The invention relates generally to the protection of important or critical data in memory devices, and relates particularly to protection of such data in postage meters.
When important information is stored in a computer system it is commonplace to provide security against loss of some or all of the information, for example by making a backup copy of the information. In some systems, however, the information as stored in the system is what must be capable of being relied upon, and the theoretical feasibility of relying on backups is of little or no value. An example of such a system is the electronic postage meter, in which the amount of postage available for printing is stored in a nonvolatile memory. The user should not be able to affect the stored postage data in any way other than reducing it (by printing postage) or increasing it (by authorized resetting activities). Some single stored location must necessarily be relied upon by all parties (the customer, the postal service, and the provider of the meter) as the sole determinant of the value of the amount of postage available for printing. In electronic postage meters that single stored location is the secure physical housing of the meter itself. Within the secure housing one or more items of data in one or more nonvolatile memories serve to determine the amount of postage available for printing.
Experience with modern-day systems employing processors shows that it is advantageous to guard against the possibility of a processor running amok. Generally a processor is expected to execute its stored program and it is assumed the stored program contains no programming errors. Under rare circumstances, however, a processor may commence executing something other than the stored program, such as data. Under other rare circumstances the processor, even though it may be executing the stored program, nonetheless behaves incorrectly due to the incorrect contents of a processor register or a memory location. The former may occur if, for example, the instruction pointer or program counter of the processor changes a bit due to, say, absorption of a cosmic ray. The latter may occur if the contents of the processor register or memory location are changed by that or other mechanisms.
In pragmatic terms it is not possible to prove the correctness of a stored program; testing and debugging of the program serve at best to raise to a relatively high level (but not to certainty) the designer's confidence in the correctness of the code. Nonetheless an unforeseen combination of internal states, or an unforeseen set of inputs, has been known to cause a program that was thought to be fully debugged to proceed erroneously.
For all these reasons, in systems where crucial data are stored in what is necessarily a single location under control of a processor running a stored program, it is highly desirable to provide ways to detect a processor running amok and to reduce to a minimum the likelihood of the processor's harming the crucial data. In the particular case of a postage meter, it is desirable that the amount of postage available for printing, also called the descending register, be recoverable by an authorized technician even if the system is completely inoperable from the customer's point of view, even after any of a wide range of possible processor malfunctions.
Numerous measures have been attempted to protect crucial data in such systems as postage meters. In a system having an address decoder providing selection outputs to the various memory devices in the system, it is known to monitor all the selection outputs of the address decoder, and to permit the processor's write strobe to reach certain of the memory devices only if (a) the address decoder has selected one of the certain memory devices, and (b) the address decoder has not selected any memory device other than the certain memory devices.
In another system having an address decoder providing selection outputs to the various memory devices in the system, it is known to monitor the selection outputs associated with certain of the memory devices, and to take a predetermined action if any of those selection outputs remains asserted for longer than a predetermined interval of time. The predetermined action is to interrupt the write strobe and selection outputs to those certain memory devices.
Although these approaches isolate the certain memory devices (typically the devices containing the crucial postage data) upon occurrence of some categories of malfunction, they do little or nothing to cure the malfunction when it is caused by a processor running amok. That is, it is important to distinguish the problems just mentioned from the problem of physical malfunction of a processor or other system component. Simple physical malfunction can be quite rare if conservative design standards are followed and if the system is used in rated ambient conditions, so that the frequency of occurrence of such physical malfunctions can be low. But many of the above-mentioned failure modes are not of a lasting physical nature and, if appropriately cleared, need not give rise to permanent loss of functionality.
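The two address-decoder safeguards described above, modelled in software as an added example (this is not circuitry from the patent, and the four-device bus, the bit-mask representation of the decoder's selection outputs and the three-cycle limit are assumptions): the write strobe is gated on conditions (a) and (b), and a protected select held too long cuts off the strobe and the selects to the protected devices.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: N_DEVICES memory devices, one selection output each.
   Bit i of a select word is 1 when the address decoder selects device i. */
#define N_DEVICES 4
#define SEL_LIMIT 3   /* assumed: cycles a protected select may stay asserted */

typedef struct {
    uint8_t  protected_mask;          /* bit i set if device i holds crucial data */
    unsigned sel_cycles[N_DEVICES];   /* consecutive cycles each select is asserted */
    bool     isolated;                /* latched once a protected select overruns */
} guard_t;

/* Safeguard 1: the processor's write strobe reaches the protected devices only if
   (a) at least one protected device is selected and
   (b) no non-protected device is selected at the same time. */
bool write_allowed(const guard_t *g, uint8_t select_lines)
{
    if (g->isolated)
        return false;
    bool hits_protected = (select_lines & g->protected_mask) != 0;
    bool hits_other     = (select_lines & (uint8_t)~g->protected_mask) != 0;
    return hits_protected && !hits_other;
}

/* Safeguard 2: called once per bus cycle. Counts how long each protected select
   has been held; past SEL_LIMIT cycles the guard latches into isolation.
   Returns true once isolation has been latched. */
bool guard_cycle(guard_t *g, uint8_t select_lines)
{
    for (int i = 0; i < N_DEVICES; i++) {
        if (!((g->protected_mask >> i) & 1))
            continue;                       /* only protected devices are watched */
        bool asserted = (select_lines >> i) & 1;
        g->sel_cycles[i] = asserted ? g->sel_cycles[i] + 1 : 0;
        if (g->sel_cycles[i] > SEL_LIMIT)
            g->isolated = true;             /* predetermined action: cut them off */
    }
    return g->isolated;
}

/* The selection outputs actually delivered to the devices: once isolated,
   the protected devices no longer see their selects at all. */
uint8_t effective_selects(const guard_t *g, uint8_t select_lines)
{
    return g->isolated ? (uint8_t)(select_lines & ~g->protected_mask) : select_lines;
}
```

Note that isolation is latched: in the prior art the isolation persists and does nothing to restore the processor, which is exactly the shortcoming the surrounding text goes on to describe.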
It is also well-known to provide "watchdog" circuits in computerized systems. In such a system the code executed by the processor includes periodic issuance of a watchdog signal which serves to clear a watchdog circuit. If an excessive time passes without receipt of the watchdog signal, the watchdog circuit takes protective action such as shutting down the system or resetting the processor. The latter action has the advantage that it may restore normal processor function if, for example, the malfunction was due to a spurious change in the value of the instruction pointer or program counter. But the watchdog circuit only triggers after the passage of a predetermined interval, and processor malfunction could conceivably alter crucial data during the predetermined interval and prior to a watchdog-induced reset. It would be most desirable if crucial data could enjoy more comprehensive safeguards against processor malfunction, with the safeguards implemented in such a way as to permit restoration of proper processor function if possible.