A. Field of the Invention
This invention relates to a method and a system for checking whether program instructions have been executed by a portable end device.
B. Related Art
With the increasing spread of electronic end devices, in particular end devices such as for example mobile radio devices, PDAs, tablet PCs, smartphones, etc., there is increased processing on these end devices of personal, confidential, secret data and/or at least data with sensitive content. These data include in particular a user's secrets, for example authorization data, access data, personal identification numbers, payment transaction data, in particular TANs and credit card numbers. If these data are spied out by an attacker, this leads in many cases to financial or personal damage.
In a way comparable to the attack methods on a conventional PC with an Internet connection, the portable end device is more and more frequently becoming the attack target, for example by means of spy software. Hence, the data on such end devices should be subject to a maximum protection, so that spy attacks on such data are fruitless.
A spy attack is achieved by implanting harmful third-party program instructions, for example through so-called Trojans, viruses or worms as malware. Hence, it is necessary that the portable end device checks the respective program instructions to be executed in order to recognize an implanting of the third-party program instruction and to initiate defensive actions, where applicable. The check of the program instructions to be executed can take place here before, during or after the actual execution of the program instructions to be checked.
Program instructions are understood according to the invention to be a sequence of machine-readable instructions, statements and/or commands which a computing unit, in particular a CPU, of a portable end device can execute and process. It is not essential to the invention here whether the program instructions are present as machine code, byte code or source code or whether a compiler or interpreter is inserted as a translating entity for their execution in the CPU.
From the prior art, checking methods for program instructions are known. According to the U.S. Pat. No. 7,191,464-B2 a check is already carried out during the execution of the start program instruction of an end device, the so-called boot code. The program instructions are subdivided here into portions, each portion of program instructions checking for integrity the portion of program instructions to be executed next before it passes control of this next portion to the end device.
A problem of this procedure is that the first portion of program instructions must be trustworthy, because this first portion itself is not checked. This can be solved for example by storing the first portion of the program instructions in a special component, for example a ROM memory, because a ROM memory can no longer be changed after the initial writing. However, this rules out any subsequent updating of the first portion, for example by means of software patches.
In US-2008/0022108-A1 there is again described a method for checking a first portion of program instructions. Here, there is calculated on the basis of the portion of the program instructions a random cryptographic function which is verified in a separate and external cryptographic hardware unit before execution of the portion of the program instructions. In this case it is impossible to do without the separate unit located outside the system.