Lutter

(10) Patent No.: US 7,793,136 B2
(45) Date of Patent: Sep. 7, 2010

(54) APPLICATION MANAGEMENT SYSTEM WITH CONFIGURABLE SOFTWARE APPLICATIONS

(75) Inventor: Robert Pierce Lutter, Tacoma, WA (US)

(73) Assignee: Eagle Harbor Holdings LLC, Bainbridge Island, WA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 923 days.
`
(21) Appl. No.: 11/616,650

(22) Filed: Dec. 27, 2006
`
(65) Prior Publication Data
US 2007/0277175 A1, Nov. 29, 2007

Related U.S. Application Data
(63) Continuation of application No. 10/132,886, filed on Apr. 24, 2002, now Pat. No. 7,178,049.

(51) Int. Cl. G06F 11/00 (2006.01)
(52) U.S. Cl. 714/1; 718/100
(58) Field of Classification Search: 714/1, 714/2, 3, 10, 13; 718/100, 101, 102, 103, 718/104, 106, 107
See application file for complete search history.
(74) Attorney, Agent, or Firm: Stolowitz Ford Cowger LLP

(57) ABSTRACT
`
An application management system identifies a new device. The new device is configured into a multiprocessor system when a type of data used by the new device conforms with a type of data used in the multiprocessor system. An application in the multiprocessor system is identified that uses a same data type used on the new device. The stored application is then used to take over control of the new device and process data received from the new device. A security protocol can be optionally used to control what types of data, applications, or devices are allowed to access the multiprocessor system.

31 Claims, 5 Drawing Sheets
`
[Cover drawing: block diagram showing sensor fusion threads, a message manager, a critical data manager, a security manager and a configuration manager.]

AHM, Exh. 1001, p. 1
`
`
`
`
`
`
[Drawing sheets 1 to 5 (FIG. 1 to FIG. 5) are not reproduced in this text. Labels that survive extraction: FIG. 1, Java virtual machine 10; FIG. 3, message manager, critical data manager, security manager, data manager, task manager, configuration manager; FIG. 5, sensor fusion thread, GPS thread, task manager.]
`
`
`
APPLICATION MANAGEMENT SYSTEM WITH CONFIGURABLE SOFTWARE APPLICATIONS

This application is a continuation of U.S. Pat. No. 7,178,049, filed Apr. 24, 2002 entitled: METHOD FOR MULTI-TASKING MULTIPLE JAVA VIRTUAL MACHINES IN A SECURE ENVIRONMENT.

This application incorporates by reference U.S. Pat. No. 6,629,033, filed Apr. 24, 2001 entitled: OPEN COMMUNICATION SYSTEM FOR REAL-TIME MULTIPROCESSOR APPLICATIONS and U.S. Pat. No. 7,146,260, filed Apr. 24, 2001 entitled: METHOD AND APPARATUS FOR DYNAMIC CONFIGURATION OF MULTIPROCESSOR SYSTEM.
`
BACKGROUND OF THE INVENTION

Java is a robust, object-oriented programming language expressly designed for use in the distributed environment of the Internet. Java can be used to create complete applications that may run on a single computer or be distributed among servers and clients in a network. A source program in Java is compiled into byte code, which can be run anywhere in a network on a server or client that has a Java virtual machine (JVM).

A JVM describes software that is nothing more than an interface between the compiled byte code and the microprocessor or hardware platform that actually performs the program's instructions. Thus, the JVM makes it possible for Java application programs to be built that can run on any platform without having to be rewritten or recompiled by the programmer for each separate platform.

Jini is a distributed system based on the idea of federating groups of users and the resources required by those users. Resources can be implemented either as hardware devices, software programs, or a combination of the two. The Jini system extends the Java application environment from a single virtual machine to a network of machines. The Java application environment provides a good computing platform for distributed computing because both code and data can move from machine to machine. The Jini infrastructure provides mechanisms for devices, services, and users to join and detach from a network. Jini systems are more dynamic than is currently possible in networked groups where configuring a network is a centralized function done by hand.

However, the Java/Jini approach is not without its disadvantages. Both Java and Jini are free, open source applications. The Java application environment is not designed for controlling messaging between different machines. For example, the Java application is not concerned about the protocols between different hardware platforms. Jini has some built-in security that allows code to be downloaded and run from different machines in confidence. However, this limited security is insufficient for environments where it is necessary to further restrict code sharing or operation sharing among selected devices in a secure embedded system.
`
SUMMARY OF THE INVENTION

The present invention allows construction of a secure, real-time operating system from a portable language such as Java that appears to be a Java virtual machine from a top perspective but provides a secure operating system from a bottom perspective. This allows portable languages, such as Java, to be used for secure embedded multiprocessor environments.

The foregoing and other objects, features and advantages of the invention will become more readily apparent from the following detailed description of a preferred embodiment of the invention which proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing a Java stack with an additional Secure Real-time Executive (SRE) layer.
FIG. 2 is a diagram of a multiprocessor system that runs multiple Java Virtual Machines that each include a SRE.
FIG. 3 is a detailed diagram of the managers in the SRE.
FIG. 4 is a block diagram of how the SRE manages a multiprocessor system.
FIG. 5 is a block diagram showing how a task manager in the SRE operates the multiprocessor system in a lock-step mode.
`
DETAILED DESCRIPTION

A Java application stack includes a Java layer 5 for running any one of multiple different applications. In one example, the applications are related to different vehicle operations such as Infrared (IR) and radar sensor control and monitoring, vehicle brake control, vehicle audio and video control, environmental control, driver assistance control, etc. A Java Virtual Machine (JVM) layer 16 provides the hardware independent platform for running the Java applications 5. A Jini layer 12 provides some limited security for the Java applications that run on different machines. However, the Jini layer 12 does not provide the necessary reconfiguration and security management necessary for a distributed real-time multiprocessor system.

A Secure Real-time Executive (SRE) 14 provides an extension to the JVM 16 and allows Java to run on different processors for real-time applications. The SRE 20 manages messaging, security, critical data, file I/O, multiprocessor task control and watchdog tasks in the Java environment as described below. The JVM 16, Jini 12 and SRE 14 can all be implemented in the same JVM 10. However, for explanation purposes, the JVM 10 and the SRE 14 will be shown as separate elements.

FIG. 2 shows a system 15 that includes multiple processors 16, 18, 20, 22 and 24. Each processor includes one or more JVMs 10 that run different Java applications. For example, processor 16 includes one Java application 28 that controls a vehicle security system and another Java application 26 that controls the vehicle's antilock brakes. A processor 18 includes a Java application 30 that controls audio sources in the vehicle. Other processors 20 and 22 may run different threads 32A and 32B for the same sensor fusion Java application 32 that monitors different IR sensors. Another thread 32C on processor 24 monitors a radar sensor for the sensor fusion Java application 32.
The SRE 14 runs below the JVMs 10 in each processor and controls tasks, messaging, security, etc. For example, the Java application 26 controls vehicle braking according to the sensor data collected by the sensor fusion Java application 32. The SRE 14 in one example prevents unauthorized data from being loaded into the processor 16 that runs brake control application 26. The SRE 14 also prevents other Java applications that are allowed to be loaded into processor 16 from disrupting critical braking operations, or taking priority over the braking operations, performed by Java application 26.

For example, the SRE 14 may prevent noncritical vehicle applications, such as audio control, from being loaded onto processor 16. In another example, noncritical operations, such as security control application 28, are allowed to be loaded onto processor 16. However, the SRE 14 assigns the security messages low priority values that will only be processed when there are no braking tasks in application 26 that require processing by processor 16.

The SRE 14 allows any variety of real-time, mission critical, nonreal-time and nonmission critical Java applications to be loaded onto the multiprocessor system 15. The SRE 14 then automatically manages the different types of applications and messages to ensure that the critical vehicle applications are not corrupted and are processed with the necessary priority. The SRE 14 is secure software that cannot be manipulated by other Java applications.

The SRE 14 provides priority preemption on a message scale across the entire system 15 and priority preemption on a task scale across the entire system 15. So the SRE 14 controls how the JVMs 10 talk to each other and controls how the JVMs 10 are started or initiated to perform tasks. The SRE 14 allows programmers to write applications using Java in a safe and secure real time environment. Thus, viruses can be prevented by SRE 14 from infiltrating the system 15.
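The load admission and message priority behaviour described above, as an added Python sketch that is not code from the patent: a per-processor policy decides which application classes may load and what priority their messages receive, and every denial is kept for audit. The policy table, class names, application labels and priority values are constructed assumptions.

```python
"""Sketch of SRE-style load admission and message priority (illustrative)."""
import heapq
from dataclasses import dataclass, field

# Constructed policy (assumption, not from the patent): for each processor,
# the application classes it may host and the priority their messages get.
# A lower number is served first.
POLICY = {
    "processor_16": {"brake_control": 0, "security_control": 9},
    "processor_18": {"audio_control": 5},
}


@dataclass
class Executive:
    policy: dict
    loaded: dict = field(default_factory=dict)  # (processor, app) -> priority
    queues: dict = field(default_factory=dict)  # processor -> message heap
    audit: list = field(default_factory=list)   # denied actions, for review
    _seq: int = 0                               # tie-breaker keeps FIFO order

    def load(self, processor, app, app_class):
        """Admit an application only if the policy lists its class."""
        allowed = self.policy.get(processor, {})
        if app_class not in allowed:
            self.audit.append(("load_denied", processor, app))
            return False
        self.loaded[(processor, app)] = allowed[app_class]
        return True

    def send(self, processor, app, payload):
        """Queue a message; senders that were never admitted are rejected."""
        prio = self.loaded.get((processor, app))
        if prio is None:
            self.audit.append(("message_denied", processor, app))
            return False
        self._seq += 1
        heap = self.queues.setdefault(processor, [])
        heapq.heappush(heap, (prio, self._seq, app, payload))
        return True

    def drain(self, processor):
        """Return messages in the order the processor would handle them."""
        heap = self.queues.get(processor, [])
        order = []
        while heap:
            _, _, app, payload = heapq.heappop(heap)
            order.append((app, payload))
        return order


def demo():
    sre = Executive(POLICY)
    results = {
        "brake": sre.load("processor_16", "app_26", "brake_control"),
        "security": sre.load("processor_16", "app_28", "security_control"),
        "audio": sre.load("processor_16", "app_30", "audio_control"),
    }
    # Constructed sample traffic: the low-priority message arrives first.
    sre.send("processor_16", "app_28", "door sensor status")
    sre.send("processor_16", "app_26", "apply brakes")
    sre.send("processor_16", "app_30", "volume up")  # sender never admitted
    sre.send("processor_16", "app_26", "release brakes")
    return results, sre.drain("processor_16"), sre.audit


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The security message is queued first but handled last, and the audio application leaves two audit entries: one for the refused load and one for the refused message.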
While the explanation uses Java as one example of a programming environment where SRE 14 can be implemented, it should be understood that the SRE 14 can be integrated into any variety of different programming environments that may run in the same or different systems 15. For example, SRE 14 can be integrated into an Application Programmers Interface (API) for use with any programming language such as C++.

FIG. 3 shows the different functions that are performed by the SRE 20. Any combination of the functions described below can be provided in the SRE 20. A message manager 50 controls the order messages are received and transmitted by the different Java applications. A security manager 52 controls what data and messages are allowed to be received or transmitted by different Java applications. A critical data manager 54 controls what data is archived by the different Java applications.

A data manager 56 controls what data is allowed to be transferred between different processors. A task manager 58 controls the order tasks are performed by the different JVMs. A reconfiguration manager 60 monitors the operation of the different processors in the system and reassigns or reconfigures Java applications and Java threads to different processors according to what processors have failed or what new processors and applications have been configured into system 15.

The message manager 50 partially corresponds to the priority manager 44 shown in FIG. 2 of pending patent application Ser. No. 09/841,753, the critical data manager 52 partially corresponds with the logging manager 44 shown in FIG. 2 of the copending 753 patent application, and the security manager 54 at least partially corresponds with the security manager 40 shown in the 753 patent application. The data manager 56 at least partially corresponds with the data manager 42 shown in FIG. 2 of pending patent application Ser. No. 09/841,915, the task manager 58 partially corresponds to the device manager 46 shown in FIG. 2 of the 915 application, and the configuration manager 60 at least partially corresponds to the configuration manager 44 shown in FIG. 2 of the 915 patent application. The descriptions of how the different managers 50-60 operate similarly to the corresponding managers in the 753 and 915 patent applications are herein incorporated by reference and are therefore not described in further detail.

However, some specific tasks performed by the managers 50-60 are described below in further detail.
`
FIG. 4 shows in more detail how the SRE 14 operates. One of the operations performed by the task manager 58 is to control when different tasks are initiated on different processors. For example, a first Global Positioning System (GPS) thread 62 is running on a JVM in a processor 80. Another sensor fusion thread 64 is running on a different processor 82. Block 74 represents the Java Virtual Machine operating in each of processors 80 and 82. A master JVM 74 may run on either processor 80, processor 82 or on some other processor. The task manager 58 sends an initiation command 66 to the GPS thread 62 to obtain location data. The task manager 58 then directs the obtained GPS data 68 through a link to the sensor fusion thread 64 for subsequent processing of GPS data 68. The link may be any bus, such as a PCI bus, serial link such as a Universal Serial Bus, a wireless link such as Bluetooth or IEEE 802.11, or a network link such as Ethernet, etc.

The configuration manager 60 acts as a watchdog to make sure that the GPS thread 62 and the sensor fusion thread 64 are each running correctly. In one example, separate configuration managers 60 in each processor 80 and 82 send out periodic signals to the other configuration managers 60 in the other processors. Any one of the configuration managers 60 can detect a processor or application failure by not receiving the periodic 'ok' signals from any one of the other processors for some period of time. If a failure is detected, then a particular master configuration manager 60 in one of the processors determines where the task in the failed processor is going to be reloaded. If the master configuration manager 60 dies, then some conventional priority scheme, such as round robin, is used to select another configuration master.

If a failure is detected, say in the processor 82 that is currently performing the sensor fusion thread 64, a message is sent from the configuration manager 60 notifying the task manager 58 which processor is reassigned the sensor fusion thread. In this example, another sensor fusion thread 76 in processor 84 is configured by the configuration manager 60.

The critical data manager 52 manages the retention of any critical data 72 that was previously generated by the sensor fusion thread 64. For example, the critical data manager 54 automatically stores certain data and state information that was currently being used in the sensor fusion thread 64. The critical data may include GPS readings for the last 10 minutes, sensor data obtained from sensors in other processors in the vehicle over the last 10 minutes. The critical data may also include any processed data generated by the sensor fusion thread 64 that identifies any critical vehicle conditions.

The critical data manager 52 also determines which data to archive generally for vehicle maintenance and accident reconstruction purposes.

The configuration manager 60 directs the critical data 72 to the new sensor fusion thread 76. The task manager 74 then redirects any new GPS data obtained by the GPS thread 78 to the new sensor fusion thread 76 and controls sensor fusion tasks from application 76. Thus, the configuration manager 60 and the task manager 58 dynamically control how different Java threads are initialized, distributed and activated on different processors.
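The watchdog and failover sequence described above, as an added Python simulation that is not code from the patent: processors emit a periodic "ok", silence beyond a timeout marks a processor failed, a new master is chosen round robin if the master died, and the orphaned task is reloaded elsewhere with its retained critical data. The timeout, the retention size, the least-loaded placement rule and all names are assumptions.

```python
"""Tick-based simulation of heartbeat watchdog, master selection and failover."""
from dataclasses import dataclass, field

TIMEOUT = 3  # assumed: ticks without an "ok" before a processor is failed
RETAIN = 4   # assumed: recent records kept per task as critical data


@dataclass
class Processor:
    name: str
    alive: bool = True
    tasks: list = field(default_factory=list)


class ConfigManagers:
    """Models the configuration managers of all processors as one observer."""

    def __init__(self, names, master):
        self.ring = list(names)           # fixed order used for round robin
        self.procs = {n: Processor(n) for n in names}
        self.master = master
        self.last_ok = {n: 0 for n in names}
        self.failed = set()
        self.critical = {}                # task -> retained critical data
        self.handoffs = []                # (tick, task, old, new, restored)
        self.now = 0

    def assign(self, task, name):
        self.procs[name].tasks.append(task)

    def record(self, task, item):
        """Critical data manager: keep only the most recent RETAIN records."""
        buf = self.critical.setdefault(task, [])
        buf.append(item)
        del buf[:-RETAIN]

    def tick(self):
        """One heartbeat period: live processors say "ok", silence is checked."""
        self.now += 1
        for proc in self.procs.values():
            if proc.alive:
                self.last_ok[proc.name] = self.now
        for name in self.ring:
            silent = self.now - self.last_ok[name]
            if name not in self.failed and silent >= TIMEOUT:
                self._handle_failure(name)

    def _handle_failure(self, name):
        self.failed.add(name)
        healthy = [n for n in self.ring if n not in self.failed]
        if not healthy:
            self.master = None            # nothing left to fail over to
            return
        if name == self.master:
            # Round robin: the next healthy processor after the dead master.
            i = self.ring.index(name)
            rotated = self.ring[i + 1:] + self.ring[:i]
            self.master = next(n for n in rotated if n not in self.failed)
        # The master reloads each orphaned task on the least-loaded healthy
        # processor (placement rule is an assumption) and restores its data.
        for task in self.procs[name].tasks:
            target = min(healthy, key=lambda n: len(self.procs[n].tasks))
            self.procs[target].tasks.append(task)
            restored = list(self.critical.get(task, []))
            self.handoffs.append((self.now, task, name, target, restored))
        self.procs[name].tasks = []


def demo():
    cm = ConfigManagers(["proc_80", "proc_82", "proc_84"], master="proc_82")
    cm.assign("gps", "proc_80")
    cm.assign("sensor_fusion", "proc_82")
    for i in range(1, 7):                 # constructed sample readings
        cm.record("sensor_fusion", f"fix-{i}")
    for _ in range(2):
        cm.tick()
    cm.procs["proc_82"].alive = False     # processor stops sending "ok"
    for _ in range(3):
        cm.tick()
    return cm


if __name__ == "__main__":
    result = demo()
    print(result.master, result.handoffs)
```

The failure is declared at tick 5, three silent periods after the last "ok", which shows how the timeout bounds the time a critical task can stay unserved.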
The message manager 50 determines the priority of sent and received messages. If the data transmitted and received by the sensor fusion thread 76 is higher priority than other data transmitted and received on the processor 84, then the sensor fusion data will be given priority over the other data. The task manager 58 controls the priority that the sensor fusion thread 76 is given by processor 84. If the sensor fusion thread 76 has higher priority than, for example, an audio application that is also being run by processor 84, then the sensor fusion thread 76 will be performed before the audio application.

The SRE 14 can be implemented in any system that needs to be operated in a secure environment. For example, network servers or multiprocessors operating in a home environment. The multiprocessors in home appliances, such as washer and dryers, home computers, home security systems, home heating systems, can be networked together and operate Java applications. The SRE 14 prevents these multiple processors and the software that controls these processors from being corrupted by unauthorized software and also allows the applications on these different processors to operate as one integrated system.

The SRE 14 is a controlled trusted computing base that is not accessible by non-authorized application programmers and anyone in the general public. Therefore, the SRE 14 prevents hacking or unauthorized control and access to the processors in the vehicle.
`
TASK CONTROLLED APPLICATIONS

when and how often activation commands 94 are sent to GPS thread 62. In a similar manner, the task manager 58 can control when other tasks are performed by the system 89, such as when the sensor fusion thread 64 is activated.

Thus, the task manager 58 controls when Java applications are activated effectively running the overall system 89 in a lock-step mode. The task manager 58 can control the initiation of multiple tasks at the same time. This allows the task manager to control what parameters and operations are performed and used by the different Java threads so that different states in the multiprocessor system 89 can be detected and monitored more effectively.

One application for the task controlled applications is for accident reconstruction. The critical data manager 52 (FIG. 3) may save different vehicle parameters from a vehicle that has been in an accident. For example, sensor data, brake data, speed data, etc. The task manager 58 can feed the saved data into the different Java applications in a lock-step mode to determine how each Java thread processes the saved data. This can then be used to identify any failures that may have occurred in the system 89.

The system described above can use dedicated processor systems, micro controllers, programmable logic devices, or microprocessors that perform some or all of the communication operations. Some of the operations described above may be implemented in software and other operations may be implemented in hardware.

For the sake of convenience, the operations are described as various interconnected functional blocks or distinct software modules. This is not necessary, however, and there may be cases where these functional blocks or modules are equivalently aggregated into a single logic device, program or operation with unclear boundaries. In any event, the functional blocks and software modules or described features can be implemented by themselves, or in combination with other operations in either hardware or software.

Having described and illustrated the principles of the invention in a preferred embodiment thereof, it should be apparent that the invention may be modified in arrangement and detail without departing from such principles. Claim is made to all modifications and variation coming within the spirit an