| CPC G06F 21/554 (2013.01) [G06F 2221/034 (2013.01)] | 18 Claims |

1. An integrated circuit device, comprising:
a system interconnect;
a central processing unit (CPU) subsystem coupled to the system interconnect, the CPU subsystem comprising a set of CPU cores configured to execute instructions;
a set of trace blocks configured to extract a set of execution traces from the set of CPU cores, the set of execution traces indicating the instructions that have been executed by the set of CPU cores; and
a security subsystem coupled to the system interconnect, the security subsystem being separate from the CPU subsystem, the security subsystem comprising:
a rules block configured to store a set of rules; and
a set of verification cores configured to receive the set of execution traces from the set of trace blocks via a set of trace buses that extend between the set of trace blocks and the set of verification cores, the set of trace buses being separate from the system interconnect, wherein each of the set of verification cores is configured to:
receive an execution trace of the set of execution traces;
identify a control transfer instruction in the execution trace;
extract an address from the control transfer instruction, wherein the address is a destination address or a return address;
perform a check on the address by:
retrieving a rule of the set of rules from the rules block based on the control transfer instruction, the rule including an acceptable address range; and
determining that the address is not within the acceptable address range; and
generate an alarm signal based on the address not being within the acceptable address range.
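The per-trace check sequence recited in claim 1, modeled in software as an added example; it is not code from the patent or from any product. The record layout, the rule lookup keyed on instruction kind and location, the alarm on a missing rule, and all names and addresses are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef enum { OP_OTHER, OP_CALL, OP_JUMP, OP_RET } op_kind;
/* One decoded trace record (layout is an assumption). For OP_CALL/OP_JUMP
 * addr is the destination address; for OP_RET it is the return address. */
typedef struct { uint64_t pc; op_kind kind; uint64_t addr; } trace_rec;
/* Rule chosen by the kind and location of the control transfer instruction;
 * [ok_lo, ok_hi] is the acceptable address range. */
typedef struct { op_kind kind; uint64_t pc_lo, pc_hi, ok_lo, ok_hi; } rule;
/* Rules block lookup: first rule matching the instruction, or NULL. */
static const rule *find_rule(const rule *rules, size_t n, const trace_rec *r) {
    for (size_t i = 0; i < n; i++)
        if (rules[i].kind == r->kind &&
            r->pc >= rules[i].pc_lo && r->pc <= rules[i].pc_hi)
            return &rules[i];
    return NULL;
}

/* Verification core: returns the number of alarms raised for the trace and
 * stores the index of the first offending record in *first_bad (-1 if none). */
static size_t verify_trace(const trace_rec *t, size_t len,
                           const rule *rules, size_t n, long *first_bad) {
    size_t alarms = 0;
    *first_bad = -1;
    for (size_t i = 0; i < len; i++) {
        if (t[i].kind == OP_OTHER) continue;      /* not a control transfer */
        const rule *r = find_rule(rules, n, &t[i]);
        /* Assumption: a control transfer with no matching rule also alarms. */
        bool ok = r && t[i].addr >= r->ok_lo && t[i].addr <= r->ok_hi;
        if (!ok && alarms++ == 0) *first_bad = (long)i;
    }
    return alarms;
}

/* Constructed sample rules and trace; every address here is made up. */
static const rule RULES[] = {
    { OP_CALL, 0x1000, 0x1fff, 0x2000, 0x2fff },  /* app calls land in lib */
    { OP_RET,  0x2000, 0x2fff, 0x1000, 0x1fff },  /* lib returns go to app */
};
static const trace_rec TRACE[] = {
    { 0x1010, OP_OTHER, 0 },
    { 0x1014, OP_CALL,  0x2040 },       /* destination in range */
    { 0x2050, OP_RET,   0x1018 },       /* return address in range */
    { 0x1020, OP_CALL,  0x2100 },       /* destination in range */
    { 0x2110, OP_RET,   0x7fff0010 },   /* return address out of range */
};
static size_t run_sample(long *fb) { return verify_trace(TRACE, 5, RULES, 2, fb); }
int main(void) { long fb; return (run_sample(&fb) == 1 && fb == 4) ? 0 : 1; }
```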