When a processor is executing a program (referred to below as the “calling program”), it is common practice for at least one of the program instructions to call a subprogram (or called function) so that the subprogram performs certain functions, generally processing data.
A call to a subprogram generally involves passing data as parameters, a technique that enables the calling program to communicate the data for processing to the subprogram.
Parameter passing is nevertheless a particular target for attacks by fault injection. If data that is passed in the form of parameters is changed in passing (e.g. as a result of an attacker physically disturbing the processor), that can be detected neither by the calling program (which issued correct data) nor by the subprogram (which has knowledge only of the modified data).
In order to combat attacks of this type, proposals have already been made, e.g. in Document EP 1 739 519, for the subprogram to produce an additional result that depends on the data it receives and to return the additional result to the calling program in order to verify the integrity of the data as processed.
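The following C sketch illustrates the general idea described in the preceding paragraph: a subprogram returns an additional result computed from the parameters it actually received, and the calling program compares it with a value derived from its own copy of the data. It is an added example, not code from this document or from EP 1 739 519. The names `witness_of`, `add_params`, `checked_add` and the `simulated_fault_mask` test hook are hypothetical, and the rotate-and-XOR witness is an assumed choice.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed test hook: XORed into the first parameter on entry to model
   a fault that corrupts the value while it is being passed. 0 = no fault. */
static uint16_t simulated_fault_mask = 0;

void set_simulated_fault(uint16_t mask) { simulated_fault_mask = mask; }

/* Hypothetical witness: a value both sides can compute from the parameters.
   b is rotated so that swapping a and b changes the witness. */
static uint16_t witness_of(uint16_t a, uint16_t b)
{
    uint16_t rb = (uint16_t)((b << 5) | (b >> 11));
    return (uint16_t)(a ^ rb ^ 0xA5C3u);
}

/* Subprogram: processes the data and also returns an additional result
   computed from the parameters as it actually received them. */
static uint16_t add_params(uint16_t a, uint16_t b, uint16_t *witness)
{
    a ^= simulated_fault_mask;              /* models corruption in passing */
    *witness = witness_of(a, b);
    return (uint16_t)(a + b);
}

/* Calling program: derives the expected witness from its own copy of the
   data and compares it with the one the subprogram returned.
   Returns 0 and stores the result on success, -1 if the data was altered. */
int checked_add(uint16_t a, uint16_t b, uint16_t *result)
{
    uint16_t expected = witness_of(a, b);
    uint16_t returned = 0;
    uint16_t r = add_params(a, b, &returned);

    if (returned != expected)
        return -1;                          /* mismatch: discard the result */
    *result = r;
    return 0;
}

int main(void)
{
    uint16_t r = 0;
    printf("no fault: rc=%d r=%u\n", checked_add(1000, 234, &r), (unsigned)r);
    set_simulated_fault(0x0004);            /* constructed single-bit flip */
    printf("bit flip: rc=%d\n", checked_add(1000, 234, &r));
    return 0;
}
```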