1. Field of the Invention
The present invention relates to a device and a method for a secure execution of a program and, in particular, to a device and a method for executing a program having checking commands enabling a control of the program execution.
2. Description of Related Art
Chip cards have a wide continuously extending spectrum of use. Frequently, they contain trusted information. Examples are payment and credit cards, insurance cards or access control cards. The area of use and the acceptances of such chip cards substantially depend on their security features. The trusted data contained on the chip cards have to be protected from being read out by unauthorized persons.
Chip cards usually comprise a chip card controller on which a software program is executed. In an activation, the program usually executes authentication processes protecting the chip card from being accessed by unauthorized persons. If an attacker succeeds in skipping the authentication process, then he obtains authorized access to the data stored on the chip card and to functions controlled by the chip card. In order to skip the authentication process or another process, the course of the program execution is interfered with by the attacker by invasive attacks. One possible invasive attack is the provision of an interference pulse to a voltage supply of a chip card. This has the consequence that a program command counter of the chip card controller is changed in an unspecified way not planned by the designer. A change of the command counter caused by an attacker causes a change of the program course, as the chip card controller continues executing the program after the attack at a location predetermined by the changed command counter. This way it is possible to determinedly skip individual program sections, like for example an authentication process, and provide a side entry into a program section which is originally protected by the authentication process.
Conventionally used programs and chip card controllers for executing such programs already include a series of features offering protection from an attack targeting to an interference with the program course.
Conventional program courses contain mutual dependencies of different program sections offering a protection from changes of the program course. For example, program initializations or program results are needed in later program sections and an incorrect presence of such values would lead to a program breakdown. Such dependencies have the disadvantage, however, that they are not equally distributed across a program course. In order to effectively protect a program course against attacks, thus additional artificial dependency constructions are required in the program course. However, such dependencies as a protection of a program course are not supported by the conventional programs for generating a software. This makes program changes difficult, as the dependencies between individual program parts which are necessary as a protection have to be manually inserted and checked.
Frequently, the time period a program needs for initializing is checked and secured by a monitoring circuit (“watch dog”). Such a solution is not flexible enough, however, to adapt to different time periods of the initialization course, and offers no protection against changes in the control course during the setup procedure. Only the execution of the terminal portion of the initialization is protected this way. A further disadvantage is that a monitoring solution based on a temporal monitoring may hardly be checked during the manufacturing test of a device. A further disadvantage is that the timer of the monitoring circuit is not necessarily resistant enough in order to not be influenced by the interference pulse as well.
A further possibility for a protection against interference pulses provided onto the voltage supply is to integrate an interference pulse sensor into a chip card. The interference pulse sensor should detect attacks from the fact that a voltage peak is located outside the specified operation conditions. The main problem of such an approach is that the sensor has to be set exactly to the limiting values of the operating conditions. This again means that the operating conditions of the circuit to be protected have to be characterized very precisely in order to prevent a security hole. Both the setting of the sensor and the exact characterizing of the circuit are very time consuming and costly.
In EP 1 305 708 B1, a method is presented enabling a correct temporal course of code blocks of a computer program in a multi processor system. Here, the multi processor system includes a computer and a manipulation-secure device connected to the computer. The computer program is performed on the computer. The code blocks, however, are performed as sub-programs within the manipulation-secure device. A temporally correct course of the code blocks is guaranteed by the fact that the code blocks include sequence data identifying the respective code block and indicating which code blocks are to be executed before or after the code block, respectively. The manipulation-secure device is implemented to determine in response to the sequence data whether a code block may be performed. This approach requires a high expense regarding both software and hardware, as the sequence data may conventionally not automatically be established and integrated into the code blocks and as a second processor is required on which the secured code blocks are executed.
US 2003/0131210 describes a possibility for checking security values of an EEPROM. It is assumed that with a change of EEPROM contents due to an attack also the contents of the EEPROM backups are changed. During the reset phase, a boot sequence is executed reading out the backups. The boot sequence is a program enabling a computer or controller to perform an automatic checking of the backups. The read-out backup values may be accumulated and compared to a reference value for example in the form of a signature register or a further backup value.
U.S. Pat. No. 5,018,146 describes a system for checking a plug-in card of a processor system. The plug-in card includes a memory in which a first error checking word and starting parameter data words are arranged. After the plug-in process, the first error checking word and the starting parameter data words are read out. From the starting parameter data words using a predetermined algorithm a further error checking word is formed and compared to the first error checking word. If the first and the second error checking words do not match, the card is not allowed a further operation in the system.