Example embodiments relate in general to a method for executing a program on a data processing device.
In security-critical applications, such as in many applications for chip cards, microcontrollers are intended to execute only program code whose integrity has been successfully checked, due to security and reliability requirements.
However, requirements in terms of the execution time of program code, in particular at startup, such as when starting NFC (near-field communication) communication using a chip card, may prevent the use of various program code checking approaches. One typical approach requires, for example, reading the program code twice (once to check it, and once more to execute it), computing a check value (for example a checksum or a signature), and comparing the check value with a reference value. This process may take too much time in practice.
Approaches for guaranteeing the integrity of executed code with a small time overhead are therefore desirable.
Disclosed herein are techniques, apparatuses, and systems directed to this problem. According to one example embodiment, a method for executing a program on a data processing device, comprising storing multiple program instructions and data to be processed by a processor of the data processing device in one or more memories of the data processing device, the data processing device receiving, from an external data processing device, a reference value for a check of the multiple program instructions and storing the reference value in the data processing device, computing a check value from the multiple program instructions for the check by way of the data processing device when the program instructions are loaded from the one or more memories into an instruction buffer memory of the data processing device or by way of read access to the instruction buffer memory after the program instructions have been loaded into the instruction buffer memory from the one or more memories, and the processor executing at least some of the program instructions if the check value matches the received reference value.
According to a further embodiment, provision is made for a data processing device in accordance with the method described above. According to a further embodiment, provision is made for a data processing system that contains the data processing device and the external data processing device that is configured to generate the reference value and to supply it to the data processing device. It should be noted that embodiments that are described in connection with the method apply analogously to the data processing device and vice versa.
The figures do not reflect the actual proportions but are intended to illustrate the principles of the various example embodiments. Various embodiments are described in detail below with reference to the following figures.
The following detailed description relates to the attached figures, which show details of example embodiments. These example embodiments are described in such great detail that a person skilled in the art is able to carry out the invention. Other embodiments are also possible and the example embodiments may be modified in structural, logic and electrical terms without departing from the subject matter of the invention. The various example embodiments are not necessarily mutually exclusive; rather, various embodiments may be combined with one another to produce new embodiments. Within the scope of this description, the terms “linked”, “connected” and “coupled” are used to describe both a direct and an indirect link, a direct or indirect connection, and direct or indirect coupling.
The data processing device 100 has a CPU (central processing unit) 101 and various memories, here a ROM (read-only memory) 102, a non-volatile memory (NVM) 103 and a RAM (random access memory) 104.
An (instruction) cache memory (or generally an (instruction) buffer memory for instructions), shown in
Provision is made similarly for a (data) cache memory 106 for data, here between NVM 103 and CPU 101 and RAM 104 and CPU 101, which enables fast processing of data by the CPU 101.
When the data processing device 100 is started (for example when a smart card is introduced into a reader field), the CPU 101 executes starting program code (that is, program instructions for starting the data processing device) that is stored in the ROM 102 (or else in the NVM 103 or a combination of both).
The CPU 101 executes this start code in a special starting mode. It then switches to a user mode in which it retrieves user program code from the NVM 103 and executes said code.
However, program code stored in the NVM 103 is able to be changed, in particular by an attacker. Therefore, in the case of security-critical applications, it is possible to check the integrity of program code from the NVM 103 by executing corresponding program code from the ROM 102 (which is not able to be changed and may therefore be assumed to be secure) before it is executed. This may be achieved, for example, by virtue of the program code in the ROM 102 making provision to compute a checksum (generally a check value that is computed in accordance with a predefined check value computing function, such as for example including a hash value or a signature) for the program code in the NVM 103 that is intended to be executed and comparing this with a saved reference value stored in the data processing device. The CPU 101 executes the program code from the NVM 103 only if the check value matches the reference value.
The program code that carries out the check may also be stored (at least in part) in the NVM 103, but is in this case checked before it is executed so that it is trustworthy.
The program code in the NVM 103 is checked for example in blocks (that is, each block has its own associated reference value for such a check).
If this procedure is adopted, in order to check the user program code, this is first loaded into the data cache memory 106, since the CPU 101 processes it as data in accordance with the check program code from the ROM (which is loaded into the instruction cache memory 105). In the event of a successful check (that is, the check value is the same as the reference value), the user program code is then treated as instructions and loaded into the instruction cache memory 105 for execution thereof. The user program code is thus loaded into a cache memory twice. To speed up the process, the checksum may also be generated by a hardware circuit (that is, not by way of a checking program executed by the CPU 101). However, in this case, additional data transfers between the CPU 101 and this hardware circuit (for example a peripheral module) are necessary.
For applications in which little time is available, for example when a user program has to be executed within the short time for which a smart card is located in an NFC (near-field communication) field, a program code check is therefore not possible (or at least not in full) in such a procedure.
According to various embodiments, a description is given of an approach that enables a faster program code integrity check than the approach described above with reference to
The data processing device 200 may be any type of data processing device, such as for example a computer or a smartphone, a chip card (with any form factor) or a control apparatus (for example with a microcontroller) that is used in a vehicle, for example.
Similarly to the data processing device 100, the data processing device 200 has a CPU 201, a ROM 202 and an NVM 203. The data processing device 200 may also have a RAM. The data processing device 200 furthermore has a data cache memory. However, since this is not involved in the program code check, it is not shown in
The checking unit 204 may be implemented at least in part as a (dedicated) hardware circuit, or it may also be a software-implemented checking engine (whose program instructions are stored for example in the ROM 202) that is executed by the CPU 201 or else another programmable component of the data processing device 200. The term “checking circuitry” may be used to refer to either sort of implementation or to a combination thereof. i.e., a dedicated hardware circuit, or a processing circuit configured with program instructions to carry out the checking operation, or some combination of both.
The program code to be checked is stored in an NVM 303, which corresponds to the NVM 203, and consists for example of two program code blocks 306, 307.
The sequence illustrated by the circles numbered (1) to (7) in
In (1), the data processing device is started by executing starting program code from the ROM 202, as described with reference to
In (2), the CPU 301 initializes the checking unit 304 for the program code check.
In (3), the checking unit 304 configures the instruction cache memory 305 for aiding the program code check.
In (4a) and (4b), the instruction cache memory 305 reads in the first program code portion 306 to be checked via the checking unit 304 and locks this program code portion 306 in the instruction cache memory 305 (that is, a cache lock is implemented for the first program code portion 306 in the instruction cache memory 305).
The checking unit 304 in the process (that is, while the program code portion 306 is being read in via it) computes the check value for the first program code portion 306.
In (5), the checking unit 304 reads the reference value for the first program code portion 306 and compares the read reference value with the computed reference value.
If the check is successful (that is, check value same as reference value), then the CPU 301 executes the first program code portion 306 in (6). If the CPU 301 has executed the first program code portion 306 and it is necessary to execute a further program code portion, here the second program code portion 307, (4a), (4b) and (5) are also performed for the second program code portion 307 and the CPU 301 executes the second program code portion 307 (following successful checking of this program code portion as well).
If the checking unit 304 detects a discrepancy between check value and reference value for a program code portion, then it outputs a (fault or alarm) signal, for example to reset (that is, trigger a security reset of) the data processing device 200. The CPU 301 may execute the respective program portion even in the event of a discrepancy (that is, a discrepancy may be accepted), with an appropriate response to the signal then however taking place, for example taking a security measure such as for example checking processing results.
If all program code portions have been successfully checked and executed, the checking unit may be deactivated. This may be brought about by the last program code portion of the respective program.
Since, in the procedure described with reference to
Security is also increased since the program code is checked when it is loaded into the instruction memory 304 and no further loading, during which or prior to which it could be changed again, takes place. The program code portions, at least until they are executed, are locked in the cache.
In the event that a program portion that has already been checked and executed once has to be executed once more, markings (for example a flag) may be provided for the program portions, said markings making it possible to mark such a program portion as already checked. In this case, it is not necessary for the checking unit 304 to check the program portion again.
The instruction cache memory 304 may also be another (buffer) memory or memory region that speeds up the execution of program code, such as for example a TCM (tightly coupled memory), for example a tightly coupled RAM, in particular a memory with a dedicated connection to the CPU 301 for transmitting program instructions. This memory (or memory region), which is also referred to as instruction buffer memory, may be a memory (or memory region) dedicated to instructions.
A key value that is stored on the data processing device 200 and that is represented for example by logic cells concealed under other logic cells may be used in the computing of the check value. This makes it possible to prevent an attacker being able to compute the correct check value for malicious code. This secret key value is used to compute the reference values (which takes place for example at the manufacturer). The check value computing function may also be based on asymmetric cryptography, that is, the check value is a signature that is computed by way of a private (secret and for example concealed) key, and the comparison with the reference value (that is, the checking of the correctness of the check value) is performed using a public key (for example stored in the firmware).
The reference value may for example be stored in a write-protected region 308 of the NVM 303 (that is able to be written to for example only by the manufacturer, by way of a flash loader or for which write access is blocked in user mode). The reference values may in particular be located in other memory regions than the program code to be checked.
If the checking mechanism described above is used, it is not necessary to use an EDC (error detection code) to protect program code in the memory (but this may also be provided as an additional measure, for example with a reduced number of check bits). It is thus possible to reduce the overhead for protection, for example of the NVM 303, since larger blocks (multiple memory cells instead of one per EDC) are protected by a single reference value. It is thus possible to achieve a better ratio between program code and reference values. Since it is thereby possible to save on overhead, provision may then also be made for a more complicated check value computation (with check values having a high number of bits), thereby making it possible to guarantee high security. The number of bits may also be optimized better, since EDC is applied to the complete memory and the checking mechanism described above may also be applied to only a small code region. Furthermore, the above checking mechanism, in contrast to EDC, offers protection against the insertion of malicious code by an attacker through internal write access.
The checking mechanism may be aided by an MMU (memory management unit) and/or by an MPU (memory protection unit) that is or are provided in the data processing device.
In this embodiment, the program code portions are not checked when they are loaded into the instruction cache memory 405, but rather the program code portions are loaded into the instruction cache memory 405, the checking unit 404 computes the check value by way of read access to the instruction cache memory 405 and, in the event of a successful check of a program code portion, the CPU executes it (from the instruction cache memory 405).
In this case,
Provision is made for the CPU to perform the comparison, as in
In this case, the checking unit 1005 may compute the check value for the code portion including the reference value with which the code portion is provided. The reference value is thereby also protected against manipulation.
In summary, according to various embodiments, provision is made for a data processing device as illustrated in
The data processing device 1100 has a processor 1101, one or more memories 1102 that are configured to store multiple program instructions and data to be processed by a processor of the data processing device, an instruction buffer memory 1103 for buffer-storing the program instructions to be executed by the processor 1101 and a data buffer memory 1104 for buffer-storing the data to be processed.
The data processing device 1100 furthermore has a communication interface 1106 to an external data processing device 1107, which communication interface is configured to receive a reference value for a check of the multiple program instructions from the external data processing device 1107.
The data processing device 1100 furthermore has a checking unit 1105 that is configured to compute a check value for the check when the program instructions are loaded from the one or more memories 1102 into an instruction buffer memory 1103 of the data processing device or by way of read access to the instruction buffer memory 1103 after the program instructions have been loaded into the instruction buffer memory from the one or more memories 1102.
The processor 1101 is configured to execute at least some of the program instructions if the check value matches the received reference value.
The external data processing device 1107 is external in relation to the data processing device 1100, that is, they are separate devices, for example in separate housings. By way of example, the reference value may be linked to the external data processing device 1107 via the communication interface 1106 (for example via corresponding contacts or else contactlessly) when the data processing device 1100 is manufactured (for example before delivery to a customer), and it may receive and store (beforehand) the reference value. By way of example, the data processing device 1100 may receive the reference value together with the program instructions (that is, program code) and then ensure during operation that the program instructions are not changed. To this end, it stores the reference value in for example a write-protected (possibly secure) memory region.
The instruction buffer memory and the data buffer memory do not necessarily need to be implemented by way of separate memories (for example memory chips); they may also be (separate) memory regions of a memory (or of a memory arrangement).
The instruction buffer memory and the data buffer memory are for example buffer memories at least in the sense that they are volatile memories, while the memory (which may have multiple memory devices) is for example a non-volatile memory. The instruction buffer memory is for example a buffer memory dedicated to buffer-storing instructions (that is, program instructions) and the data buffer memory is for example a buffer memory dedicated to storing data to be processed (that is, data that are not executed as instructions by the processor, that is, do not specify processor instructions that the processor executes, but rather that are processed by executed processor instructions).
In 1201, multiple program instructions and data to be processed by a processor of the data processing device are stored in one or more memories of the data processing device.
In 1202, the data processing device receives a reference value for a check of the multiple program instructions from an external data processing device and stores said reference value.
In 1203, a check value for the check is computed by the data processing device from the multiple program instructions when the program instructions are loaded from the one or more memories into an instruction buffer memory of the data processing device or by way of read access to the instruction buffer memory after the program instructions have been loaded into the instruction buffer memory from the one or more memories.
In 1204, at least some of the program instructions are executed by the processor if the check value matches the received reference value.
The data processing device may be configured such that the reference value and the check value are not able to be generated by the user of the data processing device, for example. According to one embodiment, this includes the check value that is computed in the data processing device (that is, in the checking unit) not being known to the processor or to an executed program and to the user.
Various example embodiments are stated below.
Although the invention has been shown and described primarily with reference to specific embodiments, it should be understood by those familiar with the technical field that numerous modifications may be made with regard to configuration and details thereof, without departing from the essence and scope of the invention as defined by the claims hereinafter. The scope of the invention is therefore determined by the appended claims, and the intention is for all modifications to be encompassed which come under the literal meaning or the scope of equivalence of the claims.
Number | Date | Country | Kind |
---|---|---|---|
102022116869.7 | Jul 2022 | DE | national |