1. Field of the Invention
The present invention relates to a device and a method for treating a state of a memory with memory cells organized in a plurality of pages resulting from incomplete writing or erasing of data, wherein the memory is particularly a UCP EEPROM (uniform channel programming electrically erasable read only memory).
2. Description of the Related Art
Electrically erasable programmable read only memories (EEPROMs) are used for a number of applications to store data in a non-volatile way, i.e. so that the data are retained even after the supply power is turned off. A sub-class of the EEPROMs is the UCP EEPROM. In order to save chip area and thus reduce manufacturing costs, bit/byte switches are omitted in a UCP EEPROM, among other things. The memory is organized in pages. One page consists of a number of bytes or words, wherein one word may, for example, include 32 bits. One page consists, for example, of 64 bytes. In the UCP concept, no individual bits or bytes can be erased individually within a page, i.e. for example be set to 0, depending on the definition. Programming of individual bits or bytes is also limited. Instead, programming and erasing are done page-wise, i.e. all bits of the page are written or erased in parallel and simultaneously. In the following, it is assumed that a bit is set to 0 when erasing, and is pulled to 1 when programming, if necessary.
The considerable advantage of saving chip area is opposed by the disadvantage that a whole page must be erased and then re-programmed even if only one single bit is to be changed. For changing the page, it must be buffered from, at the latest, before the start of the erasing to at least after completing the writing. This buffering occurs in a (volatile) RAM cell field (RAM=random access memory) or also in a (non-volatile) EEPROM cell field. The buffering in an EEPROM cell field has the advantage that the buffered data are not lost, not even in the case of a failure of the supply power during erasing or writing.
A widespread architecture is one where a number (for example 32) of pages are combined into a sector. In this example, a sector S includes pages P1, . . . , P32. In order to avoid the need of buffering a page (in the case of a non-volatile buffering, this corresponds to an EEPROM programming process) prior to erasing it, a further page is added to the sector, which, in the following, will be referred to as P0. The additional page P0 is initially in an erased state. In order to change one of the pages P1, . . . , P32, its data content including the changes is programmed into the page P0. After that, the old page is erased and the page P0, now containing the updated data, is mapped into the memory. The erased page now takes over the role originally occupied by the page P0. The respective erased extra page is called the spare page.
In the described programming process for changing a page, pages in the sector are scrambled, i.e. the association of physical pages with logical pages is arbitrary and changes with every programming process. In order to identify the physical pages and/or guarantee their association with logical pages and/or memory addresses within a memory address space of the sector, each page has some additional bits forming the so-called map and/or association block. This association block holds the map and/or association address of the page. It indicates which memory addresses the physical page corresponds to. To stick to the numerical example above, the association block of each page contains an integer between 1 and 32 or, more practically, between 0 and 31, which indicates the position of the page in the memory space and/or address space of the sector. So there is one erased page and/or spare page and 32 data pages and/or pages with data content within a sector.
Looking at the 32 association blocks of the 32 data pages, you will find every integer between 1 and 32 (or better: between 0 and 31) exactly once, and it is uniquely established which memory address each physical page corresponds to. The association block includes non-volatile memory cells so that the association of the physical pages with memory addresses is not lost, not even in the case of a reset process or a loss of current and/or a failure of the power supply. The association block is, for example, integrated in the plurality of the EEPROM cells of the page.
In the described UCP concept, each programming process of a page also somewhat disturbs the pages which are not the target of the programming process. Therefore, a programming process is also referred to as disturb. Each disturb changes the analog state of a memory cell. After a large number of disturbs, the memory cell then has a changed digital state. This is equivalent to a loss and/or corruption of the stored information. In order to prevent this consequence of a too large number of disturbs, each page is provided with a time stamp when it is written. The time stamp is the current value of a counter at the time of writing the page, the counter also being referred to as disturb counter. The time stamp is deposited, for example, in or at the association block. When a page ages, i.e. is exposed to a growing number of disturbs, the time stamp will be more and more remote from the current value of the counter. The current value, in turn, is equal to the maximum of all 32 time stamps present. When the difference between the time stamp of a page and the current value of the counter exceeds a predetermined threshold, the page is re-programmed to avoid excessive ageing.
A loss of information or data stored in an EEPROM is disadvantageous for several reasons. On the one hand, a loss of data is undesirable per se in most cases, because it may have unpredictable and often serious consequences. In the case of an EEPROM on a chip card, a loss of data may further, for example, result in an unwanted enabling of functions or performance features. Furthermore, a loss of data is usable for an attack for decrypting cryptographic features, for example of a chip card. Certain parties therefore have an interest in causing a loss of data of an EEPROM on a chip card.
One possibility of causing a loss of data is to interrupt the current supply and/or the power supply repeatedly during a programming process and/or during the writing of a new page and the subsequent erasing of the old page. This intervention is also called tearing. Tearing may cause two problems.

A. The power supply fails during the writing of the new page or during the erasing of the old page. This results in the presence of a page containing invalid data, because some bits are already toggled in the right direction and/or are already programmed, while others still comprise the original content. This may, for example, be detected by means of an error correcting code. As a result, the invalid page is erased.

B. The tearing occurs after the new page has been written and before the old page has been erased and/or after all bits of the new page to be programmed to 1 have been toggled from 0 to 1 and before the first bits of the old page programmed with the value 1 toggle from 1 to 0. As a consequence, a page exists twice and/or two physical pages have the same association address in their association blocks. In this case, one of the two pages is erased, preferably the page identified as the older one by means of the time stamp.
In the case of a tearing or another failure of the supply power during the writing of the new page, the write operation generates a disturb disturbing the other pages. If, as described at A, the incompletely written and thus invalid page is now erased, the old page with the unchanged data is preserved, but the sector does not contain any page with the time stamp incremented corresponding to the write operation. The information of the disturb is thus present in the form of a small, accumulatable disturb of the memory cells in the rest of the chip. However, the time stamp of the incompletely written new page which gives an incremented disturb count is lost. In order to introduce the information on the number of the disturbs into the sector, a time stamp incremented with respect to the maximum of the time stamps of the pages of the sector has to be introduced afterwards into any page of the sector. But an attacker could turn off the power supply again at that moment. In that case, the information on the disturb would be irretrievably lost. In this way, an attacker could introduce many (any number of) disturbs into a sector, without the system being able to detect it. The result is a loss of data which may be used for an attack for the decryption of cryptographic functions.
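The recovery rules for cases A and B, and the lost time stamp described in the last paragraph, can be followed in a small model. This is an added example, not part of the original text: the page layout, the ERASED marker, the sample time stamps and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NPAGES 33   /* 32 data pages + 1 spare page, as in the numerical example */
#define NADDR  32   /* association addresses 0..31 */
#define ERASED 0xFF /* constructed marker: association block of an erased page */

typedef struct {      /* simplified model of one physical page (assumption) */
    uint8_t  map;     /* association address, or ERASED */
    uint32_t stamp;   /* disturb counter value when the page was written */
    bool     ecc_ok;  /* outcome of the error correcting code check */
} page_t;
static void erase_page(page_t *p) { p->map = ERASED; p->stamp = 0; p->ecc_ok = true; }

/* Constructed sample sector: physical page 0 is the spare, pages 1..32 hold data. */
void fill_sector(page_t *s) {
    erase_page(&s[0]);
    for (int i = 1; i < NPAGES; i++)
        s[i] = (page_t){ (uint8_t)(i - 1), 100u + (uint32_t)i, true };
}

/* Current counter value: the maximum of all time stamps present in the sector. */
uint32_t disturb_counter(const page_t *s) {
    uint32_t max = 0;
    for (int i = 0; i < NPAGES; i++)
        if (s[i].map != ERASED && s[i].stamp > max) max = s[i].stamp;
    return max;
}

int recover(page_t *s) {   /* scan after power-up; returns the number of pages erased */
    int owner[NADDR], erased = 0;
    for (int a = 0; a < NADDR; a++) owner[a] = -1;
    for (int i = 0; i < NPAGES; i++) {
        if (s[i].map == ERASED) continue;
        if (!s[i].ecc_ok || s[i].map >= NADDR) { erase_page(&s[i]); erased++; continue; } /* A */
        int addr = s[i].map, j = owner[addr];
        if (j < 0) { owner[addr] = i; continue; }
        int old = (s[j].stamp <= s[i].stamp) ? j : i;   /* B: same address twice */
        owner[addr] = (old == j) ? i : j;
        erase_page(&s[old]); erased++;
    }
    return erased;
}

int main(void) {
    page_t s[NPAGES]; fill_sector(s);
    s[0] = (page_t){ 5, disturb_counter(s) + 1, false };   /* torn write of address 5 */
    int n = recover(s);
    printf("erased=%d counter=%u\n", n, (unsigned)disturb_counter(s));
}
```

After the case A recovery the counter is still 132 in this sample sector, although a write was attempted: the incremented time stamp was erased together with the invalid page, which is the unrecorded disturb the text describes.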