1. Field of the Invention
The invention relates to a method for accessing a memory by a microprocessor in which a cache memory is provided in which portions of the contents of the memory can be buffered. The microprocessor requests a stored data value. Then the system ascertains whether or not the requested stored data value is contained in the cache memory. If the data value is not contained in the cache memory, the data value is read from the memory. A control signal is generated which, if the data value is contained in the cache memory, reads the data value either from the cache memory or from the memory, in dependence upon the control signal.
The invention also relates to a circuit configuration for carrying out such a method.
Microprocessor systems require a memory in order to permanently or temporarily store data or programs that are to be processed. In the running of the program, the microprocessor accesses the memory in order to load currently required program components. The memory is typically arranged next to the microprocessor as a separate external circuit block in an integrated semiconductor chip. Accesses of the external memory are therefore relatively slow.
So-called cache memories are utilized to accelerate memory accesses. They serve for avoiding latency times when the external memory is accessed, in that frequently required data or instructions are buffered in the cache memory. The caches are smaller than the external memories and are wired so that they respond rapidly to a request. Cache memories can be integrated on the same chip with the microprocessor. Both read and write accesses are handled by the cache.
A read request to the memory by the microprocessor with the aid of the external memory and a cache memory proceeds as follows: First, whether the requested item of data is contained in the cache memory is checked. If it is ascertained that the data item is not buffered in the cache (known as a cache miss), the data item is loaded from the slower external memory into the cache and thereby made available to the microprocessor. If the data item is contained in the cache memory (known as a cache hit), it is immediately read to the microprocessor and processed by same.
Microprocessors are utilized in security systems such as chip cards, among other applications. There, the microprocessor serves, among other functions, for encrypting the data traffic between the chip card and a reading device, so that sufficient security against fraudulent attacks aimed at spying out restricted information is guaranteed. One type of attack consists in measuring the characteristic power consumption of the microprocessor. Inferences about the program sequence can be drawn from the characteristic current profile. Cache miss and cache hit events can be pinpointed with the aid of the current profile. From these, it is possible to deduce the encoding and decoding algorithm that is being utilized, on the basis of the number and position of the memory accesses; it would then be possible to draw further inferences about the specific program sequence, and thereby to determine, with the aid of the current profile, trigger points at which other measurement procedures can be applied.
The current profile differs for a cache hit and a cache miss. While data from the cache memory are read immediately to the microprocessor in a cache hit, in a cache miss some time passes while the cache memory is loaded from the external memory. The current consumption is therefore smaller in the initial phase in a cache miss than in a cache hit. The current consumption in a cache miss rises during the loading of the cache memory owing to the numerous switching processes in the chip during loading. The current consumption can be measured by way of the external terminal pins of the integrated circuit or the current supply terminals of the chip card.
A data access with a cache miss thus lasts relatively long, and the loading operation brings about a relatively large current consumption of the central unit of the microprocessor. The result of cache hit and cache miss events is that the central unit must wait for different lengths of time for the data to become available. The wait process has a characteristically low power consumption of the central unit. The total power consumption in a cache miss is greater than in a cache hit. From this it is possible, by means of statistical evaluation methods utilizing correlations with the activity pattern of the current profile, to draw inferences about the processing steps within the microprocessor and the data being processed. The application of such conventional microprocessors in systems which process secret, security-related information is therefore problematic.
U.S. Pat. No. 5,765,194 describes a cache memory in which a cache miss is signaled instead of a cache hit. This prevents possible access collisions with respect to the cache memory. Given a cache hit, a deterministic control switches over to a cache miss.
U.S. Pat. No. 4,932,053 describes a random access to dummy memory cells for the purpose of disguising the current profile. U.S. Pat. No. 5,500,601 generally relates to the problem of the detectability of the current profile by monitoring.
It is accordingly an object of the invention to provide a method for accessing a memory by a microprocessor with the aid of a cache memory which overcomes the above-mentioned disadvantages of the heretofore-known devices and methods of this general type and which further improves the security against monitoring. A further object is to lay out a circuit configuration which guarantees better security against monitoring.
With the foregoing and other objects in view there is provided, in accordance with the invention, a method of accessing a memory with a microprocessor and having a cache memory wherein portions of memory contents of the memory can be intermediately stored, the method which comprises:
upon receiving a request from the microprocessor for a stored data value, determining whether the requested stored data value is contained in the cache memory;
if the data value is not contained in the cache memory, reading the data value from the memory;
generating a control signal in random fashion and, if the data value is contained in the cache memory, reading the data value either from the cache memory or from the memory in dependence on the control signal.
In other words, the objects laid out in connection with the method are achieved by a method for the accessing of a memory by a microprocessor with a cache memory in which portions of the contents of the memory can be temporarily stored. The microprocessor requests a stored data value, and it is ascertained whether the requested value is contained in the cache memory. If it is not, the data value is read from the memory. A control signal is generated which, if the data value is contained in the cache, reads the value either from the cache memory or from the memory, depending on the control signal. The control signal is a random signal, that is, one which is randomly generated.
The object in connection with the circuit configuration is achieved by a circuit configuration comprising: a central processing unit, a memory, a cache memory, and a control device which is connected to the CPU and the cache memory; whereby the control device contains: a random generator for generating a random signal, a device for ascertaining whether or not a data value that has been requested by the CPU is contained in the cache memory, a terminal for releasing a signal indicating that the data value is not contained in the cache, and a changeover device which is controllable by the random generator, which is connected on the input side to the terminal and to the device for making the determination, and which is coupled on the output side to the CPU, so that a read operation is controllable either from the memory or from the cache in dependence upon the signal at the output side of the changeover device.
One or more cache memories can be provided. The described circuit configuration and method can be advantageously applied with any cache memory. The control device can either be shared by all caches as a central device or can be present in multiple form and individually allocated to single caches. Caches for data that are to be processed, caches for instructions, and caches for data and instructions together, the latter known as unified caches, are all known. The term data value encompasses both data that are to be processed and instructions.
In the inventive method and circuit configuration, the correlation between current signatures emerging with cache hits and misses and the program sequence is disguised. To accomplish this, the invention provides a control signal by means of which an additional intervention into the memory access control is possible. This way, when a cache hit is detected, the memory access can nevertheless be handled as a cache miss. For all practical purposes, cache hits are suitably replaced by cache misses. Besides its dependency on the cache contents and the access address, intervention in the cache control logic also occurs by means of the control signal for the purpose of the additional insertion of cache misses. The control signal is controlled by parameters other than the hit rate for cache hits. As a result, the externally measurable current profile of the microprocessor and the sequence of cache misses and cache hits no longer correspond to the program sequence. This makes it substantially more difficult to deduce the program sequence by measuring the current profile.
The control signal is generated with the aid of random patterns. The utilization of random patterns is sufficiently known. Numeric series which are generated in such a way that they are physically random or pseudo-random are suitable.
The random series is generated from a random number that is output by a random generator or random number generator. It is advantageous to additionally modify the randomness. For instance, the cache control can log the number of cache misses and hits within a definite period of time and set the additional cache miss events so that, averaged over the period, a uniform distribution of cache misses and cache hits corresponding to a prescribed value sets in. Additional cache misses are generated in dependence on this statistic. The cache miss rate is dynamically adjusted according to the statistic, so that a fixed ratio between the number of cache misses and the number of cache hits within a defined time interval is achieved in the steady state. It is then no longer possible to draw inferences about the program sequence of the microprocessor on the basis of the sequence of cache miss and cache hit events.
A cache miss leads to a large workload on the microprocessor. The computing power of the system then drops. It is therefore expedient when cache misses are additionally generated precisely when the load on the microprocessor is small. Given a high load on the microprocessor, the cache miss rate is reduced. The insertion of additional cache misses is expediently performed in dependence upon the software to be executed. In this embodiment, an application-specific compromise between computing power and security can be reached by means of the software.
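The following is an added behavioural model of the control device described above: a random control signal turns a genuine cache hit into a forced miss, a per-window statistic steers the forcing probability toward a prescribed miss ratio, and a software load hint suppresses forced misses under high load. It is example code written for this description, not the patent's circuit; the class, its parameters, the gain constant and the memory contents are assumptions.

```python
import random
from collections import OrderedDict
class RandomizedCache:
    """Hypothetical model of the controller: an LRU cache whose hits may be handled
    as forced misses under a random control signal, re-tuned once per window."""
    def __init__(self, capacity, target_miss_ratio, window=16, seed=0):
        self.capacity = capacity
        self.target = target_miss_ratio    # desired misses / accesses in steady state
        self.window = window               # statistic period, in accesses
        self.rng = random.Random(seed)     # stands in for the hardware random generator
        self.lines = OrderedDict()         # address -> value, least recently used first
        self.hits = self.misses = 0        # counters for the current window
        self.p_force = target_miss_ratio   # probability of forcing a miss on a hit
        self.load_factor = 1.0             # 1.0 = idle CPU, 0.0 = fully loaded
        self.trace = []                    # "hit"/"miss" as a power-profile observer sees it

    def set_load(self, load):
        # Software hint (0.0 idle .. 1.0 busy): high load suppresses forced misses.
        self.load_factor = 1.0 - max(0.0, min(1.0, load))

    def read(self, address, memory):
        real_hit = address in self.lines
        # Random control signal, independent of the address and the cache contents.
        force_miss = self.rng.random() < self.p_force * self.load_factor
        if real_hit and not force_miss:
            self.lines.move_to_end(address)
            self.hits += 1
            self.trace.append("hit")
            value = self.lines[address]
        else:
            # Genuine miss, or a hit handled as a miss: fetch from the slow memory.
            self.misses += 1
            self.trace.append("miss")
            value = self.lines[address] = memory[address]
            self.lines.move_to_end(address)
            if len(self.lines) > self.capacity:
                self.lines.popitem(last=False)  # evict the least recently used line
        self._adjust()
        return value

    def _adjust(self, gain=0.5):
        # At the end of each window, steer p_force toward the target miss ratio.
        if self.hits + self.misses < self.window:
            return
        observed = self.misses / (self.hits + self.misses)
        self.p_force = min(1.0, max(0.0, self.p_force + gain * (self.target - observed)))
        self.hits = self.misses = 0

    def observed_miss_ratio(self):
        return self.trace.count("miss") / len(self.trace)
```

With a target ratio of 0 the trace reproduces the real hit/miss sequence; with a target of 0.5 a workload that always hits shows roughly half misses, so the trace no longer tracks the program sequence.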
Other features which are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in a memory access method and circuit configuration, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawing.