulty.
Furthermore, unconditional branch instructions may already be included in some functions of the target code. At least one instruction may then also be inserted after a branch instruction included within the function.
Thus, when the code executes normally, branch instructions within the function are executed and at least one additional illegal instruction is not read. Further, when the branch instruction is jumped following a failure in execution of the executable code, at least one illegal instruction is read and an illegal instruction exception is generated, thereby indicating that a failure in execution of the executable code occurs.
Additional illegal instructions may also be introduced after the conditional branch instruction when it is ensured that the condition of the execution branch will be checked during normal execution of the executable code.
In an advantageous implementation, an additional branch instruction followed by at least one additional illegal instruction is introduced between two machine instructions of the translated target code of the source code.
The introduction of the branch instruction and the subsequent at least one illegal instruction may be performed at any location within the function between the two instructions.
In particular, the branch instruction is introduced after the first of the two translated instructions of the source code. The branch instruction has as an operand the address of the second of the two translated instructions from the source code.
Thus, when the code executes normally, the introduced branch instruction is executed and at least one additional illegal instruction is not read. The subsequently executed instruction is the next translated instruction of the source code.
Further, when the branch instruction is jumped to after a fault occurs in the execution of the executable code, at least one illegal instruction is read and an illegal instruction exception is generated, thereby indicating the fault in the execution of the executable code.
A branch instruction may be unconditional or conditional when it is ensured that the condition under which the branch is executed will be checked during normal execution of the executable code.
In particular, in an advantageous embodiment, the translated target code of the source code includes a compare instruction followed by a conditional branch instruction. Further, an additional compare instruction and a subsequent additional conditional branch instruction are introduced into the target code upstream of the source code translated compare instruction or subsequent to the source code translated conditional branch instruction, the additional compare instruction being the same as the source code translated compare instruction and the additional conditional branch instruction being opposite the conditional branch instruction subsequent to the source code translated compare instruction. And, at least one additional illegal instruction is introduced after an additional conditional branch instruction of the source code and a last conditional branch instruction of the translated conditional branch instruction.
Furthermore, in an advantageous embodiment, after the function call branch instruction at least one additional illegal instruction is introduced and at least one addition instruction is introduced into the function, the addition instruction being configured to be able to modify the return address stored in the link register by adding to the return address the number of additional illegal instructions introduced after the call function branch instruction.
In an advantageous implementation, at least two consecutive additional illegal instructions are introduced between at least two machine instructions of the translated target code of the source code.
During uncontrolled execution of the executable code, reads of additional illegal instructions may be jumped.
Thus, by introducing several consecutive illegal instructions greater than two, the chance of reading additional illegal instructions during uncontrolled execution of the executable code is higher. Thus, the chance of detecting a fault in the execution of the executable code is higher.
In an advantageous implementation, the number of consecutive additional illegal instructions introduced between at least two machine instructions of the translated target code of the source code is randomly selected.
By introducing a random number of consecutive additional illegal instructions, a different executable code can be obtained for each compilation of the same source code.
Since each executable code obtained from the same source code is different, an error injection attack having the same effect on the execution of each executable code is more difficult.
Thus, the introduction of a random number of consecutive additional illegal instructions can complicate the replication of error injection attacks on multiple different computer systems.
In an advantageous implementation, the introduction of the additional instructions is performed on only a part of the object code.
In an advantageous implementation, additional instructions are introduced into the object code at the location of the object code that is at least partially randomly selected.
In particular, additional instructions are introduced at randomly selected locations from various possible locations.
By introducing additional instructions randomly, a different executable code can be obtained for each compilation of the same source code.
Since each executable code generated by the same source code is different, it is more difficult to execute an error injection attack having the same effect for the execution of each obtained executable code.
Thus, the introduction of additional instructions at least partially randomly can complicate the replication of fault injection attacks on multiple different computer systems.
According to another aspect, a compilation tool is proposed, the compilation tool being configured to implement the compilation method as described above.
According to another aspect, a computer-readable recording medium is proposed, on which a compiling tool is recorded as described previously.
According to another aspect, a computer system comprises: a memory comprising executable code obtained from the compilation method as previously described; and a processor configured to execute the executable code.
In an advantageous implementation, the computer system further comprises a control device configured to receive an illegal instruction exception that can be generated by said processor when said processor reads additional illegal instructions during execution of said executable code, and to stop executing the executable code after receiving the illegal instruction exception.
Drawings
Other advantages and features of the present invention will become apparent after examining the detailed description of non-limiting implementations and embodiments and the accompanying drawings, in which:
FIG. 1 illustrates an embodiment compilation tool;
FIG. 2 illustrates an embodiment compilation method that may be implemented by a compilation tool; and
FIG. 3 illustrates an embodiment computer system including non-volatile memory including executable code obtained from a compiled method.
Detailed Description
Fig. 1 illustrates a compilation tool CMP according to an embodiment. The compilation tool CMP is a compiler or compiler program implemented within a computer processing unit, for example a PC-type computer.
The compiler CMP includes an input IN and an output OUT. The input IN of the compilation tool CMP is configured to receive the source code CS. The source code CS is stored in a memory of the processing unit. The compilation tool CMP is configured to implement a compilation method according to an embodiment and described below. The compilation method makes it possible to obtain the computer executable code PRG as the output OUT. The code PRG is specifically a program executable by a processor.
The processor on which the executable code may be executed may have an ARM type architecture. The processor may be a processor of a microcontroller. The processor may also be a microprocessor.
The source code is written according to a programming language, such as C. The source code includes instructions written according to the programming language. The source code may define a plurality of functions, each function including at least one instruction.
The executable code PRG comprises binary instructions executable by the processor.
A compilation method according to an embodiment that can be implemented by the compilation tool CMP is illustrated in fig. 2. The compilation method makes it possible to compile the source code CS into the computer executable code PRG.
First, the method comprises a receiving step 20, wherein the compilation tool receives the source code as input.
The compiling method comprises a step 21 of translating the source code CS received as input to a compiling tool CMP. During this step 21, the compilation tool translates the instructions of the source code into machine instructions executable by the processor, with which the executable code PRG must be executed.
The compilation method then comprises a step 22 of introducing additional instructions. During this step 22, additional instructions are introduced between the translated machine instructions of the source code. This introduction step 22 makes it possible to obtain the executable code PRG.
The executable code PRG thus comprises the translated instructions of the source code in step 21 and the additional instructions introduced in step 22.
Additional instructions that can be introduced can include illegal instructions and/or non-operational instructions. In particular, additional instructions of the same type or of a plurality of different types may be introduced.
The additional instructions are introduced at a location where the machine instruction code can be selected from a plurality of possible locations, in particular in or between functions of the code. The location at which the additional instruction is introduced may be randomly selected.
Additional instructions may be introduced into the entire machine instruction code or only certain portions of the code. The number of which may also vary and be chosen randomly.
Furthermore, the introduction of additional instructions or the movement of a pool of text to be described later may require updating the address of the translated instruction of the source code, particularly in and for function calls. In examples 3-1 to 3-8 in the appendix below, for ease of understanding and comparing the example of fig. 2, the address of the translation instruction of the source code is not updated.
The introduction of additional instructions makes it possible to obtain robust executable code PRG, in particular against fault injection attacks or disturbances outside the processor.
The compilation method then comprises a passing step 23, in which the executable code PRG is passed as output of the programming tool.
According to the C language source code shown in example 1 in the appendix, the various executable codes shown in examples 3-1 to 3-8 in the appendix can be obtained, according to various embodiments, by various implementations M1 to M8 of step 22 of the compilation method.
The illustrated source code is used only to facilitate understanding of the compilation method.
The source code includes a "main" function, a "function _ a" function, and a "function _ b" function.
The "function _ b" function is written after the "function _ a" function.
The "main" function is written after the "function _ b" function.
The main function includes a "function _ a" function call.
The source code is translated into executable binary instructions by a processor having an ARM architecture. These translation instructions are shown in assembly language in example 2 of the appendix to facilitate understanding of the compilation method.
As shown in example 2 of the appendix, the translated instruction of the "function _ b" function follows the translated instruction of the "function _ a" function.
Furthermore, the "function _ a" and "function _ b" functions each include a function end branch instruction, shown in assembly language by the "bx lr" ARM instruction (see instructions 5C and 94), which translates the "return" instruction into C language as shown in example 1 in the appendix.
Additional instructions are then introduced into the translated instruction sequence of the source code. Various examples of additional instructions introduced in the translated instruction sequence of the source code are illustrated in examples 3-1 through 3-8 in the appendix. For ease of understanding, the instructions are shown in assembly language in these examples.
In the embodiment M1 of step 22 shown in example 3-1, additional illegal instructions are introduced between the functions. Specifically, these additional illegal instructions are introduced for each function after the function-ending branch instruction (i.e., the "bx lr" instruction).
These illegal instructions are shown by the expression "< UNDEFINED >".
In this embodiment M1, the same number of additional illegal instructions are introduced after the function-ending branch instruction of each function. In particular, in the present embodiment, three additional illegal instructions are introduced after the function-ending branch instruction. Preferably, at least two additional illegal instructions are added after the function-ending branch instruction.
Alternatively, in embodiment M2 of step 22 shown in example 3-2, a random number of additional illegal instructions are introduced after the function-ending branch instruction for each function. Here, for example, 2 additional illegal instructions are introduced after the function end branch instruction of the "function _ a" function, 4 additional illegal instructions are introduced after the function end branch instruction of the "function _ b" function, and 5 additional illegal instructions are introduced after the function end branch instruction of the "function _ a" function. Preferably, at least two additional illegal instructions are added after the function ends branch instruction.
The additional illegal instructions introduced may be read by the processor on which the executable code PRG is executed. Reading the additional illegal instructions generates an illegal instruction exception.
When the executable code PRG is running correctly, the function end branch instruction is executed so that additional illegal instructions are not read.
These additional instructions may be fetched if the end-of-function branch instruction is not executed by the processor. The function-ending branch instruction may be particularly jumped when the processor experiences a fault injection attack or a disturbance external to the processor.
When a function-ending branch instruction of a function is jumped, the processor may execute the function located after the jump function. For example, if a function end branch instruction of the "function _ a" function is not executed, the processor may execute the "function _ b" function.
However, the reading of the additional illegal instruction located after the function-ending branch instruction makes it possible to generate an illegal instruction exception. Since the additional illegal instruction is read only when the function end branch instruction is not executed, generating an illegal instruction exception after the additional illegal instruction is read may indicate an execution failure of the executable code PRG.
The introduction of at least two additional illegal instructions may reduce the chance that the additional illegal instructions are all jumped when the execution of the executable code PRG fails.
Additional illegal instructions may also be introduced within the function, such as in the implementations illustrated in examples 3-3 and 3-4.
As shown in implementation M3 of step 22 shown in example 3-3, the compilation method may be adapted to introduce at least one additional unconditional branch instruction between two translated instructions of the source code, followed by at least one additional illegal instruction. Thus, the additional unconditional branch instruction is located after the first of the two translated instructions of the source code and takes the address of the second of the two instructions as an operand. Preferably, after the additional branch instruction, at least two additional illegal instructions are introduced. The number of additional illegal instructions following the additional unconditional branch instruction may also be randomly selected.
The introduction of a random number of consecutive additional illegal instructions can complicate the replication of error injection attacks on multiple different computer systems.
In particular, in the example shown, these additional instructions are introduced between instructions 34 and 38 of the "function _ a" function. An additional unconditional branch instruction points to the address of instruction 38 of the "function _ a" function, and it is followed by two additional illegal instructions.
Therefore, when the executable code PRG executes normally, the additional branch instruction is executed so that the additional illegal instruction is not read.
However, when additional branch instructions are not executed after a fault occurs in the execution of the executable code PRG, additional illegal instructions located after these additional branch instructions are read. An illegal instruction exception is then generated. Illegal instruction exceptions may thus be used to detect faults in the execution of the executable code PRG.
Furthermore, as shown in implementation M4 of step 22 shown in examples 3-4, at least one additional illegal instruction may be introduced within the function following the translated unconditional branch instruction of the source code. Preferably, at least two additional illegal instructions are added after the translated unconditional branch instruction of the source code. The number of additional illegal instructions following the translated branch instruction of the source code may also be randomly selected.
In particular, in the example shown in examples 3-4, two additional illegal instructions are added after the unconditional branch instructions 2c, 4c and 50 of the "function _ a" function.
The unconditional branch instruction 2c is used before the "return" instruction of the first "if" structure of the "function _ a" function in the source code. The branch instruction 2c then makes it possible to execute a function-ending branch instruction 5c that translates the "return" instruction.
The branch instruction 4c is therefore used before the "return" instruction of the second "if" structure of the "function _ a" function in the source code. The branch instruction 2c then makes it possible to execute a function-ending branch instruction 5c that translates the "return" instruction.
The branch instruction 50 is used to translate the "while (1)" structure of the "function _ a" of the source code.
Thus, when the executable code PRG executes normally, the translated branch instruction of the source code is executed so that the additional illegal instructions following it are not read.
However, when a translated branch instruction of the source code is not executed after a fault occurs in the execution of the executable code PRG, additional illegal instructions located after the branch instruction are read. An illegal instruction exception is then generated. These illegal instruction exceptions may thus be used to detect faults in the execution of the executable code PRG.
Furthermore, some literal pools may also be used as additional illegal instructions within the function, such as in implementation M5 of step 22 shown in examples 3-5.
The literal value is an immediate value that can be stored in the executable code area. These literal values are not instructions to be executed by the processor and are processed as illegal instructions when read. Thus, the literal value may be used as an illegal instruction to detect a fault in the execution of the executable code PRG. For example, a literal value may be used as an illegal instruction by moving the pool of literal values after an additional branch instruction introduced from the translated instruction of the source code, or after the translated branch instruction of the source code.
In the example shown in examples 3-5, two literal values are used as illegal instructions: a literal value stored at address < function _ a +0x60> and a literal value stored at address < function _ a +0x6c >. Additional illegal instructions are also introduced after the last literal value.
In particular, as can be seen in examples 3-5, the literal pool has been moved to be placed after the function end branch instruction.
Thus, the two literal values and the additional illegal instruction may be used to detect a fault in the execution of the executable code PRG.
More specifically, when the executable code PRG executes normally, the translated function ending branch instruction of the source code is executed so that the literal values and the additional illegal instructions that follow them are not executed.
However, when the function end branch instruction is not executed after a fault occurs in the execution of the executable code PRG, the literal value may be read and interpreted as an illegal instruction. In which case an illegal instruction exception is generated. Similarly, the reading of the additional illegal instruction results in the generation of an illegal instruction exception. These illegal instruction exceptions may thus be used to detect faults in the execution of the executable code PRG.
Using a literal value as an illegal instruction may reduce the number of additional illegal instructions inserted into the executable code PRG. This thus makes it possible to reduce the size of the executable code PRG.
Furthermore, as shown in implementation M6 of step 22 shown in examples 3-6, at least one additional illegal instruction may be introduced after the function call. Preferably, at least two additional illegal instructions may be introduced after the function call. The number of additional illegal instructions introduced after the function call may also be randomly selected.
Specifically, in the examples shown in examples 3-6, three additional illegal instructions are added in the "main" function after the branch instruction b4 ("bl 0< function _ a >") used as a "function call.
Adding an illegal instruction after a function call instruction involves modifying the Link Register (LR) at the end of the function call. In particular, the link register is modified to point to the instruction address following the additional illegal instruction introduced after the function call instruction.
For example, in the examples shown in examples 3-6, to modify the Link Register (LR), an additional instruction is added to the "function _ a" function before the function-ending branch instruction 5c ("bx LR") makes it possible to return to the "main" function (the "return" instruction in the translation source code). This additional instruction is an add instruction ("add LR, LR, # 12") so that the number of additional illegal instructions introduced after the function call instruction b4 can be added to the address contained in the Link Register (LR). Specifically, in examples 3-6, 12 is added to the value of the Link Register (LR) since three additional illegal instructions are introduced, each of which is four bytes in size.
Therefore, when the executable code PRG is normally executed, the branch instruction b4 for calling the "function _ a" function is executed. Then, at the end of the execution of the "function _ a" function, the processor executes instruction b8 following the addition of the illegal instruction. The additional instructions are therefore not read.
However, when the branch instruction b4 for calling the "function _ a" function is not executed after a fault occurs in the execution of the executable code PRG, the "function _ a" function is not executed and additional illegal instructions located after the branch instruction are read. An illegal instruction exception is then generated. These illegal instruction exceptions may thus be used to detect faults in the execution of the executable code PRG.
Furthermore, as shown in an implementation M7 of step 22 shown in examples 3-7, at least one additional illegal instruction may be introduced into the function after the conditional branch instruction (particularly after the "beq" or "bne" instruction). The conditional branch instruction may be a translated instruction of the source code or even an instruction added from the translated instruction of the source code. In this last case, a conditional branch instruction is thus introduced, followed by at least one additional illegal instruction from the translated instruction of the source code.
In particular, during normal execution of the executable code PRG, additional illegal instructions are added after conditional branch instructions, the condition of these branches being inevitably checked.
More specifically, conditional branch instructions may be used, for example, after compare instructions.
A compare instruction makes it possible to compare two values to see if the values are equal and then execute some other instruction according to the result obtained from the comparison. The selection of these other instructions is performed due to the conditional branch instruction.
To ensure that during execution of the executable code PRG, the translated compare instruction of the source code and the following first conditional branch instruction are executed correctly, the same compare instruction and the following second conditional branch instruction, which is the inverse of the first conditional branch instruction, may be introduced. The compare instruction and the subsequent second branch instruction may be introduced before or after the translated compare instruction and the subsequent first branch instruction in the source code.
In the order of execution of the instructions of the executable code PRG additional illegal instructions are introduced at the farthest place after the compared conditional branch instruction. Thus, if neither the first conditional branch nor the second conditional branch is executed, additional illegal instructions are read. This means that the execution of the executable code PRG does not occur correctly. In fact, since the two conditional branch instructions are opposite, during normal execution of the executable code PRG, at least one of the two conditional branches must be executed.
The reading of the additional illegal instruction generates an illegal instruction exception. This illegal instruction exception may thus be used to detect a fault in the execution of the executable code PRG.
In particular, in the examples shown in examples 3-7, additional instructions are introduced from the translated instructions of the source code to check whether the compare instruction c4 and the conditional branch instruction c8 were executed correctly during execution of the executable code PRG.
Specifically, a first series of additional instructions S1 is introduced between translated instructions c0 and c4 of the source code. A first series of additional instructions is introduced to initialize the zero flag to "1". In particular, the value of the zero flag is defined by the result of each compare instruction. The zero flag is used by the conditional branch instruction to determine whether the branch must be executed.
The first series of additional instructions includes a compare instruction for comparing the value of register r3 with the same value of register r 3. Register r3 is a register used to compare translated instruction c4 of the source code. The two comparison values are the same and the introduced compare instruction can determine that the two values are equal. Thus, the introduced compare instruction may initialize the zero flag to "1" when executed.
The first series of additional instructions further includes comparing the conditional branch instruction following the instruction with additional illegal instructions following the conditional branch instruction. The conditional branch instruction is of the type "beq" (if equal, branch) and therefore a branch may be taken when the result of the comparison before the branch may determine equality between the two test values. Conditional branch instructions read the zero flag to determine if the branch must be executed. If the compare instruction introduced prior to the conditional branch instruction has been executed correctly, the zero flag is "1" so that a branch is inevitably taken if the executable code PRG executes normally and the next instruction that must be executed is instruction c 4. However, if the compare instruction is not executed, after the fault occurs, the branch is not executed and additional illegal instructions are read. Reading the additional illegal instruction generates an illegal instruction exception. This illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
Instruction c4, which follows the first series of additional instructions, is a translation compare instruction in source code such that the value of register r3 may be compared to a value of "0".
This instruction is followed by a conditional branch instruction c8 of the type "bne" (if not equal, branch). If the values of the comparison tests performed from instruction c4 are not equal, then the instruction may execute a branch.
Following the source code translated instruction c8, a second series of additional instructions S2 is introduced.
The second series of additional instructions includes a compare instruction for comparing the value of register r3 with the value "1". The introduced compare instruction may thus set the zero flag to "0".
The second series of additional instructions further includes a conditional branch instruction following the compare instruction and an additional illegal instruction following the conditional branch instruction. The conditional branch instruction is of the type "bne" (if not equal, branch) and therefore a branch may be executed when the result of the comparison before the branch may determine the difference between the two test values. Conditional branch instructions read the zero flag to determine if the branch must be executed. If the compare instruction introduced prior to the conditional branch instruction has been executed correctly, the zero flag is "0" so that a branch is inevitably taken if the executable code PRG executes normally and the next instruction that must be executed is instruction yy. However, if the compare instruction is not executed, after the fault occurs, the branch is not executed and additional illegal instructions are read. Reading the additional illegal instruction generates an illegal instruction exception. This illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
After the second series of additional instructions S2, a third series of additional instructions S3 is introduced.
The third series of additional instructions includes a compare instruction that is identical to the translated compare instruction c4 in the source code.
The third series of additional instructions further includes a conditional branch instruction following the compare instruction and an additional illegal instruction following the conditional branch instruction.
The conditional branch instruction is of the "beq" (branch if equal) type, and is therefore the opposite of conditional branch instruction c 8.
During normal execution of the executable code PRG, the compare instruction of the third series of instructions may be executed only if the comparison performed from instruction c4 results in a determination that register r3 is equal to "0". Thus, during normal execution of the executable code PRG, a comparison performed from a compare instruction introduced into the third series of additional instructions must determine that the value of register r3 is unmodified, still equal to "0". Thus, during normal execution of the executable code PRG, the condition of the conditional branch instruction of the third series of additional instructions is checked and the branch must be executed. Therefore, the following instruction that must be read is instruction cc.
However, if an additional illegal instruction of the third series of additional instructions is read, this means that the execution of the executable code PRG fails. Reading the additional illegal instruction generates an illegal instruction exception. This illegal instruction exception makes it possible to detect a fault in the execution of the executable code PRG.
In an implementation in which additional illegal instructions are introduced from the translated instructions of the source code, a control device DCTRL is provided in the computer system SYS, with which the executable code can be executed.
Such a computer system SYS is shown in fig. 3. The computer system SYS comprises a non-volatile memory MEM comprising executable code PRG obtained from the previously described compilation method.
The computer system SYS further comprises a processor PROC configured to execute the executable code PRG.
The control device DCTRL is configured to detect illegal instruction exceptions. The control device DCTRL is configured to stop the uncontrolled execution of the executable code PRG after detecting these illegal instruction exceptions and then to perform a security action.
The security action may be, for example, a re-initialization of the processor executing the executable code PRG or an erasure of sensitive data, such as encryption keys. The security action may also be writing to a Real Time Clock (RTC) register to attempt to store the error injection attack in memory. The processor speed may also be slowed to slow the attack attempt.
The computer system on which the executable code PRG is executed may comprise such a control device.
The control device may be implemented by software means or hardware means, for example by logic circuits.
Furthermore, as seen previously, the additional instruction introduced in step 22 of the compilation method may be a no-operation ("nop") instruction. Such an implementation M8 of step 22 is shown in examples 3-8.
These additional non-operational instructions are introduced within the function at randomly selected locations from the translated instructions of the source code.
In fact, the random introduction of non-operational instructions makes it possible to obtain a different executable code PRG for each compilation, thus complicating the replication of fault injection attacks on multiple computer systems based on the same software implementation.
The introduction of additional instructions between the translated instructions of the source code makes it possible to improve the robustness of the compiled executable code PRG in terms of security and against fault injection attacks.
Such a compilation method may facilitate the development of executable code because the insertion of additional instructions is performed automatically by the compilation tool.
Furthermore, execution of the executable code may be performed by using a flash memory instead of a Random Access Memory (RAM).
Appendix
Example 1: source code (C language):
Figure BDA0003350902760000181
example 2: translation of Source code object code (ARM Assembly language) for example 1
Figure BDA0003350902760000191
Example 3-1: executable code (translated into ARM assembly language) obtainable by compiling a first implementation of step 22 of the method M1
Figure BDA0003350902760000201
Example 3-2: executable code (translated into ARM assembly language) obtainable by compiling a second implementation M2 of step 22 of a method
Figure BDA0003350902760000211
Examples 3 to 3: executable code (translated into ARM assembly language) obtainable by compiling a third implementation of step 22 of the method M3
Figure BDA0003350902760000221
Examples 3 to 4: executable code (translated into ARM assembly language) obtainable by compiling a fourth implementation of step 22 of the method M4
Figure BDA0003350902760000231
Examples 3 to 5: executable code (translated into ARM assembly language) obtainable by compiling a fifth implementation M5 of step 22 of the method
Figure BDA0003350902760000241
Examples 3 to 6: executable code (translated into assembly language) obtainable by compiling a sixth implementation of step 22 of the method M6
Figure BDA0003350902760000251
Examples 3 to 7: executable code (translated into assembly language) obtainable by compiling a seventh implementation of step 22 of the method M7
Figure BDA0003350902760000261
Examples 3 to 8: executable code (translated into assembly language ARM) obtainable by compiling an eighth implementation of step 22 of the method M8
Figure BDA0003350902760000271

Claims (25)

1. A method of compiling source code into computer executable code by a compilation tool implemented within a computer processing unit, the method comprising:
receiving the source code as input to the compilation tool;
storing the source code in a memory of the computer processing unit;
translating, by the compilation tool, the source code into object code comprising machine instructions executable by a processor;
after the translating, introducing, by the compilation tool, additional instructions selected from additional illegal instructions or additional non-operational instructions among the machine instructions of the object code to obtain the computer-executable code; and
after the importing, passing the computer-executable code as an output of the compilation tool.
2. The method of claim 1, wherein the object code comprises a function comprising a set of machine instructions, and the method comprises: introducing the additional illegal instructions between the functions of the object code.
3. The method of claim 1, further comprising: at least one additional illegal instruction is introduced after a branch instruction of the target code translated from the source code.
4. The method of claim 1, further comprising: introducing an additional branch instruction and subsequently at least one additional illegal instruction between two machine instructions of the target code translated from the source code.
5. The method of claim 1, wherein the target code translated from the source code comprises a translated compare instruction followed by a translated conditional branch instruction, and further comprising:
introducing in the target code, upstream of the source code translated compare instruction or subsequent to the source code translated conditional branch instruction, an additional compare instruction that is the same as the source code translated compare instruction and subsequent to the source code translated conditional branch instruction, the additional conditional branch instruction being opposite the source code translated conditional branch instruction subsequent to the source code translated compare instruction; and
at least one additional illegal instruction is introduced after the additional conditional branch instruction from the source code and a last conditional branch instruction of the translated conditional branch instruction.
6. The method of claim 1, further comprising:
introducing at least one additional illegal instruction after the function call branch instruction; and
introducing at least one add instruction in the function, the at least one add instruction configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction.
7. The method of claim 1, further comprising: introducing at least two consecutive additional illegal instructions between at least two machine instructions of the target code translated from the source code.
8. The method of claim 7, further comprising: randomly selecting a number of consecutive additional illegal instructions to be introduced between the at least two machine instructions of the target code translated from the source code.
9. The method of claim 1, further comprising: performing the introducing of the additional instruction on only a portion of the object code.
10. The method of claim 1, further comprising: introducing the additional instruction into the object code at a location of the object code that is at least partially randomly selected.
11. A non-transitory computer-readable recording medium, comprising:
a compilation tool for compiling source code into computer executable code, the compilation tool configured to:
receiving the source code as input;
storing the source code in a memory of a computer processing unit;
translating the source code into object code comprising machine instructions executable by a processor;
after the translation, introducing additional instructions selected from additional illegal instructions or additional non-operational instructions between machine instructions of the target code to obtain the computer-executable code; and
after the introducing, the computer-executable code is passed as an output.
12. The non-transitory computer-readable recording medium of claim 11, wherein the object code comprises functions comprising a set of machine instructions, and wherein the compilation tool is configured to introduce the additional illegal instructions between the functions of the object code.
13. The non-transitory computer-readable recording medium of claim 11, wherein the compilation tool is configured to introduce at least one additional illegal instruction after a branch instruction of the object code translated from the source code.
14. The non-transitory computer-readable recording medium of claim 11, wherein the compilation tool is configured to introduce an additional branch instruction and subsequently at least one additional illegal instruction between two machine instructions of the object code translated from the source code.
15. The non-transitory computer-readable recording medium of claim 11, wherein the object code translated from the source code comprises a translated comparison instruction followed by a translated conditional branch instruction, and wherein the compilation tool is configured to:
introducing in the target code, upstream of the source code translated compare instruction or subsequent to the source code translated conditional branch instruction, an additional compare instruction that is the same as the source code translated compare instruction and subsequent to the source code translated conditional branch instruction, the additional conditional branch instruction being opposite the source code translated conditional branch instruction subsequent to the source code translated compare instruction; and
at least one additional illegal instruction is introduced after the additional conditional branch instruction from the source code and a last conditional branch instruction of the translated conditional branch instruction.
16. The non-transitory computer-readable recording medium of claim 11, wherein the compilation tool is configured to:
introducing at least one additional illegal instruction after the function call branch instruction; and
introducing at least one add instruction in the function, the at least one add instruction configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction.
17. The non-transitory computer-readable recording medium of claim 11, wherein the compilation tool is configured to introduce at least two consecutive additional illegal instructions between at least two machine instructions of the object code translated from the source code.
18. A computer system, comprising:
a non-transitory memory comprising computer executable code obtained from source code by a compilation tool configured to:
receiving the source code as input;
storing the source code in a memory of the computer processing unit;
translating the source code into object code comprising machine instructions executable by a processor;
after the translation, introducing additional instructions selected from additional illegal instructions or additional non-operational instructions between machine instructions of the target code to obtain the computer-executable code; and
after the introducing, passing the computer-executable code as an output; and
a processor configured to execute the computer executable code.
19. The computer system of claim 18, further comprising a control device configured to:
during execution of the computer-executable code, receiving an illegal instruction exception generated by the processor in response to the processor reading additional illegal instructions; and
stopping the execution of the computer-executable code after receiving the illegal instruction exception.
20. The computer system of claim 18, wherein the object code comprises functions comprising a set of machine instructions, and wherein the compilation tool is configured to introduce the additional illegal instructions between the functions of the object code.
21. The computer system of claim 18, wherein the compilation tool is configured to introduce at least one additional illegal instruction after a branch instruction of the target code translated from the source code.
22. The computer system of claim 18, wherein the compilation tool is configured to introduce an additional branch instruction and subsequently at least one additional illegal instruction between two machine instructions of the target code translated from the source code.
23. The computer system of claim 18, wherein the target code translated from the source code comprises a translated comparison instruction followed by a translated conditional branch instruction, and wherein a compilation tool is configured to:
introducing in the target code, upstream of the source code translated compare instruction or subsequent to the source code translated conditional branch instruction, an additional compare instruction that is the same as the source code translated compare instruction and subsequent to the source code translated conditional branch instruction, the additional conditional branch instruction being opposite the source code translated conditional branch instruction subsequent to the source code translated compare instruction; and
at least one additional illegal instruction is introduced after the additional conditional branch instruction from the source code and a last conditional branch instruction of the translated conditional branch instruction.
24. The computer system of claim 18, wherein the compilation tool is configured to:
introducing at least one additional illegal instruction after the function call branch instruction; and
introducing at least one add instruction in the function, the at least one add instruction configured to modify a return address stored in a link register by adding to the return address a plurality of additional illegal instructions introduced after the function call branch instruction.
25. The computer system of claim 18, wherein the compilation tool is configured to introduce at least two consecutive additional illegal instructions between at least two machine instructions of the object code translated from the source code.
CN202111336977.7A 2020-11-13 2021-11-12 System and process for compiling source code Pending CN114489657A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
FR2011657 2020-11-13
FR2011657A FR3116356B1 (en) 2020-11-13 2020-11-13 METHOD FOR COMPILING A SOURCE CODE
US17/451,394 2021-10-19
US17/451,394 US11893370B2 (en) 2020-11-13 2021-10-19 System and process for compiling a source code

Publications (1)

Publication Number Publication Date
CN114489657A true CN114489657A (en) 2022-05-13

Family

ID=81492966

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111336977.7A Pending CN114489657A (en) 2020-11-13 2021-11-12 System and process for compiling source code

Country Status (1)

Country Link
CN (1) CN114489657A (en)

Similar Documents

Publication Publication Date Title
JP4777903B2 (en) Method of controlling program execution consistency by verifying execution trace print
US8694977B2 (en) Distributed compiling process with instruction signature support
JP7154365B2 (en) Methods for securing software code
WO2018063562A1 (en) Technologies for deterministic code flow integrity protection
CN110088736B (en) Self-tuning method and system
JP6435834B2 (en) Instruction execution control device and instruction execution control method
Wang et al. Translingual obfuscation
Padaryan et al. Automated exploit generation for stack buffer overflow vulnerabilities
US9129137B2 (en) Method, computer program and device for providing security for intermediate programming code for its execution by a virtual machine
TWI801505B (en) Branch target variant of branch-with-link instruction
JP4754635B2 (en) Control flow protection mechanism
Kyle et al. Application of domain-aware binary fuzzing to aid Android virtual machine testing
US20200257805A1 (en) Method for executing a machine code of a secure function
US11256786B2 (en) Method to secure a software code
CN114489657A (en) System and process for compiling source code
Lehniger et al. Combination of ROP Defense Mechanisms for Better Safety and Security in Embedded Systems
CN111309444B (en) Method, device, system and storage medium for anti-debugging by using process virtual machine
US11893370B2 (en) System and process for compiling a source code
Le Bon et al. DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification
KR20210108848A (en) Cfi-based protection device and method for defending against got overwrite attacks
US20230418950A1 (en) Methods, Devices, and Systems for Control Flow Integrity
CN111045658B (en) Method and apparatus for accessing static members of a class
US20230040093A1 (en) Method for verifying an execution of a software program
Vigna Reliable Software Group, University of California, Santa Barbara vigna@ cs. ucsb. edu

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination