Data processing devices are controlled using programs, which include a sequence of instructions that can be executed in order to achieve a particular functionality. The high flexibility of data processing devices is based on the fact that, in programs, individual steps can be executed not only sequentially but also with branches in the sequence. For a data processing device to operate correctly, the correct program flow, that is, the correct order in which the individual instructions are executed, is required. Unexpected changes in the sequence lead to incorrect results or even to operation of the data processing device being stopped. Such changes may be caused, for example, by faults in the hardware or in the programs. Furthermore, external attacks in which the correct operation of a data processing device is deliberately disrupted in order to gain an advantage are conceivable.
In order to avoid faults during the operation of a data processing device, hardware and software are verified, that is, they are checked for correct operation. Unfortunately, some faults remain undiscovered during verification since not all possible situations can be covered. These include, in particular, borderline cases which occur when different parts of a program interact, in which case it is not possible to verify the individual parts together. Faults in the program flow may result in failure of the data processing device or in security gaps which can be exploited.
External attacks which influence the operation of a data processing device may be detected using suitable hardware measures. These include checkpoint registers, in which values are compared with expected values during operation; glitch sensors, which detect very brief voltage dips or increases in the current or clock supply; frequency sensors, which are used to detect changes in the clock frequency, in particular underfrequencies, or single-step operation; and light sensors, which can be used to detect manipulation of the chip during optical analysis. Hardware measures can be used only in specialized safety processors; the use of analog sensors, in particular, frequently requires a redesign.