1. Field of the Invention
The present invention generally relates to the field of microcontrollers integrated in electronic components and, more specifically, to the checking of the atomicity of the commands or transactions (series of instructions) executed by such a microcontroller.
2. Discussion of the Related Art
The atomicity of a transaction means that the one or several variables handled by this transaction cannot be left in an arbitrary state if the transaction is interrupted. The simplest case is a variable having an initial state and a final state. The atomicity of a transaction handling this variable then means that, even if the transaction is interrupted, the variable cannot be left in an intermediate state.
An example of application of the present invention is the field of smart cards with or without contacts equipped with a microcontroller.
FIG. 1 schematically shows a card 1 with a chip 2 of the type to which the present invention applies. In the example of FIG. 1, the smart card is a card with contacts 3. However, the presence or absence of contacts in no way modifies the present invention. In the case of a contactless smart card, the metal contact pads 3 are replaced or supplemented by the antenna of an oscillating circuit for communicating with a terminal emitting an electromagnetic field.
As illustrated in FIG. 1, a microcontroller chip 2 essentially comprises a central processing unit 4 communicating, via one or several buses 5, with memories including, in particular, a rewritable non-volatile memory (NVM) 6, for example of the E2PROM type. Chip 2 also comprises a RAM 7 for the current computations and a ROM 8 generally containing the programs executed by central unit 4. Central unit 4 is also connected (in this example by bus 5) to an input/output circuit 9 (I/O), which is here further connected to contacts 3. In the case of a contactless chip (electromagnetic transponder), the input/output circuit modulates a carrier and is thus connected to the oscillating circuit forming the antenna.
Of course, the smart card (more generally, the electronic component comprising the integrated microcontroller) may comprise other components and circuits according to the applications.
FIGS. 2A and 2B very schematically illustrate the atomicity of a command executed by a microcontroller. FIG. 2A illustrates the progress of the command with no interrupt. FIG. 2B illustrates this progress in the presence of an interrupt. In the case of a contactless smart card, the interrupt is generally a loss of the microcontroller power supply. More generally, it is any disturbance resulting in a malfunction of the microcontroller and causing its reset.
In the example of FIG. 2A, consider a command operating on two variables VAR1 and VAR2, having respective initial states Ainit and Binit and expected to take, at the end of the execution of the command, final states Afin and Bfin.
Variables VAR1 and VAR2 are stored in non-volatile memory 6. At the beginning of the command execution (block 10), variables VAR1 and VAR2 are in their respective initial states Ainit and Binit. Assuming that the command (block 11, COMMAND) is normally executed, the non-volatile memory contains, at the end of the execution for variables VAR1 and VAR2, their respective final states (block 12).
In the case (FIG. 2B) where an interrupt INTERRUPT occurs during the execution of command 11, for example because the smart card power supply is removed, a specific procedure is implemented.
This procedure consists, on the reset (block 13, RESET) caused by powering the card back on, in recovering the atomicity (block 14, ATOMICITY RECOVERY) of the transaction. In this example, the procedure results in restoring, in the non-volatile memory, either the final states (block 12) of the variables or their initial states (block 15).
In the above example, it is assumed that, for the considered command, the transaction is considered atomic provided that variables A and B are either both updated or not updated at all. Accordingly, an intermediate state in which only one of the two variables is updated is considered an invalid or unauthorized state. It should be noted that the updating of a variable or data item is performed in practice by one or several write operations into the non-volatile memory.
Intermediate states may, if desired, be considered coherent or authorized. For example, assuming a transaction processing four variables A, B, C, and D distributed in two groups, respecting the atomicity of the transaction may consist of updating the variables two by two. In this case, four situations are considered logically coherent: the four variables A, B, C, and D have their initial values (no update); the four variables A, B, C, and D have their final values (correct update); variables A and B have their final values and variables C and D have their initial values; and variables C and D have their final values while variables A and B have their initial values.
For the atomicity of the transaction to be respected, the states of the variables in the non-volatile memory, and their combination, must correspond to states considered logically coherent. In case of a transaction interrupt, the processor must thus be capable of restoring one of the coherent states or combinations.
There exist many techniques for recovering the atomicity of a transaction. For example, U.S. Pat. No. 6,535,997, which is incorporated herein by reference, describes a processor for executing data transactions between an external system and a smart card, in which a procedure for recovering the atomicity of the transaction is implemented.
A problem that arises is how to check the effectiveness of such transaction atomicity recovery procedures.
A known technique consists of repeatedly interrupting the smart card power supply at regular intervals and checking that logically coherent states are always observed on powering back on.
A disadvantage of such a method is that, even when the number of test operations is multiplied, it provides no guarantee of reliability.
Further, multiplying the test operations often results in an extended test time. This disadvantage is compounded by the significant number of commands to be tested.
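The following Python simulation is an added example, not code from the patent or from the cited prior art: it models the two-by-two update of variables A, B, C and D in a simulated non-volatile memory using an assumed journal-based recovery scheme (old values saved before the new ones are written, and a flag marking the journal valid until the group is committed), removes the power after every possible write operation instead of at random intervals, runs the recovery of block 14 on reset, and checks that every surviving state is one of the four logically coherent combinations. The NVM, PowerLoss and journal_valid names are constructed for the example.

```python
class PowerLoss(Exception): pass   # loss of supply during the command (INTERRUPT, FIG. 2B)

class NVM:
    """Non-volatile memory 6; each write() is one NVM write operation."""
    def __init__(self, cells, fail_after=None):
        self.cells = dict(cells)       # variables plus journal cells
        self.fail_after = fail_after   # power fails after this many writes

    def write(self, key, value):
        if self.fail_after is not None:
            if self.fail_after == 0:
                raise PowerLoss()
            self.fail_after -= 1
        self.cells[key] = value

def update_group(nvm, new_values):
    """Assumed scheme: journal old values, set journal valid, write new, clear journal."""
    for name in new_values:
        nvm.write(("old", name), nvm.cells[name])
    nvm.write("journal_valid", tuple(new_values))
    for name, value in new_values.items():
        nvm.write(name, value)
    nvm.write("journal_valid", ())     # the commit point of this group

def recover(nvm):
    """Block 14 at RESET: roll back a group whose journal is still valid."""
    nvm.fail_after = None              # assumption: stable power during recovery
    for name in nvm.cells["journal_valid"]:
        nvm.write(name, nvm.cells[("old", name)])
    nvm.write("journal_valid", ())

def is_coherent(state, initial, final, groups):
    """Each group wholly initial or wholly final: the four situations."""
    return all(all(state[n] == initial[n] for n in g)
               or all(state[n] == final[n] for n in g) for g in groups)

def run_with_interrupts(initial, final, groups, max_writes=64):
    """Cut power after k writes for every k; return the recovered states."""
    outcomes = []
    for k in range(max_writes):
        nvm = NVM({**initial, "journal_valid": ()}, fail_after=k)
        try:
            for g in groups:
                update_group(nvm, {n: final[n] for n in g})
        except PowerLoss:
            recover(nvm)               # resets fail_after to None
        outcomes.append({n: nvm.cells[n] for n in initial})
        if nvm.fail_after is not None:
            break                      # no loss: k covered the whole command
    return outcomes
```

Because the groups are updated in order, the simulation never produces the fourth coherent situation (C and D final, A and B initial), which shows that a checker must accept every coherent combination rather than only those a given implementation happens to reach.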