
Method For Controlling The Operation Of A Complex Electronic Component

Abstract: The invention concerns a method for controlling the operation of a complex electronic component (10) transferring data frames to physical ports. The method inserts, into each data frame to be transferred by the complex electronic component (10), a first signature determined at least from the source address included in the data frame and an identifier of the physical port via which the data frame is transferred, and transfers the data frame into which the signature has been inserted. A routing security device (25a, 25b, 25c, 25d) associated with the physical port (Porta, Portb, Portc, Portd) receives the data frame into which the signature has been inserted, determines a second signature from the identifier of the physical port and the source address, compares the signatures, and executes a first operation if the first and second signatures are different or a second operation if the first and second signatures are identical.


Patent Information

Application #
Filing Date
19 June 2020
Publication Number
40/2020
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
kankrishmefer@gmail.com
Parent Application
Patent Number
Legal Status
Grant Date
2024-02-21
Renewal Date

Applicants

SAFRAN ELECTRONICS & DEFENSE
72-76 rue Henry Farman, 75015 Paris, France

Inventors

1. GUILLOT, François
c/o SAFRAN ELECTRONICS & DEFENSE, 72-76 rue Henry Farman, 75015 Paris, France
2. COURTEILLE, Jean-Marie
c/o SAFRAN ELECTRONICS & DEFENSE, 72-76 rue Henry Farman, 75015 Paris, France

Specification

The present invention relates to a method and a system for controlling the operation of a complex electronic component transferring data frames to physical ports.

Conventionally, the components used in the field of avionics are qualified to meet safety standards.

One such standard is DO-254. It is used in the design of complex electronic equipment in air systems. Complex electronic hardware includes devices such as Field Programmable Gate Arrays (FPGAs), Programmable Logic Devices (PLDs), and Application Specific Integrated Circuits (ASICs).

DO-254 defines requirements throughout the design and verification process of electronic equipment. Evidence, such as the physical verification plan and diagrams, must be provided to the competent authorities.

To meet the various communication needs in an aircraft, the electronic components used in avionics are increasingly complex.

Complex electronic components are available on the market. For example, there are communications processors that combine multiple 64-bit processor cores with high performance data path acceleration logic and network peripheral bus interfaces required for routing and telecommunications. These components are for example used in applications such as routers, switches, Internet access devices, firewalls and other applications.

These complex electronic components were not designed according to the standards and requirements of avionics and yet provide functionalities that would be of interest in the field of avionics.

For example, there are communications networks that coexist in an aircraft. These communication networks allow the exchange of data vital to the operation of the aircraft, allow the exchange of messages between the cockpit and the cabin crew and allow passengers to access data or communicate with third parties.

The various networks must be protected and isolated in such a way as to prevent any intrusion by a third party into a network that the third party is not authorized to access.

An ill-intentioned passenger, connected to a so-called unsecured communication network, open to passengers, could for example attempt to access, through fraudulent operations, the so-called secure communication network, allowing the exchange of data vital to the operation of the aircraft to disrupt its operation.

Complex electronic components sometimes get stuck at a particular stage in the processing they perform. This type of problem can become very problematic when using them in systems which are on board an aircraft.

The complex electronic components on the market cannot be used as such in an aircraft because they cannot guarantee the best level of reliability, for example by preventing data from being transferred to the wrong destination.

The present invention aims to solve the drawbacks of the prior art by providing a method and a system for controlling the operation of a complex electronic component transferring data frames to physical ports which ensure that the data is always transferred to the right destination and which make it possible to guarantee that a complex electronic component does not remain blocked at a particular stage of the processing that it performs.

To this end, according to a first aspect, the invention proposes a method for controlling the operation of a complex electronic component transferring data frames to physical ports, each data frame comprising at least one source address, characterized in that the method comprises the steps of:

- insertion, by a software module included in the complex electronic component, in each data frame to be transferred by the complex electronic component, of a first signature determined at least from the source address included in the data frame and of an identifier of the physical port through which the data frame is transferred by the complex electronic component,

- transfer, by the complex electronic component, of the data frame in which the signature has been inserted,

- reception, by a routing security device associated with the physical port, of the data frame in which the signature has been inserted,

- determination, by the routing security device associated with the physical port, from the identifier of the physical port and the source address, of a second signature,

- comparison, by the routing security device associated with the physical port, of the signatures,

- Execution, by the routing security device associated with the physical port, of a first operation if the first and second signatures are different or of a second operation if the first and second signatures are identical.

The invention also relates to a system for controlling the operation of a complex electronic component transferring data frames to physical ports, each data frame comprising at least one source address, characterized in that the system comprises:

- means for inserting, by a software module included in the complex electronic component, into each data frame to be transferred by the complex electronic component, a first signature determined at least from the source address included in the data frame and an identifier of the physical port through which the data frame is transferred by the complex electronic component,

- means, included in the complex electronic component, for transferring the data frame in which the signature has been inserted,

- means for receiving, by a routing security device associated with the physical port, the data frame in which the signature has been inserted,

- means, included in the routing security device associated with the physical port, for determining a second signature from the identifier of the physical port and the source address,

- means, included in the routing security device associated with the physical port, for comparing the signatures,

- means, included in the routing security device associated with the physical port, for executing a first operation if the first and second signatures are different or a second operation if the first and second signatures are identical.

Thus, the present invention ensures that a complex electronic component transferring data frames to physical ports functions correctly.

Thanks to the addition of the software module included in the complex electronic component and of the routing security device associated with the physical port, it is possible to prevent a data frame from passing through a port through which it should not go. It is then possible to use complex electronic components marketed for purposes other than aeronautics and to guarantee that a complex electronic component can operate with the level of quality required by the aeronautical industry.

According to a particular embodiment of the invention, the first operation is a deletion of the data frame received by the routing security device associated with the physical port and the second operation is a deletion of the first signature in the data frame for a transfer, by the routing security device associated with the physical port, of the data frame to a destination address included in the data frame.

Thus, the present invention ensures that data is always transferred to the correct destination.

According to a particular embodiment of the invention, the method further comprises a step of counting the deleted data frames.

Thus, it is possible to have experience feedback on the reliability of the complex electronic component, or even to reinitialize the complex electronic component, when the number of deleted data frames exceeds a predetermined threshold.

According to a particular embodiment of the invention, the signatures are also determined from the destination address.

According to a particular embodiment of the invention, the signatures are also determined from all or part of the data included in the data frame.

According to a particular embodiment of the invention, the signatures are also determined from the quantity of data included in the data frame.

According to a particular embodiment of the invention, the signatures are obtained from an exclusive-OR type function or from a hash function using a coding key shared only between the software module and each routing security device.

Thus, the determination of the signature is simple, fast and does not penalize the speed of the transfer of data frames.

According to a particular embodiment of the invention, the data frames are predetermined service frames transferred periodically; the first operation is at least a non-processing of the service frame and a deletion of the service frame received by the routing security device associated with the port, and a reset of the complex electronic component if a predetermined number of service frames are not received for a predetermined time; and the second operation is a processing of the service frame and a deletion of the service frame received by the routing security device associated with the port.

Thus the present invention ensures that the complex electronic component does not remain blocked at a particular step of the processing that it performs by introducing a watchdog function. Thanks to this functionality, it is possible to detect a blockage of the complex electronic component and to restart the system if the sum of the number of predetermined service frames not received within a specified time and the number of service frames for which the signature comparison is negative within the time allowed by the routing securing device associated with the physical port.

According to a particular embodiment of the invention, the complex electronic component and each routing security device associated with a physical port are included in an aircraft.

According to a particular embodiment of the invention, the aircraft comprises different secure areas.

The invention also relates to computer programs stored on an information medium, said programs comprising instructions making it possible to implement the methods described above, when they are loaded and executed by a computer system.

The characteristics of the invention mentioned above, as well as others, will emerge more clearly on reading the following description of an exemplary embodiment, said description being given in relation to the accompanying drawings, among which:

Fig. 1 represents an example of a system for controlling the operation of a complex electronic component transferring data frames to physical ports in an aircraft comprising a secure zone and an unsecured zone;

Fig. 2 shows an example of a method of inserting, by a software module included in the complex electronic component, in each data frame to be transferred by the complex electronic component, a first signature;

Fig. 3 shows an example of a processing method, by a routing security device associated with a physical port, of a data frame in which a signature has been inserted.

Fig. 1 represents an example of a system for controlling the operation of a complex electronic component transferring data frames to physical ports in an aircraft comprising a secure zone and an unsecured zone.

The system comprises a complex electronic component 10. The complex electronic component 10 is, for example, a communications processor which combines several 64-bit processor cores with high-performance data path acceleration logic and network peripheral bus interfaces required for routing and telecommunications.

According to the present invention, the complex electronic component 10 further comprises a software module 15 which inserts, in each data frame to be transferred by the complex electronic component 10, a first signature determined at least from the source address included in the data frame and an identifier of the physical port through which the data frame will be transferred by the complex electronic component.

The complex electronic component 10 without the software module 15 is not a secure component. The system comprises a secure component 20.

An unsecured component is a device for which it is not possible to guarantee that all the functions of the device are performed with certainty and / or it is not possible to prove that the component performs all of its functions with certainty.

A secure component is a device for which it is possible to guarantee that all the functions of the component are performed with certainty and / or it is possible to prove that the component performs all of its functions with certainty or that a possible failure causes a controlled and previously anticipated behavior.

In the example of FIG. 1, the ports Porta and Portb are ports of a secure area of an aircraft and the ports Portc and Portd are ports of an unsecured area of the aircraft. Of course, the aircraft can include a greater number of secure areas.

Furthermore, the present invention guarantees that any routing error between two different security zones is handled, as is any routing error between two ports of the same security zone.

The secure component 20 comprises a plurality of physical interfaces denoted 22a to 22d and two-way physical ports denoted Porta to Portd.

The secure component 20 comprises, according to the present invention, a routing security device 25a to 25d associated with each port Porta to Portd.

Each routing security device 25a to 25d determines from the identifier of the physical port and the source address, a second signature, compares the first and second signatures and performs a first operation if the first and second signatures are different or a second operation if the first and second signatures are identical.

For example, the first operation is a deletion of the data frame received by the routing security device associated with the physical port and the second operation is a deletion of the first signature in the data frame for a transfer of the data frame to a destination address included in the data frame.

For example, the data frames are predetermined service frames transferred periodically. According to this example, it is possible to provide a watchdog function through the entire routing and acceleration chain of the complex electronic component 10. To this end, service frames are produced periodically by the software module 15. If the routing security device 25 does not receive any with a correct signature for a predetermined unit of time, then the routing security device 25 performs a reinitialization of the complex electronic component 10 by means of a dedicated signal denoted 35 in FIG. 1. Service frames are systematically eliminated, whether the signature verification is good or bad.

Fig. 2 represents an example of a method of inserting, by a software module included in the complex electronic component, in each data frame to be transferred by the complex electronic component, a first signature.

The software module 15 forms a data frame 68 that the complex electronic component 10 must transmit.

The data frame is for example produced by an application or is a predetermined service frame which must be transmitted periodically.

Field 60 of the frame includes the destination address of the application to receive the data.

Field 61 of the frame comprises the source address of the application transferring the data.

Field 62 is the field comprising the data.

Field 63 is a redundancy field for the detection of possible errors.

The software module 15 in step 100 obtains the source address of the application sending the data in the field 61, or even the destination address, as well as the physical port or sub-port to which the data must be transferred.

The software module 15 generates in step 101 at least one signature from the source address and the identifier of the physical port or subport obtained.

As a variant, the software module 15 generates a signature from the source address, the physical port or sub-port, the destination address, the data and / or the quantity of data.

The signature is quick and easy to calculate. The signature is, for example, obtained from an exclusive-OR type function or from a hash function using a coding key shared between the software module 15 and the routing security device 25, but which the complex electronic component 10 will not be able to produce by itself as a result of any functioning or malfunction of one or more of its constituents.

The software module 15 forms a data frame 78 comprising the signature.

Fields 60 to 63 are identical to the fields of data frame 68. Field 65 includes the signature generated in step 101.

The data frame is then transferred by the complex electronic component 10 to the physical port or subport to which the data must be transferred.

Fig. 3 shows an example of a processing method, by a routing security device 25a to 25d associated with a physical port, of a data frame in which a signature has been inserted.

A routing security device 25 receives a frame 78 from the complex electronic component 10.

The data frame is for example received from an application or is a predetermined data frame which must be received periodically.

The routing security device 25 associated with the physical port obtains in step 200 the source address of the application sending the data in the field 61, or even the destination address, as well as the physical port through which the data frame is received.

The routing security device 25 associated with the physical port generates in step 201 a signature at least from the source address and the identifier of the port or of the physical subport obtained.

The routing security device 25 associated with the physical port compares in step 202 the signature included in field 65 of the data frame with the signature obtained in step 201.

The routing security device 25 associated with the physical port performs in step 203 a first operation if the first and second signatures are different.

The first operation is a deletion of the data frame received by the routing security device 25 associated with the physical port if the data frame is a data frame sent by an application.

The present invention provides a watchdog function through the entire routing and acceleration chain of the complex electronic component 10. If the routing security device 25 does not receive any service frame with a correct signature for a predetermined unit of time, then the routing security device 25 performs a reinitialization of the complex electronic component 10 by means of a dedicated signal denoted 35 in FIG. 1. The service frames are systematically eliminated by the component 25, whether the signature verification is good or bad, and are therefore never transferred out on the ports Porta to Portd.

The routing security device 25 associated with the physical port performs a second operation if the first and second signatures are identical.

The second operation is a removal of the first signature in the data frame for a transfer of the data frame to a destination address included in the data frame if the data frame is a data frame sent by an application.

The second operation is a deletion of the data frame received by the routing security device 25 associated with the physical port if the received frame is a predetermined data frame.

Of course, the present invention is in no way limited to the embodiments described here, but encompasses, on the contrary, any variant within the reach of those skilled in the art.

For example, the present invention is described in an embodiment in which the data frames are transferred by the complex electronic component to physical ports. The present invention is also applicable in an operating mode in which the data frames are received by the complex electronic component from the physical ports.
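The exchange of Figs. 2 and 3, together with the watchdog and the deleted-frame counter, as an added example that is not part of the patent text. It assumes HMAC-SHA256 truncated to 8 bytes as the "hash function from a coding key"; the names `Frame`, `tag`, `PortGuard`, the numeric port identifiers and all sample values are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

SIG_LEN = 8  # assumption: the patent does not state a signature size


@dataclass(frozen=True)
class Frame:
    dst: bytes                   # field 60: destination address
    src: bytes                   # field 61: source address
    data: bytes                  # field 62: data
    fcs: bytes = b""             # field 63: redundancy field (not modelled)
    sig: Optional[bytes] = None  # field 65: signature added by module 15
    service: bool = False        # True for a periodic service frame


def signature(key: bytes, src: bytes, port_id: int) -> bytes:
    """Keyed hash over the source address and the physical port identifier."""
    msg = len(src).to_bytes(1, "big") + src + port_id.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:SIG_LEN]


def tag(key: bytes, frame: Frame, port_id: int) -> Frame:
    """Software module 15, steps 100-101: turn frame 68 into frame 78."""
    return replace(frame, sig=signature(key, frame.src, port_id))


class PortGuard:
    """Routing security device 25 for one physical port, steps 200-203."""

    def __init__(self, key, port_id, watchdog_timeout, drop_threshold):
        self.key = key
        self.port_id = port_id
        self.watchdog_timeout = watchdog_timeout  # seconds without a good service frame
        self.drop_threshold = drop_threshold      # deleted data frames tolerated
        self.dropped = 0
        self.last_good_service = 0.0

    def process(self, frame: Frame, now: float) -> Optional[Frame]:
        """Return the frame to forward on the port, or None if it is deleted."""
        expected = signature(self.key, frame.src, self.port_id)
        ok = frame.sig is not None and hmac.compare_digest(frame.sig, expected)
        if frame.service:
            if ok:
                self.last_good_service = now
            return None                 # service frames never leave on the port
        if not ok:
            self.dropped += 1           # first operation: delete and count
            return None
        return replace(frame, sig=None)  # second operation: strip field 65

    def reset_needed(self, now: float) -> bool:
        """True when reset signal 35 should be asserted."""
        starved = now - self.last_good_service > self.watchdog_timeout
        return starved or self.dropped > self.drop_threshold


def demo():
    key = bytes(range(16))              # constructed shared coding key
    app = Frame(dst=b"\x02" * 6, src=b"\x01" * 6, data=b"payload")
    guard_a = PortGuard(key, 1, watchdog_timeout=1.0, drop_threshold=2)
    guard_c = PortGuard(key, 3, watchdog_timeout=1.0, drop_threshold=2)
    signed = tag(key, app, 1)           # routed towards port 1
    forwarded = guard_a.process(signed, now=0.1)
    misrouted = guard_c.process(signed, now=0.1)  # arrived at the wrong port
    guard_a.process(tag(key, replace(app, service=True), 1), now=1.0)
    return forwarded, misrouted, guard_a.reset_needed(1.5), guard_a.reset_needed(2.5)


if __name__ == "__main__":
    print(demo())
```

Because the port identifier is an input to the keyed hash, a frame that the component emits on the wrong port fails the comparison even though its addresses and payload are intact.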

CLAIMS

1) Method for controlling the operation of a complex electronic component (10) transferring data frames to physical ports, each data frame comprising at least one source address, characterized in that the method comprises the steps of:

- Insertion, by a software module (15) included in the complex electronic component, in each data frame to be transferred by the complex electronic component, of a first signature determined at least from the source address included in the frame of data and an identifier of the physical port through which the data frame is transferred by the complex electronic component,

- transfer, by the complex electronic component (10), of the data frame in which the signature has been inserted,

- reception, by a routing security device (25a, 25b, 25c, 25d) associated with the physical port (Porta, Portb, Portc, Portd), of the data frame in which the signature has been inserted,

- determination, by the routing security device (25a, 25b, 25c, 25d) associated with the physical port (Porta, Portb, Portc, Portd), from the identifier of the physical port and the source address, of a second signature,

- comparison, by the routing security device (25a, 25b, 25c, 25d) associated with the physical port (Porta, Portb, Portc, Portd), of the signatures,

- execution, by the routing security device (25a, 25b, 25c, 25d) associated with the physical port (Porta, Portb, Portc, Portd), of a first operation if the first and second signatures are different or of a second operation if the first and second signatures are identical.

2) Method according to claim 1, characterized in that the first operation is a deletion of the data frame received by the routing security device associated with the physical port and the second operation is a deletion of the first signature in the frame data for a transfer of the data frame to a destination address included in the data frame.

3) Method according to claim 2, characterized in that the method further comprises a step of counting deleted data frames.

4) Method according to claim 2 or 3, characterized in that the signatures are further determined from the destination address.

5) Method according to any one of claims 2 to 4, characterized in that the signatures are further determined from all or part of the data included in the data frame.

6) Method according to any one of claims 2 to 5, characterized in that the signatures are further determined from the quantity of data included in the data frame.

7) Method according to claim 1, characterized in that the data frames are predetermined service frames transferred periodically and in that the first operation is at least one non-processing of the service frame and a deletion of the service frame received by the routing security device associated with the port and a reset of the complex electronic component if a predetermined number of frames is not received for a predetermined period of time and the second operation is a processing of the service frame and a deletion of the service frame received by the routing security device associated with the port.

8) Method according to any one of claims 1 to 7, characterized in that the complex electronic component and each routing security device associated with a physical port are included in an aircraft.

9) Method according to claim 8, characterized in that the aircraft comprises different secure areas.

10) Method according to any one of claims 1 to 9, characterized in that the signatures are obtained from an exclusive-OR type function or a hash function using an encoding key shared only between the software module and each routing security device.

11) System for controlling the operation of a complex electronic component transferring data frames to physical ports, each data frame comprising at least one source address, characterized in that the system comprises:

- means for inserting, by a software module included in the complex electronic component, in each data frame to be transferred by the complex electronic component, a first signature determined at least from the source address included in the frame data and an identifier of the physical port through which the data frame is transferred by the complex electronic component,

- transfer means, included in the complex electronic component, of the data frame in which the signature has been inserted,

- means for receiving, by a routing security device associated with the physical port, the data frame in which the signature has been inserted,

- means, included in the routing security device associated with the physical port, for determining a second signature from the identifier of the physical port and the source address,

- means, included in the routing security device associated with the physical port, for comparing the signatures,

- means, included in the routing security device associated with the physical port, for executing a first operation if the first and second signatures are different or a second operation if the first and second signatures are identical.

ERegister / Renewals

3rd: 09 May 2024

From 17/12/2020 - To 17/12/2021

4th: 09 May 2024

From 17/12/2021 - To 17/12/2022

5th: 09 May 2024

From 17/12/2022 - To 17/12/2023

6th: 09 May 2024

From 17/12/2023 - To 17/12/2024

7th: 16 Dec 2024

From 17/12/2024 - To 17/12/2025