Field of the Invention
In a microcomputer, the program being executed at any time has control over the computer and over the memories and other peripheral devices contained in it or connected to it. Among other things, this means that a memory address contained in a program instruction is always jumped to, irrespective of whether the memory area containing that address is supposed to be available to the program or not.
In this way, memory areas could be examined whose contents are secret and to which access should be denied. Since such denial is frequently not in place, security precautions need to be taken.
One possibility for such security precautions is to use a memory management unit, denoted MMU below, as it is provided, for example, in an iAPX286 chip from INTEL corporation. This is principally used when not only (chip) manufacturer programs, but also user programs, are to be executed, which can then be put to improper use. The MMU is disposed between the central processing unit, denoted CPU below, of the computer and the bus connecting this unit to the other units, such as memories.
Each application has an entry in the MMU recording which memory contains the application, the address at which it begins, its length and what access rights exist. The user must specify these data when loading his application, or his program, into the memory of the microcomputer. The application program then has access rights only to memory areas lying within the area defined by the previously specified start address and length. The entry in the MMU therefore describes the characteristics of a program stored in a memory segment, and the area of the MMU containing this entry is therefore termed a segment descriptor.
Every call to an address from the program is checked by the MMU, and the call is allowed only when the address lies in the permitted area; otherwise program execution is terminated or an error message is issued.
In the case in which different users' programs are in memory, this assures each user that other users cannot view or even alter their programs, since each user program can operate only within the area specified by the user when loading the program.
U.S. Pat. No. 5,452,431 describes a microcircuit with a CPU, which is connected via an address bus to a program memory having several areas for user programs. A zonal memory area, in which the start and end addresses and a reference code of the user programs are listed in a table, is assigned to the memory area for the user programs. When a user program is run, the start and end addresses of that user program's memory area are compared with the addresses actually called, so that a called address lying outside the area defined by the start and end addresses results in a program abort. This protective mechanism, however, does not exceed the possibilities for protection established by an MMU.
Published, Non-Prosecuted German Patent Application DE 37 09 205 A1, in combination with Published, Non-Prosecuted German Patent Application DE 35 33 787 A1 cited therein, describes a protective circuit for the protection of data stored in a memory area. A descriptor, in which characteristics of that area are entered, is assigned to the memory area. It furthermore contains a preamble in which it is recorded whether the data is protected. The preamble also contains a vector that is stored in an intermediate memory every time that memory area is addressed. After a positive check of the access authorization to the protected data, the vector is transferred to the computing unit which manages the memory and which then calls up a program for processing the protected data, whose memory location is indicated by the vector. This guarantees that the protected data is processed not arbitrarily but only by that particular program.
User programs usually contain subroutines. Different users frequently need the same subroutines, and hence the security precautions described above result in these subroutines being stored repeatedly. This requires an unnecessarily large amount of memory space. It would therefore be desirable to provide subroutine libraries in a memory area of the microcomputer which can be accessed by different user programs, possibly incorporating particular security measures such as checking a personal identification number, for example.
However, this would again lead to the problems outlined above, namely that a user with fraudulent intent could access a library program at will by bypassing the checking routines.
It is accordingly an object of the invention to provide a microcomputer that overcomes the above-mentioned disadvantages of the prior art devices of this general type, which allows user programs to access library programs, but which is at the same time protected against manipulation.
With the foregoing and other objects in view there is provided, in accordance with the invention, a microcomputer, containing: an address bus; a memory management unit connected to the address bus; a central processing unit connected to the address bus and to the memory management unit by the address bus; and at least one program memory having at least one memory area for storing user programs and connected to the address bus and to the memory management unit via the address bus, each of the user programs being assigned in the memory management unit a segment descriptor storing at least a start address, a length and access rights of a respective user program, the at least one program memory further having a library program memory area for storing library programs and a vector memory area, a further segment descriptor having a segment descriptor label is stored in the memory management unit and describes an assignment of the vector memory area and the library program memory area, at least a vector number and a vector assigned to the vector number being stored in the vector memory area, and a call to a library program from the respective user program having to contain at least the segment descriptor label and the vector number to which the memory management unit assigns the vector, a jump to the library program called being effected by the vector.
In the microcomputer according to the invention, it is not possible to access a library program directly. Instead, a vector number is specified in the call instruction in addition to a label for the MMU segment descriptor describing the library program. The label for the MMU segment descriptor may be a number or a name, for example.
The MMU checks whether the vector number specified actually exists and whether it belongs to the library program called. If the test result is positive, access is permitted to a vector memory area whose start address and length are stored in the MMU segment descriptor. The vector number is stored only in this vector memory area, together with a jump address or the address of a jump instruction (i.e. a vector) to the library program's start address. This effectively prevents a user from accessing the library program directly and thereby bypassing security routines.
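The following C model is an added illustration, not code from the patent or from any product it cites. It covers both mechanisms the text describes: the per-program segment descriptor (start address, length, access rights) that the MMU checks on every address a user program calls, and the indirect library call in which the call instruction names only a segment descriptor label and a vector number, which the MMU resolves in the vector memory area to the jump address. The memory layout, the descriptor fields, the label "LIB0", the vector numbers and the [number, vector] pair layout of the vector area are all constructed assumptions for the demonstration.

```c
/* Added illustration (not from the patent): a tiny model of the two
 * protection mechanisms described above. User programs get a segment
 * descriptor (start, length, rights) that the MMU checks on every address;
 * library programs are reached only through a labelled library descriptor
 * and a vector number resolved in the vector memory area.
 * Every address, size and label here is constructed for the demonstration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MEM_WORDS 256      /* constructed: word-addressed program memory */
#define MAX_DESC  8

enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4 };  /* access rights bits */

typedef struct {           /* segment descriptor of one user program */
    uint16_t start, length;
    uint8_t  rights;
} user_segment_t;

typedef struct {           /* further descriptor: label + vector area + library area */
    char     label[8];
    uint16_t vec_start, vec_length;   /* vector memory area: pairs [number, vector] */
    uint16_t lib_start, lib_length;   /* library program memory area */
} library_segment_t;

typedef struct {
    user_segment_t    user[MAX_DESC];
    int               n_user;
    library_segment_t lib[MAX_DESC];
    int               n_lib;
} mmu_t;

static mmu_t    g_mmu;
static uint16_t g_mem[MEM_WORDS];

/* Every address a user program calls is checked against its own descriptor;
 * an address outside [start, start+length) or without the needed right is
 * refused, which the text describes as a program abort or error message. */
bool mmu_check_user_access(const mmu_t *mmu, int prog, uint16_t addr, uint8_t want)
{
    if (prog < 0 || prog >= mmu->n_user)
        return false;
    const user_segment_t *s = &mmu->user[prog];
    if (addr < s->start || (uint32_t)addr >= (uint32_t)s->start + s->length)
        return false;
    return (s->rights & want) == want;
}

/* A library call carries (label, vector number), never an address. The MMU
 * looks up the descriptor with that label, searches only that descriptor's
 * vector area for the number, and hands back the stored vector (the jump
 * address) provided it points into the library area. Returns -1 otherwise. */
int mmu_library_call(const mmu_t *mmu, const uint16_t *mem, const char *label, uint16_t number)
{
    for (int i = 0; i < mmu->n_lib; i++) {
        const library_segment_t *d = &mmu->lib[i];
        if (strcmp(d->label, label) != 0)
            continue;
        uint32_t end = (uint32_t)d->vec_start + d->vec_length;
        for (uint32_t a = d->vec_start; a + 1 < end; a += 2) {
            if (mem[a] != number)
                continue;
            uint16_t vec = mem[a + 1];
            if (vec < d->lib_start || (uint32_t)vec >= (uint32_t)d->lib_start + d->lib_length)
                return -1;          /* stored vector does not land in the library */
            return vec;
        }
        return -1;                  /* label exists, vector number does not belong to it */
    }
    return -1;                      /* no descriptor with this label */
}

/* Constructed layout: user program 0 at 0x10..0x2F; library area 0x80..0xBF
 * with entry points at 0x80 (e.g. a routine that first checks a PIN) and 0xA0;
 * vector area 0xC0..0xC3 holding (1 -> 0x80) and (2 -> 0xA0). */
void setup_demo(void)
{
    memset(&g_mmu, 0, sizeof g_mmu);
    memset(g_mem, 0, sizeof g_mem);
    g_mmu.user[0] = (user_segment_t){ .start = 0x10, .length = 0x20, .rights = RIGHT_READ | RIGHT_EXEC };
    g_mmu.n_user = 1;
    library_segment_t lib = { .vec_start = 0xC0, .vec_length = 4, .lib_start = 0x80, .lib_length = 0x40 };
    strcpy(lib.label, "LIB0");
    g_mmu.lib[0] = lib;
    g_mmu.n_lib = 1;
    g_mem[0xC0] = 1; g_mem[0xC1] = 0x80;
    g_mem[0xC2] = 2; g_mem[0xC3] = 0xA0;
}

int main(void)
{
    setup_demo();
    printf("user 0 exec 0x20: %s\n", mmu_check_user_access(&g_mmu, 0, 0x20, RIGHT_EXEC) ? "allowed" : "refused");
    printf("user 0 jump 0x80 (library directly): %s\n", mmu_check_user_access(&g_mmu, 0, 0x80, RIGHT_EXEC) ? "allowed" : "refused");
    printf("call LIB0 #1 -> 0x%x\n", mmu_library_call(&g_mmu, g_mem, "LIB0", 1));
    printf("call LIB0 #3 -> %d\n", mmu_library_call(&g_mmu, g_mem, "LIB0", 3));
    return 0;
}
```

The point the model makes visible is that the user program never holds a library address: a direct jump to 0x80 is refused by its own segment descriptor, while the call (label, vector number) succeeds only if that number is present in the vector area belonging to that label and the stored vector lands inside the library area. Because the vector area is reachable only through the labelled descriptor, the entry point it names (here the one that performs the PIN check first) cannot be skipped.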
Other features which are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in a microcomputer, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.