Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/28—Error detection; Error correction; Monitoring by checking the correct order of processing
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/60—Protecting data
  • G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/82—Protecting input, output or interconnection devices
  • G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
  • G06F2221/033—Test or assess software
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2101—Auditing as a secondary aspect
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F2221/2151—Time stamp
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/44—Arrangements for executing specific programs
  • G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
  • G06F9/4482—Procedural
  • G06F9/4484—Executing subprograms

Definitions

• the present invention relates to a method for securing the program flow according to claim 1.
• secret data can also be accessed by deliberately interrupting the program sequence, so that errors occur in the encryption routines, from which the secret data can be deduced after repeated deliberate interruptions.
• a method for checking the memory cell contents of a program memory in a computer is known from German Patent DE 3709524 C2.
• Several checksums are stored there, which are formed from memory cell contents from different address and data storage areas. The checksums are determined at the beginning and / or during computer operation and compared with the stored checksum. If a deviation is found, an error signal is issued.
• the method known from DE 3709524 C2 is mainly suitable for checking the correctness of data used in a program. It is ignored that also or in particular manipulation of the program sequence can occur especially when program calls are made, ie when executing sub or function programs.
• this object is achieved in that the called program carries out a data check which determines the safe transition of the data to be handed over by the calling program.
• the invention provides additional security, which not only ensures that individual program parts are executed safely and completely, but that the entire program flow can run undisturbed and free of manipulation.
• a check sum is first formed by the calling program, which is stored in a memory area provided for this purpose. After the parameters have been transferred, a check sum is also generated by the program called for the parameters received. In the event that the checksums formed by the calling and called program are different, the program is terminated.
• the memory area which is provided for storing the checksum is preferably created in a RAM or register area.
• a further or alternative embodiment for the formation of the checksum via the parameters to be transferred results from the check of the return addresses.
• the return addresses of the calling functions are entered in a table and the called program can use this table to check whether the return address transmitted by the calling program is present in the table.
• the program can be interrupted if the return address is incorrectly communicated.
• a further alternative or additional security check can be carried out by starting a timer when a subroutine or a function program is called. This timer counts the clock cycles which are necessary for the execution of the program. First, the number of clock cycles required for the regular subroutine sequence is specified as the limit value for the timer. The program is terminated if the number of specified clock cycles has been exceeded before the subroutine has ended.
• the timer value is also read out at certain, predetermined locations in the subroutine and is likewise predetermined Intermediate values compared. In this case too, the program is terminated if the specified intermediate value has been exceeded.
• Figure 1 Sequence diagram for the check by means of a checksum
• Figure 2 Sequence for checking using the return address table
• Figure 3 Sequence for checking using the timer.
• FIG. 1 The sequence of a subroutine call, in particular a function call, is described in FIG. 1, the functional steps 1 to 3 relating to the program to be called and the functional steps 4 to 8 relating to the evaluation of the subroutine.
• step 2 the parameters necessary for the execution of the subroutine are first provided in step 1.
• step 2 a checksum is formed for these parameters, which in the simple case can consist of a parity check.
• CRC Cyclical Redundancy Check
• EDC Electronic Datagram Protocol
• the checksum (checksum) determined in this way is written into a memory area provided for this purpose.
• This memory area can be volatile memory (RAM) or non-volatile, rewritable memory (e.g. EEPROM).
• Step 4 represents the start of the execution. of the subroutine.
• checksum 2 is first formed using the parameters passed. This checksum is formed using the same method with which checksum 1 was determined in the calling program.
• step 6 the checksums PS1 and PS2 are checked for equality. If it is determined in step 6 that the two checksums are not the same, it can be assumed that an error has occurred during the transfer of the program parameters, which can be an indication of an intended fault with the aim of determining secret data. As a measure, the program can be ended in step 7 or corresponding alternative measures are taken, for example an error message to the main program.
• step 6 If it is determined in step 6 that the checksums PS1 and PS2 are the same, the actual function execution is started.
• FIG. 2 shows a possibility of saving the program by checking the return addresses.
• Return addresses are placed on the stack by hardware when the function is called.
• the information from the calling program eg return addresses
• the return addresses are managed in a table 17 and when the subroutine is executed, the return addresses - insofar as they are stored in the RAM - are first checked for consistency in step 12, in order to check them in step 13 using table 17. If it was determined in step 14 that the returned return address is not present in the table, then step 15 the program ends, otherwise the function program is started in step 16.
• FIG. 3 shows an embodiment in which the correct program sequence or the undisturbed program sequence is checked using a timer.
• a timer is started in step 22. This timer is designed to measure the time or to count the act cycles that are required for the execution of the subroutine.
• the function of the subroutine is carried out with step 23 and after the function has ended, the timer is stopped in step 24.
• step 25 it is checked whether the number of clock cycles that were required for the execution of the function program corresponds to the predetermined number of clock cycles. In the event that there is no match, the program is ended with step 26. In the other case, the program execution is continued in step 27, for example by jumping back to the main program.
• FIG. 3 shows that the timer is stopped and checked after the function or the function program has ended.
• safety can be increased by providing certain points in the function program where the timer is also checked. This can be used to prevent the function program from being largely executed despite an error or attack.
• the timer value is continuously compared with a limit value after the start and the program is terminated if this limit value has been reached or exceeded.
• the individual exemplary embodiments according to FIGS. 1 to 3 were shown as independent, alternative measures. Security can be increased by combining the exemplary embodiments. The greatest security is provided by the parallel check using a checksum, return address check and timer check.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Software Systems (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Physics & Mathematics (AREA)
• Computer Hardware Design (AREA)
• Health & Medical Sciences (AREA)
• Bioethics (AREA)
• General Health & Medical Sciences (AREA)
• Quality & Reliability (AREA)
• Detection And Correction Of Errors (AREA)
• Storage Device Security (AREA)
• Debugging And Monitoring (AREA)

Priority Applications (4)

Applications Claiming Priority (2)

Publications (1)

Family

ID=7922630

Family Applications (1)

Country Status (8)

Cited By (2)

Families Citing this family (24)

Citations (5)

Family Cites Families (11)

• 1999
  • 1999-09-20 DE DE19944991A patent/DE19944991B4/de not_active Expired - Lifetime
• 2000
  • 2000-09-18 AU AU72884/00A patent/AU7288400A/en not_active Abandoned
  • 2000-09-18 JP JP2001525524A patent/JP4732651B2/ja not_active Expired - Fee Related
  • 2000-09-18 US US10/070,444 patent/US6934887B1/en not_active Expired - Lifetime
  • 2000-09-18 WO PCT/EP2000/009131 patent/WO2001022223A1/de not_active Ceased
  • 2000-09-18 CN CNB008131139A patent/CN1144126C/zh not_active Expired - Fee Related
  • 2000-09-18 RU RU2002109465/09A patent/RU2254608C2/ru not_active IP Right Cessation
  • 2000-09-18 EP EP00960677.3A patent/EP1224546B1/de not_active Expired - Lifetime

Patent Citations (5)

Also Published As

Similar Documents

Legal Events