Continuous run-time validation of program execution: a practical approach

US9767284B2 · US · B2

Patent metadata
Field               Value
Publication number  US-9767284-B2
Application number  US-201514743654-A
Country             US
Kind code           B2
Filing date         Jun 18, 2015
Priority date       Sep 14, 2012
Publication date    Sep 19, 2017
Grant date          Sep 19, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Trustworthy systems require that code be validated as genuine. Most systems implement this requirement prior to execution by matching a cryptographic hash of the binary file against a reference hash value, leaving the code vulnerable to run-time compromises, such as code injection, return- and jump-oriented programming, and illegal linking of the code to compromised library functions. The Run-time Execution Validator (REV) validates, as the program executes, the control flow path and instructions executed along the control flow path. REV uses a signature cache integrated into the processor pipeline to perform live validation of executions, at basic block boundaries, and ensures that changes to the program state are not made by the instructions within a basic block until the control flow path into the basic block and the instructions within the basic block are both validated.

First claim

Opening claim text (preview).

What is claimed is:

1. A processor system comprising: a cache line signature generator, configured to generate a dynamic signature of a cache line of an instruction cache holding instructions of a program; hardware verification logic configured to securely verify a reference signature for a respective cache line content against the dynamic signature and produce a verification signal in dependence thereon; and a hardware instruction processing pipeline comprising a plurality of stages, configured to: load instructions from the cache line, speculatively execute the instructions in the plurality of stages prior to commitment, and in selective dependence on the verification signal, one of: (i) flush the hardware instruction processing pipeline prior to commitment of the instructions, and (ii) permit commitment of the instructions; the hardware instruction processing pipeline comprising: a hardware commit defer unit, configured to allow reversible partial execution of the instructions prior to commitment of the instructions, while preventing irreversible changes to a program state of the program, dependent on the verification signal; a hardware buffer configured to buffer a write resulting from the partial execution of the instructions prior to commitment of the instructions; and hardware control logic configured to write the buffered write to a memory, contingent on the verification signal.

2. The processor system according to claim 1, further comprising decryption logic configured to decrypt an encrypted reference signature in dependence on a decryption stored key, wherein the verification logic is further configured to verify an available decrypted reference signature against the dynamic signature during a pipeline latency of the hardware instruction processing pipeline, substantially without stalling the hardware instruction processing pipeline waiting for the verification.

3. The processor system according to claim 1, wherein the verification logic is further configured to permit commitment of the instructions executed within the hardware instruction processing pipeline based on at least a partial match of the dynamic signature of the cache line with the decrypted reference signature.

4. The processor system according to claim 1, further comprising checkpoint logic configured to define a checkpoint state prior to execution of instructions by the hardware instruction processing pipeline stored within the cache line, and to roll back a state of the processor system to the checkpoint state if the verification logic fails to verify the decrypted reference signature against the generated signature.

5. The processor system according to claim 1, wherein the hardware instruction processing pipeline further comprises branch prediction logic and speculative processing logic, wherein the verification logic is configured to generate a signal corresponding to a branch misprediction, resulting in the speculative processing logic causing at least a rollback to a state prior to commencement of processing of the instructions whose verification failed.

6. The processor system according to claim 1, wherein the cache line signature generator is further configured to generate a signature of both a control flow path and instructions along the control flow path.

7. The processor system according to claim 1, wherein the cache line signature generator is further configured to dynamically generate the dynamic signature of the cache line of the instruction cache as respective instructions of the plurality of instructions enter the cache line.

8. The processor system according to claim 1, wherein the cache line signature generator is further configured to generate the dynamic signature of the cache line of the instruction cache on the plurality of instructions stored in the cache line.

9. The processor system according to claim 1, further comprising: a communication port configured to receive encrypted information representing at least one reference signature; and a memory configured to securely receive and store a secret key configured to decrypt the information representing the at least one reference signature.

10. The processor system according to claim 1, wherein the cache line signature generator is further configured to generate the dynamic signature of the cache line of the instruction cache concurrently with decoding of the instructions from the cache line.

11. A processing method, comprising: generating a dynamic signature of a cache line of an instruction cache holding instructions of a program, with a cache line signature generator; securely verifying a reference signature for a respective cache line content against the dynamic signature with hardware verification logic, and producing a verification signal in dependence thereon; loading instructions from the cache line into a hardware instruction processing pipeline having a plurality of stages; and speculatively and reversibly executing the instructions in the plurality of stages of the hardware instruction processing pipeline, to a stage prior to commitment of at least one speculatively executed instruction, while preventing irreversible changes to a program state of the program, until the verification signal indicates verification of the dynamic signature with respect to the reference signature; buffering an external write resulting from the speculative and reversible execution of the instructions prior to commitment of the instructions with a hardware buffer; and externally writing the buffered external write with hardware control logic, to commit execution of the instructions, contingent on the verification signal.

12. The method according to claim 11, further comprising: producing a signal by the verification logic selectively in dependence on said securely verifying; and selectively in dependence on a state of the signal from the verification logic, one of: flushing the hardware instruction processing pipeline in dependence on a signal prior to commitment of the instructions, and committing execution of the instructions.

13. The method according to claim 11, further comprising flushing the hardware instruction processing pipeline in dependence on a signal selectively in dependence on said securely verifying, prior to commitment of the instructions.

14. The method according to claim 11, further comprising committing execution of the speculatively executed instructions in the hardware instruction processing pipeline in dependence on said securely verifying, prior to commitment of the instructions selectively.

15. The method according to claim 11, further comprising: decrypting an encrypted reference signature in dependence on a decryption stored key; wherein said verifying further comprises verifying an available decrypted reference signature against the dynamic signature during a pipeline latency of the hardware instruction processing pipeline, substantially without stalling the hardware instruction processing pipeline waiting for the verification.

16. The method according to claim 11, further comprising wherein the verification logic is configured to permit commitment of the instructions executed within the hardware instruction processing pipeline based on at least a partial match of the dynamic signature of the cache line with the decrypted reference signature.

17. The method according to claim 11, further comprising: defining a checkpoint state prior to execution of instructions by the hardware instruction processing pipeline stored within the cache line; and rolling back a state of t
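The abstract and claims 1, 4, 6 and 11 describe one mechanism: a keyed signature is generated over the content of a fetched cache line (one basic block) and over the control-flow edge into it, the block executes speculatively into a write buffer, and the buffered writes reach memory only if the verification signal is positive; otherwise the pipeline is flushed and state rolls back to the checkpoint. The following software model is an added illustration written for this page, not the patent's hardware design or any code from the assignee. It assumes a toy three-instruction register machine, HMAC-SHA256 as the signature function, one basic block per cache line, and a constructed processor-held key that stands in for the decrypted reference signatures of claim 2; the program, the modification applied to it, and all values are constructed sample data.

```python
"""Software model of commit-deferred cache-line signature validation (added
illustration of the mechanism claimed in US9767284B2; assumptions noted)."""
import hashlib
import hmac
import struct

# Constructed stand-in for the processor's stored secret key (claim 9).
PROCESSOR_KEY = b"constructed-demo-key-not-a-real-secret"


def encode_block(block_id, instrs, successors):
    """Serialize a basic block (id, legal successor ids, instructions) into the
    'cache line content' over which a signature is generated (claim 6 covers
    both the control flow path and the instructions along it)."""
    out = struct.pack(">I", block_id)
    out += struct.pack(">I", len(successors))
    out += b"".join(struct.pack(">I", s) for s in sorted(successors))
    for op, a, b in instrs:
        out += op.encode() + b"\0" + str(a).encode() + b"\0" + str(b).encode() + b"\0"
    return out


def signature(content):
    """Cache line signature generator: keyed digest of the line content."""
    return hmac.new(PROCESSOR_KEY, content, hashlib.sha256).digest()


def build_reference_signatures(program):
    """Install-time step: one reference signature per block."""
    return {bid: signature(encode_block(bid, blk["instrs"], blk["succ"]))
            for bid, blk in program.items()}


class RevPipeline:
    """Executes blocks speculatively; writes sit in a buffer and are committed
    only when the block's dynamic signature matches its reference signature
    and the control-flow edge into the block is one the reference allows."""

    def __init__(self, program, refs):
        self.program, self.refs = program, refs
        self.regs, self.mem, self.violations = {}, {}, []

    def run(self, entry, trace):
        """Follow the block ids in `trace` from `entry`; stop at the first
        violation (modelled pipeline flush). Returns committed block count."""
        committed, prev = 0, None
        for bid in [entry] + list(trace):
            if not self.execute_block(bid, prev):
                break
            committed, prev = committed + 1, bid
        return committed

    def execute_block(self, bid, prev):
        blk = self.program[bid]
        # Control-flow validation: was the edge prev -> bid permitted?
        if prev is not None and bid not in self.program[prev]["succ"]:
            self.violations.append(("control-flow", prev, bid))
            return False
        # Dynamic signature over the line content actually fetched.
        dyn = signature(encode_block(bid, blk["instrs"], blk["succ"]))
        # Speculative execution against a checkpoint copy and a write buffer
        # (commit defer unit + hardware buffer of claim 1).
        buf_regs, buf_mem = dict(self.regs), {}
        for op, a, b in blk["instrs"]:
            if op == "li":                       # load immediate
                buf_regs[a] = b
            elif op == "add":                    # a = a + b
                buf_regs[a] = buf_regs.get(a, 0) + buf_regs.get(b, 0)
            elif op == "st":                     # store register a at address b
                buf_mem[b] = buf_regs.get(a, 0)
        # Verification signal gates commit; a mismatch discards the buffer,
        # which is the rollback to the checkpoint state of claim 4.
        if not hmac.compare_digest(dyn, self.refs[bid]):
            self.violations.append(("signature", bid))
            return False
        self.regs = buf_regs
        self.mem.update(buf_mem)
        return True


def demo_program():
    """Constructed three-block program: block 0 -> block 1 -> block 2."""
    return {
        0: {"instrs": [("li", "r1", 5), ("li", "r2", 7)], "succ": [1]},
        1: {"instrs": [("add", "r1", "r2"), ("st", "r1", 0x100)], "succ": [2]},
        2: {"instrs": [("li", "r3", 1), ("st", "r3", 0x104)], "succ": []},
    }


def run_intact():
    prog = demo_program()
    cpu = RevPipeline(prog, build_reference_signatures(prog))
    return cpu.run(0, [1, 2]), cpu.mem, cpu.violations


def run_modified_block():
    """Block 1's store target is changed after the reference was generated;
    the block's writes must never reach memory."""
    prog = demo_program()
    refs = build_reference_signatures(prog)
    prog[1]["instrs"][1] = ("st", "r1", 0x200)
    cpu = RevPipeline(prog, refs)
    return cpu.run(0, [1, 2]), cpu.mem, cpu.violations


def run_skipped_block():
    """Control flow goes 0 -> 2, an edge block 0's reference does not allow."""
    prog = demo_program()
    cpu = RevPipeline(prog, build_reference_signatures(prog))
    return cpu.run(0, [2]), cpu.mem, cpu.violations


if __name__ == "__main__":
    print(run_intact())          # (3, {256: 12, 260: 1}, [])
    print(run_modified_block())  # (1, {}, [('signature', 1)])
    print(run_skipped_block())   # (1, {}, [('control-flow', 0, 2)])
```

The model keeps the two properties the claims care about separate: the signature check decides whether the fetched instructions are the signed ones, and the successor set decides whether the path into the block was signed, and neither a register nor a memory write leaves the buffer until both pass. A real implementation would verify during pipeline latency (claim 2) rather than after executing the whole block, but the commit gating is the same.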

Assignees

Inventors

Classifications

  • G06F21/566 (Primary)

    Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Error detection; Error correction; Monitoring (error detection, correction or monitoring in information storage based on relative movement between record carrier and transducer G11B20/18; monitoring, i.e. supervising the progress of recording or reproducing G11B27/36; in static stores G11C29/00) · CPC title

  • Physics · mapped topic

  • Recovery, e.g. branch miss-prediction, exception handling (error detection or correction G06F11/00) · CPC title

  • G06F9/3877 (Primary)

    using a secondary processor, e.g. coprocessor (peripheral processor G06F13/12) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9767284B2 cover?
Trustworthy systems require that code be validated as genuine. Most systems implement this requirement prior to execution by matching a cryptographic hash of the binary file against a reference hash value, leaving the code vulnerable to run-time compromises, such as code injection, return- and jump-oriented programming, and illegal linking of the code to compromised library functions. The Run-ti…
Who is the assignee on this patent?
Univ New York State Res Found
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 19, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).