+

WO2001097010A2 - Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions - Google Patents

Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions Download PDF

Info

Publication number
WO2001097010A2
WO2001097010A2 PCT/EP2001/005560 EP0105560W WO0197010A2 WO 2001097010 A2 WO2001097010 A2 WO 2001097010A2 EP 0105560 W EP0105560 W EP 0105560W WO 0197010 A2 WO0197010 A2 WO 0197010A2
Authority
WO
WIPO (PCT)
Prior art keywords
program
sequence
program instructions
accumulated
signature register
Prior art date
Application number
PCT/EP2001/005560
Other languages
English (en)
Other versions
WO2001097010A3 (fr
Inventor
Thorwald Rabeler
Original Assignee
Koninklijke Philips Electronics N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V. filed Critical Koninklijke Philips Electronics N.V.
Priority to JP2002511070A priority Critical patent/JP2004503860A/ja
Priority to EP01936364A priority patent/EP1295200A2/fr
Publication of WO2001097010A2 publication Critical patent/WO2001097010A2/fr
Publication of WO2001097010A3 publication Critical patent/WO2001097010A3/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30098Register arrangements
    • G06F9/30101Special purpose registers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806Details of the card
    • G07F7/0813Specific details related to card security
    • G07F7/082Features insuring the integrity of the data on or in the card
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/12Card verification
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/12Card verification
    • G07F7/122Online card verification

Definitions

  • This invention generally relates to a method and data processing device for the execution of instruction sequences. Specifically, the present invention pertains to a method and data processing device for ensuring that a program portion has not been altered and is running in the proper sequence.
  • a smart card is a flat card that contains a data processing device in the form of a microprocessor as well as a memory.
  • the smart card is operated in conjunction with a host device (e.g., a read apparatus) utilizing contacts or a wireless contact medium.
  • a host device e.g., a read apparatus
  • Smart cards of this kind may be utilized for banking applications where data in the smart card memory may be read out and/or modified only under stringently defined conditions.
  • typically given other data e.g., security-related data
  • security-related data is only exchanged between the smart card and the read apparatus and may not be externally disseminated or discerned.
  • security-related data may also be involved in other applications of smart cards, for example their use as a health care card, a set top box access card, etc.
  • the program present in these smart cards is often modified or supplemented in order to add data to the smart card, to adapt the smart card to various applications, and/or to create further possibilities for use.
  • the originator of the smart card should realize these modifications or supplements.
  • unauthorized persons may attempt to modify the instruction sequences present in the microprocessor or in the program memory thereof, in order to carry out unauthorized reading or fraudulent modification of data.
  • German Patent Application No. 19804784.3 incorporated herein by reference, a smart card is proposed that offers a high degree of protection against this type of manipulation.
  • the program portion that controls the smart card and reading apparatus interaction is subdivided into essentially two instruction sequences, with one instruction sequence being stored so that it cannot be modified. All accesses to essential, notably security-relevant data, are only possible in one instruction sequence that is referred to as the system program.
  • the other instruction sequence is referred to as the application program. Both instruction sequences and programs may consist of a respective number of individual instruction sequences.
  • a jump is made to the system program. Thereafter, a jump is made back to the application program and the execution thereof is continued.
  • intended entry and exit portions may be circumnavigated for the purposes of entering the system program in such a way as to either gain external access to security-relevant data or to cause the system program to run in an unauthorized manner.
  • a signature register is utilized to accumulate a sequence of addresses or instructions.
  • the accumulated addresses or instructions from the signature register are compared to a value contained in an instruction portion to determine if the intended instruction flow has been improperly modified.
  • the value stored in the signature register will not correspond to the value in the instruction portion and operation of the device is terminated.
  • an encryption device is utilized at times to modify the value in the signature register in a secret way.
  • the security of the device may be compromised. Accordingly, it is an object of the present invention to overcome the disadvantages of the prior art.
  • a device to determine whether an application program has been unduly manipulated is provided with a signature register that is coupled to the output of the instruction register and or to the addresses of the program memory.
  • the signature register is also coupled to a mode bit of a processor having two operating modes. In a first mode, the signature register accumulates the output of the instruction register and/or the addresses of the program memory, yet the output of the signature register is not externally discernable. In a second mode, the signature register is set to no longer accumulate inputs. In the second mode, the signature register content is checked by a comparison with a specified value. This comparison value can be effectively contained in an instruction at relevant positions in the program or may be stored in an unalterable memory location. In one embodiment, the signature value is not compared directly but is only compared after the value is encrypted to ensure that in the case of unauthorized manipulation of the program, the comparison value cannot be readily modified.
  • the signature register is coupled to the addresses of the program memory through a memory management unit.
  • the signature register may accumulate virtual addresses of the program memory in place of the actual addresses of the program memory thereby facilitating characterization of the program flow.
  • the virtual addresses may correspond to self-relative addresses.
  • the first mode of the processor is reserved for untrusted application program sequences while the second mode of the program is reserved for trusted system program sequences.
  • Untrusted program sequences are program sequences that are changeable and discernable by intervention outside the device.
  • Trusted program sequences are program sequences that are unchangeable and not discernable by intervention outside the device.
  • the device may correspond to a smart card.
  • Fig. 1 is a block diagram of a data processing device in accordance with an embodiment of the present invention.
  • Fig. 2 shows a flow chart for the execution of instruction sequences in accordance with an embodiment of the present invention.
  • FIG. 1 shows a block diagram of a data processing device 100 in accordance with the invention.
  • a memory 10 contains sequences of instructions that are addressed by an address generator 12 via a lead 13A and thereby read out successively.
  • the instructions read out are applied to an instruction register 14 which stores each time at least one instruction.
  • the instructions or at least parts thereof, are applied to various elements via the lead 15.
  • the instruction decoder 16 notably decodes the operation part of the instruction and conducts signals, via corresponding control leads, to other elements that are in this case shown in general as an execution device 18.
  • the execution device 18 includes notably a processor, such as a central processing unit (“CPU”) as well as registers (not shown).
  • a lead 19 from the execution device 18 to the address generator 12 conducts control signals to the address generator 12 when the execution of an instruction is to be terminated and the next instruction is to be called. Additionally, the lead 19 conducts control signals to the address generator 12, for example, in response to an instantaneous instruction (e.g., an interrupt instruction) or when on a state of the execution device 18, a different instruction portion is requested from the address generator 12.
  • the new address of the different instruction portion is preferably indicated, via the lead 15, by a part of the instruction present in the instruction register 14. In this case, this new address together with the control signal on lead 19 triggers a jump in the instruction sequence.
  • the lead 15 is also connected to an input of a signature register 20.
  • the signature register 20 is also connected, via a lead 13B, to the output of the address generator 12. In other embodiments it is also possible for only one of these two leads 13B and 15, to be connected to the signature register 20.
  • the signature register 20 accumulates newly received values from either or both of the address generator 12 and the instruction register 14 with the value stored in the signature register 20.
  • the signature register 20 stores the accumulated value in response to a received relevant signal from the instruction decoder 16 via a lead 17 A. It should be clear that the signature register 20 may accumulate all received values or any portion thereof to confound any intentional malicious intervention.
  • the signature register 20 may accumulate values in many known ways such as maintaining a checksum of the accumulated data, an exclusive-or (XOR) of accumulated data, or other known accumulation methods.
  • bits of incoming values may be combined/accumulated and thereafter may be accumulated to stored accumulation result.
  • accumulation methods may be known in the art, the particular method selected may be unknown to further foil attempts at concealing an unauthorized modification or supplementation of instructions.
  • all bits of incoming values may be accumulated wherein in other embodiments, only selected bits may be accumulated or even some combination thereof to further provide unpredictability (apparent random behavior) of the accumulated data.
  • the output 21 of the signature register 20 is illustratively connected to an input of a comparator 22.
  • a second input of the comparator 22 is connected to the lead 15 in the illustrative embodiment.
  • the comparator 22 outputs, via the lead 23, a value and a control signal to the address generator 12.
  • the address generator 12 is set to a given address so that a predetermined instruction sequence is executed.
  • the predetermined instruction sequence may, for example, be an interrupt instruction sequence that inhibits further functions of the device.
  • the signature register 20 may also contain an encryption device 24 that generates a new value from the combined value stored in the signature register 20 using a secret algorithm. This new value is stored in the signature register 20 in the presence of a relevant control signal on the lead 17A.
  • the signature register 20 then commences the further signature formation on the basis of a value that cannot be predicted by a person not knowing the encryption algorithm in the encryption device 24. Consequently, it is rendered difficult to modify the value applied to the comparator 22 by a relevant instruction in such a manner that in the case of a modification of the previous instruction sequence, the comparator 23 does not produce a signal or perform a jump into an interrupt instruction sequence. In this way, it can be checked whether the instruction sequences and the instructions contained therein are executed in the correct order and whether instructions therein have been modified.
  • a mode signal output from the execution device 18 on lead 17C acts as a hardware protection that excludes the application mode from accessing and/or modifying the signature register 20.
  • the device 100 such as a smart card, has distinct operating modes as determined by a hardware constraint in the form of the mode signal.
  • the exclusion of the interrupt code from the result of the signature register 20 is desirable to facilitate characterization of the application program and its flow by a unique signature. Inclusion of the interrupt code portions in the result renders the result dependent on the exact time or instruction portion where the interrupt code was executed with respect to the application program. This makes it more difficult to properly characterize the instruction flow by the result contained in the signature register 20 since the occurrence of an interrupt is not restricted to a given particular portion of the application program.
  • the system program In the system mode, the system program has full control over the result of the signature register 20. There is no need to protect the signature register 20 from alteration by the system program, since the system program is "TRUSTED” code, that is not modifiable from the "NONTRUSTED” application program, as controlled by a hardware protection mechanism as described in the German Patent Application No. 19804784.3. As shown therein, the system program is also in full control of the memory protection hardware, so the system program can protect itself from access by the application program.
  • the address generator 12 acts as a memory management unit that performs relocation of the addresses for accessing the memory 10 and for controlling addresses that may be output to the signature register 20 via the lead 13B. This is desirable since the signature register 20 may, in one embodiment, perform a checksum of the addresses, yet application programs may be loaded on the fly without defined (e.g., fixed) memory locations.
  • the addresses such as those referenced within the program (e.g., JUMP to address XX) should be changed for the final location of the program in memory.
  • a relocating loader may perform this change in the addresses.
  • the checksum in the signature register may no longer characterize the program, but the program at its new address.
  • the relocating loader is a utility program that typically modifies the address portion of a program, while it is brought into memory, e.g., before execution.
  • the relocation loader prior to program execution goes through the program and changes all references from a symbolic address (e.g., an address relative to the program flow and not relative to the actual location in memory where the program is stored) to the actual addresses where the program is stored.
  • the address generator 12 may solve this problem.
  • the program flow may at times refer to virtual addresses that are unchanged prior to execution.
  • the virtual addresses are output by the address generator 12 to the signature register 20 via the lead 13B so that the checksum in the signature register is unaffected by the actual addresses where the program is located in the memory 10.
  • the memory management unit performs the change of virtual addresses to the actual addresses and outputs these actual addresses via the lead 13 A to the memory 10.
  • the memory management unit or other means of address independence is desirable to facilitate the characterization of the program by the programs address sequence.
  • the memory management unit is under full control of the system program.
  • the system mode program "knows" the correspondence of application program virtual address to actual address. In this way, the application program only refers to the virtual addresses, which are unchanged, regardless of the location of the application program in memory. In this way, the signature register may characterize the program flow (by the virtual addresses) without being affected by the actual addresses.
  • the program portion may utilize self-relative addressing. Self-relative addressing renders the program portion "position-independent". This approach utilizes addressing modes in the CPU, like relative jumps, to ensure that the checksum in the signature register 20 characterizes the program flow.
  • self relative addressing the application program addresses are relative to some basis address, e.g., reflecting only the distance of a branch target from the current instruction. As long as the application program is moved in one piece, all branches inside the application program are unchanged, as the relative location of start and end of a branch move together.
  • the device 100 shown in Fig. 1 constitutes the control device of a smart card as described in the cited German patent application 19804784.3.
  • the control signal on the lead 17b may activate the comparator 22 and is generated preferably for each jump instruction whereby a jump to the described system program is executed.
  • the signature register 20 is set to not accumulate by a change in the mode signal from the CPU.
  • the system program is preferably stored in a part of the memory 10 that cannot be modified as discussed above.
  • the signature register 20 is released to accumulate again by the mode signal only upon a return jump to the application program.
  • the card reader 28 may form a further signature from said received value and may return this further signature to the signature register 20 via the lead 29.
  • the smart card may thus check whether it is cooperating with an appropriate, notably non-manipulated card reader.
  • Fig. 2 shows an illustrative flow chart of an execution of instruction sequences in accordance with an embodiment of the present invention.
  • the execution commences with a start 30 that symbolizes the introduction of the smart card into the card reader thereby establishing a conductive connection or a contactless connection.
  • a start program 31 is performed during which the card and the card reader exchange various data, for example in order to determine the nature of the card, whether authorization tests have to be performed, etc.
  • the processing proceeds with a program sequence 32 that forms a portion of an application program.
  • the mode signal of the CPU of the execution device 18 is cleared to zero thereby setting the signature register 20 to begin accumulating.
  • the program sequence 32 contains, in a predetermined position, a jump instruction to the system program.
  • the CPU sets the mode bit, thereby setting the signature register 20 to stop accumulating.
  • the processing proceeds with a sequence 33 of system instructions.
  • the sequence 33 verifies the signature previously formed during the processing of the program sequence 32.
  • further predetermined system instructions 34 are carried out, after which a return jump to the application program is made and the CPU clears the mode bit setting the signature register 20 to accumulate.
  • the application program continues at sequence 35 during which new signatures are formed by the signature register 20.
  • a jump is made to the system program and the CPU sets the mode bit, thereby setting the signature register 20 to stop accumulating.
  • the processing then proceeds with system instructions at sequence 36 and the signature formed is again tested. Additional system instructions may continue at sequence 37.
  • the sequence 37 may incorporate the generation of a new initial value, being an erasure or other alteration of the checksum stored in the signature register such as an encryption of the previously formed checksum.
  • the altered checksum may be written to the signature register 20 by the system program during sequence 37 of the system program. In this case, the altered checksum may be utilized as the basis for further checksum generation upon a return to an application program sequence.
  • the interruption program inhibits all further external operations of the card and directly leads to the end 42.
  • the system program may dispatch control to several application programs in a controlled fashion (e.g. in a cyclic mode for timesharing).
  • the system program may save and restore the corresponding intermediate results from/to the signature register 20, such that each separate application program execution only updates the result of the corresponding application program.
  • the system program may load a checksum A into the signature register 20, execute instructions of an application program A and accumulate to the checksum A, then save the accumulated checksum A. Thereafter, the system program may load a checksum B into the signature register 20, execute part of an application program B and accumulate to the checksum B, and then save the checksum B. The system program may then restore the checksum A into the signature register 20 and resume execution of the application program A, and so on. After both (or more) application programs are executed to some known point, the cumulative checksum of each of the application programs may be evaluated. This enables "timesharing" of not only the processor for several application programs at quasi the same time, but also “timesharing" of the checksum mechanism, such that the signature register 20 operates independently for all of the application programs involved at quasi the same time.
  • FIG. 1 shows separate functional blocks for the identified functions, one or more of these functions may be combined into a single block or divided into separate functional blocks.
  • any one or more of these functional blocks may be performed via an instruction sequence of a processor, may be performed by a hardwired integrated circuit, may be performed by a re-programmable integrated circuit, or any other known means or combination thereof.
  • Numerous alternative embodiments may be devised by those having ordinary skill in the art without departing from the spirit and scope of the following claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Mathematical Physics (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Storage Device Security (AREA)
  • Executing Machine-Instructions (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Selon l'invention, un dispositif permettant de déterminer si un programme applicatif a été manipulé frauduleusement est muni d'un registre de signatures couplé à la sortie du registre d'instructions et/ou aux adresses de la mémoire du programme. Le registre de signatures est également couplé à un bit modal d'un processeur fonctionnant selon deux modes opératoires. Dans un premier mode, le registre de signatures accumule la sortie du registre d'instructions et/ou des adresses de la mémoire du programme, sans toutefois que la sortie du registre de signatures soit visible à l'extérieur. Dans un deuxième mode, le registre de signatures est configuré de manière à ne plus accumuler des entrées. Dans ce deuxième mode, le contenu du registre de signatures est vérifié par comparaison avec une valeur déterminée. Cette valeur de comparaison peut effectivement être contenue dans une instruction à des possitions pertinentes dans le programme. Dans une autre forme de réalisation, la valeur de signature n'est pas comparée directement, mais seulement après chiffrement de la valeur afin de s'assurer qu'en cas de manipulation non autorisée du programme, la valeur de comparaison ne puisse pas être modifiée facilement.
PCT/EP2001/005560 2000-06-12 2001-05-14 Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions WO2001097010A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2002511070A JP2004503860A (ja) 2000-06-12 2001-05-14 データ処理方法及び保護された命令の実行のための装置
EP01936364A EP1295200A2 (fr) 2000-06-12 2001-05-14 Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US59206000A 2000-06-12 2000-06-12
US09/592,060 2000-06-12

Publications (2)

Publication Number Publication Date
WO2001097010A2 true WO2001097010A2 (fr) 2001-12-20
WO2001097010A3 WO2001097010A3 (fr) 2002-03-21

Family

ID=24369117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2001/005560 WO2001097010A2 (fr) 2000-06-12 2001-05-14 Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions

Country Status (3)

Country Link
EP (1) EP1295200A2 (fr)
JP (1) JP2004503860A (fr)
WO (1) WO2001097010A2 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1357459A1 (fr) * 2002-04-23 2003-10-29 STMicroelectronics S.A. Processeur securisé contre les deroutements
FR2849226A1 (fr) * 2002-12-20 2004-06-25 Oberthur Card Syst Sa Procede et dispositif de securisation de l'execution d'un programme informatique.
EP1548537A1 (fr) * 2003-12-23 2005-06-29 STMicroelectronics Limited Agencement d'un processeur sécurisé
EP1777622A2 (fr) * 2005-10-24 2007-04-25 Robert Bosch Gmbh Sécurisation de mémoire d'instruction par Control Flow Checking
WO2009021789A1 (fr) * 2007-08-16 2009-02-19 Siemens Aktiengesellschaft Procédé et dispositif de protection d'un programme contre une manipulation des flux de contrôle et contre un déroulement erroné du programme
EP3043232A1 (fr) * 2003-08-26 2016-07-13 Panasonic Intellectual Property Corporation of America Dispositif d'exécution de programme
US9646142B2 (en) 2003-02-07 2017-05-09 Acer Cloud Technology Inc. Ensuring authenticity in a closed content distribution system
EP3301600A1 (fr) * 2016-09-29 2018-04-04 Commsolid GmbH Procédé et appareil de suivi de signature
US11329663B2 (en) 2018-08-21 2022-05-10 Commsolid Gmbh Analog to digital converter
US11698969B1 (en) * 2021-06-25 2023-07-11 Amazon Technologies, Inc. Boot security of integrated circuit device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7322042B2 (en) * 2003-02-07 2008-01-22 Broadon Communications Corp. Secure and backward-compatible processor and secure software execution thereon

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0935214A2 (fr) 1998-02-06 1999-08-11 Philips Patentverwaltung GmbH Carte à puce avec circuit intégré
EP0977160A1 (fr) 1998-07-31 2000-02-02 Philips Corporate Intellectual Property GmbH Méthode et dispositif de traitment de données pour l'exécution fiable des instructions

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0484348A (ja) * 1990-07-27 1992-03-17 Nec Corp Romデータ保護方式
US5754762A (en) * 1997-01-13 1998-05-19 Kuo; Chih-Cheng Secure multiple application IC card using interrupt instruction issued by operating system or application program to control operation flag that determines the operational mode of bi-modal CPU

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0935214A2 (fr) 1998-02-06 1999-08-11 Philips Patentverwaltung GmbH Carte à puce avec circuit intégré
DE19804784A1 (de) 1998-02-06 1999-08-12 Philips Patentverwaltung Chipkarte mit integrierter Schaltung
EP0977160A1 (fr) 1998-07-31 2000-02-02 Philips Corporate Intellectual Property GmbH Méthode et dispositif de traitment de données pour l'exécution fiable des instructions

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1357459A1 (fr) * 2002-04-23 2003-10-29 STMicroelectronics S.A. Processeur securisé contre les deroutements
US7533412B2 (en) 2002-04-23 2009-05-12 Stmicroelectronics S.A. Processor secured against traps
US9092618B2 (en) 2002-12-20 2015-07-28 Oberthur Technologies Method and device for making secure execution of a computer programme
FR2849226A1 (fr) * 2002-12-20 2004-06-25 Oberthur Card Syst Sa Procede et dispositif de securisation de l'execution d'un programme informatique.
WO2004066127A1 (fr) * 2002-12-20 2004-08-05 Oberthur Card Systems S.A. Procede et dispositif de securisation de l'execution d'un programme informatique
US10263774B2 (en) 2003-02-07 2019-04-16 Acer Cloud Technology, Inc. Ensuring authenticity in a closed content distribution system
US9985781B2 (en) 2003-02-07 2018-05-29 Acer Cloud Technology, Inc. Ensuring authenticity in a closed content distribution system
US9646142B2 (en) 2003-02-07 2017-05-09 Acer Cloud Technology Inc. Ensuring authenticity in a closed content distribution system
US9524404B2 (en) 2003-08-26 2016-12-20 Panasonic Intellectual Property Corporation Of America Program execution device
EP3798874A1 (fr) * 2003-08-26 2021-03-31 Panasonic Intellectual Property Corporation of America Dispositif d'exécution de programme
US12019789B2 (en) 2003-08-26 2024-06-25 Panasonic Holdings Corporation Program execution device
EP3043232A1 (fr) * 2003-08-26 2016-07-13 Panasonic Intellectual Property Corporation of America Dispositif d'exécution de programme
US11651113B2 (en) 2003-08-26 2023-05-16 Panasonic Holdings Corporation Program execution device
US10970424B2 (en) 2003-08-26 2021-04-06 Panasonic Intellectual Property Corporation Of America Program execution device
US9811691B2 (en) 2003-08-26 2017-11-07 Panasonic Intellectual Property Corporation Of America Program execution device
US10607036B2 (en) 2003-08-26 2020-03-31 Panasonic Intellectual Property Corporation Of America Program execution device
US10318768B2 (en) 2003-08-26 2019-06-11 Panasonic Intellectual Property Corporation Of America Program execution device
US10108821B2 (en) 2003-08-26 2018-10-23 Panasonic Intellectual Property Corporation Of America Program execution device
EP1548537A1 (fr) * 2003-12-23 2005-06-29 STMicroelectronics Limited Agencement d'un processeur sécurisé
US7895447B2 (en) 2003-12-23 2011-02-22 Stmicroelectronics Limited Secure processor arrangement
EP1777622A2 (fr) * 2005-10-24 2007-04-25 Robert Bosch Gmbh Sécurisation de mémoire d'instruction par Control Flow Checking
EP1777622A3 (fr) * 2005-10-24 2009-04-22 Robert Bosch Gmbh Sécurisation de mémoire d'instruction par Control Flow Checking
US8843761B2 (en) 2007-08-16 2014-09-23 Siemens Aktiengesellschaft Method and apparatus for protection of a program against monitoring flow manipulation and against incorrect program running
WO2009021789A1 (fr) * 2007-08-16 2009-02-19 Siemens Aktiengesellschaft Procédé et dispositif de protection d'un programme contre une manipulation des flux de contrôle et contre un déroulement erroné du programme
EP3301600A1 (fr) * 2016-09-29 2018-04-04 Commsolid GmbH Procédé et appareil de suivi de signature
US11329663B2 (en) 2018-08-21 2022-05-10 Commsolid Gmbh Analog to digital converter
US11698969B1 (en) * 2021-06-25 2023-07-11 Amazon Technologies, Inc. Boot security of integrated circuit device

Also Published As

Publication number Publication date
JP2004503860A (ja) 2004-02-05
EP1295200A2 (fr) 2003-03-26
WO2001097010A3 (fr) 2002-03-21

Similar Documents

Publication Publication Date Title
JP4172745B2 (ja) プロセッサによる命令シーケンスの実行を監視する方法および監視装置
US9767271B2 (en) System and method for validating program execution at run-time
US7849315B2 (en) Method for managing operability of on-chip debug capability
US6952778B1 (en) Protecting access to microcontroller memory blocks
US10509568B2 (en) Efficient secure boot carried out in information processing apparatus
US7392404B2 (en) Enhancing data integrity and security in a processor-based system
CN108885663A (zh) 用于使处理器抵御瞬时故障攻击的自适应系统和程序
CN102968392A (zh) 防止存储器转储的微处理器
US10223117B2 (en) Execution flow protection in microcontrollers
JP2006522968A (ja) 携帯型データ・キャリアのバーチャル・マシン向けプログラムの制御実行
EP1295200A2 (fr) Procede et dispositif de traitement de donnees servant a proteger l'execution d'instructions
US7451485B2 (en) Information processing unit having tamper-resistant system
EP3454216A1 (fr) Procédé pour protéger l'accès non autorisé aux données dans une mémoire
US7516902B2 (en) Protection of a microcontroller
US7447916B2 (en) Blocking of the operation of an integrated circuit
EP1465038B1 (fr) Dispositif de mémoire sécurisée pour des environnements logiciel flexibles
JP2003504740A (ja) モノリシック安全保護モジュールにおける敏感な情報の処理の安全保護方法、および関連する安全保護モジュール
KR100300794B1 (ko) 칩카드에정보를입력하는방법
US20060265578A1 (en) Detection of a sequencing error in the execution of a program
US20130268934A1 (en) Dynamic method for controlling the integrity of the execution of an executable code
WO2007020758A1 (fr) Lsi pour carte ci
EP3667533A1 (fr) Procédé de sécurisation d'un système en cas de perte d'alimentation indésirable
US11847203B2 (en) Method, system and device for managing an execution of a program relating to part or all of a first application
JP7247638B2 (ja) 電子情報記憶媒体、icカード、改竄チェック方法、及びプログラム
CN117786699A (zh) 芯片初始化方法、装置、模块、电子设备和存储介质

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR

WWE Wipo information: entry into national phase

Ref document number: 2001936364

Country of ref document: EP

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR

WWP Wipo information: published in national office

Ref document number: 2001936364

Country of ref document: EP

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载