Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
1999-07-15
2001-03-13
Wright, Norman M. (Department: 2184)
C714S039000, C714S702000, C711S152000, C712S234000
active
06202176
ABSTRACT:
BACKGROUND OF THE INVENTION
Field of the Invention
The present invention relates to a method for monitoring the correct execution of software programs in which the overwriting of return addresses is prevented.
The correct execution of software programs is a constant aim that is being achieved to an ever increasing extent through the provision of a wide range of measures.
Whereas, previously, unreliable hardware and programming errors were the primary causes of software programs being executed incorrectly, deliberate manipulation of program execution is now taking on an ever greater significance.
Deliberate manipulation of program execution means that it is possible, for example, to skip particular program parts, which allows checks establishing access authorization to be bypassed, for example.
This may become a serious problem in smart cards, to quote a by no means exclusive example, because, on the one hand, such cards are becoming more and more widespread in security-related areas (for example for access checks, monetary transactions etc.), in particular, and, on the other hand, they can readily be made a target for attempts at manipulation, owing to the fact that it is naturally impossible for them to be constantly monitored or supervised.
A multiplicity of security precautions already built into the smart card results in a very slim chance of a successful improper manipulation. Nevertheless, improper manipulations cannot be entirely eliminated.
The present invention is therefore based on the object of finding a method of monitoring the correct execution of software programs, by use of which, in particular, deliberate manipulation of program execution can be largely eliminated.
SUMMARY OF THE INVENTION
It is accordingly an object of the invention to provide a method of monitoring the correct execution of software programs which overcomes the above-mentioned disadvantages of the prior art methods of this general type.
With the foregoing and other objects in view there is provided, in accordance with the invention, a method of monitoring a correct execution of software programs, which includes:
providing a safeguard memory, the safeguard memory being a memory that cannot be deliberately addressed from outside a system executing a software program being monitored; and
preventing return addresses stored for later use from being overwritten, and preventing incorrectly stored or incorrectly overwritten return addresses from being used as a return address, by generating safeguard information when the return addresses are stored, storing that safeguard information in the safeguard memory, and evaluating it to protect the return addresses from being overwritten and from being used.
Accordingly, the invention provides that overwriting return addresses stored for later use and/or using incorrectly stored or overwritten return addresses as a return address are prevented.
The method steps can be implemented, in practical terms, in a wide variety of ways. In the simplest case, when a function or the like is called that requires the return address to be stored, not only the return address itself but also additional safeguard information is stored which makes it possible to recognize whether the stored return address is still required and therefore must not be overwritten and/or whether the stored return address is the return address originally stored or to be stored.
In the former case, i.e. when return-address overwrite protection is implemented, the safeguard information may contain a write-protection identifier, for example, such as a write-protection bit or the like which is set when a return address is stored and is reset after the stored return address has been used as a return address.
In the second case mentioned, i.e. when return-address use protection is implemented, the safeguard information can contain, by way of example, the return address itself or data which represents or characterizes the return address in another way.
The safeguard information is stored in a memory area that preferably cannot be accessed externally; “normal” storage of the return addresses can, as previously, be in the so-called stack.
If a check is run, before every attempt at writing to the stack, to determine whether the area to be written to is identified by the write-protection bit as being a write-protected area, then it is possible to prevent overwriting data that is to be used later as a return address.
If, alternatively or in addition, a check is run to determine whether data that is to be used as a return address corresponds to the return address originally stored or to be stored, then it is possible to prevent data that has been changed (manipulated) after the return address was stored from being used as a return address.
In both cases, in order to prevent further attempts at manipulation, the program currently being executed can be terminated and/or the system executing the program can be reset and/or an alarm can be triggered and/or security-related data can be deleted and/or other protective measures can be taken.
This can be used to ensure that deliberate manipulation of return addresses cannot result in the correct execution of a program being changed.
A method has therefore been found which further prevents attempts at deliberate manipulation of program execution.
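The two checks described above, overwrite protection through a write-protection bit and use protection through a stored copy of the return address, as an added example in C that is not part of the patent or of any Infineon implementation; the simulated stack, the safeguard array and the sc_* function names are constructed here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#define STACK_WORDS 16

/* Ordinary stack: reachable by the monitored program (and by a manipulator). */
static uint32_t stack_mem[STACK_WORDS];
static int sp;  /* index of the next free stack word */

/* Safeguard memory, not addressable by the program: per stack word a
 * write-protection bit plus a copy of the return address stored there. */
static struct { bool wp; uint32_t ret_copy; } safeguard[STACK_WORDS];

/* Call: store the return address and generate its safeguard information. */
int sc_call(uint32_t ret_addr) {
    if (sp >= STACK_WORDS) return -1;
    stack_mem[sp] = ret_addr;
    safeguard[sp].wp = true;           /* overwrite protection */
    safeguard[sp].ret_copy = ret_addr; /* use protection */
    sp++;
    return 0;
}

/* Ordinary stack write (local data), checked against the write-protect bit first:
 * returns 0 on success, -1 when the target word holds a live return address. */
int sc_stack_write(int idx, uint32_t value) {
    if (idx < 0 || idx >= STACK_WORDS || safeguard[idx].wp) return -1;
    stack_mem[idx] = value;
    return 0;
}

/* Return: the stack word is used as a return address only if it still matches the
 * safeguard copy. Returns the address, or -1 on mismatch/underflow (reset, alarm). */
long long sc_ret(void) {
    if (sp <= 0) return -1;
    int idx = sp - 1;
    if (stack_mem[idx] != safeguard[idx].ret_copy) return -1;
    safeguard[idx].wp = false; /* protection released once the address is used */
    sp--;
    return stack_mem[idx];
}

/* Constructed manipulation that bypasses the write check and alters a stack word
 * directly (models a glitch or an unchecked write path); returns the old value. */
uint32_t sc_raw_poke(int idx, uint32_t value) {
    uint32_t old = stack_mem[idx];
    stack_mem[idx] = value;
    return old;
}
```

A real smart-card implementation would place the safeguard array in memory the CPU cannot address from program code and would wire the -1 paths to a reset or an alarm rather than a return code.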
Other features which are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in a method of monitoring the correct execution of software programs, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.
REFERENCES:
patent: 4296404 (1981-10-01), Sheldon
patent: 5274817 (1993-12-01), Stahl
patent: 5349655 (1994-09-01), Mann
patent: 5978915 (1999-11-01), Lisart et al.
patent: 6076149 (2000-06-01), Usami et al.
patent: 4315732 C1 (1994-06-01), None
patent: 19614904 A1 (1997-10-01), None
patent: 0010186 A1 (1980-04-01), None
patent: 0011136 A1 (1980-05-01), None
“Compiler Assisted Self-Checking of Structural Integrity Using Return Address Hashing”, Uwe Wildner, XP-002068242, pp. 161-177.
Japanese Patent Abstract No. 2-304365 (Sakai), dated Dec. 18, 1990.
Japanese Patent Abstract No. 3-223938 (Kamigaki), dated Oct. 2, 1991.
Japanese Patent Abstract No. 62-28836 (Fujimori), dated Feb. 2, 1987.
Baldischweiler Michael
Pfab Stefan
Greenberg Laurence A.
Infineon - Technologies AG
Lerner Herbert L.
Stemer Werner H.
Wright Norman M.