JP2014035740A - Electronic control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic control device that detects an invalid access resulting from an abnormality in a program counter.SOLUTION: An electronic control device increases the counter value by +1 in an initiation process when a function is called normally (S400), then performs the process of a function body (S402), and decreases the counter value by -1 (S404). When the function is called normally from S400 and the process in S404 is performed, the counter value could return to an initial value before the increment of +1 in S400 due to the process in S404. If the counter value is smaller than the initial value (S406: Yes) before the increment of +1 in S400, the electronic control device determines that a program counter has become abnormal and the function has not been performed from the initiation process in S400 but carried out from some point. If the function is carried out from some point, the process of the function is not properly performed. Therefore, the electronic control device, for example, resets the own device as a fail-safe process (S408).

Description

  The present invention relates to an electronic control device that detects unauthorized access due to an abnormality in a program counter.

  A microcomputer (hereinafter also referred to as a “microcomputer”) performs processing by reading and executing instructions of a program stored in a memory by a CPU. The read address of the instruction is shown in the program counter, and the program counter is updated according to the processing flow.

  However, if the program counter is updated to an abnormal value due to the influence of cosmic rays, electromagnetic noise, or the like, there is a possibility that the CPU reads and executes instructions of other programs that are not accessed from the processing flow of the program being executed.

  In order to solve this problem, for example, Patent Document 1 discloses that the address of the program counter is smaller than the boundary address of the instruction by comparing the boundary address between the instruction and the address indicated by the program counter. A technique is disclosed in which it is determined whether or not the value changes in order with a value that matches with the boundary address and a value that is larger than the boundary address, and the program counter is determined to be abnormal if updated without matching the boundary address.

JP 2001-188688 A

  However, in the technique of Patent Document 1, when the program counter is updated to an abnormal value after it matches the instruction boundary address, another processing unit is illegally accessed from the processing unit being executed due to the abnormality of the program counter. However, it may not be possible to detect unauthorized access.

  The present invention has been made to solve the above-described problems, and an object thereof is to provide an electronic control device that detects unauthorized access due to an abnormality in a program counter.

  According to the electronic control device of the present invention, the start when the execution of the target processing unit is normally started in at least one target processing unit provided with access information indicating an access state to itself among the plurality of processing units. A first operation is executed on the access information in the process, and a second operation for returning to the value of the access information before the first operation is executed is executed in the end process of the target processing unit.

  Therefore, if the target processing unit is executed from the middle by an unauthorized access rather than from the start process, the start process is not executed, so the first operation is not executed on the access information, and only the second operation is executed. Become. In this case, the access information does not return to the initial value before the first calculation is performed on the access information in the start process when the target processing unit is normally started.

  Therefore, by comparing the value of the access information after executing the second operation and the initial value of the access information before executing the first operation at the time of the end processing of the target processing unit, It can be determined that the target processing unit has been illegally accessed due to an abnormality in the program counter.

  In addition, even if the program counter is updated to an abnormal value after it matches the boundary address of the instruction of the processing unit being executed and the target processing unit is illegally accessed, it is detected that the program counter is illegally accessed due to an abnormal program counter. it can.

  The functions of the plurality of means provided in the present invention are realized by hardware resources whose functions are specified by the configuration itself, hardware resources whose functions are specified by a program, or a combination thereof. The functions of the plurality of means are not limited to those realized by hardware resources that are physically independent of each other.

The block diagram which shows the electronic control apparatus by this embodiment. The flowchart which shows the access check process using a counter. Explanatory drawing which shows the change of the counter for every function. Explanatory drawing which shows the change of the counter in unauthorized access. Explanatory drawing which shows the change of the counter provided in the specific function. Explanatory drawing which shows the flag provided for every function. The flowchart which shows the access check process using a flag.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
(First embodiment)
An electronic control unit (ECU) 10 shown in FIG. 1 is mounted on a vehicle, for example, and is mainly configured by a microcomputer including a CPU 20, a ROM 30, a RAM 40, an input / output interface (not shown), and the like. The CPU 20 executes various processes by reading out an instruction at an address indicated by the program counter 22 and executing a program stored in the ROM 30 or the like.

  The storage area of the ROM 30 is divided into an important program area 32 that stores a plurality of important programs and a normal program area 34 that stores a plurality of normal programs. The storage area of the RAM 40 is divided into an important data area 42 that stores important data and a normal data area 44 that stores normal data.

  When the program accesses another program, the CPU 20 checks the addresses of both programs, thereby accessing the important program area 32 or the normal program area 34 from the important program area 32 and the normal program from the normal program area 34. If access to the area 34 is permitted, access to the important program area 32 from the normal program area 34 is prohibited.

  When the program accesses data, the program address and the data address are checked to access the important data area 42 or the normal data area 44 from the important program area 32, and from the normal program area 34 to the normal data area 44. Access is permitted, and access from the normal program area 34 to the important data area 42 is prohibited.

  Here, when the program accesses another program, the access from the important program area 32 to the important program area 32 or the normal program area 34 and the access from the normal program area 34 to the normal program area 34 are as described above. Permitted at the territory level.

  However, if the value of the program counter is updated to an abnormal value due to cosmic rays, electromagnetic noise, or the like, the program may be executed halfway due to unauthorized access rather than from normal start processing. Even if the program is permitted to be accessed at the region level, if the program is executed from the middle rather than from the normal start process, an appropriate process cannot be executed.

  Therefore, in the first embodiment, a function constituting the program is used as a processing unit, and a counter is provided in the RAM 40 as access information indicating an access state for the function. If it is a function constituting an important program, the counter may be provided in either the important data area 42 or the normal data area 44. If it is a function constituting a normal program, access information is provided in the normal data area 44. A task may be used as a processing unit instead of a function.

(Access check process)
FIG. 2 shows an access check process using a counter as access information. In FIG. 2, “S” represents a step.

  The CPU 20 increments the counter as the first calculation in the start process when the function is normally called (S400), and then executes the process of the function body (S402). As shown in FIG. 3, counters A to C are provided corresponding to the functions A to C, respectively, and when the function is normally called, the counter is incremented by one in the function start processing. The initial value of each counter is zero. When the processing of the function main body is finished, the CPU 20 decrements the counter as the second calculation (S404).

  If the function is normally called from the start process, the process of S400 is executed, and then the process of S404 is executed, the counter value should return to 0, which is the initial value before being incremented by S400.

  On the other hand, if the counter is illegally accessed from the function C as shown in the function B of FIG. 4 and is executed in the middle, and the start process of S400 is not executed and the counter is decremented by S404, the value of the counter becomes +1 in S400. It becomes −1 which is smaller than 0 which is the initial value before being performed.

  Therefore, the CPU 20 determines whether or not the counter value is smaller than the initial value before incrementing by 1 in S400 (S406). When the value of the counter is equal to or larger than the initial value (S406: Yes), it is determined that the program counter is normal and the function is normally called from the start process, and the CPU 20 ends this process.

  Even if the function is permitted to be accessed at the area level, if the counter value is smaller than the initial value (S406: Yes), the CPU 20 executes the program from the middle due to an illegal access because the program counter becomes abnormal. Judge that If the function is executed from the middle, the function processing is not properly executed, so the CPU 20 resets the own ECU, for example, as a fail-safe process (S408).

  In the case of an ECU mounted on a vehicle, in the case of a gasoline engine, the throttle opening is limited to reduce the intake air amount. In the case of a diesel engine, the injection amount from the injector is reduced, or the gear position Alternatively, a fail-safe process may be executed to fix the vehicle and realize the retreat travel.

  In addition, all of the multiple functions may be set as a target processing unit for which access information is checked by providing a counter as access information, and unauthorized access is permitted because it causes a serious failure if unauthorized access is made midway. Only important functions that are not allowed may be the target processing unit. In FIG. 5, only the function B among the functions A to C is provided with a counter.

  As an important function for providing access information, in the case of an ECU mounted on a vehicle, an intake air amount control for a gasoline engine, an injection amount control for a diesel engine, a supercharging control, a brake hydraulic pressure control, and a power steering control A function that performs the above can be considered.

  As described above, by providing access information only to important functions instead of all functions, the storage capacity and processing load of ROM and RAM can be reduced for functions that do not have access information.

  In the first embodiment, as the access information, the CPU 20 performs an increase / decrease process on a counter provided in the RAM 40 instead of a dedicated register to determine whether the program counter 22 is abnormal. The resources of the ECU 10 to be used can be reduced as much as possible.

(Second Embodiment)
A second embodiment of the present invention is shown in FIGS. In the second embodiment, instead of the counter of the first embodiment, a flag representing a binary state is provided as access information. FIG. 6 shows an example in which 1-bit flags are provided corresponding to the functions 1 to n, respectively. A flag indicating the access state of the functions 1 to n is provided in the RAM 40.

  When the flag is provided as the access information, the CPU 20 inverts the flag of the function being executed from the initial value as the first calculation in the start process of S410 in FIG. That is, if the initial value of the flag is 0, it is inverted to 1, and if it is 1, it is inverted to 0.

  After executing the process of the function body (S412), in the end process, the CPU 20 inverts the flag value as the second operation (S414), and determines whether or not the flag value is the initial value before inversion in S410. (S416).

If the flag value is the initial value (S416: Yes), the program counter is normal, the function is determined to have been called normally from the start process, and the CPU 20 ends the process.
If the value of the flag is not the initial value (S416: No), the CPU 20 determines that the program counter has become abnormal and the function has been executed halfway due to unauthorized access, and executes fail-safe processing (S418).

  Also in the case of the second embodiment, as in the first embodiment, if unauthorized access is made from the middle, a serious failure is caused. Therefore, only an important function that does not permit unauthorized access is set as a target processing unit, and a flag is provided as access information. May be.

  In the embodiment described above, a counter or flag is provided as access information for a function that is a target processing unit, and when the function is normally called, a predetermined value set in advance in the counter or flag in the function start processing and end processing The access state of the function was determined based on the value of the counter or flag after executing the calculation in the termination process.

  As a result, even if access to the function is permitted at the stored area level, such as the important program area 32 or the normal program area 34 from the important program area 32 shown in the above embodiment, the program By detecting based on the access information that the function has been executed from the middle rather than from the normal start process due to the abnormality of the counter, it is possible to detect the unauthorized access due to the abnormality of the program counter.

  Further, even if the program counter is updated to an abnormal value after matching the instruction boundary address of the function being executed and another function is executed halfway, it is possible to detect unauthorized access due to an abnormality in the program counter.

[Other Embodiments]
The combination of the first operation executed in the function start process and the second operation executed in the function end process shown in the above embodiment is that the second operation is added to the value of the access information before the first operation is executed. Any combination is possible as long as it is returned. For example, if the access information is a numerical value, a combination of multiplication and division may be used.

  The electronic control device according to the present invention is not limited to a device mounted on a vehicle, but can be used for any purpose as long as the purpose is to detect unauthorized access due to an abnormality of a program counter based on an access state of a processing unit. You may apply to the electronic controller used.

  As described above, the present invention is not limited to the above-described embodiment, and can be applied to various embodiments without departing from the gist thereof.

10: ECU (electronic control unit, first calculation means, second calculation means, determination means, fail-safe means), 22: program counter

Claims (6)

An electronic control device (10) that reads an instruction at an address indicated by a program counter (22) and executes each of a plurality of processing units,
In at least one target processing unit provided with access information representing an access state to itself among the plurality of processing units, the access information is added to the access information in a start process when the execution of the target processing unit is normally started. First computing means (20, S400, S410) for performing one computation;
Second calculation means (20, S404, S414) for executing a second calculation for returning the access information to a value before the first calculation is executed by the first calculation means in an end process of the target processing unit;
The value of the access information after the second calculation means executes the second calculation and the value of the access information before the first calculation means executes the first calculation are compared during the end processing. If there is no match, determination means (20, S406, S416) for determining that the access to the target processing unit is an unauthorized access due to an abnormality in the program counter,
An electronic control device comprising:   The first calculation means (S400) performs either addition or subtraction on the access information as the first calculation, and the second calculation means (S404) applies to the access information as the second calculation. The electronic control device according to claim 1, wherein the other of addition and subtraction is executed.   The electronic control device according to claim 1, wherein the processing unit that does not permit unauthorized access is selected as the target processing unit.   4. The apparatus according to claim 1, further comprising a fail-safe unit (20, S <b> 408, S <b> 418) that executes a fail-safe process when the determination unit determines that the program counter is abnormal. 5. Electronic control unit.   The electronic control device according to claim 4, wherein the fail-safe means resets its own device as the fail-safe process.   The electronic control device according to claim 1, wherein the electronic control device is a device mounted on a vehicle.

Images