ELECTRONIC CONTROL DEVICE
20170374026 · 2017-12-28
Assignee
Inventors
- Torsten Martin (Steinbach/Taunus, DE)
- Hans Gregor Molter (Darmstadt, DE)
- Nils Bauch (Idstein, DE)
- Sven Kretschmar (Gustavsburg, DE)
Cpc classification
G06F3/0644
PHYSICS
B60R16/0231
PERFORMING OPERATIONS; TRANSPORTING
G06F2009/45595
PHYSICS
G06F21/85
PHYSICS
G06F21/53
PHYSICS
H04L63/0218
ELECTRICITY
G06F9/5077
PHYSICS
H04L63/0209
ELECTRICITY
International classification
G06F9/50
PHYSICS
G06F21/85
PHYSICS
G06F21/53
PHYSICS
Abstract
An electronic control device comprising a number of application partitions and a firewall partition, and further comprising a number of secured interfaces which can be accessed only from the firewall partition. This increases the security of the electronic control device, for example when it is used as an embedded controller.
Claims
1. An electronic control device comprising a number of application partitions, wherein in each application partition a respective application is implemented, at least one firewall partition, in which a firewall is implemented, a number of secured interfaces which are designed to communicate with appliances external to the control device and/or with on-board appliances, wherein the secured interfaces can be triggered solely from the firewall partition, and a number of virtual interfaces, which are designed respectively to communicate between the firewall partition and at least one application partition, wherein the control device is designed as an embedded controller.
2. The electronic control device according to claim 1, wherein the secured interfaces can be triggered from the firewall partition in such a manner that data can be issued from the firewall partition via the secured interfaces, and/or in such a manner that data can be received by the firewall partition via the secured interfaces.
3. The electronic control device according to claim 1, wherein the virtual interfaces respectively enable a transfer of data from at least one application partition to the firewall partition and/or from the firewall partition to at least one application partition.
4. The electronic control device according to claim 1, wherein at least one of the virtual interfaces can be formed by an overlap between a firewall partition and at least one application partition.
5. The electronic control device according to claim 1, wherein at least one of the virtual interfaces is formed by means of a dedicated register, which does not belong to an application partition, or to a firewall partition and which can be addressed from at least one application partition and from the firewall partition.
6. The electronic control device according to claim 1, wherein the firewall is designed to report a data flow between a virtual interface and a secured interface when the respective data flow is impermissible according to a specified list.
7. The electronic control device according to claim 1, wherein the firewall is designed to only permit a data flow between a virtual interface and a secured interface when the respective data flow is permissible according to a specified list.
8. The electronic control device according to claim 1, wherein the firewall is designed to report a data flow between a virtual interface and a secured interface when the respective data flow is to be reported according to a specified list.
9. The electronic control device according to claim 1, which further features a number of non-secured interfaces, which are designed to communicate with appliances external to the control device, wherein the non-secured interfaces are directly triggerable from at least one application partition, or are triggerable via the firewall partition in such a manner that data exchanged between the application partition and the non-secured interface is in general permitted by the firewall.
10. The electronic control device according to claim 1, wherein the firewall partition is a component of a plurality of firewall partitions, wherein each firewall partition is assigned to a number of secured interfaces.
11. (canceled)
12. The electronic control device according to claim 1 further comprising: a memory management unit, wherein the memory management unit manages the partitions.
13. The electronic control device according to claim 1 further comprising: a memory protection unit, MPU, wherein the memory protection unit manages the partitions.
14. The electronic control device according to claim 1 further comprising: an operating system, wherein the operating system prevents direct access to the secured interfaces from the application partitions, and/or wherein the operating system enables communication between different partitions by providing an overlap of the respective partitions or by providing a dedicated register, and/or wherein the operating system assigns computing time to different applications, and/or wherein the operating system configures a memory management unit or a memory protection unit.
15. The electronic control device according to claim 1, wherein the secured interfaces can be one or more of the following interfaces: General Purpose Input/Output, Serial Peripheral Interface, Controller Area Network, Ethernet, Universal Asynchronous Receiver Transmitter, FlexRay, LIN, Secure Digital Input Output, I2C, other serial interface.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0044] Further features and advantages will be derived by persons skilled in the art from the exemplary embodiment described below with reference to the appended drawing.
[0045]
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0046]
[0047] The firewall running in the firewall partition 210 features a CAN driver 213, an SPI driver 215 and a GPIO driver 217. These drivers can communicate with the interfaces 110, 120, 130 of the interface part 100, and thus address these interfaces 110, 120, 130, so that communication is possible with external appliances or with on-board appliances. As can be seen in
[0048] The firewall further features a CAN inspection module 212, an SPI inspection module 214 and a GPIO inspection module 216. The inspection modules 212, 214, 216 are designed to inspect the respective data traffic to the drivers 213, 215, 217. In particular, they are designed to monitor the respective data traffic as to whether suspicious or forbidden data is included; in that case, the data traffic is stopped immediately. This corresponds to the so-called blacklist principle, in which communication is generally permitted but is prevented when certain rules or criteria apply. Even if an attacker should succeed in placing malware into one of the application partitions 220, 230, potentially malicious communication to the outside could still be prevented by the firewall. Note again that the interfaces 110, 120, 130, which ultimately create the connection to the outside, can only be addressed from the firewall partition 210, so that only data traffic which has been inspected by one of the inspection modules 212, 214, 216 reaches the outside or is received from the outside. As is shown, it is also provided that the SPI inspection module 214 and the GPIO inspection module 216 can exchange data with each other.
[0049] As is shown, the first application partition 220 is designed in such a manner that the first application, which executes e.g. an algorithm 222, can access the CAN interface. For this purpose, a virtual CAN interface 224 is provided, which is primarily designed as a register that can be accessed both by the first application partition 220 and by the firewall partition 210. This enables the first application to exchange data, from its first application partition 220, with the firewall in the firewall partition 210, which then forwards the data to the CAN interface 110 unless it contravenes any rules. A similar process occurs when data is received via the CAN interface 110.
[0050] The second application, which runs in the second application partition 230 and which executes e.g. an algorithm 232, can by contrast access the SPI interface 120 and the GPIO interface 130. For this purpose, a virtual SPI interface 234 and a virtual GPIO interface 236 are implemented which are primarily designed as a register, which can be accessed both from the second application partition 230 and from the firewall partition 210. This enables a data exchange in the same form between the second application partition 230 and the firewall partition 210, so that the second application can access the SPI interface 120 and the GPIO interface 130 from its second application partition, i.e. it can send data via these and receive data via these. The corresponding data traffic is monitored by the firewall in the firewall partition 210. Additionally, communication is also provided between the virtual SPI interface 234 and the virtual GPIO interface 236.
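The data path described in paragraphs [0048] to [0050], together with the rule handling of claims 6 to 8 and the MPU-based separation of claims 13 and 14, as an added host-side model written for this page (it is not code from the patent or from the applicant). It is restricted to the CAN path: an application partition can only write CAN frames into a virtual interface register it shares with the firewall partition, the firewall inspects each frame against a rule list, and only the firewall partition may touch the secured CAN interface. Partition numbers, register addresses, the rule list, the UDS diagnostic ID range and every sample frame are assumptions made for illustration.

```c
/* Added example, not from the patent: a host-side model of the partitioned
 * controller of claims 6-8, 13 and 14 and paragraphs [0048]-[0050], restricted to
 * the CAN path. Partition numbers, addresses, rules and sample frames are assumed.
 * Build: cc -std=c99 -Wall fw_model.c && ./a.out */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum partition { PART_FIREWALL = 0, PART_APP1 = 1, PART_APP2 = 2 };

/* Assumed memory map: the secured CAN interface (110) and the virtual CAN
 * interface register (224) which the first application shares with the firewall. */
#define CAN_PERIPH_BASE 0x40006400u
#define CAN_PERIPH_SIZE 0x400u
#define VCAN_REG_BASE   0x20001000u
#define VCAN_REG_SIZE   0x100u

/* MPU region table as the operating system of claim 14 would configure it. */
struct mpu_region { uint32_t base, size; uint8_t allowed_mask; };
static const struct mpu_region regions[] = {
    { CAN_PERIPH_BASE, CAN_PERIPH_SIZE, 1u << PART_FIREWALL },                       /* firewall only     */
    { VCAN_REG_BASE,   VCAN_REG_SIZE,   (1u << PART_FIREWALL) | (1u << PART_APP1) }, /* overlap, claim 4  */
};

/* Models the MPU check: true if partition `part` may touch `addr`; unmapped -> deny. */
bool mpu_allows(enum partition part, uint32_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return (regions[i].allowed_mask >> part) & 1u;
    return false;
}

struct can_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* Virtual CAN interface 224: a mailbox-style register holding a few pending frames. */
#define VCAN_SLOTS 8
static struct { struct can_frame slot[VCAN_SLOTS]; unsigned head, tail; } vcan;

/* Application side: post a frame to the virtual interface; fails if the MPU denies it. */
bool app_post_frame(enum partition part, const struct can_frame *f) {
    if (!mpu_allows(part, VCAN_REG_BASE)) return false;
    if (vcan.head - vcan.tail == VCAN_SLOTS) return false; /* mailbox full */
    vcan.slot[vcan.head++ % VCAN_SLOTS] = *f;
    return true;
}

/* Inspection rules (assumed). IDs matching no rule are denied, i.e. the allowlist
 * principle of claim 7; V_ALLOW_REPORT and V_DENY_REPORT cover claims 8 and 6. */
enum verdict { V_ALLOW, V_ALLOW_REPORT, V_DENY_REPORT };
struct rule { uint32_t id_min, id_max; enum verdict verdict; };
static const struct rule rules[] = {
    { 0x100, 0x1FF, V_ALLOW },        /* sensor broadcasts: forwarded silently      */
    { 0x200, 0x200, V_ALLOW_REPORT }, /* forwarded, but reported                    */
    { 0x7DF, 0x7EF, V_DENY_REPORT },  /* UDS diagnostic requests: blocked, reported */
};

enum verdict inspect_can(const struct can_frame *f) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (f->id >= rules[i].id_min && f->id <= rules[i].id_max) return rules[i].verdict;
    return V_DENY_REPORT;
}

/* CAN driver 213: the only path to the secured interface; `wire` stands in for the bus. */
static struct can_frame wire[16];
static unsigned wire_n, reports;
bool can_driver_send(enum partition part, const struct can_frame *f) {
    if (!mpu_allows(part, CAN_PERIPH_BASE)) return false; /* only the firewall reaches 110 */
    if (wire_n < sizeof wire / sizeof wire[0]) wire[wire_n++] = *f;
    return true;
}
unsigned wire_count(void)   { return wire_n; }
unsigned report_count(void) { return reports; }

/* One pass of the firewall partition: drain the virtual interface, inspect, forward. */
struct fw_stats { unsigned forwarded, blocked, reported; };
struct fw_stats firewall_run(void) {
    struct fw_stats s = { 0, 0, 0 };
    while (vcan.tail != vcan.head) {
        const struct can_frame *f = &vcan.slot[vcan.tail++ % VCAN_SLOTS];
        enum verdict v = inspect_can(f);
        if (v != V_ALLOW) { s.reported++; reports++; printf("report: id 0x%03X\n", (unsigned)f->id); }
        if (v == V_DENY_REPORT) { s.blocked++; continue; }
        if (can_driver_send(PART_FIREWALL, f)) s.forwarded++;
    }
    return s;
}

int main(void) {
    /* Constructed sample traffic from the first application partition. */
    struct can_frame frames[] = { {0x123,2,{1,2}}, {0x200,1,{9}}, {0x7DF,2,{0x3E,0}}, {0x555,0,{0}} };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) app_post_frame(PART_APP1, &frames[i]);
    struct fw_stats s = firewall_run();
    printf("forwarded=%u blocked=%u reported=%u\n", s.forwarded, s.blocked, s.reported);
    /* A compromised application trying to bypass the firewall is stopped by the MPU, not by policy. */
    printf("direct send from app1: %s\n", can_driver_send(PART_APP1, &frames[0]) ? "allowed" : "denied");
    return 0;
}
```

The point the model makes is the one paragraph [0052] relies on: the rule list decides what is forwarded, but the property that a compromised application cannot skip the rule list at all comes from `mpu_allows`, i.e. from the memory protection the operating system configures, not from the firewall code. On a real controller the region table would be written into the MPU registers and a violation would raise a fault rather than return false.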
[0051] As presented, communication is also possible between the two applications in the application partitions 220, 230.
[0052] It should be mentioned that the firewall running in the firewall partition 210 is deliberately kept simple, so that it offers no weak points which could be exploited by attackers. It is thus considerably less likely that an attacker will succeed in compromising the firewall in the firewall partition 210 than one of the applications in the application partitions 220, 230. Even if the latter should occur despite all precautionary measures, the firewall would still continue to function and, because the hardware enforces that all data traffic must pass through the firewall, it can still capture any malicious data traffic.
[0053] The claims which are a part of the application do not represent a waiver of the attainment of further protection.
[0054] Insofar as it emerges during the course of the procedure that a feature or a group of features is not absolutely necessary, a formulation is already sought at this stage by the applicant of at least one independent claim, which no longer comprises the feature or group of features. This can for example be a sub-combination of a claim present on the day of application, or a sub-combination which is restricted by further features of a claim present on the day of application. Such claims or feature combinations to be newly formulated should be understood as being covered by the disclosure of this application.
[0055] Reference is further made to the fact that designs, features and variants of the invention which are described in the different embodiments or exemplary embodiments and/or shown in the figures can be combined with each other in any way desired. Individual or multiple features can be exchanged as required. Such claims or feature combinations thus created should be understood as being covered by the disclosure of this application.
[0056] References in dependent claims should not be understood as a waiver of the attainment of independent, concrete protection for the features of the subclaims to which reference is made. These features can also be combined with other features as desired.
[0057] Features which are disclosed only in the description, or which are disclosed in the description or in a claim only in connection with other features, can in general be of independent importance and essential to the invention. They can therefore also be claimed individually as a differentiation from the prior art.
[0058] It should be understood that an electronic control device can in general feature processor means and memory means, wherein in the memory means, a program code is stored during the execution of which the processor means behave in a defined manner.