HK1048178B - Device for processing data and corresponding method - Google Patents
Device for processing data and corresponding method Download PDFInfo
- Publication number
- HK1048178B HK1048178B HK03100411.8A HK03100411A HK1048178B HK 1048178 B HK1048178 B HK 1048178B HK 03100411 A HK03100411 A HK 03100411A HK 1048178 B HK1048178 B HK 1048178B
- Authority
- HK
- Hong Kong
- Prior art keywords
- data
- protected
- memory
- processing unit
- unit
- Prior art date
Links
Description
Technical Field
The invention relates to an apparatus for processing data and a method of controlling such an apparatus.
Background
Data processing systems comprising processing elements and memory elements are increasingly used in a variety of different electronic fields. In the field of communications, most communication devices include a processor that executes programs stored in a suitable memory device to process data stored in the same memory device or elsewhere. An example of a communication device comprising a processor, typically a microprocessor controller, and a suitable memory chip is a mobile telephone.
One of the problems encountered with data processing systems is the data security problem. For example, the mobile telephone described above may contain different types of memory independent of the central processor, such as a flash memory or an EEPROM. An EEPROM may be emulated by a flash memory, or it may be partly a flash memory. Typically, such memories must be protected from unauthorized access to protect the normal operation of the mobile phone.
Of course, data security issues arise in any such data processing system, not just in mobile phones. The basic solution to the data security problem is to provide a protection software, e.g., an algorithm, for validating the EEPROM or emulating the sensitive data in the EEPROM. However, such software solutions suffer from problems that the software itself cannot overcome, for example, the possibility of skipping or changing the validation algorithm. Sometimes, it is also possible to circumvent a validation routine by using old software that does not contain a validation routine but still provides access to sensitive data.
In the article "BITS: a SMARTCARD PROTECTED OPERATING SYSTEM ", in the interest of Communications of the Association for Computing Machinery, US, Association for Computing Machinery, New York, Vol: 37, No.11, p.66-70, 94, a SYSTEM for improving computer security by means of a smart card is described. The system is called BITS (boot Integrity token System). The basic idea of BITS is that the host computer will be booted by a smart card. Key information required to complete a boot sequence is retrieved from a smart card so that boot integrity is determined by the security of the card, and during system start-up, two confirmations must be successfully performed to complete the boot sequence, i.e., first, the user authenticates himself to the smart card with a user password, and if successful, the smart card allows the user to read boot sectors and other information from the smart card memory. The data read from the smart card is used as the boot information, this data being read protected by user confirmation and write protected by security bureau confirmation. In other words, a security bureau clerk can change the guidance information on the smart card.
Summary of The Invention
It is an object of the invention to provide a better data processing device which is relatively simple to implement and which solves the above-mentioned problems.
The object of the present invention is achieved by the following technical means.
According to a first aspect of the present invention, there is provided an apparatus for processing data, comprising:
a processing unit (1) for executing a program routine, and
a storage unit (2) for storing a program routine to be executed by the processing unit (1), where:
at least a part of said memory cells (2) being arranged as a protected part (21) from which data can be read but to which data cannot be written in order to protect the protected part, wherein said protected part (21) is arranged such that, after initially storing data in said protected area (21), any subsequent writing of data to the protected part (21) is blocked,
the processing unit (1) has to execute a program routine stored in the protected part of the memory unit at start-up.
According to a second aspect of the present invention there is provided a communications device comprising a data processing device according to the first aspect of the present invention as described above. Wherein the processing unit (1) stores permanent start addresses (11) which have to be called upon start-up of the processing unit (1), wherein at least one of the start addresses points to the protected part (21) of the memory unit (2). Furthermore, the program routine in the protected part (21) executed at start-up of the processing unit (1) comprises calculating a characteristic parameter for the data detected to have changed and comparing the characteristic parameter with a value stored in the second part (22) of the storage unit (2) when writing the data detected to have changed in the second part (22) of the storage unit (2).
According to a third aspect of the present invention, there is provided a method of controlling a data processing apparatus having a processing unit (1) for executing program routines, and a storage unit (2) for storing program routines to be executed by said processing unit (1), wherein at least a part of said storage unit (2) is arranged as a protected portion (21) from which data can be read but to which data cannot be written, there being provided a mechanism for blocking any subsequent writing of data to the protected portion after the initial storage of data in said protected area, the method comprising:
making it necessary for the processing unit (1) to execute a program routine (S4) in the protected portion (21) of the memory unit at start-up (S3).
According to the invention, in a data processing device having a memory unit and a processing unit, on the one hand a protected section is provided in the memory unit of the data processing device, and on the other hand, at start-up, the processing unit has to execute a program routine stored in the protected section of the memory unit. With this arrangement, dedicated programs (e.g. security-related programs) can be executed, which cannot be changed by unauthorized users because they are stored in the protected portion of the storage unit. As will be described in more detail below, such security programs may be programmed to confirm that other data has not been tampered with.
An important aspect of the present invention is that no modifications to the processor are required. In other words, a straightforward solution to the above problem involves modifications to the processing unit to include the security mechanism, but such modifications to the processor are generally complex, time consuming and expensive. In contrast, the invention provides a very simple arrangement in which only a modified memory is required, which is quite simple. In particular, the in-use processor may be reserved, in which case the memory has to be managed in a specific way, i.e. the address fixed in the processor for booting (the so-called start address) points to the protected part of the memory device. Alternatively, a small change to the memory may be made, i.e. changing the starting address. Although this is a modification of the processor, it is quite simple and requires little expense.
Brief Description of Drawings
Various advantages and features of the present invention will become apparent from the following detailed description of examples thereof, when read in conjunction with the accompanying drawings, wherein:
FIG. 1 depicts the basic structure of one example of the present invention;
FIG. 2 depicts the structure of another example of the present invention;
FIGS. 3a and 3b illustrate a preferred storage device for use with the data processing system of the present invention;
FIG. 4 is a flow diagram illustrating a process for storing data in a protected portion to thereby protect the data;
FIG. 5 is a flowchart illustrating the basic operation of the data processing system of the present invention;
FIG. 6 is a block diagram of an example of a memory cell.
Detailed description of the embodiments
Fig. 1 shows an example of the present invention. Reference numeral 1 refers to a processor, for example a microprocessor controller. Reference numeral 11 denotes a start address in the processor, wherein the start address cannot be changed from the outside. In other words, when the processor 1 starts up, it must call the start address stored in the memory portion 11.
Reference numeral 2 is a memory system comprising a first part 21, which is a protected part, and a second part 22, to which data can be freely written. The processor 1 and the memory 2 are connected by an address line 3 and a data line 4. The symbol CLK provides the clock signal for the circuit and the symbol U provides the operating voltage for the circuit.
The protected portion is protected from writing data thereto. This may be achieved by any suitable method.
The protected part 21 is preferably organized in such a way that it is no longer possible to write data to it after storing the initial data in the part. In other words, the memory must be arranged such that initially dedicated data and program routines can be stored in the protected portion 21, and then a mechanism must be used to ensure that it is not possible to subsequently rewrite the data to that area. A preferred example of a memory implemented in this way is shown in fig. 4. In this case, a so-called one-time programming region is provided in a flash memory device in which there is a mechanism to disable a write line to the protected portion (e.g., by burning the write line to break the line, a so-called fusable link). The memory destroys the write line in response to a predetermined signal. In this manner, for an apparatus (i.e., a mobile phone) in which the data processing device of the present invention is to be built, the manufacturer can write necessary programs and data into the protected portion (step S1 in fig. 4), and then, send a predetermined signal to blow the write line (fusible link). As a result, it is not possible to subsequently write data to the protected portion. Therefore, the data in this portion is not changed (step S2 in fig. 4).
Naturally, this is only a preferred example and the invention extends to any type of storage device in which it may be desirable to protect a specified portion of the memory from being written to. For example, memories are known having input lines in which predetermined portions of the memory are protected from writing whenever certain predetermined signals (e.g., ground voltage 0 or supply voltage) are present on the input lines.
In connection with fig. 6, another example is described, in which a memory has a so-called finite state machine FS. Since finite state machines are known in the art, they will only be briefly described here. The memory 1A has an address bus 70, a data bus 71, read/write (R/W) access lines 72, and a line 73 for switching the state of a finite state machine (FS). NO stands for normal operation and FSO stands for finite state operation. The finite state machine is basically a program that is implemented in the memory 1A by hardware, and thus cannot be changed from the outside, thereby achieving a basic security requirement. The hardware implemented program is part of address logic that handles addresses that are sent to memory via an address bus.
For example, if line 73 is high (i.e., 1), the memory is in a normal operating state and data bus 71 is used to transfer data in a conventional manner. If the line 73 is low (i.e. 0), the data bus 71 is used to control the finite state machine FS.
In the application of the invention, the finite-state machine FS has two states, called a first state, in which writing of data into a predetermined portion of the memory 1A is allowed (i.e. the portion will be the protected portion), and a second state, which is a locked state, in which data cannot be written into the predetermined portion. The finite state machine is arranged as follows: the transition from the first state to the second state is irreversible, i.e. once the machine is locked, it is no longer possible to transition back to the first state and, consequently, to write to the protected portion. This can be done in any suitable way with known finite state machines. For example, the finite state program may be chosen so that the locked state is controlled by a dedicated value in the protected portion, so that writing to the protected portion is allowed as long as the initial value is at a specified address, and once the value of the specified address changes (which is a state transition), the finite state program will fall into a dead loop or abort if an attempt is made to write to an address of the protected portion, and since the specified address is in the protected portion, it will not be changed, so the locked state is permanent.
Returning now to fig. 1, the arrangement of the system is such that the addresses contained in the part 11 of the processor 1 point to the protected part 21 of the memory 2. In other words, at start-up, the processor 1 will call one or more addresses in the protected portion 21 of the memory 2 and subsequently execute the programs contained therein. This is explained in the upper part of fig. 5, fig. 5 showing a control operation flow according to the present invention. In a first step S3, the memory and the processor CP are started by supplying a supply voltage U and a clock signal CLK. Then, at step S4, the processor CP calls the start address pointing to the protected portion of memory. Finally, at step S5, the processor CP executes the program in the protected portion.
It should be noted that it is not necessary to store a dedicated program in the protected part 21 of the memory 2, since in the case where the processor 1 has been programmed, it is sufficient for the processor to only call up dedicated parameters stored in this protected part 21, where the processor 1 processes these parameters in a subsequent pre-programmed routine.
The processing that should be performed at start-up may be selected according to the requirements and desires specified in a given application. According to a preferred example, the routine executed at startup is a security routine, as shown in the lower portion of the flow chart of FIG. 5. More specifically, in the case of fig. 5, the program routine executed at startup checks for unauthorized changes in the unprotected part 22 of the memory 2.
For example, in the case of the data processing device of the invention being used in a mobile telephone, certain parameters (such as services, priorities, etc.) relating to a given user of the mobile telephone may be stored in the unprotected part 22, these parameters possibly being changed during the execution of the routine by the processor 1. However, it is also possible that an unauthorized user will access these parameters and change them. To check for such an unauthorized access, a characteristic parameter may be stored for the data in the unprotected part 22, along with any changed parameters. A typical example of such a characteristic parameter is a checksum. Another example is the result of a cryptographic hash function. In other words, each time the authorized enterprise (processor) changes the data in the storage portion 22, a checksum of the corresponding change is stored. In this manner, the routine of verifying whether unauthorized access and changes are performed may include a routine of calculating a checksum and comparing it to a stored value. If a deviation occurs, the routine determines that an unauthorized data change has occurred. As shown in the lower part of fig. 5, if an unauthorized change is detected (yes at step S6), the routine reacts by invoking any type of desired security or emergency procedure (e.g., turning off the equipment) or, if no change is detected, continues with normal operation.
Although in fig. 1 the memory 2 is a single unit, this should be understood as an abstract description, i.e. the memory may be a single unit or may comprise a plurality of physically separate memory devices, as shown in fig. 2. In fig. 2, the same reference numerals are used for the components already described in fig. 1. And thus need not be repeated. As shown in fig. 2, the memory 2 contains a plurality of memory devices, such as individual memory chips 201, 202, 203. The particular arrangement of the memory devices or chips is not important to the present invention. For example, the protected portion shown as 21 in FIG. 1 may be made up of the entire chip 201 in FIG. 2, i.e., chip 201 has no write access. The remaining chips 202, 203 may all be conventional EEPROMs, i.e., chips that are all capable of normal write access. Naturally, it is also possible that each chip 201, 202, 203 has a first part that is protected and a second part that is unprotected, where, for example, an address in the part 11 of the processor 1 points to an address in the protected part of the chip 201, which protected part of the chip 201 points to the other protected parts of the other chips 202, 203. In the latter case, all protected parts of the chips 201, 202, 203.
It may be noted that although the above example relates to a system in which the memory has a protected portion to which data cannot be written, it is still possible to read the data in the protected portion, even by an unauthorized user. In order to make it difficult for an unauthorized user to read out data in the protected area, a preferred example of a memory in a data processing device of the invention is shown in fig. 3a and 3 b. In fig. 3a and 3b, a memory chip 5 is shown, which has an electrical contact 51 soldered or connected to an electrical lead 61 on a circuit board 6. Fig. 3a shows the components before mounting and fig. 3b shows the device after mounting of the memory chip 5 on the wiring board 6, where the electrical contacts 51 and the electrical leads 61 have been merged into contacts 71. It should be noted that the representation in fig. 3b is enlarged, and in practice the spacing between the memory chip 5 and the wiring board 6 is particularly small, and it is not possible to operate the contacts 71 after the chip 5 has been mounted on the wiring board 6.
Therefore, as shown in fig. 3, after the chip 5 is mounted on the wiring board 6, the final contacts 71 obtained by the electrical contacts 51 are completely covered by the chip 5, and it is not possible to operate the contacts 51 at all from the outside. For example, the contacts 51 may be small hemispheres organized in a so-called ball grid array.
With the arrangement of fig. 3, it is prevented that an unauthorized user can get access to the signals flowing through the contacts during operation of the chip, so that during operation of the chip, in order to monitor the signals entering or exiting the memory chip 5, the chip must be removed from the circuit board and a corresponding replacement connection provided. This is a tedious and tedious process sufficient to circumvent the monitoring of signals between the memory and the rest of the line by the intended unauthorized user. It should be noted that even if it is possible to read data from the protected part after removing the memory chip 5 from the circuit board, it is undoubtedly a cumbersome and tedious process to replace the chip on the circuit board, since this mounting process is done mechanically with high precision during manufacture, i.e. the spacing between the contacts is generally particularly small.
Naturally, the connections between the memory and the processor on the board must also be hidden in a suitable manner, for example, they must be destroyed to access the board, and electrical contacts to the processor must also be inaccessible, for example, in the manner described above in connection with the memory.
As already mentioned above, the invention provides an arrangement in which a relatively high data security can be obtained in an inexpensive manner. A recommended application of the data processing device of the invention is in a communication device. Such a communication device may be, for example, a mobile phone. A particularly recommended application of the data processing device is a communication device supporting the so-called Bluetooth technology. Bluetooth technology is designed to enable users to connect their portable computers, digital cellular telephones, handheld devices, network access points, and other mobile devices via a wireless short-range radio frequency link that is not line-of-sight restricted. Bluetooth technology increases the convenience and breadth of wireless connectivity by not requiring a proprietary cable and by not requiring targeted communication over an IR link to connect the devices. Bluetooth operates in the ISM "Idle band" at 2.45 GHz. Details of this technique may be found, for example, inhttp://www.bluetooth.comFinding the website address.
The present invention has been described above by way of examples, and it should be understood that these examples are only for the purpose of clearly understanding the present invention by those skilled in the art, and they do not limit the scope of the present invention.
Claims (27)
1. Apparatus for processing data, comprising:
a processing unit (1) for executing a program routine, and
a storage unit (2) for storing a program routine to be executed by the processing unit (1), where:
at least a part of said memory cells (2) being arranged as a protected part (21) from which data can be read but to which data cannot be written in order to protect the protected part, wherein said protected part (21) is arranged such that, after initially storing data in said protected part (21), any subsequent writing of data to the protected part (21) is blocked,
the processing unit (1) has to execute a program routine stored in the protected part of the memory unit at start-up.
2. A device as claimed in claim 1, wherein the processing unit (1) stores permanent start addresses (11) which have to be called upon start-up of the processing unit (1), where at least one of the start addresses points to the protected part (21) of the storage unit (2).
3. A device according to claim 1 or 2, wherein said protected part (21) of said memory unit (2) is a first part, said memory unit further comprising a second part (22) to which data can be written, wherein the program routine in said protected part (21) that is executed at start-up of said processing unit (1) comprises checking for changes in at least a part of the data contained in said second part (22).
4. A device as claimed in claim 3, wherein said program routine in said protected part (21) that is executed at start-up of said processing unit (1) comprises calculating a characteristic parameter for data that is detected to have changed and comparing said characteristic parameter with a value stored in said second part (22) of said memory unit (2) when said data that is detected to have changed is written in said second part (22) of said memory unit (2).
5. The apparatus of claim 4, wherein said characteristic parameter is a checksum.
6. The device of claim 1, 2 or 4, wherein the storage unit (2) comprises a plurality of storage devices (201, 202, 203), one storage device (201) of the plurality of storage devices comprising the protected portion, the remaining storage devices (202, 203) of the plurality of storage devices being arranged such that data can be written thereto.
7. The device of claim 1, 2 or 4, wherein the protected portion (21) is arranged such that storing the data comprises:
writing data to the protected portion (21) through a write line (S1), and
a signal is sent to the protected portion (S2) in accordance with which the write line is permanently interrupted.
8. The apparatus of claim 7 wherein said write line is a fusable link.
9. A device as claimed in claim 1, 2 or 4, wherein said memory unit (1) comprises a finite state machine, said finite state machine defining a state which protects said protected portion from being written to.
10. The device of claim 1, 2 or 4, wherein said storage unit (2) comprises one or more of an EEPROM, a flash memory device, and a flash memory device emulating an EEPROM.
11. A device according to claim 1, 2 or 4, wherein said memory unit (2) comprises a memory chip (5) having an electrical contact (51) connected to a circuit board (6), said electrical contact (51) being covered by said memory chip (5) when said memory chip (5) is mounted on said circuit board (6).
12. The apparatus of claim 11, wherein said electrical contacts (51) are arranged in a ball grid array.
13. Communication device comprising a device for processing data according to claim 1, 2 or 4.
14. The communication device of claim 13, wherein said communication device is a mobile telephone.
15. The communication device of claim 13, wherein said communication device is a bluetooth communication device.
16. Method of controlling a data processing device having a processing unit (1) for executing program routines, and a memory unit (2) for storing program routines to be executed by said processing unit (1), wherein at least a part of said memory unit (2) is arranged as a protected portion (21) from which data can be read but to which data cannot be written, wherein a mechanism is provided for blocking any subsequent writing of data to the protected portion after initial storing of data in said protected portion, the method comprising:
making it necessary for the processing unit (1) to execute a program routine (S4) in the protected portion (21) of the memory unit at start-up (S3).
17. A method as claimed in claim 16, wherein said processing unit stores permanent start addresses that must be called upon startup of said processing unit, where at least one of said start addresses points to said protected portion of said storage unit.
18. The method according to one of claims 16 or 17, wherein said protected portion of said memory unit is a first portion, said memory unit further comprising a second portion to which data can be written, wherein said program routine in said protected portion executed at start-up of said processing unit comprises detecting a change in at least a part of the data contained in said second portion.
19. A method as claimed in claim 18, wherein said program routine in said protected portion executed at start-up of said processing unit comprises calculating a characteristic parameter for data whose change is detected and comparing said characteristic parameter with a value stored in said second portion of said storage unit when said data whose change is detected is written in said second portion of said storage unit.
20. The method of claim 19, wherein said characteristic parameter is a checksum.
21. A method as claimed in claim 16, 17, 19 or 20, wherein said storage unit comprises a plurality of storage devices, one of which contains said protected portion, the remaining storage devices being arranged to be writable with data.
22. A method as claimed in claim 16, 17, 19 or 20, wherein said protected portion is arranged such that the process into which the data is stored comprises:
writing data to said protected portion via a write line, an
A signal is sent to the protected portion, in response to which the write line is permanently interrupted.
23. The method of claim 22 wherein the write line is a fusible line.
24. A method as claimed in claim 16, 17, 19 or 20, wherein said memory unit (2) comprises a finite state machine, said finite state machine defining a state which protects said protected portion from being written to.
25. A method as claimed in claim 16, 17, 19 or 20, wherein said storage unit comprises one or more of an EEPROM, a flash memory device, and a flash memory device emulating an EEPROM.
26. The method of claim 16, 17, 19 or 20, wherein said memory unit comprises a memory chip having an electrical contact connected to a circuit board, said electrical contact being covered by said memory chip when said memory chip is mounted on said circuit board.
27. The method of claim 26, wherein said electrical contacts are arranged in a ball grid array.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP99111962.9 | 1999-06-25 | ||
| EP99111962A EP1063589A1 (en) | 1999-06-25 | 1999-06-25 | Device for processing data and corresponding method |
| PCT/EP2000/005634 WO2001001243A2 (en) | 1999-06-25 | 2000-06-19 | Device for processing data and corresponding method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1048178A1 HK1048178A1 (en) | 2003-03-21 |
| HK1048178B true HK1048178B (en) | 2005-04-29 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1665001B1 (en) | Method for detecting and reacting against possible attack to security enforcing operation performed by a cryptographic token or card | |
| EP1194845B1 (en) | Device for processing data and corresponding method | |
| US20050138409A1 (en) | Securing an electronic device | |
| KR100929870B1 (en) | How to keep BIOS security of computer system | |
| US7953913B2 (en) | Peripheral device locking mechanism | |
| WO2004015553A1 (en) | Computer architecture for executing a program in a secure of insecure mode | |
| KR100640881B1 (en) | How to prevent user recognition module hacking of mobile communication terminal | |
| EP2078272B1 (en) | Protecting secret information in a programmed electronic device | |
| US9262631B2 (en) | Embedded device and control method thereof | |
| US9406388B2 (en) | Memory area protection system and methods | |
| CN116745765A (en) | Secure in-service firmware updates | |
| US7228569B2 (en) | Programmable unit | |
| WO2003081544A2 (en) | Enhanced memory management for portable devices | |
| EP2429226A1 (en) | Mobile terminal and method for protecting its system data | |
| WO2007035811A1 (en) | Hardware-assisted device configuration detection | |
| WO2001097010A2 (en) | Data processing method and device for protected execution of instructions | |
| HK1048178B (en) | Device for processing data and corresponding method | |
| US7836219B1 (en) | System and method for authentication of embedded RAID on a host RAID card | |
| GB2425193A (en) | Method for updating the software in a processor unit | |
| EP1535124A1 (en) | Computer architecture for executing a program in a secure of insecure mode | |
| KR100351875B1 (en) | Method for protection copying electrically serial number of mobile station | |
| EP2335180B1 (en) | Memory access control | |
| CN119987803A (en) | Firmware upgrade method, device, intelligent terminal and storage medium | |
| CN114444142A (en) | Information protection method, electronic device and readable storage medium | |
| JP2002073417A (en) | Memory protection device, wireless mobile station device and wireless base station device using the device |