The present disclosure relates to a software update system and a software update method to update software for use in a microcomputer or a central processing unit (CPU).
With the development of Internet of things (IoT) technology, a household electrical appliance that has conventionally been used stand-alone is provided with a communication feature and connected to the Internet, so that the appliance can be operated, or its operating status checked, on the go by means of a smartphone. A microcomputer or a CPU (hereinafter collectively referred to as the “CPU”) for an embedded device that controls the household electrical appliance can be a target of a computer virus, just as a CPU for a personal computer, a smartphone, or a tablet terminal can. A software update is thus necessary not only to improve a feature of the control application software running on the CPU itself but also to remove a vulnerability found in the driver software that implements the communication feature on the CPU mounted in the appliance, in the operating system (OS) that runs the group of software (including what is referred to as firmware) that includes the above-mentioned control application software, or in software such as a boot loader.
On the other hand, a CPU for use in a household electrical appliance, or a control board on which the CPU is mounted, has become generic hardware, as in the case of a personal computer, so that such hardware is easy to copy and manufacture. Late-coming manufacturers that can manufacture hardware inexpensively and obtain control application software without developing it can devote their resources to developing control application software with higher added value, and thus have an advantage in the household electrical appliance market. It is thus necessary to protect the control application software, which increases the added value of the household electrical appliance and thereby maintains its price, against theft or reverse engineering by a third party. Measures against theft, piracy, and reverse engineering of software are important not only for household electrical appliances but also for all embedded devices having software update features.
Even when it has a low processing power, a CPU for use in an embedded device generally has a feature that prohibits software stored in a nonvolatile region in the CPU, such as a flash memory, from being read out by an externally connected debugger or the like, as shown in Non-Patent Document 1 (FIG. 2.11 on page 33), for example. It is thus difficult to read or copy the software in the CPU by disassembling a commercially available embedded device, and the risk of theft or piracy of the software by disassembly is low.
As for an IoT device, the software in the IoT device is updated from an update file server on a wide area network, such as the Internet, via a communication gateway, as shown in Non-Patent Document 2 (FIG. 1 on page 12), for example. In this case, an update file in a hashed or signed encrypted data format is used to ensure the confidentiality and integrity of the updated software, as shown in Non-Patent Document 2 (Table 1 on page 10). The CPU in the IoT device is required to verify the hash or the signature and to decrypt and expand the update file into an update image in order to install it.
When the update file server on the Internet is not used, it is contemplated to use an encryption feature provided as a utility program of a commercially available jig (Flash Programmer) to write software into a CPU as shown in Non-Patent Document 3, for example. In this case, decryption processing is performed on a personal computer that operates the commercially available jig, so that there is an advantage that a CPU for use in an embedded device, such as the IoT device, is not required to have memory resources and a processing power to perform the decryption processing.
For example, Patent Document 1 discloses a communication scheme when a personal computer is used to update software in a peripheral device of the personal computer with Motorola S data.
For example, Patent Document 2 discloses a system that transmits software, to which a redundant processing code for encryption has been added while the software is in source code form, to each client personal computer via a communication line.
In Non-Patent Document 1, when the software is required to be updated, the updated software might be stolen or pirated while on a communication path or during manual intervention as an update file, so that theft and piracy need to be prevented.
Non-Patent Document 2 ((10) on page 13) discloses that the communication gateway is sometimes responsible for part of the processing to update the software in a use case in which the IoT device has a low processing performance; however, the communication gateway is sometimes manufactured by a different manufacturer from the IoT device targeted for the software update, so that confidentiality and integrity cannot be assumed to be ensured. The CPU for use in an embedded device, such as the IoT device, often has insufficient memory resources and processing power to perform signature verification and decryption processing, and use of a high-performance CPU is likely to increase the cost of the product.
In Non-Patent Document 3, a maintenance service worker who carries a commercially available jig and a work terminal, such as a personal computer, is dispatched to a place where an IoT product is installed, or a work is entrusted to an operator who configures or operates an entire system including the IoT device, so that sharing, distribution, and management of a password are necessary. It is thus difficult to ensure confidentiality, and these measures are not sufficient as measures against theft or piracy of update software.
It is an object of Patent Document 1 to detect the absence of a data record of the Motorola S data on a communication path and to make it difficult to find the method of calculating the sum value prepared per record, thereby enhancing measures against tampering; the address, instruction code, or data operand in the data record itself remains unchanged. The software can thus be used simply by adding the original sum value of the Motorola S data again, so that these measures cannot serve as measures against theft, piracy, or reverse engineering.
In Patent Document 2, some effort is required for decryption in terms of reverse engineering, but the software can be used and operated as it is even with the redundant processing added, so that these measures cannot serve as measures against theft or piracy.
The present disclosure has been conceived to solve such problems, and it is an object of the present disclosure to provide a software update system and a software update method capable of safely performing an update at a low cost while saving resources.
To solve the above-mentioned problems, a software update system according to the present disclosure is a software update system including an update software generation device and a central processing unit (CPU), the update software generation device generating update software to update software running on the CPU, the CPU updating the software using the update software generated by the update software generation device, wherein the update software generation device includes a stored address translation unit that translates a stored address stored in a memory on the CPU allocated per at least one instruction code of an assembler code or a machine language code of the update software or a stored address stored in the memory allocated per data in a data region defined at least by a constant and a structure in the update software into a different stored address from a normal stored address, and the CPU includes a stored address inverse translation unit that returns the different stored address resulting from the translation by the stored address translation unit to the normal stored address.
According to the present disclosure, an update can safely be performed at a low cost while saving resources.
These and other objects, features, aspects and advantages of the present disclosure will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings.
As shown in
The personal computer 8 includes a build unit 3, a translation processing unit 5, and an upload unit 7.
The build unit 3 performs processing such as compilation and linkage of source codes of software to be updated.
The upload unit 7 uploads software after translation processing (the update software 30) generated by the translation processing unit 5 to the update file server 6 via the upload path 9.
The translation processing unit 5 includes a storage 13, a determination unit 14, a difference generation unit 17, a stored address translation unit 19, a register number translation unit 21, an operand address translation unit 23, a data translation unit 25, a pseudo-code generation unit 27, and a pseudo-code insertion unit 29.
The storage 13 stores information on the processing currently performed by an inverse translation processing unit 11 of a CPU 2, that is, on its program and functions (current inverse translation information 15). The determination unit 14 determines the update to be applied to the inverse translation processing unit 11 itself at the next software update (new processing, next inverse translation information 16).
The difference generation unit 17 generates, from a difference between the current inverse translation information 15 stored in the storage 13 and the next inverse translation information 16 determined by the determination unit 14, difference update software that is software to partially update only the difference of processing performed by the inverse translation processing unit 11. The difference generation unit 17 merges the generated software into update software 4 generated by the build unit 3. The difference generation unit 17 outputs update software 18 after merging to the stored address translation unit 19.
The stored address translation unit 19 translates a stored address in the update software 18 so that the stored address is restored to an original stored address when being inverse translated according to the current inverse translation information 15. Specifically, the stored address translation unit 19 translates a stored address stored in a memory on the CPU 2 allocated per at least one instruction code of an assembler code or a machine language code of the update software 18 or a stored address stored in the memory allocated per data in a data region defined at least by a constant and a structure in the update software 18 into a different stored address from a normal stored address. The stored address translation unit 19 outputs update software 20 after the translation of the stored address to the register number translation unit 21.
The register number translation unit 21 translates a register number in the update software 20 so that the register number in an instruction code is restored to an original register number when being inverse translated according to the current inverse translation information 15. Specifically, the register number translation unit 21 translates a register number of a general-purpose register or a floating point register for use in an instruction code of an assembler code or a machine language code of the update software 20 into a register number usable by the CPU. The register number translation unit 21 outputs update software 22 after the translation of the register number to the operand address translation unit 23.
The operand address translation unit 23 translates an operand address or immediate data in the update software 22 so that the operand address or the immediate data in an instruction code is restored to an original operand address or original immediate data when being inverse translated according to the current inverse translation information 15. Specifically, the operand address translation unit 23 translates an operand address or immediate data for use in an instruction code of an assembler code or a machine language code of the update software 22. The operand address translation unit 23 outputs update software 24 after the translation of the operand address or the immediate data to the data translation unit 25.
The data translation unit 25 translates a value of each piece of data in a data region defined by a constant, a structure, and the like in the update software 24 so that the value of the data in the data region is restored to an original value of the data when being inverse translated according to the current inverse translation information 15. Specifically, the data translation unit 25 translates a value of each piece of data in the data region defined at least by the constant and the structure in the update software 24. The data translation unit 25 outputs update software 26 after the translation of the value of the data to the pseudo-code insertion unit 29.
The pseudo-code generation unit 27 generates an instruction code or any data string as a pseudo-code. The pseudo-code generation unit 27 outputs the generated pseudo-code 28 to the pseudo-code insertion unit 29. Specifically, the pseudo-code generation unit 27 generates an instruction code or a data string of an assembler code or a machine language code of the update software as the pseudo-code.
The pseudo-code insertion unit 29 inserts the pseudo-code 28 into an unused stored address in the update software 26. Specifically, the pseudo-code insertion unit 29 inserts the pseudo-code 28 generated by the pseudo-code generation unit 27 into the unused stored address in the update software 26 or into a stored address that is no longer used by being translated into a different stored address by the stored address translation unit 19. The pseudo-code insertion unit 29 outputs the update software 30 after the insertion of the pseudo-code 28 to the upload unit 7.
The embedded device 1 includes the CPU 2. The CPU 2 includes the inverse translation processing unit 11 and an update unit 12. The embedded device 1 is targeted for an update of software. The CPU 2 is one of components constituting the embedded device 1, and a memory (not shown) that stores a sequence of instructions constituting a program, a function, and the like in the software or data processed by the software is implemented in the same chip. The inverse translation processing unit 11 performs inverse translation of the translation processing performed by the translation processing unit 5 to restore the update software 4 before the translation processing. The update unit 12 updates software for use in the CPU 2 using the update software 4 restored by the inverse translation processing unit 11.
The inverse translation processing unit 11 includes a pseudo-code removal unit 31, a data inverse translation unit 32, an operand address inverse translation unit 33, a register number inverse translation unit 34, a stored address inverse translation unit 35, and a difference update unit 36.
The pseudo-code removal unit 31 removes all the pseudo-code 28 inserted by the pseudo-code insertion unit 29 from the update software 30 downloaded from the update file server 6 via the download path 10. The pseudo-code removal unit 31 outputs the update software 26 after the removal of the pseudo-code 28 to the data inverse translation unit 32. The update software 26 output from the pseudo-code removal unit 31 corresponds to the update software 26 output from the data translation unit 25.
The data inverse translation unit 32 performs inverse translation of the translation by the data translation unit 25 on the update software 26 restored by the pseudo-code removal unit 31 to restore the value of the data in the data region. The data inverse translation unit 32 outputs the update software 24 after the restoration of the value of the data to the operand address inverse translation unit 33. The update software 24 output from the data inverse translation unit 32 corresponds to the update software 24 output from the operand address translation unit 23.
The operand address inverse translation unit 33 performs inverse translation of the translation by the operand address translation unit 23 on the update software 24 restored by the data inverse translation unit 32 to restore the operand address or the immediate data. The operand address inverse translation unit 33 outputs the update software 22 after the restoration of the operand address or the immediate data to the register number inverse translation unit 34. The update software 22 output from the operand address inverse translation unit 33 corresponds to the update software 22 output from the register number translation unit 21.
The register number inverse translation unit 34 performs inverse translation of the translation by the register number translation unit 21 on the update software 22 restored by the operand address inverse translation unit 33 to restore the register number. The register number inverse translation unit 34 outputs the update software 20 after the restoration of the register number to the stored address inverse translation unit 35. The update software 20 output from the register number inverse translation unit 34 corresponds to the update software 20 output from the stored address translation unit 19.
The stored address inverse translation unit 35 performs inverse translation of the translation by the stored address translation unit 19 on the update software 20 restored by the register number inverse translation unit 34 to restore the stored address. The stored address inverse translation unit 35 outputs the update software 18 after the restoration of the stored address to the difference update unit 36. The update software 18 output from the stored address inverse translation unit 35 corresponds to the update software 18 output from the difference generation unit 17.
The difference update unit 36 extracts and removes the difference update software merged by the difference generation unit 17 to generate the update software 4 that is exactly the same update software as the update software 4 generated by the build unit 3.
The update unit 12 updates the inverse translation processing unit 11 itself (updates the software for use in the CPU 2) upon completion of the processing performed by the inverse translation processing unit 11 required for this software update.
As shown in
When the translation by the stored address translation unit 19 is performed first, an STS instruction indicating a start of a function or an RTS instruction indicating an end of a function can be used as pseudo-codes as appropriate to make it difficult to know the number of functions in the update software. When the translation by the stored address translation unit 19 is performed later, a plurality of functions that perform meaningless operation in the embedded device 1 may be stored as pseudo-codes in unused regions in the update software 4.
In the example of
In an example of
In an example of
While a case of an assembler code has been described above, similar processing can be performed on an assembler code having been translated into a machine language code or a machine language code having been translated into that in a data format for writing into the CPU 2, such as the Motorola S data. The format for writing into the CPU 2 is only required to meet the specifications of the CPU 2 and is not limited to the Motorola S data.
While a case where the translation processing unit 5 performs its processing on the personal computer 8 has been described above, the processing need not be performed on the personal computer 8.
While an example in which the processing of the register number translation unit 21, the operand address translation unit 23, the data translation unit 25, and the pseudo-code insertion unit 29 is performed after the processing of the stored address translation unit 19 has been described above, the processing of these units may be performed before the processing of the stored address translation unit 19. The processing of these units may be performed in any combination or in any order; for example, the translation or inverse translation processing of one or more of these units may be performed before the processing of the stored address translation unit 19, or may be omitted. However, when register numbers are translated according to a rule that takes into account the register numbers in the preceding and succeeding instruction codes, for example, the arrangement of the preceding and succeeding instruction codes differs before and after the processing of the stored address translation unit 19. The order in which the pseudo-code removal unit 31, the data inverse translation unit 32, the operand address inverse translation unit 33, the register number inverse translation unit 34, and the stored address inverse translation unit 35 of the inverse translation processing unit 11 on the CPU 2 perform their processing must then be changed accordingly.
While a case where the processing of the inverse translation processing unit 11 is performed as part of a series of software update processes has been described above, the processing of the inverse translation processing unit 11 may be performed in a boot loader that operates at power-on, or may be performed by restoring the order to that before the translation immediately before the software is actually executed on the CPU 2. The rule of the translation or the inverse translation may be changed depending on the type of software, such as an OS, a boot loader, a program that performs the inverse translation, a function, or application software. Several patterns of the inverse translation function may be prepared, and the rule of the translation or the inverse translation may be switched midway according to a predetermined rule.
While a case where the number of update file servers 6 is one has been shown in
While a configuration in which the software executed by the CPU and the memory that stores the data processed by the software are implemented in the same chip as the CPU has been described as one example, the configuration is not limited to this. For example, in a CPU implemented as a CPU core in a field programmable gate array (FPGA), the memory that stores the software and the data may be implemented in the same FPGA chip.
As described above, even when the update software 30 downloaded from the update file server 6 by the embedded device 1 cannot be used as it is, the inverse translation processing unit 11 performs the inverse translation of the update software 30 on the CPU 2 according to a rule known only by a designer to restore the update software 4, so that an update can safely be performed at a low cost while saving resources.
A software update has conventionally been performed by the embedded device 1 by uploading the update software 4 generated by the build unit 3 to the update file server 6 and downloading the uploaded update software 4 from a side of the embedded device 1. The upload path 9 is over the Internet, so that uploading between the upload unit 7 on the personal computer 8 and the update file server 6 has conventionally been protected by secure sockets layer (SSL)/transport layer security (TLS) and the like to prevent theft, tampering, and reverse engineering of software on the communication path.
In contrast, in Embodiment 1, the translation processing unit 5 translates the stored addresses on the CPU 2, the register numbers, the operand addresses or immediate data, and the value of each piece of data in the data region of the update software 4 according to the rule known only by the designer of the software, and the CPU 2 performs the software update using the update software 4 restored by the inverse translation processing unit 11 running on the CPU 2, which performs the inverse translation according to that rule. Because the stored addresses on the CPU 2, the register numbers, the operand addresses or immediate data, and the values of the data in the data region have been translated, they cannot be used as they are even when stolen on the communication path. The CPU 2 on the embedded device 1 is thus not required to perform the signature verification and decryption processing required for SSL/TLS. Restoration without knowledge of the translation/inverse translation rule is not easy, whereas with the rule even a CPU for an embedded device having limited memory resources and limited processing power can perform the restoration, so this method is effective as a measure against reverse engineering.
The code for tampering detection and the method of calculating it are also translated/inverse translated according to the rule known only by the designer so as to be difficult to identify, so that tampering can be detected using a simple checksum, without calculating a hash value, to prevent tampering.
In the case of the C language, software consists of a combination of a plurality of functions. While a particular assembler instruction is used in a fixed manner in each function at the call of the function or the return from it, the assembler instructions usable by the CPU are combined in a particular order within the function to achieve the desired feature. In this case, even if the assembler instructions used in a certain function are stored one by one in random order, it is easy to find the correct order of execution of the instructions from the number of the general-purpose register used in each assembler instruction and the layout of the stack region used in each function, and the correct order can be found in a shorter time when the feature achieved by the function is known.
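As an added illustration (not the disclosure's own code), the following Python model runs the translation units 19, 21, 23, 25 and 29 of Embodiment 1 and their inverses 31 to 35 in the order given above, and carries the translated tampering-detection checksum of this paragraph; the tuple representation of instructions, the HMAC-based derivation of the rule from a designer secret, and the 16-bit additive checksum are assumptions.

```python
"""Toy model of the translation units (19, 21, 23, 25, 29), their inverses
(31 to 35) and the translated tampering-detection code. Added illustration,
not the disclosure's own code. Assumed: instructions are (mnemonic,
register, operand) tuples, the designer's rule is derived from a secret
with HMAC-SHA256, and the tampering code is a 16-bit additive checksum."""
import hashlib
import hmac
import random

NUM_REGS = 8  # assumed size of the general-purpose register file

# Constructed sample function: STS marks the start, RTS the end.
SAMPLE_CODE = [
    ("STS", None, None),
    ("MOV", 1, 0x10),    # immediate data
    ("ADD", 1, 0x04),
    ("STR", 1, 0x2000),  # operand address
    ("RTS", None, None),
]
SAMPLE_DATA = [0x11, 0x22, 0x33]  # constant / structure region


def _rng(secret, label):
    """Deterministic generator keyed by the designer's secret and a label."""
    return random.Random(hmac.new(secret, label, hashlib.sha256).digest())

def derive_rule(secret, n_code, n_data, slots):
    """Inverse translation information (15): stored address of every
    instruction, register renumbering, and masks for operands, data, checksum."""
    reg = list(range(NUM_REGS))
    _rng(secret, b"reg").shuffle(reg)
    return {"slots": slots, "reg": reg,
            "addr": _rng(secret, b"addr").sample(range(slots), n_code),
            "opnd": _rng(secret, b"opnd").getrandbits(16),
            "data": _rng(secret, b"data").getrandbits(8),
            "chk": _rng(secret, b"chk").getrandbits(16)}

def checksum(code, data):
    """Simple additive code used for tampering detection instead of a hash."""
    total = sum(sum(m.encode()) + (r or 0) + (o or 0) for m, r, o in code)
    return (total + sum(data)) & 0xFFFF

def _map(image, fn):
    """Apply fn to every occupied slot of a sparse stored-address image."""
    return [fn(ins) if ins is not None else None for ins in image]


# --- generation device side (translation processing unit 5) ---
def translate_addresses(code, rule):  # unit 19
    image = [None] * rule["slots"]
    for i, ins in enumerate(code):
        image[rule["addr"][i]] = ins
    return image

def translate_registers(image, rule):  # unit 21
    return _map(image, lambda i: (i[0], rule["reg"][i[1]] if i[1] is not None else None, i[2]))

def translate_operands(image, rule):  # unit 23 (XOR mask, so also serves as unit 33)
    return _map(image, lambda i: (i[0], i[1], i[2] ^ rule["opnd"] if i[2] is not None else None))

def translate_data(data, rule):  # unit 25 (XOR mask, so also serves as unit 32)
    return [d ^ rule["data"] for d in data]

def insert_pseudo_code(image, rng):  # unit 29: decoy STS/RTS hide the function count
    decoys = [("STS", None, None), ("RTS", None, None), ("NOP", None, None)]
    return [ins if ins is not None else rng.choice(decoys) for ins in image]

def generate_update(code, data, rule, pseudo_seed=7):
    """Update software 30 plus the translated tampering code."""
    image = translate_addresses(code, rule)
    image = translate_registers(image, rule)
    image = translate_operands(image, rule)
    t_data = translate_data(data, rule)
    image = insert_pseudo_code(image, random.Random(pseudo_seed))
    return image, t_data, checksum(code, data) ^ rule["chk"]


# --- CPU side (inverse translation processing unit 11) ---
def remove_pseudo_code(image, rule):  # unit 31: only rule-designated slots are real
    real = set(rule["addr"])
    return [ins if i in real else None for i, ins in enumerate(image)]

def inverse_registers(image, rule):  # unit 34
    inv = {v: k for k, v in enumerate(rule["reg"])}
    return _map(image, lambda i: (i[0], inv[i[1]] if i[1] is not None else None, i[2]))

def inverse_addresses(image, rule):  # unit 35: read slots back in original order
    return [image[slot] for slot in rule["addr"]]

def restore_update(image, t_data, t_chk, rule):
    """Inverse units in the order the text gives (31, 32, 33, 34, 35).
    Returns (code, data, tamper_check_passed)."""
    image = remove_pseudo_code(image, rule)
    data = translate_data(t_data, rule)       # unit 32
    image = translate_operands(image, rule)   # unit 33
    image = inverse_registers(image, rule)    # unit 34
    code = inverse_addresses(image, rule)     # unit 35
    return code, data, checksum(code, data) == (t_chk ^ rule["chk"])
```

The `rule` dictionary stands for the current inverse translation information 15 held on the CPU 2; the secret itself is needed only on the generation side.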
When the number of functions in entire software, features of the respective functions, the number of assembler instructions constituting each of the functions, a size of the stack region, and an order in which any pieces of data and address information are stored in the stack region are not known, however, it is difficult to correctly restore the functions one by one and correctly reproduce a configuration of the functions if the order is changed across the functions.
For example, if it is known that a function has 10 lines and is a combination of six instructions, some of which repeat, there are 6^10 possible orders of execution of the instructions for only one function. With encryption and decryption, the correct answer is immediately known when the keys match, because an assembler code or a mot file cannot be recognized unless the keys match; here, however, each assembler instruction runs correctly on the CPU regardless of its order, so that, when a round-robin search for the correct answer is made, it is necessary to prepare an embedded device targeted for copying and write 6^10 variants of the software into it for operation verification to find the correct order of execution. Verification of actual operation is considered to take time, because operation close to the correct answer, or the same as the correct answer under a certain condition, is expected; even so, a period of 11 months is required, assuming that it takes one second to verify the operation of one pattern including the time to write the software and that, with parallel verification by a plurality of devices, the correct answer is found after verifying half of the 6^10 patterns, for example.
A period of one year or more is contemplated to be required if it takes one or more seconds to verify operation, the function has 10 or more lines, and the combination is of six or more instructions. Since software actually includes a plurality of functions, an effect of preventing use as it is, piracy, and reverse engineering can be obtained, without performing encryption and decryption processing or concealing the communication path, by setting a translation/inverse translation rule known only by the designer of the software for a household electrical appliance whose new product is released every year.
As shown in
The work terminal 41 is a work terminal used by a maintenance service worker (not shown) who visits a site where the embedded device 1 is installed to update software.
The jig 42 is a jig to connect the embedded device 1 and the work terminal 41 and write the software into the CPU 2 in the embedded device 1.
A delivery path 43 is a path to deliver the update software 30 generated by the personal computer 8 to the work terminal 41.
The delivery path 43 is contemplated to include a path in a case of distribution over the Internet through attachment to an email and a path in a case of distribution via a medium, such as a universal serial bus (USB) memory, for example. The update software has thus conventionally been required to be encrypted to prepare for theft on the Internet or a loss of the USB memory. The encrypted software, however, is required to be decrypted on the work terminal, so that there are limitations to management of the decrypted update software.
In contrast, according to the present disclosure, the stored addresses on the CPU 2, the register numbers, the operand addresses or immediate data, and the value of each piece of data in the data region of the update software 30 generated by the personal computer 8 have been translated as described in Embodiment 1. Thus, they cannot be used as they are even when stolen on the delivery path 43, and since this method enables the restoration processing on the CPU 2, it is not necessary to restore the update software 4 on the work terminal 41. In Embodiment 2, as in Embodiment 1, a CPU for an embedded device having limited memory resources and limited processing power can perform the restoration, and this method is effective as a measure against theft or reverse engineering.
Features of the build unit 3, the determination unit 14, the difference generation unit 17, the stored address translation unit 19, the register number translation unit 21, the operand address translation unit 23, the data translation unit 25, the pseudo-code generation unit 27, the pseudo-code insertion unit 29, and the upload unit 7 of the personal computer 8 shown in
When the processing circuit is the dedicated hardware, a processing circuit 51 corresponds to a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), or a combination thereof, for example, as shown in
When the processing circuit 51 is a processor 52 shown in
One or more of the features of the build unit 3, the determination unit 14, the difference generation unit 17, the stored address translation unit 19, the register number translation unit 21, the operand address translation unit 23, the data translation unit 25, the pseudo-code generation unit 27, the pseudo-code insertion unit 29, and the upload unit 7 may be achieved by the dedicated hardware, and the other one or more of the features may be achieved by the software or the firmware.
As described above, the processing circuit can achieve the above-mentioned features by the hardware, the software, the firmware, or a combination of them.
While a hardware configuration of the personal computer 8 in
Embodiments can freely be combined with each other and can be modified or omitted as appropriate within the scope of the present disclosure.
While the present disclosure has been described in detail, the foregoing description is in all aspects illustrative and not restrictive. It is understood that numerous unillustrated modifications can be devised.
1 embedded device, 2 CPU, 3 build unit, 4 update software, 5 translation processing unit, 6 update file server, 7 upload unit, 8 personal computer, 9 upload path, 10 download path, 11 inverse translation processing unit, 12 update unit, 13 storage, 14 determination unit, 15 current inverse translation information, 16 next inverse translation information, 17 difference generation unit, 18 update software, 19 stored address translation unit, 20 update software, 21 register number translation unit, 22 update software, 23 operand address translation unit, 24 update software, 25 data translation unit, 26 update software, 27 pseudo-code generation unit, 28 pseudo-code, 29 pseudo-code insertion unit, 30 update software, 31 pseudo-code removal unit, 32 data inverse translation unit, 33 operand address inverse translation unit, 34 register number inverse translation unit, 35 stored address inverse translation unit, 36 difference update unit, 41 work terminal, 42 jig, 43 delivery path, 51 processing circuit, 52 processor, 53 memory.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/JP2022/007534 | 2/24/2022 | WO | |