JP2003122588A - Software processing device and software installation method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a software processing device capable of obstructing the installation of invalid software. SOLUTION: Downloaded software and an attached signature enciphered by the secret key of a software distributor are temporarily held in the buffer of a RAM 13. After a processor 14 and the working memory of the RAM 13 are initialized at a specified timing and, based on the public key of the distributor created in a ROM 11 and the signature of the software temporarily held in the buffer, the validity of the software is verified by a first processing program code created in the ROM 11. When the validity is verified, the software from the buffer of the RAM 13 is stored in a flash memory 12 by a second processing program code created in the ROM 11.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a software processing device such as a home electric appliance, a general-purpose computer, a mobile phone, and a PDA, which has a function of installing and executing software from the outside, and a software installation method.

[0002]

2. Description of the Related Art In recent years, with the spread of the Internet and the generalization of always-on connections, many devices such as general-purpose computers are connected to a network, and users can receive various services using the network. Is becoming. On the other hand, malicious acts by malicious users via networks have become a social problem, and the importance of network security is increasing.

In general, these illegal acts are often caused by an attack or a virus that uses vulnerability of software or a setting error of an administrator. In particular, regarding software vulnerabilities, it is generally difficult for developers to create and distribute complete software that has no design or implementation mistakes in advance. Furthermore, since such mistakes are often found during use by developers and users after the software has been distributed, they are published and distributed in the form of modification programs by the developers, and the users can use these modification programs as appropriate. After downloading, the form is generally installed.

However, not all network users have specialized knowledge or interest in network security. Therefore, there are many cases where the software having a problem is left unattended, even though a program for correcting the software having the problem has been released. Therefore, it is required that the software creator distribute the modification program or the update program including the modification program to the device users and surely install the modification program or the software. The program itself has been tampered with, or it is not replaced by unauthorized software, and refers to installing legitimate software).

A digital signature is considered to be useful as a conventional technique for safely installing software. An example of how to use the digital signature is shown below.

[0006] The software creator creates a public key and a secret key based on the public key algorithm, and writes the public key in the ROM of the device to be installed. Therefore, it is impossible to rewrite the public key. On the other hand, the software to be installed has a signature encrypted with the private key corresponding to the public key written in the ROM in order to prove itself to be correct. When the software is installed, the validity of the software is verified by using the public key and the signature, which is the creator of the key, that is, the creator of the legitimate software. If the tampering verification code is also stored in the ROM, even if the software is tampered with by malicious code, the tampering verification process will not be tampered with, so the installation of software with an illegal signature is prevented. be able to.

However, the software that performs the installation process itself has been tampered with by implementing malicious code that makes use of design mistakes to skip the tampering verification process or invalidate the tampering verification result. In this case, it is not possible to forcibly carry out a proper tampering verification process. Therefore, the above method does not solve the essential problem of installing software safely.

In order to install the software safely, not only is the software tampering impossible, but the software itself is tampered with so that the signature tampering verification process is always performed when the software is installed. Instead, it must be equipped with a mechanism that allows software to be updated safely.

[0009]

As described above,
In the conventional mechanism for safely installing software, there is a possibility that illegal software may be installed, which is insufficient as a countermeasure.

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a software processing device and a software installation method capable of preventing the installation of unauthorized software.

[0011]

According to the present invention, in a software processing device having a function of installing and executing software from the outside, a processor for executing the software and a flash memory for storing the software to be executed. And the software input from the outside and for verifying the correctness of the software,
A buffer for temporarily holding the signature encrypted with the first key, a second key uniquely corresponding to the first key, and the buffer temporarily held in the buffer. The program code of the first process for verifying the correctness of the software based on the signature for the software and the second key, and the software whose correctness is confirmed by the verification is transferred from the buffer to the flash memory. And a ROM in which the program code of the second process for saving is written.

Further, the present invention is a software installation method in an apparatus having a function of installing and executing software from the outside, which is used for verifying the software inputted from the outside and the correctness of the software. , The signature encrypted with the first key,
Temporarily holding in a buffer, a second key uniquely corresponding to the first key written in ROM, and a signature for the software temporarily held in the buffer, A step of verifying the correctness of the software by the program code of the first process written in the ROM, and a program of the second process written in the ROM when the correctness is confirmed by the verification. Saving the software, which has been validated by the code, from the buffer to the flash memory.

Preferably, after the processor and the working memory are initialized at regular intervals, the RO
The method may further include the step of transferring control to the processing written in M.

It should be noted that the present invention relating to the apparatus also holds as the invention relating to the method, and the present invention relating to the method also holds as the invention relating to the apparatus.

According to the present invention, the ROM is provided with the second key, the program code for the first process for verification, and the program code for the second process for installing the proper software, and the input is made. The stored software / signature is temporarily stored in a buffer and then RO
By storing only the software successfully verified by M in the flash memory, it is possible to prevent falsification of the key / verification process / installation process and to ensure that only legitimate software is installed. This also makes it possible to guarantee the use of the legitimate software.

Further, even if the running software is tampered with by performing the verification / installation process after the initialization of the processor and the working memory at regular intervals, the software that has been tampered with even after the reset is executed. Can be prevented from continuing to operate.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 shows an example of the overall configuration of a system according to an embodiment of the present invention.

The device 1 of FIG. 1 is a home electric device, a general-purpose computer, a mobile phone, a PD as long as it has a function of executing software installed from the outside by a processor.
It is applicable to any device such as A. The device 1 of FIG. 1 may be a stand-alone device as well as a device connectable to a network (a wireless network or a wired network) such as a LAN and / or a WAN. In the following description, the case where the device 1 is a home appliance that can be connected to the network is mainly described as an example.

The software distribution server 6 connected to the Internet 3 publishes and distributes software such as “correction program”, “update program including correction program”, and “function addition program” that operates on the device 1. With the function to do. The software distribution server 6 may be, for example, a server launched by a device manufacturer or a vendor of software related to the device. It is assumed that the software has a signature for the software, which is encrypted with the private key of the distributor of the software.

The software distribution server 6 does not necessarily have to be on the Internet 3, but may be installed on the LAN 2 constructed by a company or an individual. Also, CD-
The software may be distributed by a portable recording medium such as a ROM, a flexible disk, or an IC card. Further, two or more of the method of providing the software distribution server 6 on the Internet 3, the method of installing the software distribution server 5 on the LAN 2, and the method of distributing the software by the recording medium may be combined and implemented. . In the following, a case where software to be overwritten over software already installed in the device 1 is mainly distributed and installed will be described as an example.

The first version of the software may be distributed by the same method as that described above, may be pre-installed in the device 1, or may be distributed / installed by another method.

There are various forms of means for the device 1 to acquire software from the outside. For example, (1) a method in which the device 1 includes the communication interface unit 15 and downloads software from the software distribution server 6 on the Internet 3 (in this case, a method of connecting to the Internet 3 via the LAN 2 or not via the LAN 2) There is a method to connect directly to the Internet 3),
(2) The device 1 includes the communication interface unit 15 and
Method of downloading software from the software distribution server 5 on N2 (In this case, for example, a method of giving software to the software distribution server 5 from the software distribution server 6 or the like via the Internet 3 or reading software from a recording medium (3) The device 1 is provided with the external storage device interface section 16, and the software is read from the external storage device 4 such as a CD-ROM drive, a flexible disk drive or an IC card drive. is there.

Of course, the device 1 may have only one or a plurality of means for acquiring software from the outside as exemplified above.

By the way, after the shipment, software is additionally installed on the home appliances connected to the network, and the software is used to provide a new service to the user, or a defect is found in the software. In this case, it is an attractive service for both the user and the vendor that the home appliance manufacturer or the software vendor distributes and installs the correction program via the network.

In particular, for home electric appliances, the user does not always have knowledge of network security, and furthermore, the status of software of the appliance is not always monitored. In addition, it is considered that home appliances are more likely to cause physical damage than general-purpose computers. For example, depending on the refrigerator design, there is a risk that a malicious user may cause the refrigerator software to malfunction, thereby corrupting the contents.

Therefore, it is desirable that the device does not require security or specialized knowledge of software by the user, and that the device has a mechanism for excluding software created by an unauthorized creator and applying only valid software.

FIG. 2 shows a hardware configuration example of the device 1 having a function of installing and executing software.

As shown in FIG. 2, the device 1 is a ROM
11, a flash memory 12, a RAM 13, and a processor 14 that performs a predetermined process.

In the ROM 11, a public key of a software distributor, a signature verification process (program) added to the software, and a software installation process (program) are built.

When the device 1 is intended for a plurality of software distributors, a plurality of public keys may be provided corresponding to the software distributors. In this case, the public key may be stored in the ROM 11 in association with the vendor ID for identifying the software distributor, and the vendor ID may be added to the software for distribution. As for the verification process / installation process, there are a method prepared for each software distribution source and a method made the same regardless of the software distribution source.

When the device 1 is intended for a plurality of software distributors, the ROM 11 may be provided corresponding to each software distributor.

The verification processing program and the installation processing program may be created separately,
It may be integrally formed. In the former case, various modes are possible, such as a mode in which the installation process is executed after the verification process is executed, or a mode in which the installation process is first activated and the installation process calls the verification process. In addition to the verification processing program and the installation processing program, a control program for controlling the entire processing may be further built in the ROM 11.

The RAM 13 includes a working memory used by the processor 14 and a buffer for temporarily storing a program to be installed. This state is shown in FIG. In practice, the working memory and the buffer may be on the same RAM or different RAs.
It may be on M (other forms such as part of the working memory and part of the buffer being on the same RAM).

Of the software temporarily stored in the buffer of the RAM 13, the flash memory 12 is
It is for storing only those that have been successfully authenticated (verification of signature) for their validity. That is, the software distributed by the software distributor is authenticated and stored in the flash memory 12.

Here, FIG. 4 shows the relationship of write authority among the ROM 11, the flash memory 12, and the RAM 13. The flash memory 12 can write data only by a program created in the ROM 11. Further, the contents of the ROM 11 cannot be tampered with. Therefore, since the unjustified software that cannot pass the signature verification is not stored in the flash memory 12, the flash memory 12 stores the legal software distributed by the software distributor. Is guaranteed.

On the other hand, the device 1 is, as shown in FIG.
At least one of the communication interface unit 15 and the external storage device connection interface unit 16 is provided to obtain the software to be installed. The network used by the communication interface unit 15 may be, for example, a wireless network or a wired network such as Ethernet (registered trademark). Further, the external storage device connection interface unit 15 is a CD
-A recording medium such as a ROM is connected, and a function of exchanging data with these external storage devices is provided.

Note that FIG. 2 shows only the parts necessary for explaining the present embodiment, and in practice, various components other than those shown in FIG. 2 may be provided. For example,
The home electric appliance is provided with constituent elements for realizing the original function of the home electric appliance.

FIG. 5 shows a software configuration example of the device 1.

As shown in FIG. 5, the device 1 includes an operating system, applications, and a timer described later (middleware may be incorporated if necessary). The timer may be configured by hardware. Also, a configuration without a timer is possible.

In the present embodiment, the software to be installed in the device refers to an operating system for controlling the device, middleware, and their modification programs, function addition programs, user applications and the like.

The present embodiment will be described in more detail below with reference to FIG.

Here, a case will be mainly described where the software is downloaded from the software distribution server to the home electric appliance 1 via the network, the signature is verified, and then the software is overwritten.

FIG. 7 shows an example of a procedure for acquiring software. That is, the device 1 downloads necessary software from, for example, a pre-registered (one or more) software distribution server (5 or 6) (step S1) (see 101 in FIG. 6) and temporarily stores it in the buffer 131 of the RAM 13. (Step S2) (FIG. 6)
102). In the case of using the external storage device interface unit 16, the CD-R is loaded in the CD-ROM drive.
The software is read in step S1 by mounting the OM.

Regarding server registration, (i) the device manufacturing vendor or software manufacturing vendor may specify at the time of device shipment, (ii) the user may additionally specify after shipping, or (iii) ) Both (i) and (ii) may be possible. The server registration information specified by the vendor is R
It may be written in the OM 11.

For checking whether or not there is software to be downloaded, (i) the device 1 is provided with a function of periodically checking whether or not new software to be updated is distributed (disclosed) to the software distribution server. Therefore, without the user being aware,
The latest software may be automatically installed in the device 1, or (ii) the checking period can be changed or the user can check at any time according to the user's request. Alternatively, both (iii), (i) and (ii) may be possible.

When downloading, data may be exchanged on a secure communication path by performing a predetermined authentication / key exchange procedure between the device 1 and the software distribution server.

For the details of the processing to be described later, the downloaded software is stored in the RAM 13 here.
When the software is stored in the buffer 131, the date and time when the software is stored in the RAM 13 is stored in association with the software. In addition, the software is loaded from the buffer 131 of the RAM 13 to the flash memory 1
In storing the data in 2, the date and time (the date and time when the software is stored in the RAM 13) are stored in association with the software.

Now, when the device 1 connects to the software distribution server (5 or 6) and downloads the target software, a malicious user on the network misrepresents the IP address of the server. Fake it by fake it to a fake server and letting it download fake software including Trojan horses and viruses to the device 1 or intruding into the software distribution server (5 or 6) and rewriting the contents of the server. There is a risk of distributing the software.

Therefore, since the software downloaded from the software distribution server (5 or 6) is not always valid, in the present embodiment, the software is not fake software created by a malicious person and is legitimate. Check that it is the correct software,
The device 1 is provided with a function of distinguishing between legitimate and fake ones and installing only legitimate ones. Moreover, it is impossible to prevent the function itself of installing only the above-mentioned legitimate software from being disturbed by falsifying the software currently used.

FIG. 8 shows an example of the procedure of the verification process / installation process.

While the software is downloaded and temporarily stored in the buffer 131 of the RAM 13 as described above, the processing of FIG. 8 is performed.

That is, a timer (see 17 in FIG. 6)
Operates every time a certain time elapses (or every time a certain value is counted).
The working memory 132 of 13 is reset (step S11) (see 103 in FIG. 6).

This timer is independent of the processing of the operating system, middleware, and applications, and cannot be controlled by those software, and manages the time (for example, the value is added in a constant cycle based on the value stored in the ROM 11). Continue to). When a certain time has passed (or when the count exceeds a certain value), the processor (registers, etc.) and the current contents of RAM processing temporarily stored in the working memory are unconditionally forced. clear. Clear means, for example, initialization processing,
It refers to the process of resetting the value without saving the processing state up to that point.

This timer adds the value (or resets when the value outside the memory range is added),
Moreover, it has a function that cannot be subtracted. The software cannot disable the timer by skipping the reset, and cannot delay the reset time by changing the value of the timer.

Note that the software may issue a request to advance the reset to the timer in order to prevent the software in operation from losing or destroying data due to the forced reset. For example, before the currently executing program executes the next processing unit, check the remaining time until the next reset, and if that time is short, the normal processing procedure (in preparation for reset) is short. The processing may be performed so that it can be reset in time (in this case, by performing processing that can be completed in a short time without performing the next processing unit, the processing is completed before the reset time). It is also possible to advance the reset and execute it).

The core portion of the device 1 may be kept operating regardless of the above reset.
For example, in a refrigerator with Internet function,
The internet function part is initialized by the above reset, but the original function part of the refrigerator may be kept operating regardless of the reset.

After performing the reset process, the timer shifts the process to the ROM 11 (see 104 in FIG. 6).

The ROM 11 checks the specific buffer 131 of the RAM 12.

If a software image is present in the buffer 131 of the RAM 13 (step S12), a falsification verification process is performed using the signature of the software and the public key 1101 (from which the software is distributed) stored in the ROM 11. (Refer to 105, 106, 1102 in FIG. 6) (step S13).

For example, when the signature is a hash value obtained by applying a predetermined hash function to the software, the signature is stored in the ROM 11 when it is encrypted with the private key of the distribution source of the software. The original hash value is obtained by decrypting with the public key, and the same predetermined hash function is applied to the software to obtain the hash value. If the two match, the signature verification (software authentication) succeeds. It is assumed that Of course, various methods are known for the verification process, and any method can be used.

If the result of the falsification verification is false (step S14), a predetermined error process is performed (step S18).

As a cause of failure in falsification verification, for example,
Possible causes include "the file was not transferred normally due to a network error" and "the file was not created by a legitimate creator". If the file was not created by a legitimate author, it may be fake software distributed by a malicious user. Therefore, for example, if the error processing is provided with a function of reporting error information from the device 1 to the software distribution source, the software distribution source can be used as a material for taking countermeasures and investigations.

As for software that has failed verification, there are a method of immediately erasing it from the RAM buffer in error processing, a method of not erasing it in error processing (for example, saving it for countermeasures, investigations, etc.). .

On the other hand, if the result of the tampering verification is true (step S14), the flash 12 is used in this procedure example.
The date and time (see 107-1 in FIG. 6) corresponding to the current software stored in the RAM 1 and the buffer 1 of the RAM 13
A process of comparing with the date and time (see 107-2 of FIG. 6) corresponding to the image of the software stored on 31 (see FIG. 6).
1103) is performed (step S15).

Then, the date and time corresponding to the image of the software stored in the buffer 131 of the RAM 13 is
If it is newer than the date and time corresponding to the current software stored in the flash 12 (step S16), the image of the buffer 131 of the RAM 13 is copied to the flash memory 12 and the previous contents are overwritten (step S17) (FIG. 6). 108).

As a result of the above comparison processing, when the date and time corresponding to the image of the software stored in the buffer 131 of the RAM 13 is older than the date and time corresponding to the current software stored in the flash 12 (step S
16) is software that is considered to have already been installed (if the software that has failed the above verification is not erased in the error processing, it is the software that has been determined not to be installed because the verification failed. Flash 12
Is not written to.

In the case where the software may not be stored in the flash 12 in step S15, if the software is not stored in the flash 12, in step S16,
For example, the date and time corresponding to the image of the software stored in the buffer 131 of the RAM 13 is the flash 1
It may be newer than the date and time corresponding to the current software stored in 2. Further, in the case where the software cannot be stored in the flash 12 in step S15, if the software is not stored in the flash 12, for example, error processing may be performed.

In step S17, when the software stored in the buffer 113 of the RAM 13 is written in the flash memory 12, the software may be erased from the buffer 113 of the RAM 13, or instead of or in addition to that. With step S
In the case of No in 16, the buffer 11 of the RAM 13
The software may be deleted from item 3.

Then, (in step S17, the RAM 13
When the software is written from the buffer 113 to the flash memory 12, No in step S16, error processing is performed in step S18, or No in step S12 (when there is no image of software in the buffer 131 of the RAM 13). )
The ROM 11 moves the process to the flash memory 12 and transfers control to the image written in the flash memory 12, and the image executes the system boot process (see 109 in FIG. 6).

Now, the memory address control function of this embodiment will be described.

In addition, the working memory 13 of the RAM 13
Suppose that the software running on 2 has been tampered with. However, as described above, the working memory 132 of the RAM 13 is reset when reset by the timer. Therefore, in order for this falsified software to survive the reset, it is necessary to copy it to the flash memory 12. However, since the flash memory 12 can only be rewritten from the ROM 11 (see FIG. 4), the image of the falsified RAM 13 cannot rewrite the flash 12. By using this memory address control means, the tampered RAM 13
Image does not continue to exist after reset.

Forced resetting means by a timer,
Even if the malicious software is tampered with by the operating software in the working memory 132 of the RAM 13, the memory address control means restores the legitimate software stored in the flash memory 12 at the next startup. Is possible.

As described above, according to this embodiment, the software to be installed is guaranteed to have been created by a legitimate creator, and the other software (eg, forged). It is possible to distinguish and install only the former. In addition, even if the software has been tampered with, by periodically resetting the system, it is possible to prevent the tampered image existing in the current working memory from continuing to exist. Therefore, the device is always guaranteed to use the software created by the authorized creator, and only the software created by the authorized creator can be installed.

The procedure of FIG. 8 is an example, and various modifications can be implemented. For example, in the above process, first, a signature verification process is performed, and if this is successful, a date and time check is performed to compare the date and time between the software stored in the RAM buffer and the software stored in the flash memory, If this succeeds, it is judged that the downloaded software is legitimate and should be installed, and the image of the RAM buffer is written to the flash memory. Conversely, if the date and time check is performed and this succeeds, Then, the verification process is performed, and if the verification process is successful, the verification process may be written in the flash memory. Alternatively, the verification process and the date / time check may be performed in parallel, and if both of the results are true, they may be written in the flash memory, and if at least one result is false, they may not be written.

Further, in the above description, "overwriting software" is assumed for the software having the sameness. However, when the software is added to the main software, for example, as shown in FIG. In the procedure, steps S15 and S16 may be omitted, the overwriting process of step S17 may be modified to an incorporation process, and if the verification is successful in step S14, the corresponding software may be incorporated in step S17. If it is different whether to overwrite or add at each time, for example, in the procedure of FIG. 8, it is determined whether the target software should be overwritten or added, and in the former case, the date and time check is performed. When the result of the date and time check is true (in the verification process), the RA is written to the flash memory.
The software of the buffer of M may be overwritten, and in the latter case, the software of the buffer of RAM may be added to the software of the flash memory without performing the date and time check. As to whether the target software should be overwritten or added, for example, the one having unique identification information for each software and having the same identification information as the identification information of the software in the RAM buffer is stored in the flash memory. If stored in memory,
It may be determined to overwrite, and if not saved, it may be determined to add. Also, for example, there is a method of adding information indicating whether to overwrite or add to each software.

If a plurality of types of software (each software is identified by, for example, identification information unique to the software) can be present in the RAM buffer in step S12 of FIG. 8, verification / installation is performed.
It may be performed for each software existing in the RAM buffer.

Further, in starting the software in the flash memory in step S19 of FIG. 8, when there can be a plurality of software that can be started in the flash memory, the one to be started is selected according to a predetermined selection criterion. And start it up. There are various selection criteria, for example, a method of selecting software having identification information set in ROM in advance, a method of selecting software designated by a user in advance, a method of selecting software that has been activated at reset, and the like. There is a method.

Further, in the procedure of FIG. 8, step S
There is also a method in which the software in the flash memory 19 is not activated but is activated at different triggers.

Further, in the procedure of FIG. 8, step S
There is also a method of resetting the working memory of the processor 11 and the RAM of 11 and performing them with different triggers.

Although the method in which the software is automatically installed when the timer is started has been described so far, the user can install the software at an arbitrary time instead of or together with the automatic installation. It is also possible to do so. By doing so, for example, when an important defect of software is discovered, the correction program can be installed according to the user's request.

Regarding the function to be installed by the user at any time, when used in combination with automatic installation,
For example, if there is a function of advancing and executing the resetting of the timer described above, this function can be used to realize it. To execute the instruction to advance the reset of the timer, the device 1 may be provided with a physical switch, or the request may be transmitted to the device 1 through an infrared remote controller or the like. It is also possible to send an arbitrary command via the network. in this case,
When the timer receives the reset request, the current processing content of the processor and the information stored in the working memory of the RAM are reset, the processing content is transferred to the ROM, and the falsification verification and installation of the software are performed as in the procedure of FIG. Start.

If the user is provided with the function of installing software at an arbitrary time without the automatic installation function, the reset, verification, and installation processes may be carried out triggered by the user's input (in this case, However, it is also possible to do not reset.

Further, in the above description, when the downloaded software is stored in the buffer of the RAM, the date and time when the software is stored in the RAM is stored in association with the software, and the software is stored in the buffer of the RAM. When storing the data in the flash memory, the date and time (the date and time when the software is stored in the RAM) is stored in association with the software, and the software is RA-stored according to the result of comparing the both dates and times.
It was decided whether to save from the M buffer to the flash memory. Instead, for example, version information is added to the software, and the software is stored in the RAM according to the comparison result of the old and new version information. It may be possible to determine whether to save from the buffer to the flash memory. Also, other methods are possible.

Up to now, it has been assumed that the software has the signature encrypted with the secret key of the distributor and the public key of the software distributor is built in the ROM 11 of the device 1. As described above, it is possible to adopt another encryption method instead of the public key encryption method. For example, a method of using the same shared key for the software distributor and the device 1 can be adopted.

Further, the distribution and installation of the software via the network have been mainly described so far, but as described above, the device or the user does not need to obtain the software via the network. If the device does not have a communication interface, or if the device is not connected to a network, then portable and writable media such as floppy disks, or portable and writable media such as CD-ROM. It is possible to update the software from an impossible medium. Of course, as in the case of downloading via a network, the storage medium does not always have the guarantee that software created by a legitimate creator is recorded.
It can be applied by saving it in the buffer of and then installing it in the flash memory.

Further, as described above, the present invention is applicable not only to home electric appliances but also to general-purpose computers, mobile phones, PDAs and other such devices. Especially mobile phones and PDs
Since A has a limited memory capacity, it is difficult to install a large number of applications at once.
Further, the present invention can be applied when an application is downloaded and installed via the Internet using a mobile phone service or an Internet connection service.

The configuration illustrated in the embodiment of the present invention is an example, and is not intended to exclude other configurations, and a part of the illustrated configuration may be replaced with another configuration or illustrated. Other configurations that are obtained by omitting a part of the configuration, adding another function or element to the exemplified configuration, or combining them are possible. Also, another configuration logically equivalent to the exemplified configuration,
Other configurations including a portion logically equivalent to the exemplified configuration, another configuration logically equivalent to the main part of the exemplified configuration, and the like are possible. Further, another configuration that achieves the same or similar purpose as the exemplified configuration, another configuration that achieves the same or similar effect as the exemplified configuration, and the like are possible. Further, various variations of the various constituent parts illustrated in the embodiments of the present invention can be implemented in an appropriate combination. Further, the embodiments of the present invention include an invention as an individual device, an invention as to two or more related devices, an invention as an entire system, an invention as to a component inside an individual device, or a method corresponding thereto. It is intended to encompass and include inventions related to various viewpoints, stages, concepts or categories such as inventions. Therefore, the invention disclosed in the embodiments of the present invention can be extracted without being limited to the exemplified configurations.

The present invention is not limited to the above-described embodiments, but can be implemented with various modifications within the technical scope thereof.

[0090]

According to the present invention, it is possible to prevent the installation of unauthorized software.

[Brief description of drawings]

FIG. 1 is a diagram showing an example of the overall configuration of a system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a hardware configuration example of a device according to the embodiment.

FIG. 3 is a diagram showing a configuration example of a RAM of the device according to the embodiment.

FIG. 4 is a diagram showing a relationship of write authority among a ROM, a flash memory, and a RAM of the device according to the embodiment.

FIG. 5 is a diagram showing a software configuration example of a device according to the embodiment.

FIG. 6 is a diagram for explaining a data flow and control in the device according to the embodiment.

FIG. 7 is a flowchart showing an example of a procedure for acquiring software of the device according to the embodiment.

FIG. 8 is a flowchart showing an example of a procedure of device authentication processing / installation processing according to the embodiment.

[Explanation of symbols]

1 ... Equipment 2 ... LAN 3 ... Internet 4 ... External storage device 5, 6 ... Software distribution server 11 ... ROM 12 ... Flash memory 13 ... RAM 14 ... Processor 15 ... Communication interface section 16 ... External storage device connection interface section 17 ... Timer

Continued front page    F-term (reference) 5B017 AA02 BA02 BA07 BA09 CA15                 5B076 AC01 AC05 AC10 BA05 BB04                       BB06 BB13 FA13 FA20 FB11

Claims (20)

[Claims] 1. A software processing device having a function of installing and executing software from the outside, a processor for executing the software, a flash memory for storing the software to be executed, and an external input. A buffer for temporarily holding software and a signature encrypted with the first key for verifying the authenticity of the software, and a second buffer uniquely corresponding to the first key. A program code of a first process for verifying the correctness of the software based on the key, the signature for the software temporarily held in the buffer, and the second key, and the correctness by the verification Of the second process for saving the identified software from the buffer to the flash memory. R with the program code written
A software processing device comprising: an OM. 2. The software processing device according to claim 1, wherein the flash memory can write data only by executing a program of the second processing in the ROM. 3. The second process temporarily stores the software in the buffer before overwriting the software temporarily stored in the buffer with respect to the software stored in the flash memory. The old version of the software stored in the flash memory is compared with the old version of the software stored in the flash memory, and the overwriting is performed only when the software temporarily stored in the buffer is determined to be newer. The software processing device according to claim 1, wherein 4. The software processing apparatus according to claim 3, wherein the second processing compares old and new based on date and time information added to the software. 5. The software processing device according to claim 3, wherein the second processing compares old and new based on version information added to the software. 6. The first key is a private key unique to a distribution source of the software, the second key is a public key unique to a distribution source of the software, and the first process Sends the signature encrypted with the secret key temporarily stored in the buffer to the RO
A process of decrypting with the public key written in M,
The software processing device according to claim 1, further comprising: a process of verifying the presence or absence of tampering based on the signature obtained by the decryption. 7. The software processing device according to claim 1, wherein the ROM is provided for each target software distributor. 8. The software process according to claim 1, wherein the software stored in the flash memory is currently installed software including an operating system, applications, and data required by them. apparatus. 9. The software stored in the flash memory is currently installed software consisting of an operating system, middleware executed on the operating system, applications, and data required by them. The software processing device according to claim 1. 10. The software processing apparatus according to claim 1, further comprising a rewritable working memory used when software is running. 11. The software processing device according to claim 10, further comprising reset means for initializing the processor and the working memory at regular intervals. 12. The ROM after initializing the processor and the working memory at regular intervals.
11. The software processing device according to claim 10, further comprising timer means for transferring control to the processing written in. 13. The timer means is independent of any processing of an operating system, middleware, and an application, cannot be controlled by the processing, and manages the elapse of the certain period.
2. The software processing device according to 2. 14. The timer means adds a value at a constant cycle based on the value stored in the ROM,
14. The software processing device according to claim 13, wherein the progress of the certain period is managed. 15. The timer means checks the remaining time until the next scheduled reset time before the currently executing software executes the next processing unit, and when the remaining time is short, the normal processing procedure is performed. 15. The method according to claim 12, further comprising means for performing processing so as to be in a resettable state in a short time, and advancing and executing resetting before the next scheduled resetting time. The software processing device according to. 16. The software processing apparatus according to claim 1, further comprising a communication interface unit for acquiring software to be installed. 17. The software processing device according to claim 1, further comprising external storage device connection interface means for connecting a medium including the software in order to obtain the software to be installed. 18. The software processing device according to claim 1, wherein the software processing device is a home electric appliance, a general-purpose computer, a mobile phone, or a PDA having a function of installing and executing software from the outside. . 19. A software installation method in a device having a function of installing and executing software from the outside, which comprises a first software for verifying the correctness of the software and the software input from the outside. Temporarily storing in the buffer the signature encrypted with the key, a second key uniquely corresponding to the first key written in the ROM, and temporarily stored in the buffer. A step of verifying the legitimacy of the software by the program code of the first process written in the ROM based on the signature for the software, and the ROM when the legitimacy is confirmed by the verification. The software whose validity has been confirmed by the program code of the second processing written in How software installation, characterized by a step of storing from the buffer to the flash memory. 20. The software according to claim 19, further comprising the step of transferring control to the processing written in the ROM after initializing the processor and the working memory at regular intervals. -Installation method.