
Title:
COMPUTER CONTROLLED SYSTEMS
Document Type and Number:
WIPO Patent Application WO/1985/002925
Kind Code:
A1
Abstract:
A computer system having a central processing unit, a memory for storage of information in binary form in a plurality of data elements and a master control unit for performing arithmetic/logical operations on information transferred between the central processor unit and the memory. At least certain of the data elements of the memory have means for repeatedly inverting the information stored therein to enable the integrity of the data element to be checked. In order to allow that inversion to continue whilst normal writing to and reading of information from the data element continues, the data element has an additional control digit which is inverted or written in regular form with the main data stored on the element to indicate to the device writing information to or reading information from the data element whether the element is in its regular or inverted form.

Inventors:
HEMDAL GOERAN ANDERS HENRIK (GB)
Application Number:
PCT/GB1984/000445
Publication Date:
July 04, 1985
Filing Date:
December 20, 1984
Assignee:
HEMDAL GOERAN ANDERS HENRIK
International Classes:
G06F11/10; G06F11/14; (IPC1-7): G06F11/14; G06F11/08
Foreign References:
US4075466A1978-02-21
US3768071A1973-10-23
Claims:
1. A computer system having a central processor unit, a memory for the storage of information in binary form in a plurality of data elements, and a master control unit for performing arithmetic/logic operations on information transferred between the central processor unit and the memory, means to invert information written to at least certain of the data elements to enable functioning of the data elements to be checked and means associated with each such data element to indicate whether the data element is in regular or inverted form to the master control unit/central processor unit accessing the data element.
2. A computer system as claimed in claim 1 wherein means are provided for repeatedly inverting the information held on the data element for checking of the functioning of the data element.
3. A computer system as claimed in claim 3 wherein means are provided for repeatedly inverting the data elements in a random manner.
4. A computer system as claimed in any of the preceding claims wherein the data element is an element of read/write memory.
5. A computer system as claimed in any of claims 1 to 3 wherein the data element is an element of read only memory.
6. A computer system as claimed in any of the preceding claims wherein the means associated with the computer element for indicating the state of the element comprises a control unit associated with each memory word so that for one of the two possible values of the control bit the associated operation is carried out on the information of the memory word, whereas for the opposite value of the control bit, said operation is not carried out.
7. A computer system as claimed in claim 6 wherein means are provided for alternating said selective control between said two values for each read/write operation to the memory element.
Description:
"COMPUTER CONTROLLED SYSTEMS"

The invention relates to computer controlled systems and is particularly concerned with arrangements for improving memory security and reliability of computer controlled systems. The invention is applicable for example to a standard CPU such as represented by Motorola MC 68000, INTEL iAPX 286, etc. and the memory accessed from this CPU, for instance to be included in a Master Control Unit. The invention allows memory faults and spurious errors to be detected before a memory element is accessed by a normally executed instruction, thereby enabling preventive fault elimination. The invention also allows a certain type of variable dynamic transposition of memory contents, thereby making meaningful interpretation of the memory contents impossible without knowledge of the correct key.

Each computer has at least one associated memory where information may be stored in binary form. This is illustrated by Figure 1, which shows a typical computer consisting of a Central Processing Unit (CPU) and a connected memory (M). The memory is addressed via an Address Bus (ABUS) containing k address bits. The memory itself contains 2^k memory words, each one containing N information bits.

The CPU may order information to be read from a particular memory word, whereby the address of the actual word (= a unique combination of the k address bits) is asserted on the Address Bus and the corresponding memory word is thereby indicated via the Address Bus Decoder (ADEC). When the Read Control Signal (R) is asserted, the N information bits are read out to the Data Bus (DBUS), from where the information is now available for further processing by the CPU. When writing information into the memory the CPU asserts the address on the Address Bus in the same way as for reading, but in this case also asserts the information to be written on the Data Bus (DBUS). When the CPU now asserts the Write Control Signal (W), the information from the Data Bus is written into the memory word indicated by the decoded address asserted on the Address Bus.

The information stored by the memory word is subject to errors and faults. One possible type of error is errors caused by spurious alpha particles, i.e. an alpha particle may, in certain cases, cause a bit to switch from 0 to 1 or vice versa in modern semiconductor memories. Another type of error is the case where bits get "stuck" in the "0" or "1" position. A third type is errors caused by transient voltage or current peaks. Common to all these errors is that they are either spurious unintentional changes of values stored in a memory or lack of change when a deliberately specified change is ordered.

The normal way of detecting and, in certain cases, correcting spurious inadvertent errors is by providing redundancy in some form. The N information bits in a memory word are therefore grouped into data bits, which carry the actual information, and redundancy bits, which are used only for error detection purposes, as illustrated by Figure 2. In certain cases the redundancy bits may also be used for error correction purposes.

The simplest method of error detection by means of redundancy bits is the well known parity checking method, where a single redundancy bit, the so called parity bit, is used. The parity of a complete memory word is specified as odd or even, depending on whether the number of bits containing a one is odd or even. All memory words are thereby specified to have the same parity (i.e. either odd or even) when no error exists. Thus, if for instance even parity is assumed as shown by Figure 3, the parity bit can always be set so that, independently of the parity of the data bits, even parity for the total memory word is achieved. Any spurious single bit error or, in general, any odd number of bit errors will now show up as a parity error. The parity bit may thus be used to detect spurious errors, but it cannot be used to localise or correct the errors, because any odd number of bit errors gives the same error indication. Also, parity checking does not give any error indication for an even number of bit errors.

By increasing the number of redundancy bits, the fault detection capability may be increased, even to the extent of obtaining fault correction capabilities in certain cases. This is for instance the case with so called "Hamming" codes, where multiple errors may be detected and single errors corrected. The fault detection and correction capability may be increased still further by increasing the number of redundancy bits to the same number as the data bits (duplication). In this case errors may be found by means of a bit-by-bit comparison as illustrated in Figure 4, where comparison is indicated by 0. However, when an error actually occurs, there still remains the problem of determining which of the duplicated bits, the actual data bit or the associated redundancy bit, is in error. This problem may be resolved by the addition of a parity bit, equally duplicated, making the actual number of redundancy bits = (the number of data bits) + 2. As shown in Figure 4 a parity error is obtained for the original data bits, assuming even parity. Thus the data bits are in error and the actual value should be taken from the redundancy bits. However, if an even number of bits are in error, then no parity indication will be obtained; or, if an odd number of bits are in error among the data bits and an odd number of bits are in error among the redundancy bits, thereby making the total number of errors even, both sides will indicate a parity error.

By increasing the number of redundancy bits still more, for instance by having twice (triplication) or more the number of redundancy bits as data bits, a fault may now be found by a mismatch and eliminated by majority logic.

Certain classes of data error are nevertheless such that they may slip undetected through all such error detection schemes. One class of error is the multiple bit error, where the bit pattern formed by the faulty bits happens to conform to a valid bit pattern. An example of this is the even number of bit errors under parity checking. A second class of undetected errors is the "stuck" bit error, where the actual value of the bit happens to be the value the bit is "stuck" in. In this case the error will not be detected before the bit value is actually changed. However, if, for instance, parity checking is employed, the error will not be detected when the value is written into the memory, but only when the memory word containing the error is subsequently read (provided a single or an odd number of bits are in error), thus necessitating an immediate error processing.

Certain schemes do exist for off-line error detection. It is for instance possible to form "multidimensional" check sums of the contents of a memory, whereby "multidimensional" means that each memory word participates in at least two separately and independently calculated check sums. Any bit in error may thereby be immediately pinpointed. Such check sums are not usable for automatic error correction purposes, because for every single bit error there exists at least one multiple bit error pattern which gives exactly the same check sum error. Secondly, check sums are only feasible when the check summed information is fixed, because the overhead of repeated recalculation of the check sum for every change would otherwise be prohibitive.

A scheme which might be utilized to detect "stuck" memory bits is to use a "refresh" routine which cyclically scans through the memory word by word. For each word it reads the contents of the word, inverts these contents and writes them back, reads the contents a second time and then rewrites the original contents into the memory word. The two read contents may now be compared, whereby each bit of the first content must be different from the corresponding bit of the second content; any equality on the bit level indicates a "stuck" bit. Unfortunately, this method requires that the memory is locked against reading by any other process, to prevent the temporarily inverted value from being read by anything other than the "refresh" function, which significantly increases the waiting times on the memory and thereby unacceptably reduces the performance of the total system.

The invention aims to improve the capability for off-line detection without introducing the drawbacks described above. Simultaneously the invention also offers a means of coding the information in memory so that this information cannot readily be interpreted without the aid of the invention.

The invention will be described in detail by the aid of Figures 5 - 9. Figure 5 illustrates the basic principle of the invention. Each information word is associated with a number (M) of data bits, a number (P) of redundancy bits and a single Control Bit. The information and redundancy bits have their conventional functions. The number of information and redundancy bits is not dependent on the invention. The Control Bit determines how the information in memory is to be interpreted, so that one of the possible values of the Control Bit causes the information to be interpreted directly as is, while the opposite value causes the information to be inverted before interpretation. In the following it is assumed that the value "0" of the Control Bit controls the direct interpretation.

Correct interpretation can now be ensured by means of the two gates G1 and G2 in the path of the information flow as illustrated by Figure 5. Both of these gates are enabled by the Control Bit, i.e. the gate G1 is enabled when the Control Bit contains a "0" and gate G2 is enabled when the Control Bit contains a "1". Hence only the data and redundancy bits participate in the actual information transfer, both when reading from and writing to a memory word. Figure 6 illustrates the effect of this arrangement. Every value may be physically stored either directly or in inverted form. Regardless of the form in which the information is stored, the value transferred through the arrangement of the gates G1 and G2 to the Data Bus (DBUS) will represent the actual value when the information is read from the memory. When the information is written from the Data Bus to a memory word, the actual value of the Control Bit is used to determine whether the information is to be stored in direct or in inverted form.

In order for the use of the Control Bit to be meaningful, the Control Bit must be able to vary, preferably in a random or semi-random fashion. One way of achieving this effect is to connect the Control Bit to a third gate G3, which inverts the Control Bit value each time the associated memory word is read. Hence, if the Control Bit is zero and the memory word is read, then the Control Bit is changed into a one. If now a new value is written into the memory word then the value will be physically written into the memory in inverted form, because the Control Bit now has the value "1". Writing of information into the memory has no effect on the value of the Control Bit.

Figure 7 shows a possible realisation of the invention by means of a Master Control Unit (MCU) inserted between the Memory (M) and the CPU. Each physical memory word in the memory M contains its own data bits, redundancy bits and a single control bit according to the principle described with the aid of Figure 5. The MCU contains three registers, a Data Bit Register (DBR), a Redundancy Bit Register (RBR) and a Control Bit Register (CBR), for temporary buffering of the data bits, the redundancy bits and the control bit respectively.

When information is to be read from the memory M to the CPU, the CPU asserts the address bits A0 - A(k-1) on the address bus and a Read signal (R) to the MCU. On recognizing the Read signal (R) the MCU asserts a Read signal of its own to the memory (M), whereby the contents of the identified word (information bits D0 - D(N-1)) are transferred from the memory (M) to the MCU via the secondary data bus (DBUS2). On reception of the information the MCU buffers the data bits of this information in the register DBR, the redundancy bits in the register RBR and the control bit in the CBR register. If the control bit in the CBR register contains a "1" then the two inverting gates G2R and G2D are enabled, whereby the information in RBR and DBR is inverted. Finally the contents of RBR and DBR are transferred onto the Data Bus (DBUS) to the CPU. When the control bit is "0" no inversion is required, i.e. the contents of DBR and RBR are directly transferred to the Data Bus (DBUS) in this case. It should be evident that in this case no separate gate corresponding to G1 in Figure 5 is required, due to the existence of the buffer registers RBR and DBR.

When information is to be written into the memory, the CPU asserts the address in the same way as for reading, asserts the information bits to be written (D0 - D(N-1)) on the Data Bus (DBUS) and asserts a Write (W) signal to the MCU. On reception of this Write signal the MCU first buffers the data bits into the DBR register and the redundancy bits into the RBR register. The CBR register is unaffected by this transfer. If, however, the current contents of CBR is a "1", then the information in DBR and RBR is again inverted by means of the gates G2R and G2D. No inversion occurs if CBR contains a "0". Finally the current contents of the three buffer registers CBR, RBR and DBR are transferred to the indicated word in the memory M as a result of the MCU asserting its own Write signal (W) to the memory.

In the arrangement according to Figure 7 the content of the CBR register does not participate in the information transfer between the CPU and the MCU. In order to ensure a pseudo-random distribution of the control bits in memory, the content of the CBR register is again inverted each time information is read from the memory. With this arrangement the existence of bits "stuck" in the "0" or the "1" position may now easily be found by using a concurrent refresh routine, which reads the contents of each memory word, writes it back and thereafter reads it once more. The two readouts can now be directly compared, whereby any "stuck" bits will show up as a mismatch between the two read values. Unlike the previously mentioned "refresh" routine, this new refresh routine does not need to lock the memory for readout at any time during the refresh cycle, because the logical information read out from the memory will be the same regardless of whether it is physically stored in direct or in inverted form. This new refresh routine is as such not the subject of the invention, although the invention does form the basis of the refresh routine.
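The Figure 7 read and write cycles together with the concurrent refresh routine, as an added C simulation that is not part of the patent. It assumes 8 data bits with one even-parity redundancy bit per word, injects stuck-at faults per word, and models the read cycle as rewriting the word in the opposite physical form along with the flipped control bit (a step the text leaves implicit); it then shows a stuck bit that parity alone does not notice on writing being caught by the read, write back, read comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 16

/* One physical word of the Figure 7 memory M (8 data bits assumed). */
typedef struct {
    uint8_t data;   /* data bits, stored direct (ctrl 0) or inverted (ctrl 1) */
    uint8_t parity; /* even-parity redundancy bit, inverted together with the data */
    uint8_t ctrl;   /* the control bit held in the word */
    uint8_t stuck_mask, stuck_val; /* fault injection: masked bits ignore writes and hold stuck_val's bit */
} word_t;
static word_t mem[MEM_WORDS];

/* Parity bit that gives the 8 data bits even total parity. */
static uint8_t even_parity(uint8_t d) { d ^= d >> 4; d ^= d >> 2; d ^= d >> 1; return d & 1; }

/* Physical store: a stuck bit keeps its forced value whatever is written to it. */
static void store(word_t *w, uint8_t data, uint8_t parity, uint8_t ctrl) {
    w->data = (uint8_t)((data & ~w->stuck_mask) | (w->stuck_val & w->stuck_mask));
    w->parity = parity;
    w->ctrl = ctrl;
}

void inject_stuck_bit(unsigned addr, unsigned bit, unsigned value) {
    word_t *w = &mem[addr];
    w->stuck_mask |= (uint8_t)(1u << bit);
    if (value) w->stuck_val |= (uint8_t)(1u << bit); else w->stuck_val &= (uint8_t)~(1u << bit);
    store(w, w->data, w->parity, w->ctrl);   /* the fault takes effect immediately */
}

/* MCU read cycle: DBR/RBR/CBR are loaded, G2D/G2R invert when CBR is "1", and G3 flips
 * the control bit. Assumption: the word is written back in the opposite physical form
 * with the flipped control bit, so every later read still yields the logical value. */
uint8_t mcu_read(unsigned addr, bool *parity_error) {
    word_t *w = &mem[addr];
    uint8_t dbr = w->data, rbr = w->parity, cbr = w->ctrl;
    if (cbr) { dbr = (uint8_t)~dbr; rbr ^= 1; }
    *parity_error = (even_parity(dbr) != rbr);
    store(w, (uint8_t)~w->data, w->parity ^ 1, cbr ^ 1);
    return dbr;
}

/* MCU write cycle: the CPU value is inverted if the word's control bit is "1" and
 * stored; the control bit itself is unaffected by a write. */
void mcu_write(unsigned addr, uint8_t value) {
    word_t *w = &mem[addr];
    uint8_t dbr = value, rbr = even_parity(value);
    if (w->ctrl) { dbr = (uint8_t)~dbr; rbr ^= 1; }
    store(w, dbr, rbr, w->ctrl);
}

/* Concurrent refresh routine: read, write back, read again. Each read returns the
 * logical value, so no other reader has to be locked out. Returns the mask of bits
 * that differ between the two readouts, i.e. the bits found "stuck". */
uint8_t refresh_check(unsigned addr) {
    bool pe1, pe2;
    uint8_t first = mcu_read(addr, &pe1);
    mcu_write(addr, first);
    uint8_t second = mcu_read(addr, &pe2);
    return (uint8_t)(first ^ second);
}

/* What a reader that lacks the control bit sees: the raw physical data bits. */
uint8_t physical_data(unsigned addr) { return mem[addr].data; }

int main(void) {
    memset(mem, 0, sizeof mem);
    mcu_write(0, 0x5A);
    inject_stuck_bit(1, 0, 0);          /* bit 0 of word 1 stuck at "0" */
    mcu_write(1, 0x5A);                 /* bit 0 is 0 anyway, so parity alone is silent */
    printf("word 0: 0x%02X  word 1: 0x%02X\n", (unsigned)refresh_check(0), (unsigned)refresh_check(1));
    return 0;
}
```

A healthy word yields 0x00 and the faulty word yields 0x01, the mask of the stuck bit; a stuck-at-one bit is caught the same way because the word is exercised in both physical forms.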

In the arrangement according to Figure 7 the data and redundancy bits are shown to be buffered by means of two separate registers DBR and RBR. This is merely meant as an illustration to indicate that the data and redundancy bits are individually and separately treated. An arrangement where the two registers DBR and RBR are merged into a single register and the two gates G2D and G2R merged into a single gate is equally feasible.

It is also to be noted that the principle of the invention is equally valid for read/write and read only memories. The difference between these is principally that writing of information to a read only memory is not possible.

Figure 8 shows a different possible realisation of the invention. In this case the memory M is assumed to contain only data and redundancy bits, with the control bits physically located in a separate Control Bit Memory (CBM) within the MCU. This arrangement now requires the existence of an Address Decoder (ADEC2) for the CBM, so that when the CPU asserts an address on the Address Bus (ABUS), both a memory word in the memory M and its associated control bit within the CBM of the MCU are indicated. In this case the arrangement directly follows the basic principle according to Figure 5. Note that the gate G3 now controls the inversion of the appropriate control bit in the CBM by each read operation.

The arrangement in Figure 8 has the advantage that it offers a simple means of encryption of the information held in the memory M, because the contents of the memory M cannot now be interpreted without the knowledge and existence of the key held in the CBM, provided that the redundancy bits in the memory are not dependent on the value of the associated control bit(s). Figure 9 shows a possible arrangement for the utilisation of this additional capability of the invention. In this case an extra control signal (C) is used between the CPU and the MCU. This control signal may be realised by any conventionally available technique, i.e. a direct signal, a code etc. The Control Bit Memory is partitioned into two parts, one part (CBM) consisting of a read/write memory while the second part (IO ROM) consists of a read only memory. Both the CBM and the IO ROM part are accessed by means of the Address Decoder ADEC2. The CBM part is, in Figure 9, associated with the memory addresses 0 - (q - 1) and the IO ROM part with the memory addresses q - (2^k - 1).

The addresses associated with the IO ROM part are not critical for the invention, i.e. these addresses may specify any contiguous address range.


Depending on the actual address asserted on the Address Bus (ABUS) either the CBM or the IO ROM part will be used to control the gates G1 and G2 according to the general principle of the invention. The IO ROM control of the gates G1 and G2 is gated through a gate G4, which is controlled by the control signal C from the CPU so that assertion of the control signal C forces the output of the gate G4 to "0", thereby enabling the gate G1 independently of the actual value stored in the IO ROM.

The part of the memory M accessed through the address codes associated with the IO ROM is designated as the IO BUFFER. This IO BUFFER and the associated IO ROM are used as follows. The IO ROM contains a fixed bit pattern, which is known to the manufacturer of the computer system and which may be different for each individual computer installation. Any software delivered by a manufacturer to a particular customer, for instance held on a diskette as shown in Figure 9, will contain the physical values of the data and redundancy bits for each memory word, assuming the actual values of the control bits held in the IO ROM. When loading the software on such a diskette by means of a suitable IO Device (IODEV), the CPU will transfer the information from the diskette to consecutive words of the IO BUFFER area in the memory M by asserting the associated addresses on the Address Bus. When writing each word into the memory M the CPU asserts both the W and the C control signals. Assertion of the C signal causes the contents of the IO ROM to be ignored, thereby ensuring that the contents of the diskette are directly transferred to the memory. When the entire contents of the diskette are transferred to the IO BUFFER, or, if the software on the diskette exceeds the IO BUFFER capacity, when the IO BUFFER is full, the contents of the IO BUFFER are transferred to any convenient area in the memory M, this time without assertion of the control signal C. This ensures that the information will be correctly interpreted. After this transfer the IO BUFFER is again available for transfer of the next part of the contents of the diskette as and when required.

When the contents of the memory are to be output on a diskette, these contents are first transferred to the IO BUFFER without assertion of the control signal C, thereby utilising the IO ROM to control the physical inversion of the actual values. For the subsequent transfer of the contents of the IO BUFFER to the actual IO medium, for instance a diskette, the control signal C is again asserted, thereby suppressing the control bits in the IO ROM and forcing the actual values in the IO BUFFER to be output on the diskette. It should now be evident that the contents of this diskette may be freely read back into the same computer system on which it was produced. It cannot, however, be interpreted by any other computer system, unless that computer system has an IO ROM containing an identical bit pattern to the first one. It is to be noted that this security feature does postulate that the assertion of the control signal C for any and all transfer of binary information to and from any external devices cannot be bypassed. This in turn requires the existence of hardware privilege levels in the CPUs, which is already a standard feature of most modern CPUs.

It is finally to be noted that, although the basic principle of the invention utilises the logic operation inversion, it is by no means restricted to inversion only. Any other suitable type of logic or arithmetic operation may be used, for instance different types of permutation of the memory contents.
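The Figure 9 loading and saving procedure, as an added C model that is not part of the patent. It assumes that memory M holds only data bits (8 per word), that the control bits live in the MCU as a read/write CBM part plus a fixed IO ROM part, that signal C gates the IO ROM output through G4, and that a read of a CBM-controlled word is written back in the opposite form as G3 flips its control bit; the IO ROM pattern, buffer size and program contents are constructed values. It also covers the case where the software exceeds the IO BUFFER capacity and has to be moved in chunks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define K     4
#define WORDS (1 << K)                 /* 2^k words of memory M */
#define Q     12                       /* IO BUFFER is addresses Q .. WORDS-1 */
#define IOBUF ((size_t)(WORDS - Q))

static uint8_t M[WORDS];               /* data bits only (8 per word assumed) */
static uint8_t CBM[Q];                 /* read/write control bits, alternated by G3 */
static uint8_t IO_ROM[WORDS - Q] = {1, 0, 1, 1};  /* fixed per-installation key (constructed) */

/* Control bit selected by ADEC2. Gate G4: while C is asserted the IO ROM output is
 * forced to "0", so the IO BUFFER is always accessed in direct form. */
static uint8_t control_bit(unsigned a, bool c) {
    return a < Q ? CBM[a] : (c ? 0 : IO_ROM[a - Q]);
}

uint8_t read_word(unsigned a, bool c) {
    uint8_t v = control_bit(a, c) ? (uint8_t)~M[a] : M[a];   /* G2 or G1 */
    if (a < Q) { M[a] = (uint8_t)~M[a]; CBM[a] ^= 1; }       /* G3 on the CBM part (assumed write-back) */
    return v;
}

void write_word(unsigned a, uint8_t v, bool c) {
    M[a] = control_bit(a, c) ? (uint8_t)~v : v;
}

/* Loading software: each diskette chunk is written into the IO BUFFER with C asserted
 * (stored exactly as delivered) and then copied to its destination without C, so the
 * IO ROM key decides how it is decoded. Returns the number of words loaded. */
size_t load_from_diskette(const uint8_t *img, size_t n, unsigned dest) {
    size_t done = 0;
    while (done < n) {
        size_t chunk = (n - done < IOBUF) ? n - done : IOBUF;
        for (size_t i = 0; i < chunk; i++) write_word(Q + i, img[done + i], true);
        for (size_t i = 0; i < chunk; i++)
            write_word(dest + done + i, read_word(Q + i, false), false);
        done += chunk;
    }
    return done;
}

/* Writing a diskette: memory words go to the IO BUFFER without C (the IO ROM now sets
 * the physical form) and are read out with C asserted, so the diskette receives the
 * keyed physical values, not the logical ones. */
void save_to_diskette(unsigned src, size_t n, uint8_t *img) {
    for (size_t done = 0; done < n; done += IOBUF) {
        size_t chunk = (n - done < IOBUF) ? n - done : IOBUF;
        for (size_t i = 0; i < chunk; i++)
            write_word(Q + i, read_word(src + done + i, false), false);
        for (size_t i = 0; i < chunk; i++) img[done + i] = read_word(Q + i, true);
    }
}

int main(void) {
    const uint8_t program[6] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66};   /* constructed */
    uint8_t img[6];
    for (unsigned i = 0; i < 6; i++) write_word(i, program[i], false);
    save_to_diskette(0, 6, img);
    for (unsigned i = 0; i < 6; i++) printf("%02X ", (unsigned)img[i]);
    printf("\n");
    return 0;
}
```

The saved image holds each word inverted or not according to the IO ROM bit of the buffer slot it passed through, so it reloads correctly on this installation but decodes to different values on one whose IO ROM pattern differs.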
