Patent Grant
10642971
The present disclosure generally relates to methods and systems for secure computational applications.
Secure computational applications include applications used in banking, conditional access, and other areas where physical, operational, or financial security is of concern. One concern in secure computational applications is that hardware and software execute pre-defined functionality of such applications as the functionality is intended to be executed, and not in some other fashion. A change in the functionality may generate security holes that can be exploited by attackers and/or hackers.
The present disclosure will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
In one embodiment a device is described, the device including a memory operative to store an program, a storage operative to store a reference check value for at least one operation in the program, a processor operative to execute the program, including, determining a run-time check value upon execution of the at least one operation in the program, comparing the stored reference check value with the run-time check value, storing the run-time check value as a pre-branch run-time check value prior to entering a conditional branch of the program when the compared stored reference check value and the run-time check value are equal values, resetting the run-time check value of the executing program to the pre-branch run-time check value upon exiting the conditional branch of the program, wherein the reference check value, the run-time check value, and the pre-branch run-time check value are determined as a result of a single function. Related apparatus, methods and systems are also described.
Reference is now made to
The processor 130, typically a secure processor, typically comprises dedicated hardware logic circuits, in the form of an application-specific integrated circuit (ASIC), field programmable gate array (FPGA), or full-custom integrated circuit, or a combination of such devices. Alternatively or additionally, the processor 130 may be a programmable processor, such as a microprocessor or digital signal processor (DSP), under the control of suitable software. This software may be downloaded to the processor 130 in electronic form, over a network, for example. Alternatively or additionally, the software may be stored on tangible storage media, such as optical, magnetic, or electronic memory media. The processor 130 may comprise more than one processor 130. The processor 130 may be a special purpose dedicated processor operative to perform the method for ensuring program code flow integrity as described herein.
A memory 150, typically comprising non-transitory computer-readable storage media is available for use by the processor 130. The memory may store instructions, which the processor 130 may execute, in order to perform the method described herein. The computing device 100 also comprises typical and standard hardware and software components as are known in the art. The computing device 100 is provided as an example of a possible platform that may be used in the system described herein, and other types of platforms may be used as is known in the art.
A check value function 160-1 is used by the processor 130 during the operation of the compiler 155, as will be described herein below.
Additionally, before run time, non-compiled code 152 is input into a compiler 155 which is running on a second processor 157. The compiler 155 compiles the non-compiled code 152 into the o-code 120. As noted above, the o-code 120 is then stored in one or both of the storage 110 or memory 150. An iteration of the check value function 160-2 is used by a processor 130 (detailed below) during the execution of the o-code 120, as will be described herein below.
The second processor 157 is depicted as being external to the computing device 100. However, the second processor 157 may be the same processor as the processor 130, or may be a different processor, which is also disposed in the computing device 100. It is also noted that two different configurations of the check value function 160-1, 160-2 are depicted. In one depiction (the run time depiction), the check value function 160-2 is depicted as external to the processor 130. In another depiction (the before run time depiction), the check value function 160-1 is depicted as being executed by the second processor 157 (i.e. both the compiler 155 and the check value function 160-1 are run by the second processor 157).
The operation of the system of
A reference check value 170 for the at least one line of the o-code 120 is returned by the check value function 160-1, and is stored in the storage 110.
It is appreciated that the first stage may be performed off-line, at a single computing device 100, and then the stored o-code 120, and the stored reference check value 170 may then be copied to storage 110 comprised on one or more other computing devices 100.
At a later stage, typically at run-time of the application program, the o-code 120 is executed as an executable application program by the processor 130. During execution of the o-code 120, the at least one line of the o-code 120 is sent to the check value function 160-2. A run-time check value is returned by the check value function 160-2. The run time-check value for the at least one line of the o-code 120 is compared to the reference check value 170 for it corresponding at least one line of the o-code 120. If the two values match, then security of the application program is assumed to be uncompromised. If the two values do not match, then the security of the application program is assumed to be compromised, and the application program may trigger a reset, an interrupt, set a flag, or execute another appropriate response, as is known in the art.
The o-code 120 may comprise code steps which are to be executed linearly, or, alternatively, the steps may branch into at least two paths, each one of which is to be executed under different circumstances, as is known in the art. For example, if one variable is less than a certain amount a loop is to be entered, otherwise the loop is to be skipped or exited from. However, branches present a difficulty in that, at compilation, they typically, because execution flow is not deterministic, it is difficult to know in advance what a correct reference check value 170 would be for a given run time-check value during the execution of the branch. Accordingly, at branch points in the o-code 120, the run-time check value is stored as a pre-branch run-time check value. Upon exiting the branch of the o-code 120, the run-time check value of the executing application program is reset to the pre-branch run-time check value.
The operation of the system of
It is appreciated that function F1( ) 210 requires calculation of the PBRTCV before F2( ) 220 is executed. However, in the example in
It is also appreciated that traps and interrupt events which may be located in the o-code are typically handled by not invoking the check value function 160-2 (
During the execution of function F4( ) 240, the processor 130 (
During the execution of function F5( ) 250, a return (RET) step 259 is reached, and a return value of the function F5( ) 250 is returned to calling function F4( ) 240. Function F4( ) 240 then resets its check value to the PBRTCV 243 stored prior to calling function F5( ) 250. The execution of function F4( ) 240 continues until a return (RET) step is reached, and a return value of the function F4( ) 240 is returned to calling function F3( ) 230. The execution of function F3( ) 230 continues until a return (RET) step 239 is reached, and a return value of the function F3( ) 230 is returned to calling function F2( ) 220. The execution of function F2( ) 220 continues until a return (RET) step 229 is reached, and a return value of the function F2( ) 220 is returned to calling function F1( ) 210. Function F1( ) 210 then resets its check value to the PBRTCV 213 stored prior to calling function F2( ) 220. The execution of function F1( ) 210 continues until complete, and the processor 130 (
Reference is now made to
A loop (item number 340) is entered into by the executing code. As is known in the art, loops typically have a condition, called the “loop condition” (i.e. a branch condition) which is used to determine whether to execute another iteration of the loop or to exit the loop. In the present example, the loop condition is signaled by a jnz instruction (i.e. Jump if Accumulator not Zero instruction) (item number 350). The jnz instruction (item number 350) signals the processor 130 (
Persons of skill in the art will appreciate that there are many other appropriate o-code instructions which might be used prior to invoking the check value function 160-2 (
Reference is now made to
Reference is now made to
Reference is now made to
At step 530 the application program (i.e. the o-code 120 of
It is appreciated that software components of the present invention may, if desired, be implemented in ROM (read only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques. It is further appreciated that the software components may be instantiated, for example: as a computer program product or on a tangible medium. In some cases, it may be possible to instantiate the software components as a signal interpretable by an appropriate computer, although such an instantiation may be excluded in certain embodiments of the present invention.
It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined by the appended claims and equivalents thereof:
| Number | Name | Date | Kind |
|---|---|---|---|
| 6560774 | Gordon | May 2003 | B1 |
| 6880149 | Cronce | Apr 2005 | B2 |
| 7844828 | Giraud et al. | Nov 2010 | B2 |
| 8429417 | Salgado et al. | Apr 2013 | B2 |
| 8782434 | Ghose | Jul 2014 | B1 |
| 8782435 | Ghose | Jul 2014 | B1 |
| 9405936 | Hoogerbrugge et al. | Aug 2016 | B2 |
| 20020032822 | Plummer | Mar 2002 | A1 |
| 20050066311 | Hagmeier | Mar 2005 | A1 |
| 20060047955 | Prevost | Mar 2006 | A1 |
| 20090328211 | Abraham | Dec 2009 | A1 |
| 20120066551 | Palus | Mar 2012 | A1 |
| 20130205285 | Pizlo | Aug 2013 | A1 |
| 20150007251 | Johns | Jan 2015 | A1 |
| 20170208150 | Ekbote | Jul 2017 | A1 |
| 20170262657 | Salmon-Legagneur | Sep 2017 | A1 |
| 20170270319 | Salmon-Legagneur | Sep 2017 | A1 |
| 20180307838 | Sharma | Oct 2018 | A1 |
| Entry |
|---|
| Danger, Jean-Luc et al.: HCODE: Hardware-Enhanced Real-Time CFI (2014), In Proceeding of the 4th Program Protection and Reverse Engineering Workshop (PPREW-4), ACM, New York, NY, USA, Article 6, 11 pages. |
| de Clercq, Ruan et al., SOFIA: Software and Control Flow Integrity Architecture; 2016 Design, Automation & Test in Europe Conference & Exhibition (DATE), Dresden, 2016, pp. 1172-1177. |
| Number | Date | Country | |
|---|---|---|---|
| 20190073472 A1 | Mar 2019 | US |
