Detection of cold start memory attacks in a data processing system

Document No.: 95809. Published: 2021-10-12.

Reading note: This technology, "Detection of cold start memory attacks in a data processing system", was designed by 简-彼得·斯考特 on 2021-02-02. Summary: A method for detecting a cold start attack in a data processing system is provided. The data processing system includes a processor, a memory having an ECC, and a monitoring circuit. In the method, the monitoring circuit counts read accesses and write accesses to the memory and maintains a count of the number of errors in the memory detected by the ECC during a boot-up process of the data processing system. The read access count and the write access count and the error count are used to detect suspicious activity that may indicate a cold boot attack on the memory. A data processing system implementing the method is also provided.

1. A method for detecting a cold start attack on a memory of a data processing system, the method comprising:

detecting initiation of a boot process in the system;

counting read accesses to the memory;

running Error Correction Code (ECC) on the memory in response to detecting the boot process;

counting errors in the memory detected by the ECC during the boot-up process; and

determining, using the read access count and the detected error count, that an attack on the memory is likely to be occurring.

2. The method of claim 1, wherein using the read access count and the detected error count further comprises:

determining a ratio of a detected error count to the read access count;

wherein determining that an attack is occurring further comprises determining that the ratio is greater than a first threshold; and

providing an indication of the possible cold start attack.

3. The method of claim 2, wherein counting errors in the memory detected by the ECC further comprises:

counting correctable errors in the memory;

determining a ratio of a correctable error count to the read access count; and

determining that the ratio of the correctable error count to the read access count is greater than a third threshold.

4. The method of claim 2, wherein counting errors in the memory by the ECC further comprises:

counting uncorrectable errors in the memory;

determining a ratio of an uncorrectable error count to the read access count; and

determining that the ratio of the uncorrectable error count to the read access count is greater than a third threshold.

5. The method of claim 2, wherein counting errors in the memory detected by the ECC during the boot process further comprises detecting correctable errors and detecting uncorrectable errors.

6. The method of claim 2, further comprising:

counting write accesses to the memory during the boot process of the memory;

determining a ratio of the read access count to the write access count; and

determining that the ratio of the read access count to the write access count is greater than a second threshold.

7. The method of claim 6, wherein determining the ratio of the detected error count to the read access count further comprises:

counting correctable errors of data read from the memory during the boot process;

determining a ratio of the correctable error count to the read access count;

counting uncorrectable errors of data read from the memory; and

determining a ratio of the uncorrectable error count to the read access count.

8. The method of claim 1, wherein detecting initiation of the boot process further comprises sending a boot start signal to a monitoring circuit coupled to the memory and to an ECC circuit, the monitoring circuit, in response, receiving the detected error in the memory and providing the indication of the possible cold boot attack.

9. A method for detecting a cold start attack on a memory, the method comprising:

counting read accesses and write accesses to the memory during a boot process of the memory;

determining a ratio of the read access count to the write access count;

counting correctable errors of data read from the memory during the boot process;

determining a ratio of the correctable error count to the read access count;

counting uncorrectable errors of data read from the memory;

determining a ratio of the uncorrectable error count to the read access count; and

determining that an attack on the memory is likely to have occurred when one of: the ratio of the read access count to the write access count is greater than a first threshold, the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold.

10. A data processing system, comprising:

a processor to execute instructions;

a memory coupled to the processor for storing data for use by the processor in executing the instructions;

an Error Correction Code (ECC) block coupled to the memory for detecting errors in the stored data and for correcting at least some of the detected errors in the stored data; and

a monitoring circuit coupled to the ECC block and responsive to receiving a boot start signal, the monitoring circuit for counting read accesses and for counting errors in the memory detected by the ECC block, the monitoring circuit providing an indication of a possible cold start attack when a ratio of the error count to the read access count is greater than a first threshold.

Technical Field

The present disclosure relates generally to data processing, and more particularly, to detection of cold start memory attacks in a data processing system.

Background

Some devices, such as transportation cards, credit cards, medical care cards, and the like, use volatile memory, such as Dynamic Random Access Memory (DRAM) and Static Random Access Memory (SRAM), to store sensitive data, such as unencrypted private encryption keys. Software in the operating system of the device is typically provided for protecting sensitive data. In a cold start attack, an attacker attempts to gain control of the device by cooling the device to a very low temperature (e.g., to a temperature in the range of about -100 to 0 degrees Celsius) and then turning the device off and on again very quickly. Because the device has been cooled, the memory contents can still be in the same state they were in before the power was turned off. The attacker can then take over the start-up process of the device. Operating system software, which typically protects data from being read by unauthorized users, may fail in an attack, thus allowing an attacker access to sensitive data.

Disclosure of Invention

According to a first aspect of the present invention, there is provided a method for detecting a cold start attack on a memory of a data processing system, the method comprising:

detecting initiation of a boot process in the system;

counting read accesses to the memory;

running Error Correction Code (ECC) on the memory in response to detecting the boot process;

counting errors in the memory detected by the ECC during the boot-up process; and

determining, using the read access count and the detected error count, that an attack on the memory is likely to be occurring.

In one or more embodiments, using the read access count and the detected error count further comprises:

determining a ratio of a detected error count to the read access count;

wherein determining that an attack is occurring further comprises determining that the ratio is greater than a first threshold; and

providing an indication of the possible cold start attack.

In one or more embodiments, counting errors in the memory detected by the ECC further comprises:

counting correctable errors in the memory;

determining a ratio of a correctable error count to the read access count; and

determining that the ratio of the correctable error count to the read access count is greater than a third threshold.

In one or more embodiments, counting errors in the memory by the ECC further comprises:

counting uncorrectable errors in the memory;

determining a ratio of an uncorrectable error count to the read access count; and

determining that the ratio of the uncorrectable error count to the read access count is greater than a third threshold.

In one or more embodiments, counting errors in the memory detected by the ECC during the boot process further includes detecting correctable errors and detecting uncorrectable errors.

In one or more embodiments, the method additionally comprises:

counting write accesses to the memory during the boot process of the memory;

determining a ratio of the read access count to the write access count; and

determining that the ratio of the read access count to the write access count is greater than a second threshold.

In one or more embodiments, determining the ratio of the detected error count to the read access count further comprises:

counting correctable errors of data read from the memory during the boot process;

determining a ratio of the correctable error count to the read access count;

counting uncorrectable errors of data read from the memory; and

determining a ratio of the uncorrectable error count to the read access count.

In one or more embodiments, providing the indication of the possible cold start attack additionally includes determining that an attack on the memory has occurred when one or more of the following occurs: the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold.

In one or more embodiments, the memory is a dynamic random access memory.

In one or more embodiments, detecting initiation of the boot process further comprises sending a boot start signal to a monitoring circuit coupled to the memory and to an ECC circuit, the monitoring circuit, in response, receiving the detected error in the memory and providing the indication of the possible cold boot attack.

According to a second aspect of the present invention, there is provided a method for detecting a cold start attack on a memory, the method comprising:

counting read accesses and write accesses to the memory during a boot process of the memory;

determining a ratio of the read access count to the write access count;

counting correctable errors of data read from the memory during the boot process;

determining a ratio of the correctable error count to the read access count;

counting uncorrectable errors of data read from the memory;

determining a ratio of the uncorrectable error count to the read access count; and

determining that an attack on the memory is likely to have occurred when one of: the ratio of the read access count to the write access count is greater than a first threshold, the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold.

In one or more embodiments, the memory is a dynamic random access memory.

In one or more embodiments, the correctable error is a one bit error or a two bit error.

In one or more embodiments, determining that the attack on the memory is likely to have occurred further comprises providing an indication of the attack.

In one or more embodiments, the method additionally includes sending a boot start signal to a monitoring circuit coupled to the memory and to an ECC circuit, and in response, the monitoring circuit receives the detected error in the memory and provides the indication of the possible cold start attack.

According to a third aspect of the present invention, there is provided a data processing system comprising:

a processor to execute instructions;

a memory coupled to the processor for storing data for use by the processor in executing the instructions;

an Error Correction Code (ECC) block coupled to the memory for detecting errors in the stored data and for correcting at least some of the detected errors in the stored data; and

a monitoring circuit coupled to the ECC block and responsive to receiving a boot start signal, the monitoring circuit for counting read accesses and for counting errors in the memory detected by the ECC block, the monitoring circuit providing an indication of a possible cold start attack when a ratio of the error count to the read access count is greater than a first threshold.

In one or more embodiments, the memory is a dynamic random access memory.

In one or more embodiments, the data processing system additionally includes the monitoring circuitry to count write accesses to the memory, wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the read access count to the write access count exceeds a second threshold.

In one or more embodiments, the errors detected by the monitoring circuitry additionally include correctable errors and uncorrectable errors, wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the detected correctable errors to the read access count is greater than a third threshold, and wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the detected uncorrectable errors to the read access count is greater than a fourth threshold.

In one or more embodiments, the data processing system is implemented on at least one integrated circuit.

These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.

Drawings

The present invention is illustrated by way of example and is not limited by the accompanying figures, in which like references indicate similar elements. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale.

FIG. 1 illustrates a data processing system according to an embodiment.

FIG. 2 illustrates an embodiment of a memory and Error Correction Code (ECC) circuitry of the data processing system of FIG. 1.

FIG. 3 illustrates an embodiment of a monitoring circuit of the data processing system of FIG. 1 in more detail.

FIG. 4 is a flow diagram of a method for detecting a cold start attack on a memory, according to an embodiment.

Detailed Description

In general, a method for detecting a cold start attack and a data processing system implementing the method are provided. A data processing system includes a processor, a memory having Error Correction Codes (ECC), and a monitoring circuit coupled to the processor and to the memory having ECC. When the boot process is started in a device having the data processing system, a boot start signal is sent to the monitoring circuit. Upon device startup, the monitoring circuitry counts read accesses and write accesses to the memory and maintains a read access count and a write access count. Also, in response to the boot start signal, the monitoring circuit counts memory errors detected using ECC. A ratio of read accesses to write accesses is determined and, if a predetermined ratio is exceeded, a warning is provided. Also, if a predetermined rate of ECC-detected errors per read access is exceeded, a warning is issued, because this may indicate a high rate of flipped memory cell states in memory, which may be an indication of an attack. In response to detecting the attack, countermeasures may be taken, such as shutting down the system or overwriting memory.

More specifically, in one embodiment, separate counts may be maintained for correctable errors and uncorrectable errors. Using the read access count value, the correctable error count value, and the uncorrectable error count value, the monitoring circuitry determines whether an attack is ongoing on the memory of the data processing system. In one embodiment, a ratio of the total detected error count to the read access count is calculated. If the ratio is greater than a threshold, it is determined that an attack is likely occurring and an indication of the attack is provided. In another embodiment, a ratio of the correctable error count to the read access count is calculated and compared to a threshold to detect possible attacks. Additionally, a ratio of the uncorrectable error count to the read access count can be calculated and compared to another threshold. In each case, if the calculated ratio is greater than the threshold, then an attack is likely.

In many different types of systems, an attacker must provide an identity to access a device, wherein the device must be accessed before an attack can be performed on the device. By enabling detection of cold start attacks using, for example, the described methods, an attacker can be identified, thus providing an opportunity to prevent the attacker from attacking not only the device he or she is currently attacking, but also other devices.

According to an embodiment, there is provided a method for detecting a cold boot attack on a memory of a data processing system, the method comprising: detecting initiation of a boot process in the system; counting read accesses to the memory; running Error Correction Code (ECC) on the memory in response to detecting the boot process; counting errors in the memory detected by the ECC during the boot-up process; and determining that an attack on the memory is likely to be occurring using the read access count and the detected error count. Using the read access count and the detected error count may additionally include: determining a ratio of a detected error count to the read access count; wherein determining that an attack is occurring further comprises determining that the ratio is greater than a first threshold; and providing an indication of the possible cold start attack. Counting errors in the memory detected by the ECC may additionally include: counting correctable errors in a memory; determining a ratio of a correctable error count to the read access count; and determining that the ratio of the correctable error count to the read access count is greater than a third threshold. Counting errors in the memory by the ECC may additionally include: counting uncorrectable errors in the memory; determining a ratio of an uncorrectable error count to the read access count; and determining that the ratio of the uncorrectable error count to the read access count is greater than a third threshold. Counting errors in the memory detected by the ECC during the boot process may additionally include detecting correctable errors and detecting uncorrectable errors. The method may additionally comprise: counting write accesses to the memory during the boot process of the memory; determining a ratio of the read access count to the write access count; and determining that the ratio of the read access count to the write access count is greater than a second threshold.
Determining a ratio of the detected error count to the read access count may additionally include: counting correctable errors of data read from the memory during the boot process; determining a ratio of the correctable error count to the read access count; counting uncorrectable errors of data read from the memory; and determining a ratio of the uncorrectable error count to the read access count. Providing the indication of the possible cold start attack may additionally include determining that an attack on the memory has occurred when one or more of the following occurs: the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold. The memory may be a dynamic random access memory. Detecting initiation of the boot process may additionally include sending a boot start signal to a monitoring circuit coupled to the memory and to an ECC circuit, the monitoring circuit receiving the detected error in the memory and providing the indication of the possible cold boot attack in response.

In another embodiment, a method for detecting a cold start attack on a memory is provided, the method comprising: counting read accesses and write accesses to the memory during a boot process of the memory; determining a ratio of the read access count to the write access count; counting correctable errors of data read from the memory during the boot process; determining a ratio of the correctable error count to the read access count; counting uncorrectable errors of data read from the memory; determining a ratio of the uncorrectable error count to the read access count; and determining that an attack on the memory is likely to have occurred when one of: the ratio of the read access count to the write access count is greater than a first threshold, the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold. The memory may be a dynamic random access memory. The correctable errors may be one bit errors or two bit errors. Determining that the attack on the memory is likely to have occurred may additionally include providing an indication of the attack. The method may additionally include sending a boot start signal to a monitoring circuit coupled to the memory and to an ECC circuit, and in response, the monitoring circuit receives the detected error in the memory and provides the indication of the possible cold start attack.

In yet another embodiment, a data processing system is provided, comprising: a processor to execute instructions; a memory coupled to the processor for storing data for use by the processor in executing the instructions; an Error Correction Code (ECC) block coupled to the memory for detecting errors in the stored data and for correcting at least some of the detected errors in the stored data; and monitoring circuitry coupled to the ECC block and responsive to receiving a boot start signal, the monitoring circuitry to count read accesses and to count errors in the memory detected by the ECC block, the monitoring circuitry to provide an indication of a possible cold start attack when a ratio of the error count to the read access count is greater than a first threshold. The memory may be a dynamic random access memory. The data processing system may additionally include the monitoring circuitry to count write accesses to the memory, wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the read access count to the write access count exceeds a second threshold. The errors detected by the monitoring circuitry may additionally include correctable errors and uncorrectable errors, wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the detected correctable errors to the read access count is greater than a third threshold, and wherein the monitoring circuitry provides an indication of a possible cold start attack when a ratio of the detected uncorrectable errors to the read access count is greater than a fourth threshold. The data processing system may be implemented on at least one integrated circuit.

FIG. 1 illustrates a data processing system 10 according to an embodiment. Data processing system 10 includes a processor 12, a memory 14 having ECC, and a monitoring circuit 16. The illustrated embodiment is greatly simplified and an actual implementation will include additional circuitry and functionality not shown in FIG. 1. Data processing system 10 may be implemented on a single Integrated Circuit (IC) or on multiple ICs. Processor 12 may include a core or cores and may be any hardware device capable of executing instructions. Processor 12 may execute instructions that are stored in memory 14 with ECC or in some other memory (not shown) in data processing system 10. Also, the processor 12 may be, for example, a Microcontroller (MCU), a Microprocessor (MPU), a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), or the like. In the illustrated embodiment, the processor 12 includes outputs for providing control signals, addresses and data to inputs of the memory 14 having ECC. For example, processor 12 has an output for providing a READ ENABLE signal, an output for providing a WRITE ENABLE signal, an output for providing a CLOCK signal, an output for providing an ADDRESS, and an output for providing input data (DATA IN) to the memory. The read enable signal is used to initiate a read access to the memory 14 having ECC and the write enable signal is used to initiate a write access to the memory 14 having ECC.

The memory 14 with ECC includes outputs for providing a CORRECTABLE ERROR signal, an UNCORRECTABLE ERROR signal, and output data (DATA OUT). Memory 14 may include an array of volatile memory cells, such as Dynamic Random Access Memory (DRAM) cells or Static Random Access Memory (SRAM) cells. Other Random Access Memory (RAM) types are also possible. The ECC implemented in memory 14 may be any type of ECC, depending on system requirements. In one embodiment, ECC may correct one bit errors and two bit errors in memory.

The monitoring circuit 16 has an input for receiving a BOOT START signal that indicates initiation of a boot process. The boot start signal may be generated by the processor 12 or another circuit (not shown), such as a watchdog circuit. An attacker may initiate the boot process. Upon receiving an active boot start signal, monitoring circuitry 16 receives as inputs the READ ENABLE signal, the WRITE ENABLE signal, and the CLOCK signal from processor 12, and maintains a count of the read enable signal and of the write enable signal. In one embodiment, a single read access and a single write access each occupy a single clock cycle. When the READ ENABLE signal is active, counting of read accesses may be performed by counting clock cycles. Likewise, when the WRITE ENABLE signal is active, write accesses may be counted by counting clock cycles.

During the startup process of data processing system 10, most memory accesses should be write accesses to memory. A write access may overwrite data in memory or may copy data to memory. Thus, too many read accesses during the boot process may be an indication of an attack on the memory, as read accesses may indicate an attempt to read data present in the memory prior to the boot process. Specifically, in one embodiment, a ratio of read accesses to write accesses is calculated. If the ratio is above a predetermined threshold, an indication of a possible cold start attack is provided. In addition, cold start attacks may cause increased errors in memory. Monitoring circuitry 16 receives indications of correctable errors and uncorrectable errors from memory 14 having ECC. Counters are provided to count ECC-correctable errors and ECC-uncorrectable errors, as shown in FIG. 3. If the ratio of correctable errors to read access counts is above a predetermined threshold, a cold start attack may be ongoing. Also, the ratio of uncorrectable errors to read access counts may indicate a cold start attack. Any of the count values and ratio comparisons may be used as an indication of a cold start attack. When a possible cold start attack is detected, an attack warning (ATTACK WARNING) is provided by the monitoring circuit 16.

The monitoring circuit 16 detects a cold start attack without disturbing the input DATA IN and the output DATA OUT from the memory. The monitoring circuitry 16 indicates when suspicious activity at the memory has been detected so that hierarchically higher levels can take appropriate action, such as shutting down the system or writing data into memory designed to mislead an attacker.

FIG. 2 illustrates an embodiment of memory 14 with ECC of data processing system 10 of FIG. 1. The memory 14 with ECC includes a RAM 20. The random access memory 20 may be any type of RAM, such as DRAM, that is susceptible to cold start attacks. The RAM may also be multi-port or other types of RAM. In the illustrated embodiment, the ECC function includes conventional ECC, shown in FIG. 2 as ECC encoder block 22 and ECC decoder block 24. The ECC function may be any type of conventional ECC and will depend, at least in part, on system requirements. For example, in a system with relatively low processing power, such as a transportation card, the ECC function may be relatively simple. The ECC encoder block 22 adds parity and/or other check bits to each word in the memory. The memory for storing parity and/or other check bits may be the RAM 20 or a separate memory (not shown). The ECC decoder block 24 determines whether there is an error in the parity or other check bits added to the word. During the boot process of data processing system 10, the ECC operates and detects errors in memory. The monitoring circuit 16 records the number of read accesses and write accesses to the memory and records the number of correctable errors and uncorrectable errors that the ECC detected. Most of the accesses to memory should be write accesses. Also, after the start-up process begins, a large number of ECC errors may indicate suspicious activity. The detected errors and the number of read and write accesses to the memory are used to detect cold start attacks. One embodiment of using detected errors and read access counts and write access counts is provided below in the discussion of FIG. 3.

FIG. 3 illustrates an embodiment of monitoring circuitry 16 of data processing system 10 of FIG. 1 in more detail. Monitoring circuit 16 includes AND logic gates 30-33, counters 34-37, ratio functions 40-42, and threshold comparators 44-46. A clock signal from the processor 12 is provided to an input of each of the AND logic gates 30-33. AND logic gate 30 has an input for receiving an UNCORRECTABLE ERROR signal from the memory 14 having ECC. AND logic gate 31 has an input for receiving a CORRECTABLE ERROR signal from memory 14 having ECC. AND logic gate 32 has an input for receiving a READ ENABLE signal. AND logic gate 33 has an input for receiving a WRITE ENABLE signal. When both the read enable signal and the clock signal are logic high, a logic high output signal is provided to counter 36. Using the read enable signal, counter 36 maintains a count of read accesses to memory 14 having ECC. When both the write enable signal and the clock signal are logic high, a logic high signal is provided to the counter 37 through AND logic gate 33. Using the write enable signal, counter 37 maintains a count of write accesses to memory 14 having ECC. The read access count value is provided to the ratio functions 40, 41 and 42. The write access count value is provided to ratio function 42. The ratio function 42 receives both the read access count value and the write access count value and determines the ratio of the read access count value to the write access count value ($N_R/N_W$). After the start-up procedure has started, most memory accesses should be write accesses. The threshold comparator 46 compares the $N_R/N_W$ ratio with a predetermined threshold (THRESHOLD 3). If the ratio $N_R/N_W$ is greater than THRESHOLD 3, a cold start attack warning is provided by the monitoring circuit 16 (ATTACK WARNING 3). In one embodiment, the $N_R/N_W$ calculation is performed only when $N_W$ is a round power of 2 (e.g., $2^{10}$, $2^{12}$, $2^{16}$, etc.). This simplifies the calculation, since $N_R$ can then be bit-shifted by the corresponding exponent.

Each time an uncorrectable error is detected in the memory by ECC, an UNCORRECTABLE ERROR signal is received at the input of AND logic gate 30. When both the CLOCK signal and the UNCORRECTABLE ERROR signal are logic high, a logic high output is provided by AND logic gate 30 to counter 34. Counter 34 maintains a count of detected uncorrectable errors, and the count ($ECC_{UNCORR}$) is provided to the ratio function 40. The ratio function 40 calculates the ratio of uncorrectable errors to read accesses ($ECC_{UNCORR}/N_R$), and the ratio $ECC_{UNCORR}/N_R$ is provided to a threshold comparator 44. Threshold comparator 44 compares the ratio $ECC_{UNCORR}/N_R$ with a predetermined threshold (THRESHOLD 1) and, if the ratio $ECC_{UNCORR}/N_R$ is greater than THRESHOLD 1, a cold start attack warning is provided (ATTACK WARNING 1).

Each time a correctable error is detected in memory 14 having ECC, a CORRECTABLE ERROR signal is received at the input of AND logic gate 31. When both the CLOCK signal and the CORRECTABLE ERROR signal are logic high, a logic high output is provided by AND logic gate 31 to counter 35. Counter 35 maintains a count of detected correctable errors, and the count (ECC_CORR) is provided to the ratio function 41. The ratio function 41 calculates the ratio of correctable errors to read accesses (ECC_CORR/N_R), and the ratio ECC_CORR/N_R is provided to a threshold comparator 45. Threshold comparator 45 compares the ratio ECC_CORR/N_R with a predetermined threshold (THRESHOLD 2), and if the ratio ECC_CORR/N_R is greater than THRESHOLD 2, a cold start attack warning is provided (ATTACK WARNING 2). It should be noted that instead of AND logic gates, other embodiments may use different logic gates or combinations of logic gates. Also, the logic used may be determined in part by whether the signal is an active high signal or an active low signal.

FIG. 4 shows a flow diagram of a method 50 for detecting a cold start attack on a memory with ECC, according to an embodiment. The method 50 begins at step 52. At step 52, read accesses and write accesses to the memory are counted during a boot process of the data processing system having the memory. At step 54, a ratio of the detected read access count to the detected write access count is calculated. At step 56, correctable errors detected by the ECC associated with the memory are counted. At step 58, a ratio of the correctable error count to the read access count is determined. At step 60, uncorrectable errors detected by the ECC are counted. At step 62, a ratio of uncorrectable error counts to read access counts is determined. At step 64, an attack on the memory may be indicated when one or more of any of the following occurs: the ratio of the read access count to the write access count is greater than a first threshold, the ratio of the correctable error count to the read access count is greater than a second threshold, or the ratio of the uncorrectable error count to the read access count is greater than a third threshold.
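The counters, ratio functions and threshold comparators of FIG. 3, together with the decision of step 64, modeled in C as an added example that is not part of the patent text. The threshold values, the 2^-shift encoding of THRESHOLD 1 and THRESHOLD 2, and the names monitor_clock, monitor_warnings and run_trace are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct monitor { uint32_t ecc_uncorr, ecc_corr, n_r, n_w; };  /* counters 34-37 */
enum { WARN1 = 1, WARN2 = 2, WARN3 = 4 };                     /* ATTACK WARNING 1-3 */
/* Constructed thresholds (none on the page); error ones are 2^-shift, so no divider. */
enum { T1_SHIFT = 10,   /* THRESHOLD 1: ECC_UNCORR/N_R > 1/1024 */
       T2_SHIFT = 6,    /* THRESHOLD 2: ECC_CORR/N_R   > 1/64   */
       T3       = 4 };  /* THRESHOLD 3: N_R/N_W        > 4      */

/* One clock cycle: a counter increments when its input signal is high. */
static void monitor_clock(struct monitor *m, int uncorr, int corr, int rd, int wr)
{
    m->ecc_uncorr += uncorr != 0;
    m->ecc_corr   += corr != 0;
    m->n_r        += rd != 0;
    m->n_w        += wr != 0;
}

/* Ratio functions 40-42 and comparators 44-46; returns a warning bitmask. */
static unsigned monitor_warnings(const struct monitor *m)
{
    unsigned w = 0, k = 0;
    if (((uint64_t)m->ecc_uncorr << T1_SHIFT) > m->n_r) w |= WARN1;
    if (((uint64_t)m->ecc_corr   << T2_SHIFT) > m->n_r) w |= WARN2;
    /* N_R/N_W is evaluated only when N_W is a power of 2: divide by shifting. */
    if (m->n_w && (m->n_w & (m->n_w - 1)) == 0) {
        while ((m->n_w >> k) != 1) k++;          /* k = log2(N_W) */
        if ((m->n_r >> k) > (uint32_t)T3) w |= WARN3;
    }
    return w;
}

/* Constructed trace: reads (every err_every-th raises CORRECTABLE ERROR; 0 = never), then writes. */
static unsigned run_trace(uint32_t reads, uint32_t err_every, uint32_t writes)
{
    struct monitor m = {0, 0, 0, 0};
    for (uint32_t i = 1; i <= reads; i++)
        monitor_clock(&m, 0, err_every && i % err_every == 0, 1, 0);
    for (uint32_t i = 0; i < writes; i++)
        monitor_clock(&m, 0, 0, 0, 1);
    return monitor_warnings(&m);
}

int main(void)
{
    printf("write-heavy: %u, read-heavy with errors: %u\n",
           run_trace(256, 0, 4096), run_trace(65536, 8, 16));
    return 0;
}
```

In this model the read/write comparison is skipped whenever N_W is not a power of 2, so ATTACK WARNING 3 can only be raised at those sampling points.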

Various embodiments or portions of embodiments may be implemented in hardware or as instructions on a non-transitory machine-readable storage medium, including any mechanism for storing information in a machine-readable form, such as a personal computer, laptop computer, file server, smart phone, or other computing device. The non-transitory machine-readable storage medium may include volatile and non-volatile memory, such as Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media, optical storage media, flash memory, and so forth. The non-transitory machine-readable storage medium does not include a transitory signal.

Although the invention is described herein with reference to specific embodiments, various modifications and changes can be made without departing from the scope of the present invention as set forth in the claims below. Accordingly, the specification and figures are to be regarded in an illustrative rather than a restrictive sense, and all such modifications are intended to be included within the scope of the present invention. Any advantages, or solutions to problems that are described herein with regard to specific embodiments are not intended to be construed as a critical, required, or essential feature or element of any or all the claims.

Furthermore, the terms "a" or "an," as used herein, are defined as one or more than one. Moreover, the use of introductory phrases such as "at least one" and "one or more" in the claims should not be construed to imply that the introduction of another claim element by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim element to inventions containing only one such element, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an". The same holds true for the use of definite articles.

Unless otherwise specified, terms such as "first" and "second" are used to arbitrarily distinguish between the elements such terms describe. Thus, these terms are not necessarily intended to indicate temporal or other prioritization of such elements.
