RU2248608C1 - Processor - Google Patents

Abstract

FIELD: computers, data protection.

SUBSTANCE: processor has bus interface device, device for selection/decoding of commands, device for dispatching/execution, program string decoding device, which string is selected from program and loaded in first levels command cash, which contains a set of N two-input elements XOR, keys memory, storing different N-bit decoding keys.

EFFECT: higher efficiency.

2 dwg

Description

The invention relates to the field of computer technology, as well as to the field of information protection in computer systems and can be used to protect programs and data from unauthorized (“pirated”) copying and use, as well as to protect computer systems from computer viruses (KB) and software bookmarks (PZ), the result of the harmful effect of which is a violation of the integrity (distortion or destruction) of information.

Known means of protecting programs and data from unauthorized copying (NSC), which use various techniques that make it difficult to install and execute copies of programs in electronic computers (computers). (Spesivtsev A.V., Wegner V.A., Krutyakov A.Yu. et al. Information security in personal computers. - M.: Radio and communications, 1992).

However, they are all quite “cracked” by analyzing the program and the built-in security system using debugging programs during the execution of the program, as well as by analyzing the text of the program and the built-in security system obtained by disassembling the program code. The successful “hacking” of the protection system is explained by the fact that information about the system of machine instructions (formats and codes of commands) is known, the program text obtained by disassembly is available for analysis, step-by-step execution of the program and analysis of the results after each step are possible.

Known means of protecting computers against KB and PZ (Bezrukov NN Computer Virology. - Kiev: KIIGA, 1990), which by testing the program code ensure the detection of known KB and PZ and their destruction.

However, until now no method has been found that provides a full guarantee of computer protection against KB and PZ. In addition, the ability to create new KB and PZ is based on the openness and accessibility of the machine instruction system for use.

Cryptographic methods and means of information protection are known, the use of which can provide the required level of protection during the transmission and storage of information. (Introduction to cryptography. / Ed. By V.V. Yashchenko. - St. Petersburg: Peter, 2001).

However, at the information processing stage in the processor, the use of cryptographic methods is hindered by the openness of the machine instruction system. This violates the well-known condition for reliable operation of the protection system - the requirement of continuity of the protection process.

Known devices that use cryptography methods at the stage of program execution, in which special schemes are used, for example

cryptomicroprocessor (US patent No. 4465901, IPC G 06 K 5/00, H 04 L 9/00, 1984; US patent No. 56666411, IPC H 04 L 9/00, 1997);

the decoder (US patent No. 4246638, IPC G 06 F 013/00, H 04 K 001/00, 1981, US patent No. 4433207, H 04 L 009/00, 1984);

coprocessor (US patent No. 4903296, H 04 L 009/00, 1990).

These schemes are connected to standard equipment from the outside and provide decryption of the pre-encrypted program or its part before execution or during its execution.

The main disadvantages of the known devices:

- the preservation of the execution mode and unencrypted programs leads to a violation of the continuity of the protection process;

- the need for external connection of a circuit specific for each computer to a standard computer complicates its use and prevents mass use.

A digital computer is also known (US patent No. 4306289, G 06 F 005/00, 1981), using cryptography methods at the program execution stage, containing a circuit for decrypting the code of the encrypted program. This circuit is located in the processor between the instruction register and the command decoder, thereby changing the standard processor architecture. The processor operates in two modes:

1) execution mode of an unencrypted program;

2) the execution mode of the pre-encrypted program.

Switching from one mode to another is performed by special commands placed at the beginning and at the end of the encrypted section of the program. As a result, the execution of the encrypted program (“pirated” copy) on another computer becomes impossible.

The disadvantages of the device:

- the need to use the open program execution mode does not satisfy the requirement of the continuity of the protection process;

- software switching of the processor operating mode by a special command makes it easy to detect encrypted program sections and, by analyzing them, “crack” the encryption key, since its length is small - only 8 bits;

- To encrypt various programs, virtually one key is used. However, modern computers use licensed programs from various manufacturers, so the use of one key does not protect other programs from decryption with the key opened on another program.

Due to these shortcomings, cryptographic tools are not used in modern mass-produced processors.

The closest in technical essence and the achieved result to the claimed device is a Pentium Pro processor from Intel (Pentiun Pro Family Developer's Manual. Intel Corporation, 1996), including

a bus interface unit (Bus Interface Unit) that provides the processor with a system bus (System Bus) and a second-level cache memory (L2 Cache);

device fetch / decode units (Fetch / Decode Unit), providing a selection of commands from memory in order (in order);

a dispatch / execution unit (Despatch / Execute Unit), providing the execution of commands in a mess (out of order) and recording the results in memory in order.

The processor has two modes of operation: the Real Address Mode and the Protected Virtual Address Mode. On the basis of the second mode, various software protection systems are created, which are included in the operating systems that protect information from unauthorized use and distortion.

The disadvantage of the prototype is the use of the open execution mode, that is, unencrypted programs, which does not satisfy the requirement of the continuity of the protection process, therefore protection systems built on the basis of the protected mode of the Pentium Pro processor do not guarantee protection of the programs from the NSC, and the computer against the harmful effects of KB and PP .

The task is to develop a processor with a closed instruction system (CCD), in which it will be possible to execute only encrypted programs, each of which is encrypted with an individual secret key, the decryption process being carried out inside the processor and the decrypted code of the program fragment is not accessible to humans.

The problem is solved due to the fact that a device for decrypting a program line selected from the memory and loaded into the first level command cache is introduced into the processor containing the bus interface device, the command fetch / decode device, the dispatch / execution device, according to the invention, the first and second inputs / outputs of the bus interface device are CCD inputs / outputs, the first of which is connected to the system bus, and the second is the second level cache memory, the third input / output is connected to the dispatch / execution device’s progress / output, and the output is connected to the first input of the program line decryption device, the second input of which is connected to the first output of the command sample / decode device, and the output is connected to the first input of the sample / decode device, the second output of which is connected to the device input the bus interface, and the third output is connected to the input of the dispatch / execution device, the output of which is connected to the second input of the command fetch / decode device, and the line decryption device The program contains a set of N two-input XOR elements - "exclusive or", a key memory that stores various N-bit decryption keys, while all the first inputs of XOR elements are connected to the first input of the program line decryption device, and the outputs of XOR elements are connected to the output of the decryption device program lines, and the second inputs of XOR elements are connected to the key memory output, the input of which is connected to the second input of the program line decryption device.

A search by the applicant for scientific, technical and patent information and the selected prototype made it possible to identify distinctive features in the claimed technical solution, therefore, the claimed device meets the criteria of the invention of “novelty”.

An additional search by the applicant for known technical solutions in order to detect features similar to the distinguishing features of the claimed technical solution showed that the claimed solution has properties that do not coincide with the properties shown by the indicated features in the known technical solutions, therefore, the claimed technical solution satisfies the criteria of the invention is “inventive step”.

The invention is illustrated by drawings, where figure 1 shows a block diagram of a processor (CCD), and figure 2 presents a diagram of a device for decrypting a program line.

The processor contains a bus interface device 1, a program line decryption device 2, an instruction fetch / decoder 3, a dispatch / execution device 4. The bus interface device 1 has three inputs / outputs, with the first input / output connected to the system bus and the second to cache memory of the second level, and the third is connected to the input / output of the dispatch / execution device and serves to read data from the memory, as well as to write the results to the memory. The output of the bus interface device 1 is connected to the first input of the program line decryption device 2, the second input of which is connected to the first output of the sampling / decoding device 3, and the output of the program 2 line decryption device is connected to the first input of the sampling / decoding device 3, the second output of which is connected to the input of the bus interface device 1, and the third output is with the input of the dispatch / execution device 4, the output of which is connected to the second input of the sampling / decoding device 3.

The program line decryption device 2 contains a set of N two-input XOR elements (“exclusive or”) 2.1 ₁ , ..., 2.1 _N , key memory 2.2 of the program line decryption, while all the first inputs of the XOR elements are connected to the first input of the bus interface device 1 and the outputs of all XOR elements are connected to the output of the program line decryption device 2, and the second inputs of XOR elements are connected to the memory output of the program line decryption keys 2.2, the address input of which is connected to the second input of the program line decryption device s 2.

Key memory 2.2, which stores N-bit decryption keys, is made according to the EEPROM type ROM with a serial input interface, which is used to write individual keys for the processor. After writing the keys, the inputs of the interface are destroyed by burning them. This method allows you to write keys to the memory of keys 2.2 after manufacturing BIS PZSK.

The processor operates with a closed instruction system (CCD) as follows. In the computer's memory (in RAM or on hard drives), all programs are stored in an encrypted form with individual keys. The preliminary encryption of each program is carried out by an N-bit key, one of the set of keys recorded in the key memory 2.2. PZSK. The length N of the encryption key coincides with the width of the data bus of the device of the bus interface 1 (in the Pentium Pro processor N = 64), through which the program line is fetched and written to the first level cache commands located in the fetch / decode device 3. During encryption the program is split into N-bit lines. The line is encrypted by adding it modulo two with the encryption key, the number of which becomes an attribute of the program.

The decryption of each N-bit line of the program in the decryption device 2 is carried out after it is fetched from the memory and before being written to the cache of the first level of the sampling / decoding device 3. Decryption is performed with the key extracted from the key memory 2.2 by the number that corresponds to the executable program and is supplied to its address input from the sampling / decoding device 3. The number of the decryption key is placed in the attribute field of the descriptor register of the code segment, the selector of which is loaded into the segment register CS. The decryption key number is loaded into it simultaneously with the transfer of control to the program, that is, immediately after loading the new selector into the CS register, the descriptor and key number are loaded into the descriptor register as an attribute of the program.

The decrypted line of the program is recorded in the command cache of the first level of the sampling / decoding device 3, from where it is then extracted and used in the traditional way.

Thus, the program line in decrypted form is only inside the processor and therefore is not available for analysis. Attempting to execute a program encrypted with another key or completely unencrypted leads to incorrect processor operation, which provides protection against KB and PZ. In addition, the use of various keys to encrypt different programs virtually eliminates their disclosure and NSC.

Massive use of the claimed device will ensure the achievement of the following technical and economic advantages:

- to extend the use of cryptographic methods to the stage of information processing, which in this case is carried out by executing a program encrypted with a unique secret key, which will make the process of protecting information in computers continuous;

- exclude the possibility of executing unencrypted programs, which will protect the programs from the NSC, and computer systems - from the harmful effects of KB and PZ;

- cryptographic strength of protection, which is ensured by the large capacity of the N encryption key (in modern processors, it ranges from 64 to 256), different lengths of instructions in CISC processors, therefore, with a constant length N of the program line, the same commands are encrypted in meaning encryption key fields, which is practically equivalent to encryption with different keys.

Claims (1)

A processor comprising a bus interface device, a command fetch / decode device, a dispatch / execution device, characterized in that a device for decrypting a program line selected from the memory and loaded into the first level command cache is inserted into it, the first and second inputs / outputs devices of the bus interface are inputs / outputs of the processor, the first of which is connected to the system bus, and the second is the cache of the second level, the third input / output is connected to the input / output of the device manager performance / execution, and the output is connected to the first input of the program line decryption device, the second input of which is connected to the first output of the sample / decode device, and the output is connected to the first input of the sample / decode device, the second output of which is connected to the input of the bus interface device, and the third output is with the input of the dispatch / execution device, the output of which is connected to the second input of the command fetch / decode device, the program line decryption device containing a set of N two of the exclusive or elements, a key memory that stores various N-bit decryption keys, while all the first inputs of the two-way exclusive or are connected to the first input of the program line decryption device, and the outputs of the two-input exclusive or are connected to the output of the device decryption of the program line, and the second inputs of the two-input elements "exclusive or" are connected to the output of the key memory, the input of which is connected to the second input of the device to decrypt the program line.

Images