Method and Device for Securing Access to Encoded Variables in a Computer Program

20230305911 · 2023-09-28

    Abstract

    A method, device and computer program product for securing access to an encoded variable in a computer program having a plurality of encoded variables, each of which has its own dynamic signature. When an encoded variable is accessed, its dynamic signature is modified. The sum value of the dynamic signatures of all other encoded variables is carried in an encoded tracer variable, and this sum value is adapted whenever the dynamic signature of one of the encoded variables is modified. To monitor the dynamic signatures, the sum formed over the encoded variables is compared with the sum value stored in the encoded tracer variable, and an error handling process is initiated in the event of a discrepancy, such that all signatures in an arithmetically encoded program can be managed in a high-performance manner regardless of the complexity of the program.

    Claims

    1-13. (canceled)

    14. A method for securing access operations to at least one coded variable in a computer program comprising a multiplicity of coded variables, a large number of or each coded variable including a respective dynamic signature, each respective dynamic signature being changed in a prescribed manner in an event of an access operation to the at least one coded variable, and a sum value for all dynamic signatures of all other coded variables being carried in a coded tracer variable, the method comprising: modifying, in an event of a change in a dynamic signature of one of the coded variables, the sum value carried in the tracer variable in the same way as the prescribed manner; comparing, for a check, the sum of the dynamic signatures of the coded variables with the sum value stored in the coded tracer variable; and triggering, in an event of a discrepancy, error handling; wherein the sum value of all dynamic signatures is formed during said check; and wherein prior to said comparison, a respective modulo operation comprising system constants utilized to code all coded variables and to code the coded tracer variable is applied to the sum of the dynamic signatures and is applied to the sum value carried in the tracer variable.

    15. The method as claimed in claim 14, wherein the coded variables are coded based on AN, ANB or ANBD coding.

    16. The method as claimed in claim 14, wherein a new or changed dynamic signature is defined for the coded variable upon each write access operation to the coded variable.

    17. The method as claimed in claim 16, wherein a new or changed dynamic signature is defined for a coded variable upon each read access operation to the coded variable.

    18. The method as claimed in claim 14, wherein the prescribed manner comprises either always adding or always subtracting a defined value other than zero to or from the previous dynamic signature of the respective coded variable.

    19. The method as claimed in claim 14, wherein the sum of all signatures gives a correctly coded value in accordance with the selected coding.

    20. The method as claimed in claim 14, wherein the computer program comprises an automation program of an industrial automation component; and wherein the check is performed at least once in a cycle of the automation program.

    21. The method as claimed in claim 20, wherein the check is performed at least once at an end of the cycle.

    22. The method as claimed in claim 14, wherein the complete execution of all program portions intended to be executed in a respective cycle of the computer program is defined as a securement of access operations via the signature changes.

    23. A device for securing access operations to at least one coded variable in a computer program comprising a multiplicity of coded variables which is executed on the device, a large number or each coded variable including a respective dynamic signature, the device comprising: a processor; and memory; wherein the processor is configured to: modify, in an event of a change in a dynamic signature of one of the coded variables, a sum value carried in the tracer variable in the same way as a prescribed manner via which each respective dynamic signature is being changed; compare, for a check, a sum of the dynamic signatures of the coded variables with a sum value carried in the coded tracer variable; and trigger, in an event of a discrepancy, error handling; wherein the sum value of all dynamic signatures is formed during said check; and wherein, prior to said comparison, a respective modulo operation comprising system constants utilized to code all coded variables and to code the coded tracer variable is applied to the sum of the dynamic signatures and is applied to the sum value carried in the tracer variable.

    24. The device as claimed in claim 23, wherein the device comprises a computer or an industrial automation component.

    25. A computer program product for securing access operations to at least one coded variable in a computer program comprising a multiplicity of coded variables which, when executed on a computer or on an industrial automation component, secures access operations to the at least one coded variable in the computer program, the computer program product comprising: program code for modifying, in an event of a change in a dynamic signature of one of the coded variables, a sum value carried in the tracer variable in the same way as a prescribed manner via which each respective dynamic signature is being changed; program code for comparing, for a check, a sum of the dynamic signatures of the coded variables with a sum value carried in the coded tracer variable; and program code for triggering, in an event of a discrepancy, error handling; wherein the sum value of all dynamic signatures is formed during said check; and wherein, prior to said comparison, a respective modulo operation comprising system constants utilized to code all coded variables and to code the coded tracer variable is applied to the sum of the dynamic signatures and is applied to the sum value carried in the tracer variable.

    26. The computer program product as claimed in claim 25, wherein the computer comprises an industrial automation component.

    27. The computer program product as claimed in claim 25, wherein the computer program product forms part of, or an upgrade to, firmware or forms part of, or an upgrade to, an operating system of a computer.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0043] One exemplary embodiment of the method in accordance with the invention is explained below with reference to the drawings, which are used simultaneously to explain an exemplary embodiment of a device and a computer program product of this kind, in which:

    [0044] FIG. 1 shows the securing of an addition to a coded variable in accordance with the invention; and

    [0045] FIG. 2 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0046] In order to check a program sequence, the prior art uses running variables, so-called tracer variables (“tracers” for short), whose content logs the program path that has been run through so that this path can be checked.

    [0047] With reference to FIG. 1, in the present example the tracer variable Tracer_c is used to check the dynamic signatures of all coded variables of a computer program and the access operations to all of these coded variables. The example shows this for the coded variable x_c.

    [0048] In the present example, without restricting generality, the variable x_c is ANBD-coded in accordance with a rule of the form:

    [00002] x_c := x_f*A + B_x + D_x

    [0049] In this case, D_x is the dynamic signature of x. D_x changes at regular or irregular intervals, for example in each cycle of a program or in a time-controlled manner. In the prior art, the change of D_x is often predefined externally, which means that the dynamic signature is changed asynchronously with the execution of the computer program, in particular an automation program; the dynamic signature D_x is then often constant during a cycle. In the present exemplary embodiment, D_x instead changes upon each access operation (read or write) to the coded variable x_c; in other embodiments, D_x may, for example, change only upon write access operations. In other words, given the starting value (initialization value or the like) of D_x and the change value applied upon each access operation, the number of access operations in a basic block, i.e., a linearly executed program section of a computer program, can be calculated from the current value of D_x and compared with an expected value, so that the complete execution of a program step can be checked.

    [0050] In accordance with the invention, the D-signatures are allocated such that the sum of all signatures (B_x; D_x) always gives a correctly coded ANBD value.

    [0051] It thus holds that:

    [00003] (Σ_x B_x) mod A = B_sum

    [00004] (Σ_x D_x) mod A = D_sum

    [0052] It is assumed that, for each coded variable, the currently applicable values of the signatures B_x and D_x are stored in a separate variable, memory location, register or bit range of the coded variable reserved for this purpose.

    [0053] The B-signatures are constant, so the sum B_sum is also constant. Its actual value is unimportant here.

    [0054] This sum D_sum of the dynamic signatures is compared with a coded value Tracer_c, whose signature either differs from the signature of the sum only by a fixed value or stores the sum correctly in coded form; the two variants thus have the form:

    [00005] Tracer_c = A*X + B_tracer + D_sum

    or

    [00006] Tracer_c = A*D_sum + A^2*X + B_tracer + D_tracer

    [0055] The value of X is unimportant for the concept of the invention in both embodiments. As is conventional, it serves to simplify the calculation of Tracer_c; it may also be used to satisfy additional security requirements.

    [0056] In accordance with the invention, the sum D_sum of the D-signatures of all coded variables is calculated at a checkpoint of the computer program, for example at the end of a cycle of an automation program. D_sum is additionally calculated, in a diversified manner, from the content of the coded tracer variable Tracer_c, whose value is changed in the same way upon each access operation to x_c in which the associated value of D_x is changed.

    [0057] A basic block as considered here consists of a linear sequence of computing steps; in the example of FIG. 1, a basic block is shown on the right-hand side and adds, in coded arithmetic, the number “1” to the coded variable x_c.

    [0058] Each computing step of a basic block has a fixed number of access operations to coded values, so D_sum changes by a constant value per step, and its change over the entire basic block (as it is referred to in the literature) is constant as well. This change (possibly multiplied by A, depending on the selected tracer form) must also be added to the tracer variable Tracer_c. The tracer is thus coded such that it can itself be checked for correctness.

    [0059] In the error-free case it holds that, depending on the selected structure of the tracer variable:

    [00007] Tracer_c = A*X + B_tracer + D_sum

    or

    [00008] Tracer_c = A*D_sum + A^2*X + B_tracer + D_tracer

    [0060] As a result, only Tracer_c still needs to be secured by the conventional methods used hitherto, i.e., Tracer_c must, for example, be stored and processed in coded form; where the security requirements are lower, Tracer_c may also be uncoded. An action that changes the program sequence or the data therefore only has to be supplemented with a fixed command sequence securing Tracer_c, so that the number of access operations remains in line with the expected value. Hitherto, such supplementing had to be done separately for each affected coded variable.

    [0061] In one advantageous embodiment, the D-signatures are corrected such that D_sum corresponds to the ID of the basic block at a clearly defined location in the basic block (for example at its end). This provides a simple checking option. However, D_sum then repeats cyclically, so this check is not suitable for higher SIL (safety integrity levels).

    [0062] At the end of the cycle or program, a consistency check then occurs with 2 criteria:

    [0063] 1. Tracer_c is coded correctly and

    [0064] 2.

    [0065] It is assumed here that the B-signature of the tracer may change; in the consistency check, the last valid value of B, i.e., B_tracerload (“last valid B of the tracer variable”), then has to be used. In this example the D-signature of the tracer is also constant within one cycle, and is therefore denoted D_cyc here (D of the current cycle).

    [0066] In order to avoid or manage overflows, the value of the tracer variable may be limited, for example by the operation

    [00010] Tracer_c := Tracer_c MOD A^2

    provided that

    [00011] B_tracerload + D_cyc < A.
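    Carrying the limiting operation through with the tracer form [00006] shows where this condition comes from. The following derivation is added here and is not part of the original text; B_tracer and D_tracer denote the signature values valid at the time of the check, i.e., B_tracerload and D_cyc:

    Tracer_c = A*D_sum + A^2*X + B_tracer + D_tracer,  where D_sum = (Σ_x D_x) mod A, hence 0 ≤ D_sum ≤ A - 1

    Tracer_c MOD A^2 = (A*D_sum + B_tracer + D_tracer) MOD A^2

    A*D_sum + B_tracer + D_tracer ≤ A*(A - 1) + B_tracer + D_tracer < A^2  for every admissible D_sum exactly when  B_tracer + D_tracer < A

    Under this condition the limiting operation is lossless and the check recovers

    D_sum = ((Tracer_c MOD A^2) - B_tracer - D_tracer) / A

    while the coding of the tracer itself is verified by

    (Tracer_c - B_tracer - D_tracer) MOD A = 0.

    If instead B_tracer + D_tracer ≥ A, then for D_sum = A - 1 the limited value wraps modulo A^2 and the decoded sum is wrong, so the signature budget of the tracer must be kept below A.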

    [0067] It bears noting that the usual way of keeping the signature of coded variables consistent is to add a constant in the otherwise empty paths of branches or loops. If this is done exclusively for Tracer_c, the complexity of the coded processing remains linear with respect to the standard (uncoded) program.

    [0068] Securing the calculation of Tracer_c itself is of lesser importance here; for lower security levels, it may possibly be dispensed with altogether.

    [0069] FIG. 1 illustrates the execution of the coded operation x_f := x_f + 1.

    [0070] Here, the left-hand part of FIG. 1 shows the influence of the addition operation on the tracer variable Tracer_c, while the right-hand part illustrates the addition of 1 to the variable x_c in coded space.

    [0071] The variable x_c is defined as a coded variable in which the non-coded variable x_f, or rather its value, is multiplied by the system constant A; the signatures B_x and D_x are added to give the value of the coded variable x_c.

    [0072] The value 1 provided for the addition is likewise processed in coded form by the coded operation +_c; the coded value 1_c likewise consists of the system constant A multiplied by 1, a static signature B_ADD and the dynamic signature D_x.

    [0073] In this example, the new dynamic signature D_x results from the previous dynamic signature D_x plus B_ADD. This new D_x is stored in the system in association with the variable x_c. In an alternative (but less secure) embodiment, all coded variables in the system may share the same dynamic signature D_x.

    [0074] The left-hand side of FIG. 1 illustrates, alongside the addition (increment by 1) shown on the right, the handling of the coded tracer variable Tracer_c. Tracer_c contains the sum of all previous dynamic signatures D_x in coded form, with the modulo-A operation MOD A ensuring that no overflow can occur due to the summing. Tracer_c furthermore comprises its own static signature B_tracer1 and the dynamic signature D_cycle (D_cyc for short); it is assumed here that the current dynamic signature of the tracer variable is always kept in the system variable D_cycle.

    [0075] The second row of FIG. 1 shows the updating of the tracer variable Tracer_c for the addition. To the previous value of Tracer_c, A times B_ADD is first added, because the “payload content” (the sum of the D_x) is kept in the coded tracer variable multiplied by the system constant A. The previous static signature B_tracer1 of the tracer variable is also subtracted and a new, current static signature B_tracer2 is added. It can be seen that, in this example, the tracer variable Tracer_c has, instead of a “conventional” static signature B, a “quasi-static” signature B_tracer1 or B_tracer2 that likewise changes. This is advantageous because, although the remaining coded variables in the system now have a dynamic signature D_x in accordance with the disclosed embodiments, precisely the dynamic signature D_cycle of the tracer variable itself cannot be secured by the method of the invention. For this reason, a changing, quasi-static signature has been created here from the hitherto completely static signature B_tracer1. In other exemplary embodiments, in particular those requiring a lower SIL (safety integrity level), making the static signature of the tracer variable dynamic in this way may also be dispensed with.

    [0076] The third, bottom row of FIG. 1 shows the checking step, i.e., the evaluation of the tracer variable Tracer_c. The first row of the figure shows how the value of Tracer_c is decoded; this corresponds to the conventional prior-art method. The result must agree “modulo” with the result of the computing operations shown in the second row (a “modulo comparison”). Here, the modulo comparison is performed against the sum of the dynamic signatures of all coded variables in the system, the sum first being reduced with a modulo-A operation to eliminate the effect of any overflow beyond the numerical value of the system constant A. If the comparison fails, an error must be assumed to be present. In that case, various measures may be provided, for example outputting an error notification or switching to safe substitute values for system parameters or the like.

    [0077] The sum of the dynamic signatures D_x kept in the tracer variable Tracer_c is, at the same time, a measure of the number of access operations to the coded variables. At least for basic blocks, i.e., linear program structures, the number of access operations to coded variables in a program cycle is fixed. This number may be used as an expected value whose comparison with the content of the coded tracer variable Tracer_c indicates whether the program code has been executed in the prescribed manner. For this purpose, the value of the tracer variable must be decoded (row 1) and the result divided by B_ADD or whatever other regular offset is used. Alternatively, the expected value may consist not of the number of expected access operations but of the expected sum signature value ΣD_x or (ΣD_x) MOD A. In the event of a discrepancy, error handling may likewise occur, as already discussed for the case of a discrepancy in the dynamic signatures as such.
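    The mechanism of paragraphs [0048] through [0077] and FIG. 1, carried through in working code as an added example for this page (it is not the patent's own code). The values of A, the B signatures, B_ADD, the initial D values and X are assumptions chosen for readability; the tracer uses the form [00006] with D_tracer = D_cyc, and the coded addition removes the D_x that the operand 1_c duplicates, which is a modelling assumption made so that the result carries the new signature D_x + B_ADD of [0073]. Two injected faults show what each check catches: a skipped coded increment whose fixed tracer command sequence still runs, and a bit flip in x_c.

```python
"""ANBD-coded variables with access-driven dynamic signatures and a coded
tracer variable, following paragraphs [0048]-[0077] and FIG. 1.  Added
illustration, not the patent's own code.  A, the B signatures, B_ADD, the
initial D values and X are assumed; removing the duplicated D_x in the coded
addition is a model assumption (it yields the new signature D_x + B_ADD)."""

A = 1009        # system constant A (assumed; must exceed every B + D paired with it)
B_ADD = 7       # static signature of the coded constant 1_c ([0072]); each coded
                # increment therefore changes D_x by B_ADD ([0073])


def encode(x_f, b, d):
    """Coding rule [00002]: x_c := x_f*A + B_x + D_x."""
    return x_f * A + b + d


def is_consistent(x_c, b, d):
    """A coded value is intact iff its residue mod A equals B + D (needs B + D < A)."""
    return (x_c - b - d) % A == 0


def decode(x_c, b, d):
    """Recover x_f from an intact coded value."""
    return (x_c - b - d) // A


class CodedVar:
    """Coded value x_c plus its stored signatures B_x and D_x ([0052])."""

    def __init__(self, x_f, b, d):
        self.b, self.d = b, d
        self.c = encode(x_f, b, d)


class CodedSystem:
    """All coded variables and Tracer_c in the form [00006]:
    Tracer_c = A*D_sum + A^2*X + B_tracer + D_tracer, here with D_tracer = D_cyc."""

    def __init__(self, variables, b_tracer, d_cyc, X=3):
        self.vars = variables
        self.b_tracer, self.d_cyc = b_tracer, d_cyc
        d_sum = sum(v.d for v in variables) % A             # [00004]
        self.tracer = A * d_sum + A * A * X + b_tracer + d_cyc
        self.d_sum_at_cycle_start = d_sum

    def add_one(self, v, new_b_tracer):
        """FIG. 1: x_f := x_f + 1 in coded space (right-hand side) together with
        the matching tracer update (left-hand side)."""
        one_c = A * 1 + B_ADD + v.d     # coded constant 1_c ([0072])
        v.c = v.c + one_c - v.d         # duplicated D_x removed (model assumption)
        v.d = v.d + B_ADD               # new dynamic signature D_x + B_ADD ([0073])
        # The tracer payload is A*(sum of D_x), so add A*B_ADD, and rotate the
        # quasi-static signature B_tracer1 -> B_tracer2 at the same time ([0075]).
        self.tracer += A * B_ADD - self.b_tracer + new_b_tracer
        self.b_tracer = new_b_tracer

    def tracer_payload(self):
        """D_sum decoded from Tracer_c after limiting it with MOD A^2 ([0066]);
        exact as long as B_tracer + D_cyc < A."""
        limited = self.tracer % (A * A)
        return (limited - self.b_tracer - self.d_cyc) // A

    def check(self):
        """End-of-cycle consistency check ([0062], claim 14): Tracer_c must be coded
        correctly, and the variables' D_x summed MOD A must equal the tracer payload."""
        if not is_consistent(self.tracer, self.b_tracer, self.d_cyc):
            return False
        return sum(v.d for v in self.vars) % A == self.tracer_payload()

    def accesses_this_cycle(self):
        """[0077]: number of signature-changing accesses recovered from the tracer
        (valid while accesses * B_ADD < A)."""
        return ((self.tracer_payload() - self.d_sum_at_cycle_start) % A) // B_ADD


def run_basic_block(fault=None):
    """One cycle with a basic block: x += 1 twice, y += 1 once, then the check.
    fault="skip": the coded increment of y is skipped while the fixed tracer
    command sequence of that step still runs (control-flow fault).
    fault="flip": one bit of x_c is flipped after the block (data fault)."""
    x = CodedVar(5, b=11, d=100)     # constructed sample values
    y = CodedVar(42, b=13, d=200)
    cs = CodedSystem([x, y], b_tracer=17, d_cyc=50)
    cs.add_one(x, new_b_tracer=19)
    cs.add_one(x, new_b_tracer=23)
    if fault == "skip":
        cs.tracer += A * B_ADD - cs.b_tracer + 29      # tracer side only
        cs.b_tracer = 29
    else:
        cs.add_one(y, new_b_tracer=29)
    if fault == "flip":
        x.c ^= 1 << 4
    return cs, x, y


if __name__ == "__main__":
    for fault in (None, "skip", "flip"):
        cs, x, y = run_basic_block(fault)
        print(fault, "tracer check:", cs.check(),
              "x_c intact:", is_consistent(x.c, x.b, x.d),
              "accesses:", cs.accesses_this_cycle())
```

    The two fault cases are complementary: the skipped increment leaves every coded value intact, so only the tracer comparison of [0076] reveals that the block did not execute all of its access operations, whereas the bit flip leaves the tracer consistent and is caught only by the per-variable residue check of the ANBD coding. The access count recovered from the tracer (three increments) is the expected value referred to in [0077].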

    [0078] FIG. 2 is a flowchart of the method for securing access operations to at least one coded variable x_c in a computer program comprising a multiplicity of coded variables, where a large number of or each coded variable x_c includes a respective dynamic signature D_x, each respective dynamic signature D_x is changed in a prescribed manner in the event of an access operation to the at least one coded variable x_c, and a sum value ΣD_x of all dynamic signatures D_x of all other coded variables x_c is carried in a coded tracer variable Tracer_c.

    [0079] The method comprises modifying, in the event of a change in a dynamic signature D_x of one of the coded variables x_c, the sum value ΣD_x carried in the tracer variable Tracer_c in the same way as the prescribed manner, as indicated in step 210.

    [0080] Next, for a check, the sum of the dynamic signatures D_x of the coded variables x_c is compared with the sum value ΣD_x stored in the coded tracer variable Tracer_c, as indicated in step 220.

    [0081] Next, in the event of a discrepancy, error handling is triggered, as indicated in step 230. In accordance with the invention, the sum value ΣD_x of all dynamic signatures D_x is formed during the check. Furthermore, prior to the comparison, a respective modulo operation involving the system constant(s) A used to code all coded variables x_c and the coded tracer variable Tracer_c is applied both to the sum of the dynamic signatures D_x and to the sum value ΣD_x carried in the tracer variable Tracer_c.

    [0082] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.