JP2002244921A - Data processing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data processing device capable of holding secrecy of commands and data among programs when executing a plurality of programs. SOLUTION: A CPU 52 executes a plurality of application programs while accessing to a memory 53. A judging circuit 60 outputs a judgement result signal S60 determining that a switch circuit 61 is set to either of a connection condition and a non-connection condition to the switch circuit 61 based on signals S52a, S52b, and S52c. The switch circuit 61 becomes connection or non-connection condition based on the signal S60.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data processing apparatus capable of effectively storing highly confidential codes and data.

[0002]

2. Description of the Related Art Conventionally, a system for performing electronic settlement or the like using a server device connected to a network in place of conventional bills or the like by electronic means, or an IC card or the like in place of a conventional paper ticket. A ticket gate system using a computer that performs ticket gate processing by communicating with a device in a contact or non-contact manner has been proposed. In many of these systems, it is customary to prepare a dedicated computer for each purpose, and a single computer is rarely used for multiple purposes. In such a background, in recent years, there has been an attempt to provide a plurality of services by operating a program related to a plurality of services on one computer.

[0003]

However, when a plurality of programs related to a plurality of services provided by different operators are operated on a single computer, the services are required to be highly confidential such as settlement. When handling data, there is a problem in that highly confidential data owned by each business may be illegally acquired or tampered with by another business.

[0004] The present invention has been made in view of the above-mentioned problems of the prior art, and provides a data processing apparatus capable of maintaining the confidentiality of instructions and data between programs when executing a plurality of programs. The purpose is to do.

[0005]

In order to achieve the above-mentioned object, a data processing apparatus according to the present invention comprises a storage circuit for storing instructions and data of a plurality of programs, and an access to the storage circuit via a transmission path. Performing a plurality of programs using instructions and data of the plurality of programs, an arithmetic circuit, interposed between the transmission path and the storage circuit, based on a control signal, the transmission path and the A connection switching circuit for setting any one of a connection state and a non-connection state with a storage circuit; and an address range in the storage circuit accessible by the arithmetic circuit during execution of the plurality of programs. An access range defining data defined for each of the programs, an address in the storage circuit to which the arithmetic circuit has issued an access request, and the arithmetic circuit Controlling whether the connection between the transmission path and the storage circuit is in a connection state or a non-connection state based on running program instruction information indicating which program in the program is being executed. A connection control circuit that generates a control signal, and an input / output interface circuit that performs data input / output between the arithmetic circuit via the transmission path and data input / output with the outside of the data processing device. Have.

The operation of the data processing device of the present invention is as follows. The arithmetic circuit executes a plurality of programs while accessing the storage circuit. During the execution of the program, the connection control circuit causes the address in the storage circuit to which the arithmetic circuit issues an access request, and an executing program instruction indicating which of the plurality of programs the arithmetic circuit is executing. Based on the information, a control signal for controlling whether the transmission path and the storage circuit are connected or disconnected is generated. The control signal is
The signal is output from the connection control circuit to the connection switching circuit. And
The connection switching circuit sets one of a connection state and a non-connection state between the transmission path and the storage circuit.

In the data processing apparatus according to the present invention, preferably, the connection control circuit is configured such that an address in the storage circuit to which the arithmetic circuit has issued an access request corresponds to the address during the execution specified by the access range defining data. When the address is within the address range corresponding to the program, the control signal indicating that the transmission path and the storage circuit are connected to each other is generated, and when the address is not within the address range, the control signal is generated. The control signal is generated to indicate that the connection to the storage circuit is to be disconnected.

Further, in the data processing apparatus of the present invention, preferably, the connection control circuit includes:
Based on the access range defining data defining an address range in the storage circuit that can be accessed in accordance with which instruction of read or write is being executed, the control signal is generated in accordance with the instruction being executed. Generate.

Further, in the data processing device of the present invention, preferably, the connection control circuit has a storage unit for storing the access range defining data.

Further, in the data processing apparatus of the present invention, preferably, the input / output interface circuit is connected to an integrated circuit that stores the encrypted access range defining data outside the data processing apparatus. The arithmetic circuit accesses the integrated circuit via the transmission line and the communication circuit, the connection control circuit holds predetermined key information, and the communication circuit and the transmission line Receiving the encrypted access range defining data from the integrated circuit via the integrated circuit, decrypting the received access range defining data using the key information, and using the decrypted access range defining data to control the control signal. Generate

In the data processing apparatus of the present invention, preferably, the connection control circuit receives an encrypted decryption program for performing the decryption via the input / output interface circuit and the transmission path, and And decrypting the decrypted decryption program, storing the decrypted decryption program in the storage circuit, and decrypting the access range defining data using the decryption program stored in the storage circuit.

Further, in the data processing apparatus of the present invention, preferably, the arithmetic circuit is configured such that when the connection control circuit sets the connection between the transmission line and the storage circuit to a non-connected state, Stop the operation of.

In the data processing apparatus according to the present invention, preferably, the connection control circuit includes a call source that permits the call when the program being executed by the arithmetic circuit calls a function of another program. It is determined whether or not the call is permitted based on the inter-program call relation definition data that pre-defines a combination of programs to be called and the call path and the storage when it is determined that the call is permitted. The control signal for making a connection state with the circuit is generated, and when it is determined that the connection is not permitted, the control signal for making the connection state between the transmission path and the storage circuit is generated.

Further, in the data processing apparatus of the present invention, preferably, the connection control circuit includes:
The control signal is generated in accordance with the instruction being executed, based on inter-program call relation definition data defining a combination of the programs in accordance with which instruction of read or write is being executed.

Further, in the data processing device of the present invention, preferably, the connection control circuit has a storage unit for storing the inter-program call relation definition data.

In the data processing apparatus of the present invention, preferably, the input / output interface circuit is connected to an integrated circuit storing the encrypted inter-program call relation defining data outside the data processing apparatus. The arithmetic circuit accesses the integrated circuit via the transmission line and the communication circuit, the connection control circuit holds predetermined key information, and performs communication with the communication circuit and the communication circuit. Receiving the encrypted inter-program call relation definition data from the integrated circuit via a transmission path, decrypting the received inter-program call relation specification data using the key information, and decoding the decrypted inter-program call relation; The control signal is generated using prescribed data.

[0017]

DESCRIPTION OF THE PREFERRED EMBODIMENTS A communication system according to an embodiment of the present invention will be described below. [Related Art of the Present Invention]
A computer that executes a transaction business program using a C card will be described. FIG. 1 is a functional block diagram of a computer 1 used for electronic payment as a related technique of the present invention. As shown in FIG.
Has a CPU 2, a memory 3, and a communication circuit 4. C
The PU 2, the memory 3, and the communication circuit 4 are connected to the CPU data bus 6. The CPU 2 and the communication circuit 4
It is connected to the CPU address bus 7.

The CPU 2 comprehensively controls the operation of the computer 1, operates based on instructions of a program stored in the memory 3, and accesses the memory 3 during the operation. The communication circuit 4 communicates with the IC card 8 by a contact method or a non-contact method. In the contact type, the IC card 8 and the communication circuit 4 are connected by electrical contacts.
In the non-contact type, the IC card 8 and the communication circuit 4 are connected using radio waves, light, or the like as a communication medium. Data received from the IC card 8 via the communication circuit 4 is processed by the CPU 2 according to a program stored in the memory 3. The data obtained by the calculation by the CPU 2 is transmitted to the IC card 8 via the communication circuit 4.
Further, the CPU 2 writes the settlement result generated by communication with the IC card 8 in the memory 3.

FIG. 2 is a diagram for explaining a software configuration of CPU 2 shown in FIG. In FIG. 2, the lowermost layer is a hardware layer, which is a hardware component of the CPU 2 shown in FIG. A communication driver layer is located above the hardware layer. In the communication driver layer, CP
A communication driver layer that controls the communication circuit 4 connected to U2 is located. The communication driver layer program is usually stored in a non-volatile memory. Above the communication driver layer, there is an operating system (OS) layer that provides programs that are the basis of the operation of the CPU 2. The OS layer provides a higher-level service to the uppermost application (AP) layer as compared to the lower layer. For example, a function “getcardtype ()” described later,
"Readcarddata ()" and "write
"carddata ()" is one example of this. Also,
Above the OS layer, there is an AP layer that defines specific functions (services) realized by the computer 1. In the AP layer,
For example, application programs MAIN, AP
1, AP2 and AP3 exist.

In this embodiment, an application program that provides a transaction such as settlement using the IC card 8 will be described as an example. For example, in the OS layer and the AP layer, a function for knowing the type of the IC card 8 is defined as “getcardtype ()”. In the OS layer and the AP layer, this function is called to
The type of the card 8 can be specified. For example, assume that there are three types of IC cards 8 of types A, B, and C,
The return value of the above function in each IC card 8 is defined as shown in FIG. For example, if the type B IC card 8 is used, the return value of the result of executing the function “getcardtype ()” is “2”.

In the OS layer and the AP layer, “r” is used as a function for reading data from the internal memory of the IC card 8.
eaddata (* rp) "is defined. here,"*
"rp" is the same as the concept of a pointer in the C language, "*" indicates that the variable following it is a pointer variable, and "rp" is a specific location in the internal memory of the IC card 8. Is shown. When it is described as “* rp”, it indicates the contents of “rp address” in the memory of the IC card 8. Assuming that the internal memory shown in FIG.
It is assumed that data is stored as shown in FIG. And
Assuming that “rp = 102H”, the function “readd
return value of “ata (* rp)” is “56H”,
The data at "102H" can be read.

In the OS layer and the AP layer, "writedata (* wp, wdata)" is defined as a function for writing data to a specific address in the internal memory of the IC card 8. Here, "* wp" indicates that the following variable is a pointer variable, similarly to the concept of a pointer in the C language, and "wp" indicates a specific address of the internal memory of the IC card 8. Is shown. When it is described as “* wp”, it indicates the contents of the address wp of the internal memory of the IC card 8. “Wdata” is a variable containing write data. Assume that data is stored in the memory of the IC card 8 as shown in FIG.
Here, “wp = 102H”, “wdata = 73H”
And the function “writedata (* wp, wdat
a) ”, the“ 1 ”of the memory is
The data at the address “02H” is rewritten to “73H”.

By the way, the application programs AP1, AP2 and AP3 shown in FIG. 2 each specify the transaction operation for different types of IC cards 8. The correspondence is shown in FIG. 2, the application program MAIN is executed first when the computer 1 is started. In the application program MAIN, the function “getcardtype” described above is used.
The type of the IC card 8 being used is determined using “e ()”. The CPU 2 selects and executes a corresponding application program according to the determined type of the IC card 8 according to the correspondence table shown in FIG.

Each IC of type A, type B and type C
Assuming a situation where the card 8 is handled by different businesses,
Application programs AP1, AP2, AP3
Is created by each business operator. The storage area of the internal memory of the IC card 8 is stored in the application program AP.
1, AP2, and AP3, and each application program uses a portion allocated to itself in advance. As described above, the application program AP
1, AP2, and AP3 are created by respective operators, but when a program contains an error or an illegal program by a malicious operator, a certain operator reads an application program of another operator or performs an IC operation. Card 8
In some cases, unauthorized access may be made to a storage area to which the user is not permitted to access.

[Embodiment of the Present Invention] FIG. 7 is a configuration diagram of a computer 51 according to an embodiment of the present invention. FIG.
As shown in (1), the computer 51 has a CPU 52, a memory 53, a communication circuit 4, a determination circuit 60, and a switch circuit 61. Here, the CPU 52 corresponds to the arithmetic circuit of the present invention, the memory 53 corresponds to the storage circuit of the present invention, the communication circuit 4 corresponds to the communication circuit of the present invention, the determination circuit 60 corresponds to the connection control circuit of the present invention, and the switch circuit 61 Corresponds to the connection switching circuit of the present invention. The CPU data bus 6 has a CPU
52, a switch circuit 61, a determination circuit 60, and the communication circuit 4 are connected. The CPU data bus 6 corresponds to the transmission path of the present invention.

The switch circuit 61 is connected to a memory 53 via a memory data bus 62. Also,
The CPU 53 has a memory 53, a determination circuit 60,
And the communication circuit 4 are connected. The CPU address bus 7 is connected to the CPU 52 by the memory 53 or the computer 5.
When accessing an external peripheral function or the like, CPU_ADR indicating the address is transmitted. In FIG.
Communication circuit 4 and IC card 8 denoted by the same reference numerals as in FIG.
Are the same as those described with reference to FIG. Also, C
The PU 52 has the software structure described above with reference to FIG. That is, the application program A
As P1, AP2, and AP3, those that respectively define transaction processing for three types of IC cards 8 of types A, B, and C are used.

Data received from the IC card 8 via the communication circuit 4 is subjected to arithmetic processing by the CPU 52 in accordance with a program stored in the memory 53. CPU5
2 is transmitted to the IC card 8 via the communication circuit 4. Also, the CPU 52
Writes the settlement result generated by communication with the IC card 8 in the memory 53. The switch circuit 61 switches the CPU data bus 6 and the memory data bus 62 to either the connection state or the non-connection state based on the determination result signal S60 (the control signal of the present invention) from the determination circuit 60.

The CPU 52 executes the instructions (codes) of the OS layer program, the program MAIN, and the application programs AP1, AP2, and AP3 shown in FIG. Each program is composed of a plurality of program modules. The CPU 52 executes an instruction type instruction signal S52a, an executing AP instruction signal S52b, and, if necessary, a call destination AP instruction signal S52 in accordance with the execution of the instruction.
c, and outputs these to the decision circuit 60. Here, the instruction type instruction signal S52a is a signal indicating which instruction of the fetch instruction, the read instruction, and the write instruction the CPU 52 has executed. Here, the fetch instruction is
This is an instruction for instructing the CPU 52 to fetch an instruction code via the CPU data bus 6. The read instruction is C
This is an instruction to instruct the PU 52 to read data via the CPU data bus 6. Write instruction is executed by CPU
Reference numeral 52 denotes an instruction for writing data via the CPU data bus 6.

The executing AP instruction signal S52b is
The PU 52 executes the application program A shown in FIG.
This signal indicates which of the P1, AP2, AP3, MAIN, and OS program instructions is being executed. Call destination AP instruction signal S52
c indicates that when the program module being executed by the CPU 52 calls another program module, the program to which the called program module belongs belongs to the application program AP1, AP2, AP3.
This indicates which program is the MAIN or the OS. When the switch circuit 61 is disconnected as described later, the CPU 52 stops the CPU data bus 6 and its operation.

Hereinafter, the determination circuit 60 will be described in detail. The determination circuit 60 includes an instruction type instruction signal S52a and an executing AP instruction signal S52b input from the CPU 52,
Further, it generates a determination result signal S60 based on the address CPU_ADR input from the CPU 52 via the CPU address bus 7, and outputs this to the switch circuit 61.

FIG. 8 is a configuration diagram of the determination circuit 60 shown in FIG. As shown in FIG. 8, the determination circuit 60 includes a selection circuit 70, a fetch determination circuit 71, and a read determination circuit 72.
And a write determination circuit 73. Selection circuit 70
Switches the switch 74 to the terminals 75_1 and 75_1 based on the command type instruction signal S52a input from the CPU 52 shown in FIG.
75_2, 75_3. Specifically, the selection circuit 70 supplies the instruction type instruction signal S52a
Indicates the fetch instruction, the switch 74 is connected to the terminal 75_1. As a result, the fetch determination result signal S71 output from the fetch determination circuit 71
Is output from the determination circuit 60 to the switch circuit 61 as the determination result signal S60 via the terminal 75_1 and the switch 74.

When the instruction type instruction signal S52a indicates a read instruction, the selection circuit 70 connects the switch 74 to the terminal 75_2. As a result, the read determination result signal S7 output from the read determination circuit 72
2 from the determination circuit 60 to the switch circuit 61 as a determination result signal S60 via the terminal 75_2 and the switch 74.
Is output to

When the instruction type instruction signal S52a indicates a write instruction, the selection circuit 70 connects the switch 74 to the terminal 75_3. Thus, the write determination result signal S7 output from the write determination circuit 73
3 is output from the determination circuit 60 to the switch circuit 61 as the determination result signal S60 via the terminal 75_3 and the switch 74.
Is output to

The fetch determination circuit 71 determines whether or not the currently-executing AP instruction signal S 52 b input from the CPU 52
Using the P instruction signal S52c and the address CPU_ADR, a fetch determination result signal S71 is generated and output to the terminal 75_1 of the selection circuit 70.

FIG. 9 shows the fetch determination circuit 7 shown in FIG.
1 is a configuration diagram. As illustrated in FIG. 9, the fetch determination circuit 71 includes a storage unit 81_1 and a determination unit 82_1. The storage unit 81_1 stores fetch access range definition data 84_1 and fetch AP inter-AP call relationship definition data 85_1.

Access range defining data for fetch 84_
1 designates an address in the memory 53 accessible when the CPU 52 is executing the fetch instruction,
Stipulates that the OS layer program and the application programs MAIN, AP1, AP2, and AP3 shown in FIG. 2 are being executed.

FIG. 10 is a diagram for explaining the fetch access range defining data 84_1. In the column (vertical) direction of FIG. 10, the OS layer programs and application programs MAIN, AP1, AP2, and AP shown in FIG.
3 is shown. “FROM” in the row (horizontal) direction indicates a start address of a storage area in the memory 53 in which the program of the corresponding column is permitted to be stored.
“FROM” in the row direction indicates the start address of the address range of the memory 53 to which the program of the corresponding column is permitted to access. “TO” in the row direction indicates the end address of the address range of the memory 53 to which the program of the corresponding column is permitted to access. For example, the application program AP1 is permitted to access the memory 53 in the range of addresses “2000H” to “2FFFH”.

The fetch-AP inter-AP call relation definition data 85_1 indicates a program to which a program module which can be a call source and a call destination belongs when a program module is called while the CPU 52 is executing a fetch instruction. Are shown. FIG. 11 is a diagram for describing the inter-AP call relationship definition data 85_1 for fetch. FIG.
Column directions are the OS layer programs and application programs MAIN, AP1, AP2, AP3 shown in FIG.
Is shown. In the row direction of FIG. 11, the OS layer programs and application programs MAIN, A shown in FIG.
P1, AP2 and AP3 are shown. At the position where the column and the row intersect, it is indicated whether or not the program module of the program in the corresponding column is permitted to call the program module of the program in the corresponding row.
“○” indicates that the call is permitted, and “×” indicates that the call is not permitted. For example, the program module of the application program AP1 is permitted to call the OS program and the program module of the application program AP3, but is not permitted to call the program module of the application program AP2.

The judging section 82_1 corresponds to the CPU 52 shown in FIG.
Based on the executing AP instruction signal S52b and the address CPU_ADR input from the storage unit 81_1 and the fetch access range defining data 84_1 read from the storage unit 81_1, the address CPU_ADR generates the executing AP instruction signal S52.
It is determined whether or not it is included in the address range of the memory 53 defined by “FROM” and “TO” in the column shown in FIG. 10 corresponding to the program indicated by 52b.
When the determination unit 82_1 determines that it is included in the determination, the determination unit 82_1 generates, for example, a fetch determination result signal S71 that instructs connection, and sends it to the terminal 75_1 of the selection circuit 70 illustrated in FIG. Output. On the other hand, the judgment unit 8
When 2_1 is determined not to be included in the determination, for example, a fetch determination result signal S71 indicating disconnection (disconnection) is generated, and this is output to the terminal 75_1 of the selection circuit 70 shown in FIG. Output to

Further, when the program module of the program being executed by the CPU 52 calls the program module of another program, the judgment unit 82_1 judges that the executing AP instruction signal S inputted from the CPU 52 shown in FIG.
52b, the call destination AP instruction signal S52c, and the fetch inter-AP call relation definition data 85_1 read from the storage unit 81_1, the call is
It is determined whether or not the combination is permitted by the combination indicated by the fetch inter-AP call relation definition data 85_1 shown in FIG. When the determining unit 82_1 determines that the determination is permitted, for example,
A fetch determination result signal S71 for instructing connection is generated and output to the terminal 75_1 of the selection circuit 70 shown in FIG. On the other hand, when the determination unit 82_1 determines that the connection is not permitted, the determination unit 82_1 generates, for example, a fetch determination result signal S71 indicating disconnection, and outputs the fetch determination result signal S71 to the terminal 75_1 of the selection circuit 70 illustrated in FIG. Output to.

The read determination circuit 72 receives the executing AP instruction signal S52b input from the CPU 52,
Using the instruction signal S52c and the address CPU_ADR, a read determination result signal S72 is generated and output to the terminal 75_2 of the selection circuit 70.

FIG. 12 shows the read determination circuit 7 shown in FIG.
FIG. As illustrated in FIG. 12, the read determination circuit 72 includes a storage unit 81_2 and a determination unit 82_2. The storage unit 81_2 stores read access range defining data 84_2 and read AP inter-AP calling relationship defining data 85_2.

Read access range defining data 84_2
Is an address in the memory 53 accessible when the CPU 52 is executing the read instruction, and the CPU 52 is executing an OS layer program and application programs MAIN, AP1, AP2, and AP3 shown in FIG. Each case is specified.

FIG. 13 is a diagram for explaining the read access range defining data 84_2. The column (vertical) direction in FIG. 13 corresponds to the OS layer program and the application programs MAIN, AP1, AP2, and AP shown in FIG.
3 is shown. “FROM” in the row (horizontal) direction indicates a start address of a storage area in the memory 53 in which the program of the corresponding column is permitted to be stored.
“FROM” in the row direction indicates the start address of the address range of the memory 53 to which the program of the corresponding column is permitted to access. “TO” in the row direction indicates the end address of the address range of the memory 53 to which the program of the corresponding column is permitted to access.

Read-related inter-AP call relation definition data 8
5_2 indicates that when a program module is called while the CPU 52 is executing the read instruction,
It shows a combination of programs to which a program module that can be a caller and a callee belongs. FIG. 14 is a diagram for describing the read AP inter-AP calling relationship definition data 85_2. The column direction of FIG. 14 shows the OS layer programs and application programs MAIN, AP1, AP2, and AP3 shown in FIG. The row direction in FIG. 14 corresponds to the OS layer program, application program MAIN, AP1,
AP2 and AP3 are shown. At the position where the column and the row intersect, it is indicated whether or not the program module of the program in the corresponding column is permitted to call the program module of the program in the corresponding row. "○"
Indicates that the call is permitted, and “x” indicates that the call is not permitted.

The determination section 82_2 is a CPU 52 shown in FIG.
Based on the executing AP instruction signal S52b and the address CPU_ADR input from the storage unit 81_2 and the read access range defining data 84_2 read from the storage unit 81_2.
When the address CPU_ADR is the execution AP instruction signal S52
"FR" in the column shown in FIG.
It is determined whether or not it is included in the address range of the memory 53 defined by “OM” and “TO”. When the determination unit 82_2 determines that it is included in the determination, it generates, for example, a read determination result signal S72 that instructs connection, and sends it to the terminal 75_2 of the selection circuit 70 illustrated in FIG. Output. On the other hand, the determination unit 82_2
Generates a read determination result signal S72 instructing non-connection (disconnection), and outputs this signal to the selection circuit 70 shown in FIG.
To the terminal 75_2.

Further, when the program module of the program being executed by the CPU 52 calls the program module of another program, the judging section 82_2 judges that the executing AP instruction signal S inputted from the CPU 52 shown in FIG.
On the basis of the call destination AP instruction signal S52c and the read AP inter-AP call relationship definition data 85_2 read from the storage unit 81_2, the call is changed to the read AP inter-AP call relationship definition data 85 shown in FIG.
It is determined whether the combination is permitted by the combination indicated by _2. When the determination unit 82_2 determines that the determination is permitted, the determination unit 82_2 generates, for example, a read determination result signal S72 that instructs connection, and sends the signal to the terminal 75_2 of the selection circuit 70 illustrated in FIG. Output. On the other hand, when the determination unit 82_2 determines that the connection is not permitted, the determination unit 82_2 generates, for example, a read determination result signal S72 indicating disconnection, and outputs this to the terminal 75_2 of the selection circuit 70 illustrated in FIG. Output to.

The write determination circuit 73 is configured to execute the executing AP instruction signal S52b input from the CPU 52,
Using the instruction signal S52c and the address CPU_ADR, a write determination result signal S73 is generated and output to the terminal 75_3 of the selection circuit 70.

FIG. 15 shows the write decision circuit 7 shown in FIG.
FIG. As illustrated in FIG. 15, the write determination circuit 73 includes a storage unit 81_3 and a determination unit 82_3. The storage unit 81_3 stores the write access range definition data 84_3 and the write AP call relationship definition data 85_3.

Write access range definition data 84_3
Is an address in the memory 53 accessible when the CPU 52 is executing the write instruction, and the CPU 52 is executing the OS layer program and the application programs MAIN, AP1, AP2, and AP3 shown in FIG. Each case is specified.

FIG. 16 is a diagram for explaining the write access range defining data 84_3. The column (vertical) direction in FIG. 16 corresponds to the OS layer program and the application programs MAIN, AP1, AP2, and AP shown in FIG.
3 is shown. “FROM” in the row (horizontal) direction indicates a start address of a storage area in the memory 53 in which the program of the corresponding column is permitted to be stored.
“FROM” in the row direction indicates the start address of the address range of the memory 53 to which the program of the corresponding column is permitted to access. “TO” in the row direction indicates the end address of the address range of the memory 53 to which the program of the corresponding column is permitted to access.

Call-related inter-AP calling relationship definition data 8
5_3 indicates that a program module call has occurred while the CPU 52 is executing the write instruction,
It shows a combination of programs to which a program module that can be a caller and a callee belongs. FIG. 17 is a diagram for describing the call-to-AP calling relationship definition data 85_3. The column direction in FIG. 17 shows the OS layer programs and application programs MAIN, AP1, AP2, and AP3 shown in FIG. In the row direction of FIG. 17, the OS layer programs, application programs MAIN, AP1,
AP2 and AP3 are shown. At the position where the column and the row intersect, it is indicated whether or not the program module of the program in the corresponding column is permitted to call the program module of the program in the corresponding row. "○"
Indicates that the call is permitted, and “x” indicates that the call is not permitted.

The determination section 82_3 is a CPU 52 shown in FIG.
Based on the executing AP instruction signal S52b and the address CPU_ADR input from the storage unit 81_3 and the write access range defining data 84_3 read from the storage unit 81_3.
When the address CPU_ADR is the execution AP instruction signal S52
"FR" in the column shown in FIG.
It is determined whether or not it is included in the address range of the memory 53 defined by “OM” and “TO”. When the determination unit 82_3 determines that it is included in the determination, it generates, for example, a write determination result signal S73 that instructs connection, and sends it to the terminal 75_3 of the selection circuit 70 illustrated in FIG. Output. On the other hand, the determination unit 82_3
Generates a write determination result signal S73 for instructing non-connection (disconnection), and outputs this signal to the selection circuit 70 shown in FIG.
To the terminal 75_3.

Further, when the program module of the program being executed by the CPU 52 calls the program module of another program, the judging section 82_3 judges that the executing AP instruction signal S inputted from the CPU 52 shown in FIG.
Based on the call destination AP designation signal S52c and the call destination AP instruction signal S52c, and the write inter-AP call relation definition data 85_3 read from the storage unit 81_3, the call is changed to the write inter-AP call relation definition data 85 shown in FIG.
It is determined whether the combination is permitted by the combination indicated by _3. When the determination unit 82_3 determines that the determination is permitted, the determination unit 82_3 generates a write determination result signal S73 indicating connection, for example, and sends it to the terminal 75_3 of the selection circuit 70 illustrated in FIG. Output. On the other hand, when the determination unit 82_3 determines that the connection is not permitted, the determination unit 82_3 generates, for example, a write determination result signal S73 instructing disconnection, and outputs this to the terminal 75_3 of the selection circuit 70 illustrated in FIG. Output to.

Next, the selection circuit 70 will be described. The selection circuit 70 receives an instruction type instruction signal S5 from the CPU 52.
2a, switch 74 is connected to terminals 75_1 and 75_
2, 75_3. Specifically, when the instruction type instruction signal S52a indicates a fetch instruction, the selection circuit 70 connects the switch 74 to the terminal 75_1 and outputs the fetch determination result signal S71 to the determination result S71.
As 60, it is output to the switch circuit 61. This allows
The connection / non-connection of the switch circuit 61 is controlled by the fetch determination result signal S71.

When the instruction type instruction signal S52a indicates a read instruction, the selection circuit 70 switches the switch 7
4 to the terminal 75_2, and the read determination result signal S7
2 is output to the switch circuit 61 as the determination result S60. Thus, the connection / non-connection of the switch circuit 61 is controlled by the read determination result signal S72.

When the instruction type instruction signal S52a indicates a write instruction, the selection circuit 70
4 is connected to the terminal 75_3, and the write determination result signal S7
3 is output to the switch circuit 61 as the determination result S60. Thus, connection / non-connection of the switch circuit 61 is controlled by the write determination result signal S73.

Hereinafter, an operation example of the computer 51 will be described. [First Operation Example] An operation example in the case where the computer 51 executes a fetch instruction in the course of executing the program module of the application program AP1 and specifies the address "2100H" of the memory 53 will be described below. In this case, "2100H" is displayed on the CPU address bus 7.
CPU_ADR indicating the fetch instruction instruction signal S52a indicating the fetch and the executing AP instruction signal S indicating the AP1
52b is output from the CPU 52 to the determination circuit 60.

Then, the judgment section 82_1 shown in FIG.
Based on the executing AP instruction signal S52b and the address CPU_ADR input from the PU 52 and the fetch access range defining data 84_1 shown in FIG.
It is determined that it is included in the address range “2000H” to “2FFFH” of the memory 53 defined by “FROM” and “TO” in the column shown in FIG. 10 corresponding to P1. Then, the determination unit 82_1 generates a fetch determination result signal S71 for instructing connection, and outputs this to the terminal 75_1 of the selection circuit 70 shown in FIG. Also,
The selection circuit 70 connects the switch 74 to the terminal 75_1 because the instruction type instruction signal S52a indicates fetch.

As a result, the fetch determination result signal S71 for instructing connection is output to the switch circuit 61 shown in FIG.

Then, the switch circuit 61 connects the CPU data bus 6 and the memory data bus 62 to each other,
The PU 52 can access the memory 53.

In the above case, the address CPU_
If the ADR indicates “3100H”, the address is not included in the address range “2000H” to “2FFFH”, and the fetch determination result signal S71 indicating disconnection is sent from the selection circuit 70 to the switch circuit. It is output to 61. As a result, the switch circuit 61
The data bus 6 and the memory data bus 62 are disconnected, and the CPU 52 cannot access the memory 53.

[Second Operation Example] Hereinafter, the computer 51
However, an operation example in the case where the program module of the application program AP2 calls the program of the application program AP1 when the read command is executed will be described. In this case, the executing AP instruction signal S52b indicating AP2 and the called AP instruction signal S52c indicating AP1 are output from the CPU 52 to the read determination circuit 72. The determination unit 82_2 of the read determination circuit 72 includes:
Read inter-AP call relation definition data 8 shown in FIG.
With reference to 5_2, it is determined that the call from AP2 to AP1 is permitted. Then, the determination unit 82_2 generates a read determination result signal S72 instructing connection, and outputs the signal to the terminal 75_2 of the selection circuit 70 shown in FIG. Further, the selection circuit 70 outputs the instruction type instruction signal
Since 2a indicates a lead, the switch 74 is connected to the terminal 7
Connect to 5_2.

As a result, the read determination result signal S72 for instructing the connection is output as the determination result signal S60 to the switch circuit 61 shown in FIG. The switch circuit 61 is connected to the CPU data bus 6.
And the memory data bus 62 are connected, and the CPU 52
Can access the memory 53.

On the other hand, in the case described above, when the program module of the application program AP2 calls the program of the application program AP3, the call from the AP2 to the AP3 is read from the read inter-AP call relation definition data 85_2 shown in FIG. Is determined to be unauthorized. Then, the determination unit 82_2
A read determination result signal S72 instructing non-connection is generated and output to terminal 75_2 of selection circuit 70 shown in FIG. As a result, the read determination result signal S72 indicating disconnection is output as the determination result signal S60 to the switch circuit 61 shown in FIG. Then, the switch circuit 61 disconnects the CPU data bus 6 and the memory data bus 62, and
52 cannot access the memory 53.

As described above, according to the computer 51, the determination circuit 60 and the switch circuit 61 operate according to the programs being executed by the CPU 52 based on the data defined in advance for each program. The connection state between the memory 53 and the CPU data bus 6 is determined. Therefore, it is possible to prevent an application program being executed by the CPU 52 from illegally accessing instructions and data of another application program stored in the memory 53, and even if the CPU 52 executes a plurality of application programs, the application program cannot be executed. High security between them can be obtained.

The present invention is not limited to the above embodiment. For example, in the embodiment described above, the determination circuit 60
Fetch access range defining data 84_1, fetch AP inter-AP calling relation defining data 85_1, read access range defining data 84_2, read AP inter-app calling relation defining data 85_2, write access range defining data 84_3, write AP inter-call calling relation Although the case where the prescribed data 85_3 is stored is illustrated, an IC card 58 that stores the data in a state where the data is encrypted using the key information K may be used as shown in FIG.

In this case, the determination circuit 60 determines that the key information K
And the decryption program 90, and accesses the IC card 58 via the CPU data bus 6 and the communication circuit 4 to access the fetch access range defining data 84_
1, fetch AP inter-AP call relation definition data 85_
1. The read access range defining data 84_2, the read AP calling relationship defining data 85_2, the writing access range defining data 84_3, and the writing AP calling relationship defining data 85_3 are read from the IC card 58, and a predetermined decryption program 90 and It is decrypted using the key information K and used.

Further, according to the present invention, the decryption program is stored in an IC card 58 in an encrypted state, and the decrypted program is stored in a decision circuit 60 via the communication circuit 4 and the CPU data bus 6.
Alternatively, the decryption program may be decrypted using predetermined key information by the determination circuit 60, the decrypted decryption program may be stored in the memory 53, and the determination circuit 60 may read the decryption program from the memory 53 and execute the decryption program.

In the above embodiment, the CPU 52
Output the executing AP instruction signal S52b and the callee AP instruction signal S52c to the determination circuit 60 from the above example. As shown in FIG. 19, the determination circuit 60 monitors the CPU address bus 7 as shown in FIG. By doing so.

[0071]

As described above, it is possible to provide a data processing apparatus capable of maintaining the confidentiality of instructions and data between programs when executing a plurality of programs.

[Brief description of the drawings]

FIG. 1 is a functional block diagram of a computer used for electronic payment as a related technique of the present invention.

FIG. 2 is a diagram for explaining a software structure of the computer of FIG. 1 and the embodiment of the present invention;

FIG. 3 is a diagram for explaining types of IC cards handled by the computer shown in FIG. 1;

FIG. 4 is a diagram for explaining a storage state of a memory illustrated in FIG. 1 before writing;

FIG. 5 is a diagram for explaining a storage state of the memory illustrated in FIG. 1 after writing;

FIG. 6 is a diagram for explaining a correspondence relationship between the application program shown in FIG. 2 and a type of an IC card;

FIG. 7 is a configuration diagram of a computer according to the embodiment of the present invention.

FIG. 8 is a configuration diagram of a determination circuit shown in FIG. 7;

FIG. 9 is a configuration diagram of a fetch determination circuit shown in FIG. 8;

FIG. 10 is a diagram for explaining the fetch access range defining data shown in FIG. 9;

FIG. 11 is a diagram for explaining the fetch inter-AP calling relationship definition data shown in FIG. 9;

FIG. 12 is a configuration diagram of a read determination circuit shown in FIG. 8;

FIG. 13 is a diagram for explaining the read access range defining data shown in FIG. 12;

FIG. 14 is a diagram for explaining the read inter-AP calling relationship definition data shown in FIG. 12;

FIG. 15 is a configuration diagram of a write determination circuit shown in FIG. 8;

FIG. 16 is a diagram for explaining the write access range defining data shown in FIG. 15;

FIG. 17 is a diagram for explaining the write inter-AP call relation definition data shown in FIG. 15;

FIG. 18 is a diagram for explaining another embodiment of the present invention.

FIG. 19 is a diagram for explaining another embodiment of the present invention.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... Computer, 2 ... CPU, 3 ... Memory, 4 ... Communication circuit, 6 ... CPU data bus, 7 ... CPU address bus, 8 ... IC card, 51 ... Computer, 52 ... CP
U, 53: memory, 60: determination circuit, 61: switch circuit, 62: memory data bus, 70: selection circuit, 71 ...
Fetching determination circuit, 72 ... Reading determination circuit, 73 ...
Judgment circuit for write

Claims (12)

[Claims] 1. A storage circuit for storing instructions and data of a plurality of programs, accessing the storage circuit via a transmission line, and executing the plurality of programs using the instructions and data of the plurality of programs. An arithmetic circuit, interposed between the transmission line and the storage circuit, and connection switching for setting one of a connection state and a non-connection state between the transmission line and the storage circuit based on a control signal; A circuit; an access range defining data defining an address range in the storage circuit which can be accessed during execution of the plurality of programs by the arithmetic circuit for each of the plurality of programs; and the arithmetic circuit issues an access request. An address in the storage circuit, and an executing program indicator indicating which of a plurality of programs the arithmetic circuit is executing. A connection control circuit that generates the control signal that controls whether the transmission path and the storage circuit are connected or disconnected based on information; and A data processing device having an input / output interface circuit for performing data input / output with a circuit and data input / output with the outside of the data processing device. 2. The connection control circuit according to claim 1, wherein an address in said storage circuit to which said arithmetic circuit issues an access request is within an address range corresponding to said program being executed defined by said access range defining data. Generating the control signal indicating that the transmission path and the storage circuit are connected to each other, and setting the transmission path and the storage circuit to a non-connection state when the transmission path is not within the address range. 2. The data processing device according to claim 1, wherein the control signal is generated to indicate that the control signal is to be transmitted. 3. The access range defining an address range in the storage circuit that can be accessed according to whether the arithmetic circuit is executing a fetch, read, or write instruction. The data processing device according to claim 1, wherein the control signal is generated according to an instruction being executed based on prescribed data. 4. The data processing device according to claim 1, wherein said connection control circuit has a storage unit for storing said access range defining data. 5. The input / output interface circuit transmits and receives data to and from an integrated circuit that stores the encrypted access range defining data outside the data processing device. Accessing the integrated circuit via a transmission path and the communication circuit, the connection control circuit holds predetermined key information, and is encrypted from the integrated circuit via the communication circuit and the transmission path. 2. The data processing according to claim 1, further comprising receiving the access range defining data, decoding the received access range defining data using the key information, and generating the control signal using the decoded access range defining data. 3. apparatus. 6. The connection control circuit receives an encrypted decryption program for performing the decryption via the input / output interface circuit and the transmission path, decrypts the received decryption program, and stores the decrypted decryption program in the storage circuit. 6. The data processing device according to claim 5, wherein the access range defining data is stored and decrypted using the decryption program stored in the storage circuit. 7. The operation circuit according to claim 1, wherein the operation circuit stops the operation of the operation circuit when the connection control circuit sets the connection between the transmission line and the storage circuit to a disconnected state. Data processing device. 8. The connection control circuit, when the program being executed by the arithmetic circuit calls a function of another program, a combination of a call source and a call destination program permitted to be called in advance. Determining whether or not the call is permitted based on the inter-program call relation definition data, and when determining that the call is permitted, setting the connection between the transmission path and the storage circuit in a connected state; 2. The data processing device according to claim 1, wherein a signal is generated, and when it is determined that the signal is not permitted, the control signal that generates a non-connection state between the transmission path and the storage circuit is generated. 9. The program control method according to claim 1, wherein the connection control circuit is based on inter-program call relation defining data defining a combination of the programs in accordance with which instruction of the fetch, read, and write is being executed. 9. The data processing device according to claim 8, wherein the control signal is generated according to an instruction being executed. 10. The data processing device according to claim 8, wherein the connection control circuit has a storage unit for storing the inter-program call relation definition data. 11. The input / output interface circuit transmits and receives data to and from an integrated circuit that stores the encrypted inter-program call relation definition data outside the data processing device. Accessing the integrated circuit via the transmission path and the communication circuit, the connection control circuit holds predetermined key information, and performs the encryption from the integrated circuit via the communication circuit and the transmission path. Receiving the encrypted inter-program call relation definition data, decrypting the received inter-program call relation specification data using the key information, and generating the control signal using the decoded inter-program call relation specification data. The data processing device according to claim 8. 12. The connection control circuit receives an encrypted decryption program for performing the decryption through the input / output interface circuit and the transmission path, decrypts the received decryption program, and stores the decrypted decryption program in the storage circuit. 12. The data processing device according to claim 11, wherein the data is stored, and the inter-program call relation definition data is decoded using the decoding program stored in the storage circuit.