
MXPA99006559A - Method for monitoring the execution of software programmes as prescribed - Google Patents

Method for monitoring the execution of software programmes as prescribed

Info

Publication number
MXPA99006559A
Authority
MX
Mexico
Prior art keywords
backward
data
security information
stored
address
Prior art date
Application number
MXPA/A/1999/006559A
Other languages
Spanish (es)
Inventor
Pfab Stefan
Baldischweiler Michael
Original Assignee
Siemens Ag 80333 Muenchen De
Abstract

The invention relates to a method in which the overwriting of return addresses stored for later use, and/or the use as return addresses of incorrectly stored or overwritten return addresses, is prevented. In particular, this makes it possible to exclude deliberate manipulation of the program flow of software programs as far as possible.

Description

METHOD FOR MONITORING THE EXECUTION OF SOFTWARE PROGRAMS AS PRESCRIBED

FIELD OF THE INVENTION

The present invention relates to a method according to the preamble of claim 1, that is, to a method for monitoring that software programs execute as prescribed.
BACKGROUND OF THE INVENTION

Ensuring that software programs execute as prescribed is a permanent objective, which is being approached more and more closely by the most diverse measures. Whereas hardware faults and unreliable programming were previously the main reasons for software not executing as intended, targeted manipulation of the program flow now plays an increasingly important role. By deliberately manipulating the program flow it is possible, for example, to skip certain parts of a program, and thereby to evade the checks that determine access authorization. This can become a serious problem in the case of chip cards, for example (though by no means exclusively), because on the one hand they are increasingly widespread in security-relevant areas (access control, payment, etc.), and on the other hand, since by their nature they cannot be kept under permanent supervision, they can easily become the object of manipulation attempts. Thanks to the large number of security measures already taken, the probability that a manipulation aimed at misuse succeeds is very small. Even so, it cannot be ruled out completely.
OBJECTIVES AND ADVANTAGES OF THE INVENTION

The present invention is therefore based on the objective of finding a method for monitoring the prescribed execution of software programs with which, in particular, targeted manipulations of the program flow can be excluded to a large extent. This object is achieved according to the invention by the features claimed in the characterizing part of claim 1. Accordingly, it is envisaged to prevent the overwriting of return addresses stored for later use and/or the use, as return addresses, of return addresses that were stored or overwritten erroneously. The practical realization of this method can be carried out in many different ways. In the simplest case, at a function call (or similar event) that requires a return address to be stored, not only the return address itself is stored but also additional security information, which makes it possible to recognize whether the stored return address is still needed and therefore must not be overwritten, and/or whether the stored return address is still the one that was originally stored. In the first case, that is, when implementing an overwrite protection for return addresses, the security information may consist, for example, of a write-protection identifier such as a write-protection bit or the like, which is set when a return address is stored and removed after the stored return address has been used as such. In the second case, that is, when implementing a use protection for return addresses, the security information may consist, for example, of the return address itself or of data that represent or otherwise characterize the return address.
The aforementioned security information is stored in a memory area to which access from outside is preferably not possible; the "normal" storage of the return addresses can continue to take place as before in the so-called stack (stack memory). If, before every write attempt on the stack, it is checked whether the area to be written is marked as write-protected by the write-protection bit, the overwriting of data that is still to be used as a return address can be prevented. If, alternatively or additionally, it is checked whether the data to be used as a return address agree with the return address originally stored, data that were modified (manipulated) after the return address was stored can be prevented from being used as such. In both cases, in order to thwart further manipulation attempts, the program running at that moment can be interrupted and/or the system executing the program re-initialized and/or an alarm triggered and/or security-relevant data erased and/or other protective measures taken.
In this way it can be guaranteed that manipulations of return addresses cannot cause a deviation from the normal program flow. Accordingly, a method has been found by which targeted manipulations of the program flow can be largely excluded. Advantageous embodiments of the invention are the subject of the sub-claims.
BRIEF DESCRIPTION OF THE DRAWINGS

In the following, the invention is explained in more detail with the help of exemplary embodiments, with reference to the drawing, in which: Figure 1 shows a schematic sectional representation of a system for implementing a use protection for return addresses; and Figure 2 shows a schematic representation illustrating an overwrite protection for return addresses and a modified use protection for return addresses.
DETAILED DESCRIPTION OF THE INVENTION

The system shown in section in Figure 1 is a system designed to execute software programs, and may be contained wholly or partly in a microprocessor, a microcontroller, a signal processor or the like. The section shown is the part of the system relevant to the handling of return addresses. Return addresses must be stored, for example, when the program to be executed contains a function call. In this case (for example, with the LCALL instruction of the Intel 8051 microcontroller):
- a jump is made to the place in program memory where the program of the function to be performed is stored,
- the function program in question is executed, and
- execution returns to the place in program memory from which the jump to the function program was made.
The address mentioned last, that is, the address at which program execution is to continue after the function program has run, is the return address referred to here. For the device executing the software program to know where to jump back to after the function has run, the return address must be stored temporarily. It should be mentioned at this point that function calls are not the only events that require a return address to be stored. To name just a few examples, a return address must also be stored in the case of interrupts or of task switches in multitasking operating systems. Return addresses are usually stored in a so-called stack, or stack memory. Such a stack is indicated in Figure 1 by reference 1. Stack 1 is controlled, or managed, by a stack logic 2. Among other things, this generates the so-called stack pointer, which points to the part of stack 1 that is to be written or read next.
Stacks themselves and working with them are general knowledge, so a more detailed description can be dispensed with here. Stack 1 can hold not only return addresses but also any other data (register contents, local variables, etc.). However, the present explanations refer almost exclusively to the handling of return addresses. If, for example, on an LCALL instruction, a return address is to be stored in stack 1, this is done by stack logic 2. Unlike in conventional systems, in the system considered here the address being stored in stack 1 is additionally stored as security information in another memory. This memory, referred to below as the security memory, is indicated in Figure 1 by reference 3. A security memory logic 4 is assigned to security memory 3, through which it is controlled or managed in the same way as stack 1 is by stack logic 2. Unlike stack 1, security memory 3 cannot be accessed from outside the system executing the software program. In other words, the data recorded there cannot be manipulated in a targeted manner, or at least not with reasonable effort. In contrast to stack logic 2, security memory logic 4 is activated in the present example only when a return address is to be written or read. Alternatively, however, it can of course also be provided that security memory logic 4 is activated on other events as well (except for write and read operations initiated from outside). When the program flow reaches a point at which a jump back to a previously stored return address must be made, that is, for example, on a RET instruction, the required return address can be recovered by reading stack 1.
However, before the data obtained are used as the return address, it is checked whether they are identical to the return address stored as security information in security memory 3. For this purpose a comparator 5 is provided, which receives the data to be compared from stack 1 and from security memory 3 and compares them. If this comparison in comparator 5 shows that the data are identical, this implies that the data obtained from stack 1 agree with the return address originally stored, that is, that they have neither been manipulated nor, as a result of a hardware and/or software error, been stored or read incorrectly or at or from the wrong place. The data stored in stack 1 can therefore be regarded and used as the proper return address. This conclusion is possible because, as mentioned above, a targeted alteration of the contents of security memory 3 is practically impossible. If, however, the comparison in comparator 5 shows that the data being compared are not identical, this implies with high probability that the data obtained from stack 1 were either manipulated or, as a result of a hardware and/or software error, stored or read incorrectly or at or from the wrong place. Regardless of the cause of the mismatch, the data stored in stack 1 must not be used as the return address, since this would result in a deviation of the program flow from its prescribed course. In this case comparator 5 generates an NMI signal, which is fed to an NMI logic 6. This causes an immediate interruption of the program and/or a re-initialization of the system executing the software program and/or triggers an alarm and/or erases security-relevant data.
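As an added illustration, not part of the patent text, the following C model shows the Figure 1 arrangement: stack 1, a shadow copy in security memory 3, and comparator 5 raising the NMI on a RET whose popped value no longer matches the copy. The names (fig1_lcall, stack1, secmem3, nmi6) and the return addresses are my own constructed choices.

```c
#include <stdbool.h>
#include <stdint.h>

#define STACK_DEPTH 16

/* Stack 1: the ordinary stack, reachable from outside the device and therefore manipulable. */
static uint16_t stack1[STACK_DEPTH];
/* Security memory 3: a shadow copy of each return address; not reachable from outside. */
static uint16_t secmem3[STACK_DEPTH];
static int sp1 = 0;            /* stack pointer generated by stack logic 2 */
static int sp3 = 0;            /* pointer maintained by security memory logic 4 */
static bool nmi6 = false;      /* NMI logic 6: set once comparator 5 reports a mismatch */

void fig1_reset(void) { sp1 = 0; sp3 = 0; nmi6 = false; }
bool fig1_nmi_pending(void) { return nmi6; }

/* LCALL: stack logic 2 stores the return address in stack 1, and security memory
   logic 4 stores the same value in security memory 3 as the security information. */
bool fig1_lcall(uint16_t return_address) {
    if (sp1 >= STACK_DEPTH) return false;
    stack1[sp1++] = return_address;
    secmem3[sp3++] = return_address;
    return true;
}

/* Any other write to stack 1 (local data, or a change made from outside the device).
   Security memory logic 4 is not activated by such writes. */
void fig1_write_stack(int index, uint16_t value) {
    if (index >= 0 && index < STACK_DEPTH) stack1[index] = value;
}

/* RET: the value read from stack 1 is used as the return address only if comparator 5
   finds it identical to the copy in security memory 3; otherwise NMI logic 6 fires.
   Returns the validated return address, or 0 when the return was refused. */
uint16_t fig1_ret(void) {
    if (sp1 == 0 || sp3 == 0) { nmi6 = true; return 0; }
    uint16_t from_stack = stack1[--sp1];
    uint16_t from_secmem = secmem3[--sp3];
    if (from_stack != from_secmem) {      /* comparator 5 */
        nmi6 = true;                      /* interrupt / re-initialise / alarm / erase */
        return 0;
    }
    return from_stack;
}

/* Scenario A: two nested calls that return normally. True if both return
   addresses came back intact and no NMI was raised. */
bool fig1_scenario_normal(void) {
    fig1_reset();
    fig1_lcall(0x1234);             /* constructed return address of the outer call */
    fig1_lcall(0x5678);             /* constructed return address of the inner call */
    bool ok = fig1_ret() == 0x5678 && fig1_ret() == 0x1234;
    return ok && !fig1_nmi_pending();
}

/* Scenario B: the stored return address on stack 1 is altered before RET
   (by an error or a manipulation). The shadow copy exposes the change. */
bool fig1_scenario_tampered(void) {
    fig1_reset();
    fig1_lcall(0x1234);
    fig1_write_stack(0, 0x0800);    /* constructed overwrite of the stored address */
    uint16_t target = fig1_ret();
    return target == 0 && fig1_nmi_pending();
}
```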
In the example in question, comparator 5 is activated by instructions which, like the RET instruction, result in data being read from stack 1 that is to be interpreted as the return address. The rest of the time the comparator is inactive. With the measures described, the software program can be made to execute only as long as no return address error is detected, whatever its origin. The example described with reference to Figure 1 can be regarded as a practical embodiment of a use protection for return addresses that is activated when needed. Although not described in more detail by way of examples, it is not strictly necessary for the security information assigned to the respective return addresses to be the return addresses themselves. Alternatively, only selected parts of the return address, or data representing or otherwise characterizing the return address, may be used as security information. Comparator 5 would then, of course, have to be replaced by a comparison device modified according to the circumstances. An alternative embodiment of the intended monitoring of the program flow is the overwrite protection for return addresses described with reference to Figure 2. Figure 2 shows, among other things, a memory 11, which can be divided into a first memory area in the form of a stack 11a and a second memory area in the form of a security memory 11b. Stack 11a corresponds to stack 1 shown in Figure 1. Security memory 11b roughly corresponds to security memory 3 shown in Figure 1; however, security memory 11b holds different security information than security memory 3. Like security memory 3, security memory 11b cannot be accessed from outside the device executing the software program to be monitored.
That is, in this variant of program flow monitoring too, the information stored in the security memory cannot be manipulated, or at least not with reasonable effort. The security information stored in security memory 11b consists of a write-protection bit, which is set to "1" if the content of the assigned stack area must not be overwritten, and to "0" if the content of the assigned stack area may be overwritten. If, for example, on an LCALL instruction, a return address is to be stored in stack 11a, this is done in the usual way. In addition, a "1" is entered in the area of the security memory assigned to the stack area in which the return address was entered, to mark that the corresponding stack area must not be overwritten. In the example in question, stack 11a is divided into zones of 8 bits each, and a write-protection bit stored in security memory 11b is assigned to each 8-bit zone. Assuming 16-bit addresses, two stack zones are needed to store a return address. In the representation of Figure 2, a return address is stored in stack 11a. It consists of a part covering the eight high-order bits (PCH) and a part covering the eight low-order bits (PCL). Both the stack zone containing the PCH and the stack zone containing the PCL are assigned "1" as security information, or as write-protection bit. The corresponding security information, or the corresponding write-protection bits, are reset to "0" once the data stored in the assigned stack zone have been used as the return address. Before every attempt to write data to the stack (or to overwrite data stored there), the security information (the assigned write-protection bit) assigned to the stack zone to be written is evaluated to determine whether writing to the stack is permitted at this place.
If the assigned security information, or the assigned write-protection bit, has the value "1", then writing to the stack at this place is not permitted; the write attempt is recognized as an attempted manipulation or as a hardware or software error. If, instead, the assigned security information, or the assigned write-protection bit, has the value "0", then writing to the stack at this place is permitted. The decision on whether writing to a particular stack zone is permitted is made by a write-protection checking circuit, which in the example in question is implemented by an AND gate 12. Its input signals are the write-protection bit assigned to the stack zone to be written and a Write_Stack signal indicating the intention to write, where Write_Stack takes the value "1" if there is an intention to write and the value "0" otherwise. The output signal Valid_Write of AND gate 12 then indicates whether the intended write to the stack zone in question is permitted (Valid_Write = "0") or not (Valid_Write = "1"). The output signal Valid_Write of AND gate 12, like the output signal NMI of comparator 5 in Figure 1, can be used to immediately interrupt the program and/or re-initialize the system executing the program and/or trigger an alarm and/or erase security-relevant data.
In addition to this overwrite protection for return addresses, a use protection for return addresses modified relative to the embodiment of Figure 1 can be integrated into the system according to Figure 2. This additional protection mechanism consists in checking the data read from stack 11a, before they are used as the return address, as to whether they represent a return address at all. This can be seen from the security information, or write-protection bits, assigned to the corresponding stack zones. Only if the security information, or write-protection bits, assigned to the stack zone to be read have the value "1" do the data stored in the corresponding stack zone represent a return address. The precondition for this is, of course, that the security information, or write-protection bits, are set to "1" exclusively for data written to stack 11a that represent return addresses, that is, for example, data written in connection with a CALL instruction or the like. This additional protection mechanism is implemented in the representation of Figure 2 by an AND gate 13. The input signals of AND gate 13 are the write-protection bit assigned to the stack zone to be read and a Read_Stack signal indicating the intended use of the data read, where Read_Stack takes the value "1" when the data are intended as a return address, for example on a RET instruction, and the value "0" when another use is intended. The output signal Valid_Read of AND gate 13 then indicates whether the use of the requested data as the return address is permitted (Valid_Read = "1") or not (Valid_Read = "0").
If, on a request for a return address, the use of the requested stack data as the return address is classified as not permitted by Valid_Read = "0", this can be interpreted as an attempted manipulation and taken as grounds for initiating suitable protective measures. These measures can in particular be an immediate interruption of the program and/or a re-initialization of the system executing the software program and/or triggering an alarm and/or erasing security-relevant data. According to the above description, the security information protected against external access consists of a write-protection bit. It goes without saying that instead an identifier consisting of any number of bits with any meaning can be used, by means of which not only return addresses but also any other data to be protected can be given special treatment to protect them against manipulation and errors. The security memory in which the various security information is stored is, as stated several times above, a memory that is not accessible from outside. Preferably it is housed in the device executing the software program to be monitored, that is, usually a microprocessor, a microcontroller or a signal processor itself; there it is particularly well protected against external access. Implementing a memory that is not accessible from outside within a microprocessor, a microcontroller or a signal processor (for example, in the form of a hidden stack or shadow stack) is relatively simple. It requires only a corresponding modification of the kernel software. Using one of the methods described above requires no other hardware or software modifications. In particular, the stack can continue to be used as before.
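As an added illustration, not part of the patent text, the following C model shows the Figure 2 arrangement: stack 11a in 8-bit zones, one write-protection bit per zone in security memory 11b, AND gate 12 (Valid_Write) refusing writes to protected zones, and AND gate 13 (Valid_Read) refusing a RET from zones whose bit is "0". The names (fig2_lcall, stack11a, wp11b) and the 16-bit return address split into PCH/PCL are my own constructed choices.

```c
#include <stdbool.h>
#include <stdint.h>

#define ZONES 16

/* Memory 11: stack 11a in 8-bit zones, and security memory 11b holding one
   write-protection bit per zone. 11b is not reachable from outside the device. */
static uint8_t stack11a[ZONES];
static uint8_t wp11b[ZONES];
static int sp = 0;
static bool nmi = false;

void fig2_reset(void) {
    for (int i = 0; i < ZONES; i++) { stack11a[i] = 0; wp11b[i] = 0; }
    sp = 0; nmi = false;
}
bool fig2_nmi_pending(void) { return nmi; }

/* AND gate 12: Valid_Write = wp_bit AND Write_Stack. "1" means the write is NOT permitted. */
int fig2_valid_write(int wp_bit, int write_stack) { return wp_bit & write_stack; }
/* AND gate 13: Valid_Read = wp_bit AND Read_Stack. "1" means the data may serve as return address. */
int fig2_valid_read(int wp_bit, int read_stack) { return wp_bit & read_stack; }

/* Every write to stack 11a passes gate 12 first (Write_Stack = 1). */
bool fig2_write(int zone, uint8_t value) {
    if (zone < 0 || zone >= ZONES) return false;
    if (fig2_valid_write(wp11b[zone], 1) == 1) { nmi = true; return false; }
    stack11a[zone] = value;
    return true;
}

/* A read for ordinary use (Read_Stack = 0): no protection decision is involved. */
uint8_t fig2_read(int zone) { return stack11a[zone]; }

/* LCALL with a 16-bit address: PCH and PCL each occupy one zone, and both
   zones have their protection bit set to "1" after the write. */
bool fig2_lcall(uint16_t return_address) {
    if (sp + 2 > ZONES) return false;
    if (!fig2_write(sp, (uint8_t)(return_address >> 8))) return false;
    wp11b[sp++] = 1;                                    /* PCH zone protected */
    if (!fig2_write(sp, (uint8_t)(return_address & 0xFF))) return false;
    wp11b[sp++] = 1;                                    /* PCL zone protected */
    return true;
}

/* Push ordinary data (local variable, register content) onto the stack. */
bool fig2_push(uint8_t value) {
    if (sp >= ZONES || !fig2_write(sp, value)) return false;
    sp++;
    return true;
}

/* Pop ordinary data: Read_Stack = 0, no gate-13 decision, no bit cleared. */
uint8_t fig2_pop(void) {
    if (sp == 0) return 0;
    return fig2_read(--sp);
}

/* RET: each zone read with Read_Stack = 1 must pass gate 13 (bit == "1"), otherwise
   the data do not represent a return address and the NMI is raised. After use the
   protection bits are reset to "0". Returns the address, or 0 when refused. */
uint16_t fig2_ret(void) {
    if (sp < 2) { nmi = true; return 0; }
    int lo = sp - 1, hi = sp - 2;                       /* PCL on top, PCH below it */
    if (fig2_valid_read(wp11b[lo], 1) != 1 || fig2_valid_read(wp11b[hi], 1) != 1) {
        nmi = true;
        return 0;
    }
    uint16_t address = (uint16_t)((stack11a[hi] << 8) | stack11a[lo]);
    wp11b[lo] = 0; wp11b[hi] = 0;
    sp -= 2;
    return address;
}
```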
Accordingly, a method has been found for monitoring the prescribed execution of software programs by means of which, in a simple manner and without modifications to the software, targeted manipulations of the program flow in particular, but in part also hardware and software errors, can be largely excluded.

Claims (10)

NOVELTY OF THE INVENTION

Having described the above invention, it is considered a novelty, and therefore the content of the following is claimed as property:

CLAIMS
1. A method for monitoring the prescribed execution of software programs, in which the overwriting of return addresses stored for later use and/or the use as return addresses of erroneously stored or overwritten return addresses is prevented, characterized in that the overwrite protection of the return addresses and the use protection thereof are carried out by evaluating security information which is generated when the return addresses are stored and is stored in a security memory, and in that a memory is used as the security memory which cannot be accessed directly from outside the system executing the software program to be monitored.
2. A method according to claim 1, characterized in that a memory arranged in the microprocessor, microcontroller or signal processor executing the software program is used as the security memory.
3. A method according to claim 1 or 2, characterized in that the return address itself, or data representing or characterizing it, is used as security information.
4. A method according to claim 3, characterized in that the stored data, before being used as the return address, are compared with the assigned security information, and use of the data as the return address is permitted only if the security information is found to represent or characterize the stored data.
5. A method according to claim 3 or 4, characterized in that when, on a request for data representing a return address, it is found that the security information does not represent or characterize the data obtained by the request, the program is immediately interrupted and/or the system executing the software program is re-initialized and/or an alarm is triggered and/or security-relevant data are erased.
6. A method according to claim 1 or 2, characterized in that a write-protection flag indicating write protection is stored as security information.
7. A method according to claim 6, characterized in that the overwriting of memory areas for which the write-protection flags signal write protection is prevented.
8. A method according to claim 6 or 7, characterized in that when, on an attempt to overwrite a memory area, it is found that the assigned security information signals write protection, the program is immediately interrupted and/or the system executing the software program is re-initialized and/or an alarm is triggered and/or security-relevant data are erased.
9. A method according to any of claims 6 to 8, characterized in that before stored data are used as the return address, the assigned security information is evaluated, and use of the data as the return address is permitted only if the security information is found to signal write protection.
10. A method according to claim 9, characterized in that when, on a request for data representing a return address, it is found that the assigned security information does not signal write protection, the program is immediately interrupted and/or the system executing the software program is re-initialized and/or an alarm is triggered and/or security-relevant data are erased.
MXPA/A/1999/006559A 1997-01-15 1999-07-14 Method for monitoring the execution of software programmes as prescribed MXPA99006559A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
DE19701166.7 1997-01-15

Publications (1)

Publication Number Publication Date
MXPA99006559A true MXPA99006559A (en) 2000-04-24
