Title of Invention

PROTECTION UNIT FOR A PROGRAMMABLE DATA PROCESSING DEVICE

Abstract
A protection unit (PU) for a (programmable) data-processing device (DE), such as a controller of a motor vehicle, airplane, ship, or the like, the data-processing device comprising at least one operating memory (BS) in which operating data (BD) can be stored or is stored for the operation of the data-processing device, the protection unit (PU) having at least one monitoring logic (ÜL) and at least one protection logic (SL) in an execution environment (AU) protected against unauthorized access. For monitoring unauthorized modifications, access, or similar protection violations of the operating data stored in the operating memory, the monitoring logic (ÜL) accesses the operating memory and notifies the protection logic (SL) in case of any protection violation, and the protection logic provides replacement data for the operation, or for the substitute operation, of the data-processing device in case of any protection violation.
Full Text

FIELD OF INVENTION
The invention relates to a protection unit for a (programmable)
data-processing device, the data-processing device comprising at least one
operating memory in which operating data can be stored or is stored for the
operation of the data-processing device.
BACKGROUND OF THE INVENTION
A programmable data-processing device denotes in particular a
control unit or controller in a motor vehicle, airplane, ship, a machine in an
assembly line, or a remotely administered plant. Such data-processing devices,
such as programmable controllers, are currently integrated in modern vehicles in
large numbers and in great variety. Increasingly they are networked with their
environment, especially since "infotainment" and traffic detection systems are
becoming increasingly important.
It is generally known to protect data-processing devices, such as
personal computers that are connected to computer networks, for example the
internet, from viruses or attacks by means of antivirus software or other
programs. Such developments have not had any influence at all on the reliability
or safety of data-processing devices in, for example, motor vehicles.
The invention therefore has the object of creating a
(programmable) protection unit for a (programmable) data-processing device,
such as a motor vehicle controller, that ensures reliable and safe operation of the
data-processing device.
SUMMARY OF THE INVENTION
In order to attain this object the invention provides a protection
unit for a (programmable) data-processing device, such
as a controller of a motor vehicle, or the like, where the data-
processing device comprises at least one operating memory in which
operating data can be or is stored for the operation of the data-
processing device,
wherein the protection unit has at least one monitoring
logic and at least one protection logic in an execution environment
protected against unauthorized access,
wherein the monitoring logic accesses the operating
memory for the monitoring of unauthorized modifications, access, or
similar protection violations of the operating data stored in the
operating memory, and notifies the protection logic in case of any
protection violations, and
wherein the protection logic provides non-compromised
replacement data for a substitute operation of the data-processing
device in case of a protection violation. Data (operating data on
one hand, and replacement data on the other hand) denotes data,
programs, memory areas, or the like, within the scope of the
invention that determine or influence the operation of such a data-
processing device. Protection violation denotes in particular
unauthorized access to the operating memory or the operating data
as well as unauthorized modifications to the operating data within
the scope of the invention.
Within the scope of the invention a protection unit for a
programmable data-processing device, such as a controller of a
motor vehicle, is therefore provided that protects the data-
processing device against unauthorized access to, or unauthorized
modification of, the operating data. Unauthorized modifications of
the data, and thus protection violations of the data-processing
device, can be determined continuously or cyclically by means of the
monitoring logic of the protection unit. Corresponding test
programs (monitoring logic) are stored within the protection unit
in a tamper-proof manner and are executed in a tamper-proof manner.
In particular, the protection unit is protected against
unauthorized reading or writing of these programs and their data.
If the monitoring logic detects a protection violation, it
notifies the protection logic, which in turn provides
non-compromised replacement data for the operation, or for a
substitute operation, of the data-processing device. This
replacement data, or the substitute operation, thus forms
"emergency operation instructions." In this regard the invention
is based on the recognition that it is not only essential to detect
tampering with or unauthorized access to the operating memory, but
that despite such a protection violation error-free operation, or
at least an "emergency running operation," or "substitute
operation," of the data-processing device must be ensured. This
ensures, for example in motor vehicles, that in case of an
unauthorized manipulation at least an emergency running operation
or emergency operation is provided. This consideration takes
particular account of the fact that progressive electrification, or
automation, of the primary driving functions in motor vehicles
(drive-by-wire technology) makes increased demands on safety. It
must be ensured at all times that the controllers involved behave
in accordance with specifications, and that in case of a fault,
emergency running instructions can be reverted to quickly. The
protection unit according to the invention thus forms a secure
trust anchor that gives full effect to the protection measures, and
can execute the protective operation quickly enough to prevent
dangerous behavior of the motor vehicle caused by manipulation of
its controllers.
Advantageous further embodiments of the invention are
explained as follows. It is provided that the protection unit has
at least one monitoring memory that stores information on one or
more detected protection violations. Furthermore, an information
interface is preferably provided by means of which information on
the protection violations and/or other status information can be
read from the protection unit. Information on the protection
violations detected by the monitoring logic and on the start of the
emergency running instructions, or of the replacement data, can be
read from the monitoring memory in an authorized manner by means of
this information interface and provided to the relevant devices to
notify the user. The authorization information required for reading
is stored in the execution environment. For this purpose, different
authorization information can be stored in the execution
environment so that different memory areas can be read depending on
the authorization information presented to the information
interface. Thus a role model can be provided for access to the
monitoring memory.
According to a further proposal of the invention, the
protection unit has an administration interface. Authorization
information of the execution environment can be exchanged by means
of this administration interface. For this purpose, the execution
environment receives at least one piece of initial authorization
information. In this manner, new authorization information, as
well as new monitoring logics and/or protection logics, can be
incorporated into the execution environment after successful
external authorization.
The execution environment for the logics of the
protection unit is preferably hardware, or in the form of hardware.
This execution environment forms a runtime environment for the
logics and the memory described above and is protected against
unauthorized write and read access. The execution environment
holds the authorization information needed to execute the
emergency running instructions, or the substitute operation,
securely, i.e. only after successful authorization. The execution
environment further holds the authorization information needed to
reload modified protection logics and/or monitoring logics into the
protection unit in an authorized manner. This authorization
information may be, for example, cryptographic keys with which the
signatures of the logics can be verified, or with which the logics
can, if necessary, be decrypted.
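The two interfaces described above, the information interface with its role model for reading the monitoring memory and the administration interface that exchanges authorization information and reloads logics after external authorization, as an added Python example that is not code from the patent or its applicant. The authorization information of the execution environment AU is modelled as HMAC-SHA256 keys (constructed demo values), one per role for reads and one administrator key for the administration interface; the role names, record fields, nonce scheme and message prefixes are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example, not code from the patent or its applicant. The authorization
# information of the execution environment AU is modelled as HMAC-SHA256 keys
# (constructed demo values): one key per role for reads via the information
# interface IS, and one administrator key that the administration interface AS
# checks before accepting new logic or new authorization information. A real
# protection unit would rather hold a public key and verify asymmetric signatures.


@dataclass
class ExecutionEnvironment:
    """AU: the protected store for authorization information and loaded logic."""
    role_keys: dict[str, bytes]
    admin_key: bytes                    # initial authorization information
    monitoring_logic: bytes = b""       # FPGA code or software of the monitoring logic, once loaded
    seen_nonces: set[bytes] = field(default_factory=set)


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


# Role model for the monitoring memory: which record fields each role may read.
ROLE_FIELDS = {
    "driver": ("kind",),
    "workshop": ("kind", "region", "at"),
    "manufacturer": ("kind", "region", "at", "replacement"),
}


class InformationInterface:
    """IS: authorized, role-scoped read access to the monitoring memory."""

    def __init__(self, au: ExecutionEnvironment, monitoring_memory: list[dict]):
        self.au, self.us = au, monitoring_memory

    def read(self, role: str, nonce: bytes, proof: bytes):
        key = self.au.role_keys.get(role)
        if key is None or nonce in self.au.seen_nonces:
            return None                                 # unknown role or replayed request
        if not hmac.compare_digest(mac(key, b"read|" + role.encode() + b"|" + nonce), proof):
            return None                                 # proof was not made with this role's key
        self.au.seen_nonces.add(nonce)
        fields = ROLE_FIELDS[role]
        return [{f: rec[f] for f in fields} for rec in self.us]


class AdministrationInterface:
    """AS: reloads logic and exchanges authorization information, after authorization."""

    def __init__(self, au: ExecutionEnvironment):
        self.au = au

    def load_monitoring_logic(self, code: bytes, signature: bytes) -> bool:
        if not hmac.compare_digest(mac(self.au.admin_key, b"logic|" + code), signature):
            return False
        self.au.monitoring_logic = code
        return True

    def replace_admin_key(self, new_key: bytes, signature: bytes) -> bool:
        # New authorization information is accepted only under the current one.
        if not hmac.compare_digest(mac(self.au.admin_key, b"key|" + new_key), signature):
            return False
        self.au.admin_key = new_key
        return True


def demo() -> dict:
    """Constructed scenario exercising both interfaces."""
    au = ExecutionEnvironment(
        role_keys={"driver": b"k-driver", "workshop": b"k-workshop", "manufacturer": b"k-oem"},
        admin_key=b"k-admin-initial",
    )
    us = [{"kind": "signature", "region": "engine_map", "at": 1700000000,
           "replacement": "ED-SIG"}]          # constructed monitoring-memory record
    info, admin = InformationInterface(au, us), AdministrationInterface(au)
    nonce = b"n1"
    proof = mac(b"k-workshop", b"read|workshop|" + nonce)
    out = {
        "workshop": info.read("workshop", nonce, proof),
        "replay": info.read("workshop", nonce, proof),
        "driver_with_workshop_key": info.read("driver", b"n2", mac(b"k-workshop", b"read|driver|n2")),
        "driver": info.read("driver", b"n3", mac(b"k-driver", b"read|driver|n3")),
    }
    code = b"UL v2: signature + bounds check"
    out["load_unsigned"] = admin.load_monitoring_logic(code, b"\x00" * 32)
    out["load_signed"] = admin.load_monitoring_logic(code, mac(b"k-admin-initial", b"logic|" + code))
    out["rotate"] = admin.replace_admin_key(b"k-admin-2", mac(b"k-admin-initial", b"key|k-admin-2"))
    out["load_with_old_key"] = admin.load_monitoring_logic(code, mac(b"k-admin-initial", b"logic|" + code))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The nonce set is the one addition the page does not mention: without it a captured read proof could be replayed indefinitely, which matters because the information interface is the one path out of the protected environment. Rotating the administrator key under the current key is what "exchanging authorization information" amounts to in practice; after rotation, logic signed under the old key is refused.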
It is further within the scope of the invention that the
monitoring logic may be part of the execution environment and
therefore part of the underlying hardware. In this case the
monitoring logic is thus built or integrated into the hardware.
However, the monitoring logic is preferably software. Software
within the scope of the invention also denotes executable code for
a programmable module, such as an FPGA. Such a monitoring logic
embodied as software is preferably not loaded into the execution
environment until the time of execution. It is stored either
within the protection unit or in a memory area of the data-
processing device. Before the monitoring logic is executed, the
execution environment verifies, by means of the authorization
information stored within it, whether the monitoring logic is
authorized to execute. At runtime, the monitoring logic forms with
the data-processing device an interface by means of which the
corresponding data (or programs/memory areas) can be "permanently"
verified for correctness by a respective logic unit. This can, for
example, be done by verifying an electronic signature of the data
(or programs/memory areas) using cryptographic mechanisms, or by
monitoring memory bounds that no executed program may exceed. For
example, malicious modifications to the code by viruses, Trojan
horses, buffer overflows, etc. can be recognized in this manner.
The protection logic can also be part of the execution
environment and thus of the underlying hardware, and therefore it
may also be hardware. Preferably, however, the protection logic is
also software. Here, too, software comprises executable code for a
programmable module, such as an FPGA. Thus the protection logic,
too, need not be loaded into the execution environment until the
time of execution. It is stored in the protection unit or in a
memory area of the data-processing device.
It is also within the scope of the invention that the
monitoring memory, the information interface, the administration
interface, and/or the operating data, or the operating memory, are
in software, or code for a programmable module (FPGA).

A further subject of the invention is a data-processing
device, such as a controller for a motor vehicle or the like,
having at least one protection unit of the type described above.
The invention thus also includes within the scope of protection the
combination of a data-processing device on one hand, and a
protection unit on the other hand, i.e. a data-processing device
into which at least one protection unit is integrated.
A further subject of the invention is a method for
monitoring a data-processing device by means of at least one
protection unit of the type described above, where the monitoring
logic accesses the operating memory and determines possible
protection violations, where the monitoring logic notifies the
protection logic in case of a protection violation, and where the
protection logic provides replacement data for the operation of the
data-processing device, or for a substitute operation, in case of a
protection violation. Information on detected protection
violation(s) is stored in the monitoring memory. For this purpose,
the monitoring logic can access the operating memory continuously
or, preferably, cyclically (i.e. quasi-continuously) at a
predetermined clock frequency. To detect protection violations,
for example, an electronic signature of the operating data is
verified.
Therefore, within the scope of the invention the memory of the
data-processing device is "constantly" being checked by the
monitoring logic. This can occur, for example, by verifying an
electronic signature of the data by means of cryptographic
mechanisms, or by monitoring memory bounds that no executed program
may exceed. Malicious modifications to the code by means of
viruses, Trojan horses, buffer overflows, etc. can be recognized in
this manner. The sampling rate, i.e. the frequency at which the
correctness of the data is checked by the monitoring logic, can be
configured via the administration interface. If the monitoring
logic has recognized a protection violation, it notifies the
protection logic of the type of protection violation. Before the
protection logic is executed, the execution environment checks, by
means of the authorization information stored there, whether the
protection logic is authorized to execute. The protection logic
accepts data only from a monitoring logic that has been authorized
by the execution environment. At runtime, the protection logic
forms an interface to the data-processing device by means of which
access by the data-processing device to the data affected by the
protection violation is prevented.
It is of considerable importance that different
replacement data can be provided depending on the type of
protection violation. The protection logic thus activates one set
of stored replacement data, or emergency running instructions, in a
fail-safe manner. For this purpose, the appropriate emergency
running instructions are verified by means of the authorization
information stored in the execution environment and are executed
if the verification succeeds. If the authorization fails, initial
emergency running instructions stored in the protection logic
itself are executed instead. Depending on the design of the
protection logic, the protection unit itself then executes the
emergency running instructions. If the protection logic does not
handle the execution of the emergency running instructions, the
emergency running instructions are transferred to the data-
processing device for execution, and execution is started in the
runtime environment of the data-processing device via the interface
of the protection logic. Subsequently the monitoring logic monitors
the emergency running instructions being executed, instead of the
data affected by the protection violation.
Thus the replacement data described within the scope of
the invention, which is also called "emergency running
instructions," is preferably a logic, or multiple logics, which are
executed either within the protection unit, instead of and hence as
a substitute for the operating data available in the data-
processing device, or else outside of the protection unit in the
data-processing device by means of the protection logic. In each
case each set of emergency running instructions carries
authorization information, such as an electronic signature, that
enables secure verification of the authorization of the emergency
running instructions by the protection logic within the execution
environment. The emergency running instructions are executed only
after successful authorization. The emergency running
instructions, or replacement data, are stored by the protection
unit. As an alternative, the replacement data, or the emergency
running instructions, can also be stored in a memory area of the
data-processing device and then securely loaded by the protection
logic. Corresponding replacement data, or emergency running
instructions, can be reloaded into the protection unit or the
data-processing device in an authorized manner by means of the
authorization information in the execution environment.
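The monitoring and fallback procedure described in the preceding paragraphs (cyclic check of the operating memory, record in the monitoring memory, notification of the protection logic with the violation type, selection and verification of replacement data, fallback to the initial emergency running instructions held in the protection logic, and monitoring of the replacement data thereafter), as an added Python example that is not code from the patent or its applicant. HMAC-SHA256 stands in for the electronic signature and AUTH_KEY for the authorization information held in the execution environment AU; the region names, memory contents, the "bounds" model of the memory threshold check and the violation types are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Added example, not code from the patent or its applicant. HMAC-SHA256 stands in
# for the "electronic signature" of the operating data; AUTH_KEY plays the role of
# the authorization information held inside the protected execution environment AU.
# All memory contents below are constructed sample data.
AUTH_KEY = b"constructed-demo-key-held-in-AU"


def sign(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(data), tag)


@dataclass
class Region:
    """One area of the operating memory BS: operating data BD, its signature, and
    the bound (the page's "memory threshold") that no executed program may exceed."""
    data: bytearray
    tag: bytes
    limit: int
    used: int = 0


@dataclass
class Violation:
    """One record in the monitoring memory: type, affected area and time."""
    kind: str          # "signature" or "bounds" (constructed violation types)
    region: str
    at: float


class ProtectionLogic:
    """SL: picks replacement data ED by violation type and verifies it before use."""

    def __init__(self, replacement: dict[str, tuple[bytes, bytes]]):
        self.replacement = replacement          # kind -> (ED bytes, signature)
        # Initial emergency running instructions held in the protection logic itself,
        # provisioned with their own signature so the monitor can keep checking them.
        initial = b"INITIAL: limp-home, fixed map, speed cap"
        self.initial = (initial, sign(initial))
        self.fallbacks = 0

    def activate(self, v: Violation) -> tuple[bytes, bytes]:
        ed = self.replacement.get(v.kind)
        if ed is not None and verify(*ed):
            return ed
        self.fallbacks += 1                      # authorization failed: use the initial set
        return self.initial


class MonitoringLogic:
    """Monitoring logic: verifies every region of BS each cycle and notifies SL."""

    def __init__(self, memory: dict[str, Region], sl: ProtectionLogic):
        self.memory, self.sl = memory, sl
        self.monitoring_memory: list[Violation] = []

    def check_once(self) -> list[Violation]:
        found = []
        for name, r in self.memory.items():
            if not verify(bytes(r.data), r.tag):
                found.append(Violation("signature", name, time.time()))
            elif r.used > r.limit:
                found.append(Violation("bounds", name, time.time()))
        for v in found:
            self.monitoring_memory.append(v)
            ed, tag = self.sl.activate(v)        # the notification carries the violation type
            # The replacement data takes the place of the affected data in the device;
            # from now on the monitor checks the emergency running instructions instead.
            self.memory[v.region] = Region(bytearray(ed), tag, self.memory[v.region].limit)
        return found

    def run(self, cycles: int, period_s: float) -> int:
        """Cyclic check at the rate configured via the administration interface."""
        total = 0
        for _ in range(cycles):
            total += len(self.check_once())
            time.sleep(period_s)
        return total


def demo() -> dict:
    """Constructed scenario: a signature violation, then a bounds violation whose
    prepared replacement data carries a wrong signature and triggers the fallback."""
    bd = bytearray(b"ENGINE-MAP: normal ignition timing table")
    memory = {"engine_map": Region(bd, sign(bytes(bd)), limit=256, used=100)}
    good = b"ED-SIG: reduced-power map"
    bad = b"ED-BOUNDS: restart task"
    sl = ProtectionLogic({
        "signature": (good, sign(good)),
        "bounds": (bad, sign(b"something else")),   # constructed: signature does not match
    })
    ul = MonitoringLogic(memory, sl)
    out = {"clean": ul.check_once()}
    memory["engine_map"].data[3] ^= 0xFF            # tamper with the operating data
    out["after_tamper"] = ul.check_once()
    out["now_running"] = bytes(memory["engine_map"].data)
    memory["engine_map"].used = 300                 # a program exceeds the 256-byte bound
    out["after_overflow"] = ul.check_once()
    out["after_fallback"] = bytes(memory["engine_map"].data)
    out["fallbacks"] = sl.fallbacks
    out["log"] = [(v.kind, v.region) for v in ul.monitoring_memory]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two caveats a practitioner would add. A key that can verify an HMAC can also forge one, so a real protection unit would hold a public key in the execution environment and keep the signing key with the manufacturer, which is what the page's "sole control of an automobile manufacturer" implies. And the memory is unchecked between two cycles, so the sampling rate set via the administration interface bounds how long a modification can act before the replacement data takes over; the page does not say how the protection logic blocks access to the affected data, and the example models it only by swapping the region.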
The invention will be explained in further detail by means of a drawing
illustrating only one embodiment example, as follows.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWING
The single figure shows in an extremely simplified schematic
illustration a data-processing device comprising an integrated protection unit
according to the invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION
A data-processing device DE is indicated in the figure. It can be a
controller of a motor vehicle, such as an air-bag controller, an engine controller, a
transmission controller, or the like. This data-processing device or controller DE has
an operating memory BS in which operating data BD is stored for the operation of
this controller. This operating data BD may also represent operating programs or the
like.
The figure indicates that a protection unit PU according to the invention is
integrated into this data-processing device or controller DE. This protection unit
provides an execution environment AU that is protected from unauthorized access,
this execution environment AU being formed, for example, as a hardware module.
A monitoring logic ÜL on one hand, and a protection logic SL on the
other hand, are integrated into the protection unit. These are formed, for example,
by programmable modules (FPGAs), or by the respective code of such an FPGA. A
monitoring memory ÜS is also provided. The protection unit PU communicates by
means of an information interface IS, as well as by means of an administration
interface AS.

The protection unit according to the invention preferably
operates as follows:
operating data BD, or operating programs, or the like,
are stored in the operating memory BS, as required for the
operation of the respective controller DE, such as the air-bag
controller. In order to ensure safe operation of such a controller
DE, the protection unit according to the invention permanently
monitors this operating data for unauthorized access or
unauthorized modification, i.e. for protection violations.
If the monitoring logic ÜL determines such a protection
violation, information on the type of this protection violation, as
well as other information such as the time of the protection
violation, is stored in the monitoring memory ÜS. Furthermore,
the monitoring logic ÜL notifies the protection logic SL of the
type of protection violation. Depending on the type of protection
violation, the protection logic SL can now provide replacement data
ED for a substitute operation of the controller DE. Such
replacement data ED thus forms emergency running instructions for
an emergency running operation, or emergency operation, of the
controller DE. The drawing shows that the protection logic SL can
provide different replacement data ED, or different emergency
running instructions, depending on the type of the protection
violation determined. Thus, within the scope of the invention a
flexible response can be provided to the type, or degree, of the
protection violation, in that prepared, suitable emergency running
instructions ED are activated in each respective case.
Information on the protection violation and on the start
of a substitute operation (or of emergency running instructions)
can be read from the monitoring memory ÜS in an authorized manner
by means of the information interface IS, and provided to the
devices relevant for notifying the user. The authorization
information required for reading in this regard is stored in the
execution environment AU.
Particular authorization information of the execution
environment can also be exchanged by means of the administration
interface AS also indicated in the figure. Thus, after successful
outside authorization (such as by an administrator), new
authorization information may be embedded, and a monitoring logic
ÜL and/or a protection logic SL may be reloaded into the execution
environment by means of the administration interface AS, insofar as
the respective logic is not hardware but, for example, FPGA code.
The execution environment AU indicated in the figure represents a
runtime environment protected against unauthorized write and read
access for the above-referenced logics and memories. The execution
environment AU holds the authorization information, i.e.
cryptographic keys, by means of which the signatures of the
logics described can be verified, or the logics can, if necessary,
be decrypted.
Overall, the protection unit according to the invention
ensures safe operation of a controller or the like, for example in
a motor vehicle. This is achieved although such motor vehicles are
usually not permanently "online." Continuous online updating of,
for example, anti-virus software is not necessary. Because
controllers within motor vehicles are networked, any tampering with
or failure of online access would be particularly critical, since
unauthorized access to safety-relevant functions via the bus
systems could pose particular risks to passengers. The invention
provides a remedy in this regard by creating a secure trust
anchor within the motor vehicle that, for example, may be under the
sole control of the automobile manufacturer, thus lending full
effectiveness to the protective measures. Protection operations
are rapidly executed, and dangerous behavior of the motor vehicle
due to manipulation of controllers is prevented in due time.

WE CLAIM
1. A protection unit (PU) for a (programmable) data-processing device (DE),
such as a controller of a motor vehicle, airplane, ship, or the like,
wherein the data-processing device (DE) comprises at least one operating
memory (BS) in which operating data (BD) can be or is stored for the
operation of the data-processing device, characterized in that,
the protection unit (PU) has in an execution environment (AU) protected
from unauthorized access at least one monitoring logic system (ÜL) and at
least one protection logic system (SL),
wherein the monitoring logic system (ÜL) accesses the operating memory
(BS) for monitoring unauthorized modifications, access, or similar
protection violations of the operating data stored in the operating memory
and notifies the protection logic system (SL) in case of any such
protection violations, and
wherein the protection logic system (SL) provides replacement data (ED)
for the operation or for a substitute operation of the data-processing
device (DE) in case of a protection violation.
2. The protection unit as claimed in claim 1, further comprising at least one
monitoring memory (ÜS) in which information can be stored about one or more
identified protection violations.
3. The protection unit as claimed in claims 1 or 2, further comprising at least one
information interface (IS) that can read information on protection
violations, and/or other status information from the protection unit (PU).
4. The protection unit as claimed in one of claims 1 to 3, further comprising at least
one administration interface (AS) that can write in or read out of the
protection unit (PU) authorization information, configurations, a
monitoring logic system, a protection logic system, or other
data/programs.
5. The protection unit as claimed in one of claims 1 to 4, wherein the
execution environment (AU) is hardware.
6. The protection unit as claimed in one of claims 1 to 5, wherein the
monitoring logic system (ÜL), the protection logic system (SL), the
monitoring memory (ÜS), the information interface (IS), the
administration interface (AS), and/or the replacement data (ED) are
software, such as the code of a programmable module.
7. A method for monitoring a data-processing device having at least one
protection unit as claimed in one of claims 1 to 6, wherein the monitoring
logic system accesses the operating data and detects protection violations,
wherein the monitoring logic system notifies the protection logic system in
the case of any protection violation, and
wherein the protection logic system provides replacement data for the
operation, or for an emergency operation, respectively, of the data-
processing device in case of any protection violation.
8. The method as claimed in claim 7, wherein information on a protection
violation is stored in the monitoring memory.
9. The method as claimed in claim 7 or 8, wherein the monitoring logic
system continuously, or cyclically, or quasi-continuously accesses the
operating data, or the operating memory at a predetermined clock
frequency.
10. The method as claimed in claim 9, wherein the clock frequency is
specified by means of the administration interface.
11. The method as claimed in one of claims 7 to 10, wherein for verification of
protection violations the verification of at least one electronic signature of
the operating data is executed.
12. The method as claimed in one of claims 7 to 11, wherein the protection
logic system prevents access to the operating data in the operating
memory of the data-processing device in case of any protection violation.
13. The method as claimed in one of claims 7 to 12 wherein, depending on
the type of protection violation, different replacement data is provided.
14. The method as claimed in one of claims 7 to 13, wherein the replacement
data is verified by means of the authorization information stored in the
execution environment.
15. The method as claimed in one of claims 7 to 14, wherein the replacement
data for a substitute operation of the data-processing device is processed
by the protection unit, and/or by the data-processing device.
16. The method as claimed in one of claims 7 to 15, wherein after a
protection violation the replacement data provided is checked for any
possible protection violations by means of the monitoring logic system
(ÜL).




Patent Number: 257049
Indian Patent Application Number: 485/KOL/2008
PG Journal Number: 35/2013
Publication Date: 30-Aug-2013
Grant Date: 29-Aug-2013
Date of Filing: 10-Mar-2008
Name of Patentee: SECUNET SECURITY NETWORKS AKTIENGESELLSCHAFT
Applicant Address: KRONPRINZENSTR. 30, 45128 ESSEN
Inventors:
1. MARCO HOFMANN, HARRAS 14, 81373 MUNCHEN
2. GUNNAR HETTSTEDT, WALKSTRASSE 20, 85570 MARKT SCHWABEN
3. MARC LINDLBAUER, GAIGLSTRASSE 25, 80335 MUNCHEN
4. HARRY KNECHTEL, HARDTER STRASSE 21, 85459 BERGLERN
PCT International Classification Number: H04L9/18; G06F9/00; H04L9/06
PCT International Application Number: N/A
PCT International Filing Date:
PCT Conventions:
1. Application Number 07005046.3, Date of Convention 2007-03-12, Priority Country EPO