CN102696037B - Method for executing safety-relevant and non-safety-relevant software components on a hardware platform - Google Patents


Info

Publication number: CN102696037B
Application number: CN201080057464.6A
Authority: CN (China)
Prior art keywords: security, software component, relevant software, internal memory, component
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102696037A
Inventors: 卡斯滕·维奇, 斯蒂芬·波勒德纳, 埃里克·施密特
Current assignee: FTS Computertechnik GmbH
Original assignee: FTS Computertechnik GmbH
Application filed by FTS Computertechnik GmbH
Priority claimed from PCT/AT2010/000386 (WO2011044603A1)
Publication of CN102696037A; application granted; publication of CN102696037B

Abstract

The invention relates to a method for executing safety-relevant and non-safety-relevant software components. According to the invention, at least one memory of the hardware platform has an at least partial write-protection mechanism; the safety-relevant software component has full write access to some or all regions of this memory, or the safety-relevant software component has access to a memory region that is separate from the region intended for non-safety-relevant functions. Before a non-safety-relevant software component executes, the safety-relevant software component sets up memory protection so that at least one memory region of the safety-relevant function cannot be accessed by the non-safety-relevant function; the non-safety-relevant software component then has write access only to a limited region of the memory and in particular cannot access any memory region set aside for the safety-relevant component. After return from the non-safety-relevant component, the memory protection is switched off again, and a monitoring component monitors the safety-relevant function to determine whether it is running normally.

Description

Method for executing safety-relevant and non-safety-relevant software components on a hardware platform
Technical field
The invention relates to a method for executing safety-relevant and non-safety-relevant software components on a hardware platform, where the hardware platform comprises a computer unit and at least one memory, where the at least one non-safety-relevant software component and the at least one safety-relevant software component both execute on this computer unit, where the hardware platform comprises a monitoring component or is connected to one, and where this monitoring component operates independently of the at least one processor of the hardware platform.
The invention also relates to a hardware platform on which this method is implemented.
Background technology
Computer systems are increasingly used for tasks in which a failure or a slow reaction of the computer system may endanger human life or property ("safety-related systems"). Such systems must be developed and tested according to the guidelines of standards (IEC 61508, ISO 26262) so that they are largely free of errors. Developing these systems is therefore extremely complex, laborious and expensive.
On the other hand, more and more fields use computer-assisted functions, and there is often a need to extend the control of "standard functions" by adding "safety-related functions". Example: an ACC function (adaptive cruise control, which regulates the vehicle's speed according to the speed of the vehicle in front; a non-critical (comfort) function) is to be extended with automatic emergency braking (a safety-related function).
Running safety-related and non-critical functions together in a single control unit has cost advantages (fewer control units, less wiring, simpler maintenance, ...). It must, however, be guaranteed that errors in the non-critical functions cannot harm the safety-related functions. For this purpose the prior art provides special operating systems (ARINC 653, DECOS) which, through a number of measures, prevent non-critical functions from "spilling over" into the safety-related functions. The drawback of these operating systems is that they place very specific requirements on the control unit hardware and on how the functions are programmed, so integrating non-critical functions into such systems is equally complex and expensive.
Summary of the invention
It is an object of the invention to extend existing control units and existing "standard functions" by adding "safety functions" in a cheap but effective and efficient manner, thereby saving development and material costs.
This object is achieved with the method described in the introduction and/or the hardware platform described in the introduction, on the basis that, according to the invention, the at least one memory of the hardware platform has an at least partial write-protection mechanism; that the safety-relevant software component has full write access to some or all regions of the memory, or the safety-relevant software component has access to a region of the memory which is separate from the memory region intended for the non-safety-relevant functions; that the safety-relevant software component sets up memory protection against access by the non-safety-relevant function to at least one memory region of the safety-related function, and does so before the non-safety-relevant software component executes, so that the non-safety-relevant software component has write access only to a limited region of the memory and in particular cannot access the separate memory region of the safety-relevant component; that after return from the non-safety-relevant component the memory protection is switched off again; and that the monitoring component monitors the safety-related function to determine whether it is operating normally.
"Return" from the non-safety-relevant component here means that the safety-relevant component "initiates" (calls) the non-safety-relevant component, after which "only" the non-safety-relevant component runs, and when it stops, the safety-relevant component runs again.
The invention thus provides a cheaper solution than those mentioned above. Its core is the use of an "optimistic method": it is optimistically assumed that the non-critical function will not cause any error, and this assumption is checked reliably and quickly. An encroachment (= an error of the non-critical function that could affect the safety-related function) is therefore not prevented, but it is detected, so that the safety-related function can be brought into a safe state (or can react to the disturbance in another suitable way).
Normally this safe state is the "shutdown" safe state. Another type of safe state is that the function which may be faulty is stopped before the encroachment takes effect (for example before it overwrites a region of the working memory required by the safety-related function), so that it has no negative effect on the safety-related function. This can be achieved with an exception handler.
For most systems this procedure is entirely suitable, since there are usually other unreliable parts as well, and a safety-related system must never be allowed to enter an unsafe state even if a single failure occurs.
In one variant of the invention an operating system runs on the computer unit (= CPU), and the dispatcher of this operating system ensures that the memory protection is always in effect before a non-safety-relevant scheduling decision is made, and that the protection of the memory region separate from the non-safety-relevant region is lifted only when (and only if) a scheduling decision starts a safety-relevant component.
It is advantageous if, after the non-safety-relevant software component has been called from the safety-related function, an alive signal is sent to the monitoring module.
It may additionally be advantageous if a time stamp is sent to the monitoring module before and after the call of the non-critical software component.
It is particularly advantageous if alive signals are sent to the monitoring module from several positions ("central" positions) within the safety-relevant software components which are important for the execution of the safety-related function, so that the monitoring module can also check the function execution of the safety-relevant software components.
In this case the execution at several checkpoints can also be monitored by means of checksums (or similar) instead of a simple alive signal. It is then visible not only that the safety-related function is currently running, but also the order in which certain key points within the function were reached.
Finally, it is particularly advantageous if the monitoring module can switch the (sub)system to a safe state when an alive signal and/or time stamp is missing.
Brief description of the drawings
The invention is described in more detail below with reference to the drawings, in which
Fig. 1 shows the segmentation of the working memory of the computer unit (CPU) on which the non-critical functions and the safety-related functions execute,
Fig. 2 shows the pseudocode of the check/protect function,
Fig. 3 shows the execution of the independent check of the safety-related functions, and
Fig. 4 shows the pseudocode for activating memory protection in the dispatcher of an operating system.
Detailed description of the invention
The invention is based on the combination of several features and methods:
1. Memory protection is applied to the memory of the CPU in order to block misdirected memory accesses from the non-critical functions (detection).
2. A checking component in a separate unit, the monitoring module, is used to detect faulty execution of the safety-related functions.
The method uses these two techniques to achieve reliable monitoring of the safety-related functions. The working memory SPE of the control unit's CPU is divided into segments as shown in Fig. 1.
The safety-related functions SAFET may read and write the whole working memory SPE (or the main regions SPE1-SPE4 of this memory SPE), whereas the non-critical functions STANT may only read and write a certain part SPE3-SPE5 of the working memory SPE. The part SPE3 of the memory SPE, which is assigned to the non-critical area, is defined as the exchange area; if desired, safety-related and non-critical functions exchange data here.
The segmentation of the memory SPE must be carried out in such a way that the safety-related functions have their own stack and heap in region SPE1. Direct function calls between these regions are therefore impossible.
The safety-related functions (or possibly the standard functions, not shown) have access to the stack/heap region SPE5; as usual, the standard functions cannot access the stack/heap SPE1 (or the variables) of the safety-related functions. This is not strictly necessary, but it is important.
Memory segmentation alone is not sufficient to protect the safety-related functions. It must also be ensured that the non-critical functions cannot block the CPU because of an error and thereby prevent the safety-related functions from reacting quickly. According to the method of the invention, such blocking is not prevented but detected: at every switch between a safety-related function and a non-critical (standard) function, a software checkpoint (SW checkpoint) is passed and checked.
The pseudocode in Fig. 2 (which describes the example of a standard function being called by a safety-related function) presents the core of the method according to the invention, the check/protect function, which checks the access to the working memory and the run-time behaviour of the non-critical functions.
The CPU is always initialised by the safety-related functions, which then have full control of the CPU. Whenever a non-critical function is to run, the protection of the safety-related function(s) is increased in two ways: (1) The memory protection is reconfigured to protect the data of the safety-related functions. A special module of the CPU is set so that only the restricted area of the working memory may be accessed. The parameters to be exchanged are first copied to the exchange area. If the standard function also returns data, a similar mechanism is used in the other direction (from the non-critical function to the safety-related function; not shown in the pseudocode). (2) The SW checkpoint (called "check_point" in the pseudocode) ensures that any crash of the standard function is detected. An alive signal is sent and can be monitored outside the CPU (see below).
Every time a standard function is called from the safety-relevant environment, the pseudocode shown in Fig. 2 must be generated. Known macro-instruction and/or code-generation techniques can be used for this purpose, so that this code does not have to be written by hand.
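As an added illustration (not the patent's own Fig. 2 pseudocode, which the page does not reproduce), the following C model shows the check/protect wrapper around one call of a standard function: the parameters are copied to the exchange area SPE3, the protection is reconfigured so that only SPE3-SPE5 are writable, the standard function runs, the protection is switched back, and alive signals with time stamps are sent to the monitor. The one-bit-per-region write-protection model, the tick counter, the region contents and the two sample standard functions are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the patent's Fig. 2 pseudocode): a software model of the
 * check/protect function.  Region names follow Fig. 1; the one-bit-per-region
 * "write-protection unit", the tick clock and the sample functions are
 * constructed for illustration. */

enum region { SPE1, SPE2, SPE3, SPE4, SPE5, REGION_COUNT };

static bool write_enabled[REGION_COUNT];  /* simulated write-protection unit */
static int  violations;                   /* misdirected writes detected */
static int  alive_signals;                /* alive signals sent to the monitor */

static uint32_t safety_data   = 42;  /* lives in SPE1 (safety stack/heap) */
static uint32_t exchange_area = 0;   /* SPE3: parameter exchange area */
static uint32_t standard_data = 0;   /* SPE5: stack/heap of standard functions */

/* Safety context: full access.  Standard context: only SPE3..SPE5 writable. */
static void protect_for_safety(void)
{
    for (int r = 0; r < REGION_COUNT; r++) write_enabled[r] = true;
}
static void protect_for_standard(void)
{
    for (int r = 0; r < REGION_COUNT; r++) write_enabled[r] = (r >= SPE3);
}

/* Every write passes through here, standing in for the hardware write trap:
 * a write to a protected region is counted as an encroachment and dropped. */
static bool checked_write(enum region r, uint32_t *dst, uint32_t value)
{
    if (!write_enabled[r]) { violations++; return false; }
    *dst = value;
    return true;
}

static uint32_t now(void) { static uint32_t tick; return ++tick; }  /* monotonic clock */
static void send_alive(uint32_t timestamp) { (void)timestamp; alive_signals++; }

typedef void (*standard_fn)(void);

/* The check/protect wrapper around one call of a standard function.
 * Returns the run time of the call in ticks (variant (1) of the description). */
static uint32_t call_standard(standard_fn f, uint32_t param)
{
    checked_write(SPE3, &exchange_area, param);  /* copy parameters to the exchange area */
    uint32_t t_start = now();
    send_alive(t_start);                         /* time stamp before the call */
    protect_for_standard();                      /* (1) reconfigure memory protection */
    f();                                         /* the non-critical function runs */
    protect_for_safety();                        /* protection switched off again on return */
    uint32_t t_end = now();
    send_alive(t_end);                           /* (2) check_point: alive signal after return */
    return t_end - t_start;
}

/* Well-behaved standard function: reads the exchange area, writes only SPE5. */
static void good_standard(void) { checked_write(SPE5, &standard_data, exchange_area + 1); }
/* Faulty standard function: tries to overwrite the safety data in SPE1. */
static void bad_standard(void)  { checked_write(SPE1, &safety_data, 0xDEADBEEFu); }

/* Runs both scenarios; returns the number of encroachments detected. */
int run_demo(void)
{
    protect_for_safety();                        /* the CPU starts under safety control */
    call_standard(good_standard, 7);
    call_standard(bad_standard, 7);
    return violations;
}
uint32_t safety_data_value(void)   { return safety_data; }
uint32_t standard_data_value(void) { return standard_data; }
int      alive_signal_count(void)  { return alive_signals; }

int main(void)
{
    int n = run_demo();
    printf("encroachments detected: %d, safety data: %u, alive signals: %d\n",
           n, (unsigned)safety_data_value(), alive_signal_count());
    return 0;
}
```

On real hardware the dropped write would instead raise a protection fault handled by the exception handler mentioned in the summary; the model counts it so that the effect of the optimistic approach (the faulty write is detected and the safety data in SPE1 stays intact) can be checked without hardware.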
In order to detect the case where a non-critical function occupies the CPU for longer than permitted because of a fault (i.e. blocks it), the alive signal of the safety-related function sent by this check/protect function must be monitored independently. For example, a monitoring module outside the CPU can be used for this purpose. Fig. 3 shows such a design. The alive signals are collected (see the SafeCrossCheck module in Fig. 3) and sent over an I/O line to the monitoring module MOD. This monitoring module MOD is "independent of" the CPU (on which the safety-related functions run) and "alive", so it is not affected by errors or blocking in the CPU and can in this way detect that the safety-related functions are not running correctly.
If this monitoring function does not receive the alive signal in time, it can take measures to bring the system into a safe state. For example, subsystems such as a motor or a control unit can be switched off, or a mechanical lock / mechanical "fallback system" can be activated (for example to establish a rigid connection between the steering wheel and the wheels).
In summary, the method described here differs from the approaches of the prior art as follows:
○ The method is "optimistic". It does not attempt to force a strict separation of safety-related and non-critical functions. Nevertheless, an encroachment on the safety-related region by the non-critical functions is reliably detected.
○ It is simple and uses hardly any resources.
○ No certified operating system is required. The method can be used in systems without an operating system, and also in systems with a standard operating system, where the operating system is treated as a non-critical function.
○ The non-critical functions need not be adapted for this method. The non-critical software can be integrated without changes, and the APIs ("application programming interfaces") of the non-critical functions are retained.
Variants of the invention
(1) Time monitoring of the non-critical functions:
The check/protect function can also be used to record the duration of the non-critical functions. To do so, a time stamp is stored before the non-critical function is called. After the return, the run time of the non-critical function can be computed from it. This run time can be transmitted to the monitoring module. A run time of a non-critical function that exceeds a certain limit is interpreted as an error.
(2) More thorough checking of the safety-related functions:
The method described here can be extended to perform complex checks of the safety-related functions. The safety-related function then follows a certain path in which the check/support function is called in a certain sequence, and this sequence is checked independently.
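The following C model is added here and is not the patent's Fig. 3; it shows the monitoring module MOD side of three passages at once: the independent monitoring of alive signals received over the I/O line (a silent, blocked CPU is detected by the monitor's own clock), variant (1) (the run time between the time stamps before and after a non-critical call is limited) and variant (2) (the key points of the safety-related function must be reached in the expected order). The message format, the limits, the checkpoint ids and the four scenarios are constructed assumptions; the order is checked directly against an expected path rather than by a checksum, which the description names as an alternative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's Fig. 3: a model of the monitoring module MOD
 * receiving alive messages from the CPU.  Message format, limits, checkpoint
 * ids and scenarios are constructed assumptions. */

enum msg_kind { MSG_BEFORE_CALL, MSG_AFTER_CALL, MSG_CHECKPOINT };
enum verdict  { MON_OK, MON_SAFE_STATE };

typedef struct {
    enum msg_kind kind;
    uint32_t      time;        /* time stamp set by the safety-related function */
    uint8_t       checkpoint;  /* checkpoint id, used with MSG_CHECKPOINT */
} alive_msg;

typedef struct {
    uint32_t alive_deadline;      /* max ticks between two messages */
    uint32_t max_standard_run;    /* max run time of one non-critical call */
    const uint8_t *expected_path; /* expected order of checkpoint ids */
    size_t   path_len;
    uint32_t last_seen;           /* time of the last message */
    uint32_t call_start;          /* time stamp of the last MSG_BEFORE_CALL */
    size_t   path_pos;            /* index of the next expected checkpoint */
} monitor;

static void monitor_init(monitor *m, uint32_t deadline, uint32_t max_run,
                         const uint8_t *path, size_t len)
{
    *m = (monitor){ deadline, max_run, path, len, 0, 0, 0 };
}

/* Called for every message received on the I/O line. */
static enum verdict monitor_receive(monitor *m, alive_msg msg)
{
    if (msg.time - m->last_seen > m->alive_deadline) return MON_SAFE_STATE; /* too late */
    m->last_seen = msg.time;
    switch (msg.kind) {
    case MSG_BEFORE_CALL:
        m->call_start = msg.time;
        break;
    case MSG_AFTER_CALL:      /* variant (1): run time of the non-critical function */
        if (msg.time - m->call_start > m->max_standard_run) return MON_SAFE_STATE;
        break;
    case MSG_CHECKPOINT:      /* variant (2): key points must be reached in order */
        if (m->path_pos >= m->path_len || m->expected_path[m->path_pos] != msg.checkpoint)
            return MON_SAFE_STATE;
        if (++m->path_pos == m->path_len) m->path_pos = 0;  /* one cycle completed */
        break;
    }
    return MON_OK;
}

/* Driven by the monitor's own clock, independent of the CPU: catches a blocked
 * CPU that sends nothing at all. */
static enum verdict monitor_tick(const monitor *m, uint32_t now)
{
    return (now - m->last_seen > m->alive_deadline) ? MON_SAFE_STATE : MON_OK;
}

/* ---- constructed scenarios (deadline 10 ticks, max standard run 5 ticks) ---- */
static const uint8_t PATH[] = { 1, 2, 3 };

/* Feed a message sequence; return the first non-OK verdict, or MON_OK. */
static enum verdict feed(monitor *m, const alive_msg *seq, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = monitor_receive(m, seq[i]);
        if (v != MON_OK) return v;
    }
    return MON_OK;
}

enum verdict scenario_normal(void)       /* one full cycle, everything in time */
{
    monitor m; monitor_init(&m, 10, 5, PATH, 3);
    const alive_msg seq[] = {
        { MSG_CHECKPOINT, 1, 1 }, { MSG_BEFORE_CALL, 2, 0 }, { MSG_AFTER_CALL, 5, 0 },
        { MSG_CHECKPOINT, 6, 2 }, { MSG_CHECKPOINT, 7, 3 }, { MSG_CHECKPOINT, 8, 1 },
    };
    return feed(&m, seq, 6);
}
enum verdict scenario_blocked(void)      /* standard function never returns */
{
    monitor m; monitor_init(&m, 10, 5, PATH, 3);
    const alive_msg seq[] = { { MSG_CHECKPOINT, 1, 1 }, { MSG_BEFORE_CALL, 2, 0 } };
    (void)feed(&m, seq, 2);
    return monitor_tick(&m, 13);         /* 11 ticks of silence */
}
enum verdict scenario_overrun(void)      /* standard function returns, but too late */
{
    monitor m; monitor_init(&m, 10, 5, PATH, 3);
    const alive_msg seq[] = { { MSG_BEFORE_CALL, 2, 0 }, { MSG_AFTER_CALL, 9, 0 } };
    return feed(&m, seq, 2);
}
enum verdict scenario_wrong_order(void)  /* checkpoint 3 reached before 2 */
{
    monitor m; monitor_init(&m, 10, 5, PATH, 3);
    const alive_msg seq[] = { { MSG_CHECKPOINT, 1, 1 }, { MSG_CHECKPOINT, 2, 3 } };
    return feed(&m, seq, 2);
}

int main(void)
{
    printf("normal=%d blocked=%d overrun=%d wrong_order=%d\n", scenario_normal(),
           scenario_blocked(), scenario_overrun(), scenario_wrong_order());
    return 0;
}
```

A MON_SAFE_STATE verdict is where the monitor would switch off the subsystem or engage the mechanical fallback described above; the model returns it so that the three failure modes (silence, overrun, wrong order) can be told apart from the normal cycle.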
(3) Use with an operating system:
If a standard operating system itself does not meet the required safety criteria, safety-related functions can nevertheless be executed on such a system. For this, the following must be integrated into the operating system so that the rules of the method are observed even when the environment changes:
○ The memory protection must be activated before the tasks to be executed on the CPU are initialised (the memory protection is activated in the early phase of software initialisation).
○ The memory protection is modified correctly at every task switch.
○ The memory protection is modified reliably by means of interrupts.
The pseudocode in Fig. 4 shows the extension required for the dispatcher. The dispatcher starts with an interrupt; the interrupt service routine contains the code shown in Fig. 4.
Variant (1), the monitoring of the non-critical functions over time, is also feasible with an operating system. For this, a timer must additionally be included in all the environment changes mentioned above.
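As an added example (not the patent's Fig. 4), the following C model shows the dispatcher extension of variant (3) together with the timer of variant (1): protection is on from early initialisation, the scheduling decision in the timer interrupt always starts with protection active and lifts it only when the chosen task is safety-relevant, and the run time of each standard task is measured between task switches. The task names, run times, the boolean standing in for the hardware protection and the schedule are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's Fig. 4: a model of the dispatcher extension
 * for variant (3) plus the timer of variant (1).  Task names, run times and
 * the flag standing in for the hardware memory protection are assumptions. */

enum task_class { TASK_SAFETY, TASK_STANDARD };

typedef struct {
    const char     *name;
    enum task_class cls;
    uint32_t        run_ticks;   /* how long the task runs until the next timer interrupt */
} task;

static bool     protection_active;    /* protection of the safety region on/off */
static uint32_t clock_ticks;          /* system timer */
static uint32_t standard_start;       /* time stamp when a standard task was dispatched */
static uint32_t longest_standard_run; /* longest run of a standard task so far */

/* Early software initialisation: protection is on before any task runs. */
static void system_init(void)
{
    protection_active = true;
    clock_ticks = 0;
    longest_standard_run = 0;
}

/* Body of the timer interrupt service routine: the scheduling decision.
 * Protection is always active before the decision is made; it is lifted only
 * when the chosen task is a safety-relevant one. */
static void dispatch(const task *next)
{
    protection_active = true;
    if (next->cls == TASK_SAFETY)
        protection_active = false;
    else
        standard_start = clock_ticks;        /* start the timer for the standard task */
}

/* The task runs until the next timer interrupt.  Returns whether the protection
 * state was correct for the task's class. */
static bool run_task(const task *t)
{
    bool ok = (t->cls == TASK_STANDARD) ? protection_active : !protection_active;
    clock_ticks += t->run_ticks;
    if (t->cls == TASK_STANDARD) {
        uint32_t ran = clock_ticks - standard_start;
        if (ran > longest_standard_run) longest_standard_run = ran;
    }
    return ok;
}

/* Runs a schedule; returns true if protection was correct for every task.
 * *longest receives the longest run of a standard task (to be reported to the
 * monitoring module). */
bool run_schedule(const task *sched, size_t n, uint32_t *longest)
{
    system_init();
    bool all_ok = true;
    for (size_t i = 0; i < n; i++) {
        dispatch(&sched[i]);                 /* timer interrupt -> dispatcher */
        all_ok = run_task(&sched[i]) && all_ok;
    }
    *longest = longest_standard_run;
    return all_ok;
}

/* Constructed schedule: safety and standard tasks alternating. */
static const task SCHEDULE[] = {
    { "safety_control", TASK_SAFETY,   2 },
    { "comfort_acc",    TASK_STANDARD, 7 },
    { "safety_control", TASK_SAFETY,   2 },
    { "diagnostics",    TASK_STANDARD, 4 },
};

bool     demo_protection_ok(void)       { uint32_t l; return run_schedule(SCHEDULE, 4, &l); }
uint32_t demo_longest_standard_run(void){ uint32_t l; run_schedule(SCHEDULE, 4, &l); return l; }

int main(void)
{
    printf("protection correct: %s, longest standard run: %u ticks\n",
           demo_protection_ok() ? "yes" : "no", (unsigned)demo_longest_standard_run());
    return 0;
}
```

The longest standard run would be compared against the limit in the monitoring module; the point of the model is the invariant in dispatch(): a standard task can never be started with the safety region unprotected.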
(4) Several classes of memory segmentation
For simplicity, only two classes of memory protection have been described in the presentation of this method:
● memory that is fully open for the safety-related functions
● the fully protected safety-related memory region.
The method can, however, also be used in systems with more memory-protection classes. Several safety-related functions can be managed, where each function may access only its own memory region and not the regions of the other safety-related functions. Different regions can also be defined within the non-critical functions. The method must satisfy one condition: the dedicated memory regions of the safety-related functions (RAM, ROM, stack, heap) must be protected from access by the non-critical functions.
The method according to the invention makes it possible to run safety-relevant software functions together with standard functions and/or an operating system on one computer.
Safety-related and non-critical functions run in different environments (with their respective stack/heap and their respective memory segments). The switch between a safety-related function and a non-critical function serves not only to activate (or deactivate) the memory protection: an alive signal is also left at the same point, which allows the monitoring module to observe the control unit independently and to switch it off in the event of an error.
The method is characterised by its simplicity and its wide range of applications. It only requires hardware-supported memory protection and an independently running monitoring module. No requirements are placed on the standard software used, so it can vary greatly from case to case. When the environment changes, only a few key positions in the functions close to the operating system need to be modified.
The method according to the invention is particularly suitable for computers in safety-critical fields (for example embedded computers or host computers).

Claims (2)

1. A method for executing a safety-relevant software component and a non-safety-relevant software component on a hardware platform, wherein the hardware platform is a computer unit CPU and comprises at least one memory, wherein at least one non-safety-relevant software component and at least one safety-relevant software component both execute on this computer unit CPU, and wherein the hardware platform comprises a monitoring component or is connected to a monitoring component, the operation of which is independent of the computer unit CPU of the hardware platform,
wherein
the hardware platform has an at least partial write-protection mechanism for the at least one memory, and wherein
the safety-relevant software component has full write access to some or all regions of the memory, or
the safety-relevant software component has access to a region of the memory that is separate from the memory region intended for the non-safety-relevant software component, and wherein
the safety-relevant software component sets up memory protection before the non-safety-relevant software component executes,
so that at least one part of the memory of the safety-relevant software component cannot be accessed by the non-safety-relevant software component,
so that the non-safety-relevant software component has write access only in a restricted area of the memory and in particular cannot access any separate memory region of the safety-relevant software component,
and wherein, after return from the non-safety-relevant software component, the memory protection is switched off again,
and wherein the monitoring component monitors the safety-relevant software component to determine whether it is running normally, and wherein
after calling the non-safety-relevant software component, the safety-relevant software component sends an alive signal to the monitoring component, and/or
before and after calling the non-safety-relevant software component, time stamps are sent to the monitoring component, and/or
alive signals are sent to the monitoring component from central positions of the safety-relevant software component, so that the monitoring component can also check the function execution of the safety-relevant software component,
and wherein
when an alive signal and/or a time stamp is missing, the monitoring component switches the system or subsystem to a safe state.
2. The method according to claim 1, characterised in that an operating system runs on the computer unit CPU, and the dispatcher of this operating system ensures that the memory protection is always active before a non-safety-relevant scheduling decision is made, and that the protection of the memory region separate from the memory region intended for the non-safety-relevant software component is lifted only when a scheduling decision starts the safety-relevant software component.
CN201080057464.6A | priority date 2009-10-15 | filing date 2010-10-12 | Method for executing safety-relevant and non-safety-relevant software components on a hardware platform | Active | CN102696037B (en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
AT16272009 | 2009-10-15 | |
ATA1627/2009 | 2009-10-15 | |
PCT/AT2010/000386 (WO2011044603A1) | 2009-10-15 | 2010-10-12 | Method for executing security-relevant and non-security-relevant software components on a hardware platform

Publications (2)

Publication Number | Publication Date
CN102696037A | 2012-09-26
CN102696037B | 2016-12-14

Patent Citations (1)

Publication number | Priority date | Publication date | Assignee | Title
CN1886712A (cited by examiner) | 2003-11-28 | 2006-12-27 | 松下电器产业株式会社 | Data processor


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
TR01 | Transfer of patent right | Effective date of registration: 20181015. Patentee before: FTS COMPUTERTECHNIK Gmbh (Vienna, Austria). Patentee after: TTTECH Computertechnik AG (Vienna, Austria).
TR01 | Transfer of patent right | Effective date of registration: 20190628. Patentee before: TTTECH Computertechnik AG (Vienna, Austria). Patentee after: TTTECH Automobile Co., Ltd. (Vienna, Austria).