Summary of the invention
It is an object of the invention to add a "safety function" by which existing control units and existing "standard functions" can be extended in an inexpensive but effective and efficient manner, thus saving development and material costs.
This object is achieved by the method described in the introduction and/or the hardware platform described in the introduction, on the basis that, according to the hardware platform of the present invention, the at least one memory has an at least partial write-protection mechanism, and the safety-relevant software component has full write access to certain regions or to the whole memory, or the safety-relevant software component has access to a certain region of this memory which is separate from the memory region presented to the non-safety-relevant function; and wherein the safety-relevant software component sets up a memory protection that prevents the non-safety-relevant function from accessing at least one region of the memory of the safety-relevant function, this protection being set up before the non-safety-relevant software component executes, so that the non-safety-relevant software component has write access only to a limited region of the memory and in particular cannot access the separate memory region of the safety-relevant component; and wherein, after the return from the non-safety-relevant component, this memory protection can be switched off again; and wherein the monitoring component can monitor the safety-relevant function in order to determine whether it is operating normally.
Here, "calling" the non-safety-relevant component means that the safety-relevant component "initiates" it; "return" from the non-safety-relevant component means that, while it runs, "only" the non-safety-relevant component is running, and when it stops, the safety-relevant component runs again.
The invention thus provides a scheme that is comparatively less expensive than those mentioned above. The core of the present invention is the use of an "optimistic method". In other words, it is optimistically assumed that the non-safety-relevant function will not cause any error. Whether this assumption is correct can be checked reliably and very quickly. Thus, although an encroachment (= an error of the non-safety-relevant function that could affect the safety-relevant function) is not prevented, it can be detected, so that the safety-relevant function can be brought to a safe state (or can react to the interference by another suitable method).
Normally this safe state means a "shutdown". Another type of safe state is that the probably faulty function is stopped before the encroachment takes effect (e.g. before it overwrites a certain region of the working memory required by the safety-relevant function), so that it has no negative effect on the safety-relevant function. This can be achieved by an exception handler.
For most systems this approach is the most suitable, since there are generally other insecure parts, and even if a single fault occurs, the safety-relevant system must never be allowed to enter an unsafe state.
In a variant of the present invention, in which an operating system runs on the computer unit (= CPU), the dispatcher of the operating system ensures that the memory protection always comes into force before a scheduling decision in favour of a non-safety-relevant task is made, and that the memory with the memory region separate from the non-safety-relevant region remains protected; the protection is released only (and if only) when the scheduling decision starts a safety-relevant component.
It is most favourable if, after the non-safety-relevant software component has been called from the safety-relevant function, an alive signal can be sent to a monitoring module.
It may also be advantageous if time stamps can be sent to the monitoring module before and after the non-critical software component is called.
It is particularly advantageous if alive signals can be sent to the monitoring module from several positions ("central" positions) distributed within the safety-relevant software components, positions that are important for the execution of the safety-relevant function, so that the monitoring module can also check the execution of the functions of those safety-relevant software components.
In this case the execution at multiple checkpoints can also be monitored by means of checksums or a similar technique instead of simple alive signals. It is then visible not only that the safety-relevant function is currently running, but also the order in which certain key points in that function were reached.
Finally, it is particularly advantageous if the monitoring module can bring the (sub)system into a safe state when alive signals and/or time stamps are missing.
Detailed description of the invention
The present invention is based on a combination of several features and several methods:
1. Memory protection is implemented for the memory of the CPU in order to block misdirected memory accesses from the non-safety-relevant function (detection).
2. A monitoring module and a checking component are used in a separate unit in order to detect a faulty execution of the safety-relevant function.
The method uses these two techniques to achieve reliable monitoring of the safety-relevant functions. The working memory SPE of the CPU of the control unit is divided into segments according to Fig. 1.
The safety-relevant functions SAFET can read and write the whole working memory SPE (or the main regions SPE1-SPE4 of the memory SPE), whereas the non-safety-relevant functions STANT can only read and write a certain part SPE3-SPE5 of the working memory SPE. The part SPE3 of the memory SPE, which is assigned to the non-critical region, is defined as the exchange area. If desired, safety-relevant and non-safety-relevant functions can exchange data there.
The segmentation of the memory SPE must be carried out in such a way that the safety-relevant functions have their own stack and heap region SPE1. It is therefore impossible to call functions directly across these regions.
The safety-relevant functions may, if desired, have access to the stack/heap region SPE5 of the standard functions (not shown). Conversely, it is of course less a matter of necessity than of importance that the standard functions cannot access the stack/heap SPE1 (or the variables) of the safety-relevant functions.
Memory segmentation alone is not enough to protect the safety-relevant functions. It must also be ensured that the non-safety-relevant functions do not block the CPU because of an error and thus prevent the safety-relevant functions from reacting quickly. According to the method of the present invention such blocking is not prevented, but it can be detected. Every time execution switches between a safety-relevant function and a non-critical (standard) function, a software checkpoint (SW checkpoint) is passed and checked.
The pseudocode in Fig. 2 (which describes the example of a safety-relevant function calling a standard function) presents the core of the method of the present invention, i.e. the checking/protection function with its checking of the working-memory accesses and of the run-time behaviour of the non-critical functions.
The CPU is always initialized by the safety-relevant function, and the safety-relevant function then initially has sole control of the CPU. Every time a non-safety-relevant function is to run, the protection of the safety-relevant function(s) is increased in two ways: (1) The memory protection is reconfigured, which achieves the protection of the data of the safety-relevant function. A special module of the CPU is set so that only a restricted area of the working memory may be accessed. Parameters that have to be exchanged can first be copied to the exchange area. If the standard function also returns data, a similar mechanism is carried out in the other direction (from the non-safety-relevant function to the safety-relevant function; not shown in the pseudocode). (2) The SW checkpoint (called "check_point" in the pseudocode) ensures that any crash of the standard function is detected. An alive signal can be sent and can be monitored outside the CPU (see below).
Every time a standard function is called in a safety-relevant environment, pseudocode as shown in Fig. 2 must be generated. Known macro-instruction generation techniques and/or code generators can be used for this purpose, so that this code need not be written manually.
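As an added illustration of the segmentation of Fig. 1 and of the call sequence described for the Fig. 2 pseudocode (this is example code written for this text, not the pseudocode of the patent itself), the following C program models the working memory SPE as five equal segments and replaces the CPU's memory-protection module by a software check in mpu_write(). The segment size, the choice of the first two bytes of SPE3 as parameter and result slots, and the two standard functions are constructed for the example. A real MPU would raise an exception on the misdirected write; here the blocked write is counted, which is the same detection event.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout of the working memory SPE of Fig. 1: five equal segments
 * SPE1..SPE5 of SEG_SIZE bytes, laid out back to back. Addresses are offsets
 * into this array; real hardware would use physical addresses and an MPU. */
#define SEG_SIZE    64u
#define SEG_COUNT   5u
#define SEG_BASE(n) (((n) - 1u) * SEG_SIZE)   /* first byte of SPEn, n = 1..5 */

static uint8_t spe[SEG_COUNT * SEG_SIZE];

/* Which class of software currently owns the CPU. In STANDARD mode the
 * simulated MPU only lets writes through to SPE3..SPE5 (SPE3 = exchange area). */
typedef enum { MODE_SAFETY, MODE_STANDARD } prot_mode_t;
static prot_mode_t g_mode = MODE_SAFETY;

static unsigned g_blocked_writes = 0;   /* detected misdirected accesses */
static unsigned g_alive_signals  = 0;   /* check_point() invocations */

/* Simulated MPU write. Returns 1 if the store was performed, 0 if the current
 * protection setting blocked it (a real MPU would raise an exception here,
 * which is the detection the method relies on). */
int mpu_write(size_t addr, uint8_t value)
{
    if (addr >= sizeof spe)
        return 0;
    unsigned seg = (unsigned)(addr / SEG_SIZE) + 1u;
    if (g_mode == MODE_STANDARD && seg < 3u) {   /* SPE1 and SPE2 are safety-only */
        g_blocked_writes++;
        return 0;
    }
    spe[addr] = value;
    return 1;
}

/* SW checkpoint: here it only counts the alive signals that would be sent to
 * the monitoring module over the I/O line. */
static void check_point(const char *where)
{
    (void)where;
    g_alive_signals++;
}

unsigned alive_signal_count(void) { return g_alive_signals; }

/* A standard function receives its input at in_addr and writes its result to
 * out_addr, both inside the exchange area SPE3. */
typedef void (*standard_fn)(size_t in_addr, size_t out_addr);

/* Well-behaved standard function: doubles its input. */
void good_standard_function(size_t in_addr, size_t out_addr)
{
    mpu_write(out_addr, (uint8_t)(spe[in_addr] * 2u));
}

/* Faulty standard function: same result, but it also tries to overwrite the
 * first byte of the safety stack/heap SPE1 (a constructed misdirected access). */
void faulty_standard_function(size_t in_addr, size_t out_addr)
{
    mpu_write(out_addr, (uint8_t)(spe[in_addr] * 2u));
    mpu_write(SEG_BASE(1), 0xFFu);
}

/* Guarded call of a standard function from a safety-relevant function, in the
 * order described for the Fig. 2 pseudocode: parameter to the exchange area,
 * protection on, checkpoint, call, checkpoint, protection off, result back.
 * Returns the number of writes the MPU blocked during the call (0 = clean). */
unsigned call_standard_guarded(standard_fn fn, uint8_t param, uint8_t *result)
{
    const size_t in_addr  = SEG_BASE(3);        /* exchange area SPE3 */
    const size_t out_addr = SEG_BASE(3) + 1u;
    unsigned blocked_before = g_blocked_writes;

    g_mode = MODE_SAFETY;
    mpu_write(in_addr, param);                  /* parameter -> exchange area */

    g_mode = MODE_STANDARD;                     /* (1) memory protection on */
    check_point("before standard function");    /* (2) SW checkpoint */
    fn(in_addr, out_addr);
    check_point("after standard function");
    g_mode = MODE_SAFETY;                       /* protection off again */

    *result = spe[out_addr];                    /* return data <- exchange area */
    return g_blocked_writes - blocked_before;
}

int main(void)
{
    uint8_t r = 0;
    unsigned blocked = call_standard_guarded(faulty_standard_function, 5u, &r);
    printf("result=%u blocked_writes=%u SPE1[0]=0x%02X alive_signals=%u\n",
           r, blocked, spe[SEG_BASE(1)], alive_signal_count());
    return 0;
}
```

The result byte arrives through the exchange area in both cases; the difference between the two standard functions is visible only in the blocked-write count, which is exactly the information the checking/protection function has to forward to the monitoring module.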
In order to detect the case in which a non-safety-relevant function occupies the CPU longer than the allowed time because of a fault (i.e. blocks it), the alive signals sent by the safety-relevant function of this checking/protection function must be monitored independently. For example, a monitoring module outside the CPU can be used for this monitoring. Fig. 3 shows such a design. The alive signals can be collected (see the SafeCrossCheck module in Fig. 3) and sent to the monitoring module MOD on I/O lines. This monitoring module MOD is "independent of" the CPU (on which the safety-relevant functions run) and "alive", so it is not affected by an error or blockage in the CPU and can in this way detect when the safety-relevant functions are not running correctly.
If this monitoring function fails to receive the alive signal in time, it can take measures to bring the system into a safe state. For example, a subsystem such as a motor or a control unit can be shut down, or a mechanical lock / mechanical "backup system" can be engaged (e.g. to realize a rigid connection between the steering wheel and the wheels).
In summary, the method described here differs from the prior art in the following ways:
○ The method is "optimistic". It does not attempt to forcibly separate safety-relevant and non-safety-relevant functions. Nevertheless, an encroachment by the non-safety-relevant functions into the safety-relevant region can be reliably detected.
○ It is simple and uses hardly any resources.
○ No certified operating system is needed. The method can be used in systems without an operating system, and in systems with a standard operating system, which can then be treated as a non-safety-relevant function.
○ The non-safety-relevant functions need not be adjusted for this method. The non-critical software can be integrated without changes. The API ("application programming interface") of the non-safety-relevant functions can be retained.
Variants of the invention
(1) Time monitoring of the non-safety-relevant functions:
The checking/protection function can also be used to record the duration of the non-safety-relevant functions. For this purpose, a time stamp is stored before the non-safety-relevant function is called. After the return, the running time of the non-safety-relevant function can thus be measured. This running time can be transmitted to the monitoring module. A running time of the non-safety-relevant functions that exceeds a certain limit is interpreted as an error.
(2) More thorough checking of the safety-relevant functions:
The method described here can be extended to carry out complex checks of the safety-relevant functions. For this, a certain path can be followed within the safety-relevant function, along which the checking/support function is called in a certain sequence.
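The monitoring module MOD described for Fig. 3 and the time monitoring of variant (1) share one piece of logic: a clock that keeps running when the monitored CPU does not. The following C code is an added example written for this text (not part of the patent), modelling that module as a small state machine. The alive deadline, the run-time limit and the millisecond time stamps are constructed values; the safe-state reaction (cutting a motor, engaging a mechanical lock) is only recorded as a reason string.

```c
#include <stdint.h>
#include <stdio.h>

/* State the monitoring module MOD drives the (sub)system to. */
typedef enum { SYS_NORMAL = 0, SYS_SAFE_STATE = 1 } sys_state_t;

typedef struct {
    uint32_t alive_deadline_ms;  /* longest tolerated gap between alive signals */
    uint32_t max_runtime_ms;     /* variant (1): longest tolerated standard-function run time */
    uint32_t last_alive_ms;      /* time stamp of the most recent alive signal */
    uint32_t call_start_ms;      /* time stamp stored before the standard function was called */
    int         in_call;
    sys_state_t state;           /* latched: once SAFE_STATE, it stays there */
    const char *reason;
} monitor_t;

void monitor_init(monitor_t *m, uint32_t alive_deadline_ms,
                  uint32_t max_runtime_ms, uint32_t now_ms)
{
    m->alive_deadline_ms = alive_deadline_ms;
    m->max_runtime_ms    = max_runtime_ms;
    m->last_alive_ms     = now_ms;
    m->call_start_ms     = 0;
    m->in_call           = 0;
    m->state             = SYS_NORMAL;
    m->reason            = "ok";
}

/* Where the real module would shut down the motor or engage the mechanical backup. */
static void enter_safe_state(monitor_t *m, const char *why)
{
    if (m->state == SYS_NORMAL) {
        m->state  = SYS_SAFE_STATE;
        m->reason = why;
    }
}

/* Alive signal from a checkpoint of the safety-relevant function. */
void monitor_alive(monitor_t *m, uint32_t now_ms)
{
    m->last_alive_ms = now_ms;
}

/* Time stamp sent just before the safety-relevant function calls a standard function. */
void monitor_call_begin(monitor_t *m, uint32_t now_ms)
{
    monitor_alive(m, now_ms);
    m->call_start_ms = now_ms;
    m->in_call = 1;
}

/* Time stamp sent just after the standard function returned. Returns the measured
 * run time; a run time above the limit is read as an error. Unsigned subtraction
 * gives the right difference even across a 32-bit timer wrap. */
uint32_t monitor_call_end(monitor_t *m, uint32_t now_ms)
{
    uint32_t run_ms = now_ms - m->call_start_ms;
    m->in_call = 0;
    monitor_alive(m, now_ms);
    if (run_ms > m->max_runtime_ms)
        enter_safe_state(m, "standard function exceeded its run-time limit");
    return run_ms;
}

/* Called periodically from the module's own clock, which keeps ticking even
 * when the monitored CPU is blocked inside a standard function. */
sys_state_t monitor_poll(monitor_t *m, uint32_t now_ms)
{
    if (now_ms - m->last_alive_ms > m->alive_deadline_ms)
        enter_safe_state(m, "alive signal missing");
    return m->state;
}

int main(void)
{
    monitor_t m;
    monitor_init(&m, 100u, 50u, 0u);       /* constructed limits: 100 ms alive gap, 50 ms run time */
    monitor_call_begin(&m, 10u);           /* safety function calls a standard function at t=10 */
    /* ... the standard function hangs; no monitor_call_end() ever arrives ... */
    printf("t=60  state=%d\n", (int)monitor_poll(&m, 60u));
    printf("t=200 state=%d (%s)\n", (int)monitor_poll(&m, 200u), m.reason);
    return 0;
}
```

The two limits are checked by different paths on purpose: the run-time limit needs the "after" time stamp and therefore only fires if the CPU comes back at all, while the alive deadline is checked from the module's own clock and also covers the case where the CPU never returns.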
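Variant (2), and the earlier remark that checkpoints can be monitored by checksums rather than by simple alive signals so that the order of key points becomes visible, can be implemented as in the following added C example (written for this text; the patent does not specify a checksum). FNV-1a is used here as the running checksum because it is order-sensitive and a single multiply-xor per checkpoint; the checkpoint ids and the expected path are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One FNV-1a step: folds one checkpoint id into the running hash. The result
 * depends on the order of the ids, which is what distinguishes this from
 * simply counting alive signals. */
#define FNV1A_OFFSET 2166136261u
static uint32_t fnv1a_step(uint32_t h, uint8_t byte)
{
    return (h ^ byte) * 16777619u;
}

typedef struct {
    uint32_t running;   /* checksum over the checkpoint ids seen so far */
    size_t   count;     /* number of checkpoints passed in this cycle */
} cp_trace_t;

void cp_trace_reset(cp_trace_t *t)
{
    t->running = FNV1A_OFFSET;
    t->count   = 0;
}

/* Called by the checking/support function at each checkpoint of the safety path. */
void cp_trace_pass(cp_trace_t *t, uint8_t checkpoint_id)
{
    t->running = fnv1a_step(t->running, checkpoint_id);
    t->count++;
}

/* Reference checksum for the expected path, computed once (e.g. at build time). */
uint32_t cp_expected_checksum(const uint8_t *path, size_t n)
{
    uint32_t h = FNV1A_OFFSET;
    for (size_t i = 0; i < n; i++)
        h = fnv1a_step(h, path[i]);
    return h;
}

/* End-of-cycle check by the monitoring module: the cycle is accepted only if
 * exactly the expected checkpoints were passed, in the expected order. */
int cp_trace_verify(const cp_trace_t *t, uint32_t expected, size_t expected_count)
{
    return t->count == expected_count && t->running == expected;
}

/* Replays an observed checkpoint sequence against the expected path and reports
 * whether the cycle would be accepted (1) or rejected (0). */
int cycle_accepted(const uint8_t *observed, size_t n_obs,
                   const uint8_t *expected, size_t n_exp)
{
    cp_trace_t t;
    cp_trace_reset(&t);
    for (size_t i = 0; i < n_obs; i++)
        cp_trace_pass(&t, observed[i]);
    return cp_trace_verify(&t, cp_expected_checksum(expected, n_exp), n_exp);
}

int main(void)
{
    /* Constructed path of a safety-relevant function: four key points in order. */
    const uint8_t path[]    = { 1, 2, 3, 4 };
    const uint8_t swapped[] = { 1, 3, 2, 4 };   /* same points, wrong order */
    const uint8_t skipped[] = { 1, 2, 4 };      /* one point not reached */

    printf("expected order accepted: %d\n", cycle_accepted(path, 4, path, 4));
    printf("swapped order accepted:  %d\n", cycle_accepted(swapped, 4, path, 4));
    printf("skipped point accepted:  %d\n", cycle_accepted(skipped, 3, path, 4));
    return 0;
}
```

Only the final running value and the count need to cross the I/O line to the monitoring module, so the cost per cycle is independent of how many checkpoints the safety path contains.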
(3) Use with an operating system:
If the standard operating system itself does not meet the required safety criteria, safety-relevant functions can nevertheless be executed in this system. The following safety-relevant functions must be integrated into this operating system so that, even if the environment changes, the rules of this method are still observed:
○ the memory protection should be started before the task initialization is performed on this CPU (the memory protection is started at an early stage of the software initialization)
○ the memory protection is correctly amended every time a task is switched
○ the memory protection is reliably amended by interrupts
The pseudocode in Fig. 4 shows the extension needed for the dispatcher. The dispatcher is started by an interrupt, and the interrupt service routine contains the code shown in Fig. 4.
Variant (1) described above, which monitors the non-safety-relevant functions over time, is also feasible with this operating system. In that case it is necessary to additionally include a timer in all the environment changes mentioned above.
(4) Multiple classes of memory sections
For simplicity, only two classes of memory protection have been mentioned in the description of this method:
● the memory fully open to the safety-relevant functions
● the comprehensively protected safety-relevant memory region.
However, the method can also be used in systems with more memory protection classes. Several safety-relevant functions can be managed, each of which can only access its own memory region and not the regions of other safety-relevant functions. Different restricted regions can also be defined within the non-safety-relevant functions. The method must fulfil one condition: the dedicated memory regions of the safety-relevant functions (RAM, ROM, stack, heap) must be protected against access by the non-safety-relevant functions.
The method of the present invention makes it possible for safety-relevant software functions to run in one computer together with standard functions and/or an operating system.
Safety-relevant and non-safety-relevant functions run in different environments (with their respective stacks/heaps and their respective memory sections). Switching between safety-relevant and non-safety-relevant functions serves not only to start (or disable) the memory protection. Alive signals are also emitted at the same positions, allowing the monitoring module to observe this control unit independently and to shut it down in the event of an error.
The method is characterized by its simplicity and wide range of applicability. It only needs hardware-supported memory protection and an independently operating monitoring module. No requirements are placed on the standard software used, which can therefore vary greatly. When the environment changes, only a few key positions in the functions close to the operating system need to be modified.
The method of the present invention is particularly suitable for computers in the safety-critical field (e.g. embedded or as a host).