DE102009005764A1 - Method for monitoring execution of program in e.g. chip card, involves determining whether addressed programs or addresses are assigned to subprogram or destination address, and executing subprogram when assignment is correct - Google Patents

Abstract

The method involves creating a table in a memory (14), and storing addresses of addressed programs or identifiers of the programs or identifiers of the addresses in the table. The programs or the addresses are assigned to an addressable subprogram or an addressable destination address. A determination is made to find whether the addressed programs or the addresses are assigned to the subprogram or the destination address before skipping into the subprogram. The subprogram is executed when the assignment is correct, and error handler is called when the assignment is incorrect. An independent claim is also included for a processor for executing a method for monitoring execution of a program.

Description

The The invention relates to a method for monitoring the intended use Execution of a program by a processor running on accesses a memory. The invention further relates to a Processor as well as a portable data carrier. Special is the invention is intended for applications where aspects the safety and correctness of the programs executed and the reliability of the program execution have special meaning.

typically, For example, a program running on a processor includes several functions, which are called by a main program. The functions or Subroutines are programmed with specific program commands, eg. Eg CALL, ECALL, etc., called. Techniques for executing subroutines are Well known in a variety of configurations. In the execution A subroutine call command CALL will be the current one, among other things Status of the program counter stored in a stack. The program execution is then at a in the subroutine call command continued address. Once in the course of subroutine execution the first subroutine return instruction, e.g. B. RET recognized becomes, the program counter with the youngest Loading an entry in the stack. This entry is from the stack removed by changing the stack pointer accordingly, for example, is decremented. The effect of the subroutine return command is thus that the program execution in the calling program continues with the instruction that is the subroutine call instruction follows.

Becomes the course of the program, z. B. by a light attack, disturbed, so it can happen that a subroutine call is generated, not on the correct starting address of the called subroutine lands. Alternatively it is possible that calls are generated which in themselves are not within the correct program flow allowed are.

From the DE 102 52 347 A1 a method is known in which during the program execution at least a plausibility check is made with regard to the assignment of a subroutine return instruction to be executed to a call command provided by the programmer. For this purpose, not only the return destination address, but also a return instruction address is stored in a stack memory when a subroutine is called. From the return instruction address, by evaluating a predetermined relationship, it can be deduced at which point, according to the intention of the programmer, the subroutine return instruction associated with the currently executed subroutine call instruction is to be expected if the program execution is correct. Both mentioned addresses are stored in the stack. Upon execution of each subroutine return instruction, it is checked whether the memory address of this instruction is in the predetermined relation to the return instruction address located in the stack. This has the disadvantage that there is no check as to whether the execution of a subprogram is permissible at all.

From the WO 98/32072 A1 a method for monitoring the intended execution of software programs is known in which the overwriting of stored for later use return addresses and / or the use of incorrectly stored or overwritten return addresses are prevented as a return address. However, the method described in this publication does not provide sufficient protection for a faulty or unauthorized subroutine call.

Finally, out of the EP 1 507 185 A1 a method is known, according to which in a callable subroutine a reference to the calling program is included, so that a check is feasible, whether the call of the subroutine takes place in a permitted manner. At the beginning of a subroutine, several commands with permitted jump sources can be provided one after the other in order to enable entry into the subroutine of various points of the main program. A disadvantage of the presented in this document solution, however, is the static assignment of jump sources to called subroutines.

It It is therefore an object of the present invention to provide a method for monitoring the intended execution of a Specify a program that allows a review, whether calling a subprogram is correct and reliable he follows. It is a further object of the present invention to provide a Processor for carrying out the invention Method as well as a portable data carrier with a specify processor according to the invention.

These objects are achieved by a method having the features of claim 1, a Processor with the features of claim 12 and a portable data carrier with the features of claim 13.

The Invention provides a method for monitoring the intended Execution of a program by a processor running on accesses a memory. In the method is in the memory a Table provided or is created there, in which table one callable subprogram or an addressable destination address Identifiers of a calling program or a calling one Address to be stored. Before jumping to the subroutine is checked by means of the table whether the calling program or the calling address in the table to the subroutine or the callable destination address is assigned. If the assignment is correct is, the subroutine is executed. If the assignment does not exist, an error handler is called.

The inventive method allows a correct program sequence with regard to calling subroutines. The program sequence is determined by the invention Proceed constantly for correctness in case of jumps in subprograms or subprograms back in Calling program checked. In particular a so-called flash of jumps or skipping subprograms are no longer possible. This will Improved the safety of the program. So, for example No unintentional program started by a light attack or there can be no illegal sections be executed. The assignment of identifiers or Addresses of a calling program to a callable subroutine or a callable destination address in a table a great flexibility in the creation of the program. In addition, the program flow can be perform with a high efficiency.

In An embodiment of the invention is the subroutine in the table or the callable destination address as verifiable Table name saved or saved there.

Further is according to another embodiment of the prior the program counter or a checksum of a program code of the calling program is stored in the table or is in this saved. Instead of using addresses of a program counter can also checksums for review the correct program sequence are used. These checksums For example, you can use code ranges (for example, Opcode Fetch). of the subprogram or of the calling program (main program) be formed.

the Entry of the calling program or the calling address assigned a given address within the table, in the a predetermined value is stored if no address of the calling Program is stored within the address of the table. Through this additional review can the security of the correct program continues to improve become. In particular, before storing the address of the calling Program checks if the default value in the memory address of the table is included, where in the positive Case the address of the calling program in the memory address the table is written and in the negative case to a faulty one Program execution is closed. Only after successful verification the jump source in the subprogram becomes the corresponding address value written in the table.

According to one alternative embodiment includes the table for each calling subroutine to the return address calling program. It is checked if the return address in the memory, in particular a Stacked memory or nonvolatile memory (NVM), is stored. If so, the called subfunction will be run through. Otherwise, the program will be locked or a Error message issued.

In Another training is before the return to the Calling program checks if the return address in the memory with that called in the program sequence of the subroutine Return address matches. This second review is appropriate, since it is also possible over a light attack in the middle of a subroutine and jump to do this partially.

alternative is called by a calling subprogram Program the address of the calling program when calling the subroutine passed and stored in the memory. It is expediently a comparison between the transferring and stored (Entry) address and the program counter, wherein the subroutine is continued when in the comparison a match of the addresses was detected. The Subroutine will not continue if the comparison matches the addresses could not be determined.

additionally may be on a return from the subroutine to the Calling program to be checked if the Call of the subfunction was done correctly. In particular, this is checked whether the function call was permissible because, as already mentioned, You can also jump to the middle of the function. For This check may, for example, be the review to the presence of a fixed value, since the starting point, d. H. the starting address of the subroutine is known.

The The invention further provides a processor adapted thereto is a method according to any one of the preceding claims perform. In addition, the invention creates a portable data carrier, in particular a chip card or a chip module comprising an inventive Processor has.

The Invention will be described in more detail below with reference to FIGS. Show it:

1 a block diagram of a portable data carrier having a processor according to an embodiment of the invention, and

2 an exemplary program flow of the method according to the invention.

In 1 is a portable data carrier 10 shown, which is designed for example as a chip card or chip module. In known manner, the disk contains 10 a semiconductor chip on which a processor 12 , a store 14 and an interface 16 are designed for wired or wireless communication. The memory 14 has several different areas, namely in the present embodiment designed as a RAM memory 18 , a nonvolatile memory configured as an EEPROM 20 and a read-only memory configured as a mask-programmed ROM 22 ,

The read-only memory 22 contains essential parts of the operating system of the disk 10 and the programs run by this operating system. Two program sections are in 1 exemplified, namely a calling program or main program 24 and a called program or subroutine 26 , The processor 12 has a program counter designed in the form of a processor register 28 on, which indicates the address of the respectively executed or to be executed program command. Further sections of the programs to be executed can be stored in non-volatile memory 20 be included. Primary are in this store 20 however, a file system accessed by the programs, as well as other data managed by the operating system.

The terms "main program" and "subroutine" in the present case merely describe the relationship of the program sections 24 and 26 relative to each other. It is understood that the main program 24 in turn can be called from a parent program section, and that the subroutine 26 in turn can call other subroutines and thus is to be regarded as the main program for these other subroutines.

The working memory 18 is used to temporarily store values during calculations. In particular, is in memory 18 a stack 30 (stack), which contains, inter alia, subroutine return addresses. The current fill level of the stack 30 That is, in various embodiments, either the most recent entry or the first remaining free space is indicated by a stack pointer 32 specified as the register of the processor 12 is designed.

The inventive method allows safe program jumps from a calling program to a callable subroutine, and vice versa, for example, using the microcontroller commands JMP and CALL. A typical program sequence is shown by way of example below: MOV R6, # 0 × 01 MOV R7, # 0 × FF CALL Test_Param ; Call of the subroutine CJNE R7, # 0 × 34, WrongResult MOV Result, R7 RET Wrong Result: SJMP $ ; endless loop

Becomes the program sequence z. B. disturbed by a light attack, so the subroutine call becomes Test_Param and the check (CJNE) skipped.

For example, another typical subroutine looks like this: PIN_CHECK: MOV A, R6 XRL A, R7 JNZ Wrong Pin CALL PIN_IS_VALID RET WrongPin: MOV R7, # 0 × FF RET

If the subroutine PIN_CHECK is executed, then there is no check whether the call is permissible. In order to make the call of the subroutine by means of the command CALL or JMP safe, the value of the current program counter in a memory area, eg. As the register, the stack or a non-volatile memory, secured. This can be done, for example, as follows: MOV R2, # 0x01 MOV R3, # 0 × FF MOV R6, #High JUMP_QUELLE MOV R5, #Low JUMP_QUELLE SPRUNG_QUELLE: CALL Test_Param ; Call of the subroutine CJNE R7, # 0 × 34, WrongResult MOV Result, R7 RET Wrong Result: SJMP $ ; endless loop

When entering the subroutine function, it is checked whether the function call is permissible. This check takes place by means of a table (not shown), which is stored, for example, in the non-volatile memory area. If it is found in the table that the address of the calling program exists, the call of the subroutine is accepted and the program execution continues. Otherwise, an invalid jump was detected, whereupon program execution is stopped. An exemplary program flow for the check is shown below: CheckJMP_CALL_ADDR: MOV DPTR, #TABLE ; Loading the TAB address CLR A MOVC A, @A + DPTR ; Check if table for subpro MOV R0, SP ; heard XRL A, @ R0 ; Test_Param_Start (high byte) MOV R1, A INC. DPTR DEC R0 CLR A MOVC A, @A + DPTR XRL A, @ R0; ; Test_Param_Start (low byte) XRL A, R1 JNZ NO_TABLE_FOUND Check_Entry: ; Check the jump source INC. DPTR CLR A MOVC A, @A + DPTR XRL A, R6 ; Jump source (high-byte) MOV R1, A INC. DPTR CLR A MOVC A, @A + DPTR XRL A, R5 ; Jump source (low-byte) XRL A, R1 JNZ NO_TABLE_FOUND ; no valid entry found RET NO_TABLE_FOUND: SJMP $

A further review is that for the jump source entry is assigned a fixed RAM / NVM address becomes. In this is, if no address is stored, for example the value 0 × 55AA. Now the address of the calling program (Jump source) are saved, will be checked first, whether the predefined value 0 × 55AA is in this memory. If this is not the case, a faulty program execution has occurred carried out and aborted the program or a Error handling routine performed. After successful verification the address of the calling program in the called subroutine the address of the calling program becomes the RAM / NVM address written. Here, instead of the addresses of the program counter Also checksums are used for verification. These checksums can be from code ranges (eg Opcode-Fetch) of the subroutine or of the caller.

In another embodiment, it is expedient if there is a table for each subroutine to be called is created, the return addresses to the or the containing main calling programs. Will now be a subroutine called, is first checked, whether the return address in the stack for the respective CALL is present. If so, it will Go through subroutine. Otherwise the program will be blocked or an error message is issued. Before the return from the called subroutine is expediently again checks if the return address is up the stack matches the address of the calling program. This second review is appropriate since it is also possible, via a light attack in the middle of an executed subroutine and to do this partially.

alternative to the table with the return addresses can also be Procedures are used, in which the address of the calling Program is passed with the call. The address for the start address of the called subroutine can z. B. on be stored in the stack. When entering the subroutine is first the stored entry address with the current value of the program counter (program counter PC) compared. If this address is correct, the program will continue. Otherwise, the program is terminated or an error message is output or a NME triggered.

Also Here, in a return first again a review whether the function call is allowed was. This is preferably done because of how mentioned earlier, also a jump to the middle of the subprogram can be done. For this review can be checked for a fixed value since the starting point of the subroutine is known.

In 2 the schematic sequence of the method according to the invention for monitoring the intended execution of a program by a processor is shown. In accordance with a step S1, a table is created in which a subroutine (or a callable destination address) is assigned and stored addresses of a calling program or a calling address. According to step S2, before the jump into the subroutine, a check is made as to whether the calling program is assigned to the subroutine. In step S3, it is checked whether the assignment is correct. If this is the case, the subroutine is executed in step S4. If the assignment is incorrect, an error handling routine is called in accordance with step S5.

QUOTES INCLUDE IN THE DESCRIPTION

This list The documents listed by the applicant have been automated generated and is solely for better information recorded by the reader. The list is not part of the German Patent or utility model application. The DPMA takes over no liability for any errors or omissions.

Cited patent literature

• - DE 10252347 A1 [0004]
• WO 98/32072 A1 [0005]
• - EP 1507185 A1 [0006]

Claims (13)

Method for monitoring the execution of a program as intended by a processor ( 10 ), which points to a memory ( 30 ) in which - in the memory ( 30 ) a table is provided or is created in which are stored addresses of calling programs or identifiers of calling programs or identifiers of calling addresses belonging to a callable subroutine ( 26 ) or an addressable destination address are assigned; - before jumping to the subprogram ( 26 ) is checked by means of the table whether the calling program ( 24 ) or the calling address in the table to the subprogram ( 26 ) or the callable destination address is assigned; - if the assignment is correct, the subroutine ( 26 ) is performed; and if the assignment does not exist, an error handler is called. Method according to Claim 1, in which the subroutine ( 26 ) or the callable destination address is or will be stored as a verifiable table name. Method according to Claim 1 or 2, in which the status of the program counter ( 28 ) or a checksum of a program code of the calling program ( 24 ) is or is stored in the table. Method according to one of the preceding claims, in which the entry of the calling program ( 24 ) or the calling address is assigned a predetermined address within the table in which a predetermined value is stored, if no address of the calling program ( 24 ) is stored within the address of the table. Method according to Claim 4, in which before the address of the calling program ( 24 ) is checked whether the predetermined value in the memory address of the table is included, in the positive case, the address of the calling program ( 24 ) is written into the memory address of the table and in the negative case, an erroneous program execution is concluded. Method according to one of the preceding claims, in which the table for each calling subprogram contains a return address to the calling program ( 24 ). Method according to Claim 6, in which it is checked whether the return address in the memory ( 30 ), in particular a stack, is stored. Method according to Claim 6 or 7, in which, prior to the return to the calling program ( 24 ) checks whether the return address in the memory ( 30 ) with the program sequence of the subprogram ( 26 ) recalls return address. Method according to Claim 6, in which, when the subprogram is called by the calling program ( 24 ) the address of the calling program ( 24 ) when calling the subprogram ( 26 ) and stored in the memory. Method according to Claim 9, in which a comparison between the transferred and stored (entry) address and the program counter ( 28 ), the subroutine ( 26 ) is continued if a match of the addresses has been determined in the comparison and wherein the subroutine ( 26 ) is not continued if in the comparison the match of the addresses could not be determined. Method according to Claim 9 or 10, in which a return from the subprogram ( 26 ) to the calling program ( 24 ) checks whether the call of the subfunction was done correctly. Processor ( 12 ) arranged to carry out a method according to any one of claims 1 to 11. Portable data carrier ( 10 ), in particular chip card or chip module having a processor according to claim 12.