[go: up one dir, main page]

EP2044517A1 - System for protecting sensitive data from user code in register window architecture - Google Patents

System for protecting sensitive data from user code in register window architecture

Info

Publication number
EP2044517A1
EP2044517A1 EP06760841A EP06760841A EP2044517A1 EP 2044517 A1 EP2044517 A1 EP 2044517A1 EP 06760841 A EP06760841 A EP 06760841A EP 06760841 A EP06760841 A EP 06760841A EP 2044517 A1 EP2044517 A1 EP 2044517A1
Authority
EP
European Patent Office
Prior art keywords
window
supervisor
transition
user
stack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP06760841A
Other languages
German (de)
French (fr)
Other versions
EP2044517A4 (en
Inventor
David William Funk
Simon Robert Walmsley
Kia Silverbrook
Barry Gauke
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Memjet Technology Ltd
Original Assignee
Silverbrook Research Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Silverbrook Research Pty Ltd filed Critical Silverbrook Research Pty Ltd
Publication of EP2044517A1 publication Critical patent/EP2044517A1/en
Publication of EP2044517A4 publication Critical patent/EP2044517A4/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • G06F21/608Secure printing
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30098Register arrangements
    • G06F9/3012Organisation of register space, e.g. banked or distributed register file
    • G06F9/30123Organisation of register space, e.g. banked or distributed register file according to context, e.g. thread buffers
    • G06F9/30127Register windows
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30181Instruction operation extension or modification
    • G06F9/30189Instruction operation extension or modification according to execution mode, e.g. mode flag
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/468Specific access rights for resources, e.g. using capability register
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect

Definitions

  • This invention relates to an electronic device having an embedded computer system. It has been developed primarily for improving security and protecting the computer system from malicious software tampering, whilst still allowing flexibility in software design downstream of the device manufacturer.
  • an embedded system contains special-purpose hardware and a processor (CPU) supporting a real-time operating system (RTOS).
  • the system is programmed with special-purpose software tailored to meet the requirements for that particular system.
  • software written for an embedded system is referred to as 'firmware'. Since electronic devices are expected to run continuously for many years without errors, firmware is usually developed and tested more rigorously than software for computers.
  • a first product may have Feature X
  • a second product may have Features X, Y and Z.
  • an inherent problem with embedded firmware is that it is susceptible to malicious attack from hackers or willful copyright infringers offering unauthorized firmware upgrades.
  • an unauthorized firmware upgrade may be freely distributed over the Internet, allowing users to upgrade their devices free of charge.
  • QA chip(s) in a printer perform an array of functions in a secure environment.
  • a QA chip in a print cartridge may be used to allow operation of the printer only in a licensed manner.
  • a printer A may be licensed to print at 10 pages per minute, while a printer B may be licensed to print at 30 pages per minute.
  • the hardware in each printer is identical, but the QA chip allows each printer to be differentiated.
  • the QA chip since the QA chip stores its data in a secure, authenticated fashion, it can only be upgraded or replaced by an authentic source. Hence, the QA chip provides protection against attack from unlicensed users.
  • a QA chip mounted on an ink cartridge may be used to guarantee that the ink contained in the cartridge is from a particular source or of a particular quality, thereby ensuring that incorrect ink, which may damage the printhead, cannot be used.
  • the same QA chip may similarly be used to store dynamically in its memory a quantity of 'virtual ink' remaining in the cartridge, determined with reference to the initial quantity of ink in the cartridge and the number of dots printed using that ink.
  • the quantity of 'virtual ink' provides a security mechanism for the printer and prevents unauthorized refilling of ink cartridges - the firmware in the printer communicates with the ink cartridge QA chip before printing and if the amount of 'virtual ink' is insufficient, the printer will not print. In this way, the quality of ink can be assured and risk of damaging the printhead using low quality ink from an unauthorized refill is minimized.
  • QA chips provide an excellent means for preventing unauthorized uses of electronic devices.
  • the security of QA chips relies on firmware in the embedded system communicating with the chip. It is conceivable that the most determined hacker may be able to modify the firmware and override its communication with QA chip(s) in the device. In this scenario, the security provided by the QA chip would be compromised. In the above example, unauthorized refills of ink cartridges would be possible, irrespective of the presence of a QA chip on the ink cartridge.
  • an electronic device comprising an embedded computer system, said device comprising a processor supporting a real-time operating system (RTOS), said processor supporting user and supervisor modes, wherein said computer system is programmed such that only code portions directly controlling essential hardware in said device are run in supervisor mode.
  • RTOS real-time operating system
  • essential hardware is used to mean hardware component(s) which are essential for the device to perform its primary function.
  • the essential hardware may include drive circuitry for actuating nozzle actuators in a printhead, but does not include an LCD display on the printer, since an LCD display is not essential for the printer to be able to print.
  • code portion is used to mean any portion of code which performs a specific function.
  • a code portion may be part of a thread or a process.
  • Processors supporting user and supervisor modes are well known in the computer art. Code running in supervisor mode can only be accessed by a person with special privileges, such as the person who wrote the code originally. By contrast, code running in user mode can be accessed and modified by any person, irrespective of their privileges.
  • An example of a processor, which supports user and supervisor modes, is the SPARCTM processor. Such processors were designed to protect a core (or kernel) of an operating system from potentially buggy applications running on a computer.
  • the operating system can continue to run, even if a particular application running in user mode has crashed. This ensures that other applications running in user mode can continue running on the operating system.
  • the risk of crashing the whole computer with a buggy application is minimized - there is a separation between applications and the core of the operating system.
  • the processor supporting user and supervisor modes is employed in a different manner from its conventional use in non-embedded computer systems.
  • the embedded computer system of the present invention is programmed so that only code portions directly controlling essential hardware in the device are run in supervisor mode, with the remainder of code portions being run in user mode.
  • a major advantage of running certain code portions (which control essential hardware in the device) in supervisor mode is that these code portions cannot be modified once they have been finalized by the device manufacturer. Hence, the manufacturer, or a licensee, retains ultimate control over how the device may be operated.
  • a printer manufacturer may program into code portions directly controlling a printhead and paper feed mechanism that the printer should only print at 10 pages per minute. Since this code portion is protected in supervisor mode, it is not possible for a hacker to modify the code and upgrade his printer.
  • the computer system is programmed such that code portions not directly controlling essential hardware in said device are run in user mode.
  • a core of the RTOS is run in user mode.
  • the advantages of programming the embedded computer system in this way are twofold. Firstly, the amount of code in supervisor mode is kept to a minimum, which minimizes the risk of bugs being present in this immutable code. Secondly, by having the RTOS and non-essential applications running in user mode, there is an opportunity for a licensed printer manufacturer or distributor, downstream of the original printer manufacturer, to develop its own firmware specific to its requirements on an operating system of its choice.
  • a licensed printer manufacturer may wish to change the format of an LCD display and he may wish to program this using his preferred operating system, hi accordance with the present invention, a licensed printer manufacturer has the flexibility to do this, without the security of a QA system in the device being compromised.
  • the computer system is programmed such that a code portion directly controlling essential hardware is callable from an application running in user mode via a trap identifying that code portion.
  • a plurality of code portions, each directly controlling respective essential hardware may each be independently callable from an application running in user mode via a respective trap identifying a respective code portion.
  • User mode applications may be programmed by a licensed device manufacturer or may even be available via an upgrade, downloadable from the Internet. For example, a printer user may wish to have a default option of printing '5000 pages, full color'. He is able to upgrade bis firmware to have this default option, because the print job application(s) programmed into the embedded system run in user mode.
  • the code portion directly controlling essential hardware communicates with at least one authentication chip in the device before an operation of the hardware.
  • the authentication chip (or 'QA chip') authorizes the operation.
  • the code portion may ask the QA chip for the authorized print speed for that printer.
  • the QA chip returns this information (e.g. 10 pages per minute) to the computer system and printing at the authorized print speed can commence. Li this way, licensed operation of the device can be controlled securely via the QA chip, without being compromised by a malicious attack on firmware in the device.
  • a first authentication chip is associated with a consumable component of said device.
  • consumable components in electronic devices include ink cartridges, toner, paper, batteries etc.
  • the first authentication chip may contain static and/or dynamic data relating to the consumable component.
  • static data may relate to a source, batch number, quality (e.g. ink color), initial quantity etc. of the consumable component.
  • Dynamic data may relate to a current quantity (e.g. amount of remaining ink) or quality (e.g. temperature) of the consumable component.
  • An electronic device may require several consumable components. Accordingly, the device may comprise a plurality of first authentication chips, each one of the first authentication chips being associated with a respective consumable component.
  • the electronic device is a printer and the consumable component is an ink cartridge having a respective first authentication chip.
  • the authentication chip on an ink cartridge may be used to authorize printing only if certain conditions have been met e.g. (i) printing only when an ink cartridge of a predetermined type, as determined via the associated authentication chip, is loaded in the printer; and/or (ii) printing only when a predetermined amount of ink, as determined via the associated authentication chip, is remaining in the ink cartridge.
  • these authentication mechanisms provide a printer manufacturer with assurances regarding the quality of ink used in its printers, thereby preserving the manufacturer's reputation in the printer market.
  • a second authentication chip is positioned in a body of the device, which is not associated with a consumable component.
  • a second authentication chip may be mounted in or on a print engine for a printer.
  • the second authentication chip may be used to authorize certain operations of the device, such as printing at a predetermined speed.
  • a system for upgrading firmware in a PictBridge printer comprising: a PictBridge printer having an embedded computer system; and a memory stick for communicating with said embedded computer system, wherein said memory stick contains a firmware upgrade for said embedded computer system.
  • a memory stick containing a firmware upgrade for an embedded computer system of a PictBridge printer.
  • a system for upgrading firmware in a PictBridge printer comprising: a PictBridge printer having an embedded computer system; and a digital camera for communicating with said embedded computer system, wherein said camera contains a firmware upgrade for said embedded computer system.
  • a digital camera containing a firmware upgrade for an embedded computer system of a PictBridge printer.
  • PictBridge is an industry open standard from the Camera & Imaging Products Association (CIPA) for direct printing. It allows images to be printed directly from digital cameras to a printer, without having to connect the camera to a computer. By connecting a PictBridge-enabled printer to a PictBridge-enabled camera using a single USB cable, users can easily control print settings using their camera and produce high quality photos without using a PC.
  • CIPA Camera & Imaging Products Association
  • a major advantage of PictBridge printing is its simplicity for the user, and especially those users for whom complex photo application software may be a barrier.
  • PictBridge relies on communication between embedded computer systems in the camera and printer. These embedded computer systems effectively replace PC photo applications and, moreover, simplify operability for the user.
  • PictBridge printer From time to time, it may be necessary to upgrade firmware in a PictBridge printer. For example, additional printing options may be required or it may be necessary to upgrade firmware so that it is compatible with new PictBridge-enabled cameras on the market.
  • software upgrades for PC photo applications are provided via internet downloads or CD.
  • PictBridge printer users may not own a computer in the first place. For those that do own a computer, the complexity of downloading new software onto their PC from the internet and upgrading their PictBridge printer by connecting it to their PC is likely to be a significant barrier. After all, PictBridge users are generally attracted to this system, because of its simplicity and because it obviates the need for a PC.
  • a major advantage of the present invention is its simplicity for the user. Insertion of a memory stick into a USB port of a PictBridge printer requires no computer skills. Therefore, firmware upgrades of a printer may be confidently performed by anyone without risk or fear of upgrading the printer incorrectly.
  • memory stick is used to mean any portable non- volatile digital memory device.
  • the memory stick or camera may communicate with the embedded computer system via standard USB connectors.
  • the memory stick or camera is configured to download automatically a firmware upgrade to the printer if it detects that the printer does not already have that upgrade.
  • the portable non- volatile digital memory device is a memory stick.
  • the camera may be sold with the firmware upgrade already programmed into its memory.
  • the camera may receive the firmware upgrade from an external source.
  • a memory stick may be used to download the firmware upgrade to the camera so that the camera can upgrade the printer when it is next connected.
  • a system for protecting supervisor mode data from user code in a register window architecture of a processor such as the processor of the first aspect, the system comprising, when transitioning from supervisor mode to user mode, setting at least one invalid window bit in the invalid window mask of the architecture additional to the invalid window bit set for the reserved window of the invalid window mask, the additional bit being set for a transition window between supervisor and user data windows.
  • the position of the additional invalid window bit in the invalid window mask is maintained independent of window overflows and underflows at the transition window.
  • Separate supervisor mode and user mode stacks may be provided, where the separate supervisor mode and user mode stacks are respectively stored in supervisor mode- only and user mode accessible memory.
  • the current stack pointer may be switched to between the supervisor and user stacks whenever a transition from user mode to supervisor mode and from supervisor mode to user mode occurs.
  • information on the transition window is recorded in the supervisor stack upon window overflow and underflow at the transition window.
  • a window stack is stored in the supervisor mode-only accessible memory, with the information on the transition window being recorded in the window stack upon window overflow and underflow at the transition window.
  • information on non-transition windows is recorded in the window stack upon window overflow and underflow at the non-transition windows.
  • a unique numerical label is assigned to each register window starting from zero and increasing monotonically for every save.
  • a record of the current label - assigned to the reserved window may be held in the local registers of the reserved window, with the record being updated as window overflows and underflows occur at the reserved window.
  • the labels may be calculated based on the current window pointer.
  • the labels are used to index a record of at least the stack pointer of the reserved window in the window stack upon window overflow and underflow at the reserved window.
  • the labels are used to index a record of the stack pointers of each window in the window stack upon window overflow and underflow at each window.
  • the call function may issue saves to bring the current window pointer to the user window positioned after the transition window and overwrite the registers in at least the windows containing supervisor code data from the current window to the reserved window.
  • the call function may overwrite the registers in all of the windows from the current window to the reserved window or all the registers of the processor containing supervisor code data.
  • the registers in the transition window may be overwritten upon window overflow and underflow at the transition window.
  • the window underflow trap routine may issue restores to bring the current window pointer to the supervisor window preceding the transition window.
  • Figure 1 is a perspective view of a printer having an embedded computer system
  • Figure 2 is a diagram showing the interrelationship between various components of the embedded computer system and printer hardware.
  • Figure 3 illustrates a register window architecture implemented by a processor of the embedded computer system
  • Figure 4 illustrates a mode switch between supervisor and user modes
  • Figure 5 illustrates a mode switch between supervisor and user modes employing a transition window.
  • Figure 1 shows a printer 2 embodying the present invention.
  • Media supply tray 3 supports and supplies media 8 to be printed by a print engine (concealed within a printer casing).
  • Printed sheets of media 8 are fed from the print engine to a media output tray 4 for collection.
  • User interface 5 is an LCD touch screen and enables a user to control the operation of the printer 2.
  • the printer 2 comprises an embedded computer system (not shown), which controls the overall operation of the printer.
  • the embedded computer system 10 comprises a processor 11, which supports user and supervisor modes.
  • the processor 11 runs code portions 12 controlling essential printing hardware 13 in supervisor mode only.
  • the essential printing hardware 13 may comprise drive circuitry for actuating nozzle actuators, motors driving a feed mechanism etc. All other code is run in user mode, including the core RTOS 14.
  • the code portions 12 are in communication with a print engine QA chip 16a and one or more ink cartridge QA chips 16b in the printer. Before any operation of essential printing hardware 13, the code portions 12 communicate with the QA chips 16a and 16b to request authorization for that operation.
  • the print engine QA chip 16a is programmed with an authorized print speed ⁇ e.g. 30 pages per minute). This information is returned to the code portions 12 and the essential printing hardware 13 is operated in accordance with the authorized print speed.
  • the ink cartridge QA chip 16b is programmed with information regarding the ink, including an amount of remaining ink. If, for example, the ink cartridge QA chip 16b returns information that no ink is remaining in the cartridge, then the code portions 12 are not authorized to operate the essential printing hardware 13 and printing is aborted. Since the code portions 12 are run in supervisor mode only, it is not possible for an unauthorized person to modify these code portions and, hence, it is not possible to change the operation of essential printing hardware 13 or override the security provided by the QA chips 16a and 16b.
  • code portions 17 controlling non-essential hardware 18, such as the LCD display 5, are run in user mode.
  • These code portions 17, together with the core RTOS 14, can be modified without any authorization privileges, to provide flexibility in operation of non-essential hardware and even flexibility in selecting a desired operating system.
  • the print engine QA chip 16a may receive a print speed upgrade 19 via an authorized internet download or memory stick.
  • an ink refill QA chip 20 may communicate with the ink cartridge QA chip 16b during an authorized ink refill, so that the ink cartridge QA chip 16b knows a refill from an authentic source has taken place.
  • Authorized ink refill operations are described in detail in our earlier US patent application no. 11/014,769 (filed on December 12, 2004), the contents of which is hereby incorporated by reference.
  • firmware in the embedded system 10 for printer 2 may be modified or upgraded without compromising the security of licensed printer operations. Some firmware upgrades may be provided by the user.
  • a firmware upgrade may be provided by a memory stick 30 or a camera 31.
  • the memory stick 30 or camera 31 contains the firmware upgrade in its memory and automatically downloads the upgrade to the embedded system 10 if it detects that the embedded system requires upgrading.
  • the user simply plugs the memory stick into a USB port of a PictBridge printer.
  • the user simply connects the camera to a Pictbridge printer via its USB port in the normal way. The user may even be unaware that a firmware upgrade has taken place if the camera was purchased with the upgrade contained in its memory.
  • the memory stick 30 may be used to download a firmware upgrade into the camera's memory, and the camera 31 used to upgrade firmware in the embedded system 10 when the camera is next connected to the printer 2.
  • supervisor code Further security is provided by protecting all supervisor code from user code. This removes the possibility of user code reading sensitive data and having the computer system execute arbitrary code in supervisor mode, which could allow unauthorized access to, and modification of, the operational hardware and software of the printer.
  • the processor 11 implements a register window architecture to manipulate data.
  • the processor is a LEON CPU implementing SPARCTM architecture.
  • the Integer Unit working registers 'r' registers
  • the Multiply/Divide register Y register
  • the Program Counters PC and nPC
  • these registers must not hold sensitive data across transitions between supervisor and user modes, in either direction.
  • the 'r' registers of the print engine have eight global 32-bit registers and eight sets of registers with sixteen 32-bit registers in each set.
  • the register sets are arranged such that the processor 11 has a window that sees 24 of the registers.
  • the current window being viewed is determined by a pointer to that window, such as a Current Window Pointer (CWP).
  • WBP Current Window Pointer
  • the above number of registers and register sets are merely exemplary, and a different number of registers and registers sets may be used.
  • SPARCTM architecture allows a configurable number of register sets from two to 32.
  • the invalid window mask may, for example, be the Windows Invalid Mask (WIM) used in SPARCTM architecture.
  • WIM Windows Invalid Mask
  • Overflow and underflow handlers are used to give the illusion of an unbounded number of register windows.
  • an invalid window mask contains one bit per window and overflow and underflow traps are generated when an instruction is issued to move to a new window which has its bit set, designating it as invalid.
  • the processor when a save instruction is issued to move the current window from window N to window N-I, the processor first checks bit N-I of the invalid window mask. If that bit is set, the window is invalid, such that the processor does not change windows but generates a window overflow trap. Similarly, when a restore instruction is issued to move the current window from window N to window N+l , the processor first checks bit N+l of the invalid window mask. If that bit is set, the window is invalid, such that the processor does not change windows but generates a window underflow trap.
  • the invalid window mask conventionally has a value with one bit set, which marks the end of the available windows, i.e., seven in the present embodiment, and reserves one window for a trap.
  • the trap handler When an overflow trap is taken, e.g., as a result of a save instruction rotating the current window to a reserved window, the trap handler saves the oldest window to memory, rotates the invalid mask to now point to that saved window, and thereby frees up the previously reserved window for use.
  • an underflow trap is taken, e.g., as a result of a restore instruction rotating the current window to a reserved window.
  • Each register set has 16 registers, comprising eight "in” registers and eight "local” registers. However, the window sees 24 registers, the remaining registers being eight “out” registers. Thus, as the window cycles through the sets, the processor 11 sees some registers from the adjacent set. This is illustrated in Figure 3, where the "out” registers correspond to the "in” registers of the next lowest window. Thus, a given window can modify the "out” registers of the next highest window and the "in” registers of the next lowest window, even upon overflow and underflow.
  • a user mode window is able to read and modify some of the data in adjacent windows including supervisor mode windows. It may even be possible for the user code to cycle through the register windows, reading and modifying the values.
  • Figure 4 in which a switch from supervisor mode to user mode is shown. As can be seen, the supervisor code had been using windows 7 and 6 before calling the user code, however there is nothing stopping the user code from issuing multiple instructions to move back and read/modify the supervisor data.
  • supervisor stacks are used for supervisor code data and user code data.
  • the current stack pointer e.g., %o6
  • the supervisor stack is stored in supervisor mode-only accessible memory and the user stack is stored in user mode accessible or user mode-only accessible memory.
  • the setting of the additional bit provides a transition window between supervisor and user windows which ensures that sensitive data stored in the supervisor registers is not accessible to user code. This is illustrated in Figure 5 where, before calling user code, the supervisor code moved down an extra two windows and marked the intermediate window invalid in the invalid window mask. This window represents a barrier at the transition because if the user code issues multiple instructions to move back through the windows, it will generate a trap when it hits the invalid window at window 5.
  • the location of the transition window (there may be more than one) is maintained as overflows and underflows occur. This is done by either storing information on the transition window(s) in the supervisor stack as traps occur, or storing this same information in a separate window stack, which is maintained in supervisor mode-only accessible memory. In this way, information about the transition windows is not stored in the invalid window mask or in the registers of the transition window itself. Accordingly, this information cannot be accessed by user code, thereby protecting the supervisor code data stored in the "out" or "in” registers of the transition window.
  • code which overwrites the number of windows known to be used or known to contain supervisor code data can be used. Because the user code calls the supervisor mode by way of a trap, the associated trap routine is configured to remember the return addresses from the trap. It may also remember the previous processor state register (PSR) when SPARCTM architecture is employed. This is done in the "local" registers of the new register window allocated for the trap routine. Given this, there will never be two adjacent transition windows, i.e., every transition window will be preceded by at least one supervisor window, namely the window used to hold the return addresses from the trap.
  • PSR processor state register
  • supervisor code Whenever supervisor code wants to call user code, it issues a call instruction to a function ('callUserFunction'), which takes the following arguments: (i) The address of the function to be called, in %oO. (ii) The current user (NOT supervisor) stack pointer in %ol, where the caller must arrange to pass a correct user stack pointer:
  • the trap routine could either use the user stack pointer read from the current thread context or a separate, dedicated user stack for the interrupt is used. In the latter case, context-switch calls are disabled during these calls because it is not possible to context-switch between threads if they share a common stack;
  • callUserFunction is configured to:
  • the window overflow trap routine determines if the window to be saved to memory is already marked as invalid in the WIM:
  • the trap routine therefore saves the window's registers to memory as normal, and pushes a "normal" record onto the window stack, after checking for stack overflow (as described above). This record only needs to be a single flag indicating that this is a "normal” record.
  • transition window's frame pointer i.e. %i6, the return address from callUserFunction which is read from transition window's %i7 and the %y register and global register values saved in the transition window.
  • the %i6, %i7, %y and global registers must be saved on the window stack because they are not necessarily maintained in the transition window after the transition window is saved. After doing these saves, the transition window's registers must be overwritten (as described above).
  • the window underflow trap routine does the following: • Looks at the WIM to see if more than one bit is set. If more than one bit is set, it means that the window just encountered is a transition window. This is because the reserved window is always the first invalid window in the downward direction, such that encountering a different invalid window in the upward direction can only mean that that window is a transition window.
  • the trap routine is configured to:
  • the trap routine is configured to:
  • the window stack is used to record flags related to the type of window being stored, i.e., a "transition" record for a transition window and a "normal” record for a non-transition window.
  • a transition record for a transition window
  • a normal record for a non-transition window.
  • each used register window is labeled and the %o6 value is stored on register overflow to be used for the corresponding restore, hi this way, on occurrence of overflows and underflows it is known whether a register window belongs to user mode or supervisor mode, upon checking and validation of the %o6 value.
  • the labels are allocated, for example, as unique numerical labels for every possible register window for a thread of execution, starting from zero and increasing monotonically for every save and/or function.
  • the labels are used similar to the flag records described above by keeping a record of where the labels are as overflows and underflows occur. That is, a record may be kept of the current label assigned to the reserved window, and the reserved window's window number. This is updated whenever the overflow and underflow routines shift the reserved window, where an overflow increments the label and an underflow decrements the label.
  • the reserved window's label is set to eight, and its window number to zero.
  • This record could be kept in some thread-specific supervisor RAM or it could be held in the "local" registers of the reserved window (which is inaccessible to user code), hi this case, the underflow and overflow traps shift the value as they, shift the reserved window.
  • the labels can also be used to access an additional state for each register window at overflow and underflow events.
  • the additional state contains the saved stack pointer, e.g., %o6, for the window and the mode of the window.
  • the mode identifies whether the window is executing in supervisor mode, and can additionally identify whether the window is executing in an interrupt and mode change.
  • the additional state information is accessed by indexing a record of the stack pointer and mode in the window stack when overflows and underflows occur as part of the label record. This can be done for the reserved window only, as described above, or for all of the register windows, hi this way, restores across transitions between user and supervisor modes can be identified and handled differently than restores which remain in user mode, for example in the manner described above. Thereby, protecting the supervisor mode sensitive data from user code access.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Accessory Devices And Overall Control Thereof (AREA)
  • Storage Device Security (AREA)

Abstract

A system for protecting supervisor mode data from user code in a register window architecture of a processor is provided. The system, when transitioning from supervisor mode to user mode, setting at least one invalid window bit in the invalid window mask of the architecture additional to the invalid window bit set for the reserved window of the invalid window mask. The additional bit is set for a transition window between supervisor and user data windows.

Description

SYSTEM FOR PROTECTING SENSITIVE DATA FROM USER CODE IN REGISTER WINDOW ARCHITECTURE
Field of the Invention
This invention relates to an electronic device having an embedded computer system. It has been developed primarily for improving security and protecting the computer system from malicious software tampering, whilst still allowing flexibility in software design downstream of the device manufacturer.
Cross References to Related Applications
Various methods, systems and apparatus relating to the present invention are disclosed in the following US Patents/ Patent Applications filed by the applicant or assignee of the present invention:
09/517539 6566858 6331946 6246970 6442525 09/517384 09/505951 6374354 09/517608 6816968 6757832 6334190 6745331 09/517541 10/203559 10/203560 10/203564 10/636263 10/636283 10/866608 10/902889 10/902833 10/940653 10/942858 10/727181 10/727162 10/727163 10/727245 10/727204 10/727233 10/727280 10/727157 10/727178 10/727210 10/727257 10/727238 10/727251 10/727159 10/727180 10/727179 10/727192 10/727274 10/727164 10/727161 10/727198 10/727158 10/754536 10/754938 10/727227 10/727160 10/934720 11/212702 11/272491 10/296522 6795215 10/296535 09/575109 6805419 6859289 6977751 6398332 6394573 6622923 6747760 6921144 10/884881 10/943941 10/949294 11/039866 11/123011 6986560 7008033 11/148237 11/248435 11/248426 10/922846 10/922845 10/854521 10/854522 10/854488 10/854487 10/854503 10/854504 10/854509 10/854510 10/854496 10/854497 10/854495 10/854498 10/854511 10/854512 10/854525 10/854526 10/854516 10/854508 10/854507 10/854515 10/854506 10/854505 10/854493 10/854494 10/854489 10/854490 10/854492 10/854491 10/854528 10/854523 10/854527 10/854524 10/854520 10/854514 10/854519 10/854513 10/854499 10/854501 10/854500 10/854502 10/854518 10/854517 10/934628 11/212823 10/728804 10/728952 10/728806 6991322 10/728790 10/728884 10/728970 10/728784 10/728783 10/728925 6962402 10/728803 /728780 10/728779 10/773189 10/773204 10/773198 10/773199 6830318/773201 10/773191 10/773183 10/773195 10/773196 10/773186 10/773200/773185 10/773192 10/773197 10/773203 10/773187 10/773202 10/773188/773194 10/773193 10/773184 11/008118 11/060751 11/060805 11/188017/298773 11/298774 11/329157 6623101 6406129 6505916 645780950895 6457812 10/296434 6428133 6746105 10/407212 10/407207/683064 10/683041 6750901 6476863 6788336 11/097308 11/097309/097335 11/097299 11/097310 11/097213 11/210687 11/097212 11/212637/246687 11/246718 11/246685 11/246686 11/246703 11/246691 11/246711/246690 11/246712 11/246717 11/246709 11/246700 11/246701 11/246702/246668 11/246697 11/246698 11/246699 11/246675 11/246674 11/246667/246684 11/246672 11/246673 11/246683 11/246682 10/760272 10/760273/760187 10/760182 10/760188 , 10/760218 10/760217 10/760216 10/760233/760246 10/760212 10/760243 10/760201 10/760185 10/760253 10/760255/760209 10/760208 10/760194 10/760238 10/760234 10/760235 10/760183/760189 10/760262 10/760232 10/760231 10/760200 10/760190 10/760191/760227 10/760207 10/760181 10/815625 10/815624 10/815628 10/913375/913373 10/913374 10/913372 10/913377 10/913378 10/913380 10/913379/913376 10/913381 10/986402 11/172816 11/172815 11/172814 11/003786/003616 11/003418 11/003334 11/003600 11/003404 11/003419 11/003700/003601 11/003618 11/003615 11/003337 11/003698 11/003420 6984017/003699 11/071473 11/003463 11/003701 11/003683 11/003614 11/003702/003684 11/003619 11/003617 11/293800 11/293802 11/293801 11/293808/293809 11/246676 11/246677 11/246678 11/246679 11/246680 11/246681/246714 11/246713 11/246689 11/246671 11/246670 11/246669 11/246704/246710 11/246688 11/246716 11/246715 11/246707 11/246706 11/246705/246708 11/246693 11/246692 11/246696 11/246695 11/246694 11/293832/293838 11/293825 11/293841 11/293799 11/293796 11/293797 11/293798/760254 10/760210 10/760202 10/760197 10/760198 10/760249 10/760263/760196 10/760247 10/760223 10/760264 10/760244 10/760245 10/760222/760248 10/760236 10/760192 10/760203 10/760204 10/760205 10/760206/760267 10/760270 10/760259 10/760271 10/760275 10/760274 10/760268/760184 10/760195 10/760186 10/760261 10/760258 11/293804 11/293840 11/293803 11/293833 11/293834 11/293835 11/293836 11/293837 11/293792
11/293794 11/293839 11/293826 11/293829 11/293830 11/293827 11/293828
11/293795 11/293823 11/293824 11/293831 11/293815 11/293819 11/293818
11/293817 11/293816 11/014764 11/014763 11/014748 11/014747 11/014761
11/014760 11/014757 11/014714 11/014713 11/014762 11/014724 11/014723
11/014756 11/014736 11/014759 11/014758 11/014725 11/014739 11/014738
11/014737 11/014726 11/014745 11/014712 11/014715 11/014751 11/014735
11/014734 11/014719 11/014750 11/014749 11/014746 11/014769 11/014729
11/014743 11/014733 11/014754 11/014755 11/014765 11/014766 11/014740
11/014720 11/014753 11/014752 11/014744 11/014741 11/014768 11/014767
11/014718 11/014717 11/014716 11/014732 11/014742 11/097268 11/097185
11/097184 11/293820 11/293813 11/293822 11/293812 11/293821 11/293814
11/293793 11/293842 11/293811 11/293807 11/293806 11/293805 11/293810
09/575197 09/575195 09/575159 09/575123 6825945 09/575165 6813039
6987506 09/575131 6980318 6816274 09/575139 09/575186 6681045
6728000 09/575145 09/575192 09/575181 09/575193 09/575183 6789194
6789191 6644642 6502614 6622999 6669385 6549935 09/575187
6727996 6591884 6439706 6760119 09/575198 6290349 6428155
6785016 09/575174 09/575163 6737591 09/575154 09/575129 6830196
6832717 6957768 09/575162 09/575172 09/575170 09/575171 09/575161
The disclosures of these applications and patents are incorporated herein by reference.
Background of the Invention Electronic devices having embedded computer systems are now part of everyday life. Examples of such devices include automatic teller machines (ATMs), mobile telephones, printers, photocopiers, handheld calculators, microwave ovens, televisions, DVD players, washing machines, handheld game consoles etc. Broadly speaking, embedded computer systems are characterized by providing a function (or functions) that is not itself a computer.
Generally, an embedded system contains special-purpose hardware and a processor (CPU) supporting a real-time operating system (RTOS). The system is programmed with special-purpose software tailored to meet the requirements for that particular system. Typically, software written for an embedded system is referred to as 'firmware'. Since electronic devices are expected to run continuously for many years without errors, firmware is usually developed and tested more rigorously than software for computers.
Aside from the obvious operational advantages of an embedded computer system, there is a considerable advantage offered in terms of the manufacture and distribution of various product lines. When a new product is released onto the market, it is often desirable to release the product in different versions, each version having a price commensurate with that particular version. For example, a first product may have Feature X, while a second product may have Features X, Y and Z.
In terms of manufacturing, it is relatively expensive to have one production line dedicated to a first product and another production line dedicated to a second product. It is cheaper to manufacture a single product type that includes the necessary hardware for supporting Features X, Y and Z in all products. In this scenario, various product lines may be differentiated via their embedded firmware. The firmware provides a much cheaper means for differentiating between a range of products, compared to the hardware. Moreover, the firmware allows users to upgrade their devices without having to buy a new device. For example, an authorized Internet download via a personal computer may be used to provide an upgrade, which enables Features Y and Z in a product purchased originally with only Feature X.
However, an inherent problem with embedded firmware is that it is susceptible to malicious attack from hackers or willful copyright infringers offering unauthorized firmware upgrades. For example, an unauthorized firmware upgrade may be freely distributed over the Internet, allowing users to upgrade their devices free of charge.
One way of circumventing this problem is to provide upgrades not via the firmware itself, but via an authentication chip in the device. The use of an authentication chip CQA chip') in a printer environment was described in our earlier applications listed below, the contents of which are herein incorporated by reference:
10/727251 10/727159 10/727180 10/727179 10/727192 10/727274 10/727164
10/727161 10/727198 10/727158 10/754536 10/754938 10/727227 10/72716C
10/296522 6795215 10/296535 09/575109 6805419 6859289 6977751
6398332 6394573 6622923 6747760 6921144 10/884881 10/943941
10/949294 11/039866 11/123011 6986560 7008033 11/148237 11/24843.
11/248426 11/298630 09/517539 6566858 6331946 6246970 6442525
09/517384 09/505951 6374354 09/517608 09/505147 6757832 6334190 6745331 09/517541 10/203559 10/203560 10/203564 10/636263 10/636283
10/866608 10/902889 10/902833 10/940653 10/942858 10/854514 10/854519
10/854513 10/854499 10/854501 10/854500 10/854502 10/854518 10/854517
As described in our earlier applications, QA chip(s) in a printer perform an array of functions in a secure environment. A QA chip in a print cartridge may be used to allow operation of the printer only in a licensed manner. For example, a printer A may be licensed to print at 10 pages per minute, while a printer B may be licensed to print at 30 pages per minute. The hardware in each printer is identical, but the QA chip allows each printer to be differentiated. Moreover, since the QA chip stores its data in a secure, authenticated fashion, it can only be upgraded or replaced by an authentic source. Hence, the QA chip provides protection against attack from unlicensed users. A QA chip mounted on an ink cartridge may be used to guarantee that the ink contained in the cartridge is from a particular source or of a particular quality, thereby ensuring that incorrect ink, which may damage the printhead, cannot be used. The same QA chip may similarly be used to store dynamically in its memory a quantity of 'virtual ink' remaining in the cartridge, determined with reference to the initial quantity of ink in the cartridge and the number of dots printed using that ink. The quantity of 'virtual ink' provides a security mechanism for the printer and prevents unauthorized refilling of ink cartridges - the firmware in the printer communicates with the ink cartridge QA chip before printing and if the amount of 'virtual ink' is insufficient, the printer will not print. In this way, the quality of ink can be assured and risk of damaging the printhead using low quality ink from an unauthorized refill is minimized.
QA chips provide an excellent means for preventing unauthorized uses of electronic devices. However, the security of QA chips relies on firmware in the embedded system communicating with the chip. It is conceivable that the most determined hacker may be able to modify the firmware and override its communication with QA chip(s) in the device. In this scenario, the security provided by the QA chip would be compromised. In the above example, unauthorized refills of ink cartridges would be possible, irrespective of the presence of a QA chip on the ink cartridge.
It may seem unlikely that such a determined attack on an embedded computer system would be made. However, in the printer market, sales of unauthorized ink refills is becoming a multimillion dollar industry and provides considerable motivation for a malicious attack on any security systems built in to a printer. From the point of view of a printer manufacturer, the use of low quality ink in its printers, resulting in poor print quality and shortened printhead lifetime, has the potential to do incalculable damage to its goodwill and reputation in the printer market.
It would therefore be desirable to provide an electronic device, having an embedded computer system, with improved security from malicious attack.
It would further be desirable to provide such an electronic device, which still allows flexibility for firmware upgrades or even installation of an alternative core RTOS downstream of the device manufacturer.
It would further be desirable to provide a simple means for upgrading firmware in PictBridge printers.
Summary of the Invention
In a first aspect, there is provided an electronic device comprising an embedded computer system, said device comprising a processor supporting a real-time operating system (RTOS), said processor supporting user and supervisor modes, wherein said computer system is programmed such that only code portions directly controlling essential hardware in said device are run in supervisor mode.
As used herein, "essential hardware" is used to mean hardware component(s) which are essential for the device to perform its primary function. For example, in the case of a printer, the essential hardware may include drive circuitry for actuating nozzle actuators in a printhead, but does not include an LCD display on the printer, since an LCD display is not essential for the printer to be able to print.
As used herein, the term "code portion" is used to mean any portion of code which performs a specific function. A code portion may be part of a thread or a process. Processors supporting user and supervisor modes are well known in the computer art. Code running in supervisor mode can only be accessed by a person with special privileges, such as the person who wrote the code originally. By contrast, code running in user mode can be accessed and modified by any person, irrespective of their privileges. An example of a processor, which supports user and supervisor modes, is the SPARC™ processor. Such processors were designed to protect a core (or kernel) of an operating system from potentially buggy applications running on a computer. With the core of the operating system running in supervisor mode, the operating system can continue to run, even if a particular application running in user mode has crashed. This ensures that other applications running in user mode can continue running on the operating system. By protecting the core of the operating system in this way, the risk of crashing the whole computer with a buggy application is minimized - there is a separation between applications and the core of the operating system.
In the present invention, the processor supporting user and supervisor modes is employed in a different manner from its conventional use in non-embedded computer systems. The embedded computer system of the present invention is programmed so that only code portions directly controlling essential hardware in the device are run in supervisor mode, with the remainder of code portions being run in user mode.
A major advantage of running certain code portions (which control essential hardware in the device) in supervisor mode is that these code portions cannot be modified once they have been finalized by the device manufacturer. Hence, the manufacturer, or a licensee, retains ultimate control over how the device may be operated.
For example, a printer manufacturer may program into code portions directly controlling a printhead and paper feed mechanism that the printer should only print at 10 pages per minute. Since this code portion is protected in supervisor mode, it is not possible for a hacker to modify the code and upgrade his printer.
Optionally, the computer system is programmed such that code portions not directly controlling essential hardware in said device are run in user mode. Optionally, a core of the RTOS is run in user mode. The advantages of programming the embedded computer system in this way are twofold. Firstly, the amount of code in supervisor mode is kept to a minimum, which minimizes the risk of bugs being present in this immutable code. Secondly, by having the RTOS and non-essential applications running in user mode, there is an opportunity for a licensed printer manufacturer or distributor, downstream of the original printer manufacturer, to develop its own firmware specific to its requirements on an operating system of its choice. For example, a licensed printer manufacturer may wish to change the format of an LCD display and he may wish to program this using his preferred operating system, hi accordance with the present invention, a licensed printer manufacturer has the flexibility to do this, without the security of a QA system in the device being compromised. Optionally, the computer system is programmed such that a code portion directly controlling essential hardware is callable from an application running in user mode via a trap identifying that code portion. A plurality of code portions, each directly controlling respective essential hardware, may each be independently callable from an application running in user mode via a respective trap identifying a respective code portion. An advantage of being able to call up a particular code portion from user mode is that it provides further flexibility for programming specific operation sequences into the device. User mode applications may be programmed by a licensed device manufacturer or may even be available via an upgrade, downloadable from the Internet. For example, a printer user may wish to have a default option of printing '5000 pages, full color'. He is able to upgrade bis firmware to have this default option, because the print job application(s) programmed into the embedded system run in user mode.
Optionally, the code portion directly controlling essential hardware communicates with at least one authentication chip in the device before an operation of the hardware. The authentication chip (or 'QA chip') authorizes the operation. For example, the code portion may ask the QA chip for the authorized print speed for that printer. The QA chip returns this information (e.g. 10 pages per minute) to the computer system and printing at the authorized print speed can commence. Li this way, licensed operation of the device can be controlled securely via the QA chip, without being compromised by a malicious attack on firmware in the device.
Optionally, a first authentication chip is associated with a consumable component of said device. Examples of consumable components in electronic devices include ink cartridges, toner, paper, batteries etc. The first authentication chip may contain static and/or dynamic data relating to the consumable component. For example, static data may relate to a source, batch number, quality (e.g. ink color), initial quantity etc. of the consumable component. Dynamic data may relate to a current quantity (e.g. amount of remaining ink) or quality (e.g. temperature) of the consumable component.
An electronic device may require several consumable components. Accordingly, the device may comprise a plurality of first authentication chips, each one of the first authentication chips being associated with a respective consumable component.
Optionally, the electronic device is a printer and the consumable component is an ink cartridge having a respective first authentication chip. The authentication chip on an ink cartridge may be used to authorize printing only if certain conditions have been met e.g. (i) printing only when an ink cartridge of a predetermined type, as determined via the associated authentication chip, is loaded in the printer; and/or (ii) printing only when a predetermined amount of ink, as determined via the associated authentication chip, is remaining in the ink cartridge. As described earlier, these authentication mechanisms provide a printer manufacturer with assurances regarding the quality of ink used in its printers, thereby preserving the manufacturer's reputation in the printer market. Optionally, a second authentication chip is positioned in a body of the device, which is not associated with a consumable component. For example, a second authentication chip may be mounted in or on a print engine for a printer. The second authentication chip may be used to authorize certain operations of the device, such as printing at a predetermined speed.
In a second aspect, there is provided a system for upgrading firmware in a PictBridge printer, the system comprising: a PictBridge printer having an embedded computer system; and a memory stick for communicating with said embedded computer system, wherein said memory stick contains a firmware upgrade for said embedded computer system.
In a third aspect, there is provided a memory stick containing a firmware upgrade for an embedded computer system of a PictBridge printer.
In a fourth aspect, there is provided a system for upgrading firmware in a PictBridge printer, the system comprising: a PictBridge printer having an embedded computer system; and a digital camera for communicating with said embedded computer system, wherein said camera contains a firmware upgrade for said embedded computer system.
In a fifth aspect, there is provided a digital camera containing a firmware upgrade for an embedded computer system of a PictBridge printer.
PictBridge is an industry open standard from the Camera & Imaging Products Association (CIPA) for direct printing. It allows images to be printed directly from digital cameras to a printer, without having to connect the camera to a computer. By connecting a PictBridge-enabled printer to a PictBridge-enabled camera using a single USB cable, users can easily control print settings using their camera and produce high quality photos without using a PC. A major advantage of PictBridge printing is its simplicity for the user, and especially those users for whom complex photo application software may be a barrier.
PictBridge relies on communication between embedded computer systems in the camera and printer. These embedded computer systems effectively replace PC photo applications and, moreover, simplify operability for the user.
From time to time, it may be necessary to upgrade firmware in a PictBridge printer. For example, additional printing options may be required or it may be necessary to upgrade firmware so that it is compatible with new PictBridge-enabled cameras on the market. In traditional digital camera systems, software upgrades for PC photo applications are provided via internet downloads or CD. However, many PictBridge printer users may not own a computer in the first place. For those that do own a computer, the complexity of downloading new software onto their PC from the internet and upgrading their PictBridge printer by connecting it to their PC is likely to be a significant barrier. After all, PictBridge users are generally attracted to this system, because of its simplicity and because it obviates the need for a PC.
A major advantage of the present invention is its simplicity for the user. Insertion of a memory stick into a USB port of a PictBridge printer requires no computer skills. Therefore, firmware upgrades of a printer may be confidently performed by anyone without risk or fear of upgrading the printer incorrectly.
As used herein, the term "memory stick" is used to mean any portable non- volatile digital memory device.
The memory stick or camera may communicate with the embedded computer system via standard USB connectors.
Optionally, the memory stick or camera is configured to download automatically a firmware upgrade to the printer if it detects that the printer does not already have that upgrade.
Optionally, the portable non- volatile digital memory device is a memory stick. The camera may be sold with the firmware upgrade already programmed into its memory. Alternatively, the camera may receive the firmware upgrade from an external source. For example, a memory stick may be used to download the firmware upgrade to the camera so that the camera can upgrade the printer when it is next connected.
In a sixth aspect, there is provided a system for protecting supervisor mode data from user code in a register window architecture of a processor, such as the processor of the first aspect, the system comprising, when transitioning from supervisor mode to user mode, setting at least one invalid window bit in the invalid window mask of the architecture additional to the invalid window bit set for the reserved window of the invalid window mask, the additional bit being set for a transition window between supervisor and user data windows.
The position of the additional invalid window bit in the invalid window mask is maintained independent of window overflows and underflows at the transition window. Separate supervisor mode and user mode stacks may be provided, where the separate supervisor mode and user mode stacks are respectively stored in supervisor mode- only and user mode accessible memory.
The current stack pointer may be switched to between the supervisor and user stacks whenever a transition from user mode to supervisor mode and from supervisor mode to user mode occurs.
Optionally, information on the transition window is recorded in the supervisor stack upon window overflow and underflow at the transition window.
Optionally, a window stack is stored in the supervisor mode-only accessible memory, with the information on the transition window being recorded in the window stack upon window overflow and underflow at the transition window.
Optionally, information on non-transition windows is recorded in the window stack upon window overflow and underflow at the non-transition windows.
Optionally, a unique numerical label is assigned to each register window starting from zero and increasing monotonically for every save. A record of the current label - assigned to the reserved window may be held in the local registers of the reserved window, with the record being updated as window overflows and underflows occur at the reserved window. The labels may be calculated based on the current window pointer.
Optionally, the labels are used to index a record of at least the stack pointer of the reserved window in the window stack upon window overflow and underflow at the reserved window.
Optionally, the labels are used to index a record of the stack pointers of each window in the window stack upon window overflow and underflow at each window.
When transitioning from supervisor code to user code, the call function may issue saves to bring the current window pointer to the user window positioned after the transition window and overwrite the registers in at least the windows containing supervisor code data from the current window to the reserved window.
The call function may overwrite the registers in all of the windows from the current window to the reserved window or all the registers of the processor containing supervisor code data. The registers in the transition window may be overwritten upon window overflow and underflow at the transition window.
When transitioning from user code to supervisor code, the window underflow trap routine may issue restores to bring the current window pointer to the supervisor window preceding the transition window. Brief Description of the Drawings
A specific embodiment of the invention will now be described in detail, with reference to the following drawings in which: Figure 1 is a perspective view of a printer having an embedded computer system;
Figure 2 is a diagram showing the interrelationship between various components of the embedded computer system and printer hardware; and
Figure 3 illustrates a register window architecture implemented by a processor of the embedded computer system; Figure 4 illustrates a mode switch between supervisor and user modes; and
Figure 5 illustrates a mode switch between supervisor and user modes employing a transition window.
Detailed Description of a Specific Embodiment Embedded System with User and Supervisor Modes
Figure 1 shows a printer 2 embodying the present invention. Media supply tray 3 supports and supplies media 8 to be printed by a print engine (concealed within a printer casing). Printed sheets of media 8 are fed from the print engine to a media output tray 4 for collection. User interface 5 is an LCD touch screen and enables a user to control the operation of the printer 2. The printer 2 comprises an embedded computer system (not shown), which controls the overall operation of the printer.
Turning to Figure 2, there is shown schematically the embedded computer system 10 and its interrelationship with printer hardware and other external components. The embedded computer system 10 comprises a processor 11, which supports user and supervisor modes. The processor 11 runs code portions 12 controlling essential printing hardware 13 in supervisor mode only. The essential printing hardware 13 may comprise drive circuitry for actuating nozzle actuators, motors driving a feed mechanism etc. All other code is run in user mode, including the core RTOS 14.
Applications 15 running in user mode control printer operations indirectly via traps which call up code portions 12. In this way, the integrity of the code portions 12 is protected, whilst still allowing some flexibility on exactly how the printer is operated.
The code portions 12 are in communication with a print engine QA chip 16a and one or more ink cartridge QA chips 16b in the printer. Before any operation of essential printing hardware 13, the code portions 12 communicate with the QA chips 16a and 16b to request authorization for that operation.
The print engine QA chip 16a is programmed with an authorized print speed {e.g. 30 pages per minute). This information is returned to the code portions 12 and the essential printing hardware 13 is operated in accordance with the authorized print speed.
The ink cartridge QA chip 16b is programmed with information regarding the ink, including an amount of remaining ink. If, for example, the ink cartridge QA chip 16b returns information that no ink is remaining in the cartridge, then the code portions 12 are not authorized to operate the essential printing hardware 13 and printing is aborted. Since the code portions 12 are run in supervisor mode only, it is not possible for an unauthorized person to modify these code portions and, hence, it is not possible to change the operation of essential printing hardware 13 or override the security provided by the QA chips 16a and 16b.
On the other hand, code portions 17 controlling non-essential hardware 18, such as the LCD display 5, are run in user mode. These code portions 17, together with the core RTOS 14, can be modified without any authorization privileges, to provide flexibility in operation of non-essential hardware and even flexibility in selecting a desired operating system.
With the embedded system 10 arranged as described above, all printer upgrades and ink refills can be reliably controlled via the QA chips 16a and 16b. The print engine QA chip 16a may receive a print speed upgrade 19 via an authorized internet download or memory stick. Likewise, an ink refill QA chip 20 may communicate with the ink cartridge QA chip 16b during an authorized ink refill, so that the ink cartridge QA chip 16b knows a refill from an authentic source has taken place. Authorized ink refill operations are described in detail in our earlier US patent application no. 11/014,769 (filed on December 12, 2004), the contents of which is hereby incorporated by reference.
Firmware Upgrades
As described above, the majority of firmware in the embedded system 10 for printer 2 may be modified or upgraded without compromising the security of licensed printer operations. Some firmware upgrades may be provided by the user.
Referring to Figure 2, a firmware upgrade may be provided by a memory stick 30 or a camera 31. The memory stick 30 or camera 31 contains the firmware upgrade in its memory and automatically downloads the upgrade to the embedded system 10 if it detects that the embedded system requires upgrading.
In the case of the memory stick 30, the user simply plugs the memory stick into a USB port of a PictBridge printer. In the case of the camera 31, the user simply connects the camera to a Pictbridge printer via its USB port in the normal way. The user may even be unaware that a firmware upgrade has taken place if the camera was purchased with the upgrade contained in its memory. Alternatively, the memory stick 30 may be used to download a firmware upgrade into the camera's memory, and the camera 31 used to upgrade firmware in the embedded system 10 when the camera is next connected to the printer 2.
Invalid Window Mask Configuration for User and Supervisor Codes
Further security is provided by protecting all supervisor code from user code. This removes the possibility of user code reading sensitive data and having the computer system execute arbitrary code in supervisor mode, which could allow unauthorized access to, and modification of, the operational hardware and software of the printer.
The processor 11 implements a register window architecture to manipulate data. For example, the processor is a LEON CPU implementing SPARC™ architecture. In the processor 11, the Integer Unit working registers ('r' registers), the Multiply/Divide register (Y register), the Program Counters (PC and nPC) and the hardware watchpoints are accessible to user code. Accordingly, these registers must not hold sensitive data across transitions between supervisor and user modes, in either direction.
The 'r' registers of the print engine have eight global 32-bit registers and eight sets of registers with sixteen 32-bit registers in each set. The register sets are arranged such that the processor 11 has a window that sees 24 of the registers. The current window being viewed is determined by a pointer to that window, such as a Current Window Pointer (CWP). It is to be understood that the above number of registers and register sets are merely exemplary, and a different number of registers and registers sets may be used. For example, SPARC™ architecture allows a configurable number of register sets from two to 32.
With only eight windows, function calls and traps beyond this depth will cause the register window to overflow, which is handled by using a combination of an invalid window mask and overflow and underflow traps. The invalid window mask may, for example, be the Windows Invalid Mask (WIM) used in SPARC™ architecture. Overflow and underflow handlers are used to give the illusion of an unbounded number of register windows.
Conventionally, an invalid window mask contains one bit per window and overflow and underflow traps are generated when an instruction is issued to move to a new window which has its bit set, designating it as invalid.
For example, when a save instruction is issued to move the current window from window N to window N-I, the processor first checks bit N-I of the invalid window mask. If that bit is set, the window is invalid, such that the processor does not change windows but generates a window overflow trap. Similarly, when a restore instruction is issued to move the current window from window N to window N+l , the processor first checks bit N+l of the invalid window mask. If that bit is set, the window is invalid, such that the processor does not change windows but generates a window underflow trap.
Because the mask is ignored when a trap, such as an interrupt, occurs, rotating the window regardless, it is conventional to reserve one window as invalid so as to ensure that used registers are not overwritten when a tap occurs. Accordingly, the invalid window mask conventionally has a value with one bit set, which marks the end of the available windows, i.e., seven in the present embodiment, and reserves one window for a trap.
When an overflow trap is taken, e.g., as a result of a save instruction rotating the current window to a reserved window, the trap handler saves the oldest window to memory, rotates the invalid mask to now point to that saved window, and thereby frees up the previously reserved window for use. The reverse occurs when an underflow trap is taken, e.g., as a result of a restore instruction rotating the current window to a reserved window.
Each register set has 16 registers, comprising eight "in" registers and eight "local" registers. However, the window sees 24 registers, the remaining registers being eight "out" registers. Thus, as the window cycles through the sets, the processor 11 sees some registers from the adjacent set. This is illustrated in Figure 3, where the "out" registers correspond to the "in" registers of the next lowest window. Thus, a given window can modify the "out" registers of the next highest window and the "in" registers of the next lowest window, even upon overflow and underflow.
Accordingly, unless appropriate measures are taken a user mode window is able to read and modify some of the data in adjacent windows including supervisor mode windows. It may even be possible for the user code to cycle through the register windows, reading and modifying the values. This is illustrated in Figure 4, in which a switch from supervisor mode to user mode is shown. As can be seen, the supervisor code had been using windows 7 and 6 before calling the user code, however there is nothing stopping the user code from issuing multiple instructions to move back and read/modify the supervisor data. Potentially this can lead to examples such as, if a supervisor code's registers are stored in user accessible memory, the user code easily overwriting those values thereby adjusting the values the supervisor code sees when registers are restored, or even if the supervisor code's registers are stored in supervisor-only accessible memory, the user code modifying the "out" register values and potentially fooling the code into restoring the registers from the wrong location. hi the present embodiment, these potential security threats to the supervisor code, and therefore sensitive data, are minimized by providing a system implemented by the processor 11 which configures the invalid window mask to set at least one additional bit. This designates an invalid window(s) beyond the conventional reserved window which causes additional overflow and underflow traps to be generated, namely at transitions between supervisor and user modes.
To facilitate these additional traps, separate stacks are used for supervisor code data and user code data. When transitions occur, the current stack pointer, e.g., %o6, is switched between the supervisor and user stacks. The supervisor stack is stored in supervisor mode-only accessible memory and the user stack is stored in user mode accessible or user mode-only accessible memory.
The setting of the additional bit provides a transition window between supervisor and user windows which ensures that sensitive data stored in the supervisor registers is not accessible to user code. This is illustrated in Figure 5 where, before calling user code, the supervisor code moved down an extra two windows and marked the intermediate window invalid in the invalid window mask. This window represents a barrier at the transition because if the user code issues multiple instructions to move back through the windows, it will generate a trap when it hits the invalid window at window 5.
The location of the transition window (there may be more than one) is maintained as overflows and underflows occur. This is done by either storing information on the transition window(s) in the supervisor stack as traps occur, or storing this same information in a separate window stack, which is maintained in supervisor mode-only accessible memory. In this way, information about the transition windows is not stored in the invalid window mask or in the registers of the transition window itself. Accordingly, this information cannot be accessed by user code, thereby protecting the supervisor code data stored in the "out" or "in" registers of the transition window.
The possibility of an overflow occurring whenever supervisor mode is entered is checked so as to prevent overflow of the supervisor stack and therefore prevent overwriting of other supervisor code data. Such overflows may occur as a result of the user installing a function to be called by a trap which issues that same trap, thereby potentially causing large nesting, or a function to be called on a timer tick which takes longer than the tick's period to execute, thereby inducing continual nesting of interrupts.
Further protection of supervisor code data is needed when the reserved window is rotated on top of a supervisor window due to a call function and user code issues a trap to call supervisor code, for example. This protection is effected by configuring the traps to overwrite with 0 (e.g., with %gθ) all "in" and "local" registers in the new reserved window after saving the registers to memory for the former situation, and by configuring the traps to overwrite all used register windows before returning for the latter situation. With respect to overwriting all used register windows, a common piece of code that returns from traps can be employed, where the code overwrites all register windows from (and including) the current window down to (but not including) the reserved window (which has already been overwritten). Alternatively, code which overwrites the number of windows known to be used or known to contain supervisor code data can be used. Because the user code calls the supervisor mode by way of a trap, the associated trap routine is configured to remember the return addresses from the trap. It may also remember the previous processor state register (PSR) when SPARC™ architecture is employed. This is done in the "local" registers of the new register window allocated for the trap routine. Given this, there will never be two adjacent transition windows, i.e., every transition window will be preceded by at least one supervisor window, namely the window used to hold the return addresses from the trap.
An exemplary system of maintaining a stack of overflow and transition windows, executed in either hardware or firmware, is now described with respect to the processor 11 employing SPARC™ architecture (a similar system is also applicable to underflows): 1. Each thread has an associated stack for storing information about transition windows.
2. Whenever supervisor code wants to call user code, it issues a call instruction to a function ('callUserFunction'), which takes the following arguments: (i) The address of the function to be called, in %oO. (ii) The current user (NOT supervisor) stack pointer in %ol, where the caller must arrange to pass a correct user stack pointer:
• where an interrupt routine calls a user function, the trap routine could either use the user stack pointer read from the current thread context or a separate, dedicated user stack for the interrupt is used. In the latter case, context-switch calls are disabled during these calls because it is not possible to context-switch between threads if they share a common stack;
• where a non-interrupt trap routine calls a user function, that trap routine would use the user stack pointer read from the current thread context. (iii) Up to four parameters to be passed to the user function, in %o2 to %o5. %o6 contains the current frame pointer (on the supervisor stack), which must be maintained because it is where the previous supervisor window will be saved if an overflow occurs. Accordingly, callUserFunction is configured to:
• issue a save, which brings the CWP to the transition window. It also means the function arguments are in the "in" registers, where the transition window's %Ϊ7 contains the address of the call instruction that called callUserFunction (because the call instruction put it there);
• copy the "in" registers that contain arguments to the "out" registers, which includes the function to be called and the user stack pointer; • mark the current window (being the transition window) as invalid in the WIM.
• save the %y register and the global registers into the "local" and "in" registers in this transition window;
• issue another save, e.g., "save %il, -104, %o6", which moves the current window beyond the transition window, meaning the arguments copied above are now in the "in" registers;
• overwrite all register windows from the current window down to (but not including) the reserved window (which has already been overwritten). However, when overwriting the current window, those "in" registers used for arguments are not overwritten; • overwrite the %y register and the global registers, which protects any old supervisor data;
• switch to user mode;
• copy the required user-function arguments from %i2 to %i5 to %o0 to %o3;
• call the user function; • after the user function returns, copy the current window's %oO to %iθ, which is the return value from the user function and is now in the transition window's %oO; and
• having copied %oO, issue a restore, which should hit the WIM' s invalid bit set for the transition window, meaning the underflow trap routine should take over. The code after the restore instruction should not be executed because the restore should have caused a trap. If the code is to be executed it means the user code doesn't match all save instructions with restore instructions. This is due to a bug or malicious attack. Thus, the processor 11 is halted until reset or the code is branched back to the restore instruction, continually unwinding the register window until the expected trap is encountered.
3. The window overflow trap routine determines if the window to be saved to memory is already marked as invalid in the WIM:
• If it is not marked invalid, it means it's a normal window. The trap routine therefore saves the window's registers to memory as normal, and pushes a "normal" record onto the window stack, after checking for stack overflow (as described above). This record only needs to be a single flag indicating that this is a "normal" record.
• If it is marked invalid, it means it's a transition window. In this case, there is no need for the trap routine to save any registers to memory. However, it pushes a "transition" record onto the window stack. This record must include:
• a flag indicating that this is a "transition" record; and
• the transition window's frame pointer, i.e. %i6, the return address from callUserFunction which is read from transition window's %i7 and the %y register and global register values saved in the transition window. The %i6, %i7, %y and global registers must be saved on the window stack because they are not necessarily maintained in the transition window after the transition window is saved. After doing these saves, the transition window's registers must be overwritten (as described above).
4. The window underflow trap routine does the following: • Looks at the WIM to see if more than one bit is set. If more than one bit is set, it means that the window just encountered is a transition window. This is because the reserved window is always the first invalid window in the downward direction, such that encountering a different invalid window in the upward direction can only mean that that window is a transition window. In this case, the trap routine is configured to:
• mark the transition window as valid in the WIM;
• copy the transition window's %oO to %iθ, which is the return value from the user function;
• restore the %y and global registers from the transition window's local registers;
• move the current window pointer to the window prior to the transition window. If this hits another invalid window, that window must be the reserved window because consecutive transition windows are not possible, as described earlier. In this case, that invalid window is restored from memory, and its associated normal record is popped from the window stack; and
• jump to the supervisor code that first called callUserFunction, the address of which is available via the current window's %o7 (i.e., the transition window's %i7 because, in this case, the transition window hasn't been overwritten by an overflow). If the WIM only has one bit set, it is the reserved window that has been struck, so the trap must pop a record from the window stack. That record will indicate whether or not the window to be restored is a transition window. If it is not a transition window, the trap routine simply restores that window from memory, adjusting the CWP, and shuffling the reserved window bit appropriately in the
WEvI. If it is a transition window, the trap routine is configured to:
• restore the transition window's %i6 and %i7, and the %y and global registers from the transition record popped from the stack;
• copy the transition window's %oO to %iθ, which is the return value from the user function;
• move the current window pointer to the window prior to the transition window, shuffling the reserved window bit appropriately in the WIM. This brings the CWP to the supervisor window before the transition window, meaning the values written to the "in" registers above are now in the "out" registers. Note that this window will still be in memory at this time; it also needs to be restored;
• pop the next record from the window stack, which is the "normal" record corresponding to the saved supervisor window; • restore that saved supervisor window, which restores the "in" and "local" registers. The values in the "out" registers (the return value etc from above) won't be overwritten; and
• jump to the supervisor code that first called callUserFunction, the address of which is available via the restored supervisor window's %o7.
In the above example, the window stack is used to record flags related to the type of window being stored, i.e., a "transition" record for a transition window and a "normal" record for a non-transition window. In this way, the position of the transition window(s) is maintained throughout overflows and underflows, and the transitions between supervisor and user modes do not result in sensitive data being accessible to user code. This is further ensured by the overwriting of all register windows before returning from traps.
Alternatively, or additionally, each used register window is labeled and the %o6 value is stored on register overflow to be used for the corresponding restore, hi this way, on occurrence of overflows and underflows it is known whether a register window belongs to user mode or supervisor mode, upon checking and validation of the %o6 value.
The labels are allocated, for example, as unique numerical labels for every possible register window for a thread of execution, starting from zero and increasing monotonically for every save and/or function. The labels are used similar to the flag records described above by keeping a record of where the labels are as overflows and underflows occur. That is, a record may be kept of the current label assigned to the reserved window, and the reserved window's window number. This is updated whenever the overflow and underflow routines shift the reserved window, where an overflow increments the label and an underflow decrements the label.
For example, at thread initialization the reserved window's label is set to eight, and its window number to zero. This record could be kept in some thread-specific supervisor RAM or it could be held in the "local" registers of the reserved window (which is inaccessible to user code), hi this case, the underflow and overflow traps shift the value as they, shift the reserved window. The label (L) of the current window can then be calculated as L = reserved window label - ((CWP - reserved window number);bit-wise ANDed with N-I5 N being the number of register windows).
The labels can also be used to access an additional state for each register window at overflow and underflow events. The additional state contains the saved stack pointer, e.g., %o6, for the window and the mode of the window. The mode identifies whether the window is executing in supervisor mode, and can additionally identify whether the window is executing in an interrupt and mode change. Similar to the flag records described above, this provides records on whether a register window belongs to user mode or supervisor mode, hi this case, the label for the current window can be calculated as L = next label to save + ((CWP + next label to save)Λ(N-l);bit-wise ANDed with N-I5 N being the number of register windows), where the 'next label to save' variable contains the label for the next register window to overflow, which assists in the orderly handling of overflows and underflows.
The additional state information is accessed by indexing a record of the stack pointer and mode in the window stack when overflows and underflows occur as part of the label record. This can be done for the reserved window only, as described above, or for all of the register windows, hi this way, restores across transitions between user and supervisor modes can be identified and handled differently than restores which remain in user mode, for example in the manner described above. Thereby, protecting the supervisor mode sensitive data from user code access. It will, of course, be appreciated that the present invention has been described purely by way of example and that modifications of detail may be made within the scope of the invention, which is defined by the accompanying claims.

Claims

1. A system for protecting supervisor mode data from user code in a register window architecture of a processor, the system comprising, when transitioning from supervisor mode to user mode, setting at least one invalid window bit in the invalid window mask of the architecture additional to the invalid window bit set for the reserved window of the invalid window mask, the additional bit being set for a transition window between supervisor and user data windows.
2. A system according to claim 1 , wherein the register window architecture of the processor is SPARC™ register window architecture.
3. A system according to claim 1 , wherein the processor is incorporated in a print engine for a printer.
4. A system according to claim 1, wherein the position of the additional invalid window bit in the invalid window mask is maintained independent of window overflows and underflows at the transition window.
5. A system according to claim 1, further comprising separate supervisor mode and user mode stacks.
6. A system according to claim 5, wherein the separate supervisor mode and user mode stacks are respectively stored in supervisor mode-only and user mode accessible memory.
7. A system according to claim 6, wherein: the current stack pointer is switched to the supervisor stack whenever a transition from user mode to supervisor mode occurs; and the current stack pointer is switched to the user stack whenever a transition from supervisor mode to user mode occurs.
8. A system according to claim 6, wherein information on the transition window is recorded in the supervisor stack upon window overflow and underflow at the transition window.
9. A system according to claim 6, further comprising a window stack stored in the supervisor mode-only accessible memory, information on the transition window being recorded in the window stack upon window overflow and underflow at the transition window.
10. A system according to claim 9, wherein information on non-transition windows is recorded in the window stack upon window overflow and underflow at the non-transition windows.
11. A system according to claim 6, wherein a unique numerical label is assigned to each register window starting from 0 and increasing monotonically for every save.
12. A system according to claim 11, wherein a record of the current label assigned to the reserved window is held in the local registers of the reserved window, the record being updated as window overflows and underflows occur at the reserved window.
13. A system according to claim 11, further comprising a window stack stored in the supervisor mode-only accessible memory, the labels being used to index a record of at least the stack pointer of the reserved window in the window stack upon window overflow and underflow at the reserved window.
14. A system according to claim 13, wherein the labels are used to index a record of the stack pointers of each window in the window stack upon window overflow and underflow at each window.
15. A system according to claim 11 , wherein the labels are calculated based on the current window pointer.
16. A system according to claim 1, wherein, when transitioning from supervisor code to user code, the call function issues saves to bring the current window pointer to the user window positioned after the transition window and overwrites the registers in at least the windows containing supervisor code data from the current window to the reserved window.
17. A system according to claim 16, wherein the call function overwrites the registers in all of the windows from the current window to the reserved window.
18. A system according to claim 17, wherein the call function overwrites all registers of the processor containing supervisor code data.
19. A system according to claim 1, wherein the registers in the transition window are overwritten upon window overflow and underflow at the transition window.
20. A system according to claim 1, wherein, when transitioning from user code to supervisor code, the window underflow trap routine issues restores to bring the current window pointer to the supervisor window preceding the transition window.
EP06760841A 2006-07-10 2006-07-10 SYSTEM FOR PROTECTING USER SENSITIVE DATA IN A REGISTER WINDOW ARCHITECTURE Withdrawn EP2044517A4 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/AU2006/000971 WO2008006130A1 (en) 2006-07-10 2006-07-10 System for protecting sensitive data from user code in register window architecture

Publications (2)

Publication Number Publication Date
EP2044517A1 true EP2044517A1 (en) 2009-04-08
EP2044517A4 EP2044517A4 (en) 2010-08-25

Family

ID=38922824

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06760841A Withdrawn EP2044517A4 (en) 2006-07-10 2006-07-10 SYSTEM FOR PROTECTING USER SENSITIVE DATA IN A REGISTER WINDOW ARCHITECTURE

Country Status (3)

Country Link
EP (1) EP2044517A4 (en)
JP (1) JP2009543234A (en)
WO (1) WO2008006130A1 (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5083263A (en) * 1988-07-28 1992-01-21 Sun Microsystems, Inc. BISC with interconnected register ring and selectively operating portion of the ring as a conventional computer
US5655132A (en) * 1994-08-08 1997-08-05 Rockwell International Corporation Register file with multi-tasking support
JP3595028B2 (en) * 1995-06-20 2004-12-02 富士通株式会社 Real-time OS processing method
US6167504A (en) * 1998-07-24 2000-12-26 Sun Microsystems, Inc. Method, apparatus and computer program product for processing stack related exception traps
TWI229817B (en) * 2003-01-07 2005-03-21 Wistron Corp Kernel-mode operating system of application program and method thereof
JP4246672B2 (en) * 2004-06-03 2009-04-02 株式会社リコー Image forming apparatus and image forming apparatus control method
JP4956891B2 (en) * 2004-07-26 2012-06-20 富士通株式会社 Arithmetic processing apparatus, information processing apparatus, and control method for arithmetic processing apparatus

Also Published As

Publication number Publication date
EP2044517A4 (en) 2010-08-25
WO2008006130A1 (en) 2008-01-17
JP2009543234A (en) 2009-12-03

Similar Documents

Publication Publication Date Title
US7984257B2 (en) System for protecting supervisor mode data from user code
KR102836890B1 (en) Transition Disable Indicator
JP7467856B2 (en) Image forming apparatus and consumable cartridge
JP4939382B2 (en) Information processing apparatus and program execution control method thereof
US20070300207A1 (en) Boot Validation System and Method
JP2009053901A (en) Printer
US20100277536A1 (en) Electronic device having essential hardware authentication
JP2001306170A (en) Image processing apparatus, image processing system, method of restricting use of image processing apparatus, and storage medium
WO1999059049A1 (en) Protected storage device for computer system
JP3978521B2 (en) Game machine
JP4584044B2 (en) Semiconductor device
US20080010637A1 (en) Pictbridge printer firmware upgrades via camera
US20060036800A1 (en) Process management method and image forming apparatus
EP2044517A1 (en) System for protecting sensitive data from user code in register window architecture
JP2008176608A (en) Data backup device and data backup method
US20080010636A1 (en) Pictbridge printer firmware upgrades via memory stick
US8689320B2 (en) Image forming apparatus with hard disk drive securely formatted
US6415351B1 (en) Switching access to a flash memory from an IC card, after downloading is complete, while the power is still on
JP4545496B2 (en) Electrical equipment
JP4865064B2 (en) Semiconductor device
JPH0223427A (en) Personal computer
JP4418942B2 (en) Game machine
JP4266995B2 (en) Image forming apparatus
JP2008009799A (en) Image forming device
JP4491660B2 (en) Image forming apparatus

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20090206

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA HR MK RS

A4 Supplementary search report drawn up and despatched

Effective date: 20100726

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 13/00 20060101ALI20100720BHEP

Ipc: G06F 9/46 20060101AFI20100720BHEP

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 13/00 20060101ALI20110131BHEP

Ipc: G06F 9/46 20060101AFI20110131BHEP

17Q First examination report despatched

Effective date: 20110218

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ZAMTEC LIMITED

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ZAMTEC LIMITED

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: MEMJET TECHNOLOLGY LIMITED

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: MEMJET TECHNOLOGY LIMITED

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20160111