Method for protection of computer core from unsanctioned outside changes

FIELD: computers.

SUBSTANCE: the method includes forming, by means of a mathematical logical operation on the contents of the central processor's registers obtained after the processor has executed a command, a final checksum and storing it in memory; forming, on the basis of the register contents obtained before said processor starts executing the directly following command, a starting checksum; and, if the starting checksum does not match the final checksum, generating an error message, which can be followed by halting processor operation or by blocking the chip card and removing it from circulation.

EFFECT: higher reliability.

2 cl, 2 dwg

 

The present invention relates to protecting the data of a computing device from unauthorized changes from the outside, primarily to protecting the data stored in the core of the computing device, i.e. in its central processing unit (CPU). The invention can find application in chip cards in particular, since their data must be especially well protected from unauthorized changes from the outside.

It is known that the memory of a computing device can be protected against unauthorized changes, for example, by encoding the data transmitted over the data bus, by encoding the data stored in memory, etc. DE 3709524 C2, for example, discloses a program for checking the contents of the cells of a program memory. With this program, each time at the start of the program or while it is running, a checksum is calculated from the contents of the memory cells and then compared with a checksum previously stored in the program memory. This makes it possible to detect changes to the original contents of the memory cells, or changes that arise only during operation of the device, and to issue an error message if such changes are found.

The object of the present invention is to develop a more effective approach to protecting the data of a computing device from unauthorized changes from the outside.

This object is achieved according to the invention by a method, by a central processing unit for carrying out the method, and by a computing device or chip card having such a CPU, in accordance with the distinctive features of the independent claims. Preferred embodiments of the invention are given in the respective dependent claims.

The basic idea of the invention is that protecting the data stored in the core of the computing device, i.e. in its central processing unit (CPU), from unauthorized changes from the outside can increase the degree of protection of the computing device, because data in the core of the computing device is stored in unencrypted form and is therefore easily susceptible to unauthorized changes.

To recognize such unauthorized changes, after the CPU has executed a command, a checksum is determined from the contents of several CPU registers using a mathematical logical operation, such as an exclusive OR operation, and is stored in memory as the final checksum. Before the processor executes the next command, a checksum is calculated again; this is the initial checksum. Comparing the initial and final checksums, which should be the same, makes it possible to determine whether unauthorized changes were made to the contents of the CPU registers after the last command was executed. The register contents considered are the contents of those memory areas of the CPU that can take a state other than logic 0, such as, in a processor of the 8051 type, the accumulating register, the binary accumulating register, the data pointers (DPTR, DPL, DPH), the registers (R0-R7) of the register banks, the program status word register (PSW), the stack pointer (SP), the special function register (SPR), etc.

To further improve protection against unauthorized access, a counter can additionally be started when a command is entered, counting the number of clock cycles required to execute the command. The counter is preferably implemented in hardware.

A logic circuit, which derives from the operation code of the command being executed the number of clock cycles needed to execute that command, loads this information into the counter. The counter then runs in parallel with the executing command.

In addition, it is checked whether the running command completes within the specified number of cycles. If the command has not been executed within the specified period of time, then, for example, the supply of clock pulses is stopped, which prevents further execution of commands. In another embodiment, a reset may be initiated instead, returning the central processor to its initial state.

Similar measures can be taken when a command completes early, i.e. if the counter has not reached the threshold value at the time a new operation code is registered.
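The counter check described in the preceding paragraphs can be modelled in a few lines of C. This is an added example, not code from the patent: the function and type names are assumptions, the counter is modelled as counting down machine cycles, and the opcode table is a short excerpt of classic 8051 cycle counts.

```c
/* Added example: model of the per-command cycle counter. Names are assumptions;
 * the table is an excerpt of classic 8051 machine-cycle counts, not a decoder. */
#include <stdint.h>
#include <stdio.h>
enum cc_status { CC_OK, CC_OVERRUN, CC_EARLY, CC_UNKNOWN };

/* "Logic circuit": opcode -> expected machine cycles (0 = not in excerpt). */
unsigned expected_cycles(uint8_t opcode)
{
    switch (opcode) {
    case 0x00: return 1;   /* NOP          */
    case 0x02: return 2;   /* LJMP addr16  */
    case 0xA4: return 4;   /* MUL AB       */
    default:   return 0;
    }
}

/* remaining: cycles left for the command in flight; active: a command was loaded */
typedef struct { unsigned remaining; int active; } cycle_counter;

/* A new operation code is registered: check for early completion, reload. */
enum cc_status cc_on_opcode(cycle_counter *cc, uint8_t opcode)
{
    if (cc->active && cc->remaining != 0)
        return CC_EARLY;             /* previous command ended too soon */
    unsigned n = expected_cycles(opcode);
    if (n == 0)
        return CC_UNKNOWN;
    cc->remaining = n;
    cc->active = 1;
    return CC_OK;
}

/* One more cycle elapses while the current command is still executing. */
enum cc_status cc_on_cycle(cycle_counter *cc)
{
    if (cc->active && cc->remaining == 0)
        return CC_OVERRUN;           /* budget exhausted: stop clock or reset */
    if (cc->active)
        cc->remaining--;
    return CC_OK;
}

/* Constructed trace: a command takes `actual` cycles, then a NOP is fetched. */
enum cc_status run_command(uint8_t opcode, unsigned actual)
{
    cycle_counter cc = {0};
    enum cc_status s = cc_on_opcode(&cc, opcode);
    for (unsigned i = 0; i < actual && s == CC_OK; i++)
        s = cc_on_cycle(&cc);
    return s == CC_OK ? cc_on_opcode(&cc, 0x00) : s;
}

int main(void)
{
    printf("%d %d %d\n", run_command(0xA4, 4), run_command(0xA4, 5), run_command(0xA4, 2));
    return 0;
}
```

Both deviations are reported: a command that is still running after its cycle budget (overrun) and a new opcode arriving before the budget is used up (early completion).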

The logical combination of the registers that are important for data protection can be implemented at the hardware or software level. For example, the formation of the checksum in the time interval between two consecutive commands may occur on a random basis or some specific event or calculate this checksum can happen.

The invention is described in more detail below with reference to the accompanying drawings, which show:

figure 1 - the structure of a microcontroller, using the 8051 processor as an example, and

figure 2 - a logic circuit for logically combining several memory areas of the CPU.

Figure 1 shows the structure of the 8051 processor, which is an 8-bit processor. Since the known coding methods protect data from unauthorized changes by encoding it during transmission on the bus or when it is stored in memory, data is stored in the core of the computing device, i.e. in the central processor, in unencoded form. The method proposed in the invention makes it possible to detect unauthorized changes in one or more registers of the CPU.

Figure 2 shows, as an example of such memory areas of the CPU that are important for data protection and whose data can potentially be subject to unauthorized modification, the stack pointer SP, the accumulating register AC, the binary accumulating register YOU, the registers R0-R7, and the data pointers DPL and DPH for the lower and upper areas, respectively, of the internal random access memory (NVR). These registers are logically combined with each other to form a checksum. According to figure 2, two 8-bit registers at a time are logically combined by an Exclusive OR (XOR) gate. Thus, in particular, performing a logical Exclusive OR operation on the contents of registers R0 and R2 yields a new 8-bit code combination, which in turn is combined in an Exclusive OR gate with the 8-bit code combination formed by performing a logical Exclusive OR operation on the contents of registers R1 and R7. Performing the subsequent logical XOR operations on the corresponding 8-bit code combinations results in an 8-bit code combination that serves as the checksum and is labeled in figure 2 as the "initial checksum" (AUC). Instead of the logical Exclusive OR operation, which is preferred primarily because of the small amount of computation it requires, other operations can obviously also be used to form the checksum.

When the logical operations on the register contents are performed in hardware using logic elements, the checksum changes directly with every change in the register contents. In other words, while the CPU is executing a command, the checksum may change repeatedly. For the method, however, only the checksum obtained after a command has been executed and before the directly following command is executed matters, since these two checksums (the final checksum (CCF) obtained for a specific command and the initial checksum for the next command) are compared in the comparator.

This comparison is carried out as follows. The checksum obtained at the end of execution of the first command is stored in the CPU memory as the final checksum. To determine whether unauthorized changes were made to the data in the processor after the first command was processed and before the next, second command is loaded into the CPU, the initial checksum is formed, as indicated at the beginning of the description, in parallel with the input of this second command. In the first step a), the comparator compares the initial checksum with the final checksum stored in memory for the previously completed first command.

If the data in the CPU has not been tampered with, the initial and final checksums will be the same, and the result of their comparison will be zero. The comparator then outputs a signal on the basis of which, in the second step b), after the second command has been executed, the current checksum is stored in memory as the new final checksum, i.e. execution of the second command is not interrupted in this case. If, on the other hand, the value obtained by comparing the initial and final checksums differs from zero, this indicates an unauthorized change to the data stored in the CPU. In this case the output signal of the comparator leads, instead of the second step b), to step c), in which an error message is issued; in figure 2 this is represented as stopping the processing of commands. In this case, for example, the processor may be halted, a security sensor or a lock may be activated, or, in the case of a chip card, the card may be locked in the terminal.

The above protection mechanism can also be implemented solely at the software level, by forming checksums and comparing them with each other, first at the end of a command and second at the start of execution of the next command. The corresponding program may be stored in the read-only memory (ROM) or erasable programmable ROM (EPROM) of the processor, and the final checksum can be saved in the bit-addressable NVR of the processor.
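A software model of steps a) to c) for the registers listed for figure 2, as an added example that is not code from the patent. The struct layout and all function names are assumptions, and the "binary accumulating register" is assumed here to be the 8051 B register.

```c
/* Added example: software model of the register checksum check. The struct
 * layout and all function names are assumptions, not taken from the patent. */
#include <stdint.h>
#include <stdio.h>

typedef struct {               /* registers named in the figure 2 text */
    uint8_t sp, acc, b;        /* b: binary accumulating register (assumed 8051 B) */
    uint8_t r[8];              /* R0-R7 */
    uint8_t dpl, dph;          /* data pointers */
} cpu_regs;

typedef struct {
    uint8_t final_checksum;    /* stored after the previous command */
    int     halted;            /* step c) taken: processing stopped */
} guard;

/* XOR is associative and commutative, so a flat fold gives the same 8-bit
 * value as the pairwise gate tree (R0^R2, R1^R7, ...) of figure 2. */
uint8_t reg_checksum(const cpu_regs *c)
{
    uint8_t sum = c->sp ^ c->acc ^ c->b ^ c->dpl ^ c->dph;
    for (unsigned i = 0; i < 8; i++)
        sum ^= c->r[i];
    return sum;
}

/* Step b): a command has completed, store the current checksum as final. */
void guard_after_command(guard *g, const cpu_regs *c)
{
    g->final_checksum = reg_checksum(c);
}

/* Step a): form the initial checksum and compare it with the stored one.
 * Returns 0 to continue, -1 once step c) (error, halt) has been taken. */
int guard_before_command(guard *g, const cpu_regs *c)
{
    if (!g->halted && (reg_checksum(c) ^ g->final_checksum) != 0)
        g->halted = 1;         /* comparator output non-zero */
    return g->halted ? -1 : 0;
}

/* Constructed scenario: optional outside change between two commands. */
int demo(int tamper)
{
    cpu_regs c = { .sp = 0x07, .acc = 0x3C, .r = {1, 2, 3, 4, 5, 6, 7, 8},
                   .dpl = 0x10, .dph = 0x80 };
    guard g = {0};
    c.acc += 1;                /* stands in for executing INC A */
    guard_after_command(&g, &c);
    if (tamper)
        c.r[2] ^= 0x40;        /* outside change between two commands */
    return guard_before_command(&g, &c);
}

int main(void)
{
    printf("clean=%d tampered=%d\n", demo(0), demo(1));
    return 0;
}
```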

The above method does not necessarily have to be performed before each command is executed. One embodiment provides for carrying out the method upon the occurrence of a random or some specific event. In one variant, the start of the method may depend on time.

In another embodiment, the operations of the proposed method may begin when the contents of one or more CPU registers correspond to a predetermined code combination.

In another embodiment, the method may begin after a certain number of commands have been executed.

It is preferable to carry out the method only when a certain, sufficiently long period of time passes between the command after which the checksum was stored in memory as the final checksum and the initial checksum formed at the start of execution of the directly following command. This approach reduces the load on the computing device when executing a program that comprises a large number of commands. If one assumes that unauthorized changes to data in the CPU, especially in the case of smart cards, occur not during program execution but when the smart card has been withdrawn from the terminal, reliable detection of unauthorized changes to the data in the CPU is ensured in this case as well.

1. A method for protecting a computing device having a central processing unit (CPU) from unauthorized changes from the outside to the data stored in its memory, wherein, on the basis of the contents of the CPU registers obtained at the end of execution of a command by this processor, a final checksum is formed by a mathematical logical operation and stored in memory, and, on the basis of the register contents obtained before execution by said processor of the directly following command, an initial checksum is formed, and if the initial checksum does not match the final checksum, an error message is generated.

2. The method according to claim 1, characterized in that, when a command is entered, a counter is started which counts the number of clock cycles necessary to execute the command, and an error signal is issued if the number of clock cycles differs from the specified number of cycles, either upward or downward.

3. The method according to claim 2, characterized in that the error signal triggers an interrupt or stops the supply of clock pulses.

4. The method according to claim 2 or 3, characterized in that the data on the number of clock cycles necessary to execute the command is obtained by means of a logic circuit on the basis of the operation code of the command being executed.

5. The method according to any one of claims 1 to 3, characterized in that the mathematical logical operation consists in performing the Exclusive OR operation on the contents of the registers.

6. The method according to any one of claims 1 to 3, characterized in that the operations of the method begin upon the occurrence of a random or some specified event.

7. The method according to claim 6, characterized in that the operations of the method begin depending on the time.

8. The method according to claim 6, characterized in that the operations of the method begin when the contents of one or more registers of the CPU correspond to some predetermined code combination.

9. The method according to claim 6, characterized in that the operations of the method start each time after a specified number of commands.

10. A central processing unit (CPU) of a computing device for implementing the method according to claim 1, having a circuit that performs logical operations on the contents of several CPU registers using logic elements to form a checksum, a memory for storing a first checksum formed by the logic elements, a comparator for comparing a second checksum formed by the logic elements with the first checksum stored in said memory, and a control device designed to control the storing of the first checksum in said memory and to control the comparator.

11. The central processor of claim 10, characterized in that it has a counter designed to count the number of clock cycles necessary to execute commands.

12. The central processor of claim 10 or 11, characterized in that it has a logic circuit for determining, on the basis of the operation code of the command being executed, the number of clock cycles necessary to execute that command.

13. The central processor according to any one of p-12, characterized in that it is designed for use in a computing device.

14. The central processor according to any one of p-12, characterized in that it is designed for use in a smart card.



 
