1. Field of the Invention
The invention relates generally to the technical field of executing a program that is intended for a virtual machine, on a portable data carrier that has a processor. A portable data carrier of that kind may be especially a chip card in various forms or a chip module. More specifically, the invention relates to the controlled execution of a program in order to detect faults or attacks and in order to prevent the security of the portable data carrier from being compromised by such faults or attacks.
2. Description of the Related Art
Portable data carriers that have a virtual machine for executing programs are known, for example, under the trademark Java Card™. Such data carriers are described in Chapter 5.10.2 of the book “Handbuch der Chipkarten” by W. Rankl and W. Effing, Hanser Verlag, 3rd edition, 1999, pages 261 to 281. A detailed specification of the Java Card standard, the virtual machine JCVM (Java Card Virtual Machine) used therewith and of the programs (Java Card Applets) that are executed is to be found on the Internet pages of the company Sun Microsystems, Inc., at java.sun.com/products/javacard.
Portable data carriers are frequently used for applications where security is crucial, for example in connection with financial transactions or in electronic signature of documents. Techniques for attacking portable data carriers have already become known in which the execution of a program is disrupted by external interference. Such disruption may be caused, in particular, by voltage pulses, by the effect of heat or cold, by electric or magnetic fields, electromagnetic waves or particle radiation. For example, it is possible to alter register contents in the processor or memory contents by directing flashes of light onto the exposed semiconductor chip. Such interference may possibly compromise the security of the data carrier if, for example, the data carrier outputs a defectively encrypted text which, when analysed, allows inferences to be made about a secret key.
There is therefore the problem of safeguarding a data carrier of the kind mentioned in the introduction from being compromised by attacks that interfere with the execution of a program by a virtual machine.
GB 2 353 113 A discloses a computer network that is capable of compensating for software faults to a certain extent. At least two computers, each executing a virtual machine, are provided in that computer network. If one of the virtual machines is found to be operating incorrectly, execution of the program is continued by the other virtual machine or machines.
The system known from GB 2 353 113 A is foreign to the generic type in question here, since it is intended not for a portable data carrier but for a complex network comprising a plurality of computers. The virtual machines are executed by a plurality of processors which are only loosely coupled to one another. Execution of the program is continued even when one virtual machine is disrupted. That teaching is not suitable for application in a portable data carrier having a single processor.