The present invention relates to a method of protecting a microcomputer system against manipulation of its program. The microcomputer system includes a rewritable memory in which at least one portion of the program is stored. In this method, a check is performed as part of a checking procedure to determine whether at least one portion of the rewritable memory includes a specified content.
The present invention also relates to a microcomputer system which is protected against manipulation of its program. The microcomputer system includes a rewritable memory in which at least one portion of the program is stored. In addition, the microcomputer system includes for its protection a checking arrangement for checking on whether at least one portion of the rewritable memory includes a preselected content.
A method and a microcomputer system for protecting against manipulation of a program are referred to in German Published Patent Application No. 197 23 332, for example. The method discussed in German Published Patent Application No. 197 23 332 is used in particular to protect an automotive control device against manipulation of its control program. The control device controls and/or regulates automotive functions, for example of an internal combustion engine, an electronic steering system (steer-by-wire) or an electronic brake (brake-by-wire). In the method discussed in German Published Patent Application No. 197 23 332, a boot routine is executed each time the microcomputer system is powered up, and a checking procedure is executed as part of the boot routine. The checking procedure is implemented, for example, as a checking program, which is stored in a read-only memory of the microcomputer system. In execution of the checking procedure, a code word is determined from at least one portion of the memory content of the rewritable memory with the help of an encryption algorithm and compared with a reference code word stored in the rewritable memory. The code word is a checksum, for example. Execution of the control program stored in the rewritable memory of the control device is blocked if the code word determined is not the same as the reference code word.
If a manipulated program has been stored in the rewritable memory, the code word determined via the memory content of the rewritable memory will usually differ from the reference code word stored, and execution of the manipulated program is blocked. This prevents the automotive functions or automotive units that are to be regulated or controlled by the control device from being damaged by manipulation of the control program.
Various encryption algorithms may be used to form the code word. In particular, cross-checksums and/or longitudinal checksums may be formed (even parity check), or a cyclic redundancy check (CRC) may be used, in which code words are generated in blocks from the content of the rewritable memory and compared with reference code words. The more complex the encryption algorithms used to calculate the code word, the more difficult it is for an unauthorized third party to overcome the protection against manipulation and tuning. On the other hand, a complicated encryption algorithm requires a great deal of computation capacity (memory and computing time) of a computer core, in particular a microprocessor, of the microcomputer system. It is problematic, however, that unlimited time is not available for checking the content of the rewritable memory in a microcomputer system. There is thus a conflict of goals between secure and reliable protection against manipulation and tuning of a microcomputer system and rapid execution of the checking procedure without any significant delay in execution of the program.
In a microcomputer system, the power of the microprocessors used is not unlimited for reasons of cost and configuration (high-power microprocessors require a relatively large structure, have a relatively high power consumption and generate a great deal of waste heat which must be dissipated from the microcomputer system). For this reason, the checking procedure in other prior systems is executed only at certain points in time when more time is available for complete processing of the checking program, e.g., when powering up the microcomputer system or after reprogramming or new programming of the rewritable memory. As an alternative, it is also possible to process only a portion of the checking program, which takes less time but reduces the certainty and reliability of the protection against manipulation and tuning.
If the checking procedure reveals that the checked portion of the rewritable memory includes a specified content, a corresponding marker is stored in a memory of the microcomputer system. By querying this marker at later points in time, e.g., each time the microcomputer system is powered up, it is possible to check within an extremely short period of time whether or not the program stored in the rewritable memory has been manipulated. In the method discussed in German Published Patent Application No. 197 23 332, however, no check of the content of other portions of the rewritable memory, or even of the entire rewritable memory, is performed during operation of the microcomputer system, i.e., while the program is running. Another check is performed only on reaching the point in time for performing the checking procedure again, e.g., when powering up the microcomputer system again. With this method, it may therefore take a relatively long time until manipulation of the program of a microcomputer system is detected and suitable countermeasures have been taken.
It is an object of the exemplary embodiment and/or exemplary method of the present invention to reliably and with certainty protect a microcomputer system against manipulation of its program, so that manipulation is detectable within the shortest period of time.
The exemplary embodiment and/or exemplary method of the present invention provides that the checking procedure be executed cyclically at preselectable intervals during operation of the microcomputer system.
According to the exemplary embodiment and/or exemplary method of the present invention, the checking procedure is thus executed not only at discrete points in time, e.g., following a reprogramming or new programming of the rewritable memory, but instead cyclically during normal operation of the microcomputer system, i.e., while the program is running. Cyclic execution of the checking procedure may be performed in addition to or instead of execution of the checking procedure at discrete points in time, e.g., after reprogramming or new programming of the rewritable memory. The portion of the checking procedure executed during a cycle is reduced so that running of the program by a computer core, in particular by a microprocessor, of the microcomputer system is hardly impaired. A reduction in the checking procedure may be achieved, for example, by checking only a small portion of the rewritable memory in each cycle. The entire rewritable memory may be checked according to the present invention after only a relatively short period of operation of the microcomputer system and repeated execution of various portions of the checking program. If it is found in execution of the checking procedure that the rewritable memory or the checked portion of the rewritable memory does not include a specified content, suitable measures are initiated immediately. For example, the program or the checked portion of the program is declared invalid immediately and execution of the program, i.e., of the checked portion of the program, is blocked immediately.
Various checking procedures which may be used in conjunction with the exemplary embodiment and/or exemplary method of the present invention are referred to in other prior systems. First, a method referred to in German Published Patent Application No. 197 23 332 may be used, for example. In this method, a code word, e.g., a checksum, is formed over the rewritable memory or at least one portion of the rewritable memory and compared with a reference code word. In addition, the content of the rewritable memory may be signed or encrypted on the basis of an asymmetrical encryption method within the checking procedure. By checking the signature or the decryption of a reprogrammed or newly programmed program, it may be ascertained whether or not the new program has been manipulated. Finally, as another method, markers may be introduced into the program at defined locations and checked according to specified procedures. This method places a low demand on the computing capacity of the microcomputer system. The disadvantage, however, is that the content of the program to be checked does not enter into the check, and therefore only a completely different program without markers is detectable as manipulated.
According to an exemplary embodiment of the present invention, execution of the program may be blocked immediately as part of the checking procedure if the rewritable memory or a portion thereof does not include the specified content. Because execution of the program is blocked immediately following the cyclically executed checking procedure if the program is found to have been manipulated, rapid and reliable blocking of execution of the program is possible, thus promptly preventing damage to a unit controlled or regulated by the microcomputer system.
According to an exemplary embodiment of the present invention, various portions of the rewritable memory may be checked by the checking procedure within a plurality of cycles. The portions of the rewritable memory to be checked during a cycle of the checking procedure may be selected either randomly or on the basis of a predefined algorithm. In the case of a fixed algorithm, it may be predicted exactly when the entire rewritable memory has been checked. In the case of a random selection of the portion of the rewritable memory to be checked, it may be determined statistically when the entire rewritable memory has been checked. The size of the portions of the rewritable memory to be checked within a cycle depends on the computing power of the computer core of the microcomputer system and the available computation time. The size of the portions should be selected so as to prevent any negative effect on execution of the program due to the execution of the checking procedure.
According to another exemplary embodiment of the present invention, a preselectable marker is stored in a storage area of the microcomputer system if the rewritable memory or a portion thereof includes the specified content; the content of the storage area is checked during the execution of the program; and the marker is deleted to block the execution of the program. The presence of the marker in the storage area of the microcomputer system thus means that the program stored in the rewritable memory has not been manipulated. The marker is deleted when manipulation of the program is detected. The marker is in the form of a test pattern, for example. It may include one bit, multiple bits or even one or more bytes.
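The cyclic, block-wise check with a fixed block order and a marker that is deleted on mismatch, as an added illustration in C that is not code from the patent: the flash contents, block size and marker value are constructed stand-ins, and the per-block CRC-32 reference code words are kept in RAM here for simplicity rather than in the rewritable memory as the text describes.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the flash and the marker storage area (sizes assumed). */
#define FLASH_SIZE   256u
#define BLOCK_SIZE   32u                           /* portion checked per cycle */
#define NUM_BLOCKS   (FLASH_SIZE / BLOCK_SIZE)
#define MARKER_VALID 0xA5u                         /* test-pattern marker */
static uint8_t  flash[FLASH_SIZE];
static uint32_t reference_crc[NUM_BLOCKS];         /* reference code word per block */
static uint8_t  marker;                            /* present = not manipulated */
static size_t   next_block;                        /* fixed, predictable block order */
/* CRC-32 (IEEE 802.3) as the code word over one block. */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* (Re)programming: store the image, derive the reference code words, set the marker. */
void program_flash(const uint8_t *image, size_t len) {
    memset(flash, 0xFF, FLASH_SIZE);               /* erased flash reads 0xFF */
    memcpy(flash, image, len < FLASH_SIZE ? len : FLASH_SIZE);
    for (size_t i = 0; i < NUM_BLOCKS; i++)
        reference_crc[i] = crc32(flash + i * BLOCK_SIZE, BLOCK_SIZE);
    marker = MARKER_VALID;
    next_block = 0;
}

/* One cycle of the checking procedure, called from a background task.
 * Returns -1 on mismatch (marker deleted), 1 when a full pass completed, else 0. */
int check_cycle(void) {
    size_t i = next_block;
    next_block = (next_block + 1) % NUM_BLOCKS;
    if (crc32(flash + i * BLOCK_SIZE, BLOCK_SIZE) != reference_crc[i]) {
        marker = 0;                                /* execution is blocked immediately */
        return -1;
    }
    return next_block == 0 ? 1 : 0;
}
/* Queried by the program before it runs and at every power-up. */
int program_may_run(void) { return marker == MARKER_VALID; }
/* Test helpers: a constructed 64-byte sample program, and a simulated manipulation. */
void load_sample_program(void) {
    uint8_t img[64];
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 7u);
    program_flash(img, sizeof img);
}
void manipulate_flash(size_t off, uint8_t v) { flash[off] = v; }
```

With eight blocks, a manipulated byte in block 1 is detected on the second cycle after the change rather than at the next power-up, which is the point of the cyclic check.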
According to an alternative exemplary embodiment of the present invention, a storage area of the microcomputer system is checked during execution of the program, and a preselectable marker is stored in the storage area to block execution of the program. According to this alternative exemplary embodiment, the storage area of the microcomputer system thus does not hold any marker as long as the program is not manipulated. However, if manipulation of the program is detected, a corresponding marker is stored in the storage area. According to another exemplary embodiment of the present invention, the cyclic execution of the checking procedure may run as a background application during operation of the microcomputer system. The checking procedure is thus always active in the background while the computer core runs the program and is called up cyclically at preselectable points in time.
According to an alternative exemplary embodiment of the present invention, the cyclic execution of the checking procedure may run at noncritical running times during operation of the microcomputer system. Noncritical running times are understood to be points in time when running time does not play a role, i.e., utilization of the computer core due to running of the program is low. This is the case, for example, during steady-state operation of the microcomputer system.
In addition, a use of the exemplary method according to the present invention for protecting an automotive control device against manipulation of its control program includes using the control device to control and/or regulate an automotive function.
The checking arrangement may also execute the check of the rewritable memory cyclically at preselectable intervals during operation of the microcomputer system.
According to an exemplary embodiment of the present invention, the rewritable memory may be configured as an EPROM (erasable programmable read-only memory) or an EEPROM (electrically erasable programmable read-only memory), in particular as a flash memory.