WO2002027500A1 - Protection contre l'exploitation abusive d'une instruction dans une memoire - Google Patents
Protection contre l'exploitation abusive d'une instruction dans une memoire Download PDFInfo
- Publication number
- WO2002027500A1 WO2002027500A1 PCT/FR2001/002982 FR0102982W WO0227500A1 WO 2002027500 A1 WO2002027500 A1 WO 2002027500A1 FR 0102982 W FR0102982 W FR 0102982W WO 0227500 A1 WO0227500 A1 WO 0227500A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- instruction
- adr
- condition
- adrm
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/1425—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
Definitions
- the present invention relates generally to the protection against abuse, that is to say unauthorized, of a sensitive instruction recorded in a memory. More particularly, it relates to protection against writing, reading or modification of secret data in the ROM read-only memory of a microcontroller, for example installed in a smart card, also known as a microcontroller card, or any other portable electronic object.
- a smart card may contain data or sensitive programs whose knowledge led him to discover the industrial know-how 'and manufacturer technical or programming tools such as API (Application Programming Interface).
- API Application Programming Interface
- a smart card refers to a security matrix according to which any read access, particularly to data in the ROM memory. is prohibited by instructions which are located in the non-volatile EEPROM memory or the RAM memory of the card microcontroller, or in any other RAM memory to which the microcontroller is connected, for example an external RAM memory to the card and included in the card reception terminal. Under these conditions, the reading of data in the ROM memory is apparently only possible by means of instructions written in the ROM memory itself.
- FIG. 1 5 shows an example of partial contents of the EEPROM memory and of the ROM memory in a microcontroller according to the prior art containing a microprocessor 80C51 from INTEL (registered trademark).
- CB code Code Byte
- CPU central processing unit
- a return instruction RET is positioned at the address Adr (m + 1) in the ROM memory and thus immediately follows the movement instruction MOVC.
- the pointer DPTR has received the value p following the execution of a first part of the program (not shown) written in the memories, in particular at addresses in the ROM memory preceding Adrm address. '
- 35 MOVC operational instruction at Adrm is executed to read and transfer to the accumulator A the data CB which is used during a second part of the program following the return instruction RET.
- the COM sequence consists of three successive instructions.
- the first instruction [CLR A] sets the contents of accumulator A to zero.
- the second instruction [MOV DPTR, n] sets the DPTR data pointer to the value n corresponding to the address Adrn.
- the third instruction [CALL m] invokes a procedure call to directly execute the MOVC instruction at the address Adrm in the ROM memory.
- the present invention aims to inhibit this type of threat without prohibiting the writing of "dangerous" instructions in the ROM memory, in order to avoid abuse of the result of such a dangerous investigation.
- a method for protecting an operational instruction included in a sequence of instructions written in a memory means against an execution command from a control means to access the result of the operational instruction executed, in response to a end of sequence instruction is characterized in that the sequence comprises a test immediately executed following the operational instruction on a condition linked to at least one operand of said operational instruction, a transfer of the result of the operational instruction executed from the memory means to the control means when the condition is satisfied, and a non-execution of the end of sequence instruction when the condition is satisfied.
- the test comprises a calculation, such as difference, depending on the operand and on a predetermined value, the condition being a comparison of the result of the calculation with at least a predetermined threshold, such as the zero value.
- the result of the operational instruction is then transferred to the control means when the result of the calculation is included in a first interval having the threshold as one of lower and upper limits, and the end instruction is not executed when the calculation result is included in a second interval having the threshold like the other of the lower and upper limits of this second interval.
- the operational instruction can be a reading, a writing or a modification of a data item in the memory means, and the operand can be a data address pointer.
- the non-execution of the end instruction may result from a jump from an instruction to itself executed following the dissatisfaction with the condition, or else conventionally an error message or a rejection of a card.
- the operational instruction is a transaction
- the test condition is an authorization of the transaction.
- the operational instruction is the modification of a balance following a reading thereof in the control means, the condition is applied to the balance or a balance increment, and the transfer comprises a writing of the modified balance. from the memory means in the control means.
- the invention also relates to a portable electronic object comprising a microcontroller whose non-rewritable memory on the one hand and the programmable non-volatile memory and / or the random access memory on the other hand are included respectively in the memory means and the means control for the implementation of the method according to the invention.
- at least one of the operational instructions written in the non-rewritable memory for reading, writing or modifying data in the non-volatile memory and / or the random access memory is immediately followed by a test written in the non-volatile memory.
- rewritable, on a condition linked to at least one operand of said operational instruction in order to invalidate the object when the condition is not satisfied.
- FIG. 1 shows an attack written in an EEPROM memory, of a sequence written in a ROM memory illustrating the prior art already commented on;
- - Figure 2 is a block diagram of a smart card in which the attacked sequence written in ROM memory is modified according to the method of. protection of the invention for a first embodiment;
- - Figure 3 shows the instructions of a "dangerous" sequence written in ROM memory according to a second known embodiment;
- a microcontroller in particular of a chip card CP, or of any other portable electronic object, contains a processing unit CPU constituted in practice by a microprocessor of the aforementioned type 80C51.
- the CPU unit includes in particular an arithmetic and logic unit UAL with in particular an accumulator A, an instruction address counter CP and a current instruction register RI.
- the microcontroller also conventionally comprises a non-rewritable memory ME of the ROM type, a memory MC of the non-volatile type programmable EEPROM, and a memory MA of the random access type RAM for exchanging data. data with the outside world to the microcontroller, such as a reception terminal of the smart card CP.
- the memories interact with the processor CPU during the course of a program or application written at least partly in ROM memory and partly in EEPROM memory, by means of requests and responses, containing "results" of instructions executed, to through a BU bus.
- the COM execution command sequence with three instructions written by an attacker in the EEPROM MC memory which, according to the invention, constitutes a control means which is capable of accessing the result of a "dangerous" Operational instruction called in the ME memory.
- the three instructions thus relate to erasing the contents of accumulator A, to setting the memory pointer DPTR to the value n of the address Adrn targeting the secret datum DS in the memory ME, and to the call of the instruction deemed "dangerous" written in box m at the address Adrm of the ROM memory.
- the instruction sequence SQ in the memory ME has been completed so that the execution of the instruction END RET of the sequence SEQ to again execute instructions in the memory MC is conditioned by a test on a condition applied to an operand of the previous dangerous instruction pointed to the address Adrm.
- This additional sequence essentially includes the following two instructions: SUBB DPTR, # M JC $ written in the memory ME at the successive addresses Adr (m + 1) and Adr (m + 2) immediately after the "dangerous" instruction [MOVC A, @ A + DPTR] and before the RET instruction now written to the address Adr (m + 3).
- the first additional instruction SUBB subtracts the value M of the highest address AdrM from the memory ME, from the last value of the pointer DPTR, in this case that normally used. to point the data CB read in the memory MC during the execution of the previous operational instruction MOVC.
- the difference DPTR- M is positive.
- the JP instruction skips the sequence of the SUBB instruction with address Adr (m + 1) at the end instruction RET address Adr (m + 3) so as to continue the current program.
- the additional instructions in the address boxes Adr (m + 1) and Adr (m + 2) are replaced by a comparison of the pointer DPTR with two values MIN and MAX of the two addresses of the memory ME designating boxes between which a memory space contains confidential data to be protected. Any pointer value between MIN and MAX, attempted by an attacker, leads to JC infinite looping.
- the chip card CP covers all known types of chip sensor, also called microcontroller cards, such as contact or contactless cards set out below by way of nonlimiting example: credit cards, payment cards, prepaid cards, phone cards, SIM cards, "additional" cards, central purchasing cards, game cards, etc. More generally, the invention relates not only to smart cards but also to other portable electronic objects designated either by electronic data processing means, such as electronic assistants or organizers, electronic purses, tokens, calculators, etc.
- electronic data processing means such as electronic assistants or organizers, electronic purses, tokens, calculators, etc.
- the ROM and EEPROM memories are included in a smart card serving as an electronic purse for this second embodiment.
- the test checks that the wallet is in a normal or abnormal operating context.
- the condition may be a superiority of the balance of the bank account of the owner of the electronic purse at the ⁇ SO increment, or else may be an inferiority of the ⁇ SO increment at an upper limit, and / or an inferiority of the . sum of such increments for a predetermined period at a maximum authorized credit.
- the verification of the condition can be preceded by an identification of the user and / or an authentication of the electronic purse through a dialogue with the reception terminal of a merchant's point of sale, and / or a bank server. .
- the attacker can thus increment the balance with the increment of his choice, despite the satisfaction of the condition from the Adr test (m- 2) in a previous step, and recover the credit wallet credited after the Return instruction.
- the attacker can write a sequence in the EEPROM MC memory which repeats the sequence of instructions Adr (ml) to Adr (m + 2) as many times as the attacker wishes.
- the invention protects this sequence by introducing into the memory MEa the test for crediting.
- conditional instruction Adr (m + 1) If the conditional instruction Adr (m + 1) is not satisfied, the following instructions at the addresses Adr (m + 2) and Adr (m + 3) are not executed. No incremented balance is written to the EEPROM MC memory, and the sequence is connected to the emission of an error message or the like to invalidate the holder. electronic money and possibly eject it from the reception terminal.
- control means within the meaning of the invention may include not only the EEPROM MC, but also the access memory random RAM MA of the microcontroller.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2001292002A AU2001292002A1 (en) | 2000-09-27 | 2001-09-26 | Protection against abusive use of a statement in a storage unit |
EP01972216A EP1325418A1 (fr) | 2000-09-27 | 2001-09-26 | Protection contre l'exploitation abusive d'une instruction dans une memoire |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR00/12487 | 2000-09-27 | ||
FR0012487A FR2814557B1 (fr) | 2000-09-27 | 2000-09-27 | Protection contre l'exploitation abusive d'une instruction dans une memoire |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2002027500A1 true WO2002027500A1 (fr) | 2002-04-04 |
Family
ID=8854861
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2001/002982 WO2002027500A1 (fr) | 2000-09-27 | 2001-09-26 | Protection contre l'exploitation abusive d'une instruction dans une memoire |
Country Status (6)
Country | Link |
---|---|
US (1) | US20020174309A1 (fr) |
EP (1) | EP1325418A1 (fr) |
CN (1) | CN1392980A (fr) |
AU (1) | AU2001292002A1 (fr) |
FR (1) | FR2814557B1 (fr) |
WO (1) | WO2002027500A1 (fr) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2790844B1 (fr) * | 1999-03-09 | 2001-05-25 | Gemplus Card Int | Procede et dispositif de surveillance du deroulement d'un programme, dispositif programme permettant la surveillance de son programme |
US20040177259A1 (en) * | 2003-03-05 | 2004-09-09 | Volk Steven B. | Content protection system for optical data storage disc |
US8417916B2 (en) * | 2008-01-11 | 2013-04-09 | International Business Machines Corporation | Perform frame management function instruction for setting storage keys and clearing blocks of main storage |
JP5521455B2 (ja) * | 2009-09-15 | 2014-06-11 | セイコーエプソン株式会社 | 記録装置、記録装置の制御方法、及び、プログラム |
KR102316279B1 (ko) * | 2015-10-19 | 2021-10-22 | 삼성전자주식회사 | 비휘발성 메모리 장치 및 이를 포함하는 에스에스디 |
CN107016277B (zh) * | 2017-04-11 | 2018-08-28 | 北京深思数盾科技股份有限公司 | 信息处理方法和信息安全设备 |
CN110569205A (zh) * | 2018-06-06 | 2019-12-13 | 旭景科技股份有限公司 | 安全系统单芯片及其操作方法 |
CN110598405B (zh) * | 2018-06-12 | 2022-05-31 | 杨力祥 | 一种运行时访问控制方法及计算装置 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4625276A (en) * | 1983-08-31 | 1986-11-25 | Vericard Corporation | Data logging and transfer system using portable and resident units |
EP0623879A1 (fr) * | 1993-05-06 | 1994-11-09 | Schlumberger Industries | Microprocesseur avec mémoire sécurisée |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3520102B2 (ja) * | 1993-12-28 | 2004-04-19 | 株式会社東芝 | マイクロコンピュータ |
US6484946B2 (en) * | 1997-12-22 | 2002-11-26 | Hitachi, Ltd. | IC card information display device and IC card for use therewith |
-
2000
- 2000-09-27 FR FR0012487A patent/FR2814557B1/fr not_active Expired - Fee Related
-
2001
- 2001-09-26 CN CN01802933A patent/CN1392980A/zh active Pending
- 2001-09-26 EP EP01972216A patent/EP1325418A1/fr not_active Withdrawn
- 2001-09-26 US US10/130,943 patent/US20020174309A1/en not_active Abandoned
- 2001-09-26 AU AU2001292002A patent/AU2001292002A1/en not_active Abandoned
- 2001-09-26 WO PCT/FR2001/002982 patent/WO2002027500A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4625276A (en) * | 1983-08-31 | 1986-11-25 | Vericard Corporation | Data logging and transfer system using portable and resident units |
EP0623879A1 (fr) * | 1993-05-06 | 1994-11-09 | Schlumberger Industries | Microprocesseur avec mémoire sécurisée |
Also Published As
Publication number | Publication date |
---|---|
US20020174309A1 (en) | 2002-11-21 |
EP1325418A1 (fr) | 2003-07-09 |
CN1392980A (zh) | 2003-01-22 |
FR2814557A1 (fr) | 2002-03-29 |
AU2001292002A1 (en) | 2002-04-08 |
FR2814557B1 (fr) | 2002-12-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1389759B1 (fr) | Mise en antémémoire de données d'une carte à puce | |
EP1062633B1 (fr) | Dispositifs pour masquer les operations effectuees dans une carte a microprocesseur | |
US7392404B2 (en) | Enhancing data integrity and security in a processor-based system | |
EP1605333B1 (fr) | Contrôle de l'exécution d'un programme | |
JP2001500999A (ja) | 複数データ使用可能記憶隔室を複数個備えたスマートカード読取り器 | |
FR2681165A1 (fr) | Procede de transmission d'information confidentielle entre deux cartes a puces. | |
FR2713803A1 (fr) | Carte à mémoire et procédé de fonctionnement. | |
FR2666671A1 (fr) | Procede de gestion d'un programme d'application charge dans un support a microcircuit. | |
EP0785514A1 (fr) | Procédé de mise en oeuvre d'un programme sécurisé dans une carte à microprocesseur et carte à microprocesseur comportant un programme sécurisé | |
EP1240570A2 (fr) | Controle d'acces pour des applications cooperantes dans une carte a puce | |
FR2686171A1 (fr) | Carte a memoire de masse pour microordinateur avec facilites d'execution de programmes internes. | |
EP2565810A1 (fr) | Microprocesseur protégé contre le vidage de mémoire | |
WO2002027500A1 (fr) | Protection contre l'exploitation abusive d'une instruction dans une memoire | |
FR2642544A1 (fr) | Systeme de traitement de donnees a programme de securite | |
EP3198540B1 (fr) | Procédé d'auto-détection d'une tentative de piratage d'une carte électronique de paiement, carte, terminal et programme correspondants | |
EP2252958A2 (fr) | Procede de securisation d'une execution d'un programme | |
EP1507185A1 (fr) | Méthode et dispositif de protection contre l'accès non-autorisé à une routine sensible | |
EP2091028B1 (fr) | Procédé de détection de cartes à microprocesseur non authentiques, carte à microprocesseur, terminal lecteur de carte et programmes correspondants | |
EP1155389B1 (fr) | Dispositif d'acces securise a des applications d'une carte a puce | |
EP1713023B1 (fr) | Protection de données contenues dans un circuit intégré | |
EP3203405B1 (fr) | Procede d'execution d'instructions d'applications orientees objet par un interpreteur | |
EP3317832B1 (fr) | Procede de controle mis en oeuvre par un dispositif electronique au cours d'une transaction, et dispositif correspondant | |
EP1129430B2 (fr) | Procede et dispositif de controle du cycle de vie d'un objet portatif, notamment d'une carte a puce | |
EP2812864B1 (fr) | Système de paiement, terminal de paiement de ce système, et procédé de paiement associé | |
EP2280380A1 (fr) | Procédé de personnalisation d'une entité électronique, et entité électronique mettant en oeuvre ce procédé |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2001972216 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 10130943 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 018029337 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWP | Wipo information: published in national office |
Ref document number: 2001972216 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
NENP | Non-entry into the national phase |
Ref country code: JP |