JP2023020590A - Information processing apparatus and monitoring method - Google Patents

Abstract

To provide a mechanism for reducing recovery time in an apparatus that executes automatic restoration processing when data alteration is detected.SOLUTION: An information processing apparatus includes a nonvolatile storage unit having a first region storing a program and a second region storing a restoration program for conserving the program. The information processing apparatus includes a control unit which executes the program stored in the nonvolatile storage unit. The information processing apparatus monitors an access path to the nonvolatile storage unit, and executes automatic restoration processing to restore a part of the contents in the first region or the second region in accordance with information on addresses and types of accesses to the first region and the second region.SELECTED DRAWING: Figure 4

Description

The present invention relates to an information processing device and a monitoring method.

The information processing apparatus may be started with the data in its nonvolatile memory being tampered with. In such a case, there is known a system that detects tampering when booting from a tampered non-volatile memory and restores normal data from an untampered non-volatile memory area.

For example, according to Patent Document 1, when tampering with a boot program module is detected at startup, the tampered module is updated to perform automatic recovery. Further, according to Patent Literature 2, an OS monitoring device that monitors software updates is used to safely and efficiently monitor integrity and soundness during software updates and operations. Such an information processing device that detects software tampering and performs automatic recovery processing detects tampering at startup to prevent startup using unauthorized ROM data, and restores normal ROM data before startup. be able to.

Japanese Unexamined Patent Application Publication No. 2020-82441 Japanese Patent No. 4288292

However, the conventional technology described above has the following problems. In some cases, software is tampered with by infiltrating exception handling, etc. that is not assumed by the provider of the information processing equipment, taking advantage of blind spots (so-called software vulnerabilities) where operation verification has not been sufficiently conducted. many. In such a case, it is considered that the software in which the exception processing has been inserted cannot operate as expected by the provider of the information processing apparatus, or is in a state where the operation is incomplete, which may cause disadvantages for the user. There is

Therefore, in the conventional technology described above, when a software module is activated, the signature of each module is verified to detect whether or not the module has been tampered with, and if the module has been tampered with, the module is restored. However, in the conventional technology described above, although it is possible to detect that a module has been tampered with based on the signature for each module, it is not possible to specify the details of the tampered portion, so restoration is performed in units of modules. end up As a result, there is no choice but to restore a portion that has not been tampered with, so there is a problem that restoration takes a long time if the module size is large. Similarly, even if the OS monitoring device monitors tampering during software operation, tampering is detected by the signature of the software to be monitored, and restoration needs to be performed in units of signed modules. rice field.

SUMMARY OF THE INVENTION The present invention has been made in view of at least one of the above problems, and provides a mechanism for shortening recovery time in a device that executes automatic recovery processing when falsification of data is detected.

The present invention is, for example, an information processing apparatus, comprising nonvolatile storage means having a first area storing a program and a second area storing a recovery program for maintaining the program; A control means for executing a program stored in a storage means and an access path to the non-volatile storage means are monitored, and according to the access type and the accessed address information regarding the access to the first area and the second area, and monitoring means for executing an automatic recovery process for recovering the contents of a part of the first area or the second area.

Advantageous Effects of Invention According to the present invention, it is possible to shorten recovery time and reduce downtime of the apparatus in an apparatus that executes automatic recovery processing when falsification of data is detected.

The figure which shows an example of a structure of the information processing apparatus which concerns on one Embodiment. FIG. 4 is a sequence diagram showing an example of firmware update in a normal procedure according to one embodiment; FIG. 3 is a diagram showing the arrangement of software modules in a flash ROM according to one embodiment; FIG. 3 is a detailed diagram of the falsification monitoring unit 11 according to one embodiment; The figure which shows the example of the operation|movement of the unauthorized application which concerns on one embodiment. 4 is a flow chart according to one embodiment. 4 is a sequence diagram showing an operation example of tampering monitoring and automatic recovery by the tampering monitoring unit 11 according to the embodiment; FIG. The figure which shows an example of the structure which concerns on one Embodiment.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. In addition, the following embodiments do not limit the invention according to the scope of claims. Although multiple features are described in the embodiments, not all of these multiple features are essential to the invention, and multiple features may be combined arbitrarily. Furthermore, in the accompanying drawings, the same or similar configurations are denoted by the same reference numerals, and redundant description is omitted.

<First Embodiment>
<Configuration of information processing device>
A first embodiment of the present invention will be described below. First, a configuration example of an information processing apparatus 1 according to the present embodiment will be described with reference to FIG.

As shown in FIG. 1, an information processing apparatus 1 is connected to a PC 2 via an external I/F cable 3 . Also, the PC 2 is connected to the router 5 via the network cable 4 and can access the Internet 6 . 8 is the user of the information processing apparatus 1, and 7 is the website published by the provider of the information processing apparatus 1. FIG. A firmware update application 71 for the information processing apparatus 1 is published on the website 7 .

The information processing apparatus 1 includes a CPU 10, a flash ROM 12, a RAM 15 in which programs and data are loaded, a tampering monitor 11, SPI buses 16 and 17, a memory I/F 18, an external I/F 13, and a normal procedure flag 14. On the other hand, PC2 is what is called a personal computer, and is provided with CPU20, RAM25, HDD22, external I/F23, and NW I/F26.

The CPU 10 is an SoC (System On Chip) using, for example, an ARM Cortex A9 processor, and controls the entire information processing apparatus 1 . The flash ROM 12 is, for example, a 32 MB NOR flash memory connected via an SPI bus, and stores control software executed by the CPU 10, for example.

As shown in FIG. 1, the tampering monitor 11 and the flash ROM 12 are connected to the SPI bus 16, respectively. Therefore, the tampering monitor 11 can monitor rewrite or erase access to the flash ROM 12 on the SPI bus 16 . It is assumed that the CPU 10 can access the tampering monitor 11 and the normal procedure flag 14 via the SPI bus 17, respectively. Note that the normal procedure flag 14 may be a storage unit that can be read/written from the CPU 10 or the falsification monitoring unit 11 , and may be provided on the flash ROM 12 or RAM 15 . Also, the normal procedure flag 14 may be provided in the CPU 10 or the tampering monitor 11 in order to prevent wiretapping by an unauthorized accessor.

RAM15 and RAM25 are, for example, DDR4 memories. The external I/F 13 is, for example, a USB device I/F or network I/F. Here, for the sake of explanation, it is assumed to be a USB device I/F. The external I/F cable 3 is, for example, a USB cable. The external I/F 23 is, for example, a USB host I/F or network I/F. Here, for the sake of explanation, it is assumed to be a USB host I/F. The HDD 22 is an HDD (hard disk drive) that holds the OS and applications of the PC. The CPU 20 is a processor that executes the PC OS and applications, and is, for example, an Intel Core processor. The NW I/F 26 is, for example, a 100Base-T network I/F. The NW I/F cable 4 is, for example, a 100Base-T LAN cable. A router 5 is a network router that connects to the Internet 6 .

<Firmware update>
Next, referring to FIG. 2, using a firmware update application 71 provided by the website 7 of the provider of the information processing device 1, the user 8 of the information processing device 1 updates the flash ROM 12 in a normal procedure. Explain the sequence.

In S<b>201 , the PC 2 accesses the website 7 of the provider of the information processing device 1 using a web browser or the like according to the operation by the user 8 , and downloads the firmware update application 71 for the information processing device 1 to the HDD 22 . Subsequently, in S<b>202 , the PC 2 executes the firmware update application 24 downloaded to the HDD 22 according to the operation of the user 8 of the information processing device 1 . In S<b>203 , the firmware update application 24 displays to the user 8 an operation method for shifting the information processing apparatus 1 to the firmware update mode on the PC 2 .

When the user 8 performs an operation according to the operation method displayed in S203, the information processing apparatus 1 receives an operation to shift to the firmware update mode in S204. Subsequently, in S205, the information processing apparatus 1 sets the normal procedure flag 14 to 1, restarts, and executes only the firmware update application after the restart. The firmware update application transmits and receives a data packet for firmware update via an external I/F (here, a USB device I/F) between the information processing apparatus 1 and the PC 2 . Further, the firmware update application displays to the user 8 that the firmware is being updated on the operation unit.

In S<b>206 , the PC 2 transmits a firmware update start packet to the information processing apparatus 1 . In S<b>207 , the information processing apparatus 1 returns a firmware update start ACK packet to the PC 2 . At S208, PC2 transmits the firmware data packet. Firmware data includes size information. In S209, the information processing apparatus 1 receives data of the firmware size received in S208, and then returns a firmware data reception completion packet. In S210, the information processing apparatus 1 updates the flash ROM 12 after receiving the firmware data in S209. At this time, an erase command for the area is executed, and then a program command for the area is executed.

Next, in S211, the PC 2 transmits to the information processing apparatus 1 a firmware update confirmation packet for confirming whether the firmware update has been completed. In S212, the information processing apparatus 1 returns a firmware data update completion packet after completing the update of the flash ROM executed in S210. Since the firmware update is completed in S213, the information processing apparatus 1 sets the normal procedure flag 14 to 0 and restarts. After rebooting, it will boot according to the normal boot sequence.

<Data structure of flash ROM>
Next, with reference to FIG. 3, a data configuration example of the software program area in the 32 MB flash ROM 12 will be described. The flash ROM 12 has a boot ROM area 120 of 1 MB, a boot parameter area 121 of 1 MB, a boot ROM recovery area 122 of 1 MB, a system area 123 of 13 MB, an application area 124 of 8 MB, and an application data area 125 of 8 MB. included.

In this embodiment, the boot ROM area 120 and the boot ROM recovery area 122 hatched with diagonal lines in FIG. do. Assume that the address range of the boot ROM area 120 is 0x00000000 to 0x000FFFFF, and the address range of the boot ROM recovery area 122 is 0x00200000 to 0x002FFFFF.

The same data are written in the boot ROM area 120 and the boot ROM recovery area 122 . That is, if the boot ROM area 120 has been tampered with, data is restored from the boot ROM recovery area 122 to the boot ROM area, and if the boot ROM recovery area 122 has been tampered with, data is restored from the boot ROM area to the boot ROM area. Restore to the recovery area.

<Tampering monitoring unit>
Next, a detailed configuration of the falsification monitoring unit 11 will be described with reference to FIG. As shown in FIG. 4 , the falsification monitor 11 includes a controller 110 , an address monitor 112 and a command monitor 114 .

The control unit 110 of the tampering monitoring unit 11 is a microcomputer that controls the entire tampering monitoring unit 11, receives control from the CPU 10 via the SPI bus 17, and monitors access to the storage area of the flash ROM 12 at the address level. do. The monitoring target address 111 is a register for setting an address range to be monitored for tampering in the storage area of the flash ROM 12 , and is set by the control unit 110 via the SPI bus 17 . For example, when the monitoring target address 111 is set using FIG. 3 as an example, the monitoring target address 111 is 1 MB from 0x00000000 to 0x000FFFFF and 1 MB from 0x00200000 to 0x002FFFFF. That is, the tampering monitor 11 monitors access to the boot ROM area 120 and access to the boot ROM recovery area 122 .

The address monitor 112 monitors access addresses on the SPI bus 16 . When the normal procedure flag 14 is set to 0 (zero) and the monitored address set in the monitored address 111 is accessed, the address of the access is stored in the tampered address 113 . Here, when 0 (zero) is set in the normal procedure flag 14, it indicates that the monitored address is to be monitored. On the other hand, when the normal procedure flag 14 is set to 1, it is assumed that rewriting is performed according to the normal procedure, so address monitoring is not performed.

A command monitoring unit 114 monitors commands on the SPI bus 16 . When the normal procedure flag 14 is set to 0 (zero), when an access type of an Erase command or a Program command is issued to the flash ROM 12, the command is stored in the tampering command 115. . When the normal procedure flag 14 is set to 1, rewriting is performed according to the normal procedure, so command monitoring is not performed. Erase commands are, for example, 4KB Sector Erase (20h), 32KB Block Erase (52h), 64KB Block Erase (D8h), and the like. Program commands are, for example, Page Program (02h), Quad Page Program (32h), and the like. As described above, among the commands to the flash ROM 12, an access type that changes the data content, such as a delete or write command, is monitored. On the other hand, an access type in which the data content does not change, such as a read command, is not monitored.

<Example of Malicious App Behavior>
Next, with reference to FIG. 5, an example of a case where an unauthorized application operates in the configuration according to this embodiment will be described. FIG. 5 shows a state in which the application running on the RAM 15 has been tampered with for some reason and the unauthorized application 19 is running. In the present embodiment, tampering such as rewriting by removing the flash ROM from the substrate is not applicable because it has no effect of shortening the recovery time, and will not be described.

In general, unauthorized tampering involves giving unauthorized data to a network program or external I/F, causing an exception to occur such as overflowing the data area, and calling an unauthorized application during this exception. done. Therefore, most of the unauthorized applications are executed on the RAM 15 at the initial stage. When the unauthorized application is executed on the RAM 15, in the next step, the non-volatile memory such as flash ROM is tampered with so that the unauthorized application can be executed permanently, and an attempt is made so that the unauthorized application can be executed at the next startup. become.

<Processing procedure>
Next, with reference to FIG. 6, a processing procedure according to the present embodiment regarding how to monitor and restore when the flash ROM 12 is tampered with in the state of FIG. 5 will be described. The processing described below is processing by the falsification monitoring unit 11 . S601 to S607 are falsification monitoring processing, and S608 to S612 are automatic recovery processing.

When the information processing apparatus 1 is powered on, the tampering monitor 11 starts monitoring the SPI bus in S601. Subsequently, in S<b>602 , the tampering monitoring unit 11 releases the reset of the CPU 10 and boots the CPU 10 . The reset-released CPU 10 reads data from the SPI flash and executes boot processing.

Next, in S603, the tampering monitoring unit 11 determines whether the power has been turned off. If it is determined that the power is turned off, the process proceeds to S612, and if the power is on, the process proceeds to S604. In S604, the tampering monitor 11 determines whether the normal procedure flag 14 is 0 (zero). If it is 0, the process proceeds to S605, and if it is 1, the process returns to S603. On the other hand, if it is determined in S603 that the power is off, the process proceeds to S612, and the tampering monitoring unit 11 finishes monitoring the SPI bus.

In S<b>605 , the falsification monitoring unit 11 determines whether or not an Erase or Program command has been issued to the flash ROM 12 . If so, the process proceeds to S606; otherwise, the process returns to S603. In S606, the tampering monitoring unit 11 stores the command of S605 in the tampering time command 115 and the subsequently specified address in the tampering time address 113, and proceeds to S607.

In S<b>607 , the tampering monitoring unit 11 determines whether or not the address stored in the tampered address 113 is within the range of the monitored address 111 . If it is within the range, the process proceeds to S608, and if it is out of the range, the process returns to S603. In S608, the tampering monitoring unit 11 determines that the flash ROM 12 has been tampered with, temporarily resets the CPU 10, controls so that no further tampering is performed, and proceeds to S609.

In S609, the tampering monitoring unit 11 determines whether the tampering command is of the Erase type. If it is the Erase type, the process proceeds to S610, and if it is not the Erase type, the process proceeds to S611. In S610, the tampering monitoring unit 11 performs automatic recovery processing for Erase type tampering. Specifically, the tampering monitoring unit 11 reads the data corresponding to the erased block range from the boot ROM area 120 or the boot ROM recovery area 122 from the tampering address 113 and the tampering command 115, and erases the data. reprogram to the block that has been After the reprogramming is completed (automatic recovery processing is completed), the processing is returned to S602. Here, the block indicates a predetermined area which is a partial area of the flash ROM 12 including the tampered address 113 which is the accessed address. In this way, when the access type is erasing, one of the boot ROM area 120 and the boot ROM recovery area 122 is supported by the other of the boot ROM area 120 and the boot ROM recovery area 122. Read and write data to

On the other hand, in S611, the tampering monitoring unit 11 performs automatic recovery processing for program-based tampering. Specifically, the tampering monitoring unit 11 temporarily erases a block illegally programmed from the tampering address 113 and the tampering command 115 . After that, the data corresponding to the range is read from the boot ROM area 120 or the boot ROM recovery area 122, and the data is reprogrammed into the illegally programmed block. After the reprogramming is completed (automatic recovery processing is completed), the process returns to S602. Thus, when the access type is write, a partial area of either the boot ROM area 120 or the boot ROM recovery area 122 is created, and the other of the boot ROM area 120 or the boot ROM recovery area 122 responds. Read and write data to

<Processing sequence>
Next, with reference to FIG. 7, an example of a sequence when the flash ROM 12 is tampered with by the unauthorized application 19 while the tampering monitoring unit 11 is monitoring tampering will be described.

At time 1 in FIG. 7, the tampering monitoring unit 11 is in a state of monitoring tampering by executing the processes of S601 to S604 in the flowchart of FIG. In the monitoring target address 111, 1 MB from 0x00000000 to 0x000FFFFF and 1 MB from 0x00200000 to 0x002FFFFF, which are the address ranges of the boot ROM area 120 and the boot ROM recovery area 122, are set. Also, the normal procedure flag 14 is set to 0 (zero).

Assume that at time 2, the malicious application 19 issues a Page Program command (02h) to the SPI bus in order to alter the 256 bytes from 0x00000100 in the boot ROM area 120 of the flash ROM 12. FIG. In this case, the tampering monitoring unit 11 advances to S605 because the normal procedure flag is 0 in S604, and further advances to S606 to determine that the command is a program-based command in S605, and stores the command (02h) and the subsequently issued address. do.

After time 2, the unauthorized application 19 continues to access the address according to the clock of the SPI bus. A23:16=0x00, A15:08=0x01, and A07:00=0x00 specifying address 0x00000100 in the boot ROM area 120 are issued on the SPI bus. Subsequently, 256 bytes of data for falsification are issued on the SPI bus as Data Byte1 to Data Byte256. In this case, the falsification monitoring unit 11 determines whether or not the address issued on the SPI bus is within the range of the monitored address 111 according to the above S607.

At time 3, the tampering monitoring unit 11 waits until the SPI bus access issued at time 2 is completed because it cannot immediately be reset by the CPU 10 in S608.

At time 4, the SPI bus access issued at time 2 is completed. The tampering monitoring unit 11 resets the CPU 10 in S608, and proceeds to S609. Since the tampering command issued at time 2 was not of the Erase type in S609, the tampering monitoring unit 11 advances to S611 and starts the automatic recovery process. In S612, the falsification monitoring unit 11 issues a Read Status Reg (05h) command to determine whether the command to the flash ROM 12 has been completed, and checks whether it is BUSY.

At time 5, the tampering monitor 11 issues a Read Status Reg (05h) command to determine whether or not the command to the flash ROM 12 has been completed in the automatic restoration process of S611. Since NOT BUSY is returned here, it is confirmed that the command has been completed. The tampering monitoring unit 11 erases the area of the flash ROM 12 that has been tampered with by the unauthorized application 19 at time 2 using the Sector Erase command.

At time 6, the tampering monitoring unit 11 retrieves the recovery data from the boot ROM recovery area 122 because the address stored in the tampered address 113 is the address of the boot ROM area 120 in the automatic recovery process of S611. read out. At time 7, the tampering monitoring unit 11 uses the recovery data read at time 6 to reprogram and recover the boot ROM area that has been tampered with in the automatic recovery process of S611. At time 8, the tampering monitoring unit 11 returns the process to S602 because the automatic restoration process of S611 is completed, cancels the reset of the CPU 10, and boots the CPU 10. FIG.

<Time required for automatic recovery processing>
The time required for automatic recovery processing will be described below.

For example, as shown in FIG. 3, when it is unknown where in 1 MB of the boot ROM area 120 has been tampered with, the following time is required. It is assumed that the flash ROM 12 operates at 25 MHz (=1 cycle is 40 ns). In this case, 16 KB Block Erase commands (block erasing time of 2 seconds) are required 16 times (approximately 32 seconds) to erase 1 MB. In addition, Read Data commands (39 cycles=1560 ns) are required 1048576 times (approximately 1.6 seconds). Further, the reprogram processing requires 4096 times (approximately 1.5 seconds) of 256-byte Page Program commands (execution time of approximately 3.5 ms). Therefore, in total, the automatic restoration process takes about 35 seconds.

On the other hand, when the tampering monitoring unit 11 according to the present embodiment identifies the tampered area at the address level, the following time is required. For example, calculation is made for the case where the PageProgram command (256 bytes) is tampered with. In this case, a 4 KB Sector Erase command (sector erase time of 400 ms) is required for the Erase processing of 256 bytes. Also, the Read Data command (39 cycles) is required 256 times (approximately 0.5 ms). Furthermore, the re-program processing requires a 256-byte Page Program command (execution time of about 3.5 ms) once (=3.5 ms). Therefore, the sum total of these is 405 ms for automatic recovery processing. Also, the calculation is made for the case where the data is tampered with by the Sector Erase command (4 KB). In this case, the Read Data command (39 cycles) is required 4096 times (approximately 6.3 ms). The reprogram processing requires 16 times (=56 ms) of 256-byte Page Program commands (execution time is about 3.5 ms). Therefore, the sum total of these is 60 ms for automatic recovery processing.

In this way, if the tampered position is not specified at the address level, the automatic recovery process must be performed for the entire boot ROM area 120, and therefore recovery time of about 35 seconds is required. On the other hand, according to the present embodiment, since the tampered position is specified at the address level, it is possible to carry out restoration processing only for the relevant position. As a result, the recovery time is about 405 msec for the Program command and 60 ms for the Erase command, so that the recovery time can be greatly reduced.

As described above, the information processing apparatus according to the present embodiment includes a nonvolatile storage unit having a first area storing a program and a second area storing a recovery program for maintaining the program. . Further, the information processing apparatus includes a control section that executes the program stored in the nonvolatile storage section. This information processing apparatus monitors an access path to a nonvolatile storage unit, and according to information on an access type and an accessed address regarding access to a first area and a second area, a part of the first area or the second area. Execute automatic recovery processing to recover the contents. As described above, according to the present embodiment, the tampering monitoring unit 11 monitors tampering of the flash ROM 12, acquires the address and command at the time of tampering, and selects the minimum area including the address as the target of the automatic restoration process. can do. This makes it possible to minimize the time required for recovery processing.

In the above embodiments, the tampering monitoring of the SPI flash has been described as an example, but it goes without saying that other types of buses and non-volatile memories may also be used. Further, in the present embodiment, the normal procedure flag 14 and the tampering monitor 11 are configured separately from the CPU 10 . However, there is a possibility that an attacker aiming at falsification may imitate the procedure for updating the flash ROM 12 in a normal procedure while tapping (eavesdropping) the SPI bus 16 and SPI bus I17. Therefore, a configuration may be adopted in which the tampering monitoring unit 11 and the normal procedure flag 14 are included as a multi-chip package inside the package of the CPU (SoC) 10 so that they cannot be easily tapped.

<Second embodiment>
Below, the 2nd Embodiment of this invention is described. In the first embodiment, the normal procedure flag 14 is used to determine whether or not the data has been tampered with. In this case, if the normal procedure flag 14 is tampered with by an attacker, the flash ROM 12 may be tampered with. Therefore, in the present embodiment, an example is shown in which the normal procedure flag 14 is set only when the correct procedure according to the communication protocol of the firmware update application is passed.

<Setting procedure>
FIG. 8 shows the configuration of an information processing apparatus according to this embodiment. The same reference numerals are given to the same configurations as those of FIG. 1 described in the first embodiment, and the description thereof is omitted. As shown in FIG. 8, the procedure for setting the normal procedure flag 14 is different in the information processing apparatus 1 according to the present embodiment.

Firmware update in a normal procedure by the firmware update application will be described with reference to FIG. In the first embodiment, as shown in FIG. 2, the information processing apparatus 1 is restarted after setting the normal procedure flag 14 to 1 in S205. On the other hand, in the present embodiment, the normal procedure flag 14 is not set to 1 in S205, and the normal procedure flag 14 is set to 1 immediately before S210 by performing the following procedures 1 to 4 in order. have The example of FIG. 8 shows an example in which the CPU 10 functions as the hardware via a dedicated signal line 801 to the normal procedure flag 14 . However, the present invention is not limited to this, and for example, a setting unit that monitors the procedures 1 to 4 and sets the normal procedure flag 14 via a dedicated signal line may be separately provided as the hardware.

As a procedure 1, in S204, the information processing apparatus 1 receives and executes an operation to shift to the firmware update mode. Subsequently, as step 2, in S205, the information processing apparatus 1 does not set the normal procedure flag 14 to 1, and restarts so that only the firmware update application is executed. As procedure 3, the information processing apparatus 1 receives a firmware update start packet in S206. As procedure 4, the information processing apparatus 1 receives the firmware data transmission packet in S208. When the procedures 1 to 4 are normally performed, the CPU 10 sets the normal procedure flag 14 to 1 via the dedicated signal line 801 .

As described above, according to the present embodiment, when a predetermined procedure is performed, the value of the flag indicating that the predetermined procedure is being processed is sent to the flag via a dedicated signal line. It further comprises a setting unit for setting the The setting unit may be provided as the CPU 10 or may be provided as separate hardware. As a result, the normal procedure flag 14 is set via a dedicated signal line only when the correct procedure is performed by the firmware update application, and tampering with the normal procedure flag 14 by an attacker can be prevented. As an example of the procedure in which the above-described normal procedure flag is set, if the procedure is not easily guessed by an attacker, any of the normal update procedures, such as an operation between the information processing device 1 and the PC 2 or a communication packet, is used. It goes without saying that

<Other embodiments>
The present invention supplies a program that implements one or more functions of the above-described embodiments to a system or device via a network or a storage medium, and one or more processors in the computer of the system or device reads and executes the program. It can also be realized by processing to It can also be implemented by a circuit (for example, ASIC) that implements one or more functions.

The invention is not limited to the embodiments described above, and various modifications and variations are possible without departing from the spirit and scope of the invention. Accordingly, the claims are appended to make public the scope of the invention.

1: Information processing device, 2: PC, 3: External I/F cable, 4: NW cable, 5: Router, 6: Internet, 7: Website of provider of information processing device 1, 8: User, 10 : CPU (SoC), 11: Tampering monitor, 12: Flash ROM, 13: External I/F, 14: Normal procedure flag, 15, 25: RAM, 16, 17: SPI bus, 18: Memory I/F, 20: CPU, 22: HDD, 23: External I/F, 24: Downloaded firmware update application, 26: NW I/F

Claims (11)

An information processing device,
non-volatile storage means having a first area storing a program and a second area storing a recovery program for maintaining the program;
a control means for executing a program stored in the nonvolatile storage means;
monitoring the access path to the non-volatile storage means, and according to the information of the access type and the accessed address regarding the access to the first area and the second area, the contents of the part of the first area or the second area; and monitoring means for executing automatic restoration processing for restoring the information processing apparatus. 2. The information processing according to claim 1, wherein said monitoring means executes said automatic recovery processing when said first area or said second area is accessed by a procedure different from a predetermined procedure. Device. further comprising holding means for holding a value of a flag indicating that the process is being performed according to the predetermined procedure;
The monitoring means determines that the first area or the second area is accessed by a procedure different from the prescribed procedure when the flag does not indicate that the process is performed according to the prescribed procedure. 3. The information processing apparatus according to claim 2, characterized by: The apparatus further comprises setting means for setting a value of a flag, which indicates that the processing is performed according to the predetermined procedure, to the flag via a dedicated signal line when a predetermined procedure is performed. The information processing apparatus according to claim 3. 5. The information processing apparatus according to any one of claims 2 to 4, wherein said monitoring means executes said automatic recovery processing on a predetermined area including said accessed address. The monitoring means
means for storing the access type and information of the accessed address when the first area or the second area is accessed by a procedure different from the predetermined procedure;
6. The information processing apparatus according to any one of claims 2 to 5, further comprising means for executing said automatic recovery processing according to stored information when said access is terminated. 7. The information processing apparatus according to claim 1, wherein said access type is writing or erasing to said non-volatile storage means. In the automatic recovery process when the access type is write, data in a part of one of the first area and the second area is deleted, and the other of the first area and the second area is processed. 8. The information processing apparatus according to any one of claims 1 to 7, wherein the read data is read and the read data is written in the partial area. In the automatic recovery processing when the access type is erasure, for the deleted area of one of the first area and the second area, the other of the first area and the second area 9. The information processing apparatus according to any one of claims 1 to 8, wherein corresponding data is read and the read data is written in the partial area. 10. The information processing apparatus according to claim 1, wherein said access path is a bus for transmitting and receiving signals between said nonvolatile storage means and said control means. non-volatile storage means having a first area storing a program and a second area storing a recovery program for maintaining the program; and control means for executing the program stored in the non-volatile storage means. A method for monitoring an information processing device comprising
monitoring an access path to said non-volatile storage means;
and executing an automatic recovery process for recovering the contents of a part of the first area or the second area according to the access type and the accessed address information regarding the access to the first area and the second area. A monitoring method characterized by:

Images