DE102014224186B4 - Procedure for reloading an application onto a document - Google Patents

Abstract

Method for reloading an application (128) into a memory (112) of a document (102), the memory (112) containing unoccupied memory areas (212, 214...) and memory areas (204, 206,...) occupied with relocatable program code. ) comprises, wherein the reloading of the application (128) comprises:• Determining the necessary length (220) of an unoccupied contiguous memory area in order to store the application (128) in the memory (112),• Determining whether the memory (112) has a contiguous, unoccupied memory area whose length corresponds at least to the previously determined length (220),• If the memory (112) does not have a contiguous, unoccupied memory area of the previously determined length (220), defragmenting the memory (112), the defragmenting involving rearranging of the relocatable program code stored in the occupied memory areas, so that several of the unoccupied memory areas form a contiguous unoccupied memory area, which has at least the previously determined length (220),• reloading the application (128) into the unoccupied memory area, the defragmenting reorganizing the relocatable program code stored in the occupied memory areas (204, 206,...) by physically moving the relocatable includes program codes and/orwherein the logical order of the memory areas of the memory (112) is determined by an allocation table, the defragmenting comprising rearranging part of the occupied memory areas (204, 206,...) by manipulating the allocation table, the defragmenting further comprising defining a threshold value for the length of an occupied memory area (204, 206,...), wherein the shifting of relocatable program codes stored in occupied memory areas (204, 206,...) with a length that is greater than the threshold value through manipulation the assignment table is done and the shifting of occupied Speic stored relocatable program codes with a length that is smaller than the threshold value by physically shifting the relocatable program code of the occupied memory areas (204, 206,...).

Description

The invention relates to a method for reloading an application into a memory of a document, as well as a document and a system comprising a reloading machine for reloading an application onto a document and a document.

A large number of documents, in particular security or identification documents, are known in the prior art, which are designed as chip cards with arithmetic logic. In this case, an application that can be executed by a processor of the chip card is usually stored in a non-volatile memory area of the chip card.

In the following, an occupied memory area is understood to mean the set of all memory addresses that are assigned to an individual application.

Applications for smart cards are usually structured in such a way that they have to be loaded into the memory of a smart card as a coherent program module. We also assume that the operating system has mechanisms that allow program modules to be stored and executed at any memory address in the application memory. This means that, in particular, entry points that may be used for the program modules are managed in a suitable manner.

One of the ways in which program modules can be moved is that within the program code of the application, only relative jump addresses are used instead of absolute physical memory addresses within the chip card memory, so that even if the program code is moved within the chip card memory, a jump instruction effectively results in the same jump destinations within the program code . The mobility of a program code for chip cards achieved in this way is also referred to as relocatability.

The requirement for applications to be relocatable while retaining the relative jump addresses within the application for chip cards means that an application must always be stored as a logically connected block within a chip card memory, otherwise the relative jump addresses within the program code will lose their validity.

the DE 600 19 364 T2 shows a method for memory defragmentation on chip cards in order to provide a contiguous memory space for an application.

The present invention is now based on the object of creating an improved method for reloading an application onto a document.

This object is achieved in each case with the features of the independent patent claims. Embodiments of the invention are indicated with the dependent patent claims. Unless expressly stated to the contrary, embodiments of the invention can be freely combined with one another.

A “document” is understood here to mean in particular a portable electronic device which has at least one data memory for storing at least one attribute and a communication interface for reading out the attribute. The document preferably has a secure memory area for storing the at least one attribute in order to prevent the attribute stored in the memory area from being changed in an unauthorized manner or read out without the authorization required for this.

In particular, the document can be a value or security document. According to the invention, a document is understood to mean paper-based and/or plastic-based documents, such as electronic ID documents, in particular passports, identity cards, visas and driving licenses, vehicle registration documents, vehicle registration documents, company ID cards, health cards or other ID documents, as well as chip card payment methods, in particular banknotes, bank cards and credit cards , bills of lading or other proof of authorization, in which a data memory for storing the at least one attribute is integrated.

In one aspect, the invention relates to a method for reloading an application into a memory of a document. The memory of the document includes unoccupied memory areas and memory areas that are occupied with relocatable program code. Reloading the application then firstly includes determining the necessary length of an unoccupied, contiguous memory area in order to store the application in the memory of the document. It is then determined whether the memory of the document has a contiguous, unoccupied memory area whose length corresponds at least to the previously determined length. If this is not the case, ie no contiguous, unoccupied memory area are found with at least the previously determined length, the memory of the document is defragmented in a subsequent step. In this case, the defragmentation includes rearranging the relocatable program code stored in the occupied memory areas, so that several of the unoccupied memory areas form a contiguous, unoccupied memory area that has at least the previously determined length. The application is then reloaded into the unoccupied memory area. Defragmenting includes rearranging the relocatable program code stored in the occupied memory areas by physically moving the relocatable program code and/or the logical order of the memory areas of the document memory is defined by an allocation table and defragmenting the memory area of the document includes rearranging the occupied memory areas by manipulating the mapping table. Furthermore, a threshold value for the length of an occupied memory area is defined, with relocatable program codes stored in occupied memory areas being moved with a length that is greater than the threshold value by manipulating the assignment table, and with relocatable program codes stored in occupied memory areas being moved with a Length less than or equal to the threshold is done by physically moving the relocatable program code.

In addition, before starting the defragmentation process, it can be checked whether the total of all free memory areas together would be sufficient to accommodate the application. A defragmentation process is only triggered if it has previously been determined that the total of all free memory areas is sufficient to accommodate the application, since otherwise even defragmentation would not result in an application being able to be reloaded.

It should be noted at this point that a contiguous memory area is to be understood not only as a physically contiguous memory area but also as a logically contiguous memory area with consecutive memory addresses. In this case, the physical addresses of a logically connected memory can also not be connected, for example as a result of memory scrambling which is usual in chip cards.

A shift can be correspondingly implemented logically or physically.

Embodiments of the invention could have the advantage that the defragmentation process makes it possible to reload an application into the memory of a document even if this initially does not have a sufficiently large, contiguous, unoccupied memory area to store the application. As a result of the defragmentation process, the use of a memory in a document, which is usually very limited anyway, is possible in an improved manner. This means that applications can be repeatedly removed from the document over a longer period of time and new applications can be reloaded in the memory of the document, with the effectively usable memory of the document being prevented from shrinking due to fragmentation of the memory.

In the event of a physical move, the relocatable program code is copied from its original memory area to a new, unoccupied memory area and its original memory area is deleted. The program code stored in an occupied memory area can also be moved to an adjacent area that is initially not large enough to accommodate the entire data block. In this case, during the relocation, a first part of the program code would be relocated from its original memory address to a new memory address. If this is repeated for the following further parts of the program code, it is possible at some point that a part of the program code is copied into a memory area in which a part of the program code to be moved was originally stored. This gradually overwrites the original program code. However, this harbors the risk that in the event of a power failure during the move process, a segmented and no longer functional program code will be created.

If the assignment table is manipulated, a memory management unit (Memory Management Unit MMU) can be provided in the document, which implements the addressing of the memory by the processor using the assignment table.

Both the previously described defragmentation by physically moving memory areas and the defragmentation by manipulating an assignment table can be advantageous under certain circumstances. Thus, a memory can be defragmented very quickly by simply logically rearranging the memory areas of the memory by manipulating the assignment table. For example, an additional jump address can be inserted in the assignment tables, so that when a memory address by the chip card processor the chip card processor is referred by the MMU to the memory position where the corresponding relocatable program code is stored after defragmentation. However, repeated defragmentation can result in chaining of jump instructions as a result of manipulation of the assignment table, so that the access time that a processor of a document needs to address the relocatable program code in the memory increases.

On the other hand, defragmenting by physically moving avoids this problem, since no additional jump commands are created in an allocation table, but the program code is actually moved in the physical memory. However, if the relocatable program code to be moved involves a large number and/or very large memory areas, a physical move involves considerable effort. Furthermore, the copying and subsequent deletion of program codes is error-prone, since errors could also be inserted into the program code during copying or, in the case of non-atomic shifting processes, program blocks or parts could be deleted or duplicated.

It is therefore planned to use one of the two defragmentation methods mentioned above, depending on the situation. The decision as to whether an occupied memory area should be defragmented by manipulating the allocation table or by physically moving it depends on the said threshold value. Depending on the application, the best method for defragmenting the memory can be selected.

Other strategies are also possible, according to which it can be determined for the shifting of an individual block whether the rearrangement of the block should take place logically or physically. The decision as to whether a block should be moved physically or logically can be subject to any heuristic that can be designed.

According to a further embodiment of the invention, the defragmentation initially comprises determining a first position of a first, unoccupied memory area in terms of memory addressing, i.e. the block with the smallest memory address. A second position of a second, occupied memory area is then determined, with the second occupied memory area in the memory directly following the first free memory area with regard to memory addressing. The relocatable program code stored in the second occupied memory area is then moved to the previously determined first position. The shifting can be both logical and physical. The steps of determining an unoccupied memory area and the occupied memory area following the unoccupied memory area and moving the relocatable program code stored in the occupied memory area determined in this way can be repeated until there is no occupied memory area following the first unoccupied memory area determined. Alternatively, in the course of an iteration of the steps described, it can be checked continuously whether a sufficiently large, contiguous, free memory area has arisen in the meantime so that the application can be reloaded. In this case, provision can also be made for the defragmentation to be terminated as soon as the available, contiguous, free memory is large enough to accommodate the application to be reloaded.

Embodiments of the invention could have the advantage that a memory of a document can be defragmented in a simple manner by the algorithm described. The corresponding logic for carrying out the defragmentation process in the document can thus be implemented using simple means.

According to a further embodiment, the defragmentation initially includes determining the respective positions and lengths of the occupied memory areas and determining the respective positions and lengths of the unoccupied memory areas. Then, starting from the lowest memory address, the first unoccupied memory area is determined and a check is made as to whether one of the following blocks has the same length. If this is the case, this block is moved to the unallocated memory area. Starting from this changed memory, the method is iterated for the next free memory area following the shifted block. The iteration takes place until an unoccupied memory area is reached, which is not followed by an occupied memory area. Alternatively, the iteration can also be aborted if, after an occupied memory area has been moved, an unoccupied, contiguous memory area has arisen that is large enough to accommodate the application to be reloaded. According to a further embodiment, occupied memory areas could be moved to the positions of unoccupied memory areas of the same or greater length.

Embodiments of the invention could have the advantage that the number of shifting operations by the defragmentation method described compared to a method in which the occupied memory areas are successively added to each other to be pushed can be reduced. For example, it can happen that after a first occupied memory area there is an unoccupied memory area of a defined length, with the unoccupied memory area being followed by a chain of occupied memory areas. If, for example, the length of the last occupied memory area in the chain corresponds to the length of the unoccupied memory area after the first occupied memory area, defragmentation can be implemented according to the method described above by simply moving the last occupied memory area to the position of the unoccupied memory area will. All other occupied memory areas do not have to be moved. In this way, it can be avoided that every single occupied memory area in the chain is moved during a defragmentation process.

According to a further embodiment of the invention, the defragmentation also includes the creation of a log file, the log file reflecting the shifts in memory areas that took place during a defragmentation process.

This can have the advantage that if the defragmentation process is aborted unexpectedly, either the defragmentation process can be continued at a later point in time at the same point, or the original state before the start of the defragmentation process can be reconstructed using the log file.

With atomic execution of the individual shifting steps related only to a memory area, it can also be avoided that a document becomes unusable due to an incomplete defragmentation process, which could damage the applications stored in the document.

The previously described embodiments of a memory rearrangement can be further modified in such a way that the defragmentation process is aborted, for example as soon as an unoccupied memory area of the required size is free.

According to a further embodiment of the invention, the memory of the document is divided into at least two memory areas, with a first memory area containing relocatable program code with relative jump addresses and a second memory area containing hierarchically stored useful data with absolute jump addresses. The defragmentation is then only carried out on the first storage area.

Embodiments of the invention could have the advantage that payload data with absolute jump addresses cannot be easily defragmented by shifting. Due to the absolute jump addresses of the user data, all cross-references of the user data would be incorrect in the event of a shift due to a defragmentation process, and the user data itself would therefore be unusable. This problem could be circumvented by restricting the defragmentation process to the memory area in which relocatable program code is stored.

According to a further embodiment of the invention, the subsequently loaded application is a security-relevant application. At least one cryptographic key is then stored in the memory of the document, with the security-relevant application being designed to carry out an authentication process using the cryptographic key. For example, the cryptographic key can be used to authenticate the document to a reader as part of a challenge-response process.

In a further aspect, the invention relates to a document with storage means, processor means and a communication interface, in particular a contactless communication interface. In this case, the document is designed to receive an application for reloading into the storage means of the document via the communication interface. In this case, the processor means and the storage means of the document are designed to carry out the method which was previously described. The communication interface can be either an interface with contacts or a contactless interface. For example, the interface can be designed according to ISO 14443. In particular, the communication interface can be an NFC interface. Energy for operating the document can also be coupled into the document via the communication interface using an external energy source, for example a terminal.

The use of a contactless interface can have the advantage that a contactless interface is significantly less susceptible to wear and tear than an interface with contacts. Especially when using an interface with contacts in combination with a mechanical receptacle of a terminal, the contacts would quickly wear out due to the friction of the interface with contacts within the receptacle, making it impossible to use the document. By using a kon tactless interface could therefore improve the lifetime of a document.

In a further aspect, the invention relates to a system comprising a reloading machine for reloading an application onto a document and such a document. The reloading machine includes a communication interface and is designed to exchange data with the document via the communication interface. The reloading machine is also designed to reload the application onto the document via the communication interface.

According to one embodiment of the invention, the automatic reloader also includes a mechanical holder for the document, the mechanical holder being designed to protect the document from being removed from the automatic reloader during a reloading process until the application on the document is reloaded, possibly including defragmentation is complete.

In the case of chip cards in particular, the power supply for the processor means of the chip card usually takes place via an RFID interface by the reloading machine. If the document were to be removed from the reloading machine too early during a defragmentation or reloading process, the power supply to the document would be interrupted and any defragmentation process that might have been initiated could not be completed. This could potentially make the document unusable. Embodiments of the invention could have the advantage that this risk could be effectively avoided by the document being completely accommodated, for example, in a slot or some other type of mechanical receptacle of the automatic reloading device and thus being protected against access by a user. After the end of the reloading process, the document could then be ejected from the mechanical receptacle of the reloading machine.

When using contactless communication between the reloading machine and the document, the wear and tear on the document can be reduced to a minimum despite the use of a mechanical receptacle. The contact surface between the document and the receptacle of the automatic reloader is irrelevant for the communication between the document and the automatic reloader, as well as for the coupling of energy for operating the document. Thus, friction effects on the surface of the document body do not impair the functionality of the document. At the same time, the integrity of the data stored on the document can be maintained through the combination of mechanical recording with contactless communication, since premature removal of the document from the automatic reloading machine can be ruled out. This ensures uninterrupted communication and power supply during the reloading process.

According to a further embodiment, the reloading machine accesses the document only after a cryptographic access condition has been successfully checked, which can be implemented, for example, by transmitting a certificate, carrying out a challenge-response method or some other authentication process. In this way, unauthorized uploading of possibly defective program code to the document could be avoided.

According to one embodiment, the automatic reloading device comprises a reloading token, the reloading token containing the application to be reloaded onto the document, the reloading token being designed as an exchangeable physical data medium. For example, the data carrier can be a chip card.

Embodiments could have the advantage that one and the same automatic reloader could be used for reloading a variety of different applications and software configurations. In order to be able to reload another application onto a document, only the reload token of the reload machine would have to be exchanged.

According to one embodiment, the automatic reloader includes an authentication token, the authentication token containing data for authenticating a user of the automatic reloader, the authentication token being designed as an exchangeable physical data carrier. Here, too, the data carrier can be a chip card, for example.

Embodiments could have the advantage that the reloading machine can be used by a large number of different users by exchanging the authentication token. However, it is also ensured that only the user whose authentication token is currently connected to the reloading machine can use the reloading machine. It can be provided that the reloading machine independently checks whether a user whose authentication token has just been inserted into the reloading machine is actually authorized to use the reloading machine.

According to one embodiment, the automatic reloader comprises an energy source, the energy source being a closed internal energy source and/or an external energy source.

Embodiments could have the advantage that when using an internal energy source, the automatic reloader can be designed as a portable device that is completely self-sufficient. Such a self-sufficiency would improve the security of the reloading machine against access by unauthorized persons, since communication only takes place between the document and the reloading machine. Furthermore, a combination of an internal energy source, such as a battery, and an external energy source, such as a mains connection, can improve the reloading machine's reliability against failure, since the probability of both energy sources failing is lower than the probability of one of the energy sources failing.

• 1 ein Blockdiagramm eines erfindungsgemäßen Systems aus Dokument und Nachladeautomat,
• 2 eine schematische Darstellung eines ersten Defragmentierungsverfahrens,
• 3 schematische Darstellung eines zweiten Defragmentierungsverfahrens,

Preferred embodiments of the invention are explained in more detail below with reference to the drawings. Show it:

• 1 a block diagram of a system according to the invention made up of document and reloading machine,
• 2 a schematic representation of a first defragmentation method,
• 3 schematic representation of a second defragmentation process,

Elements that are similar to one another are identified below with the same reference symbols.

the 1 shows a block diagram of a system 100 according to the invention for reloading an application onto a document 102 by a reloading machine 104. The document 102 includes a communication interface 106. The document 102 also includes processor means 110 and storage means. The storage means 112 can be a non-volatile flash-based memory, for example. In the embodiment shown here, the storage means 112 contain a logical data structure (LDS). In addition to a chip card operating system 120 and user data 108, the logical data structure also contains the applications 114 of the document 102.

The reloading machine 104 also includes a communication interface 116 and processor means 118. The processor means 118 can be one or more single-core or multi-core processors. Furthermore, the automatic reloading machine 104 shown here comprises a control module 138, as well as an authentication token 130, a reloading token 132, a second communication interface 134 and an energy source 136.

The energy source 136 can be, for example, a battery or a power-generating device such as a fuel cell or a solar cell. The use of such a closed energy source 134 could have the advantage that the automatic reloader 104 can be made completely self-sufficient on the one hand and portable on the other. However, the energy source 134 can also be a power pack or some other type of connection to an external energy supply. Furthermore, a combination of external and internal energy supply is also possible, which would improve the reliability of the automatic reloading device 104 .

The second communication interface 134 of the automatic reloading machine 104 can be designed for the administration of the automatic reloading machine 104, for example. For example, the communication interface 134 can be an Ethernet connection. The authentication token 130 and also the reloading token 132 can be in the form of both a software token and a hardware token, for example in the form of a chip card for insertion into the reloading machine 104 . For example, the reload token 132 can be provided by a manufacturer of the document 102 on which an application 128 is to be reloaded and then contains the application 128 to be reloaded manufacturer-specific reloading software 128 would have to be transferred to the reloading machine 104 via the communication interface 134 . The reloading token 132 can also be designed as a storage area within the automatic reloading device 104 .

The communication interface 116, via which communication between the automatic reloading device 104 and the document 102 is to be ensured, can additionally have a mechanical receptacle for partially or completely receiving the document 102 in the automatic reloading device 104. The receptacle can be such that it protects the document 102 from being removed from the automatic reloading device 104 by a document user, at least for the duration of the reloading process. This ensures uninterrupted communication and power supply during the reloading process.

The reloading machine 104 is designed to communicate with the document 102 via the communication interface 116 and to exchange data. For this purpose, the communication interface 116 establish a data connection 122 with the communication interface 106 of the document 102 . The data connection 122 between the document 102 and the automatic reloading device 104 can be configured via the communication interfaces 116 and 106 in accordance with ISO 14443, for example. In order to set up such a data connection 122, provision can be made for an identification and authentication process to be carried out between the document 102 and the reloading machine 104 first. For this purpose, a corresponding program module 124 can be provided in the processor means 118 of the automatic reloading device 104 . For example, in the course of the authentication method, a mutual exchange of security certificates can be provided, which are stored in the storage means 112 of the document 102 or in a corresponding authentication token 130 of the reloading machine 104. However, the authentication methods that are possible within the meaning of the present invention are not limited to this.

As soon as a secure data connection 122 has been established between the document 102 and the reloading machine 104, the processor means 118 of the reloading machine 104 can call up another program module 126 in order to reload an application 128, which is stored in the reloading token 132 of the reloading machine 104, onto the document 102 . In this case, it can be provided that information is first transmitted to the document 102, in which the document 102 is informed about the memory space required for the installation of the application 128. The document 102 or the processor means 110 can then check whether a correspondingly large, contiguous, unoccupied memory area exists in the memory means 112, which is suitable for accommodating the application 128 to be installed.

If the processor means 110 determine that a sufficiently large, contiguous, unoccupied memory area is already available in the storage means 112, the document 102 can signal to the automatic reloading device 104 that it is ready for the application 128 to be reloaded. Automatic reloader 104 then transmits application 128 to document 102 via data connection 122, and document 102 stores application 128 in storage means 112.

However, if the processor 110 determines after being notified by the automatic reloader 104 that the storage 112 cannot provide a sufficiently large, unoccupied, contiguous storage area for storing the application 128, the processor 110 can initiate a defragmentation process. If a sufficiently large, contiguous, unoccupied memory area can be created in the storage means 112 in the course of this defragmentation process, the document 102 signals to the reloading process that it is ready to receive the application 128 . Furthermore, if it is determined that the memory means 112 cannot provide a sufficiently large unoccupied contiguous memory area, it can be provided that the processor means 110 also check whether there is sufficient free memory overall on the document 102 to install the application. If it is determined that the contiguous free memory would not be sufficient to store the application 128 even after defragmentation, the document 102 can inform the automatic reloading device 104 that a reloading process is currently not possible and end the method at this point.

Provision can be made for a continuous check to be carried out during a defragmentation process as to whether a sufficiently large memory area has been created in the memory means 112 in the meantime to accommodate the application 128 . For example, it can be provided that the defragmentation process does not run through completely, but is terminated at the point in time at which the storage means 112 can provide a sufficiently large, unoccupied, contiguous storage area. However, the defragmentation process can only be aborted when an atomic sub-step has been completed, since otherwise the memory content could become inconsistent.

Two possible methods for defragmenting the storage means 112 of the document 102 are described below.

the 2 Figure 12 is a schematic representation of a first possible defragmentation method. It is assumed here that the storage means 112 of a document 112 have a size or a storage volume which is indicated by the arrow 202 . As in 2 a) shown, the memory comprises four occupied memory areas 204, 206, 208 and 210. Between these occupied memory areas there are three unoccupied memory areas 212, 214 and 216. After the memory block 210 there follows another free memory area 222, which extends to the end of the entire memory . Furthermore, block 218 indicates the required memory area of size 220, which is required in order to store an application 218 to be reloaded in memory means 112 of document 102. As in 2 a) shown, none of the unoccupied memory areas 212, 214 is in the initial state of memory 112 or 216 large enough to hold application 218. A defragmentation of the memory 112 is therefore initiated in the course of the method according to the invention.

It should be noted here that the shifting of blocks 204, 206, 208 and 210 can be both physical and logical, independently of each other.

In a first step of the defragmentation method presented here, a first unoccupied memory area is determined, in this case memory area 212. Then the first occupied memory area 206 following the unoccupied memory area 212 is determined. This is then moved to the start position of the unoccupied memory area 212. The result of this step is in 2 B shown. Since, even after this first defragmentation step, there is still not a sufficiently large unoccupied memory area to store the application 218, the occupied memory area 208 is moved to the unoccupied memory area following the occupied memory area 206 in a subsequent defragmentation step. The result of this shift is in 2c) shown.

Since also in the in 2 c) If, in the situation shown, the unoccupied memory area is still not large enough to accommodate the application 218, the occupied memory area 210 is also moved to the remaining, unoccupied memory area, so that all four occupied memory areas 204, 206, 208 and 210 form a contiguous chain of occupied create storage areas. this is in 2d) shown. Only through this last defragmentation step, the result of which in 2d) shown, it becomes possible to save the application 218 in the now created free memory area.

the 3 is a schematic representation of another possible defragmentation method within the meaning of the present invention. Analogous to the in 2 In the initial situation shown, four occupied memory areas 302, 304, 306 and 308 are also present in a memory of a defined size, indicated by the arrow 302. As also in 3 a) As shown, none of the unallocated memory areas 312, 314 or 316 is large enough to accommodate the application 318 to be installed with the memory requirement 320.

In the method presented here, it is now provided that first the size of the respective occupied memory areas 304, 306, 308 and 310 and the size of the unoccupied memory areas 312, 314 and 316 are determined. Subsequently, occupied memory areas are moved to the position of an unoccupied memory area of the same or larger size. This is exemplary in 3 b) shown. When determining the sizes of the occupied and unoccupied memory areas, it was previously established that the occupied memory area 308 is just as large as the unoccupied memory area 312. The occupied memory area 308 was therefore moved to the position of the unoccupied memory area 312. A sufficiently large unoccupied memory area to accommodate the application 318 was already created by this simple shifting of the memory area 308 .

If you were starting from the in 3 a) The situation shown is analogous to that in 2 If the method described had been carried out, the memory area 306 would have been shifted first, and this shift would not have resulted in a sufficiently large memory area. It would therefore have been necessary to move both the occupied memory area 306 and the occupied memory area 308. However, this could be done by the in 3 shown defragmentation process can be avoided.

Provision can also be made for a defragmentation process to be continued even after the application 318 has been saved, so that the occupied memory areas of the memory 112 of the document 102 result in a contiguous memory area. For this purpose, for example, the occupied memory area 310 can be pushed up to the memory area which is occupied by the application 318 . This state is in 3c) shown.

Reference List

100

system

102

document

104

automatic reloader

106

communication interface

108

payload

110

processor means

112

storage means

114

applications

116

communication interface

118

processor means

120

chip card operating system

122

Data Connection

124

program module

126

program module

128

application

130

authentication token

132

reload token

134

communication interface

136

energy source

138

control module

202

memory size

204

occupied storage area

206

occupied storage area

208

occupied storage area

210

occupied storage area

212

unused storage area

214

unused storage area

216

unused storage area

218

application

220

memory requirements of the application

222

unused storage area

302

memory size

304

occupied storage area

306

occupied storage area

308

occupied storage area

310

occupied storage area

312

unused storage area

314

unused storage area

316

unused storage area

318

application

320

memory requirements of the application

Claims (13)

Method for reloading an application (128) into a memory (112) of a document (102), the memory (112) containing unoccupied memory areas (212, 214...) and memory areas (204, 206,...) occupied with relocatable program code. ), wherein the reloading of the application (128) comprises: • determining the necessary length (220) of an unoccupied contiguous memory area in order to store the application (128) in the memory (112), • Determining whether the memory (112) has a contiguous, unoccupied memory area whose length corresponds at least to the previously determined length (220), • If the memory (112) does not have a contiguous, unoccupied memory area of the previously determined length (220), defragmenting the memory (112), the defragmenting comprising rearranging the relocatable program code stored in the occupied memory areas, so that several of the unoccupied memory areas have a contiguous, unoccupied Form a memory area that has at least the previously determined length (220), • Reloading the application (128) into the unoccupied memory area, with the defragmenting including rearranging the relocatable program code stored in the occupied memory areas (204, 206,...) by physically moving the relocatable program code and/or the logical order of the memory areas of the memory (112) being defined by an allocation table, the defragmenting comprising rearranging part of the occupied memory areas (204, 206,...) by manipulating the allocation table wherein the defragmentation further comprises defining a threshold value for the length of an occupied memory area (204, 206,...), wherein the shifting of relocatable program codes stored in occupied memory areas (204, 206,...) with a length that is greater is carried out as the threshold value by manipulating the assignment table and the shifting of relocatable program codes stored in occupied memory areas (204, 206,...) with a length that is smaller than the threshold value is carried out by physically shifting the relocatable program code of the occupied memory areas ( 204, 206,...). procedure after claim 1 , wherein the defragmentation comprises: • determining a first position of a first, unoccupied memory area (212), • determining a second position of a second, occupied memory area (206), wherein the second occupied memory area (206) in the memory corresponds to the first free memory area ( 212) follows logically directly, • shifting the relocatable program code stored in the second occupied memory area (206) to the first position. Procedure according to one of Claims 1 and 2 , whereby the defragmentation includes: • Determining the respective positions and lengths of the occupied memory areas (204, 206,...), • Determining the respective positions and lengths of the unoccupied memory areas (212,214,...), • Shifting the occupied memory areas into stored relocatable program codes to the positions of unoccupied memory areas of the same or greater length. A method according to any one of the preceding claims, wherein the defragmentation further comprises generating a log file, the log file reflecting the movements of storage areas that occurred during a defragmentation operation. Method according to one of the preceding claims, wherein the memory (112) is divided into at least two memory areas, wherein a first memory area contains the relocatable program code with relative jump addresses and wherein a second memory area contains hierarchically stored user data (108) with absolute jump addresses, the defragmentation runs exclusively on the first memory area. Method according to one of the preceding claims, wherein the application (128) is a security-related application, wherein at least one cryptographic key is stored in the memory (112), wherein the security-related application is designed using the cryptographic key for an authentication process to perform. Document (102) with storage means (112), processor means (110) and a communication interface (106), in particular a contactless communication interface, wherein the document (102) is designed to use the communication interface (106) to load an application (128) into receiving the storage means (112), the processor means (110) and the storage means (112) being adapted to carry out the method according to any one of the preceding claims. System (100) from a reloading machine (104) for reloading an application (128) on a document (102) and a document (102). claim 7 , wherein the reloading machine (104) comprises a communication interface (116), in particular a contactless communication interface, and is designed to reload the application (128) onto the document (102) via the communication interface (116). system (100) after claim 8 , wherein the automatic reloader (104) has a mechanical receptacle for the document (102), wherein the mechanical receptacle is designed to protect the document (102) from being removed from the automatic reloader (104) during a reloading process until the Reloading the application (128) onto the document (102) is complete. System (100) according to one of Claims 8 or 9 , wherein the reloading machine (104) accesses the document (102) only after successful verification of a cryptographic access condition. System (100) according to one of Claims 8 - 10 , wherein the automatic reloading device (104) comprises a reloading token (132), the reloading token (132) containing the application (128) to be reloaded on the document (102), the reloading token (132) being designed as an exchangeable physical data medium. System (100) according to one of Claims 8 - 11 , wherein the reloading machine (104) comprises an authentication token (130), the authentication token (130) containing data for authentication of a user of the reloading machine (104), the authentication token (130) being designed as an exchangeable physical data carrier. System (100) according to one of Claims 8 - 12 , wherein the automatic reloader (104) comprises an energy source (136), the energy source (136) being a closed internal energy source and/or an external energy source.

Images