System and method for validating program execution at run-time

US 9,767,271 B2
Filed: 12/28/2015
Issued: 09/19/2017
Est. Priority Date: 07/15/2010
Status: Active Grant

First Claim

Patent Images

1. A microprocessor comprising:

a multistage instruction processing pipeline, comprising at least one of branch prediction logic elements and speculative execution logic elements, and having a minimum pipeline latency between receipt of a first instruction of a sequence of instructions and readiness for commitment of execution of the first instruction, configured to;

receive a sequence of instructions for processing,concurrently decode the received instructions during the pipeline latency,dispatch the instructions,advance respective instructions of the sequence of instructions to a stage prior to commitment of instruction execution,commit execution of the sequence of instructions to produce at least one execution result comprising alteration of at least one register of the microprocessor external to the instruction processing pipeline in response to execution of at least one instruction and an availability of a verification signal, andrespond to at least one of a misprediction signal and failure of availability of the verification signal, to cause a rollback of the instruction processing pipeline to a state prior to an error which caused the at least one of the misprediction signal and the failure of availability of the verification signal;

a memory configured to store at least a predetermined encrypted reference digital signature;

decryption logic elements configured to decrypt the encrypted reference digital signature in dependence on a decryption key securely stored in, and received from a secure hardware environment to produce a reference digital signature corresponding to an expected digital signature of an authentic sequence of instructions;

verification logic elements configured to match the reference digital signature with a digital signature of the received sequence of instructions; and

authorization logic elements configured, within a first mode of operation, to generate the verification signal within the minimum pipeline latency, contingent upon verifying that the reference digital signature matches the digital signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor'"'"'s memory, and the key for decrypting the said reference signature being stored in a secure storage location. The instruction processing proceeds when the two signatures exactly match and, where further instruction processing is suspended or processing modified on a mismatch of the two said signatures.

2538 Citations

20 Claims

1. A microprocessor comprising:
- a multistage instruction processing pipeline, comprising at least one of branch prediction logic elements and speculative execution logic elements, and having a minimum pipeline latency between receipt of a first instruction of a sequence of instructions and readiness for commitment of execution of the first instruction, configured to;
  
  receive a sequence of instructions for processing,concurrently decode the received instructions during the pipeline latency,dispatch the instructions,advance respective instructions of the sequence of instructions to a stage prior to commitment of instruction execution,commit execution of the sequence of instructions to produce at least one execution result comprising alteration of at least one register of the microprocessor external to the instruction processing pipeline in response to execution of at least one instruction and an availability of a verification signal, andrespond to at least one of a misprediction signal and failure of availability of the verification signal, to cause a rollback of the instruction processing pipeline to a state prior to an error which caused the at least one of the misprediction signal and the failure of availability of the verification signal;
  
  a memory configured to store at least a predetermined encrypted reference digital signature;
  
  decryption logic elements configured to decrypt the encrypted reference digital signature in dependence on a decryption key securely stored in, and received from a secure hardware environment to produce a reference digital signature corresponding to an expected digital signature of an authentic sequence of instructions;
  
  verification logic elements configured to match the reference digital signature with a digital signature of the received sequence of instructions; and
  
  authorization logic elements configured, within a first mode of operation, to generate the verification signal within the minimum pipeline latency, contingent upon verifying that the reference digital signature matches the digital signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15, 16, 17, 18, 19, 20)
- - 2. The microprocessor according to claim 1, further comprising a cache memory signature generator configured to receive the sequence of instructions from a cache memory, and to calculate the digital signature of the received sequence of instructions from a line of the cache memory before receipt of the sequence of instructions by the instruction processing pipeline.
  - 3. The microprocessor according to claim 2, wherein the cache memory is within the microprocessor.
  - 4. The microprocessor according to claim 1, further comprising a memory from which the predetermined encrypted reference digital signature is fetched together with an associated sequence of instructions from a memory.
  - 5. The microprocessor according to claim 1, wherein the secure hardware environment comprises a trusted platform module.
  - 6. The microprocessor according to claim 1, wherein the microprocessor has a second mode of operation in which the verification signal is generated independent of the authorization logic elements.
  - 7. The microprocessor according to claim 1, wherein the decryption logic elements are further configured to decrypt the encrypted reference signature associated with a respective instruction during a period prior to dispatch of the respective instruction.
  - 8. The microprocessor according to claim 1, wherein the authorization logic elements are further configured to permit the instruction processing pipeline to contingently proceed only if the reference digital signature matches the digital signature.
  - 9. The microprocessor according to claim 1, further comprising a table stored in a memory configured to store a plurality of outputs of the verification logic elements corresponding to a plurality of respective reference digital signatures.
  - 10. The microprocessor according to claim 1, wherein the instruction processing pipeline is further configured to suspend processing of a respective instruction of the sequence of instructions until receipt of the verification signal.
  - 11. The microprocessor according to claim 1, further comprising:
    - an interface to a memory storing a checkpoint state representing a predetermined verified state; and
      
      checkpoint logic configured to cause the microprocessor to assume the checkpoint state upon failure of the verification authorization signal.
  - 12. The microprocessor according to claim 1, further comprising:
    - an interface to a memory storing a checkpoint state representing a prior verified state; and
      
      checkpoint logic configured to cause the microprocessor to roll back to the checkpoint state if the selective generation of the authorization upon failure of the verification signal.
  - 15. The microprocessor according to claim 1, wherein the digital signature of the received sequence of instructions is calculated from the cache memory line by a cache memory signature generator during execution of the sequence of instructions by the instruction processing pipeline.
  - 16. The microprocessor according to claim 1, wherein a plurality of predetermined encrypted reference digital signatures are fetched together in advance of associated sequences of instructions from a memory.
  - 17. The microprocessor according to claim 1, further comprising a cache line signature table, configured to store an entry representing the earlier available of the generated signature of the received sequence of instructions and the reference digital signature.
  - 18. The microprocessor according to claim 17, wherein the entry further comprises:
    - (a) an allocation status of the entry;
      
      (b) a type of entry status, selected from the group consisting of the generated signature of the received sequence of instructions and the reference digital signature;
      
      (c) a matching status of whether the generated signature of the received sequence of instructions has been matched to the reference digital signature; and
      
      (d) a verification outcome status of the match of the generated signature of the received sequence of instructions and the reference digital signature.
  - 19. The microprocessor according to claim 1, further comprising a signature generator configured to generate the digital signature of the received sequence of instructions.
  - 20. The microprocessor according to claim 19, wherein the received sequence of instructions are accompanied by the encrypted reference digital signature, which are concurrently fed to the multistage instruction processing pipeline, the decryption logic elements, and the signature generator.

13. A method for verifying instructions executed by a microprocessor, comprising:
- receiving a sequence of instructions for processing by a multistage instruction processing pipeline having a minimum pipeline latency between receiving a first instruction of the sequence of instructions and readiness to commit execution of the first instruction, and comprising at least one of branch prediction logic elements and speculative execution logic elements responsive to at least one of a misprediction signal and failure of an availability of a verification signal to cause a rollback of the multistage instruction processing pipeline to a state prior to an error which caused the at least one of the misprediction signal and the failure of availability of the verification signal;
  
  concurrently decoding, and dispatching a plurality of the sequence of instructions to a stage prior to commitment of instruction execution during the pipeline latency;
  
  committing execution of the sequence of instructions to produce at least one execution result comprising alteration of at least one register of the microprocessor external to the instruction processing pipeline, in response to execution of at least one instruction and the availability of the verification signal;
  
  storing at least a predetermined encrypted reference digital signature in a memory;
  
  decrypting the encrypted reference signature in dependence on a securely received decryption key in a secure hardware environment, to produce a reference digital signature corresponding to an expected digital signature of an authentic sequence of instructions; and
  
  verifying that the reference digital signature matches a digital signature of the received sequence of instructions and generating the verification signal, contingent upon verifying that the reference digital signature matches the digital signature, in a secure hardware environment that generates the verification signal within the minimum pipeline latency.
- View Dependent Claims (14)
- - 14. The method according to claim 13, further comprising:
    - receiving the sequence of instructions from a cache memory; and
      
      calculating the digital signature of the received sequence of instructions from a line of the cache memory by a cache memory signature generator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Research Foundation for The State University of New York (State University of New York)
Original Assignee
The Research Foundation for The State University of New York (State University of New York)
Inventors
Ghose, Kanad
Primary Examiner(s)
Zoubair, Noura

Application Number

US14/981,011
Publication Number

US 20160117501A1
Time in Patent Office

631 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1407   Checkpointing the instructi...

G06F 11/3612   by runtime analysis perform...

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/72   in cryptographic circuits

G06F 21/79   in semiconductor storage me...

G06F 9/3834   Maintaining memory consistency

G06F 9/3851   from multiple instruction s...

G06F 9/3863   using multiple copies of th...

System and method for validating program execution at run-time

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

2538 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for validating program execution at run-time

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

2538 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links