(12) United States Patent
Lutter

(10) Patent No.: US 8,006,117 B1
(45) Date of Patent: *Aug. 23, 2011

(54) METHOD FOR MULTI-TASKING MULTIPLE JAVA VIRTUAL MACHINES IN A SECURE ENVIRONMENT

(75) Inventor: Robert Pierce Lutter, Tacoma, WA (US)

(73) Assignee: Eagle Harbor Holdings, Bainbridge Island, WA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 12/858,994
(22) Filed: Aug. 18, 2010

Related U.S. Application Data
(63) Continuation of application No. 11/616,650, filed on Dec. 27, 2006, now Pat. No. 7,793,136, which is a continuation of application No. 10/132,886, filed on Apr. 24, 2002, now Pat. No. 7,178,049.

(51) Int. Cl. G06F 11/00 (2006.01)
(52) U.S. Cl. 714/1; 718/100
(58) Field of Classification Search: 714/1-3, 714/10-13; 717/118, 148; 718/100, 101-108
See application file for complete search history.
(74) Attorney, Agent, or Firm: Stolowitz Ford Cowger LLP

(57) ABSTRACT

The present invention allows construction of a secure, real-time operating system from a portable language such as Java that appears to be a Java virtual machine from a top perspective but provides a secure operating system from a bottom perspective. This allows portable languages, such as Java, to be used for secure embedded multiprocessor environments.

30 Claims, 5 Drawing Sheets
`
[Representative drawing. Block labels: MESSAGE MANAGER; CRITICAL DATA MANAGER; SECURITY MANAGER; DATA MANAGER; TASK MANAGER; CONFIGURATION MANAGER.]

AHM, Exh. 1001, p. 1

[Sheet 1 of 5: FIG. 1. Block labels: JAVA VIRTUAL MACHINE; SECURE REALTIME EXECUTIVE.]

[Sheet 2 of 5: drawing.]

[Sheet 3 of 5: FIG. 3. Block labels: MESSAGE MANAGER; CRITICAL DATA MANAGER; SECURITY MANAGER; DATA MANAGER; TASK MANAGER; CONFIGURATION MANAGER.]

[Sheet 4 of 5: FIG. 4. Block labels: MESSAGE MANAGER; CRITICAL DATA MANAGER; SECURITY MANAGER; DATA MANAGER; TASK MANAGER; CONFIGURATION MANAGER; SENSOR FUSION THREAD.]

[Sheet 5 of 5: drawing.]
METHOD FOR MULTI-TASKING MULTIPLE JAVA VIRTUAL MACHINES IN A SECURE ENVIRONMENT

This application is a continuation of U.S. patent application Ser. No. 11/616,650, filed Dec. 27, 2006 entitled: METHOD FOR MULTI-TASKING MULTIPLE JAVA VIRTUAL MACHINES IN A SECURE ENVIRONMENT, now U.S. Pat. No. 7,793,136 issued Sep. 7, 2010, which is a continuation of application Ser. No. 10/132,886, filed Apr. 24, 2002 now U.S. Pat. No. 7,178,049 issued Feb. 13, 200 entitled: METHOD FOR MULTI-TASKING MULTIPLE JAVA VIRTUAL MACHINES IN A SECURE ENVIRONMENT, which are both incorporated by reference in their entirety.

This application incorporates by reference U.S. patent application Ser. No. 09/841,753, filed Apr. 24, 2001 entitled: OPEN COMMUNICATION SYSTEM FOR REAL-TIME MULTIPROCESSOR APPLICATIONS, now U.S. Pat. No. 6,629,033 issued Sep. 30, 2003 and U.S. patent application Ser. No. 09/841,915, filed Apr. 24, 2001 entitled: METHOD AND APPARATUS FOR DYNAMIC CONFIGURATION OF MULTIPROCESSOR SYSTEM, now U.S. Pat. No. 7,146,260 issued Dec. 5, 2006.

BACKGROUND OF THE INVENTION

Java is a robust, object-oriented programming language expressly designed for use in the distributed environment of the Internet. Java can be used to create complete applications that may run on a single computer or be distributed among servers and clients in a network. A source program in Java is compiled into byte code, which can be run anywhere in a network on a server or a client that has a Java virtual machine (JVM).

A JVM describes software that is nothing more than an interface between the compiled byte code and the microprocessor or hardware platform that actually performs the program's instructions. Thus, the JVM makes it possible for Java application programs to be built that can run on any platform without having to be rewritten or recompiled by the programmer for each separate platform.

Jini is a distributed system based on the idea of federating groups of users and the resources required by those users. Resources can be implemented either as hardware devices, software programs, or a combination of the two. The Jini system extends the Java application environment from a single virtual machine to a network of machines. The Java application environment provides a good computing platform for distributed computing because both code and data can move from machine to machine. The Jini infrastructure provides mechanisms for devices, services, and users to join and detach from a network. Jini systems are more dynamic than is currently possible in networked groups where configuring a network is a centralized function done by hand.

However, the Java/Jini approach is not without its disadvantages. Both Java and Jini are free, open source applications. The Java application environment is not designed for controlling messaging between different machines. For example, the Java application is not concerned about the protocols between different hardware platforms. Jini has some built-in security that allows code to be downloaded and run from different machines in confidence. However, this limited security is insufficient for environments where it is necessary to further restrict code sharing or operation sharing among selected devices in a secure embedded system.

SUMMARY OF THE INVENTION

The present invention allows construction of a secure, real-time operating system from a portable language such as Java that appears to be a Java virtual machine from a top perspective but provides a secure operating system from a bottom perspective. This allows portable languages, such as Java, to be used for secure embedded multiprocessor environments.

The foregoing and other objects, features and advantages of the invention will become more readily apparent from the following detailed description of a preferred embodiment of the invention which proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing a Java stack with an additional Secure Real-time Executive (SRE) layer.
FIG. 2 is a diagram of a multiprocessor system that runs multiple Java Virtual Machines that each include a SRE.
FIG. 3 is a detailed diagram of the managers in the SRE.
FIG. 4 is a block diagram of how the SRE manages a multiprocessor system.
FIG. 5 is a block diagram showing how a task manager in the SRE operates the multiprocessor system in a lock-step mode.

DETAILED DESCRIPTION
`
A Java application stack includes a Java layer 5 for running any one of multiple different applications. In one example, the applications are related to different vehicle operations such as Infrared (IR) and radar sensor control and monitoring, vehicle brake control, vehicle audio and video control, environmental control, driver assistance control, etc. A Java Virtual Machine (JVM) layer 16 provides the hardware independent platform for running the Java applications 5. A Jini layer 12 provides some limited security for the Java applications that run on different machines. However, the Jini layer 12 does not provide the necessary reconfiguration and security management necessary for a distributed real-time multiprocessor system.

A Secure Real-time Executive (SRE) 14 provides an extension to the JVM 16 and allows Java to run on different processors for real-time applications. The SRE 20 manages messaging, security, critical data, file I/O multiprocessor task control and watchdog tasks in the Java environment as described below. The JVM 16, Jini 12 and SRE 14 can all be implemented in the same JVM 10. However, for explanation purposes, the JVM 10 and the SRE 14 will be shown as separate elements.

FIG. 2 shows a system 15 that includes multiple processors 16, 18, 20, 22 and 24. Each processor includes one or more JVMs 10 that run different Java applications. For example, processor 16 includes one Java application 28 that controls a vehicle security system and another Java application 26 that controls the vehicle's antilock brakes. A processor 18 includes a Java application 30 that controls audio sources in the vehicle. Other processors 20 and 22 may run different threads 32A and 32B for the same sensor fusion Java application 32 that monitors different IR sensors. Another thread 32C on processor 24 monitors a radar sensor for the sensor fusion Java application 32.
`
The SRE 14 runs below the JVMs 10 in each processor and controls tasks, messaging, security, etc. For example, the Java application 26 controls vehicle braking according to the sensor data collected by the sensor fusion Java application 32. The SRE 14 in one example prevents unauthorized data from being loaded into the processor 16 that runs brake control application 26. The SRE 14 also prevents other Java applications that are allowed to be loaded into processor 16 from disrupting critical braking operations, or taking priority over the braking operations, performed by Java application 26.

For example, the SRE 14 may prevent noncritical vehicle applications, such as audio control, from being loaded onto processor 16. In another example, noncritical operations, such as security control application 28, are allowed to be loaded onto processor 16. However, the SRE 14 assigns the security messages low priority values that will only be processed when there are no braking tasks in application 26 that require processing by processor 16.

The SRE 14 allows any variety of real-time, mission critical, nonreal-time and nonmission critical Java applications to be loaded onto the multiprocessor system 15. The SRE 14 then automatically manages the different types of applications and messages to ensure that the critical vehicle applications are not corrupted and processed with the necessary priority. The SRE 14 is secure software that cannot be manipulated by other Java applications.

The SRE 14 provides priority preemption on a message scale across the entire system 15 and priority preemption on a task scale across the entire system 15. So the SRE 14 controls how the JVMs 10 talk to each other and controls how the JVMs 10 are started or initiated to perform tasks. The SRE 14 allows programmers to write applications using Java in a safe and secure real time environment. Thus, viruses can be prevented by SRE 14 from infiltrating the system 15.
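
The load restriction and message priority rules described above for processor 16 can be sketched as follows. This is an added illustration, not code from the patent; the class and method names, application names and priority values are hypothetical, and it models ordering of queued messages only, not preemption of a running task.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.PriorityQueue;
import java.util.Set;

public class SreDispatchSketch {

    /** One queued message. Priority is stamped by the executive, never by the sender. */
    record Message(String app, int priority, long seq, String body) {}

    /** Executive state for a single processor (hypothetical model of processor 16). */
    static final class Processor {
        private final Map<String, Integer> policy = new HashMap<>(); // app -> message priority
        private final Set<String> loaded = new HashSet<>();
        private final PriorityQueue<Message> queue = new PriorityQueue<>(
                Comparator.<Message>comparingInt(Message::priority).reversed()
                          .thenComparingLong(Message::seq)); // FIFO within one priority
        private long nextSeq = 0;

        /** Policy is written by the executive's owner, outside the reach of applications. */
        void permit(String app, int priority) { policy.put(app, priority); }

        /** Security manager check: deny by default, load only what the policy names. */
        boolean load(String app) {
            if (!policy.containsKey(app)) return false;
            loaded.add(app);
            return true;
        }

        /** Message manager check: only loaded apps may send; priority comes from policy. */
        boolean submit(String app, String body) {
            if (!loaded.contains(app)) return false;
            queue.add(new Message(app, policy.get(app), nextSeq++, body));
            return true;
        }

        /** Process everything queued, highest priority first. */
        List<String> drain() {
            List<String> order = new ArrayList<>();
            while (!queue.isEmpty()) {
                Message m = queue.poll();
                order.add(m.app() + ": " + m.body());
            }
            return order;
        }
    }

    public static void main(String[] args) {
        Processor p16 = new Processor();
        p16.permit("brake-control", 100);    // constructed priority values
        p16.permit("vehicle-security", 10);  // allowed to load, but low priority

        System.out.println("load brake-control:    " + p16.load("brake-control"));
        System.out.println("load vehicle-security: " + p16.load("vehicle-security"));
        System.out.println("load audio-control:    " + p16.load("audio-control")); // not in policy

        p16.submit("vehicle-security", "door sensor poll");
        p16.submit("brake-control", "wheel speed sample");
        p16.submit("audio-control", "volume up");  // rejected: the app was never loaded
        p16.submit("vehicle-security", "alarm status");
        p16.submit("brake-control", "apply ABS pulse");

        // Security messages come out only after every queued braking message.
        p16.drain().forEach(System.out::println);
    }
}
```

Because the sender never supplies its own priority, a loaded noncritical application cannot promote its messages above the braking traffic.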
While the explanation uses Java as one example of a programming environment where SRE 14 can be implemented, it should be understood that the SRE 14 can be integrated into any variety of different programming environments that may run in the same or different systems 15. For example, SRE 14 can be integrated into an Application Programmers Interface (API) for use with any programming language such as C++.

FIG. 3 shows the different functions that are performed by the SRE 20. Any combination of the functions described below can be provided in the SRE 20. A message manager 50 controls the order messages are received and transmitted by the different Java applications. A security manager 52 controls what data and messages are allowed to be received or transmitted by different Java applications. A critical data manager 54 controls what data is archived by the different Java applications.

A data manager 56 controls what data is allowed to be transferred between different processors. A task manager 58 controls the order tasks are performed by the different JVMs. A reconfiguration manager 60 monitors the operation of the different processors in the system and reassigns or reconfigures Java applications and Java threads to different processors according to what processors have failed or what new processors and applications have been configured into system 15.
The message manager 50 partially corresponds to the priority manager 44 shown in FIG. 2 of pending patent application Ser. No. 09/841,753, the critical data manager 52 partially corresponds with the logging manager 44 shown in FIG. 2 of the copending '753 patent application, and the security manager 54 at least partially corresponds with the security manager 40 shown in the '753 patent application. The data manager 56 at least partially corresponds with the data manager 42 shown in FIG. 2 of pending patent application Ser. No. 09/841,915, the task manager 58 partially corresponds to the device manager 46 shown in FIG. 2 of the '915 application, and the configuration manager 60 at least partially corresponds to the configuration manager 44 shown in FIG. 2 of the '915 patent application. The descriptions of how the different managers 50-60 operate similarly to the corresponding managers in the '753 and '915 patent applications are herein incorporated by reference and are therefore not described in further detail.

However, some specific tasks performed by the managers 50-60 are described below in further detail.
FIG. 4 shows in more detail how the SRE 14 operates. One of the operations performed by the task manager 58 is to control when different tasks are initiated on different processors. For example, a first Global Positioning System (GPS) thread 62 is running on a JVM in a processor 80. Another sensor fusion thread 64 is running on a different processor 82. Block 74 represents the Java Virtual Machine operating in each of processors 80 and 82. A master JVM 74 may run on either processor 80, processor 82 or on some other processor. The task manager 58 sends an initiation command 66 to the GPS thread 62 to obtain location data. The task manager 58 then directs the obtained GPS data 68 through a link to the sensor fusion thread 64 for subsequent processing of GPS data 68. The link may be any bus, such as a PCI bus, serial link such as a Universal Serial Bus, a wireless link such as Bluetooth or IEEE 802.11, or a network link such as Ethernet, etc.

The configuration manager 60 acts as a watchdog to make sure that the GPS thread 62 and the sensor fusion thread 64 are each running correctly. In one example, separate configuration managers 60 in each processor 80 and 82 send out periodic signals to the other configuration managers 60 in the other processors. Any one of the configuration managers 60 can detect a processor or application failure by not receiving the periodic "ok" signals from any one of the other processors for some period of time. If a failure is detected, then a particular master configuration manager 60 in one of the processors determines where the task in the failed processor is going to be reloaded. If the master configuration manager 60 dies, then some conventional priority scheme, such as round robin, is used to select another configuration master.
If a failure is detected, say in the processor 82 that is currently performing the sensor fusion thread 64, a message is sent from the configuration manager 60 notifying the task manager 58 which processor is reassigned the sensor fusion thread. In this example, another sensor fusion thread 76 in processor 84 is configured by the configuration manager 60.

The critical data manager 52 manages the retention of any critical data 72 that was previously generated by the sensor fusion thread 64. For example, the critical data manager 54 automatically stores certain data and state information that was currently being used in the sensor fusion thread 64. The critical data may include GPS readings for the last 10 minutes, sensor data obtained from sensors in other processors in the vehicle over the last 10 minutes. The critical data may also include any processed data generated by the sensor fusion thread 64 that identifies any critical vehicle conditions.

The critical data manager 52 also determines which data to archive generally for vehicle maintenance and accident reconstruction purposes.

The configuration manager 60 directs the critical data 72 to the new sensor fusion thread 76. The task manager 74 then redirects any new GPS data obtained by the GPS thread 78 to the new sensor fusion thread 76 and controls sensor fusion tasks from application 76. Thus, the configuration manager 60 and the task manager 58 dynamically control how different Java threads are initialized, distributed and activated on different processors.
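
The watchdog and failover sequence described above (missed "ok" signals, round-robin choice of a new master, reassignment of the failed task, and hand-over of the retained critical data) can be sketched as follows. This is an added illustration, not code from the patent; the class names, the 3-second timeout, the round-robin choice of the reload target and the initial master placement are assumptions, and time is simulated so the run is deterministic.

```java
import java.util.*;

public class SreFailoverSketch {
    static final long OK_TIMEOUT_MS = 3_000;           // assumed; the text says "some period of time"
    static final long RETENTION_MS = 10 * 60 * 1_000L; // "last 10 minutes" of critical data

    record Sample(long timeMs, String value) {}

    /** Critical data manager: a sliding time window of samples per task. */
    static final class CriticalData {
        private final Map<String, Deque<Sample>> byTask = new HashMap<>();

        void store(String task, long now, String value) {
            Deque<Sample> window = byTask.computeIfAbsent(task, t -> new ArrayDeque<>());
            window.addLast(new Sample(now, value));
            // The sample just added is never older than the window, so this terminates.
            while (now - window.peekFirst().timeMs() > RETENTION_MS) {
                window.removeFirst();
            }
        }

        List<Sample> snapshot(String task) {
            Deque<Sample> window = byTask.get(task);
            return window == null ? List.of() : new ArrayList<>(window);
        }
    }

    /** Shared view of the configuration managers: who is alive, who is master, what runs where. */
    static final class ConfigView {
        final List<String> ring;                              // processors in round-robin order
        final Map<String, Long> lastOk = new HashMap<>();     // processor -> time of last "ok"
        final Map<String, String> taskHost = new TreeMap<>(); // task -> processor
        final CriticalData critical = new CriticalData();
        int master;

        ConfigView(List<String> ring, int master, long now) {
            this.ring = List.copyOf(ring);
            this.master = master;
            for (String p : ring) lastOk.put(p, now);
        }

        void ok(String processor, long now) { lastOk.put(processor, now); }
        void assign(String task, String processor) { taskHost.put(task, processor); }

        boolean alive(String processor, long now) {
            return now - lastOk.get(processor) <= OK_TIMEOUT_MS;
        }

        /** Round robin: the next live processor after position 'from' in the ring. */
        int nextAlive(int from, long now) {
            for (int step = 1; step <= ring.size(); step++) {
                int idx = (from + step) % ring.size();
                if (alive(ring.get(idx), now)) return idx;
            }
            throw new IllegalStateException("no live processor left");
        }

        /** One watchdog pass: replace a dead master, then move tasks off dead processors. */
        List<String> check(long now) {
            List<String> events = new ArrayList<>();
            if (!alive(ring.get(master), now)) {
                master = nextAlive(master, now);
                events.add("master -> " + ring.get(master));
            }
            for (Map.Entry<String, String> e : taskHost.entrySet()) {
                String host = e.getValue();
                if (alive(host, now)) continue;
                String target = ring.get(nextAlive(ring.indexOf(host), now));
                int restored = critical.snapshot(e.getKey()).size();
                e.setValue(target); // the task manager would now route new data to 'target'
                events.add(e.getKey() + ": " + host + " -> " + target
                        + " with " + restored + " retained samples");
            }
            return events;
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: processors 80, 82 and 84 as in FIG. 4; P82 starts as master.
        ConfigView view = new ConfigView(List.of("P80", "P82", "P84"), 1, 0);
        view.assign("gps", "P80");
        view.assign("sensor-fusion", "P82");

        long now = 0;
        for (; now <= 15 * 60 * 1_000L; now += 1_000) {        // 15 minutes, all healthy
            for (String p : view.ring) view.ok(p, now);
            if (now % 60_000 == 0) view.critical.store("sensor-fusion", now, "fix@" + now);
        }
        System.out.println("healthy pass:  " + view.check(now - 1_000));

        for (long end = now + 5_000; now < end; now += 1_000) { // P82 goes silent
            view.ok("P80", now);
            view.ok("P84", now);
        }
        System.out.println("after silence: " + view.check(now));
    }
}
```

The retention window, not the failure time, bounds what the replacement thread receives: samples older than 10 minutes are already evicted when the hand-over happens.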
The message manager 50 determines the priority of sent and received messages. If the data transmitted and received by the sensor fusion thread 76 is higher priority than other data transmitted and received on the processor 84, then the sensor fusion data will be given priority over the other data. The task manager 58 controls the priority that the sensor fusion thread 76 is given by processor 84. If the sensor fusion thread 76 has higher priority than, for example, an audio application that is also being run by processor 84, then the sensor fusion thread 76 will be performed before the audio application.
`
The SRE 14 can be implemented in any system that needs to be operated in a secure environment. For example, network servers or multiprocessors operating in a home environment. The multiprocessors in home appliances, such as washer and dryers, home computers, home security systems, home heating systems, can be networked together and operate Java applications. The SRE 14 prevents these multiple processors and the software that controls these processors from being corrupted by unauthorized software and also allows the applications on these different processors to operate as one integrated system.

The SRE 14 is a controlled trusted computing base that is not accessible by non-authorized application programmers and anyone in the general public. Therefore, the SRE 14 prevents hacking or unauthorized control and access to the processors in the vehicle.
`
`
`
`Task Controlled Applications
`
`Debugging is a problem with multiprocessor systems. The
`task manager 58 allows the Java applications to be run in a
`lock-step mode to more effectively identify problems in the
`multiprocessor system 15.
`FIG. 5 shows a path 90 taken by a vehicle 92. In one
`application, the position of the vehicle 92 is sampled every
`second t1, t2, t3, t4, etc. The position of the vehicle 92 is
`sampled by a GPS receiver in vehicle 92 that reads a
`longitudinal and latitudinal position from a GPS satellite. The GPS
`receiver is controlled by the GPS thread 62 that receives the
`GPS data and then sends the GPS data to a sensor fusion
`thread 64 that may run on the same or a different processor in
`the vehicle 92. The sensor fusion thread 64 can perform any
`one of many different tasks based on the GPS data. For
`example, the sensor fusion thread 64 may update a map that is
`currently being displayed to the driver of vehicle 92 or
`generate a warning signal to the vehicle driver.
`For each sample period t, the task manager 58 sends a
`request 94 to the GPS thread 62 to obtain GPS data. The task
`manager 58 uses a clock 96 as a reference for identifying each
`one second sample period. Each time a second passes according
`to clock 96, the task manager 58 sends out the request 94
`that wakes up the GPS thread 62 to go read the GPS data from
`the GPS satellite. Once the GPS data has been received, the
`GPS thread 62 passes the GPS data 96 to the sensor fusion
`thread 64. The GPS thread 62 then goes back into an idle
`mode until it receives another activation command from the
`task manager 58.
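`The request/idle cycle described above, as an added example that is not code from the patent: a task manager wakes an idle GPS thread once per sample period and holds its clock until sensor fusion has consumed the fix, so every run produces the same ordering.
`Assumptions: Python threads stand in for the Java threads, a logical tick counter stands in for clock 96, the acknowledgement queue is one way to realize lock-step, and all class names and coordinates are constructed for illustration.

```python
import queue
import threading

# Constructed sample path: one (latitude, longitude) fix per sample period.
SAMPLE_PATH = [(47.6205, -122.3493), (47.6206, -122.3490), (47.6208, -122.3486)]


class GpsThread(threading.Thread):
    """Hypothetical GPS thread: idle until a request arrives, then read one fix."""

    def __init__(self, fusion_inbox):
        super().__init__(daemon=True)
        self.requests = queue.Queue()      # activation commands from the task manager
        self.fusion_inbox = fusion_inbox

    def run(self):
        while (tick := self.requests.get()) is not None:   # blocking get = idle mode
            self.fusion_inbox.put((tick, SAMPLE_PATH[tick]))  # pass GPS data on
        self.fusion_inbox.put(None)        # propagate shutdown downstream


class SensorFusionThread(threading.Thread):
    """Hypothetical consumer: records each fix and acknowledges the tick."""

    def __init__(self, inbox, done):
        super().__init__(daemon=True)
        self.inbox, self.done, self.log = inbox, done, []

    def run(self):
        while (item := self.inbox.get()) is not None:
            self.log.append(item)
            self.done.put(item[0])         # tell the task manager this tick is finished


def run_lock_step(periods):
    """Task manager loop: one request per logical tick, advance only after the ack."""
    fusion_inbox, done = queue.Queue(), queue.Queue()
    gps = GpsThread(fusion_inbox)
    fusion = SensorFusionThread(fusion_inbox, done)
    gps.start()
    fusion.start()
    trace = []
    for tick in range(periods):            # logical clock, not wall-clock time
        gps.requests.put(tick)             # the wake-up request
        trace.append(done.get(timeout=5))  # hold the clock until the pipeline settles
    gps.requests.put(None)
    gps.join(5)
    fusion.join(5)
    return trace, fusion.log
```

`Because the clock only advances on an acknowledgement, a stalled thread surfaces as a timeout on a known tick rather than as a timing-dependent fault.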
`The task manager 58 can control when the GPS thread 62
`is woken up. Instead of the GPS thread 62 being free running,
`the GPS thread 62 is operating according to a perceived time
`controlled by the task manager 58. The task ma
