GB2314180A - Protecting memory by requiring all accessing programs to be modified - Google Patents

Info

Publication number
GB2314180A
Authority
GB
United Kingdom
Prior art keywords
data
control apparatus
program section
overwriting
erasure
Legal status
Granted
Application number
GB9711251A
Other versions
GB9711251D0 (en)
GB2314180B (en)
Inventor
Andreas Werner
Carsten Franz
Udo Schulz
Walter Nagl
Current Assignee
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Legal events
Application filed by Robert Bosch GmbH
Publication of GB9711251D0
Publication of GB2314180A
Application granted
Publication of GB2314180B
Status: Expired - Fee Related

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572Secure firmware programming, e.g. of basic input output system [BIOS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C16/00Erasable programmable read-only memories
    • G11C16/02Erasable programmable read-only memories electrically programmable
    • G11C16/06Auxiliary circuits, e.g. for writing into memory
    • G11C16/10Programming or data input circuits
    • G11C16/102External programming circuits, e.g. EPROM programmers; In-circuit programming or reprogramming; EPROM emulators
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/03Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for supply of electrical power to vehicle subsystems or for
    • B60R16/0315Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for supply of electrical power to vehicle subsystems or for using multiplexing techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2143Clearing memory, e.g. to prevent the data from being stolen

Description

2314180 METHOD OF OPERATING CONTROL APPARATUS WITH PROGRAMMABLE STORAGE MEANS

The present invention relates to a method of operating control apparatus with storage means programmable by programming means and to control apparatus with such storage means.
A method of that kind is disclosed in, for example, DE 43 32 499 A1.
The control device described in this specification is used in a motor vehicle and its construction and embedding in a larger system are described more closely in the following with reference to Fig. 3 of the accompanying drawings.
The motor vehicle control device is denoted by 10 in Fig. 3 and comprises a microcomputer 11 and input-output switching circuits 12. The microcomputer 11 comprises a central unit 13, an electrically erasable and programmable storage device 14 in the form of a flash-EPROM, a read write storage device 15, a read-only storage device 16 and a serial interface 21.
The control device 10 receives input signals from sensors, such as a throttle flap potentiometer 17, a rotational speed sensor 23 and further sensors 18, by way of the circuits 12. The further sensors, which are not described in more detail, are an engine temperature sensor, an inducted air temperature sensor, an air mass meter, an idling switch and so forth, depending on the particular type of the control device 10. The control device 10 delivers output signals to actuators 19 for the control of, for example, injection valves, ignition coils and the like by way of the circuits 12.

The exact construction of the control device 10 can be derived from the publication "Bosch Technische Unterrichtung, kombiniertes Zünd- und Benzineinspritzsystem Motronic" of Robert Bosch GmbH, 1983, and therefore requires no further explanation. The storage devices 14, 15 and 16 are associated with the central unit 13 and serve for the storage of programs and data for the unit.

The use of electrically erasable and programmable non-volatile storage devices such as the device 14 is advantageous in a motor vehicle control system because they can be reprogrammed at any time, which is of not inappreciable significance in the case of, for example, subsequently discovered faults or to meet individual customer wishes.

The use of flash-EPROMs as electrically erasable and programmable non-volatile storage devices is of increasing importance because these combine the advantages of a "normal" EPROM (high storage cell density) and an EEPROM (electrical and thereby simple and convenient erasure of the storage contents).

For initial programming of the flash-EPROMs (preferably in dependence on the motor vehicle type during the vehicle manufacturing stage) or for later reprogramming of the same (during service for fault elimination or to meet individual customer wishes) an external programming device 20, for example in the form of a personal computer, is connected to the control device 10.
The connection takes place by way of, for example, a serial interface line 22 and the serial interface 21.
The programming device 20 can cause the control device 10 to erase or overwrite data in the flash-EPROM as may be required for the execution of data processing program sections, in which case the data to be newly stored can be made available.
The control device 10 cannot normally by itself, thus without external impetus, cause the execution of such program sections, i.e. no entry into these program sections is provided in the programs executed in the control device during vehicle travel operation. The reason for this measure is, inter alia, to prevent unintentional or unauthorised erasure and/or overwriting of the content of the flash-EPROM storage device.
A further measure for protection against unintentional change in the storage content and against manipulations by unauthorised persons is provided by way of an authorisation check (by checking of an entered password or the like), which precedes the actual erasure and/or overwriting.
An unintentional or unauthorised erasure and/or overwriting of the flash-EPROM content is largely prevented by these protective precautions. However, in the case of an unfortunate interlinking of particular circumstances it is possible that these protective measures are individually ineffective. The cause of this is, in particular, EM radiation into the control device. An additional cause is targeted manipulation of the address pointers or of the address bus by unauthorised third persons.

The consequence is that - although this is not envisaged - an entry into a data processing program section, whereby data stored in the flash-EPROM of the control device can be erased and/or written over, can occur under unfavourable conditions at least in theory without the initiation intended by the programming device.

Insofar as an entry might take place at the beginning of such a routine, threatening damage can be averted by interrogation of a password or the like and, if appropriate, by abandoning the routine. However, if the entry takes place at a point further on in the program, this protective mechanism is ineffective, so that an erasure and/or overwriting, which is not as intended, of data stored in the programmable storage device cannot be excluded with any certainty.
As a remedy against this, programming voltage inputs are provided in part at the flash-EPROMs, at which inputs a predetermined programming voltage is to be applied when an erasure from or writing into the storage device is to be performed. However, a protective mechanism of that kind requires an additional outlay on hardware. Due to the fact that the predetermined programming voltage must be maintained relatively accurately, this additional outlay can assume not inappreciable proportions, which in turn can have a negative effect on the reliability or susceptibility to faults of the protective mechanism itself.
There thus remains a need for a method of operating a control apparatus with programmable storage means in such a manner that an erasure and/or overwriting of data stored in the storage means may be able to be reliably excluded in simple manner.
According to a first aspect of the present invention there is provided a method of operating control apparatus with storage means programmable by a programming device, wherein the erasing and the overwriting of the content of the storage means are performed each time with the execution of a data processing program section and with the use of data, characterised in that at least either the data processing program portion or the data are made available in such a manner that they require a modification before their usability for causing an erasure or an overwriting and that this modification is performed only after it is ascertained that an entry into the data processing program section has taken place or will take place or can take place as intended.
An entry into the program section for erasure and/or overwriting of the contents of the programmable storage means can thus lead to an erasure and/or overwriting only when it can or could be presumed at least with high probability by reason of the accompanying circumstances that the erasure and/or overwriting routine was, is or will not be called up unintentionally or improperly.
A checking of that kind and of the code and/or data modification required in dependence thereon can be performed in a relatively simple manner. With suitable selection of the circumstances, by means of which it is ascertained whether an entry into the program section has taken place or will take place or can take place as intended (for example, a decision on whether an external programming device or the like is connected and/or activated), the protective mechanism is highly secure and unlikely to be circumvented.
The prevention of erasure, which is not as intended, not only secures the stored data against unintentional or unauthorised change, but also contributes to the operational reliability of the control apparatus, because a step from an application program executed during ordinary operation to a program section for erasure and/or overwriting of the flash-EPROM could jeopardise safety, for example in the case of control apparatus controlling a motor vehicle engine and operating while the vehicle is travelling.
Preferably, the program section is coded in such a manner before its modification that it is, at least in part, not able to be performed or performed properly. For preference, the data are used by the program section to generate unlatching cycles serving to cancel the latching of the storage means against erasure or overwriting of contents, for which purpose specific data are issued to specific addresses of the storage means. The data can have values of such a kind before the modification that the program section is not as a result capable of generating the unlatching cycles.
Preferably, an entry, as intended, into the program section is deduced when it is ascertained that circumstances are present which let a conscious and intentional erasure or overwriting of the contents of the storage means appear probable. In particular, this deduction can be made when, for example, it is ascertained that an external programming device is connected to the control apparatus or when such a device, having been connected to the control apparatus, is activated.
The program section or the data can be subjected to such a treatment after an erasure or an overwriting of the contents of the storage means has taken place and optionally also after a switching-on or resetting of the control apparatus that they are made available again in such a manner without renewed modification on the next entry into the program section that they are not suitable for causing an erasure or an overwriting of the content of the storage means.
According to a second aspect of the present invention there is provided control apparatus comprising storage means programmable by programming means, means for erasing or overwriting at least part of the content of the storage means with the use of data and with the operation of a section of a data processing program, the data, the program section or the data and the program section being usable for the purpose of overwriting or erasure only after a modification, and means for carrying out the modification only after ascertaining that an entry into the program section in accordance with intention has taken place or will or can take place.
Examples of the method and embodiments of the control apparatus will now be more particularly described by way of example with reference to the accompanying drawings, in which:
Fig. 1 is a flow diagram illustrating the basic sequence of steps in a method exemplifying the invention; Figs. 2A to 2D are flow diagrams illustrating the steps in performance of an erasure, as intended, of a flash-EPROM in the case of a method exemplifying the invention; and Fig. 3 is a block circuit diagram of control apparatus which includes a flash-EPROM to be protected by such a method against a contents erasure and/or overwriting not as intended.
The following description relates to a method for operating control apparatus for control of, for example, the engine, the transmission, the brakes and so forth of a motor vehicle.
The control apparatus includes programmable storage devices, or more accurately electrically erasable and programmable (non-volatile) storage devices in the form of flash-EPROMs. The programming of these flash-EPROMs takes place by way of an external programming device which is connected with the control apparatus by way of, for example, a serial interface.
A system containing control apparatus of that kind is illustrated in Fig. 3 and express reference is made to the detailed description, which has already been given, of that apparatus.
The present invention is not, however, restricted to the programming of flash-EPROMs in motor vehicle control apparatus by way of an external programming device. It is applicable generally to programming of storage means in control apparatus by a programming device.
The programming, or more accurately the erasure and overwriting of the contents of the flash-EPROMs, is performed each time through execution of a data processing program section in the control apparatus and with the use of data needed for the proper execution of the program section.
The respective program sections need not be performed simply by a call-up or an entry into the sections, but can be initially present in a form in which erasure and/or overwriting of data in the flash-EPROM is not yet manageable. One of the various possibilities for achieving this is by way of a code which represents the program sections and which is at least in part enciphered in such a manner or manipulated in another manner that, without appropriate modification, it represents an incomplete and/or improperly performable program. A further possibility is by way of building commands into the code at strategically appropriate places, by which commands the execution of other commands, which are to cause the erasure and/or overwriting of data, is inhibited. These can be, for example, jump instructions which cause a departure from a data processing program section or a jumping over the critical instructions and which are to be removed or at least be made ineffective by an appropriate modification of the program code before an orderly execution of the program.
In another approach, data, upon which the erasure and/or overwriting of the content of the flash-EPROMs can be made dependent, can alternatively or additionally be set to (non-plausible) values which prevent the erasure and/or overwriting. Such data can be data and address values which, at least in the case of some flash-EPROMs, must be given by way of a bus to the flash-EPROM before the actual erasure and/or overwriting and have the form of unlatching cycles (unlock cycles).
During the unlock cycles, certain data must be written in a certain sequence to certain addresses of the flash-EPROM in order to unlock or unlatch the flash-EPROM for the purpose of erasure and/or overwriting of data. If the attempt to unlatch the flash-EPROM fails, it remains blocked against erasure and/or overwriting.
If provision is made so that an unlatching of the flash-EPROM cannot be managed automatically by the addresses and data issued in the unlock cycles, but only in quite specific circumstances and in particular in the case of erasure and/or overwriting of the flash-EPROM as intended, then a further protective mechanism is present to prevent erasure and/or overwriting which is not as intended.
In order to avoid automatic unlatching of the flash-EPROM, it can be provided that the data and/or addresses, which are to be issued to the flash-EPROM during the unlock cycles, are not integrated in the program code as usual but must be fetched by the program section from a preferably volatile store (RAM). The storage region (table of variables) from which the program section fetches such data and/or addresses is thus not automatically occupied by values which can be used to unlatch the flash-EPROM.
In a practical example of this protective mechanism, the data, which make an unlatching of the flash-EPROM possible, can be written into the table of variables only after it is established that a requirement, which has arisen in accordance with intention, for erasure or overwriting of the flash-EPROM is present or will follow or can follow and that the data in the table of variables are erased from the flash-EPROM immediately after the erasing or overwriting operation or are replaced by data excluding an unlatching of the flash-EPROM. An erasure of the data in the table of variables or an overwriting of the same by data excluding an unlatching of the flash-EPROM can also be provided after switching-on or resetting of the control apparatus in order to prevent an accidental unlatching capability of the flash-EPROM.
In the case of the described protective mechanisms, i.e. mechanisms which have an influence on the orderly execution of the program section for erasure and/or overwriting of the flash-EPROM, a jump into the corresponding program section does not automatically have the consequence of an erasure and/or overwriting of data in the flash-EPROM. Rather, erasure and/or overwriting is initially excluded. If an erasure and/or overwriting of data is to be performed as intended, this requires - as has been indicated - a modification of the program section and/or of the table of variables containing data for the unlock cycles.
This operation is illustrated in Fig. 1, according to which it is initially checked in a first step S1 whether a jump into a data processing program portion for the erasure and/or overwriting of data of a flash-EPROM has taken place, will take place or can take place as intended, i.e. at least not obviously unintentionally or improperly. The checking preferably concentrates on such criteria, the presence of which alone or in combination with other conditions not only lets the initiation of a programming of the flash-EPROM appear possible (does not exclude it), but from which it can be concluded with certainty that the programming of the flash-EPROM is actually initiated or was caused or will be caused.
If an external programming device or test device must be connected to the control apparatus for the programming of the flash-EPROM, as in the present embodiment, it can, for example, be checked in the step S1 whether an appropriate external programming device is connected, and/or whether the programming device is activated (switched on), and/or whether the programming device is disposed in a programming operating mode, and/or whether a communication as intended between the control apparatus and the programming device is taking place or has taken place.
The performance of one or more of the mentioned and similar checks enables a very reliable statement about whether an entry into the programming routine for the programming of the flash-EPROM has been or will be caused as intended.
The actual checks which are to be performed will depend on the individual conditions. Feasible in this case are, in particular (but not exclusively), interrogations of appropriate status data of the control apparatus and, optionally also, of external devices connected thereto and/or the interrogation of marks which are set on the occurrence of certain events.
If it is ascertained during the checking in step S1 that a jump as intended into the program section for the erasure and/or overwriting of the flash-EPROM is not present or cannot be present at the time and/or in foreseeable time thereafter, the program section shown in Fig. 1 will be departed from by the omission of a step S2. The omission of step S2 has the effect that a jump, which has taken place or is taking place, into a program section for erasure and/or overwriting cannot have the consequence of erasure and/or overwriting.
If, however, it was ascertained in step S1 that a jump as intended is present or can be present at the time and/or in a foreseeable time thereafter, the previously mentioned modification of the program section and/or of the data needed by this is performed in the step S2, whereby the data are converted into a state which enables a program sequence as intended, i.e. an orderly erasure and overwriting of data of the flash-EPROM.
The measures to be undertaken for the modification depend on the manner in which the program section and/or the data were manipulated and for which reason they are not usable in the form present at the respective instant.
Independently of the kind and the extent of modification to be undertaken in step S2, the modification can additionally be dependent on the entry of a password or the like.
On performance of the step S2, the program part illustrated in Fig. 1 has been completed and is departed from. The execution of the step S2 has the effect that an entry, which has taken place or will take place later, into a program section for erasure and/or overwriting of a flash-EPROM can actually have the consequence of an erasure and/or overwriting.
In order to ensure that the erasure and/or overwriting of data in a flash-EPROM is actually performed on entry as intended into the corresponding program section, it must be made certain that a modification according to the step S2 is carried out at the right time before the start of the program section concerned or before the access to the data then needed.
Alternatively or additionally, the method illustrated in Fig. 1 can be repeated automatically at short time intervals or be executed on the occurrence of certain events.
A multiple or repeated execution of the method shown in Fig. 1 has the advantage that the modification (step S2) can be reversed or be made ineffective in the case of conditions that have changed in the interim.
To increase the security of the protective mechanism, the performance of the modification (step S2) can be made dependent on this having been caused or at least permitted previously by the external programming device.
Independently thereof, the modification undertaken in step S2 must be reversed or be made ineffective, preferably immediately after completed execution of the erasure and/or overwriting of the flash-EPROM. In addition care should be taken after the switching-on, resetting or the like of the control apparatus that no relevant program section portion can be executed in orderly manner or that data in the table of variables and able to permit an orderly execution are not present.
The operations in the case of an intended erasure of the content of a flash-EPROM are now described in more detail with reference to Figs. 2A to 2D. In that case, as before, the control apparatus has the form shown in Fig. 3.
Figure 2A illustrates the activities of the programming device 20 connected to the control device 10.
The programming device activates a protocol (step S10) automatically after each switching-on or in the case of an external cause, in order to be able to communicate with the control apparatus in a fixed mode and manner.
For the purpose of the following description it will be assumed that an orderly erasure and/or overwriting of the flash-EPROM of the control apparatus requires a preceding modification of the data and addresses, which are made available or to be made available in the table of variables, for the unlock cycles.

Accordingly, the programming device, before the issue of the erase command to the control apparatus, causes writing-in of plausible address and data values, i.e. such as enable an unlatching of the flash-EPROM, into the RAM table of variables of the control apparatus, i.e. into the table of variables accommodated in the RAM (step S11).

The writing-in of these values, which can be made available by the programming device, into the RAM table is performed by the control apparatus itself, as will be described later with reference to Fig. 2B. The step S11 is therefore only the impetus of the modification step S2 in Fig. 1.

Thereafter, i.e. in a step S12 according to Fig. 2A, the erasure of the flash-EPROM of the control apparatus is caused by the programming device. The erasure is performed by the control apparatus itself, as described in more detail later with reference to Fig. 2C. The step S12 is merely the impetus, as intended, for this.
The program of the programming device is not yet concluded by the step S12. The operations following thereon are, however, of no interest in the present context.
The modification, which is initiated by the step S1, of the address and data values for the unlock cycles in the RAM table of variables by the control device is now described with reference to the Fig. 2B.
On external action by the programming device to prepare the control apparatus for erasure and/or overwriting of the flash-EPROM (step S11), it is initially checked in the control apparatus in step S20 whether a programming device is connected at all and whether a communications protocol was activated. It is ascertained in this manner whether the external causation, which may be effected only by a device provided for this purpose, thus a programming device or the like, actually derives or at least can derive from such a device or whether the presumed external causation and thereby also a causation which has already taken place, or is to follow, of the erasure of the flash-EPROM is possibly due to a disturbance or an unauthorised action.
If it is ascertained in a step S20 that no programming device is connected and/or no communications protocol is activated, the program section shown in Fig. 2B will be left without performing an overwriting of the RAM table.
Otherwise, i.e. when the programming device is connected and a communications protocol is activated, thus an erasure and/or overwriting, as intended, of the flash-EPROM is to be expected, the sequence goes to a step S21, where it is checked for the sake of safety before overwriting of the RAM table whether the address, at which the address and data values intended for the RAM table are to be written, lies within the table.
If it is ascertained in the step S21 that the writing address lies outside the RAM table, the program section shown in Fig. 2B is left without performing an overwriting of the table. Otherwise, i.e. when the address lies within the table, the sequence continues to a step S22, where the writing of the address and data values into the RAM table takes place. The program section shown in Fig. 2B is thus terminated in orderly manner and the control apparatus is prepared for an erasure and/or overwriting of the flash-EPROM.

The erasure, which is initiated by the step S12, is now described with reference to Fig. 2C.

On the external causation by the programming device for the erasure and/or overwriting of the flash-EPROM by the control apparatus (step S12), it is initially checked in the control apparatus in a step S30 whether a programming device is connected at all or whether a communications protocol was activated. In this manner, it is ascertained, similarly as for step S20 in Fig. 2B, whether the external causation, which may be effected only by a device provided for this purpose, actually derives or at least can derive from such a device or whether the presumed external causation is possibly due to a disturbance or an unauthorised action.
If it is ascertained in the step S20 that no programming device is connected and/or no communications control is activated, the program section shown in Fig. 2C is left without performing an erasure of the flash-EPROM.
Otherwise, i.e. when a programming device is connected and a communications protocol is activated, the sequence continues to a step S31, where the erasure of the flash-EPROM takes place.
After termination of the erasure process, thus in a step S32 according to Fig. 2C, the RAM table of variables is destroyed, i.e. provided with values which exclude unlatching of the flash-EPROM by the unlock cycles.
The program section shown in Fig. 2C, i.e. the erasure of the flash-EPROM, is terminated in orderly manner by the renewed securing of the control apparatus against an erasure and/or overwriting which is or are not as intended.
The destruction of the RAM table taking place in the step S32 must, as already discussed, also be performed after switching-on, resetting and other such actions of the control apparatus in order to prevent the values, which are present in the RAM table at this instant, from accidentally permitting an unlatching of the flash-EPROM. An operation of that kind is illustrated in Fig. 2D, which is self-explanatory.
The example described with reference to Figs. 2A to 2D relates to the erasure of the flash-EPROM. Corresponding operations take place in like manner for any actions which have the purpose of a change in storage content of the flash-EPROM, thus the case of overwriting, reprogramming and so forth.
In the described manner, it can be reliably ensured that an erasure and/or overwriting of the flash-EPROM is performed only when it was caused as intended.
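The sequences of Figs. 2A to 2D, as an added worked example that is not part of the patent: a constructed C model in which the unlock-cycle addresses and data live only in a RAM table, the table is filled only after the S20/S21 checks, and it is destroyed after every erase and on every reset. The unlock address/data pairs, the flash size and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the control apparatus: a latched flash-EPROM erased only
 * when the unlock cycles generated from the RAM table of variables carry the
 * right address/data pairs. The pairs are placeholders, not a real command set. */
#define UNLOCK_CYCLES 2
#define FLASH_SIZE 16
typedef struct { uint16_t addr; uint8_t data; } unlock_cycle_t;
static const unlock_cycle_t kValidUnlock[UNLOCK_CYCLES] = {{0x0555, 0xAA}, {0x02AA, 0x55}};
static unlock_cycle_t ram_table[UNLOCK_CYCLES];    /* RAM table of variables */
static uint8_t flash[FLASH_SIZE];                  /* 0xFF everywhere == erased */
static bool programmer_connected, protocol_active; /* inputs checked in S20 / S30 */

/* S32 and Fig. 2D: load values that cannot unlatch the flash. */
void destroy_ram_table(void) { memset(ram_table, 0xFF, sizeof ram_table); }
/* Switch-on / reset (Fig. 2D): the table never starts out plausible. */
void control_apparatus_reset(bool connected, bool protocol) {
    programmer_connected = connected; protocol_active = protocol;
    memset(flash, 0x42, sizeof flash); /* constructed "programmed" content */
    destroy_ram_table();
}

/* Fig. 2B: S20 programming device connected and protocol active? S21 write
 * address inside the table? S22 write the value. True only after S22. */
bool prepare_unlock_table(size_t index, unlock_cycle_t value) {
    if (!programmer_connected || !protocol_active) return false; /* S20 */
    if (index >= UNLOCK_CYCLES) return false;                    /* S21 */
    ram_table[index] = value;                                    /* S22 */
    return true;
}
/* Unlock cycles come from the RAM table only, so a destroyed table cannot unlatch. */
static bool unlock_cycles_valid(void) {
    for (size_t i = 0; i < UNLOCK_CYCLES; i++)
        if (ram_table[i].addr != kValidUnlock[i].addr ||
            ram_table[i].data != kValidUnlock[i].data) return false;
    return true;
}

/* Fig. 2C: S30 repeats the S20 check, S31 erases, S32 destroys the table. */
bool erase_flash(void) {
    if (!programmer_connected || !protocol_active) return false; /* S30 */
    bool erased = unlock_cycles_valid();
    if (erased) memset(flash, 0xFF, sizeof flash);               /* S31 */
    destroy_ram_table();                                         /* S32 */
    return erased;
}

/* Fig. 2A, programming device side: S11 supplies the values, S12 triggers erase. */
bool programming_device_erase(const unlock_cycle_t *values) {
    for (size_t i = 0; i < UNLOCK_CYCLES; i++)
        if (!prepare_unlock_table(i, values[i])) return false; /* S11 */
    return erase_flash();                                      /* S12 */
}
```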

Claims (18)

1. A method of operating control apparatus with storage means programmable by a programming device, the method comprising the steps of erasing or overwriting at least part of the content of the storage means with the use of data and with the operation of a section of a data processing program, the data, the program section or the data and the program section being usable for the purpose of overwriting or erasure only after a modification, and carrying out the modification only after ascertaining that an entry into the program section in accordance with intention has taken place or will or can take place.
2. A method as claimed in claim 1, wherein the program section is so coded prior to modification that it is incapable of being performed or of being performed properly.
3. A method as claimed in claim 1 or claim 2, wherein the data is used by the program section to generate unlatching cycles to cancel latching of the storage means against erasure or overwriting of contents thereof, for which purpose specific items of data are delivered to specific addresses of the storage means.
4. A method as claimed in claim 3, wherein the data has such values prior to modification that the program section is incapable of generating the unlatching cycles.
5. A method as claimed in any one of the preceding claims, wherein an entry in accordance with intention is ascertained in response to recognition of circumstances indicative of a probable intention to overwrite or erase contents of the storage means.
6. A method as claimed in any one of the preceding claims, wherein an entry in accordance with intention is ascertained when the programming device is connected to the control apparatus.
7. A method as claimed in any one of the preceding claims, wherein an entry in accordance with intention is ascertained when the programming device, having been connected to the control apparatus, is activated.
8. A method as claimed in any one of the preceding claims, comprising the step of so processing the program section or data after an overwriting or erasure of contents of the storage means that the program section or the data on the occasion of the next entry into the program section is or are incapable, without repeated modification, of causing an overwriting or erasure of contents of the storage means.
9. A method as claimed in any one of the preceding claims, comprising the step of so processing the program section or data after switching on or resetting of the control apparatus that the program section or the data on the occasion of the next entry into the program section is or are incapable, without repeated modification, of causing an overwriting or erasure of contents of the storage means.
10. A method as claimed in claim 1 and substantially as hereinbefore described with reference to the accompanying drawings.
11. Control apparatus comprising storage means programmable by programming means, means for erasing or overwriting at least part of the content of the storage means with the use of data and with the operation of a section of a data processing program, the data, the program section or the data and the program section being usable for the purpose of overwriting or erasure only after a modification, and means for carrying out the modification only after ascertaining that an entry into the program section in accordance with intention has taken place or will or can take place.
12. Control apparatus as claimed in claim 11, wherein the program section is so coded prior to modification that it is incapable of being performed or of being performed properly.
13. Control apparatus as claimed in claim 11 or claim 12, wherein the data is used by the program section to generate unlatching cycles to cancel latching of the storage means against erasure or overwriting of contents thereof, for which purpose specific items of data are delivered to specific addresses of the storage means.
14. Control apparatus as claimed in any one of claims 11 to 13, wherein the data has such values prior to modification that the program section is incapable of generating the unlatching cycles.
15. Control apparatus as claimed in any one of claims 11 to 14, said means for carrying out the modification being arranged to ascertain said entry in response to recognition of circumstances indicative of a probable intention to overwrite or erase contents of the storage means.
16. Control apparatus as claimed in any one of claims 11 to 15, said means for carrying out the modification being arranged to ascertain said entry when the programming device is connected to the control apparatus.
17. Control apparatus as claimed in any one of claims 11 to 16, said means for carrying out the modification being arranged to ascertain said entry when the programming device, having been connected to the control apparatus, is activated.
18. Control apparatus as claimed in claim 11 and substantially as hereinbefore described with reference to the accompanying drawings.
GB9711251A 1996-06-10 1997-05-30 Method of operating control apparatus with programmable storage means Expired - Fee Related GB2314180B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
DE1996123145 DE19623145B4 (en) 1996-06-10 1996-06-10 Method for operating a control device with a memory device programmable via a programming device

Publications (3)

Publication Number Publication Date
GB9711251D0 GB9711251D0 (en) 1997-07-23
GB2314180A true GB2314180A (en) 1997-12-17
GB2314180B GB2314180B (en) 1998-04-22

Family

ID=7796551

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9711251A Expired - Fee Related GB2314180B (en) 1996-06-10 1997-05-30 Method of operating control apparatus with programmable storage means

Country Status (4)

Country Link
JP (1) JPH1083294A (en)
DE (1) DE19623145B4 (en)
FR (1) FR2749697B1 (en)
GB (1) GB2314180B (en)

Also Published As

Publication number Publication date
GB9711251D0 (en) 1997-07-23
GB2314180B (en) 1998-04-22
JPH1083294A (en) 1998-03-31
DE19623145A1 (en) 1997-12-11
DE19623145B4 (en) 2004-05-13
FR2749697A1 (en) 1997-12-12
FR2749697B1 (en) 2006-06-02

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20080530