JP2010186386A - Processor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a high-level protecting function capable of preventing, in the event of a malfunction by physical attack, expansion of unauthorized access to a memory area. <P>SOLUTION: The memory area of a memory 12 is composed of a plurality of protective domains in which a program is stored with an entry point showing the start address of the program being determined. Each of the protective domains is switched so that the access thereto is permitted when the entry point is instructed, and prohibited when the entry point is not instructed. When transfer to the protective domain 2 is performed while a CPU 16 is executing the program of the protective domain 1, a protective domain transfer instruction is executed to instruct the entry point determined for the protective domain 2. Upon execution of the protective domain transfer instruction, a switching part 20 performs switching to prohibit the access to the protective domain 1 and permit the access to the protective domain 2. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a processor having a memory access protection function for protecting a program and data on a memory from unauthorized access to a memory area.

  Conventionally, protection of programs and data on a memory from unauthorized access to a memory area has been performed.

  For example, a virtual memory address can be associated with whether a particular area of the virtual memory address space can only be accessed by a privileged mode process, or can be accessed by both a user mode or privileged mode process. Managed as MMU (memory management unit) or MPU (memory protection unit) as access control data parameters, and the authority to change this access control data is limited to instructions stored at specific defined locations in the memory address space Security control in a data processing system based on a memory domain is proposed (see, for example, Patent Document 1).

JP 2008-257734 A

  However, in the technique of the above-mentioned patent document 1, by causing a malfunction due to a physical attack or the like for breaking security, a program for reading information is illegally inserted, or a bit representing authority is illegally affected by noise. If the access control data is changed to an authority capable of changing, there is a problem that the MMU or MPU is operated, and any memory area can be accessed, and data can be read or altered.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a processor having a high protection function for preventing the expansion of unauthorized access to a memory area even when a malfunction occurs due to a physical attack. And

  In order to achieve the above object, the processor of the present invention stores a program and defines an entry point indicating a start address of the program. When the entry point is designated, access is permitted, and the entry A storage means having a plurality of protection domains that are switched so that access is prohibited when the point is not designated, and a program stored in a predetermined protection domain that is permitted to access, and execution of the program Control for executing an instruction indicating an entry point defined for the protection domain to be executed by the program when transitioning to the protection domain to be executed by the program in order to execute a program stored in another protection domain. And the predetermined domain before the protection domain transitions To prevent access to a protection domain, it may be configured to include a switching means for switching to allow access to the program executed in the protection domain.

  According to the processor of the present invention, the storage means has a plurality of protection domains in which a program is stored and an entry point indicating the start address of the program is defined. Is switched to prohibit access when the entry point is not instructed. The control means executes a program stored in a predetermined protection domain to which access is permitted, and executes a program stored in another protection domain during execution of the program. In the case of transition to (2), an instruction for indicating an entry point defined for a protection domain to be executed by a program is executed. As a result, the program is executed from the start address indicated by the entry point of the protection domain to which the designated entry point belongs. Then, before the protection domain transitions, the switching unit prohibits access to the predetermined protection domain and switches to permit access to the protection domain to be executed by the program.

  In this way, transition between protection domains is possible only via entry points defined for each protection domain, and access to a given protection domain is prohibited before the protection domain transitions and becomes a transition destination. Since the protection domain for program execution is switched to allow access, even if a malfunction occurs due to a physical attack, unauthorized access to the memory area remains within the protection domain where the program is being executed, and damage due to unauthorized access may occur. Expansion can be prevented.

  Further, a plurality of entry points and access permission / rejection information indicating access permission or access prohibition corresponding to each of the entry points can be defined for each of the protection domains. Further, it may be configured to include an access permission information storage means for reading and storing the access permission information at the time of activation.

  As described above, according to the processor of the present invention, even when a malfunction due to a physical attack occurs, an effect of having a high protection function for preventing expansion of unauthorized access to the memory area can be obtained.

It is the schematic which shows the structure of the processor with a memory protection function of this Embodiment. It is a figure which shows memory space. It is a table | surface which shows an example of a structure of an entry point. It is a table | surface which shows an example of access permission information.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a schematic diagram showing a configuration of a processor 10 with a memory protection function according to the present embodiment. The processor 10 with memory protection function includes a processor unit 14 coupled to a memory 12.

  FIG. 2 shows a memory space of the memory 12. The memory space is divided into a plurality of memory areas, and several memory areas are collectively defined as one protection domain. Each of the protection domains can be set to executable, readable, and writable with respect to a memory area in the protection domain, for example, a program area, a readable data area, a readable / writable data area, a stack area, and A heap area can be included. In addition, a shared area that can be used in common by two or more protection domains can be provided. As will be described later, the shared area is used for transferring necessary data such as an argument and a return value at the time of reading when a transition is made from a predetermined protection domain to another protection domain.

  Each protection domain has a plurality of entry points, and each entry point holds a protection domain to which the entry point belongs and a program start address after passing through the entry point, as shown in FIG. Access to each protection domain is possible only from the program start address indicated by the entry point by obtaining the program start address through this entry point. The entry point is passed by executing a special instruction (protection domain transition instruction or return instruction) described later, or executing a software interrupt instruction, generating an interrupt, or generating an exception. Corresponding entry points are provided depending on the types of special instructions.

  When the entry point is arranged in the memory space, the entry point number is converted into an address according to a predetermined rule, and the information of the protection domain to which the entry point belongs and the program start address can be stored at that address. The predetermined rule can be defined as, for example, “(address) = (start address of entry point table) + (entry point number) * 8”.

  In addition, access permission / rejection information that determines permission / refusal of access to a memory area included in each protection domain is determined for each protection domain. For example, as shown in FIG. 4, the access permission / denial information can be defined by a table of information indicating the start address and the size of the memory area and the access permission / inhibition information. The program start address specified by each entry point is determined so as to be in a memory area to which execution is permitted. If the protection domain is different, no access is allowed. For example, the program of the protection domain 1 is prohibited from accessing the permitted area of the protection domain 2. To specify a shared area between protection domains, specify the same area in different protection domains. When the program of the protection domain 1 passes the entry point 3, the protection domain 2 is switched to the protection domain 2, the read address is permitted in the area from the start address Nnnnnnnnn to the size Vvvv, and the read and execution permission is granted in the area from the start address Pppppppp to the size Wwww. An area in the range from the start address Qqqqqqqq to the size Xxxxx is allowed to be read and written. Furthermore, the program start address Ddddddddd of the entry point 3 is determined somewhere in the execution permission area, for example, the range from the start address Pppppppp to the size Wwww.

  Further, the access permission / rejection information can determine permission / rejection information indicating permission of access or prohibition of access not only for each protection domain but also for each entry point in the protection domain.

  The processor unit 14 includes a CPU 16 that executes a program stored in the memory, an access permission information storage unit 18 in which access permission information stored in the memory 12 is registered, and a switching unit 20 that switches accessible protection domains. It is configured.

  The access permission / rejection information storage unit 18 stores access permission / rejection information determined for each protection domain read from the memory 12 at the time of activation, for example, in a list format as shown in FIG. Note that the information stored in the access permission / rejection information storage unit 18 is configured such that it cannot be rewritten except during startup. For this reason, unlike the prior art, it is not necessary to rewrite the access permission information during startup.

  When the special instruction is executed and the protection domain transitions, the switching unit 20 prohibits access to the transition-source protection domain and switches to permit access to the transition-destination protection domain. The special instruction is an instruction that designates an entry point defined for a protection domain as a transition destination, and refers to a protection domain transition instruction or a return instruction that occurs during execution of a program in a predetermined protection domain. Also, when an interrupt or exception occurs, or when a software interrupt instruction is executed, it behaves as if a protection domain transition instruction specifying a predetermined entry point is executed. When an interrupt, exception, or software interrupt occurs, it is necessary to execute a program that is not normally related to the program that has been executed so far, in order to separate the memory area from the program that has been executed so far, It is necessary to switch protection domains. For this reason, entry points corresponding to interrupts, exceptions, and software interrupt instructions (for example, entry point 0 is for interrupts and entry point 1 is for exceptions) are fixedly determined at the time of design. When the error occurs, switching is performed so that a predetermined protection domain can be accessed through an entry point corresponding to each instruction.

  Next, the operation of the processor 10 of this embodiment will be described.

  First, when the processor 10 is activated, the access permission information is read from the memory 12 and stored in the access permission information storage unit 18.

  Next, the CPU 16 executes the program. Here, if the protection domain in which the program executed by the CPU 16 is stored is the protection domain 1, the switching unit 20 switches only to access the protection domain 1 and prohibits access to other protection domains. . Further, whether access to each memory area of the protection domain 1 is permitted is determined based on the access permission information stored in the access permission information storage unit 18.

  When transitioning to the protection domain 2 during execution of the program stored in the protection domain 1, a protection domain transition command is executed to specify an entry point (for example, entry point 4) indicating the protection domain 2. In response to this instruction, the switching unit 20 switches to prohibit access to the protection domain 1 and permit access to the protection domain 2. Then, the protection domain 2 program is executed from the start address Eeeeeee indicated by the entry point 4. Further, the return address to the protection domain 1 and the program status word are saved in the stack area of the protection domain 2.

  When returning from the protection domain 1 to the protection domain 2, information to be returned to the protection domain 1 is copied to a shared area between the protection domain 1 and the protection domain 2, and a protection domain return command is executed. Thus, at the same time as branching to the return address saved in the stack area of the protection domain 2, the switching unit 20 prohibits access to the protection domain 2 and switches to allow access to the protection domain 1. Then, the execution of the program is started from the address after the protection domain transition command from the protection domain 1 to the protection domain 2 is executed.

  In the above operation, the case where the protection domain transition instruction and the return instruction are executed has been described as an example, but the same operation is performed even when an interrupt, an exception occurs, and a software interrupt instruction is executed.

  As described above, according to the processor of the present embodiment, only by acquiring a start address via an entry point by executing a special instruction while adopting a flexible configuration capable of transitioning between protection domains. Because it is possible to transition to another protection domain, even if a malfunction due to a physical attack occurs, unauthorized access to the memory area stays within the protection domain where the program is being executed, preventing the damage caused by unauthorized access. Can do.

10 Processor with Memory Protection Function 12 Memory 14 Processor Unit 16 CPU
18 Access Permission Information Storage Unit 20 Switching Unit

Claims (3)

The program is stored and an entry point indicating the start address of the program is determined. Access is permitted when the entry point is designated, and access is prohibited when the entry point is not designated. Storage means having a plurality of protection domains that can be switched as follows:
When a program stored in a predetermined protection domain to which access is permitted is executed, and during the execution of the program, a transition is made to a protection domain to be executed in order to execute a program stored in another protection domain Control means for executing an instruction for indicating an entry point defined for the protection domain to be executed by the program;
Switching means for prohibiting access to the predetermined protection domain and switching to allow access to the protection domain to be executed by the program before the protection domain transitions;
Including processor.   The processor according to claim 1, wherein access permission / denial information indicating permission or prohibition of access corresponding to each of the plurality of entry points and each of the entry points is defined for each of the protection domains.   3. The processor according to claim 2, further comprising access permission information storage means for reading out and storing said access permission information at startup.

Images