System and method for validating program execution at run-time using control flow signatures
First Claim
1. A secure computing method, comprising:
storing a set of precomputed, encrypted reference signatures for a plurality of basic blocks of an executable program terminating in a control flow instruction in a first memory;
during execution of the executable program, retrieving a respective basic block of the executable program from a second memory;
partially processing instructions of the respective basic block of the executable program in a multistage instruction processing pipeline, and concurrently computing a signature of the instructions of the respective basic block with a signature generator, to generate a signature for the respective basic block along an execution path of the instructions to the terminating control flow instruction;
predictively fetching, based on a previously determined pattern of instruction fetching, at least one encrypted reference signature from the first memory;
securely decrypting the at least one encrypted reference signature from the first memory;
storing the securely decrypted at least one encrypted reference signature in a signature cache;
if:
(a) the control flow instruction terminating an execution path of the instructions of the respective basic block of the executable program is pending completion, and
(b) the decrypted reference signature of the respective basic block is available in the signature cache,
then:
verifying the signature for the respective basic block against the decrypted reference signature;
else:
stalling commitment of the control flow instruction terminating the execution path of the instructions of the respective basic block of the executable program, the multistage instruction processing pipeline comprising at least one stage provided as a buffer for a delay incurred by said stalling, until the decrypted reference signature of the respective basic block is available in the signature cache; and
verifying the signature for the respective basic block against the decrypted reference signature; and
if the signature for the respective basic block matches the decrypted reference signature, committing execution of the control flow instruction terminating the execution path of the instructions of the respective basic block of the executable program, else preventing commitment of the control flow instruction terminating the execution path of the instructions of the respective basic block of the executable program and flushing uncommitted instructions from the multistage instruction processing pipeline.
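As an added illustration (not code from the patent or its assignee), the following Python model walks through the sequence of claim 1: reference signatures precomputed and sealed per basic block, predictive fetch and decryption into a signature cache, a stall when the reference is not yet available at the terminating control flow instruction, and commit or flush depending on the comparison. The key, the XOR keystream standing in for the secure hardware decryption logic, and the two-block program are all constructed for the example.

```python
import hashlib, hmac
KEY = b"constructed-demo-key"  # stands in for the key held by the secure hardware decryption logic

def block_signature(instrs):
    """Signature generator: hash the block's instructions in execution order, ending at the control flow instruction."""
    h = hashlib.sha256()
    for ins in instrs:
        h.update(ins.encode() + b"\n")
    return h.digest()

def seal_ref(addr, sig):
    """Encrypt or decrypt (XOR is symmetric) a reference signature with a constructed per-block keystream."""
    stream = hashlib.sha256(KEY + addr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(sig, stream))

class Pipeline:
    def __init__(self, ref_memory):
        self.ref_memory = ref_memory  # first memory: addr -> encrypted reference signature
        self.sig_cache = {}           # signature cache: addr -> decrypted reference signature
        self.events = []              # control signals issued, in order

    def prefetch(self, addr):
        """Predictive fetch: decrypt the reference for the block expected to execute next."""
        if addr in self.ref_memory and addr not in self.sig_cache:
            self.sig_cache[addr] = seal_ref(addr, self.ref_memory[addr])

    def run_block(self, addr, instrs):
        """Verify one basic block; return the signal issued for its terminating control flow instruction."""
        sig = block_signature(instrs)        # computed alongside instruction processing
        if addr not in self.sig_cache:       # reference not decrypted yet: stall commitment
            self.events.append(("stall", addr))
            self.prefetch(addr)
        ref = self.sig_cache.get(addr)
        if ref is not None and hmac.compare_digest(sig, ref):
            self.events.append(("commit", addr))
            return "commit"
        self.events.append(("flush", addr))  # mismatch or no reference: flush uncommitted work
        return "flush"

# Constructed two-block program (each block ends in a control flow instruction); sealed references model the first memory.
PROGRAM = {0x100: ["mov r1, 5", "add r1, r1, 1", "br 0x200"], 0x200: ["ld r2, [r1]", "ret"]}
REF_MEMORY = {a: seal_ref(a, block_signature(b)) for a, b in PROGRAM.items()}

def demo(tampered=False):
    cpu = Pipeline(REF_MEMORY)
    cpu.prefetch(0x100)                           # predicted first block: cache hit, no stall
    first = cpu.run_block(0x100, PROGRAM[0x100])
    # with tampered=True the first instruction of the second block has been altered in the second memory
    block = PROGRAM[0x200][:] if not tampered else ["ld r2, [r7]", "ret"]
    second = cpu.run_block(0x200, block)          # not prefetched: stall, decrypt, then verify
    return first, second, cpu.events
```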
Abstract
A processor comprising: an instruction processing pipeline, configured to receive a sequence of instructions for execution, said sequence comprising at least one instruction including a flow control instruction which terminates the sequence; a hash generator, configured to generate a hash associated with execution of the sequence of instructions; a memory configured to securely receive a reference signature corresponding to a hash of a verified corresponding sequence of instructions; verification logic configured to determine a correspondence between the hash and the reference signature; and authorization logic configured to selectively produce a signal, in dependence on a degree of correspondence of the hash with the reference signature.
20 Claims

1. A secure computing method, comprising the steps set out under First Claim above. Dependent claims: 2 to 10.

11. A microprocessor configured for secure computing execution, comprising:
a signature cache configured to store a plurality of respective reference signatures of respective basic blocks of at least one executable program each terminating in a control flow instruction;
a multistage instruction processing pipeline comprising at least one stage provided as a buffer for a delay incurred by a presence of a control signal to stall execution of at least one instruction of a basic block in the multistage instruction processing pipeline, responsive to:
at least a first control signal to stall execution of the at least one instruction,
at least a second control signal to flush uncommitted instructions from the multistage instruction processing pipeline, and
at least a third control signal to commit execution of the at least one instruction;
a signature generator configured to determine a signature of the basic block of instructions within the multistage instruction processing pipeline, in parallel with instruction execution within the multistage instruction processing pipeline;
predictive fetching logic, configured to:
fetch at least one encrypted reference signature, based on a previously determined pattern of instruction fetching,
securely decrypt the at least one encrypted reference signature with secure hardware decryption logic, and
store the securely decrypted at least one encrypted reference signature in the signature cache;
verification logic configured to:
determine a match of the determined signature of the basic block of instructions with the decrypted reference signature in the signature cache,
produce the at least the second control signal to flush uncommitted instructions from the multistage instruction processing pipeline in event of a failure to match, and
produce the at least the third control signal to commit the execution of the at least one instruction in event of success of the match; and
flow control logic configured to determine presence of the control flow instruction terminating the basic block in the multistage processing pipeline, and to produce the at least the first control signal to stall execution of the instruction if the control flow instruction terminating the basic block is pending execution and the decrypted reference signature corresponding to the basic block is not available to the verification logic, and to resume execution of the instruction after the decrypted reference signature corresponding to the basic block becomes available to the verification logic.
Dependent claims: 12 to 19.

20. A secure computing microprocessor, comprising:
a multistage instruction processing pipeline comprising a buffer stage configured to buffer a delay incurred by a stall in execution of an instruction of a basic block of an executable program, the basic block terminating in a control flow instruction, responsive to:
a first control signal, to stall the execution of the instruction,
a second control signal, to flush uncommitted instructions from the multistage instruction processing pipeline, and
a third control signal, to commit the execution of the instruction;
a signature generator configured to generate a signature of the basic block, in parallel with instruction execution within the multistage instruction processing pipeline;
a signature cache configured to store a plurality of reference signatures of respective basic blocks of the executable program;
predictive fetching logic, configured to:
fetch at least one encrypted reference signature, based on a previously determined pattern of instruction fetching;
securely decrypt the at least one encrypted reference signature with secure hardware decryption logic; and
securely store the decrypted at least one encrypted reference signature in the signature cache;
verification logic configured to:
compare the generated signature of the basic block with a respective decrypted encrypted reference signature securely stored in the signature cache to determine a match;
produce the second control signal to flush uncommitted instructions from the multistage instruction processing pipeline in event of a failure to determine the match, and
produce the third control signal to commit the execution of the at least one instruction in event of a success to determine the match; and
flow control logic configured to determine presence of the control flow instruction terminating the basic block in the multistage processing pipeline, and to produce the first control signal to stall execution of the instruction if the control flow instruction terminating the basic block is pending execution and the decrypted reference signature corresponding to the basic block is not available to the verification logic, and to resume execution of the instruction by cessation of the first control signal after the decrypted reference signature corresponding to the basic block becomes available to the verification logic.

Specification