A programmable computing unit is typically designed to process a sequence of instructions to perform a certain task. The sequence of instructions may also be referred to as program code. The program code is typically stored in a memory and provided to the computing unit at runtime. With a view to information security, it may be desired to protect the instructions from being analyzed while they are stored in the memory or transmitted from the memory to the computing unit. On the other hand, errors may occur during an execution of the program code if the instructions reaching the computing unit differ from desired instructions. Differences between the instruction actually processed by the computing unit and the desired instructions may have a random cause or could be deliberately provoked by an intruder. In any event, errors caused by altered instructions should be detected early.
Control flow checking methods may be used to detect such differences between the instructions actually processed by the computing unit and the desired instructions. The underlying principle of control flow checking methods that are based on instruction signatures is to sum up the instructions executed during runtime of a program in a checksum (i.e., the signature) during the runtime of the program and to verify at predetermined program points whether the checksum matches a reference value. A difference between the checksum and the reference value indicates a possible deviation between the actual program execution and an intended program execution.
When a program supporting control flow checking is created or compiled, most of the commonly known control flow checking methods require that so-called update values are inserted at specific points in the program. If, for example, a program jump or branching point occurs and the two different paths (different in the sense that different instruction sequences are executed and lead to different signatures) merge again, the signatures resulting from an execution of the paths need to be consistent at the merge point. To this end, an update value is inserted into at least one of the paths. Branches occur at conditional (direct) jumps, indirect jumps, direct and indirect function calls. Furthermore, reference values are required at the program point where the comparison of the signature calculated during runtime and the reference value are performed. These reference values need to be introduced at the appropriate program points into the program, as well.