Method and system usable in sensor networks for handling memory faults

US 7,581,142 B2
Filed: 12/26/2006
Issued: 08/25/2009
Est. Priority Date: 01/03/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

executing multiple application modules which access memory in a single memory address space;

prior to a memory access to an application state by an application module, detecting whether the state of the application module is corrupted;

when the state of the application module is corrupted, micro-rebooting the application module; and

when the state of the application module is not corrupted, permitting the application module to access the at least one block of memory allocated to the application module up to completion of a current execution of the application module, recalculating the MIC for the at least one block of memory allocated to the application module immediately after the execution of the application module, and replacing the stored MIC for the at least one block of memory allocated to the application module with the recalculated MIC for the at least one block of memory allocated to the application module;

wherein each of the application modules is allocated at least one block of memory in said single data memory space, and said step of detecting whether a state of the application module is corrupted comprises;

calculating a memory integrity code (MIC) for the at least one block of memory allocated to the application module as a function of content stored in the at least one block of memory allocated to the application module;

comparing the calculated MIC with a stored MIC for the at least one block of memory allocated to the application module;

when the calculated MIC is identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is not corrupted; and

when the calculated MIC is not identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is corrupted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system usable in sensor networks for handling memory faults is disclosed. In order to protect the operating system of a sensor node, coarse-grained memory protection is provided by creating and enforcing an application fault domain in the data memory address space of the sensor node. The data memory accessed by the application modules is restricted to the region (which defines the application fault domain) within the data memory address space. The application modules are prevented from accessing memory outside the application fault domain through software-based run-time checks. The state belonging to the operations system is maintained outside of the application fault domain, and is thus protected from memory corruption from any application module. In order to ensure that an application module does not operate on a corrupted state, fine-grained error detection and recovery is provided within the application fault domain. Any corruption of memory within the application fault domain is detected by a run-time memory integrity verifier implemented in the operating system kernel. Recovery involves purging the corrupted state and restarting only the affected application module to operate on an uncorrupted state.

Citations

21 Claims

1. A method comprising:
- executing multiple application modules which access memory in a single memory address space;
  
  prior to a memory access to an application state by an application module, detecting whether the state of the application module is corrupted;
  
  when the state of the application module is corrupted, micro-rebooting the application module; and
  
  when the state of the application module is not corrupted, permitting the application module to access the at least one block of memory allocated to the application module up to completion of a current execution of the application module, recalculating the MIC for the at least one block of memory allocated to the application module immediately after the execution of the application module, and replacing the stored MIC for the at least one block of memory allocated to the application module with the recalculated MIC for the at least one block of memory allocated to the application module;
  
  wherein each of the application modules is allocated at least one block of memory in said single data memory space, and said step of detecting whether a state of the application module is corrupted comprises;
  
  calculating a memory integrity code (MIC) for the at least one block of memory allocated to the application module as a function of content stored in the at least one block of memory allocated to the application module;
  
  comparing the calculated MIC with a stored MIC for the at least one block of memory allocated to the application module;
  
  when the calculated MIC is identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is not corrupted; and
  
  when the calculated MIC is not identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is corrupted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - when the state of the application module is not corrupted, permitting the memory access by the application module.
  - 3. The method of claim 1, wherein said step of detecting whether a state of the application module is corrupted is performed prior to execution of the application module.
  - 4. The method of claim 1, wherein said step of calculating a memory integrity code (MIC) comprises:
    - calculating said MIC using a checksum function.
  - 5. The method of claim 1, wherein said step of micro-rebooting the application module having the corrupted state comprises:
    - restarting the application module and restoring the state of the application module to an uncorrupted state.
  - 6. The method of claim 1, wherein said step of micro-rebooting the application module having the corrupted state comprises:
    - unloading the application module; and
      
      reloading the application module.
  - 7. The method of claim 1, further comprising:
    - preventing the application modules from writing to memory locations outside of an application fault domain defined within said single data memory space;
      
      maintaining a state of an operating system kernel in a portion of said single data memory space outside of said application fault domain.
  - 8. The method of claim 7, further comprising:
    - dynamically allocating memory locations associated with program modules to a first range of contiguous memory addresses and memory locations associated with an operating system kernel to a second range of contiguous memory addresses, wherein said first and second ranges of contiguous memory addresses do not overlap; and
      
      defining said first range of contiguous memory addresses as said application fault domain.
  - 9. The method of claim 8, wherein said step of preventing the application modules from writing to memory locations outside of an application fault domain comprises:
    - tracking boundaries of said first range of memory addresses;
      
      comparing a target memory address of an application module with said boundaries of said first range of memory addresses;
      
      when the target memory address is within said boundaries of said first range of memory addresses, permitting the application module to write to the target memory address; and
      
      when the target memory address is not within said boundaries of said first range of memory addresses, preventing the application module from writing to the target memory address.
  - 10. The method of claim 1, further comprising:
    - when the state of the application module is corrupted, identifying one or more suspect application modules suspected of corrupting the state of the application module.

11. A computer readable medium storing computer program instructions for handling memory faults, said computer program instructions defining the steps comprising:
- executing multiple application modules which access memory in a single memory address space;
  
  prior to a memory access to an application state by an application module, detecting whether the state of the application module is corrupted;
  
  when the state of the application module is corrupted, micro-rebooting the application module; and
  
  when the state of the application module is not corrupted, permitting the application module to access the at least one block of memory allocated to the application module up to completion of a current execution of the application module, recalculating the MIC for the at least one block of memory allocated to the application module immediately after the execution of the application module, and replacing the stored MIC for the at least one block of memory allocated to the application module with the recalculated MIC for the at least one block of memory allocated to the application module;
  
  wherein each of the application modules is allocated at least one block of memory in said single data memory space, and the computer program instructions defining the step of detecting whether a state of the application module is corrupted comprise computer program instructions defining the steps;
  
  calculating a memory integrity code (MIC) for the at least one block of memory allocated to the application module as a function of content stored in the at least one block of memory allocated to the application module;
  
  comparing the calculated MIC with a stored MIC for the at least one block of memory allocated to the application module;
  
  when the calculated MIC is identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is not corrupted; and
  
  when the calculated MIC is not identical to the stored MIC for the at least one block of memory allocated to the application module, determining that the state of the application module is corrupted.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The computer readable medium of claim 11, wherein the computer program instructions defining the step of detecting whether a state of the application module is corrupted comprise computer program instructions defining the step of:
    - detecting whether a state of the application module is corrupted prior to execution of the application module.
  - 13. The computer readable medium of claim 11, wherein the computer program instructions defining the step of calculating a memory integrity code (MIC) comprise computer program instructions defining the step of:
    - calculating said MIC using a checksum function.
  - 14. The computer readable medium of claim 11, wherein the computer program instructions defining the step of micro-rebooting the application module having the corrupted state comprise computer program instructions defining the step of:
    - restarting the application module and restoring the state of the application module to an uncorrupted state.
  - 15. The computer readable medium of claim 11, wherein the computer program instructions defining the step of micro-rebooting the application module having the corrupted state comprise computer program instructions defining the steps of:
    - unloading the application module; and
      
      reloading the application module.
  - 16. The computer readable medium of claim 11, further comprising computer program instructions defining the steps of:
    - preventing the application modules from writing to memory locations outside of an application fault domain defined within said single data memory space;
      
      maintaining a state of an operation system kernel in a portion of said single data memory space outside of said application fault domain.
  - 17. The computer readable medium of claim 16, further comprising computer program instructions defining the steps of:
    - dynamically allocating memory locations associated with program modules to a first range of contiguous memory addresses and memory locations associated with an operating system kernel to a second range of contiguous memory addresses, wherein said first and second ranges of contiguous memory addresses do not overlap; and
      
      defining said first range of contiguous memory addresses as said application fault domain.
  - 18. The computer readable medium of claim 17, wherein the computer program instructions defining the step of preventing the application modules from writing to memory locations outside of an application fault domain comprise computer program instructions defining the steps of:
    - tracking boundaries of said first range of memory addresses;
      
      comparing a target memory address of an application module with said boundaries of said first range of memory addresses;
      
      when the target memory address is within said boundaries of said first range of memory addresses, permitting the application module to write to the target memory address; and
      
      when the target memory address is not within said boundaries of said first range of memory addresses, preventing the application module from writing to the target memory address.
  - 19. The computer readable medium of claim 11, wherein the computer program instructions are implemented in an operating system kernel installed on a sensor node.
  - 20. The computer readable medium of claim 19, wherein said operating system comprises Sensor Operating System (SOS).
  - 21. The computer readable medium of claim 11, further comprising computer program instructions defining the step of:
    - when the state of the application module is corrupted, identifying one or more suspect application modules suspected of corrupting the state of the application module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Laboratories America Inc (NEC Corporation)
Inventors
Nagaraja, Kiran, Rengaswamy, Ram Kumar, Sultan, Florin, Chakradhar, Srimat T.
Primary Examiner(s)
Iqbal; Nadeem

Application Number

US11/616,086
Publication Number

US 20070156951A1
Time in Patent Office

973 Days
Field of Search

714 2- 5, 714/7, 714/8, 714/15, 714/16, 714/20, 714/21, 714 37- 39, 714/42, 714/43, 714/47, 714/52
US Class Current

714/38.13
CPC Class Codes

G06F 11/1044 with specific ECC/EDC distr...

G06F 11/1438 Restarting or rejuvenating

Method and system usable in sensor networks for handling memory faults

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system usable in sensor networks for handling memory faults

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links