DE102017005970A1 - Device and method for the device-specific detection of synchronization and data update errors in data processing units - Google Patents

Abstract

The invention relates to a data processing unit that generates, processes or uses data consisting of at least one processor with at least one memory in which data in the form of data elements (1) are stored. The invention is characterized in that, for the detection of synchronization and data updating errors, the data values (2) contained in the data elements (1) are assigned a time step identifier (3) which specifies in at least two partial identifications (4, 5) whether and which Time step has the data value.

Description

The invention relates to a device and a method for the device-specific detection of synchronization and data update errors in data processing units.

• • den Datentyp und damit das Darstellungsformat des Datenwerts spezifizierten und teilweise
• • weitere Bits, die eine Integritätsprüfung des gesamten Datenelements erlaubten.

It is known that already in the 1960s in data processing systems such. B. the mainframe TR4 [1] the data values more identifiers were added, the

• • the data type and thus the presentation format of the data value specified and partially
• • additional bits that allowed an integrity check of the entire data element.

Based on the explicit, hardware-understandable and verifiable specification of the data type within the data word itself, corresponding architectures are referred to as data type architectures.

Furthermore, it is known that in qualification architectures the data element is given a further identifier which specifies the access rights to the data element concerned. Good examples of modern capability architectures are e.g. lowRISC [2] and SAFE [3].

• • die ANBD-Kodierung nach Forin [5],
• • die Versionskennung in ADI / SSM des Oracle Sparc-M7-Prozessors [9, 6] und
• • die Sequenznummern in Kommunikationsprotokollen wie TCP und PROFIsafe.

Known are the following detection possibilities of synchronization and data update errors, which are then presented in detail:

• • the ANBD coding according to Forin [5],
• • The version ID in ADI / SSM of the Oracle Sparc M7 processor [9, 6] and
• • The sequence numbers in communication protocols such as TCP and PROFIsafe.

The ANBD coding [5] is an arithmetic coding in which arithmetic operations are performed on coded values. For this purpose, the values are coded by multiplying the data value x by the integrity check A. In addition, an identifier B and, for this disclosure of the invention, a time stamp D are added.

durch die Multiplikation des Datenwerts x mit der Integritätsprüfung A und der anschließenden Addition einer Adresse oder eines Identifikators B_x und einem Zeitstempel D_xt.Accordingly, the coded data value x _{cANBD results} according to the following equation $$x_{cANBD}=A\cdot x+B_x+D_{xt}$$

by the multiplication of the data value x by the integrity check A and the subsequent addition of an address or an identifier B _x and a time stamp D _xt .

bzw. $$x_{cANBD}=A\cdot x+B_x+D_{xt}\equiv B_x+D_{xt}\text{ mod }A$$

erfüllt ist. Dadurch lassen sich die folgenden Fehlerarten aufdecken:

• • ein durch eine fehlerhafte Operation verfälschtes Ergebnis
• • das Heranziehen eines falschen Operanden durch unpassendes B
• • das Heranziehen eines veralteten Operanden durch unpassendes D

At any point in time, the integrity of a coded value can be verified by checking whether $$x_{cANBD}-B_x-D_{xt}=\left(A\cdot x+B_x+D_{xt}\right)-B_x-D_{xt}=A\cdot x\equiv 0\text{mod}A$$

respectively. $$x_{cANBD}=A\cdot x+B_x+D_{xt}\equiv B_x+D_{xt}\text{mod}A$$

is satisfied. This will reveal the following types of errors:

• • a result corrupted by a faulty operation
• • the use of a wrong operand by inappropriate B
• • the use of an obsolete operand by inappropriate D

In the Sparc-M7 processor, Oracle introduced a new security feature, first called Application Data Integrity ADI [9] and later renamed to Silicon Secured Memory SSM [6]. Since both terms appear in the literature, both are mentioned here.

For ADI / SSM, data blocks of 64 bytes each are assigned a 4-bit-wide version identifier. Pointers that access these memory blocks also contain a 4-bit version identifier. When accessing the memory via these pointers, the hardware checks to see if the two version identifiers match. If this is not the case, an exception error is reported and, for example, the program in question is terminated.

Sequence numbers are used in communication protocols such as TCP [10] or the PROFIsafe safety-related fieldbus protocol [7] to detect the loss or duplication of data packets. As a rule, the sequence number is expected to increase by one with each newly received data packet. If it stays the same, the data package was duplicated, if it increases by more than one, a package was lost.

Data processing systems are increasingly responsible for people, the environment, and capital goods, and in some applications replace well-tried mechanical systems, such as: B. in the "x-by-wire" systems in avionics and automotive engineering or autonomous control functions in vehicles. Correspondingly serious consequences can not have errors that are not recognized in time.

The high complexity of the systems and the software and hardware used in them leads to increased error probabilities. In addition, due to the ever-decreasing structural widths, the integrated circuits used are becoming increasingly sensitive to environmental influences, especially to the effects of radiation.

Various types of errors can cause the data to be processed in data processing systems to be insufficiently synchronized or data updates to fail. Processing this data results in erroneous results that can lead to dangerous failures of an entire data processing system. This is particularly relevant to the safety-related applications mentioned above, where such failures can result in personal injury, environmental damage or property damage.

Data is represented in conventional data processing systems only by their data value. About the other data properties such. As data type and - particularly relevant to this invention - the discrete time step of the data value only implicit assumptions are made by the way the data is used. So the hardware can not check these data properties because they are not known to it.

None of the architecture types mentioned above, such as data type or capability architectures, support the specification of the unit of data value in an identifier, which could then be automatically checked or set by the data processing hardware in the data processing units.

Data is represented in conventional data processing systems only by their data value. About the other data properties such. Data type and - for this invention disclosure particularly relevant - the timeliness and the date of origin only implicit assumptions are made by the way the data is used. So the hardware can not check data properties because it does not know them.

By mistake, e.g. Addressing errors, data values may not be updated or, with concurrent processing, different processes may not be synchronized correctly, which may cause inconsistencies in the data being exchanged.

zur Wahrung der Aussagekraft der beschriebenen Prüfungen gelten muss und die Notwendigkeit, B und D in irgendeiner Form für die einzelnen Operanden zu speichern oder zu berechnen, um sie für entsprechende Integritätsprüfungen heranziehen zu können, limitieren die Einsatzmöglichkeiten der ANBD-Kodierung zusätzlich. Bei jeder Werteaktualisierung muss das in die Kodierung eingehende D neu gesetzt werden.The problem with the ANBD coding is that the coding is restricted to certain data types and operations. In addition, unlike the uncoded ones, the coded values are not human-readable, which makes troubleshooting in the program more difficult. The coded values continue to have a higher bit width than the uncoded values. For certain arithmetic operations, after the operation has been performed, extensive corrective measures have to be taken in order to obtain an expected coded result value. This results in a correspondingly increased runtime requirement. Other difficulties, such as the condition that $$B+D<A$$

to maintain the validity of the tests described and the need to store or compute B and D in any form for each operand, in order to make them appropriate To be able to use integrity checks, the application possibilities of the ANBD coding are additionally limited. For each value update, the D coming into the coding must be reset.

The fact that the match of the version numbers in the pointer and the data block is checked at ADI / SSM on a hardware basis at the same time as the actual access does not result in an increased runtime requirement. The method reveals certain constellations of lost data updates and synchronization errors. However, the granularity is quite crude, since only 64-byte blocks can be provided with a version identifier. Furthermore, the identifier with only 4 bits is very small, so it can be distinguished by the hardware just 16 versions. Each time you change the version of a data block, the expected version in the associated pointer must also be changed because the absolute values of the version identifiers are compared and no verification of a difference between version identifiers is provided. Likewise, no presence bit is provided, by which it could be detected that a data block should not have a version number.

In communication protocols such as TCP and PROFIsafe, sequence numbers are added to the data when the message is sent in the form of a data packet, that is to say they are not introduced into the data by the generating program instance, but by a communication driver layer. Furthermore, the sequence numbers are again separated from the data after receipt of the data packet on the receiver side, whereupon these again exist without them. Errors within data sources or data processing units can therefore not be revealed by the sequence numbers within the data packets, but these are also not in the focus of the communication protocols.

A good example of personal injury was the medical irradiation device Therac-25 [8], which caused mismatching of old and new operating parameters due to inadequate synchro- nization mechanisms, which in some cases massively irradiated patients and sometimes resulted in deaths. If the validity of the parameters had been limited to a treatment period, then the invalid outdated parameters would have been recognized.

Another example is the heartbleed vulnerability. In April 2014, a bug in the OpenSSL cryptography library became known that resulted in millions of server systems having to be updated immediately [4]. An error in a special function within the library that is responsible for a cyclic sign of life, the so-called heartbeat. "Heartbeat" was used, it allowed to read memory contents from the memory of the target computer, which contained highly sensitive data over encrypted connections. Derived from the name of the actual function, the error was baptized with the name "Heartbleed" and provided with an appropriate emblem.

The real mistake was that it was possible for an attacker to send a small number of extra bytes to a server and reclaim the return from a significantly larger number of bytes. A plausibility check of the number of bytes sent and the number of requested bytes that should be returned did not occur. In this way, attackers were able to receive the previously mentioned highly sensitive data from other communication links. The effects of the error in [11] are excellently illustrated.

The object of the invention is to recognize synchronization and data updating errors in a simple manner by the hardware of a data processing unit.

The object is based on the data processing unit by the features of claims 1 and 6 and based on the method by the features of claims 7 and 9 solved. The dependent claims each represent advantageous embodiments.

With respect to the data processing units, the solution provides to add a time step identifier to the individual data elements in addition to the data value, which indicates the discrete time step of the data value. Each time the data value is updated, the data-generating data processing unit increments the time step of the data value by one. This allows a data processing unit processing this data to ensure their timeliness and synchronicity when processing the data. For the purposes of this invention, the term "data processing unit" is to be understood as meaning all technical devices which generate, process or use data, such as data. As sensors, process computers and actuators. In such devices, at least one processor is present, the stored data stored in at least one memory, read from such, processed and possibly stores the results again in such a memory. A corresponding processor can, for. B. also be implemented in programmable hardware such as FPGAs. Data elements in the The purposes of this invention are data words in a memory or register which contain, in addition to the data value, further information about the data value itself. Advantageously, the time step identifier is inseparably connected to the data value and is stored, processed and transmitted with it.

• • ein Befehl erlaubt das Setzen der Zeitschritt- und Präsenzbitteilkennungen der Zeitschrittkennung eines Operanden, um neu erzeugten Daten einen Zeitschritt in deren Zeitschrittkennung zuzuweisen und
• • ein weiterer Befehl erlaubt die explizite Prüfung des Zeitschritts eines Operanden, um sicherzustellen, dass dieser den erwarteten Zeitschritt aufweist.

With respect to the data processing units, the solution also provides for additional instructions to be provided in the processor of the data processing unit, with the aid of which further checking and administration possibilities of the time step identifiers of operands result:

• A command allows the setting of the time step and presence bit part identifiers of the time step identifier of an operand in order to assign a time step in its time step identifier to newly generated data and
• • Another command allows the explicit checking of the time step of an operand to ensure that it has the expected time step.

With regard to the data processing units, the solution also provides for adding a time step identifier to the command elements stored in at least one memory. In the context of this invention, command elements are command words in a memory or register which, in addition to the command code and the specification of the operands of the command, contain further information relevant to the execution of the command. The time step identifier in the instruction element consists of at least two partial identifiers: at least one presence bit and at least one specification of the expected temporal relationship of at least two operands of the instruction, d. H. the difference of the time steps of said operands. Advantageously, an incremental bit is present in a further partial identifier.

With regard to the method, the solution provides that the processor of the data processing unit reads out and interprets the content of the time step identifier of the command element to be executed when instructions are executed. If the presence bit is zero, the time step identifier does not specify a relative temporal relationship of the operands of the instruction, and the processor does not check the contents of the time step identifiers of the instruction's operands. If the presence bit has the value one, the processor forms the difference between the contents of the time step identifiers of at least one operand pair and compares these with the contents of the time step subcode of the command. If the processor detects a deviation during this check, a corresponding error handling can be initiated. Possible reactions are z. For example, the triggering of an exception error and / or the transfer of the system to a safe state and / or a reboot of the system. Advantageously, it is proposed that the test described occur simultaneously with the execution of the processing of the data values. If the presence bit in the time step identifiers of one of the operands to be tested has the value zero, then this operand has no time step to be checked and the processor does not perform a calculation and check of the difference of the time steps of the relevant operand pair.

With regard to the method, the solution further provides that the processor of the data processing unit determines the time step of the result of a command to be executed based on the time increments of the source operands and the incremental bit within the time step identifier of the command element. If none of the source operands has a time step, ie all presence bits within the time step identifier of the operands have the value zero, the result is not assigned any time step, ie the presence bit within the time step identifier of the result is set to zero. If only one source operand has a time step in which the presence bit within the time step identifier therefore has the value one, then this time step is selected as the time step of the result. If two or more source operands have a time step, the processor determines the most recent time step by forming the differences and selects this as the time step of the result to be set. Depending on the value of the incremental bit within the time step identifier of the command element, the time step selected for the result is incremented by one before being stored in the time step identifier of the result. If the incremental bit has the value zero, said increase does not take place; if it has the value one, the increase takes place. It is advantageously proposed that the described determination of the time step of the result takes place at the same time as the execution of the processing of the data values.

The invention will be described below with reference to a drawing. 1 the drawing shows how the data value ( 2 ) within a data element ( 1 ) a time step identifier ( 3 ) will be added. This describes - if available - the discrete time step of the data value. 2 of the drawing shows the division of the time step identifier into at least two partial identifiers: a presence bit ( 4 ) and a time step indication ( 5 ). The order of the partial identifiers is shown in the figure only as an example, any other arrangement is also possible.

3 the drawing shows how in the command elements ( 6 ) next to the actual instruction and its operands or operand addresses ( 7 ) also a time step identifier ( 8th ) is available. 4 The drawing shows the structure of the time step identifier in the command elements ( 6 ) in at least 3 partial identifiers. These are presence bits ( 9 ), at least one indication of the relative temporal relationship of two operands ( 10 ) and an incremental bit ( 11 ). The order of the partial identifiers is shown in the figure only as an example, any other arrangement is also possible.

• • Die Darstellung in Form einer Zeitschrittkennung ist für die Hardware verständlich, wodurch diese die Prüfungen zeitgleich zur Ausführung der eigentlichen Operation durchführen kann, es entsteht also kein erhöhter Laufzeitbedarf.
• • Gegenüber der Versionskennung (ADI bzw. SSM) des Oracle Sparc-M7-Prozessors hat die Erfindung die folgenden Vorteile:
  • - die Zeitschrittkennung ist feingranular den einzelnen Datenwerten und nicht Blöcken mit 64 Byte Größe zugeordnet
  • - die relative temporale Beziehung in der Zeitschrittkennung der Befehle spezifiziert die Differenz der Zeitschritte der Operanden des jeweiligen Befehls, wodurch keine Prüfung auf absolute Zeitschrittangaben stattfinden muss
• • Gegenüber der ANBD-Kodierung bestehen die folgenden Vorteile:
  • - es besteht keine Beschränkung der Anwendbarkeit der Zeitschrittkennung auf bestimmte Datentypen oder Operationen
  • - die Bitbreite der Datenwerte erhöht sich durch den Einsatz der Zeitschrittkennung nicht, wodurch keine Probleme bei der Nutzung von Datentypen mit der höchsten nativ durch die Prozessorarchitektur unterstützten Bitbreite auftreten
  • - da keine Kodierung der Datenwerte stattfindet, bleiben die Datenwerte bei der Fehlersuche menschenlesbar
  • - da in den Zeitschrittkennungen der Befehle relative temporale Beziehungen der Operanden spezifiziert werden, ist es nicht notwendig, absolute Zeitschrittwerte für die Prüfung der Aktualität der Operanden getrennt von diesen zu speichern und zur Prüfung heranzuziehen
• • Gegenüber den Kommunikationslösungen, bei denen Sequenznummern zum Einsatz kommen, wie z.B. TCP oder das sicherheitsgerichtete Feldbusprotokoll PROFIsafe (IEC 61784-3-3), hat die Zeitschrittkennung die folgenden Vorteile:
  • - da die Zeitschrittkennung vorteilshafterweise untrennbar mit den Daten verbunden ist, wird sie mit ihnen übertragen und gespeichert und liegt daher zu jeder Zeit unmittelbar vor und muss nicht implizit mit den Daten in Verbindung gebracht werden
  • - die Zeitschrittkennung ist feingranular jedem einzelnen Datenwert hinzugefügt
• • Da es sich um eine gerätetechnische Lösung handelt, wird die Lösung nur einmal spezifiziert, entworfen, implementiert und getestet. Bei softwarebasierten Lösungen muss dieses Prozedere i.d.R. bei jedem Projekt erneut durchlaufen werden.

The invention has the following advantages over the state of science and technology:

• • The representation in the form of a time step identifier is understandable for the hardware, so that it can carry out the tests at the same time as the actual operation, so there is no longer run time requirement.
• • Compared to the version identifier (ADI or SSM) of the Oracle Sparc M7 processor, the invention has the following advantages:
  • - The time step identifier is finely granularly assigned to the individual data values and not to blocks with a size of 64 bytes
  • the relative temporal relationship in the time step identifier of the instructions specifies the difference in the time steps of the operands of the respective instruction, whereby no checking must be performed on absolute time step indications
• • Compared to ANBD coding, there are the following advantages:
  • there is no limitation on the applicability of the time step identifier to certain data types or operations
  • the bit width of the data values is not increased by the use of the time step identifier, whereby no problems arise when using data types with the highest natively supported by the processor architecture bit width
  • - Since there is no encoding of the data values, the data values remain human-readable during debugging
  • since relative temporal relations of the operands are specified in the time step identifiers of the instructions, it is not necessary to store absolute time step values for checking the actuality of the operands separately from these and to use them for checking
• • Compared with communication solutions that use sequence numbers, such as TCP or the PROFIsafe safety-related fieldbus protocol (IEC 61784-3-3), the time step identifier has the following advantages:
  • since the time step identifier is advantageously inseparably linked to the data, it is transmitted and stored with them and is therefore immediately available at all times and does not need to be implicitly associated with the data
  • - The time step identifier is finely granular added to each individual data value
• • As it is a device-based solution, the solution is specified, designed, implemented and tested only once. For software-based solutions, this procedure usually has to be repeated for each project.

The allocation of a specific time step to each set of treatment parameters of the Therac-25 according to the features of this invention would have revealed the mixing of old and new parameters on the basis of differing time steps and, with appropriate error treatment, could prevent the radiation of the patients.

Also, the heartbleed vulnerability described above would have had much less impact using the features of this invention if all the data associated with a specific data block had been provided with an identical time step. The change in the time step when the data block boundaries were exceeded when copying the data would have been recognized immediately by the processor and, with appropriate error handling, no confidential memory contents would have been sent to an attacker.

literature

1. [1] AEG Data Processing: TR 4 Operation Manual
2. [2] A. Bradbury, G. Ferris, R. Mullins: Tagged memory and minion cores in the lowRISC SoC; 2014; http://www.lowrisc.org/docs/
3. [3] S. Chiricescu, A. DeHon, D. Demange, S. Iyer, A. Kliger, G. Morrisett, BC Pierce, H. Reubenstein, JM Smith, GT Sullivan, A. Thomas, J. Tov, CM White , D. Wittenberg: SAFE: A Clean-Slate Architecture for Secure Systems; http://www.crash-safe.org/docs/ HST2013-SAFE.html; 2013
4. [4] CODENOMICON: The Heartbleed Bug; http://heartbleed.com/; 2014
5. [5] P. Forin: Vital Coded Microprocessor Principles and Application for Various Transit Systems; 1989; IFAC Control, Computers, Communications; Pp. 79-84; Paris
6. [6] D. Gove, R. Prakash: Detecting memory access errors; 2015; https://blogs.oracle.com/raj/resource/Silicon-Secured-Memory-Application.pdf
7. [7] IEC 61784-3-3: 2010: Industrial communication networks - Profiles - Part 3-3: Functional safety fieldbuses - Additional specifications for CPF 3 (Edition 2.0, 2010-06)
8. [8th] NG Leveson, CS Turner: An Investigation of the Therac-25 Accidents; Computer, Vol. 26, Issue 7; Pp. 18-41; 1993
9. [9] Oracle: Introduction to SPARC M7 and Application Data Integrity (ADI); https://swisdev.oracle.com/_files/What-Is-ADI.html
10. [10] RFC 793: Transmission Control Protocol, DARPA Internet Program, Protocol Specification; September 1981; http://www.rfc-base.org/rfc-793.html
11. [11] xkcd: Heartbleed Explanation; http://xkcd.com/1354/

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited non-patent literature

• P. Forin: Vital Coded Microprocessor Principles and Application for Various Transit Systems; 1989; IFAC Control, Computers, Communications; Pp. 79-84; Paris [0036]
• D. Gove, R. Prakash: Detecting memory access errors; 2015; https://blogs.oracle.com/raj/resource/Silicon-Secured-Memory-Application.pdf [0036]
• IEC 61784-3-3: 2010: Industrial communication networks - Profiles - Part 3-3: Functional safety fieldbuses - Additional specifications for CPF 3 (Edition 2.0, 2010-06) [0036]
• Leveson, C.S. Turner: An Investigation of the Therac-25 Accidents; Computer, Vol. 26, Issue 7; Pp. 18-41; 1993 [0036]

Claims (9)

Data processing unit that generates, processes or uses data consisting of at least one processor with at least one memory in which data in the form of data elements (1) are stored, characterized in that for detecting synchronization and data updating errors in the data elements (1 2) is assigned a time step identifier (3) which specifies in at least two partial identifications (4, 5) whether and which time step is assigned to the data value. Data processing unit after Claim 1 , characterized in that the time step identifier (3) is inseparably linked to the data value (2) in the data element (1) and is stored, processed and transmitted therewith. Data processing unit after Claim 1 , characterized in that the processor provides commands for checking and managing the contents of the time step identifications (3) of data elements (1). Data processing unit after Claim 3 , characterized in that the processor provides a command for explicitly checking the contents of the time step identifier (3) and thus of the time step of at least one data element (1). Data processing unit after Claim 3 , characterized in that the processor provides a command for setting the contents of the time step identifier (3) and thus of the time step of at least one data element (1). Data processing unit that generates, processes or uses data consisting of at least one processor with at least one memory in which instructions are stored in the form of instruction elements (6), characterized in that a time step identifier for specifying the expected temporal relationship of at least two operands of the instruction (8) is present in the command elements (6). Method for detecting synchronization and data updating errors in data processing units, comprising at least one processor with at least one memory in which data is stored in the form of data elements (1) and commands in the form of command elements (6) in the same or further memory are stored, characterized in that the processor in addition to the execution of a data processing operation based on the presence of bits (9) within the time step identifier of the command element (6) determines whether a relative temporal relationship of the operands to be checked, and based on the presence of bits (4) Time step identifiers (3) of the operands determines whether a time step is assigned to the operands and, if at least two operands a time step is assigned, the difference of the time steps (5) forms the at least two operands and with at least one indication of a relative temporal relationship (10) in the time step identifier (8) in the command element (6) compares. Method according to Claim 7 CHARACTERIZED IN THAT , upon detection of the non-satisfaction of the relative temporal relationship of the operands specified by the time step identifier (8) of the instruction, the processor reports an exception error and / or transfers the data processing unit to a secure state and / or restarts. Method for automatically setting the contents of the time step identifier (3) of the result of an operation in data processing units, comprising at least one processor having at least one memory in which data is stored in the form of data elements (1), and commands in the form of command elements (6) stored in the same or further memory, characterized in that in addition to the execution of the data processing operation the processor determines the time step of the result from the contents of the time step identifications (3) of the data to be processed and of the incremental bit (11) within the time step identifier (8). of the command element (6) and stores it in the time step identifier (3) of the result.

Images