Patent Application
20240028440
The invention relates to a method, device and computer program product for logging a multiplicity of events in a coded tracer variable in a security-oriented computer.
In security-oriented programs for industrial applications, which typically run on embedded hardware, such as programmable logic controllers (PLCs) or other industrial automation components, it is necessary to ensure that bit errors in variables are identified and that program portions intended to be executed in a cycle are also actually run through completely.
When processing functionally secure data, internal security function errors must be identified and result in a security response (for example, outputting secure replacement values or a warning notification). This is conventionally achieved by hardware replication and result comparison. One alternative is that of coding the security function using arithmetic codes. Simple arithmetic codes do not identify all errors and must be upgraded appropriately. This typically leads to considerable outlay and/or restricts use.
In more advanced security-oriented solutions, a hardware-independent version of coded processing is used. Coded processing involves detecting and propagating error information in all variables. To date, this has led to complex applications that cannot be replicated appropriately.
There is thus a need for a method of linear complexity for detecting and propagating errors in complex software systems for security-oriented programming by way of arithmetic codes.
Examples of complex applications:
According to the current prior art, there are the following solution strategies:
In sum, it may be said that the conventional approaches in accordance with the prior art, with the at present greatly increasing complexity in terms of requirements, are becoming less and less suitable as a general solution for new innovations. They have to be supplemented with complexity management measures.
DE 10 2014 117 971 A1—Fetzer “Method for processing data in order to ascertain if an error has occurred while running a program, and data processing arrangements for generating program code” discloses logging the execution of program blocks by summing the signatures of the program blocks in an accumulator memory and comparing the content thereof with a prescribed value.
One problem is that states, state changes, log information (in particular about the program running), error information or the like, called “events” or “criteria” for short below, which occur synchronously or close in time to one another, are often not logged promptly or simultaneously in a log variable (called “tracer variable” below). This is often due to the fact that associated corresponding instructions in a source code in a computer program can be executed temporally separately from one another following compilation, or for example an interrupt in the program execution occurs in the meantime. This may give rise to inconsistent states, in particular for the tracer variable and structures (in particular control structures) dependent thereon.
In view of the foregoing, it is therefore an object of the present invention to provide a method for improve the logging of events in tracer variables.
This and other objects and advantages are achieved in accordance with the invention by a device, computer program and method in which the securing occurs in the same way as the arithmetic coding. Multiple events (“criteria”) are stored independently from one another within a tracer variable. For each criterion, the value is stored in a manner arithmetically coded in the “tracer”, where, in accordance with the invention, multiple criteria or events are first combined and then, in a computing step and thus at the same time, stored in the tracer variable.
Thus, a method is provided for logging a multiplicity of events in a coded tracer variable in a security-oriented computer program, where each event is logged in the form of a value in the coded tracer variable. Here, a total value is first calculated for simultaneous logging of multiple events from the values for these events and is then logged in the coded tracer variable. This has the advantage of allowing simultaneous processing of multiple independent consistency criteria for detecting and propagating errors or other events. The simultaneity avoids a large number of dynamic effects when detecting and propagating errors/events. This enables the required reduction in the complexity of security programs.
The objects and advantages are also achieved in accordance with the invention by a device including a processor and memory, and by a computer program product for logging a multiplicity of events in a coded tracer variable in a security-oriented computer program, where the device, and the computer program product, when executed, are configured to perform the method in accordance with the invention. This makes it possible to achieve the advantages explained with reference to the method.
In one advantageous embodiment of the method, AN, ANB or ANBD coding is used to code the coded variable. These coding operations are successfully incorporated in security-oriented computer programs, in particular in those used in automation engineering.
In a first advantageous embodiment, the events are logged as a coded value in the coded tracer variable while, in another advantageous embodiment, the events are logged in a signature of the coded tracer variable. Mixed forms are possible, for example, by logging first events in the “payload”, i.e., as a value, and other events in the signature.
Advantageously, a constant is defined for each event, where this constant represents the value for the applicability of the event. Boolean information (true/false) is thus, for example, mapped onto a broad bit value, in which only exactly one value corresponds to “true”, which increases security in the event of bit errors.
In one advantageous embodiment, the computer program performs a consistency check on the tracer variable, where error handling is performed at least in the event of an inconsistency. Error handling is thus possible.
When each event of each type of an event is coded with a separate constant, where the constants of the various events or the various types are selected to be co-prime to one another, it is possible to log multiple events or types of events in a common coded variable, the tracer variable (or “error variable”).
Advantageously, with the event, a respective expected value for the event is logged in the coded tracer variable. As a result, errors, such as program running errors, can be identified just by evaluating the tracer variable, without having to perform a comparison of the content of the tracer variable with externally stored expected values.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims. It should be further understood that the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein.
One exemplary embodiment of the method in accordance with the invention is explained below with reference to the drawings, which are used simultaneously to explain an exemplary embodiment of a device, and a computer program product of this kind, in which:
In order to check program execution and to log events of all kinds, the prior art uses running variables, so-called tracer variables or “tracer” for short, using the content of which the program path that is run through or the occurrence of criteria, events, states or the like can be logged and thus checked.
With reference to
In the present example, without restricting generality, the variable xc is ANDB-coded in accordance with a rule in the form:
x
c
:=x
f
*A+B
x
+D
x
The complexity of the security program is particularly dependent on the security against errors in the dynamic behavior of the security program.
Typical security measures are:
New information is typically recorded in one of these signatures such that either a constant or a variable with an unambiguous expectation is added. Mixed forms are possible. By way of example, the tracer variable, the main purpose of which is conventionally that of logging the linear program blocks that are run through, may at the same time be used to propagate error information or state information (for example, events or “criteria”).
For complete security, the simultaneous change of multiple independent aspects is often necessary. This simultaneity must also be secured in the compiled program code, it thus being necessary to take into consideration the fact that compilers can perform optimizations that are generally advantageous for the program execution, but on the other hand do not guarantee that instructions that are programmed in relation thereto in the source code are actually executed promptly or quasi-simultaneously in the executable program. A separate solution in this regard is currently sought for each problem.
The securing or security-oriented logging of events or criteria (state information, state changes, trace information, etc.) occurs in the same way as conventional arithmetic coding. Multiple criteria K1 . . . Kn are stored independently within a tracer variable. For each criterion Ki, the value is stored in a manner arithmetically coded in Tracerc.
In a first embodiment, the criteria are represented in coded form. In other words, the sum formed arithmetically in the coded space stores the information to be logged as a coded value of the tracer variable, i.e., as a “payload”:
Tracerc=Ai*Ki+BTracer+DTracer,i
The complete formula for a number i of criteria is:
Tracerc=(ΣDi×LAi*Ki)+BTracer+DTracer
As evident, it holds that:
D
Tracer,i
=D
Tracer+(Σ1j=1Aj*Kj)=(Σ0j=k+1Aj*Kj)
If at the same time Ki should be changed by ΔKi and Kj should be changed by ΔKj, then this results in a change of
ΔTracer=ΔKi*A1*ΔKj+Ai.
In the program,
Tracerc=Tracerc+ΔTracer
is then executed. In many cases, ΔKi and ΔKj are constants. In these cases, ΔTracer is also a constant. If a value Δki with an unambiguous expectation ΔKiexpected should be added, then this takes place through the generally applicable form:
ΔTracer=n*ΔKΔ+ΔKiexpected*(Ai−n)+ΔKj+m*ΔKjexpected*(Aj−m)
In this case, n and m are selected such that the error information defined by the criteria is transmitted securely. Otherwise, there are no restrictions for the selection of n and m.
In a second embodiment, the criteria form the signature of a coded value, and are thus preferably represented in the dynamic signature of the tracer variable:
Tracerc=A1*X+Bi+Ki
For each criterion, a constant Ei is determined, this representing the value 1 for this criterion:
E
i MOD Ai=1
E
i MOD Ai=0 if i≠j
If at the same time Ki should be changed by ΔKi and Kj should be changed by ΔKj, then this results in a change of
ΔTracer=ΔKi*Ei+ΔKj*Ej.
In the program, Tracerc=ΔTracerc+ΔTracer is then executed.
In many cases, ΔKi and ΔKj are constants. In these cases, ΔTracer is also a constant. If a value Oki with an unambiguous expectation ΔKiexpected should be added, then this occurs through the generally applicable form:
ΔTracer=n*ΔK1+ΔKiexpected*(Ei−n)+ΔKj+m*ΔKjexpected*(Ej−m)
In this case, n and m are again selected such that the error information defined by the criteria is transmitted securely. Otherwise, there are no restrictions for the selection of n and m.
In both embodiments, following the addition of ΔTracer, there may be an additional correction in order to avoid systematic errors. By way of example, modulo operations may be used to avoid or “remove” overflows that may occur due to the multiple addition of information in the coded region.
The criteria that are specifically required is not part of this invention. These are given by the security requirements in the specific application case. Typical criteria (or generally: events) are:
The key advantage is that of allowing simultaneous processing of multiple independent consistency criteria for detecting and propagating errors. The simultaneity avoids a large number of dynamic effects when detecting and propagating errors. This enables the required reduction in the complexity of security programs.
x
f
:=x
f+1
where the right-hand part of
The following values are defined:
It holds that:
(Tracerc+ΔTracer)mod A=(KA+ΔKA)mod A=48 mod 13=9
(Tracerc+ΔTracer)mod R=(KR+ΔKR)mod A=48 mod 7=6
Tracerc=((ΣDx)mod A)*A2+(DTracer mod A)*A+BTracer+DProgram
BTracer and Dprogram are not relevant to the invention and are therefore set to 0.
→Tracerc=4*169+10*13=806
Since KR+ΔKR≤13, the overflow must be handled for KR. It is necessary to subtract RR*A=169.
→ΔTracer=715!
It holds that:
(Tracerc+ΔTracer)/A2)mod A=(KA+ΔKA)mod A=9
(Tracerc+ΔTracer)/A)mod A=(KR+ΔKR)mod A=0
In the arithmetic (coded) addition of 1 to xf, the number 1 is represented by 1*A, such that 1*A (=A) is added to xc and the signature of the coded 1 (specifically KA) is added to the previous dynamic signature of xc.
The first criterion is thus given by the correct addition, as a result of which the tracer variable DTracer is supplemented with the corresponding value ΔKA=5 provided previously for a correct addition.
The second criterion is, for example, a dynamic signature (D-signature) and is used to check the correct execution order. In the present case, for this purpose, in accordance with the previous stipulation (ΔKR=3), the number 3 is thus added to DTracer.
Both changes, however, must occur arithmetically; in other words, ΔKA=5 and ΔKR=3 must be “added” in coded form to the tracer variable.
As a result:
ΔTracer=(5*14+3*78)mod(7*13)=304 mod 91=31
Adding the 31 to the original value 17 of the tracer variable Tracerc thus logs both criteria in the tracer variable simultaneously, i.e., in a step also cannot be separated by the compiler or interrupt.
A consistency check may then occur at the end of the program; this is illustrated in the last block on the left-hand side of
These may then be compared with expected values.
In order to avoid/manage overflows, the value of the tracer may be limited, for example by Tracerc:=Tracerc MOD A*R. DTracer is calculated securely in accordance with known methods in coded processing. All execution-relevant conditions are in this case incorporated directly when forming DTracer.
Following a negative result of the consistency check, a corresponding pre-programmed response or error handling may take place. In one simple case, the underlying system is in the process put into a safe state (for example emergency off) and/or a warning notification is output.
Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.
| Number | Date | Country | Kind |
|---|---|---|---|
| 20199047.0 | Sep 2020 | EP | regional |
This is a U.S. national stage of application No. PCT/EP2021/074359 filed 3 Sep. 2021. Priority is claimed on European Application No. 20199047.0 filed 29 Sep. 2020, the content of which is incorporated herein by reference in its entirety.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2021/074359 | 9/3/2021 | WO |
