FR3075430A1 - DATA PROCESSING METHOD AND ASSOCIATED ELECTRONIC DEVICE - Google Patents

Abstract

 A data processing method implemented in an electronic device (1) equipped with a processor (2) comprises a step of execution of a first set of instructions by the processor (2) and a step of execution a second set of instructions by the processor (2).  Between the step of executing the first set of instructions and the step of executing the second set of instructions, a sequence of instructions randomly selected from among a plurality of sequences of instructions having execution times is executed. different.  At least one of the instruction sequences of said plurality includes instructions designed to perform an operation verification operation of the electronic device (1) when these instructions are executed by the processor (2).

Description

Technical field to which the invention relates

The present invention relates generally to the field of data processing by means of the execution of instructions by a processor of an electronic device.

It relates more particularly to a data processing method and an associated electronic device.

Technological background

The data processing methods are commonly implemented by the execution of sets of instructions by a processor of an electronic device.

In this context, malicious people can seek to understand the functioning of the electronic device (or to have access to the manipulated data) by observing the electrical consumption of the electronic device, which is linked to the instructions executed.

For example, when an attacker wishes to carry out a fault attack by disrupting the operation of the processor (typically by means of a laser), the attacker observes the power consumption in order to inject the fault at a specific time of execution instructions by the processor.

In order to counter this type of attack, it has already been proposed to have the processor execute portions of program having variable durations (generally randomly) from one execution to another.

Thus, the attacker cannot predict when the instruction he wishes to disrupt will be executed.

Object of the invention

In this context, the present invention provides a data processing method implemented in an electronic device equipped with a processor, this method comprising a step of execution of a first set of instructions by the processor and a step of execution of a second set of instructions by the processor, characterized in that, between the step of executing the first set of instructions and the step of executing the second set of instructions, a sequence is executed instructions selected randomly from a plurality of instruction sequences having different execution durations, and in that at least one of the instruction sequences of said plurality includes instructions designed to perform an operation verification operation of the electronic device when these instructions are executed by the processor.

Thus, the respective instants of execution of the first set of instructions and of the second set of instructions are separated by a duration which changes (randomly) with each implementation of the method, so that the attacker cannot predict when the second set of instructions will be implemented. This variable duration between the execution of the first set of instructions and the execution of the second set of instructions is also used to perform at least one operation for verifying the operation of the electronic device.

The aforementioned method can also comprise the following steps:

- random determination of a number;

- launching of the execution of the sequence of instructions associated with the number determined among the sequences of instructions of said plurality.

Other non-limiting and advantageous characteristics of the data processing method according to the invention, taken individually or in any technically possible combination, are the following:

- each sequence of instructions from the plurality performs a corresponding operation to verify the operation of the electronic device;

- at least one sequence of plurality instructions performs a combination of operations to verify the operation of the electronic device;

the verification operation is an integrity verification operation of at least part of a memory of the electronic device, or an verification operation of a value of a variable stored within the electronic device, or a operation for verifying a measurement supplied by a sensor fitted to the electronic device, or else an operation for verifying receipt of a correct operating signal coming from a component of the electronic device (the aforementioned combination being able to combine several of these operations ).

It can also be provided that the method comprises the following steps:

- during the execution of the sequence of instructions randomly selected, storage of an indicator of achievement of at least one verification operation associated with the sequence of instructions concerned;

- during a subsequent phase of the operation of the electronic device, implementation of said at least one verification operation only in the absence of said performance indicator.

Such an achievement indicator is thus provided for at least one of the instruction sequences. When a plurality of verification operations are implemented during the execution of the sequence of instructions concerned, the performance indicator can target the entire sequence (that is to say all the operations of plurality check); according to another possibility, one can provide such a performance indicator for each plurality checking operation.

In a subsequent security phase, only verification operations which have not been carried out between the execution of the first set of instructions and the execution of the second set of instructions are carried out.

The invention also provides an electronic device comprising a processor and a unit for storing instructions executable by the processor, characterized in that said instructions are designed so that between a step of executing a first set of instructions and a step of executing a second set of instructions, is executed a sequence of instructions randomly selected from a plurality of sequences of instructions having different execution durations, and in that at least one of the sequences instructions of said plurality includes instructions designed to perform an operation verification operation of the electronic device when these instructions are executed by the processor.

Detailed description of an exemplary embodiment

The description which follows with reference to the appended drawings, given by way of nonlimiting examples, will make it clear what the invention consists of and how it can be carried out.

In the accompanying drawings:

- Figure 1 schematically shows the main elements of an electronic device in which the invention is implemented;

- Figure 2 shows, in the form of a flow diagram, a first example of a process according to the invention;

- Figure 3 shows a first example of a redirection table usable in the context of the invention;

- Figure 4 shows a second example of a redirection table usable in the context of the invention; and

- Figure 5 shows, in the form of a flow diagram, a second example of a method according to the invention; and

- Figure 6 shows a possible example for the storage of instructions able to implement a method according to the invention.

FIG. 1 schematically represents the main elements of an electronic device 1 (or electronic entity) within which the invention is implemented. In the examples described here, this electronic device 1 is a secure module.

Such a secure module 1 is for example a microcircuit card, such as a universal integrated circuit card (or UICC for Universal Integrated Circuit Card '). Alternatively, it could be a secure element (or SE for Secure Element ') - for example a secure microcontroller.

Alternatively, the electronic device could be a computer or a portable electronic device (or hand-held electronic device according to the Anglo-Saxon designation) - for example a communication terminal or an electronic passport.

The electronic device 1 comprises a processor 2 (here a microprocessor), a random access memory 4 and a rewritable non-volatile memory 6 (for example of the EEPROM type for Electrically Erasable and Programmable Read-Only Memory). The electronic device 1 could possibly also comprise a read-only memory. The random access memory 4 and the rewritable nonvolatile memory 6 (as well as the read-only memory if necessary) are each linked to the processor 2 so that the processor 2 can read or write data in each of these memories.

One of these memories, for example the rewritable non-volatile memory 6, stores computer program instructions (for example with a structure such as that presented in FIG. 6) which allow the implementation of at least one of the methods described below with reference to FIGS. 2 and 5 when these instructions are executed by processor 2.

The memories 4, 6 also store data representative of values used during the implementation of the methods described below. For example, in the example described here where the electronic device 1 is designed to implement a cryptographic algorithm (as explained below), the rewritable non-volatile memory 6 stores a cryptographic key K.

The random access memory 4 also stores, for example within variables, data processed during the methods described below.

The electronic device 1 here further comprises a communication interface 8 with external electronic devices. For example, when the electronic device 1 is a microcircuit card, the communication interface 8 comprises, for example, contacts which are flush with one face of the microcircuit card. As a variant, the communication interface 8 could be produced by a contactless communication module. In general, the communication interface 8 can be a communication module (wired or wireless) with another electronic entity.

The processor 2 can thus receive data, for example a message M, from the other electronic entity via the communication interface 8 and transmit other data, for example a result of application of the aforementioned cryptographic algorithm to the message M, to the other electronic entity via the communication interface 8.

As already indicated, the invention is not limited to this example, however, and can be applied to other types of electronic device (even without cryptographic processing).

FIG. 2 represents, in the form of a flow diagram, a first example of a process according to the invention. This method is for example implemented due to the execution by the processor 2 of instructions shown diagrammatically in FIG. 6. Of course, the invention is not however limited to such an organization of the instructions in the memory.

This method begins at step E2 at which the processor 2 receives data, for example a message M to be processed, via the communication interface 8. This step E2 of reception is for example implemented due to the execution of INSTR _rec instructions shown in Figure 6.

As already indicated, the invention is not limited to the example described here and also applies to electronic devices without means of communication with external devices (in which case step E2 is not implemented) .

The processor 2 then performs in step E4 an initialization of its operation, here due to the execution by the processor 2 of INSTRinit instructions stored in the rewritable non-volatile memory 6.

The initialization step E4 can include for example:

- operations to update or initialize variables (stored in RAM 4) used in the cryptographic processing step E10 described below, and / or

- operations to verify the content of at least part of the RAM 4 and or the rewritable non-volatile memory 6; and or

an operation for detecting (at a predetermined location in the rewritable non-volatile memory 6) the possible presence of blocking data (the processor 2 controlling the stopping of the operation of the electronic device 1 in the event of effective detection of this blocking data).

The processor 2 then determines in step E6 a value A, here by random drawing. In the example described here, the value A is an integer (random) value between 1 and a predetermined number N (the random drawing used preferably making it possible to obtain with an identical probability each of the integer values between 1 and N) . (This determination step E6 is for example implemented due to the execution of certain instructions from INSTRapp instructions stored in the non-volatile memory 6.)

The processor 2 implements a desynchronization step E8, the duration of which is variable according to the value A obtained in step E6.

Specifically, during the desynchronization step E8 is executed by the processor 2 a sequence of instructions chosen from N sequence of instructions on the basis of the value A obtained in step E6.

According to a first possibility, each of the N sequences of instructions comprises instructions INSTR _PRO ti, INSTR _PRO t2, INSTR _PRO tn designed to perform an operation verification operation of the electronic device 1 when these instructions are executed by the processor 2.

As a variant, only part of the N instruction sequences could include instructions designed to perform an operation verification operation of the electronic device 1 when these instructions are executed by the processor 2.

Thus, sequences of instructions without verification operation, can be used to ensure good dispersion of the desynchronization times and in particular the presence of short desynchronization times. These are, for example, sequences of instructions corresponding to desynchronization times which are less than the execution time of each possible verification operation.

The different verification operations respectively implemented due to the execution by processor 2 of the N possible instruction sequences can each, for example, be chosen from:

- an integrity verification operation of at least part of the random access memory 4 or of the rewritable non-volatile memory 6,

- an operation for verifying a value of a variable stored in the electronic device 1,

- a verification operation of a measurement supplied by a sensor (for example a light sensor or a temperature sensor) equipping the electronic device 1 and

- an operation for verifying receipt of a correct operating signal from a component (for example a random number generator or a crypto-processor) of the electronic device 1.

In practice, a redirection table T stores, for each value between 1 and N, an address PROT1, PROT2, PROTN where one of the sets of instructions INSTR _PRO ti, INSTR _PRO t2, INSTR _PRO tn is stored, as shown in figure 3.

In this case, the desynchronization step E8 is implemented by calling (due to the execution by the processor 2 of the INSTRa _PP instructions) of a subroutine stored at the address PROTi associated with the random value A in the redirection table T (this subroutine being formed of the instructions INSTR _P rotî concerned).

The different sets of instructions INSTR _P roti, INSTR _P rot2, INSTR _P rotn, and therefore the different sequences of instructions, have different execution durations so that the duration necessary for the implementation of the desynchronization E8 varies from one implementation to another of the method of FIG. 2.

According to a second possibility, each of the N instruction sequences includes instructions designed to perform a combination of a plurality of operations for verifying the operation of the electronic device 1 when these instructions are executed by the processor 2.

Each verification operation can in practice be of one of the types envisaged above.

As shown in FIG. 4, it is possible, for example, to provide a redirection table T 'associating, with each of the integer values between 1 and N, a plurality of addresses PROTi in which sets of instructions INSTR _P rotî are respectively stored allowing each the implementation of an operation verification operation of the electronic device 1 (when the set of instructions concerned is executed by the processor 2). Note that, as shown in FIG. 4, the number of addresses PROTi associated with the different integer values between 1 and N can be variable from one integer value to another.

Preferably, in order to ensure a good variation of the trace of the electrical consumption from one implementation to another, the verification operations (if they are common for several whole values) must be executed in different orders according to the integer value with which they are associated. In particular, the first verification operation and / or the last verification operation must be different for the different integer values that can be used (between 1 and N).

In the case described here, the desynchronization step E8 is thus for example implemented due to successive calls (due to the execution by the processor 2 of the INSTRapp instructions) of subroutines respectively stored at the different addresses PROTi associated with the random value A in the redirection table T '(each subroutine being formed of instructions INSTRprotî stored at the address PROTi concerned).

The duration of implementation of the desynchronization step E8 therefore corresponds in this case to the sum of the durations of execution of the different sets of instructions INSTRprotî rnis implemented in accordance with what is provided for the current random value A in the redirection table T '.

We can provide for example that the duration of implementation of the desynchronization step E8 associated with each possible value for the random value A (that is to say with each value between 1 and N) is included in a duration range among several duration ranges T1, T3, TM (as shown in FIG. 4). It is noted here that the duration ranges T1, T3, TM are not used by the processor 2 (but only for the clarity of the present description) and could therefore in practice not be included in the redirection table T ’.

As shown in FIG. 4, it can then be provided, for example, for the duration of implementation of the desynchronization step E8 to be in the same duration range (for example T3) for several possible values of the random value A (here for values 7, 8 and 9).

In this case, provision is preferably made to associate an identical number of possible values (between 1 and N) with each duration range T1, T3, TM so that, the value A being chosen randomly, all the duration ranges have a uniform probability of being used.

Note however that, as already indicated, the number of PROTi addresses associated with the various integer values between 1 and N can be variable from one integer value to another (even for integer values associated with the same duration range ).

According to a third possibility, the first and second possibilities which have just been described can be combined: part of the N sequences of instructions then comprises instructions designed to perform a combination of a plurality of operations verification operations and a other part of the N instruction sequences includes instructions designed to perform a (single) verification operation. This ensures good dispersion of the desynchronization times.

In any case, the duration of execution of the desynchronization step E8 will be variable according to the value A obtained in step E8 and will therefore be different each time the method of FIG. 2 is executed.

The processor 2 then performs in step E10 an operation for processing sensitive data, here a cryptographic processing applied to the received data (here at the message M), for example by implementing a cryptographic algorithm (possibly using the cryptographic key K) such as an encryption algorithm, a decryption algorithm, a signature algorithm or a signature verification algorithm. This cryptographic processing step E10 is carried out here due to the execution by the processor 2 of INSTRcrypto instructions stored in the non-volatile memory 6 as shown in FIG. 6.

Due to the variation in the duration of the desynchronization step E8 from one implementation of the method of FIG. 2 to the other, an attacker cannot predict when the cryptographic processing step E10 begins when of the current implementation of the method of FIG. 2 and therefore cannot create a malfunction which affects the cryptographic processing (attack by fault).

Optionally, the processor 2 can implement a security step E12 (here due to the execution of INSTRsecur instructions by Ιθ processor 2). This security step can include all or part of the operations for verifying the operation of the electronic device 1 mentioned above (for example by calling at least some of the addresses PROT1, PROT2, PROTN where the instructions INSTR _PRO ti, INSTR _PRO t2 are stored. , INSTR _PRO tn allowing the implementation of these verification operations).

During the security step E12, provision may be made to terminate the method of FIG. 2 (without implementing the emission step E14 described below) if one of the verification operations carried out detects a risk of attack. (i.e. for example in practice a fault in the integrity of a part of memory, an incorrect value of a variable stored in the electronic device, a fault in the functioning of a component or an unusual measurement supplied by a sensor).

In the absence of a fault at the safety step E12 (when such a step is carried out), the method of FIG. 2 ends with a step E14 at which the processor 2 controls the transmission of data (here of the result of the cryptographic processing of step E10) via the communication interface 8 (here due to the execution by the processor 2 of instructions INSTR _EM stored in the non-volatile memory 8).

FIG. 5 represents, in the form of a flow diagram, a second example of a method according to the invention.

This process begins at step E20 in which the processor 2 receives data to be processed, for example a message M to be processed.

The processor 2 then implements an initialization step E22. This initialization step E22 is of the same type as the step E4 described above with reference to FIG. 2, but here also comprises a sub-step of initialization (here of zeroing) of a set of variables (here binaries) INDi respectively associated with the operations for verifying the operation of the electronic device 1, as explained below.

The processor 2 then determines a value A by random drawing in step E24. This step is identical to step E6 described above with reference to FIG. 2.

The processor 2 then implements a desynchronization step E26 by executing a sequence of instructions selected as a function of the value A from a plurality of sequences of instructions having different durations of execution.

As in the case of FIG. 2, the sequence of instructions selected and executed in particular allows the implementation of at least one operation for verifying the operation of the electronic device 1. Reference may be made to the description given above in reference to FIGS. 2 to 4 (in particular with regard to step E8) for more details on the practical implementation of this step of desynchronization E26.

In the example described here, the desynchronization step E26 further comprises, for each verification operation implemented during this step E26, a substep for storing an indicator for performing the verification operation concerned, here by setting to the value 1 the binary variable INDi associated with the verification operation concerned.

As a variant, when a combination of verification operations is implemented during the desynchronization step, one could store an indicator of performance of this combination of verification operations.

According to yet another variant, it would be possible to memorize performance indicators (as proposed above) only for certain of the verification operations implemented during step E26.

The processor 2 then continues its operation in step E28 by implementing cryptographic processing, as described above with respect to step E10 with reference to FIG. 2. As already indicated, the invention s 'however applies to any type of data processing, not necessarily cryptographic.

As in the case of FIG. 2, the duration of implementation of the desynchronization step E26 varies from one implementation of the method of FIG. 5 to another so that an attacker will not be able to predict the precise moment of execution of the cryptographic processing step E28.

As described now, the method then continues with a security processing during which only the operations for verifying the operation of the electronic device 1 are implemented, which were not carried out during the desynchronization step E26.

To do this, the processor initializes an index i in step E30.

The processor 2 then determines in step E32 whether an indicator for carrying out the verification operation associated with the current index i is present. In the example described here, the processor 2 determines for this purpose if the variable INDi associated with the operation of checking current index i is equal to 1.

If so in step E32 (arrow P), the verification operation associated with the current index i has already been carried out during the desynchronization step E26 and the process continues in step E36 (described lower).

If not in step E32 (arrow N), that is to say in the absence of an indicator for carrying out the verification operation associated with the current index i, the processor 2 performs at step E34 the verification operation associated with the current index i, here by calling the subroutine stored at the address PROTi and containing the instructions INSTR _P rotî allowing the implementation of the verification operation concerned (when these INSTRprotî instructions are executed by processor 2).

The method then determines in step E36 whether the current index has scanned all the indices respectively associated with verification operations. For example, in the case where a verification operation is used for each possible value of the random value A as described above with reference to FIG. 3, the processor 2 determines in step E36 if the current index i is equal to the last possible index (equal to the predetermined number N).

If not in step E36 (arrow N), the processor 2 increments the current index i (step E38) and the process loops in step E32 already described.

If so in step E36 (arrow P), all of the verification operations have been carried out (either during the desynchronization step E26, or during the security processing in step E34) and the processor 2 proceeds, in the example described here, to the transmission of data (for example the result of the application of the cryptographic processing to the data received) via the communication interface 8 (step E40).

The operations for verifying the operation of the electronic device 1 may include, in addition to what has been indicated above, the implementation of certain security actions in the event of the detection of a malfunction. These security actions may include, for example, writing data indicative of the fault detected in a log file (or log file according to the commonly used Anglo-Saxon designation) and / or writing blocking data at a predetermined location of the non-volatile memory 6 (in order to prevent any new implementation of the cryptographic processing, as explained above with regard to step E4) and / or the (immediate) stop of the operation of the electronic device 1 (in particular without emission of data).

Note that FIG. 6 is represented in the case where as many sets of instructions INSTR _PRO ti, INTSTR _PRO t2, INSTR _PR otn are stored as there are possible values for the random value A (ie N sets d 'TRG _PR oti instructions INTSTR ot2 _{PR, PR} TRG otn and N possible values). In certain embodiments, such as that described above with reference to FIG. 4, the number of sets of instructions stored can be distinct from the number of possible values for the random value A (i.e. the number instruction sequences among which an instruction sequence is randomly selected to be executed).

Claims (10)

1. A method of processing data implemented in an electronic device (1) equipped with a processor (2), this method comprising a step (E4; E22) of execution of a first set of instructions (INSTRinit) by the processor (2) and a step (E10; E28) of execution of a second set of instructions (INSTR _C rypto) by the processor (2), characterized in that, between step (E4; E22 ) of execution of the first set of instructions (INSTRinit) and the step (E10; E28) of execution of the second set of instructions (INSTRcrypto), is executed a sequence of instructions randomly selected from among a plurality of sequences of instructions having different execution durations, and in that at least one of the instruction sequences of said plurality includes instructions designed to perform an operation verification operation of the electronic device (1) when these instructions are executed by the processor (2 ). 2. Method according to claim 1, comprising the following steps: - random determination (E6; E24) of a number (A); - launching of the execution of the sequence of instructions associated with the determined number (A) among the sequences of instructions of said plurality. 3. Method according to claim 1 or 2, wherein each sequence of instructions of the plurality performs a corresponding operation verification of the operation of the electronic device (1). 4. Method according to one of claims 1 to 3, wherein at least one plurality of instruction sequence performs a combination of operations to verify the operation of the electronic device (1). 5. Method according to one of claims 1 to 4, comprising the following steps: - during the execution of the randomly selected sequence of instructions, storage of a performance indicator (INDi) of at least one verification operation associated with the sequence of instructions concerned; - during a subsequent phase of the operation of the electronic device, implementation (E34) of said at least one verification operation only in the absence of said performance indicator. 6. Method according to one of claims 1 to 5, wherein the verification operation is an integrity verification operation of at least part of a memory (4; 6) of the electronic device (1). 7. Method according to one of claims 1 to 5, wherein the verification operation is a verification operation of a value of a variable stored in the electronic device (1). 8. Method according to one of claims 1 to 5, wherein the verification operation is a verification operation of a measurement provided by a sensor fitted to the electronic device (1). 9. Method according to one of claims 1 to 5, wherein the verification operation is a verification operation of receipt of a correct operating signal from a component of the electronic device (1) · 10. Electronic device comprising a processor (2) and a storage unit (6) of instructions executable by the processor (2), characterized in that said instructions are designed so that between a step (E4; E22) d execution of a first set of instructions (INSTRinit) and a step (E10; E28) of execution of a second set of instructions (INSTR _C ry _P to), is executed a sequence of instructions selected randomly from a plurality of instruction sequences having different execution durations, and in that at least one of the instruction sequences of said plurality includes instructions designed to perform an operation verification operation of the electronic device (1) when these instructions are executed by the processor (2).