[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN118591804A - Method for detecting attempted linear extraction of memory contents - Google Patents

Method for detecting attempted linear extraction of memory contents Download PDF

Info

Publication number
CN118591804A
CN118591804A CN202280088087.5A CN202280088087A CN118591804A CN 118591804 A CN118591804 A CN 118591804A CN 202280088087 A CN202280088087 A CN 202280088087A CN 118591804 A CN118591804 A CN 118591804A
Authority
CN
China
Prior art keywords
instruction
circuit
code
counter
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202280088087.5A
Other languages
Chinese (zh)
Inventor
J-M·杜特特雷
T·古瑟洛特
J-B·里戈
O·波坦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institut Mines Telecom IMT
Original Assignee
Institut Mines Telecom IMT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institut Mines Telecom IMT filed Critical Institut Mines Telecom IMT
Priority claimed from PCT/EP2022/081057 external-priority patent/WO2023083776A1/en
Publication of CN118591804A publication Critical patent/CN118591804A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for detecting an attempted linear extraction of a program code recorded in a memory (10) of an electronic circuit (1), said code comprising program instructions which, for being read by a microprocessor core (14), are loaded in sequence through an instruction bus (11) into an instruction register (12) for storing instructions, said instruction register being controlled by at least a clock signal (clk) and a reset signal (reset), each instruction being loaded into said instruction register (12) on an edge of said clock signal (clk), said code comprising interrupt instructions and/or "security mark" instructions interposed between said program instructions so as to be read during execution of the program, said method comprising triggering a predetermined alarm action (300) according to a predetermined monitoring rule without detecting an interrupt instruction or a security mark.

Description

Method for detecting attempted linear extraction of memory contents
Technical Field
The present invention relates to a method for detecting attempted linear fetches of the contents of a memory of a microcontroller or processor, and an electronic circuit configured to detect such attempted fetches.
Background
Smart card piracy has become a common phenomenon. Almost all types of smart card processors used in the european, american and asian pay tv conditional access systems have been successfully redesigned since the beginning of the 90 s of the 20 th century. Illegal clone cards that are able to decrypt television channels without introducing revenue to broadcasters are already on the market. The industry has updated secure processor technology many times, but the challenges have not ended far.
O.Examples of integrated circuit attacks and some countermeasure techniques are presented in article "DESIGN PRINCIPLES for Tamper-RESISTANT SMARTCARD Processors" published by the society of smart card technology in 1999 USENIX.
Two main attack categories can be distinguished: invasive attacks and non-invasive attacks.
In the case of a non-invasive attack, the card being attacked is not physically damaged, and the devices used in the attack can often be disguised as a normal smart card reader.
With respect to invasive attacks, these attacks are probe-based physical attacks that include using probes (using micromanipulators to position metal pins on metal tracks) to access interconnects of logic portions of integrated circuits.
The probe may be connected to an oscilloscope (via an amplifier if necessary) to be able to read the internal data manipulated by the target circuit.
The probe may also be driven by a signal generator and used to force an arbitrary logic value on the internal node of the target circuit (e.g., by setting the value of a control signal to force the circuit into a given unsafe state).
Such attack techniques may be passive (for eavesdropping purposes only) and/or active and create errors in the circuit.
Ion guns (focused ion beams, FIBs) are commonly used to access the interconnections to be probed. Ion guns are fault analysis instruments used in microelectronics to hole, cut interconnect tracks in integrated circuits, and (re) create electrical contacts between tracks.
Dmitry Nedospasov, a doctor paper entitled "Security of the IC backsid" describes invasive attacks, in particular linear code extraction techniques.
Publications "The past,present,and future of physical security enclosures:From battery-backed monitoring to PUF-based inherent security and beyond", hardware and system safety journal of Johannes Obermaier and VINCENT IMMLER, month 8 of 2018, and publications "Tamper Proof, TAMPER EVIDENT Encryption Technology" of PHIL ISAACS et al, the general pacific seminar, SMTA,2013, illustrate examples of countermeasures for using protective covers.
The program code of the security circuit comprises a plurality of parts stored in its flash memory or ROM memory (the program code may be executed from ROM, flash memory or RAM memory). This code prevents replay attacks, which might otherwise jeopardize the security of the range of security circuits under consideration.
Knowing these codes makes it possible to develop hardware and software attacks. The manufacturer or user of the security circuit must protect the confidentiality of the code by preventing the code from being extracted or dumped.
For an attacker, linear code extraction involves replaying the code of the circuit in the correct order from the first memory address to the last memory address (otherwise the code is not available).
Playback of the code of the circuit is prevented until the code is released to the market. This is why an attacker uses invasive attack techniques for linear code extraction.
It should be noted that linear code extraction may also be used to extract keys and other confidential information stored in the circuit.
In the above papers, some techniques are mentioned to prevent linear code extraction, such as embedding security related signals in the underlying metal layers of the circuit, adding sensors or using the execution of register redundancy randomization programs, etc.
Disclosure of Invention
Further improvements in methods for detecting attempted linear fetches of the contents of electronic memories are needed, particularly in terms of ease of implementation and efficiency.
Detection method
The present invention aims at solving this object and according to one aspect thereof relates to a method for detecting an attempted linear extraction of a program code recorded in a memory of an electronic circuit, the code comprising program instructions for being read by a microprocessor core, which program instructions are loaded in sequence through an instruction bus into an instruction register for storing said instructions, which instruction register is controlled by at least a clock signal and a reset signal, each instruction being loaded into the instruction register on an edge of the clock signal, the code comprising interrupt instructions and/or so-called "security tag" instructions interposed between the program instructions for being read during execution of the program, the method comprising triggering a predetermined alarm action according to a predetermined monitoring rule in the absence of detection of an interrupt instruction or a security tag.
An interrupt instruction is defined as a set of program instructions capable of controlling the flow of program execution (conditional and unconditional branches, jumps, function calls and returns, etc.). Generally, an interrupt instruction interrupts linear execution of a program such that execution of the interrupt instruction results in a transition to an instruction having an address that is not consecutive to the address of the interrupt instruction.
"Linear execution" of a program is understood to mean that the instructions are executed in the order of their consecutive memory addresses.
"Security tag" is understood to mean a specific instruction inserted into a code recorded in a memory to protect its content from being linearly extracted. The security tag has the same structure as the instructions of the instruction set used by the considered electronic circuit. If the security tag is used in a circuit that uses an instruction size of, for example, 32 bits, the security tag includes 32 bits of information.
For an attacker, linear code extraction includes instructions that continually read the code.
The linear code fetch may include probing the instruction bus and activating a reset signal so that the microprocessor core reads only the null instruction.
By means of the invention such a linear code extraction attack can be easily detected, in particular by detecting the absence of an interrupt instruction or a security tag.
The predetermined monitoring rule may be that no interrupt instruction or security flag is detected within a predetermined period of time and/or after a predetermined number of program instructions are read and/or after a predetermined number of clock cycles.
Security tag
Preferably, the security mark is inserted into the code with a variable period. Which makes them difficult to detect and/or identify by an attacker.
The period of insertion of the security mark may be pseudo-random.
The security marks are preferably inserted into the code such that execution of program instructions located between consecutive two security marks corresponds to a number of clock cycles less than the clock cycle resulting in triggering the predetermined alarm action.
The two security marks in succession are preferably arranged such that the number of clock cycles resulting in triggering the predetermined alarm action is greater than the maximum number of clock cycles required to execute a program instruction located between the two security marks.
In fact, the number of clock cycles required to execute an instruction may be variable (which may be unknown a priori in some cases). Thus, the number of clock cycles resulting in triggering the predetermined alarm action is preferably envisaged for a worst case scenario which is greater than the maximum number of clock cycles required to execute program instructions located between two consecutive security marks.
At least one security mark is preferably inserted at the beginning and end of the code of the function forming part of the program.
Preferably, at least one security tag is inserted at the destination address of the branch instruction.
At least one security mark is preferably inserted at the beginning or end of the code of the loop forming part of the program.
Inserting security marks in the case of a function, branch or loop reduces the number of instructions executed between consecutive two security marks and avoids unnecessary triggering of a predetermined alarm action.
In one embodiment, the security tag is encoded with at least one specific bit having a significance corresponding to the same significance as the significance of at least one feature bit of the branch instruction, the specific bit having the same encoded value as the encoded value of the feature bit, so as to trigger a predetermined alert action upon occurrence of an attack based on the forced setting of the complementary binary value of the feature bit.
In fact, for some instruction encodings (depending on the manufacturer), the branch instruction has a characteristic value on a particular bit.
If, for example, the instruction set encoded on 16 bits is considered (the same reasoning applies to instructions on 32 bits and 64 bits as well), it may be inferred, for example, taking into account that the most significant index bit (bit 15 in this case) of all branch instructions is a value of 1. However, it is the branch instruction that introduces an interrupt in executing code (thus preventing linear fetching).
Thus, an attacker can perform an invasive linear code extraction attack by forcing this feature bit (bit 15, most significant bit) of the instruction (including the branch instruction) to 0 when executing the code. Because this bit is reset to zero, the branch instruction of the code is no longer interpreted as a branch instruction. The instruction pointer (which is intended to contain the memory address of the instruction to be executed) is then incremented so as to read all instructions of the code in turn (as long as the feature bit is forced to be set to 0). Thus, the attacker does not need to force the instruction register reset signal. This attack is better suited to the case where the instruction register does not have a reset signal.
If the bit-level encoding of the security tag is characterized by a most significant bit of 0, it is not corrupted by forcing the most significant bit to 0. Thus, the detection method is ineffective for linear fetching based on the forced set bits (allowing disabling of branch instructions).
Selecting an appropriate encoding of the security tag enables the validity of the detection method to be guaranteed to prevent the forced setting of bits to a given level that leads to a vulnerability.
With reference to the previous example, selecting to encode the most significant bit of the security tag as a1 (which is the same as the value and feature bits of the branch instruction) ensures that forcing that bit to 0 prevents the security tag from being recognized. Thus triggering a predetermined alarm action in case no security marker is detected.
The security tag may be inserted into the code at the compilation stage of the code and then loaded into memory during programming of the circuit.
Alternatively, the security mark is inserted into the code during execution of the code, in particular when the program instructions are read from the memory.
In this case, the memory contains control logic with logic blocks that periodically insert security marks between program instructions as they are read.
In particular, when the security tag is loaded into the instruction register, the logic block sends a wait cycle command to the microprocessor core, causing the microprocessor core to insert a wait cycle into the execution stream upon receipt of the security tag. In another embodiment, the microprocessor core is configured to identify the security tag and update the request to read the instruction that has been shifted by the insertion of the security tag. This mode of operation enables saving of memory space and also allows a simpler implementation of the detection method, since the program does not have to be modified since no security marks are inserted therein.
Preferably, the security marks differ from each other in terms of their payloads. This can confuse an attacker and make it more difficult to bypass the detection method.
In one embodiment, the program instructions and security marks are stored in memory in encrypted form and decrypted before being loaded into the memory registers.
Interrupt instruction
The absence of a security tag may not be detected, but rather the absence of an interrupt instruction. Thus, it is no longer necessary to include a security tag in the code, which results in less extension of the execution time than if the security tag were used in the program, since the execution of the security tag requires at least one clock cycle. Furthermore, the detection method according to the modification can be applied without modifying the compiler.
In one embodiment, the method includes, in the step of analyzing the code prior to loading the code into the register, inserting at least one linear execution interrupt instruction into a portion of the code that includes program instructions whose execution corresponds to a number of clock cycles that can cause a predetermined alarm action to be triggered. This allows avoiding triggering a false alarm when no attack is in progress.
"Linear execution interrupt instruction" is understood to mean an interrupt instruction that causes linear execution of a program. The insertion of a linear execution interrupt instruction into the code portion does not affect the sequential execution of instructions of the code portion that are located consecutively in memory.
A linear execution interrupt instruction may be inserted during compilation of code, the instruction being stored in memory and having a memory address. In this case, the linear execution of the interrupt instruction causes the unit of memory address of the following instruction to increment.
Alternatively, the linear execution interrupt instructions are inserted after the instructions to be loaded have been read from memory and before the instructions are loaded into the instruction registers. In this case, then, the linear execution interrupt instruction has no memory address, and the memory address of the instruction following it is made to be reserved. This option allows not modifying the compiler, nor increasing the memory surface area.
The predetermined alert action may include at least one of the following actions: resetting the electronic circuit; erasing the memory; resetting the read address in the memory to zero; the read address in the memory adopts a discontinuous value, so that the extraction of codes becomes nonlinear; and skipping a section of code, in particular a sensitive section to be protected.
In one embodiment, the detection method is always implemented to protect the entire program code, the first instruction of which may be an interrupt instruction or a security tag. In this case, the attack detection logic is always activated (and, depending on the design, cannot be deactivated (disengage)).
In a further embodiment, the detection method is implemented in a parametrizable manner by configuring a fuse, in particular a one-time programmable fuse, in a programming phase of the circuit, or configuring a variable in a non-volatile memory, in particular a flash memory or an EEPROM memory, reading a value stored in the fuse or the non-volatile memory when the circuit is started, in particular when the circuit is powered up or when the circuit is woken up after a reset, said value enabling activation of the detection method, and if the method is activated, the first instruction of the program code is an interrupt instruction or a security flag. In the case of such parametrizable implementations, when the circuit is started (wakened up after power-up or reset), the stored value (the value stored in the fuse or non-volatile memory) is read and enabled or kept inactive. The choice is explicit for the whole duration of use of the circuit.
The detection method may be implemented to protect at least a portion of the program code defined by a start address and an end address, the method being activated upon reading a program instruction whose address is located between the start address and the end address for execution, and deactivated upon reading a program instruction not belonging to said code portion for execution. In this case, the detection method for the at least one code section is always activated and cannot be deactivated, that is to say, the detection method is activated each time an instruction belonging to the code section is executed.
The detection method is applicable to any type of memory that may contain program code for execution by a microprocessor core.
The memory may be embedded in the same integrated circuit as the microprocessor core executing the instructions, such as an embedded flash memory or RAM memory, or the memory may be an external DRAM memory.
Electronic circuit
According to a further aspect, the invention also relates to an electronic circuit comprising at least a memory, a microprocessor core, an instruction bus, a read bus, an address bus, and an instruction register for storing instructions, the instruction register being controlled by at least a clock signal and a reset signal, the memory being connected to the instruction register via the instruction bus, the instruction register being connected to the microprocessor core via the read bus, the microprocessor core comprising an instruction pointer intended to contain a memory address of an instruction to be executed, the microprocessor core being connected to the memory via the address bus, the circuit being configured to detect an attempted linear extraction of program code recorded in the memory, the code comprising program instructions, which program instructions are loaded in sequence into the instruction register via the instruction bus under command of a clock signal for being read by the microprocessor core, the code comprising interrupt instructions and/or so-called "security tag" instructions interposed between the program instructions, in order to be read during execution of the program, the microprocessor core comprising a protection circuit for preventing the attempted linear extraction of the interrupt instructions or the security tag, the protection circuit being able to trigger a predetermined alarm action according to a predetermined monitoring rule in case no interrupt instructions or security tag are detected.
Instruction load or clock cycle counter
The protection circuit preferably comprises an instruction load or clock cycle counter, which is preferably decremented, in particular configured to decrement after each instruction load into the instruction register or after each clock cycle, which is in particular configured to be periodically reset to a parametrizable value, which is in particular periodically reset by the security flag before it reaches an alarm threshold value, in particular zero, which protection circuit is preferably configured to trigger a predetermined alarm action when the instruction load or clock cycle counter reaches the alarm threshold value.
Continuous instruction counter
In an embodiment, the circuit according to the invention comprises a continuous instruction counter configured to decrement after each execution of a continuous instruction, the continuous instruction counter preferably being configured to be periodically reset to a parametrizable value, the continuous instruction counter being periodically reset by executing an interrupt instruction before it reaches an alarm threshold (in particular zero), the protection circuit being configured to trigger a predetermined alarm action when the continuous instruction counter reaches the alarm threshold.
"Continuous instructions" are understood to mean instructions that cause a program to execute linearly, not interrupt instructions.
The parametrizable reset value of the sequential instruction counter may be set in an initialization phase prior to program execution or dynamically during program execution.
Alternatively, the counter is reset to a value explicitly set in the hardware design of the circuit.
If the continuous instruction counter reaches the alarm threshold, the absence of an interrupt instruction is detected and a predetermined alarm action is triggered.
As a variation, the consecutive instruction counter is incremented rather than decremented.
The sequential instruction counter may be located in the microprocessor core, in particular in the protection circuit. Alternatively, the sequential instruction counter is located in the microprocessor core but outside the protection circuitry. The sequential instruction counter may also be located external to the microprocessor core, such as between the memory and the core.
Multiple counters may be distributed in different locations. This has the advantage that attacks can be countered, which disable the signal used by the counter, so that it remains frozen and no longer can be detected. Multiple counters are used to detect the predetermined alarm actions, and if the counters take different values, such attacks may be thwarted. In fact, the diversity of the counters and their different locations complicate the task of the attacker, who would have to spoof each counter.
The information that the instructions have been executed may come from any internal source: such as control signals, status signals, instruction address changes.
Linear execution interrupt instruction insertion block
The circuit according to the invention may comprise a linear execution interrupt instruction insertion block, which is a circuit external to the memory, in communication with the memory and the instruction register, configured to insert at least one linear execution interrupt instruction into a portion of the code read comprising program instructions whose execution corresponds to the number of clock cycles that can cause triggering of the predetermined alarm action. This allows to avoid triggering a false alarm by resetting the counter before reaching the alarm threshold when no attack is made, in particular when the reset value of the consecutive instructions counter is fixed.
Alternatively, the linear execution interrupt instruction insertion block is integrated into the memory.
The program is analysed before being loaded into the program memory of the circuit so that the reset value of the successive instruction counter (if this value is configurable) can be selected appropriately or it is determined whether it is necessary to insert a linear execution interrupt instruction and where to place them appropriately. If the reset value of the consecutive instruction counter is fixed and not high enough, it may be useful to insert at least one linear execution interrupt instruction into a code portion containing a long consecutive instruction sequence that is prone to trigger a false alarm. An alternative is to add a hardware linear execution interrupt instruction insertion block as described above.
Linear execution interrupt instruction counter
In one embodiment, the circuit according to the invention comprises, in addition to a continuous instruction counter, a linear execution interrupt instruction counter configured to decrement after each execution of a linear execution interrupt instruction, the linear execution interrupt instruction counter preferably being configured to be periodically reset to a parametrizable value, the linear execution interrupt instruction counter being periodically reset by executing a non-linear execution interrupt instruction before it reaches an alarm threshold (in particular zero), the protection circuit being configured to trigger a predetermined alarm action when the linear execution interrupt instruction counter reaches the alarm threshold.
Of course, in contrast to a linear execution interrupt instruction, a "non-linear execution interrupt instruction" is an interrupt instruction that causes a non-linear change in instruction address. In other words, after executing the nonlinear execution interrupt instruction, the instruction address is not incremented in units.
The parametrizable reset value of the linear execution interrupt instruction counter may be set in an initialization phase prior to program execution or dynamically during program execution.
Alternatively, the linear execution interrupt instruction counter is reset to a value explicitly set in the hardware design of the circuit.
As a variation, the linear execution interrupt instruction counter is incremented rather than decremented.
The information that the instruction is an interrupt instruction may come from any internal source: such as control signals, status signals, instruction address changes. In particular, the information that interrupts instructions to cause linear execution may desirably come from a change in instruction address. However, this information may be cross-correlated with other information sources such as: control signals and status signals. For example, on the cv32e40p core (RISC-V instruction set), there is a "branch_token" signal to identify if the execution of a branch instruction is linear when it is executed.
If the linearly executing interrupt instruction counter reaches the alarm threshold, a miss of the interrupt instruction causing a nonlinear change in instruction address is detected and a predetermined alarm action is triggered.
The linear execution interrupt instruction counter makes it possible in particular to detect attacks that include injecting only interrupt instructions to the core that cause linear execution, such as branch instructions that never meet their condition. This type of attack can disable the write-enable signal (write_enable) of the instruction register, so that the instruction contained in the register (in this case, it is a linear execution interrupt instruction) is stored there as long as the write-enable signal is disabled. The sequential instruction counter alone will not detect such an attack because it will be permanently reset by the stored interrupt instruction.
The linear execution interrupt instruction counter also enables detection of an attack that includes forcing a linear change in instruction address (e.g., an attack that includes forcing a control signal that sets a multiplexer that provides instruction addresses) in order to select an input that causes a linear change in instruction address independent of instructions executing in the core. In fact, the effect of this attack is that all interrupt instructions are linear execution interrupt instructions. The sequential instruction counter alone cannot detect such an attack because it resets after each interrupt instruction enters the core. However, the linear execution interrupt instruction counter will never reset and will decrement after each (linear execution) interrupt instruction, so the attack will be detected.
Cycle counter
In addition to a continuous instruction counter, the circuit according to the invention may further comprise a cycle counter for detecting that no instruction is executed, configured to increment after each clock cycle, the cycle counter being periodically reset, in particular reset to zero, by executing an instruction before it reaches an alarm threshold, in particular a parametrizable value, the protection circuit being configured to trigger a predetermined alarm action when the cycle counter reaches the alarm threshold.
The alarm threshold of the counter may be a threshold defined based on a core specification considering the maximum number of cycles required to execute an instruction of code. If the threshold is reached, no execution of the instruction is detected.
The cycle counter is reset after each instruction executed (based on the same signal as the signal that decrements the interrupt instruction counter).
The cycle counter may be used in combination with a continuous instruction counter and possibly a linear execution interrupt instruction counter.
In the event of an attack that disables a signal containing information that an instruction has been executed (an internal signal that can be disabled along with the write enable signal of the instruction register), the continuous instruction counter will not decrement nor will the linear execution interrupt instruction counter. Thus, no such attack can be detected by the sequential instruction counter alone or in combination with the linear execution interrupt instruction counter, where applicable. However, the cycle counter will detect that no instruction is being executed and will trigger a predetermined alarm action to signal that an attack is in progress.
Linear execution sequence length counter
In an embodiment, the circuit according to the invention comprises a linear execution sequence length counter for detecting a sequence of linear execution consecutive instructions and/or interrupt instructions of length exceeding a given length and configured to increment after each execution of an instruction or after each clock cycle, the linear execution sequence length counter being periodically reset, in particular to zero, by changing at least one microprocessor core signal indicating the end of execution of the linear execution sequence before it reaches an alarm threshold, the protection circuit being configured to trigger a predetermined alarm action when the linear execution sequence counter reaches the alarm threshold.
The linear execution sequence length counter enables detection of a linear execution sequence that is disproportionate with respect to the length of the instruction set used.
The counter measures the length of the linear execution sequence. In fact, the number of linear load instructions from memory is counted.
Variations with linear execution sequence length counters no longer require the addition of new instructions. It relates only to observation-based detection. Therefore, the execution time and size of the program in the memory do not change. The cost is that the detection delay of the attack will be greater.
Variations with a linear execution sequence length counter make it possible to detect in particular all the attacks described above (activating a reset of the instruction register, storing the instruction in the instruction register, forcing a linear change of the instruction address, etc.).
The at least one microprocessor core signal indicating the end of execution of the linear execution sequence may be from an observation of a read address sent by the microprocessor core to the memory.
The alarm threshold may be a parametrizable value or a value explicitly set in the hardware design of the circuit. If the threshold is a parametrizable value, the threshold may be set dynamically at the time the program is compiled or during program execution (the threshold may be applied to each code portion to ensure low detection delay).
The alarm threshold of the linear execution sequence length counter may be set to not cause any detection upon normal execution of a program representing the selected instruction set.
If the threshold is reached, a linear execution sequence of disproportionate length is detected.
Alternatively, the linear execution sequence length counter is decremented (rather than incremented).
In addition to measuring the length of the linear execution sequence based on changes in instruction addresses, it is also possible to check the consistency of changes in instruction addresses with changes in other core signals, for example based on changes in control signals, status signals or control signals etc. of the multiplexer providing the instruction addresses.
The linear execution sequence length counter may have different positions in the circuit.
A linear execution sequence length counter may be coupled to the instruction address bus. Thus, the length of the linear execution sequence may be counted by reading the addresses (incremented in units when consecutive addresses are one after the other).
The linear execution sequence length counter may be coupled to an internal signal of the core. Thus, the length of the linear execution sequence may be counted by observing these signals, e.g., the linear execution sequence may continue as long as the address multiplexer command is maintained by selecting the "linearly incremented address" input.
A linear execution sequence length counter may be coupled to the instruction bus. Thus, the length of the linear execution sequence may be counted by observing particular bits of the instruction (e.g., bits in function 3 (funct) and opcode field of the code of the RISC-V core instruction) to determine if the instruction is an interrupt instruction.
The memory may be flash memory, ROM, RAM or DRAM memory. In the last case, the memory is external, that is, not embedded in the same integrated circuit as the microprocessor core executing the instructions.
The circuitry may include decryption circuitry located between the memory and the instruction register for decrypting program instructions and security marks before they are loaded into the register. This applies to the case where the program instructions and the security marks are stored in encrypted form in the memory.
In one embodiment, at least a portion of the program code defined by the start address and the end address is protected from linear extraction by a protection circuit, and when the circuit is programmed, the start address and the end address are stored in a non-volatile memory that is protected from erasure and modification.
The protection circuit preferably comprises a register for loading said start address and end address, said addresses being loaded into said register when the circuit is started, said protection circuit being especially configured to determine whether an instruction whose address is comprised in the instruction pointer belongs to said at least one code portion, wherein the determination is made by comparing the address with the start address and the end address. If this is the case, the detection method is activated. The selection of the protected code portion may involve, for example, an initial stage (start-up stage) of the circuit and/or a code portion implementing a security function (e.g., using a cryptographic tool).
In one embodiment, the circuit comprises a circuit referred to as a "watchdog" circuit for restarting the circuit in the event of a program failure, the watchdog circuit comprising a watchdog counter that is incremented on an edge of a clock provided by an oscillator internal to the circuit, the watchdog circuit being configured to be in a reset mode to output a signal to the circuit that resets to zero when the watchdog counter reaches a predetermined value, the watchdog counter being periodically reset to zero by executing an instruction to reset the counter.
The circuit may include a hardware fuse that enables the watchdog circuit to be activated at all times, such that when the fuse is blown during circuit programming, the watchdog circuit is permanently activated in a reset mode.
According to another aspect, the invention also relates to the use of an electronic circuit comprising a hardware fuse enabling the watchdog circuit to be activated at all times, the fuse being blown and a watchdog counter reset instruction being used as a security flag.
Protection method
According to another aspect, the invention also relates to a method for protecting program code, comprising inserting in the code an interrupt instruction or a security marker for implementing the detection method according to the invention.
In one embodiment, the insertion is performed during code programming.
In another embodiment, the insertion is performed during or after code compilation.
Alternatively, the insertion is performed after the instructions to be loaded are read from the memory storing the code and before the instructions are loaded into the instruction register.
Drawings
The invention will be better understood from reading the following detailed description of a non-limiting exemplary implementation of the invention, and from viewing the accompanying drawings, in which:
fig. 1 schematically shows an example of a circuit in the prior art, which cannot prevent a code contained in a memory of the circuit from being linearly extracted;
FIG. 2 is a view similar to FIG. 1, schematically illustrating one example of a linear code extraction attack;
FIG. 3 is a view similar to FIG. 2, schematically illustrating decryption of code instructions;
Fig. 4 is a view similar to fig. 3, schematically showing a first example of a circuit according to the invention;
FIG. 5 schematically illustrates a second example of a circuit with modified memory control logic according to the present invention;
FIG. 6 schematically illustrates one example of a protected code portion according to the present invention;
FIG. 7 schematically illustrates a function call in code at risk of triggering a false alarm;
FIG. 8 is similar to FIG. 7 with the addition of a security tag to avoid triggering a false alarm;
fig. 9 schematically shows branches in code at risk of triggering a false alarm;
FIG. 10 is similar to FIG. 9 with the addition of a security tag to avoid triggering a false alarm;
FIG. 11 schematically shows a cycle of code at risk of triggering a false alarm;
FIG. 12 is similar to FIG. 11 with the addition of a security tag to avoid triggering a false alarm;
FIG. 13A third example of a circuit according to the present invention is schematically illustrated in FIG. 13, in which instruction registers form part of a microprocessor core;
fig. 14 schematically shows a fourth example of a circuit according to the invention, wherein the memory is external;
Fig. 15 shows a fifth example of a circuit according to the invention, which is identical to the circuit of fig. 4, but without decryption circuitry;
FIG. 16 schematically illustrates one example of a code portion for inserting a linear execution interrupt instruction;
fig. 17 schematically shows two examples of code sections in which a linear execution interrupt instruction is inserted inside (right-hand example) and outside (left-hand example) a memory storing code;
Fig. 18 schematically shows a sixth example of a circuit according to the invention with a continuous instruction counter and a linear execution interrupt instruction insertion block;
fig. 19 schematically shows an example of an instruction sequence to be executed after an attack that stores an interrupt instruction causing linear execution in an instruction register;
fig. 20 schematically shows a seventh example of a circuit with a linear execution interrupt instruction counter and one example of an attack of forcing a control signal setting a multiplexer providing an instruction address according to the present invention;
fig. 21 schematically shows an eighth example of a circuit with a cycle counter according to the invention and one example of an attack against a signal that an instruction has been executed; and
Fig. 22 schematically shows a ninth example of a circuit according to the invention, showing different positions of a linear execution sequence length counter.
Detailed Description
Fig. 1 schematically shows an electronic circuit 1 according to the prior art. The circuit 1 comprises a memory 10, a microprocessor core 14, an instruction bus 11, a read bus 13, an address bus 15, and an instruction register 12 for storing instructions, the instruction register 12 being controlled by a clock signal clk and a reset signal reset for resetting the content of the instruction register 12 to zero.
The memory 10 is connected to an instruction register 12 via an instruction bus 11.
The memory 10 contains program code whose instructions are transferred from the memory 10 via the instruction bus 11 to be loaded into the instruction register 12 in sequence on an edge of the clock signal clk, for example on a rising edge of the clock.
The instruction register 12 is connected to the microprocessor core 14 through a read bus 13, and instructions to be executed are transferred to the microprocessor core 14 via the read bus 13.
Microprocessor core 14 includes an instruction pointer 140 for a memory address containing an instruction to be executed.
Microprocessor core 14 is connected to memory 10 by address bus 15. The address bus contains the memory addresses of instructions to be executed following the instruction currently being executed.
Fig. 2 is a view similar to fig. 1, schematically illustrating one example of a linear extraction attack on code contained in memory 10.
In a preliminary step, an attacker has to find the interconnection of the circuit 1.
In a first step, an attacker places probe 200 on a reset signal to force instruction register 12 to reset to zero. Thus, the microprocessor core 14 receives a null instruction: 00000 … 0, and interpret the null instruction as a no operation (nop) instruction. Thus, microprocessor core 14 translates into fetching subsequent instructions, and so on. The attacker successfully completes an instruction-by-instruction linear and gradual fetch of the program code contained in memory 10.
In a second step, the attacker finds the interconnect of the instruction bus 11 and places one or more probes 201 on the interconnect. Thus, an attacker tries to read code instructions bit by bit in sequence.
In an optional third step, an attacker places probe 202 on clock signal terminal clk to find out when to read the data on instruction bus 11.
This is one example of an extremely difficult attack, as an attacker replaces all instructions read from memory in the instruction register 12 with null instructions (nops) by forcing the instruction register 12 to reset to zero.
Furthermore, the code of the security circuit is typically encrypted. However, this cannot prevent the use of probes to linearly extract the code because the code must be decrypted before it can be executed.
Fig. 3 is a view similar to fig. 2, schematically illustrating decryption circuitry 16 for decrypting code instructions. As shown, probes 200, 201, 202 are placed downstream of decryption circuitry 16, allowing an attacker to read the decrypted instructions.
Fig. 4 is a view similar to fig. 3, schematically showing a first example of a circuit 1 according to the invention.
The circuit 1 has the same architecture as described above, i.e. has a memory 10, a microprocessor core 14, an instruction bus 11, a read bus 13, an address bus 15, and an instruction register 12 for storing instructions, the instruction register 12 being controlled by a clock signal clk and a reset signal reset for resetting the content of the instruction register 12 to zero. Decryption circuitry 16 is still optional and decryption circuitry 16 is present if the instructions are stored in memory in encrypted form. Fig. 15 shows the circuit of fig. 4 without decryption circuit 16.
In the embodiment shown in FIG. 13, instruction register 12 forms a portion of microprocessor core 14.
The memory 10 is, for example, a flash memory, a ROM, a RAM or a DRAM memory. In the last case shown in fig. 14, the memory 10 is external, that is, the memory 10 is not embedded in the same electronic circuit 1 as the microprocessor core 14 executing the instructions.
The program code recorded in the memory 10 is modified to include protection instructions called "security marks" which are inserted into the program instructions to be read during program execution. For example, the security mark is inserted into the code at variable periods, thereby making the security mark difficult to detect and/or identify. To fool the observer and to complicate detecting and/or identifying the security marks, these security marks may differ from each other, in particular in terms of their payload.
The microprocessor core 14 includes a protection circuit 18 for preventing attempted linear extraction that is capable of triggering a predetermined alarm action 300 if no security tag is detected according to a predetermined monitoring rule.
The predetermined monitoring rule may be that no security mark is detected within a predetermined period of time and/or after a predetermined number of program instructions are read.
For example, as shown, the protection circuit 18 includes a decremented instruction load or clock cycle counter 20, the counter 20 being configured to decrement after each instruction load into the instruction register 12 or after each clock cycle and be periodically reset to a parametrizable positive value.
Instruction load or clock cycle counter 20 is periodically reset by a security tag before it reaches zero. If the instruction load or clock cycle counter 20 reaches zero, the protection circuit 18 is configured to trigger a predetermined alarm action 300.
Alternatively, the instruction load or clock cycle counter 20 may be incremented from zero, in which case the predetermined alert action 300 is triggered when the instruction load or clock cycle counter 20 reaches a predetermined (optionally parameterizable) value. The predetermined parametrizable value may be a value contained in the payload of a previously executed security tag.
The predetermined alert action 300 may be: reset circuit 1, erase memory 10, reset the read address in memory to zero (in which case the attacker infinitely reads the same short starting instruction sequence), allocate non-uniform non-consecutive values to the read address in memory (in particular by loading random values into address registers in memory after each clock cycle (in which case the code extraction becomes non-linear)), skip a section of code (in particular a sensitive section to be protected (in which case the attacker extracts useless code)), etc.
The security tag may be inserted into the code at the compilation stage of the code and then loaded into memory during circuit programming.
Alternatively, the security mark is inserted into the code during execution of the code, in particular when the program instructions are read from the memory.
This embodiment is shown in fig. 5, where memory 10 contains control logic with logic blocks 100, which logic blocks 100 periodically insert security marks between program instructions as they are read. In this case, the code stored in the memory 10 does not include a security tag, and the control logic of the memory is modified to dynamically insert the security tag when program instructions are read from the memory.
When the security tag is loaded into instruction register 12, logic block 100 sends a wait cycle command 115 to microprocessor core 14, causing microprocessor core 14 to insert a wait cycle into the execution stream upon receipt of the security tag. Thus, instead of receiving an instruction to provide its address via address bus 15, microprocessor core 14 is alerted to the receipt of the security tag.
Fig. 6 shows a schematic example of a portion of protected code according to the present invention.
The security marks are preferably inserted into the code with a variable period such that execution of program instructions located between consecutive two security marks corresponds to a number of clock cycles less than the clock cycle resulting in triggering the predetermined alarm action.
It should be noted that the number of clock cycles required to execute an instruction may be variable (which may be unknown a priori in some cases). Thus, the number of clock cycles resulting in triggering the predetermined alarm action is preferably envisaged for a worst case scenario which is greater than the maximum number of clock cycles required to execute program instructions located between two consecutive security marks.
As with any binary instruction, the security tag basically includes two fields: an opcode that enables identification of the tag and a payload that can be changed, for example, to spoof the observer, making it difficult to bypass detection of the attack. For example, the initial value employed by the counter may be set in the payload, or the payload value applied according to specific logic (increment, decrement, alternation, unique value, etc.) to introduce variability to spoof an attacker. In fact, the usefulness of the payload is optionally the usefulness of being able to vary the maximum number of clock cycles to be observed between the two security marks, otherwise a predetermined alarm action will be triggered.
Furthermore, if the program code includes special instructions, such as function calls, branches (jumps), loops, etc., security marks should be inserted while taking care not to trigger false alarms.
Fig. 7 schematically shows a function call in this type of code.
Function 2 is embedded in the "function 1" code and is called between instruction 7 and instruction 8.
Executing function 2 results in an increase in the number of instructions executed between the two security marks (and thus in an increase in the number of clock cycles elapsed), there is a risk of unnecessarily triggering the predetermined alarm action 300 if no precautions are taken.
One solution to this problem is shown in fig. 8, where two security marks are added to the beginning and end of the function 2 code, respectively, thereby reducing the number of clock cycles separating the two security marks below the activation threshold of the predetermined alarm action 300.
Fig. 9 schematically shows branches in the code that risk triggering a false alarm.
In the example shown, a branch is performed from instruction 3 to instruction 7, that is to say a jump of 4 addresses.
Upon execution, the jump instruction prevents execution of a security tag placed before instruction 6. This results in an increased number of instructions being executed between the two security marks (and thus in an increased number of clock cycles elapsed), and thus there is a risk of the predetermined alarm action 300 being triggered unnecessarily.
One solution to this problem is shown in fig. 10, where a security tag is inserted at the destination address of the branch instruction.
Fig. 11 schematically shows a cycle of code at risk of triggering a false alarm.
In the example shown, the validity of the condition following instruction 8 will read back to the address of instruction 5 (this corresponds to a jump back of 4 addresses).
In fact, as long as the condition is verified, the loop is executed, each time instructions 5 to 8 are executed again, resulting in an increase in the number of instructions executed between the two security marks (and thus in the number of clock cycles elapsed), thus risking an unnecessary triggering of the predetermined alarm action 300.
One solution to this problem is shown in fig. 12, where a security mark is added at the beginning of the cycle. In this case, jumping to the beginning of the loop corresponds to returning 5 addresses.
Alternatively, a security mark may be added at the end of the cycle.
The absence of an interrupt instruction may also be detected according to the same principle without the need to add a security tag to the code.
In fact, the circuit 1, and in particular the protection circuit 18 of the microprocessor 14, may comprise a continuous instruction counter 21 instead of having an instruction load or clock cycle counter 20, as shown in fig. 18. The counter 21 may be configured to decrement after each execution of a consecutive instruction, the consecutive instruction counter 21 preferably being configured to be periodically reset to a parametrizable value, the consecutive instruction counter 21 being periodically reset by executing an interrupt instruction before it reaches an alarm threshold (in particular zero), the protection circuit 18 being configured to trigger the predetermined alarm action 300 when the consecutive instruction counter 21 reaches the alarm threshold.
If the example of the code portion shown in fig. 16 is considered and exemplified by a decreasing consecutive instruction counter 21 set to 4 and having an alarm threshold value of zero, this counter will be reset by the linear execution interrupt instruction at address 6. When executing instructions 7 to 10, this counter will decrease and will reach zero after executing instruction 10, which will trigger a false alarm, as there is no attack. To avoid this, it is useful to increment the initial value of the counter 21 or to insert a linear execution interrupt instruction between the program instructions 7 to 10, the execution of which corresponds to the number of clock cycles that might result in an unnecessary triggering of a predetermined alarm action. In this case, a linear execution interrupt instruction is inserted between instructions 9 and 10.
Fig. 17 shows two possibilities of inserting a linear execution interrupt instruction into the code portion of fig. 16: during code compilation (right side of fig. 17), or outside of memory and prior to loading of instructions into instruction registers (left side of fig. 17).
When a linear execution interrupt instruction is inserted during code compilation, the linear execution interrupt instruction is stored in memory and has a memory address. In the example shown on the right side of fig. 17, a linear execution interrupt instruction is inserted between instructions 9 and 10. Thus, the linear execution interrupt instruction adopts the memory address 10, and in this case, causes the memory address of the instruction following it to increment in units, as shown on the right side of fig. 17.
When a linear execution interrupt instruction is inserted outside the memory and before the instruction is loaded into the instruction register, the linear execution interrupt instruction then has no memory address and the memory address of the instruction following it remains unchanged. On the left side of fig. 17, a linear execution interrupt instruction is inserted between instructions 9 and 10 while the microprocessor core waits to receive instruction 10. Thus, the microprocessor core receives an interrupt instruction instead of instruction 10, thereby avoiding an undesirable alarm trigger. A mechanism is then triggered that causes the core to continue requesting instructions 10. The core is configured, for example, to identify a linear execution interrupt instruction and update a request to read instruction 10 that is shifted by the insertion of the linear execution interrupt instruction. The core ultimately receives an instruction 10 to execute the instruction 10. In this case, each instruction maintains its memory address. Interrupt instructions are inserted into the instruction stream read from memory for execution by the core.
Fig. 18 schematically illustrates a linear execution interrupt instruction insertion block 400, which is a circuit external to memory 10, in communication with memory 10 and instruction register 12. This variant enables not modifying the compiler, nor increasing the memory surface area.
Fig. 19 schematically shows an example of an instruction sequence to be executed after an attack that stores an interrupt instruction causing linear execution in an instruction register. In this case, this is a branch instruction that never satisfies the condition: beq r0, r1, imm (beq means "branch if equal"). Since registers r0 and r1 are different, branching to address imm never occurs. This type of attack disables the write enable signal (write _ enable) of instruction register 12 so that the instruction (beq R, r1, imm, in this case a linear execution interrupt instruction) contained in the register is stored there as long as the disabling of the write enable signal continues. The consecutive instruction counter 21 alone will not be able to detect such an attack because it is permanently reset by the stored interrupt instruction (beq r, r1, imm).
Thus, the linear execution interrupt instruction counter 22 (shown in FIG. 20) enables, among other things, detection of such an attack, which involves injecting only the interrupt instruction into the core that caused the linear execution. In addition to the continuous instruction counter 21, the circuit 1, in particular the protection circuit 18, may further comprise a linear execution interrupt instruction counter 22 configured to decrement after each execution of the linear execution interrupt instruction, the linear execution interrupt instruction counter 22 preferably being configured to be periodically reset to a parametrizable value, the linear execution interrupt instruction counter 22 being periodically reset by executing a non-linear execution interrupt instruction before it reaches an alarm threshold (in particular zero), the protection circuit 18 being configured to trigger the predetermined alarm action 300 when the linear execution interrupt instruction counter 22 reaches the alarm threshold.
Taking the code portion of fig. 19 as an example, the reduced continuous instruction counter 21 is set to 4, the reduced linear execution interrupt instruction counter 22 is set to 8, and the alarm threshold of both counters is zero. Counter 21 will be reset to 4 after each "beq r, r1, imm" instruction and will not decrease, while counter 22 will decrement after each instruction until the instruction at address 9, at which point its alarm threshold is reached, triggering a predetermined alarm action.
The combination of counters 21 and 22 also enables combating another type of attack, including forcing instruction addresses to vary linearly. Fig. 20 schematically shows an example of such an attack. The control signal 203 of the multiplexer 25 contained in the core 14 and providing the instruction address is forced to be set to select the input that causes the instruction address to change linearly.
Thus, regardless of the instruction (continuous or interrupted), it will always be a linear execution instruction. The sequential instruction counter 21 alone cannot detect such an attack because the sequential instruction counter 21 is reset after each interrupt instruction enters the core. However, the linear execution interrupt instruction counter 22 will never be reset and will decrement after each (linear execution) interrupt instruction, so the attack will be detected.
Fig. 21 shows the case of an attack of disable signal 204, which signal 204 contains information that the instruction has been executed, internal signal 204 can be disabled together with the write enable signal write _ enable of the instruction register (probe 200 is no longer placed on reset (this is not shown for simplicity) but on the write _ enable signal of instruction register 12). In this case, the continuous instruction counter 21 will not be decremented, nor will the linear execution interrupt instruction counter 22 be decremented. Thus, the continuous instruction counter 21 alone or in combination with the linear execution interrupt instruction counter 22, where applicable, cannot detect such an attack, and therefore non-execution of instructions can be detected with the cycle counter 23.
Thus, the circuit 1, in particular the protection circuit 18, may comprise a period counter 23 for detecting the non-execution of an instruction, the counter 23 being configured to increment after each clock period, the period counter 23 being periodically reset, in particular reset to zero, by the execution of the instruction before it reaches an alarm threshold, in particular a parametrizable value, the protection circuit 18 being configured to trigger the predetermined alarm action 300 when the period counter 23 reaches the alarm threshold.
The cycle counter 23 may be used in combination with a continuous instruction counter 21 and an optional linear execution interrupt instruction counter 22 (shown in dashed lines in fig. 21, indicating that it is optional).
Furthermore, in another embodiment, a linear execution sequence that is disproportionate to the instruction set length used may be detected by the linear execution sequence length counter 24.
Thus, the circuit 1 may comprise a linear execution sequence length counter 24 for detecting a sequence of linear execution consecutive instructions and/or interrupt instructions of length exceeding a given length and configured to increment after each execution of an instruction or after each clock cycle, the linear execution sequence length counter 24 being periodically reset, in particular reset to zero, by varying a signal of the at least one microprocessor core 14 indicating the end of execution of the linear execution sequence before it reaches an alarm threshold, the protection circuit 18 being configured to trigger a predetermined alarm action when the linear execution sequence counter reaches the alarm threshold.
This variant with a linear execution sequence length counter makes it possible in particular to detect all the attacks described above (activating a reset of the instruction register, storing the instruction in the instruction register, forcing a linear change of the instruction address, etc.).
The linear execution sequence length counter 24 may have different positions in the circuit 1 as shown in fig. 22.
A linear execution sequence length counter 24 may be connected to the instruction address bus 15. Thus, the length of the linear execution sequence may be counted by reading the addresses (incremented in units when consecutive addresses are one after the other).
The linear execution sequence length counter 24 may be connected to the internal signals of the core. Thus, the length of the linear execution sequence may be counted by observing these signals, e.g., the linear execution sequence may continue as long as the address multiplexer command is maintained by selecting the "linearly incremented address" input.
A linear execution sequence length counter 24 may be connected to the instruction bus 12. Thus, it may be determined whether an instruction is an interrupt instruction by counting the length of the linear execution sequence by observing certain bits of the instruction (e.g., bits in the funct and opcode fields of the code of the RISC-V core instruction).
The variants described above in fig. 13 (instruction register forming part of the microprocessor core) and fig. 14 (external memory) can be reproduced in embodiments intended to detect interrupt instructions instead of the absence of a security tag.
An example of an application area of the invention is the protection of security circuits (e.g. smart cards, secure microcontrollers, etc.) from extracting their programs and the sensitive data they contain (cryptographic keys, various rights, etc.).
One example of a market affected by linear code extraction is the market for a printer's cartridge (linear extraction of the code of the manufacturer's cartridge to sell its compatible copy), which can therefore be protected by a security chip according to the invention.
The present invention is not limited to the above-described exemplary embodiments. For example, the detection method according to the invention may be implemented purely on a software basis by implementing it in a so-called watchdog microcontroller, in particular a real-time watchdog microcontroller, by using an intrinsic reset to zero mechanism of the watchdog circuit. The counter described above may be incremented, decremented, or any other variation.

Claims (29)

1. A method for detecting an attempted linear extraction of a program code recorded in a memory (10) of an electronic circuit (1), the code comprising program instructions which, for reading by a microprocessor core (14), are loaded in sequence through an instruction bus (11) into an instruction register (12) for storing the instructions, the instruction register being controlled by at least a clock signal (clk) and a reset signal (reset), each instruction being loaded into the instruction register (12) on an edge of the clock signal (clk), the code comprising interrupt instructions and/or so-called "security tag" instructions interposed between the program instructions so as to be read during execution of the program, the method comprising triggering a predetermined alarm action (300) according to a predetermined monitoring rule without detecting an interrupt instruction or a security tag.
2. Method according to the preceding claim, wherein the predetermined monitoring rule is that no interrupt instruction or security marker is detected within a predetermined period of time and/or after a predetermined number of program instructions have been read and/or after a predetermined number of clock cycles.
3. Method according to any of the two preceding claims, wherein the security marks are inserted into the code with a variable period and/or the security marks are inserted into the code such that execution of a program instruction located between two consecutive security marks corresponds to a number of clock cycles smaller than the number of clock cycles leading to triggering the predetermined alarm action (300), the two consecutive security marks preferably being arranged such that the number of clock cycles leading to triggering the predetermined alarm action is larger than the maximum number of clock cycles required to execute the program instruction located between the two security marks.
4. Method according to any of the preceding claims, wherein at least one security marker is inserted at the beginning and end of the code of the function forming part of the program and/or at least one security marker is inserted at the destination address of a branch instruction and/or at least one security marker is inserted at the beginning or end of the code of the loop forming part of the program.
5. The method according to any of the preceding claims, wherein the security tag is encoded with at least one specific bit having a significance corresponding to the same significance as the significance of at least one characteristic bit of a branch instruction, the specific bit having the same encoded value as the encoded value of the characteristic bit in order to trigger the predetermined alarm action (300) upon occurrence of an attack based on a forced setting of the complementary binary value of the characteristic bit.
6. The method according to any of the preceding claims, wherein the security tag is inserted into the code during execution of the code, in particular when the program instruction is read from the memory (10), the memory (10) preferably containing control logic with a logic block (100), the logic block (100) periodically inserting security tags between the program instructions when the program instruction is read, in particular when security tags are loaded into the instruction register (12), the logic block (100) sending a wait period command (115) to the microprocessor core (14) such that the microprocessor core (14) inserts a wait period into an execution stream when the security tag is received.
7. A method according to any one of the preceding claims, wherein the security marks differ from each other in terms of their payloads.
8. The method according to claim 1 or 2, comprising: in the step of analysing the code before loading it into the register, at least one linear execution interrupt instruction is inserted into a portion of the code comprising program instructions whose execution corresponds to the number of clock cycles that can cause the triggering of the predetermined alarm action (300).
9. Method according to the preceding claim, wherein the linear execution interrupt instruction is inserted during compilation of the code, the linear execution interrupt instruction being stored in the memory (10) and having a memory address.
10. The method according to claim 8, wherein the linear execution interrupt instructions are inserted after instructions to be loaded have been read from the memory (10) and before these instructions are loaded into the instruction register (12).
11. The method according to any of the preceding claims, wherein the predetermined alert action (300) comprises at least one of the following actions: resetting the electronic circuit (1); -erasing the memory (10); resetting the read address in the memory (10) to zero; causing the read address in the memory to take a non-continuous value such that the extraction of the code becomes non-linear; and skipping a section of the code, in particular the sensitive section to be protected.
12. Method according to any of the preceding claims, wherein the method is always implemented in order to protect the entire program code, the first instruction of the program code being in particular an interrupt instruction or a security marker.
13. Method according to any of the preceding claims, wherein the method is implemented in a parametrizable manner by configuring a fuse, in particular a one-time programmable fuse, in a programming phase of the circuit, or configuring a variable in a non-volatile memory, in particular a flash memory or an EEPROM memory, reading a value stored in the fuse or the non-volatile memory when the circuit is started, in particular when the circuit is powered on or when the circuit is awakened after a reset, the value enabling activation of the detection method, and if the method is activated, the first instruction of the program code is an interrupt instruction or a security flag.
14. Method according to any of claims 1 to 12, wherein the method is implemented to protect at least a portion of the program code defined by a start address and an end address, the method being activated upon reading a program instruction whose address is located between the start address and the end address for execution and deactivated upon reading a program instruction not belonging to the code portion for execution, the code portion in particular corresponding to a start-up phase of the circuit, or a code portion implementing a security function, in particular a cryptographic tool.
15. An electronic circuit (1) comprising at least a memory (10), a microprocessor core (14), an instruction bus (11), a read bus (13), an address bus (15), and an instruction register (12) for storing instructions, said instruction register being controlled by at least a clock signal (clk) and a reset signal (reset), said memory (10) being connected to said instruction register (12) via said instruction bus (11), said instruction register (12) being connected to said microprocessor core (14) via said read bus (13), said microprocessor core (14) comprising an instruction pointer (140) intended to contain a memory address of an instruction to be executed, said microprocessor core (14) being connected to said memory (10) via said address bus (15), said electronic circuit (1) being configured to detect a linear extraction of program code recorded in said memory (10), said program instruction comprising program instructions for being read by said microprocessor core (14), said program instructions being inserted in said sequence between said instructions (11) via said clock signal (clk) and said program code to be read by said microprocessor core (12) in order of "program code is inserted in order of said program code" during execution of said instructions to be executed, the microprocessor core (14) includes a protection circuit (18) for preventing attempted linear extraction, the protection circuit being capable of triggering a predetermined alarm action (300) according to a predetermined monitoring rule without detecting an interrupt instruction or a security tag.
16. Circuit according to the preceding claim, wherein at least a part of the program code defined by a start address and an end address is protected against linear extraction by the protection circuit (18), which start address and end address are stored in a non-volatile memory protected against erasing and modification when the circuit (1) is programmed, the protection circuit (18) preferably comprising a register for loading the start address and the end address, into which register the start address and the end address are loaded when the circuit (1) is started, in particular the protection circuit (18) is configured to determine whether an instruction whose address is comprised in the instruction pointer (140) belongs to the at least a part of the program code, wherein the determination is made by comparing the address with the start address and the end address.
17. Circuit according to any of the two preceding claims, comprising a circuit called a "watchdog" circuit for restarting the circuit (1) in case of a program failure, comprising a watchdog counter that is incremented on an edge of a clock provided by an oscillator inside the circuit (1), the watchdog circuit being configured in a reset mode so as to output a signal to the circuit (1) reset to zero when the watchdog counter reaches a predetermined value, the watchdog counter being periodically reset to zero by executing an instruction to reset the counter.
18. Circuit according to the preceding claim, comprising a hardware fuse enabling the watchdog circuit to be activated at all times, so that when the fuse is blown during programming of the circuit, the watchdog circuit is permanently activated in a reset mode.
19. Use of a circuit according to the preceding claim, the fuse being blown and the watchdog counter reset instruction being used as a security flag.
20. The circuit of any of claims 15 to 18, wherein the protection circuit (18) comprises an instruction load or clock cycle counter (20) configured to decrement after each instruction load into the instruction register (12) or after each clock cycle, the instruction load or clock cycle counter (20) being configured to be periodically reset to a parametrizable value, the instruction load or clock cycle counter (20) being periodically reset by a security flag before it reaches an alarm threshold, in particular zero, the protection circuit (18) being configured to trigger the predetermined alarm action (300) when the instruction load or clock cycle counter (20) reaches the alarm threshold.
21. The circuit of any of claims 15 to 18, comprising a continuous instruction counter (21) configured to decrement after each execution of a continuous instruction, the continuous instruction counter (21) preferably being configured to be periodically reset to a parametrizable value, the continuous instruction counter being periodically reset by executing an interrupt instruction before it reaches an alarm threshold, in particular zero, the protection circuit (18) being configured to trigger the predetermined alarm action (300) when the continuous instruction counter (21) reaches the alarm threshold.
22. The circuit of any of claims 15 to 21, except claim 20, comprising a linear execution interrupt instruction insertion block (400), which is a circuit external to the memory (10), in communication with the memory and the instruction register (12), the block being configured to insert at least one linear execution interrupt instruction into a portion of the read code comprising program instructions whose execution corresponds to the number of clock cycles that can result in triggering the predetermined alarm action (300).
23. The circuit of claim 21, comprising a linear execution interrupt instruction counter (22) configured to decrement after each execution of a linear execution interrupt instruction, the linear execution interrupt instruction counter (22) preferably being configured to be periodically reset to a parametrizable value, the linear execution interrupt instruction counter (22) being periodically reset by executing a non-linear execution interrupt instruction before it reaches an alarm threshold, in particular zero, the protection circuit (18) being configured to trigger the predetermined alarm action (300) when the linear execution interrupt instruction counter (22) reaches the alarm threshold.
24. The circuit of claim 21 or 23, comprising a cycle counter (23) for detecting that no instruction is executed, configured to increment after each clock cycle (clk), the cycle counter being periodically reset, in particular reset to zero, by executing an instruction before it reaches an alarm threshold, in particular a parametrizable value, the protection circuit (18) being configured to trigger the predetermined alarm action (300) when the cycle counter (23) reaches the alarm threshold.
25. The circuit according to any one of claims 15 to 19, comprising a linear execution sequence length counter (24) for detecting a sequence of linear execution consecutive instructions and/or interrupt instructions of length exceeding a given length and configured to increment after each execution of an instruction or after each clock cycle, the linear execution sequence length counter (24) being periodically reset, in particular reset to zero, by changing at least one microprocessor core (14) signal indicating the end of execution of a linear execution sequence before it reaches an alarm threshold, the protection circuit (18) being configured to trigger the predetermined alarm action (300) when the linear execution sequence counter (24) reaches the alarm threshold.
26. A method for protecting program code, comprising inserting in the code an interrupt instruction or a security marker for implementing the method according to any one of claims 1 to 14.
27. Method according to the preceding claim, wherein the insertion is performed during programming of the code.
28. The method of claim 26, wherein the inserting is performed during or after compilation of the code.
29. The method of claim 26, wherein the inserting is performed after reading instructions to be loaded from the memory (10) storing the code and before these instructions are loaded into the instruction register (12).
CN202280088087.5A 2021-11-09 2022-11-08 Method for detecting attempted linear extraction of memory contents Pending CN118591804A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP21306569.1 2021-11-09
FR2209624A FR3140186A1 (en) 2022-09-22 2022-09-22 Method for detecting an attempt to linearly extract the contents of a memory
FRFR2209624 2022-09-22
PCT/EP2022/081057 WO2023083776A1 (en) 2021-11-09 2022-11-08 Process for detecting an attempted linear extraction of the content of a memory

Publications (1)

Publication Number Publication Date
CN118591804A true CN118591804A (en) 2024-09-03

Family

ID=87889362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202280088087.5A Pending CN118591804A (en) 2021-11-09 2022-11-08 Method for detecting attempted linear extraction of memory contents

Country Status (2)

Country Link
CN (1) CN118591804A (en)
FR (1) FR3140186A1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE417325T1 (en) * 2004-06-07 2008-12-15 Proton World Int Nv PROGRAM EXECUTION CONTROL
FR2990533B1 (en) * 2012-05-09 2015-02-13 Morpho METHOD FOR MONITORING THE EXECUTION OF A SOFTWARE AND SOFTWARE FOR THE IMPLEMENTATION OF THE METHOD

Also Published As

Publication number Publication date
FR3140186A1 (en) 2024-03-29

Similar Documents

Publication Publication Date Title
US10762210B2 (en) Firmware protection and validation
US6272637B1 (en) Systems and methods for protecting access to encrypted information
US20080235796A1 (en) Circuit Arrangement with Non-Volatile Memory Module and Method for Registering Attacks on Said Non-Volatile Memory Switch
US8239963B2 (en) Method of protecting a password from unauthorized access and data processing unit
US20050251708A1 (en) Microprocessor comprising error detection means protected against an attack by error injection
TWI449392B (en) Software execution randomization
US7516902B2 (en) Protection of a microcontroller
US6965977B2 (en) Tamper-resistant method and data processing system using the same
CN102968392A (en) Microprocessor for preventing memory dump
EP2996034B1 (en) Execution flow protection in microcontrollers
US8495734B2 (en) Method and device for detecting an erroneous jump during program execution
US7447916B2 (en) Blocking of the operation of an integrated circuit
KR20170102285A (en) Security Elements
EP1295200A2 (en) Data processing method and device for protected execution of instructions
CN118591804A (en) Method for detecting attempted linear extraction of memory contents
US7747935B2 (en) Method and device for securing the reading of a memory
US8161293B2 (en) Protection of the execution of a program executed by an integrated circuit
US20090300339A1 (en) Lsi for ic card
JP2007004456A (en) Portable electronic device and data output device of portable electronic device
US8806109B2 (en) Protection of secret keys
US20070234149A1 (en) Checking the integrity of programs or the sequencing of a state machine
JP2009015651A (en) Information storage medium
US20080040812A1 (en) Method and Device for Security Loading a Memory and an Associated Memory
JP2020013249A (en) IC chip and IC card
EP4177780A1 (en) Method for detecting an attempt at linear extraction of the contents of a memory

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination