The present invention relates to a method and a device for monitoring unauthorized memory accesses to a predetermined memory area in a computing device, in particular in a motor vehicle.
The term “memory protection” is to be understood as the capability of an operating system running on a microcomputer of effectively preventing individual processes of the operating system from accessing those memory areas for which they do not have authorization.
An unauthorized memory access is typically prevented with the support of the microcomputer, i.e., with hardware components. These are often special, costly components. Thus, there are microcontrollers (e.g., MPC 566 from Motorola) which are provided with a memory protection unit. However, these are subject to various restrictions. Thus, for example, only four contiguous memory areas may be protected simultaneously by the memory protection unit. Furthermore, the protection may not be applied equally to all types of memory, such as internal and external memories or volatile and nonvolatile memories.
In a computing device having multiple computers which is implemented in a CAN (controller area network) in a motor vehicle, for example, the computers identified as control units are not provided with memory protection implemented in software for cost reasons. In such computers which do not support memory protection, it is not possible to prevent processes from unauthorized access to memory areas. This may result in problems if sequence patterns of the computing device and/or of a computer are used dynamically and automatically, for example, when updating a sequence pattern. Unauthorized memory accesses may result in errors in other sequence patterns or computers of the computing device.
Therefore, there is a fundamental need for preventing unauthorized memory accesses, in particular to a predetermined memory area in a computing device.
German Patent Document DE 699 07 709 T2 describes a process monitor in a computer system. This device is used in particular in monitoring a procedure and/or process which is referred to as the daemon (CMSD) of a configuration management system (CMS). A daemon provides a background service in a computing device. It manages various system units or objects, which may be physical devices or also software units. If the CMSD service is no longer available, at least parts of the mode of operation of the computing device may be impaired. To provide a process monitor having a high degree of reliability and to ensure an automatic restart of a monitor process which has broken down or is flawed, it is suggested that a process monitoring unit be provided, the monitored process not being a daughter of the process monitoring unit. In the scope of the monitoring, the identity of a monitored process is uniquely determined and the correct operation of the monitored process is verified. If correct operation of the monitored process cannot be verified, the monitored process is restarted and a unique self-identification of the monitored system in relation to the computing device is caused after the restart. The described device has the disadvantage cited at the beginning, that on one hand there is no direct monitoring of an unauthorized memory access to a predetermined memory area and, on the other hand, an additional unit in the form of hardware components must be provided.
The object of the present invention is to specify a method and a device for monitoring an unauthorized memory access to a predetermined memory area in a computing device, in particular for a motor vehicle, so that the computing device cannot assume an undefined state. In particular, no additional hardware components are to be necessary.
One exemplary aspect of the present invention comprises monitoring an unauthorized memory access to a predetermined memory area in a computing device, in that the information contained in the specification of a sequence pattern about the memory accesses of this sequence pattern is integrated into the sequence pattern in a suitable way for the purpose of monitoring it.
The method for monitoring an unauthorized memory access to a predetermined memory area in the computing device, in particular in a vehicle, is characterized by the following steps: firstly, a sequence pattern is provided in the computing device. Furthermore, a monitoring medium is provided, having at least one sensor medium, which is set up for the purpose of recognizing an event of the computing device, and having at least one recognition medium, which is set up for the purpose of tracking the behavior of the event recognized by the sensor medium. In a further step, the monitoring medium is integrated into the sequence pattern. The sequence pattern is monitored at its runtime, in that memory accesses to a memory address or an address range are detected by the monitoring medium as events.
The monitoring medium does not represent an element of the computing device implemented in hardware, but rather is a computer program product, which is integrated in a suitable way in the sequence pattern implemented as software. Accordingly, the sensor medium is a “software sensor” and the recognition medium is also implemented in software. This procedure allows memory accesses of the sequence pattern to be monitored at its runtime in operation. In particular, it is possible to detect unauthorized memory accesses and deal with them suitably. This is based on the assumption that the specification is established in such a way that according to the specification, an unauthorized memory access to a predetermined memory area in the computing device is not allowed. Errors, i.e., unauthorized memory accesses, which were not recognized in preceding tests, for example, may be recognized by the monitoring of the sequence pattern at the runtime. The operational reliability of the sequence pattern and/or of the computing device is thus increased.
According to an expedient design, the step of generating the monitoring medium is provided, in that a specified behavior of the sequence pattern having at least one event and the states and state changes assigned to the at least one event is established, the specified behavior being converted into program code. In other words, this step provides that the specified behavior of the sequence pattern, which is provided in text form, for example, is converted into a form readable and processable by the computing device.
In one embodiment, authorized and/or unauthorized address ranges of a memory device are established in the step of generating the monitoring medium, a behavior deviating from the specified behavior existing if the sequence pattern wishes to perform an access to an unauthorized address range. In the specification, those memory areas of the memory device are thus identified, in tabular form, for example, which are to be protected from an unauthorized memory access. These may be those memory areas in which the operating system of the computing device or of a computer of the computing device is stored, for example. During the monitoring of the sequence pattern at its runtime, it is detected whether or not the sequence pattern wishes to perform a memory access. If so, there is a comparison of the desired memory address to the memory addresses established in the specification. If a correspondence is established, a previously defined fixed reaction may be initiated, e.g., the access of the sequence pattern to the desired memory area may be prevented.
According to a further exemplary design, the generation of the monitoring medium, and in particular the conversion of the monitoring medium into the program code, is performed automatically. In this way, a high efficiency of the program code is ensured, i.e., the monitoring medium requires only few memory resources. Furthermore, the sequence pattern, if it operates correctly, is not impaired by the monitoring medium.
According to a further exemplary preferred design, the step of integrating the monitoring medium in the sequence pattern comprises introducing the program code into a sequence pattern program code. After, in the step of generating the monitoring medium, the specified behavior of the computing device has been brought into a form readable by the computing device in the form of a computer program product, in the step of integrating the monitoring medium, this existing program code is integrated into the program code of the sequence pattern. The integration may comprise adding additional code lines to the sequence pattern program code. The integration may also comprise providing additional objects or modules. A combination of the cited possibilities is also conceivable.
According to a further exemplary design, an access to a memory area attempted by the sequence pattern is monitored as an event, a check being performed by the monitoring medium as to whether the memory access occurs in an unauthorized or an authorized memory area. In case of access to an unauthorized area, a denial of the memory access and/or the call of an error handling routine and/or a signaling of the unauthorized memory access by the sequence pattern occurs as a reaction. Specifically, the deviation is established by the recognition medium of the monitoring medium, which may differentiate unauthorized memory accesses from authorized memory accesses.
According to a further exemplary design, in the event of detection of an event by the monitoring medium, more precisely the sensor medium of the monitoring medium, there is a function call in the sequence pattern program code. The integration of the monitoring medium in the sequence pattern thus provides the possibility of performing a check of its behavior at predefined points in the sequence pattern, i.e., a check for an unauthorized memory access, and calling a predefined function, which may include signaling, storing variables, or similar actions, for example, in the event of a deviation from a specified behavior.
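The following C program is an added illustration of the software monitoring medium described in the preceding designs; it is not code from the patent. The protected address ranges, the function names and the reaction routine are assumptions: a constructed table stands in for the tabular specification, `monitor_is_authorized` plays the recognition medium, `monitor_checked_access` is the function call placed at predefined points of the sequence pattern, and `CHECKED_WRITE32` shows how such a call is wrapped around a store in the sequence pattern program code.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed table of protected (unauthorized) address ranges, standing in for the
   tabular specification described above; all addresses are hypothetical. */
typedef struct { uintptr_t start, end; } mem_range_t;        /* half-open [start, end) */
static const mem_range_t PROTECTED[] = {
    { 0x00000000u, 0x00010000u },   /* hypothetical: operating-system code image */
    { 0x20000000u, 0x20000400u },   /* hypothetical: operating-system data area */
};
#define N_PROTECTED (sizeof PROTECTED / sizeof PROTECTED[0])
typedef enum { MEM_READ, MEM_WRITE } mem_op_t;
static unsigned  g_denied;            /* number of refused accesses */
static uintptr_t g_last_denied_addr;  /* address of the last refused access */

/* Recognition medium: does the desired access [addr, addr+len) touch a protected area? */
bool monitor_is_authorized(uintptr_t addr, size_t len) {
    uintptr_t end = addr + len;
    if (end < addr) return false;                    /* address wrap-around: never authorized */
    for (size_t i = 0; i < N_PROTECTED; i++)
        if (addr < PROTECTED[i].end && end > PROTECTED[i].start)
            return false;                            /* overlaps a protected range */
    return true;
}
/* Error handling routine: the predefined reaction to a deviation (deny, count, signal). */
static void monitor_on_violation(uintptr_t addr, mem_op_t op) {
    g_denied++;
    g_last_denied_addr = addr;
    printf("monitor: %s at 0x%lx denied\n", op == MEM_WRITE ? "write" : "read", (unsigned long)addr);
}
/* Sensor medium: the function call inserted at predefined points of the sequence pattern.
   Returns true if the access may proceed, false if it was denied. */
bool monitor_checked_access(uintptr_t addr, size_t len, mem_op_t op) {
    if (monitor_is_authorized(addr, len)) return true;
    monitor_on_violation(addr, op);
    return false;
}
unsigned  monitor_denied_count(void)     { return g_denied; }
uintptr_t monitor_last_denied_addr(void) { return g_last_denied_addr; }
/* Integration into the sequence pattern program code: a 32-bit store wrapped by the sensor. */
#define CHECKED_WRITE32(p, v) \
    (monitor_checked_access((uintptr_t)(p), sizeof(uint32_t), MEM_WRITE) \
        ? (*(volatile uint32_t *)(p) = (uint32_t)(v), true) : false)
int main(void) {
    uint32_t own_var = 0;                            /* ordinary RAM variable: authorized */
    printf("own variable: %s\n", CHECKED_WRITE32(&own_var, 42u) ? "written" : "denied");
    printf("OS data area: %s\n", monitor_checked_access(0x20000100u, 4, MEM_WRITE) ? "written" : "denied");
    return 0;
}
```

An access that only partly overlaps a protected range, or whose length makes the address wrap around, is treated as unauthorized as well, since either would otherwise let a sequence pattern reach a protected area through its edges.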
According to one exemplary variant, the monitoring medium is provided in one computer of multiple computers, and this computer of the multiple computers of the computing device is monitored in regard to its sequence pattern, i.e., an unauthorized memory access.
According to another exemplary variant, the monitoring medium is provided in at least two computers of multiple computers of the computing device, and memory accesses between the computers of the computing device are monitored. Which of the two variants is selected, possibly in a combination, is a function of the procedure of integrating the monitoring medium into the sequence pattern.
The same advantages are connected to the device according to the present invention as were described above in connection with the method.
In the exemplary device according to the present invention for monitoring an unauthorized memory access to a predetermined memory area in a computing device, in particular in a motor vehicle, a monitoring medium having at least one sensor medium is provided, which is set up for the purpose of recognizing an event, in particular a desired memory access, of the computing device. At least one recognition medium is provided, which is set up to track the behavior of the event recognized by the sensor medium, the monitoring medium being integrated in a sequence pattern on the computing device and the monitoring medium being set up for the purpose of monitoring the sequence pattern at its runtime, in that memory accesses to a memory address or an address range are detected by the monitoring medium as events.
In one design, the computing device has multiple computers coupled to one another, the monitoring medium being situated in at least one of the computers.
In another design, the computing device is a bus system and the computers are bus users of this bus system, which are coupled to one another via a bus line, via which the exchange of messages is possible. A bus user represents a control unit of a bus system.
In a further design, the monitoring medium is a computer program product which is integrated in the sequence pattern.
A further design provides that the monitoring medium is implemented to monitor at least one of the computers of the computing device.
Another design provides that the monitoring medium is implemented to monitor memory accesses between at least two computers of the computing device.
Furthermore, the present invention describes a computer program product for a computing device of a motor vehicle, in which a monitoring medium is integrated in a sequence pattern controlling the computing unit, which comprises a computer-readable specification of the behavior of the sequence pattern and is set up for the purpose of establishing memory accesses at the runtime of the sequence pattern and initiating a reaction thereto, if there is a memory access to an unauthorized memory area of a memory device of the computing device.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.