It is well known that a program used by a microcontroller or a microprocessor is made up of a set of instructions, each made up of an operation code (opcode) and possibly one or several operands. The first octet of an instruction (the "opcode") plays an important role as it defines the desired function. Depending on the instruction, one or several octets are needed to form it.
Depending on the type of processor, the size of an opcode can be, for example, 8, 12, 16 or 32 bits. An opcode can also temporarily be of a greater length.
As it is also known, the processor executes the instructions according to the value contained in a program counter.
When a processor is out of synchronisation, for example following a programming error or an external disturbance, it is possible for its program counter (PC) to indicate a position in the memory that is not an operation code, but rather an operand.
These disturbances can originate, for example, from micro-interruptions in the power supply, from voltage peaks on the connection bus, from hot or cold thermal shocks, from exposure to a magnetic field, from exposure to laser light, from alpha particles, etc.
When this type of external disturbance occurs, which an ill-intentioned individual can, for example, deliberately induce on the processor, it interrupts the normal execution of one or several instructions. Through this type of disturbance, it is possible for a running program to jump to a location not provided for in this program. It is also possible for such a disturbance to change the content of the program counter in such a way that the program continues to run without passing through the instructions provided previously and without passing through the associated access conditions. This leads to a situation in which the verification and authentication procedures are not carried out, or in which a communication port of the microcontroller module releases information that should not normally leave the security module or the microcontroller, such as keys, data and parts of the program.
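The desynchronisation described above, where the program counter lands on an operand instead of an opcode, can be reproduced on a small scale. The following is an added example, not taken from the original text: the 8-bit instruction set, the byte program and the function names are all hypothetical and constructed for illustration, and the boundary check is only one simple way to recognise a misaligned program counter, not the method of any cited patent.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical ISA constructed for this example: opcode -> total instruction length. */
static int insn_len(uint8_t op) {
    switch (op) {
    case 0x01: case 0x02: return 2; /* LOAD imm8, CMP imm8 */
    case 0x03: case 0x04: return 3; /* JNE addr16, CALL addr16 */
    case 0x05: return 1;            /* RET */
    default:   return 0;            /* not an opcode */
    }
}

/* Constructed program: the LOAD operand 0x04 has the same value as the CALL opcode. */
static const uint8_t PROGRAM[] = {
    0x01, 0x04,        /* 0:  LOAD #0x04                     */
    0x02, 0x10,        /* 2:  CMP  #0x10 (access condition)  */
    0x03, 0x00, 0x0A,  /* 4:  JNE  0x000A                    */
    0x04, 0x00, 0x20,  /* 7:  CALL 0x0020                    */
    0x05               /* 10: RET                            */
};

/* Decode linearly from pc, recording every byte that is treated as an opcode. */
static size_t trace(const uint8_t *p, size_t n, size_t pc, uint8_t *ops, size_t max) {
    size_t count = 0;
    while (pc < n && count < max) {
        int len = insn_len(p[pc]);
        if (len == 0 || pc + (size_t)len > n) break;
        ops[count++] = p[pc];
        pc += (size_t)len;
    }
    return count;
}

/* Return 1 only if pc is the first byte of an instruction reached from offset 0. */
static int on_boundary(const uint8_t *p, size_t n, size_t pc) {
    size_t at = 0;
    while (at < pc && at < n && insn_len(p[at]) != 0)
        at += (size_t)insn_len(p[at]);
    return at == pc && pc < n;
}

int main(void) {
    uint8_t ops[16];
    printf("instructions from pc=0: %zu, from pc=1: %zu\n",
           trace(PROGRAM, sizeof PROGRAM, 0, ops, 16), trace(PROGRAM, sizeof PROGRAM, 1, ops, 16));
    return 0;
}
```

Decoding from offset 1 interprets the operand 0x04 as a CALL that swallows the CMP instruction, so the comparison never appears in the decoded stream, while `on_boundary` reports that offset 1 is not an instruction start.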
The French patent application FR-A-2 790 844 aims to resolve this problem by proposing a process and a device for controlling the running of a program. According to this process, it is verified that all the instructions comprised in a block of instructions that must be executed by a processor have been transmitted correctly. It is also verified that certain values obtained at the time of the execution of the instructions correspond to pre-registered values.
According to this process, the running of the entire program is not controlled. In particular, there is no verification of the instructions or the blocks of instructions that can be executed legitimately after the last instruction or the last block of instructions carried out.