JP2021069023A - Device with communication function and communication system - Google Patents

Abstract

To provide a device with communication function that can prevent alteration of a filtering condition.SOLUTION: A device with communication function includes: a first central processing unit (CPU); a communication interface connected to the first CPU; a filter provided between the communication interface and a communication path; and a second CPU connected to the filter. The second CPU sets a filtering condition of the filter.SELECTED DRAWING: Figure 1

Description

The present invention relates to a device having a communication function, and more particularly to a device having a communication function and a communication system having an enhanced resistance to security threats caused by communication.

For example, Patent Document 1 is known as a technique relating to a device having enhanced resistance to security threats caused by communication. Patent Document 1 includes a host processor for communication, a dedicated processor for filtering transmission packets, and a filter condition storage means for storing filtering conditions, and the dedicated processor transmits a transmission packet with reference to the filter conditions. A device for preventing a DDoS attack or the like by determining whether or not the packet can be transmitted and discarding a non-transmissible packet is described.

JP-A-2007-221395

Patent Document 1 does not consider means for preventing falsification of filtering conditions. In general, when the software executed by the processor becomes highly functional and the size of the source code becomes enormous, it becomes difficult to comprehensively detect security problems before shipping the product, and software having security problems may be present. Tends to be shipped.

For example, operating system software that is widely used worldwide, such as Windows and Linux®, frequently detects security problems and uses software called security patches to address the problems. It is a well-known fact that if you do not update, the probability of security incidents such as malware infection increases.

In Patent Document 1, if the software executed by the host processor is neglected and a security accident such as infection with malware occurs, the filtering conditions are falsified and the effect of providing a dedicated processor for filtering processing is invalidated. there is a possibility.

An object of the present invention is to provide an apparatus and a communication system having a communication function capable of preventing falsification of filtering conditions.

In order to solve the above problem, one of the typical devices having the communication function of the present invention is "between the first CPU, the communication interface connected to the first CPU, and the communication interface and the communication path. A device having a filter provided in the above, a second CPU connected to the filter, and having a communication function in which the second CPU sets the filtering conditions of the filter. "

Further, the present invention is "a communication system in which a server device and a terminal device are connected by a communication path, and the terminal device includes a first CPU, a communication interface connected to the first CPU, and a communication interface and a communication path. The communication system is characterized by having a filter provided between the two and a second CPU connected to the filter, and the second CPU sets the filtering conditions of the filter.

Further, the present invention is "a device having a communication function connected to a communication path, and the device having a communication function is connected to a first CPU connected to the communication path from a first bus via a communication interface and a filter. , A second CPU connected to the filter via the second bus is provided in the processor unit, the first CPU processes the data obtained via the communication path, and the second CPU processes the data passing through the filter. It is a device having a communication function, which is characterized by determining whether or not the passage is possible. "

In the present invention, since the second CPU sets the filtering conditions, it is possible to prevent the first CPU from falsifying the filtering conditions.

Issues, configurations and effects other than those described above will be clarified by the description of the following embodiments.

FIG. 3 is a block diagram showing a first configuration example of a device having a communication function to which the present invention is applied. The block diagram which shows the structural example of the filter 112 of FIG. FIG. 2 is a diagram showing an example of filtering conditions related to transmission data stored in the filtering condition memory 210 of FIG. FIG. 2 is a diagram showing a first example of a filtering condition relating to received data stored in the filtering condition memory 210 of FIG. FIG. 2 is a diagram showing a second example of a filtering condition relating to received data stored in the filtering condition memory 210 of FIG. FIG. 3 is a block diagram showing a second configuration example of a device having a communication function to which the present invention is applied. FIG. 3 is a block diagram showing a third configuration example of a device having a communication function to which the present invention is applied. The block diagram which shows the structural example of the communication system to which this invention is applied.

Hereinafter, examples of the present invention will be described with reference to the drawings.

FIG. 1 is a block diagram showing a first configuration example of a device having a communication function to which the present invention is applied.

In FIG. 1, the device 102 having a communication function is described from the processor unit 104, the first ROM (Read Only Memory) 122, the first RAM (Random Access Memory) 124, the input / output device 126, and the communication physical layer 128. Become.

Further, the processor unit 104 includes a first CPU (Central Processing Unit) 106, a bus interface 108, a communication interface 110, a filter 112, a second CPU 114, a second ROM 116, and a second RAM 120.

It is preferable that all the processor units 104 are mounted on a single semiconductor integrated circuit in terms of mounting area and operating speed, but the present invention is not limited to this, and the processor unit 104 is a plurality of semiconductor integrated circuits. It may be divided into circuits. Further, a part or all of the first ROM 122, the first RAM 124, the input / output device 126, and the communication physical layer 128 is mounted on the same semiconductor integrated circuit as a part or all of the processor unit 104. You may.

The first CPU 106 reads and executes a program from the first ROM 122 or the first RAM 124 via the bus 132, the bus interface 108, and the bus 146. If the program instructed to read or write the first ROM 122, the first RAM 124, or the input / output device 126, read or read the device instructed via the bus 132, the bus interface 108, and the bus 146. Write. When the program instructs to read or write the first communication interface 110, the communication interface 110 is read or written via the bus 132.

Since the stored value of the first RAM 124 immediately after the power is turned on is undefined, when the program is read and executed from the first RAM 124, the program is written to the first RAM 124 before that. As the program to be written to the first RAM 124, a program read from the first ROM 122, a program read from the input / output device 126, a program received via the communication interface 110, and the like can be considered. In particular, the program received via the communication interface 110 has a high risk of being infected with malware, and the first CPU 106 may execute the program infected with malware. However, since there is no function of rewriting the filtering condition of the filter 112 from the first CPU 106, it is possible to prevent the filtering condition from being tampered with.

A program is written in the first ROM 122 when the device is manufactured. However, if a ROM that can be rewritten by taking a special procedure such as a flash memory is adopted, a communication interface is used after the product is shipped. It may be rewritten to the program received via 110. In this case as well, the risk of executing malware increases, but it is possible to prevent the filtering conditions from being tampered with as in the above case.

When the communication interface 110 receives a transmission instruction from the first CPU 106 via the bus 132, the communication interface 110 reads transmission data from the first RAM 124 via the bus 132, the bus interface 108, and the bus 146, and outputs the transmission data to the signal line 136. .. When the communication interface 110 receives the reception control information from the first CPU 106 via the bus 132, the communication interface 110 stores the reception control information internally. When the communication interface 110 receives the received data from the signal line 138, the communication interface 110 writes the received data to the first RAM 124 via the bus 132, the bus interface 108, and the bus 146 according to the reception control information stored inside. When the first CPU 106 performs transmission or reception processing according to the instruction of the program, the data is read / written from / to the first RAM 124.

The second CPU 114 reads and executes the program from the second ROM 116 via the bus 134. When the program instructs the reading or writing of the second ROM 116, the second RAM 120, or the filter 112, the reading or writing of the instructed device is performed via the bus 134.

Since the program is written in the second ROM 116 when the device is manufactured and is not rewritten thereafter, the risk of being infected with malware is low, and the risk of tampering with the filtering conditions can be reduced.

When the filter 112 receives a read or write request from the second CPU 114 via the bus 134, the filter 112 reads or writes the filtering condition memory existing inside. When the filter 112 receives the transmission data from the signal line 136, the filter 112 also determines whether or not the transmission data can be transmitted from the filtering conditions stored in the filtering condition memory, and if it is determined that the transmission data can be transmitted, the data is transmitted to the signal line 142. Output. If it is determined that transmission is not possible, the data is discarded and the data is not output to the signal line 142. When the filter 112 receives the received data from the signal line 144, the filter 112 also determines whether or not the received data can be received from the filtering conditions stored in the filtering condition memory, and if it is determined that the received data can be received, the data is sent to the signal line 138. Output. If it is determined that reception is not possible, the data is discarded and the data is not output to the signal line 138.

The communication physical layer 128 is a circuit that converts a digital signal on the signal lines 142 and 144 and an analog signal on the communication path 148.

The input / output device 126 can be configured in various ways depending on the application. For example, a storage device such as a hard disk drive, an image input device such as a camera, an image display device such as a liquid crystal display, sensors such as temperature, geomagnetism, angular velocity, and acceleration, and a movable device such as a robot can be considered.

In short, the device of FIG. 1 is "connected to the first CPU 106, the communication interface 110 connected to the first CPU 106, the filter 112 provided between the communication interface 110 and the communication path 148, and the filter 112. It is shown that the device 102 has a second CPU 114 and has a communication function, wherein the second CPU 114 sets the filtering condition of the filter 112.

Further, the device of FIG. 1 is, in short, "a device 102 having a communication function connected to the communication path 148, and the device 102 having a communication function is described from the first bus 132 via the communication interface 110 and the filter 112. The processor unit 104 includes a first CPU 106 connected to the communication path 148 and a second CPU 114 connected to the filter 112 via the second bus 134, and the first CPU 106 passes through the communication path 148. It is shown that the second CPU 114 is configured as a device 102 having a communication function, which is characterized by processing the obtained data and determining whether or not the data passing through the filter 112 can be passed. There is.

FIG. 2 is a block diagram showing a configuration example of the filter 112 of FIG.

The filter 112 includes a transmission input interface 202, a transmission data buffer 204, a transmission output interface 206, a transmission filter control circuit 208, a reception input interface 218, a reception data buffer 216, a reception output interface 214, a reception filter control circuit 212, and a filtering condition memory 210. , The processor interface 220.

When the transmission input interface 202 receives the transmission data from the signal line 136, the transmission input interface 202 stores the transmission data in the transmission data buffer 204 via the signal line 222. The transmission input interface 202 also transmits the start address of the data and the received data size to the transmission filter control circuit 208 via the signal line 226. When the transmission input interface 202 detects the end of the transmission data, it transmits the final data size to the transmission filter control circuit 208.

When the transmission filter control circuit 208 receives the start address of data from the transmission input interface 202 via the signal line 226, it stores it internally. The transmission filter control circuit 208 also provides a transmission data buffer via the signal line 228 when the size of the received data received from the transmission input interface 202 via the signal line 226 is greater than or equal to the size required for determining the filtering conditions. The transmission data from 204 is read and the filtering condition memory 210 is read via the bus 234, and it is determined whether or not the transmission data can be transmitted. When it is determined that transmission is possible, the transmission filter control circuit 208 outputs the start address stored internally in the transmission output interface 206 and the final data size received from the transmission input interface 202 via the signal line 230. When the transmission filter control circuit 208 also determines from the transmission data read from the transmission data buffer 204 that the filtering condition memory 210 needs to be written, the transmission filter control circuit 208 writes the filtering condition memory 210 via the bus 234.

When the transmission output interface 206 receives the start address from the transmission filter control circuit 208 via the signal line 230, the transmission output interface 206 sequentially reads the data after the start address from the transmission data buffer 204 and outputs the data to the signal line 142. The transmit output interface 206 also internally stores when it receives the final data size from the transmit filter control circuit 208 via the signal line 230. The transmission output interface 206 also stops outputting data to the signal line 142 when the data size output to the signal line 142 becomes equal to the final data size stored internally.

The operation of the receive input interface 218 is the same as that of the transmit input interface 202. The operation of the reception filter control circuit 212 is the same as that of the transmission filter control circuit 208. The operation of the receive output interface 214 is the same as that of the transmit output interface 206.

When the processor interface 220 receives a read or write request from the bus 134, the processor interface 220 reads or writes the filtering condition memory 210.

FIG. 3 is a diagram showing an example of filtering conditions related to transmission data stored in the filtering condition memory 210 of FIG.

In FIG. 3, the “Yes / No” column indicates whether each row specifies data that can be transmitted or data that cannot be transmitted. The final filtering condition is to send if one or more of the rows with "OK" in this column are matched and none of the rows with "No" in this column are matched. It is judged that it is possible, and otherwise it is judged that transmission is not possible.

In the "Protocol" column, ARP (Addless Resolution Protocol), DHCP (Dynamic Host Configuration Protocol), UDP (User Datagram Protocol) / IP (Internet Protocol), IP (Internet Protocol), TCP (Transmission Protocol), TCP (Transmission Protocol), etc.

The "source address" and "destination address" columns specify the IP address, which is invalid for protocols that do not have an IP address.

The "source port" and "destination port" columns specify the port number used in UDP / IP and TCP / IP, and are invalid for protocols that do not have a port number.

The "Type" column specifies that the content of the data is of a particular type. For example, use this when you want to check whether the extension of an email attachment has the specified value.

The column marked "*" in FIG. 3 indicates that it is don't care. It is also possible to set only some of the bits as don't care in the comparison of addresses and the like. This can be realized by holding a set value indicating an address and a set value indicating a valid bit as a pair, setting a value other than the valid bit to 0, and then comparing the values. Since the upper digit of the IP address indicates the organization and the lower digit indicates the device number in the organization, only some bits are don't be allowed to communicate with all the devices in a specific organization. The function of "care" is effective.

The number 1 line means that the protocol allows the transmission of PT1 data, and there are no other restrictions. Specifically, it is assumed that a protocol such as ARP that does not have an IP address or port number is specified.

Lines 2 and 3 allow transmission of the specified protocol, source address, destination address, source port, and destination port, respectively. Since the source is its own device, the source address is constant, and the numbers 2 and 3 have the same value. If the source address is determined at the time of product shipment, the value written by the second CPU 114 is used as it is, but if it is dynamically determined by DHCP etc., if the received data is a DHCP response, it will be used. Rewrite with the specified value and use. Further, the destination address may be the value written by the second CPU 114 as it is, or may be rewritten with the address stored in the received data when it is a response of the DNS (Domain Name System) protocol. You may. In this case, it is necessary to provide an area for storing the domain name of the communicable device as a set with the destination address.

The number 4 line disables transmission when the specified type is "TYPE4". This assumes, for example, the case of suppressing the transmission of data of a program (extension is ".exe").

In short, the filtering conditions 1, 2 and 3 of the filter shown in FIG. 3 set the conditions for passing only the data that may communicate with each other, and the filtering condition 4 may cause a security problem. It is the one that sets the condition that the certain data is not passed.

FIG. 4 is a diagram showing a first example of a filtering condition relating to received data stored in the filtering condition memory 210 of FIG. The meaning of each column and the setting contents of each row are almost the same as those in FIG. However, in the case of reception, since the destination is the own device, the destination address is constant, and the source addresses are different in the lines 2 and 3.

FIG. 5 is a diagram showing a second example of filtering conditions related to received data stored in the filtering condition memory 210 of FIG. The process of sequentially adding the settings for permitting reception (only numbers 1 and 2 are set in the upper row, number 3 is added in the middle row, and number 4 is added in the lower row) is shown. Note that the row with "-" in the "Yes / No" column indicates that the setting is invalid.

Here, in the case of TCP / IP, the response to the transmitted data utilizes the property that the source and destination addresses and port numbers are opposite to those of the transmission data, and settings are sequentially added to allow reception of the response to the transmission data. doing. Although not shown in FIG. 5, the setting is invalidated when the end of communication is detected. Further, the setting of the line in which the corresponding transmission / reception has not been performed for a certain period of time may be invalidated.

FIG. 6 is a block diagram showing a second configuration example of a device having a communication function to which the present invention is applied.

Although it is possible to prevent falsification of the filtering conditions in the device of FIG. 1, the filtering conditions are determined by the value stored in the second ROM 116 when the device is manufactured. Therefore, for example, the address of the communication destination device. It may not be possible to handle changes to the device or adding new functions to the device to increase the number of communication protocols.

In order to deal with this problem, the device of FIG. 6 is different from that of FIG. 1 in that the second communication interface 612 and the communication switch 614 are provided.

The second communication interface 612 outputs the transmission data stored in the second RAM 120 to the signal line 622 according to the instruction from the second CPU 114, and stores the received data received from the signal line 624 in the second RAM 120. To do.

The communication switch 614 receives transmission data from the signal line 136 and the signal line 622, and outputs the transmission data to the signal line 626 on a first-come, first-served basis. If the transmission data from the signal line 622 is received while the transmission data from the signal line 136 is being output from the signal line 626, the transmission data from the signal line 622 is temporarily stored in the built-in memory, and the signal line is stored. After the output of the transmission data from 136 is completed, the data stored in the built-in memory is output to the signal line 626. The same applies when the transmission data from the signal line 136 is received while the transmission data from the signal line 622 is being output from the signal line 626. When the communication switch 614 receives the received data from the signal line 628, it also determines whether it is for the communication interface 110 or for the second communication interface 612. If it is for the communication interface 110, the received data is output to the signal line 138. If it is for the second communication interface 612, the received data is output to the signal line 624.

The second CPU 114 communicates with the outside via the second communication interface 612 and sets the filtering condition. When communicating with the outside, there is a possibility of receiving illegal filtering conditions due to falsification or spoofing of communication data, but we know how to deal with these problems such as data encryption and electronic signatures. By using these existing technologies, it is possible to prevent falsification of filtering conditions.

Further, since the processing content of the second CPU 114 is increased as compared with the device of FIG. 1, it is more likely that it will be difficult to comprehensively detect security problems before shipping the product. If the code size of the program executed by the second CPU 114 is smaller than the code size of the program to be executed, the probability that a security problem remains can be reduced as compared with the case where the filtering condition is set by the first CPU 106. it can.

FIG. 7 is a block diagram showing a third configuration example of a device having a communication function to which the present invention is applied.

In the device of FIG. 6, since the processing content of the second CPU 114 is increased as compared with the device of FIG. 1, the probability that the security problem remains is higher than that of FIG.

In order to deal with this problem, the device of FIG. 7 is different from that of FIG. 1 in that the data exchange circuit 712 is provided. Then, the second CPU 114 sets the filtering condition of the filter 112 based on the data received from the data exchange circuit 712.

The point that the second CPU 114 communicates with the outside and sets the filtering condition is the same as in FIG. 6, but when the second CPU 114 communicates with the outside, the second CPU 114 exchanges the transmitted / received data with the data exchange circuit 712. The first CPU 106 uses the communication interface 110 to read and write to and from the outside and communicate with the outside.

Compared to the device of FIG. 6, it is not necessary to perform communication processing with the second CPU 114, and the addition of processing to the device of FIG. 1 is limited to data encryption, electronic signature, etc., and therefore compared with the device of FIG. It has the effect of reducing the probability that security problems will remain.

Since the communication between the second CPU 114 and the outside goes through the first CPU 106, there is a possibility that an invalid filtering condition may be received by falsification or spoofing by the first CPU 106. This can be done by using encryption or electronic signatures.

FIG. 8 is a block diagram showing a configuration example of a communication system to which the present invention is applied.

In this embodiment, the server 802 and the terminals 811 to 81n are connected by a network. For example, it is conceivable that an abnormality is detected by aggregating the sensor data of a terminal into a server and performing processing.

The terminals 811 to 81n adopt the configuration shown in FIGS. 1, 6 or 7, and are set to allow only communication to the server 802 as a filtering condition. In this case, the second CPU 114 sets a condition for passing only communication data with the server 802 as a filtering condition for the filter 112. As a result, the security of the system can be ensured without the need to install a device for ensuring security such as a firewall device.

In short, the system of FIG. 8 describes, "In a communication system in which the server device 802 and the terminal device 811 ... 81n are connected by a communication path, the terminal device 802 communicates with the first CPU 106 and the first CPU 106. The interface 110, the filter 112 provided between the communication interface 110 and the communication path 148, and the second CPU 114 connected to the filter 112 are provided, and the second CPU 114 sets the filtering conditions of the filter 112. , A communication system characterized by. ”.

106: First CPU
110: Communication interface 112: Filter 114: Second CPU
210: Filtering condition memory 712: Data exchange circuit

Claims (8)

It has a first CPU, a communication interface connected to the first CPU, a filter provided between the communication interface and the communication path, and a second CPU connected to the filter.
A device having a communication function, wherein the second CPU sets filtering conditions for the filter. A device having the communication function according to claim 1.
The second CPU is a device having a communication function, characterized in that, as a filtering condition of the filter, a condition for passing only data that may be communicated is set. A device having the communication function according to claim 1.
The second CPU is a device having a communication function, characterized in that the filtering condition of the filter is set as a condition for not passing data that may cause a security problem. A device having the communication function according to claim 1.
A device having a communication function, wherein the code size of a program executed by the second CPU is smaller than the code size of a program executed by the first CPU. A device having the communication function according to claim 1.
A data exchange circuit between the first CPU and the second CPU is provided, and the second CPU sets filtering conditions for the filter based on data received from the data exchange circuit. A device having a characteristic communication function. A communication system in which a server device and a terminal device are connected by a communication path.
The terminal device includes a first CPU, a communication interface connected to the first CPU, a filter provided between the communication interface and the communication path, and a second CPU connected to the filter. Have,
A communication system characterized in that the second CPU sets filtering conditions for the filter. The communication system according to claim 6.
A communication system characterized in that the second CPU sets a condition for passing only communication data with the server device as a filtering condition for the filter. A device connected to a communication path and having a communication function.
The device having a communication function includes a first CPU connected to the communication path from the first bus via a communication interface and a filter, and a second CPU connected to the filter via a second bus. A communication function provided in the processor unit, wherein the first CPU processes data obtained through a communication path, and the second CPU determines whether or not data passing through the filter can be passed. A device having.

Images