JP4664055B2 - Program dividing device, program executing device, program dividing method, and program executing method - Google Patents

Description

  The present invention relates to a program dividing device, a program executing device, a program dividing method, and a program executing method.

  Conventionally, various techniques have been disclosed in order to protect a program running on a computer.

  For example, a program that handles important data such as keys, passwords, electronic values, etc. is prepared in advance by dividing it into parts that require protection (protection code) and other normal codes, and each of them is a protected environment and a normal environment. There is a technique for performing linked operation in two independent computer environments on a PC (see, for example, Patent Document 1). As an example of division, the program is divided into a part that wants to be protected from unauthorized operations related to license inspection and content decryption, and a part that is related to user interface processing. An example of use that makes it difficult to analyze and tamper with a viewing program is described. Before installation, the program that operates in the protected environment, the part that operates in the normal environment, the digital signature, and the program that operates in the normal environment depends on the communication method between the protected environment and the normal environment. Send installation instructions to the protected environment. On the protected environment side, if the digital code is used to confirm that the code is legitimate, installation is performed.

In this way, it is possible to provide a program execution environment that prevents the analysis and falsification of the portion of the program that runs on the computer that is desired to be protected and ensures safety.
JP 2002-251326 A

  However, as a first problem in the above prior art, when the normal code is falsified or the authority is taken, the normal code calls the function 2 by bypassing the function 1 that originally needs to be called in the protection code. There is a possibility that the program is executed by an illegal procedure such as

  Also, as the second issue, the program division criteria and execution location are fixed, so the code division criteria can be changed or the protection code execution location can be changed for different device types and different security requirements. Can not do it. For this reason, when the resources that can be used differ depending on the device type and the execution environment, the function included in the protection code may not be able to access the resources necessary in a certain protection environment. In this case, flexibility is required such that the function is included in normal code or executed in a protected environment on another device.

  Further, frequent calls from the normal code to the protection code cause an increase in load due to processing / communication delay and switching processing between the normal / protection computer environment. In order to balance performance and safety, it is desirable to determine the optimum code division criteria and start-up / introduction location according to the safety of the environment in which the program is operated and the security requirements of the user and the program provider. As a start-up / introduction place, a plurality of protection environments having different safety and performance can be used, such as a tamper resistant hardware protection environment on the same device, a software-based protection environment, and a protection environment on another device.

  Therefore, in view of the above problems, the present invention allows a program to be operated in two computer environments, a protected environment and a normal environment, to access appropriate resources, and to analyze and falsify the program without increasing the processing load. An object of the present invention is to provide a program dividing device, a program executing device, a program dividing method, and a program executing method capable of preventing leakage of secret data and illegal operations due to the capture of the data and ensuring safety.

  In order to achieve the above object, a first feature of the present invention is a program dividing apparatus that divides one program into protection code that requires execution in a protected execution environment and other normal code. (A) a source code analysis unit that inputs a policy that gives a rule for generating a divided code and gives a protection attribute to a function and a variable that require protection of the given source code; and (b) a source code analysis unit A protection code generation unit that generates a protection code including a function having a protection attribute using the analysis result of (c), and (c) a function and a protection code having no protection attribute using the analysis result of the source code analysis unit The gist of the present invention is that the program dividing apparatus includes a normal code generation unit that generates a normal code including a function that calls the function.

  According to the program dividing apparatus according to the first feature, the program source code is analyzed, and the program is divided into a protection code including a function and a variable that need to be protected and a normal code other than that according to a given policy. it can. Therefore, the program provider can divide the program by giving a code division standard according to its own policy, and an appropriate balance between security and performance can be achieved.

  The source code analysis unit of the program dividing device according to the first feature is the same as the source code input unit that inputs the source code of the program from the file system or the server device on the network and the device that inputs the source code. You may provide the policy input part which inputs a policy from the file system on another apparatus, or the server apparatus on a network.

  According to this program dividing apparatus, the source code and the policy can be acquired from the file system or the network. The program dividing device can acquire source code and policy from a remote server device to create a divided code, and can acquire and combine source code and policy from different server devices, so it can be dynamically generated at any time. In addition to generating split codes, it is also possible to generate split codes corresponding to different security policies such as service providers and users.

  The protection code generation unit of the program dividing apparatus according to the first feature uses a policy to generate a code for verifying the operation of at least one of the protection code and the normal code, and embeds the code in the protection code A verification code embedding unit may be provided.

  According to this program dividing apparatus, it is possible to embed a code for verifying the operation of the program itself including the protection code and the normal code in the protection code that operates in a protected environment according to a given policy. Therefore, it is possible to audit the operation of the entire program from a safe environment, and it is possible to detect and prevent unauthorized operation of an application such as bypassing a license check or unauthorized privileged operations (such as library / system call).

  In addition, the normal code generation unit of the program dividing apparatus according to the first feature includes a start control code embedding unit that generates a code for controlling the activation of the protection code using a policy and embeds the code in the protection code or the normal code. May be.

  According to this program dividing apparatus, it is possible to generate a code for controlling activation of a protection code according to a given policy and embed it in the protection code or the normal code. For this reason, the execution place of the protection code can be determined according to the policy, and appropriate security and performance can be achieved.

  In addition, the normal code generation unit of the program dividing apparatus according to the first feature may include an introduction control code embedding unit that generates a code for controlling the introduction of the protection code using a policy and embeds the code in the normal code .

  According to the program dividing apparatus, a code for controlling the introduction of the protection code can be generated and embedded in the protection code or the normal code according to a given policy. For this reason, it is possible to determine the installation location of the protection code according to the policy, and to achieve appropriate security and performance.

  The protection code generation unit and the normal code generation unit of the program dividing apparatus according to the first feature include a communication protection unit that incorporates at least one communication protection function of authentication, encryption, and tampering inspection into a communication function. May be provided.

  According to this program dividing apparatus, communication protection functions such as authentication, encryption, and signature can be added to the protection code and the normal code. For this reason, attacks such as wiretapping and tampering of communication between the protection code and the normal code can be prevented, and the program can be executed safely.

  A second feature of the present invention is a program execution device that provides a protection code that requests execution in a protected execution environment and an execution environment for a program that is divided into other normal codes. A multi-program execution environment management unit that isolates and controls two environments, a protection environment for the protection code and a normal environment for the normal code; and (b) protection code management that manages the introduction and activation of the protection code. And (c) a normal code management unit that manages the introduction and activation of normal codes.

  According to the program execution device according to the second feature, the means for introducing and starting the code divided into the code requiring protection and the other code in the protection environment and the normal environment, and the means for enabling mutual communication And two environmental isolation means. Therefore, it is possible to provide a safe execution environment for a program divided into code that requires protection and other code.

  In the program execution device according to the second feature, the protection environment and the normal environment may each be a virtual machine, and the multiple program execution environment management unit may be a virtual machine monitor that isolates and controls the virtual machine.

  According to this program execution device, in a virtual machine monitor-based device, a safe execution environment can be provided for a program divided into code that requires protection and other code.

  The protection code management unit of the program execution device according to the second feature executes a protection code in a protection environment when the signature verification unit verifies the digital signature of the protection code and when the signature verification by the signature verification unit is successful A protection introduction unit that can be incorporated and a protection activation unit that activates the protection code when the verification of the integrity of the protection code is successful may be provided.

  According to this program execution device, the integrity of the code that requires protection is verified and can be activated only when it is successful. Also, in a protected environment, the code signature can be verified before installation. For this reason, it is possible to avoid the danger of introducing untrusted code or executing altered code and maintain safe program protection environment execution.

  Further, the multiple program execution environment management unit of the program execution device according to the second feature may include an inter-environment communication control unit that provides a protection means for safely communicating the protection code and the normal code.

  According to this program execution apparatus, it is possible to prevent communication spoofing, falsification, and eavesdropping, and to prevent leakage of confidential information and processing inconsistency during program execution.

  In addition, the multiple program execution environment management unit of the program execution device according to the second feature may include an inter-environment monitoring control unit in which the protection code acquires and verifies the operation or state of the normal code.

  According to this program execution device, the protection code existing in a safe environment can audit the operation of the entire program including the protection code and normal code, bypassing the license check and unauthorized privileged operations (libraries / system calls, etc.) It can detect and prevent unauthorized operations such as execution.

  A third feature of the present invention is a program dividing method for dividing one program into a protection code that requests execution in a protected execution environment and other normal code, and (a) A step of inputting a policy that gives a rule for generation and assigning a protection attribute to a function and a variable that require protection of the given source code; and (b) including a function having a protection attribute using the analysis result A program dividing method including a step of generating a protection code, and (c) generating a normal code including a function that has no protection attribute and a function that calls a function of the protection code by using an analysis result. The gist.

  According to the program dividing method according to the third feature, the program source code is analyzed, and the program is divided into a protection code including a function and a variable that need protection and a normal code other than that according to a given policy. it can. Therefore, the program provider can divide the program by giving a code division standard according to its own policy, and an appropriate balance between security and performance can be achieved.

  A fourth feature of the present invention is a program execution method for providing a protection code that requests execution in a protected execution environment and an execution environment for a program that is divided into other normal codes. A step of isolating and controlling two environments, a protection environment for the protection code and a normal environment for the normal code; (b) a step of managing the introduction and activation of the protection code; and (c) a normal code. And a step of managing the introduction and activation of the program.

  According to the program execution method according to the fourth feature, it is possible to provide a safe execution environment for a program divided into a code requiring protection and a code other than that.

  According to the present invention, it is possible to operate a program in two computer environments, that is, a protected environment and a normal environment, to access appropriate resources, and to leak confidential data by analyzing and falsifying the program and acquiring authority without increasing the processing load. In addition, it is possible to provide a program dividing device, a program executing device, a program dividing method, and a program executing method that can prevent an illegal operation and ensure safety.

  Next, embodiments of the present invention will be described with reference to the drawings. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals. However, it should be noted that the drawings are schematic.

<First Embodiment>
(Program dividing device)
The program dividing apparatus according to the first embodiment divides one program into protected code that requests execution in a protected execution environment and other normal code.

  As shown in FIG. 1, the program dividing apparatus according to the first embodiment includes a source code analysis unit 110, a protection code generation unit 130, a normal code generation unit 140, and a control unit 120 that controls them. Prepare. Further, the source code analysis unit 110 includes a source code input unit 111 and a policy input unit 112, and the protection code generation unit 130 includes a self-verification code embedding unit 131 and a communication protection unit 132, and a normal code generation unit 140. Includes an activation control code embedding unit 141, an introduction control code embedding unit 142, and a communication protection unit 143.

{Source code analysis part}
The source code analysis unit 110 inputs a policy that gives a rule for generating a divided code, and gives a protection attribute to a function and a variable that need to be protected in the given source code. Specific examples of source code and policy will be described below, and then analysis and protection attribute assignment procedures will be described.

  The source code input unit 111 inputs a source code of a program from a file system or a network, and prepares for subsequent analysis or code generation. The program may be any language such as C language, C ++ language, Java language, etc., but is assumed to be a function call or use of a variable. In addition, the programmer may annotate the part that needs protection.

  As a specific example, FIG. 2 shows a part of the original source code of a music reproduction program that handles copyrighted music. The function declaration, its body, error handling, etc. are omitted for simplicity. The OnPlayButton function of this source code is called when a user requests playback of a song (ID is music_id), creates a record name corresponding to the song with the MakeRecordName function, and uses the SimReadRecord function to license the record name Information is acquired from a tamper resistant module called SIM. Then, the license information is accessed by the DrmCheckValid function, and if the playback period of the song is specified, it is checked whether it is a valid playback period. If playback is possible, the number of playbacks is counted for charging by the AddPlayCount function and written to the corresponding record in the SIM. Then, the decryption key of the encrypted music file is acquired from the license information by the DrmGetKey function, and the music is decrypted by the DecryptSong function. Finally, the data decoded by the OutputMusic function is output to the speaker through a sound driver or the like.

  The policy input unit 112 inputs a policy related to generation of a divided code from a file system or a network, and prepares for subsequent analysis or code generation. FIG. 3 shows two specific examples of policies. Here, the policy consists of <sensitive> and <insensitive> parts that specify split criteria, <verification> parts that estimate verification rules, and <launch> and <install> parts that specify launch and installation locations. It is supposed to be. In addition to these, an instruction or instruction for controlling code division, such as a target device type or a compiler to be used in code generation, may be given to the policy. In this specific example, description in XML is shown, but other description methods may be used.

  In Policy 1 (Policy 1), a <sensitive> tag is assigned to the SimReadRecord function as a function to be included in the protection environment in the division. And as a rule of verification, before the DrmGetKey function to obtain the key to decrypt the song, the DrmCheckValid function for license check is executed with the same argument as the target function (DrmGetKey function), and the return value is TRUE. It is specified that it is normal that the AddPlayCount function for counting the number of playbacks is executed. The <action> tag specifies that the DrmGetKey function call should be rejected (REJECT) if this condition is not satisfied. Here, we gave a verification rule that a specific function was executed before the execution of a function, but in addition, the call argument is within the expected value range, and the number of calls per unit time is A verification rule such as being below a specified threshold is conceivable. In addition, this policy specifies that the protection code (specified by the <monitor> tag) is to be installed and activated in a protected environment on the same device represented by the name securevm.mydevice.mydomain. .

  On the other hand, in policy 2 (Policy 2), an <insentive> tag is assigned so that the OutputMusic function is included in the normal environment in code division. This assumes that the sound driver is not available in the protected environment, or that the protected environment and the normal environment are physically separated into separate devices and you want to output music on the normal environment device. . The protection code is specified to be installed and activated in the protection environment on the same device represented by the name myhandset.mydomain. The verification rule is omitted because it is the same as policy 1.

  FIG. 4 shows a specific example of the analysis result of the source code output from the source code analysis unit based on the specific example of the source code and policy described above. In the policy, the licenseinfo argument of the SimReadRecord function and the return value of the DrmGetKey function are given the modifier $ sensitive. This propagation is analyzed, and the protection attribute is also given to the DrmCheckValid function, DrmAddPlayCount function, and DrmGetKey function that take licenseinfo as an argument, and the prefix sensitive_ is given. Furthermore, the protection attribute is also given to the DecryptSong function from the propagation of the variable key which is the return value of the DrmGetKey function. In this way, protection attributes are assigned to functions and variables that need to be protected in a given source code.

{Normal code generator}
The normal code generation unit 140 generates a normal code including a function that has no protection attribute and a function that calls a function of the protection code, using the analysis result of the source code analysis unit 110.

  Specifically, the normal code generation unit 140 uses the source code analysis result to replace the function call with the protection attribute with a wrapper function that calls the corresponding function in the protection code, and the protection attribute is given. After replacing the generated variable as the index of the corresponding variable in the protection code, normal code is generated by compiling and linking. The name of the wrapper function or variable to be replaced may be the source code analysis result as it is like sensitive_SimReadRecord or sensitive_licenseinfo, or may be another name. The wrapper function internally calls the corresponding function in the protection code via RPC (Remote Procedure Call) or shared memory, receives the return value, and gives it to the caller of the wrapper function. When a protection attribute is given to an argument given at the time of calling, the protection code is given an index value to the entity of the variable, and the protection code converts the index value to the entity. Even when a protection attribute is added to the return value, the return value received by the wrapper function is an index value. The wrapper function may be prepared in advance by a developer or may be dynamically generated.

  The activation control code embedding unit 141 generates a code for controlling activation of the protection code using a policy and embeds it in the normal code. In the case of policy 1, a code for starting a protection code in the protection environment on the same device is embedded, and in the case of policy 2, a code for starting a protection code on the mobile phone is embedded. In the specific example shown in FIG. 4, StartMonitor () corresponds to this activation code.

  The introduction control code embedding unit 142 generates a code for controlling the introduction of the protection code using a policy, and embeds the code in the normal code. In the case of policy 1, a code for introducing a protection code is embedded in the protection environment on the same device. In the case of policy 2, a code for introducing a protection code is embedded in the protection environment in the mobile phone. In the specific example shown in FIG. 4, the call to InstallMonitor () corresponds to this introduction code.

  The communication protection unit 143 incorporates at least one communication protection function of authentication, encryption, and tampering inspection into a communication mechanism for calling a function corresponding to a protection code by the wrapper function and receiving a return value. Is. For example, a secret key is shared in advance between the protection code and the normal code, authentication is performed using a challenge response protocol, and data is encrypted using the exchanged session key. Further, the use of MAC (Message Authentication Code) checks for tampering during communication.

{Protection code generator}
The protection code generation unit 130 generates a protection code including a function having a protection attribute using the analysis result of the source code analysis unit 110.

  Specifically, the protection code generation unit 130 uses a source code analysis result, a wrapper function that internally calls a function with a protection attribute, a communication unit that receives and processes a call from a normal code, Including a variable management unit that manages variables that need to be protected, and generates a protection code. FIG. 5 shows a specific example of the protection code when the policy 1 is applied. In the communication part, for example, the part that accepts a call from normal code (ReceiveRpc line in main ()), the part that restores the entity from the index of the argument given by the normal code (RestoreArg line), the call and arguments, the return value A part for saving history (CallLog line) and a part for dispatching calls to wrapper functions (Dispatch line) are included. The wrapper functions include monitor_SimReadRecord and monitor_DrmCheckValid functions corresponding to the SimReadRecord, DrmCheckValid, DrmAddPlayCount, DrmGetKey, and DecryptSong functions to which the protection attribute is assigned. The wrap function internally calls actual functions such as SimReadRecord and DrmCheckValid using the argument restored from the index, and returns the return value to the calling normal code. However, when a protection attribute is given to the return value, the return value is held together with the index value by the variable management unit, and the index is returned to the normal code. FIG. 6 shows a specific example of a table held by the variable management unit. Licenseinfo as a variable that needs to be protected and key as a return value that needs to be protected are held by the variable management unit of the monitor and are accessed by the indexes 101 and 102.

  The self-verification code embedding unit 131 generates a code for verifying the operation of the program using a policy and embeds it in the protection code. In the specific example of FIG. 5, the policy is checked by calling the CheckPolicy function in main (). In the case of policy 1, when the DrmGetKey function that obtains the key to decrypt a song is called, the DrmCheckValid function is executed with the same arguments as the DrmGetKey function, the return value is TRUE, and the playback count is counted. Check that the AddPlayCount function is executed, and if this condition is not met, block the call to the DrmCheckValid function. For example, as shown in FIG. 7, these policy checks can be realized by storing a history of calls, arguments, and return values in a protection code in a table format and searching this table.

  Similar to the normal code, the communication protection unit 132 incorporates at least one communication protection function of authentication, encryption, and tampering inspection into the protection code. These protection functions are added to the part that receives the call from the normal code and returns the value returned to the normal code by the communication unit or wrapper function to be processed.

  The program dividing apparatus 100 has a processing control unit (CPU) and is configured to be executed by the CPU with the above-described source code analysis unit 110, protection code generation unit 130, normal code generation unit 140, and the like as modules. Can do. These modules can be realized by executing a dedicated program for using a predetermined program language in a general-purpose computer such as a personal computer.

  Although not shown, the program dividing apparatus 100 may include a program holding unit that stores a program for causing the CPU to execute source code analysis processing, protection code generation processing, normal code generation processing, and the like. The program holding unit is a recording medium such as a RAM, a ROM, a hard disk, a flexible disk, a compact disk, an IC chip, and a cassette tape. According to such a recording medium, it is possible to easily store, transport, and sell programs.

(Program division method)
Next, the program dividing method according to the first embodiment will be described with reference to FIG. The present method is activated with an input from a user or an input from an external device as a trigger.

  First, in step S101, source code is input, and in step S102, a policy is input. Next, in step S103, the source code analysis unit 110 analyzes the source code and propagates the protection attribute given by the policy to related functions and variables.

  Next, in step S104 and step S105, a normal code and a protection code are generated using the source code of the analysis result in step S103. Steps S104 and S105 will be described in detail later.

  Next, in step S106, the normal code and the protection code are packaged, and in step S107, a digital signature and a certificate are added to the package. At that time, encryption or compression may be performed in order to prevent reverse engineering or reduce the amount of data.

  The normal code generation method shown in step S104 of FIG. 8 will be described with reference to FIG.

  First, in step S201, a function / variable with a protection attribute in the source code of the analysis result is replaced with a wrapper function and an index variable, respectively.

  Next, in step S202 and step S203, the activation code and the introduction code are embedded in the source code in accordance with the activation place and introduction place of the protection code designated by the policy.

  In step S204, the source code is compiled, and in step S205, an executable normal code is generated by linking a communication library for calling a function of the protection code.

  Although not shown, a digital signature or certificate may be added to the normal code, or encryption or compression may be performed to prevent reverse engineering or reduce the amount of data.

  Next, the protection code generation method shown in step S105 of FIG. 8 will be described with reference to FIG.

  First, in step S301, a function / variable with a protection attribute is extracted from the analysis source code. Then, a communication unit that processes a call from the normal code, a code of a variable management unit that manages a variable that needs to be protected, and a wrapper function corresponding to each function of the protection attribute are generated. The wrapper function is created to call the actual function internally and return an index variable if the return value has a protection attribute.

  Next, in step S302, the self-verification code embedding unit 131 generates a code for verifying the operation of the program using the policy, and embeds it in the protection code.

  Next, in step S303, the source code is compiled, and in step S304, a communication library or the like is linked to generate an executable protection code.

  Next, in step S306, a digital signature and a certificate are added to the protection code. At that time, encryption or compression may be performed in order to prevent reverse engineering or reduce the amount of data (step S305).

(Program execution device)
The program execution device according to the first embodiment provides an execution environment for a program divided into a code that requires protection (protection code) and other normal code.

  As shown in FIG. 11, the program execution device according to the first exemplary embodiment includes a multiple program execution environment management unit 230, a protection code management unit 212, and a normal code management unit 222. Further, the multiple program execution environment management unit 230 includes an inter-environment communication control unit 232 and an inter-environment monitoring control unit 231, and the protection code management unit 212 includes a signature verification unit 215, a protection activation unit 213, and protection introduction. Part 214.

{Multiple Program Execution Environment Management Department}
The multiple program execution environment management unit 230 isolates and controls two or more execution environments, that is, a protection environment 210 for executing protection code and a normal environment 220 for executing normal code. There are no restrictions on the means for implementing the execution environment, and in implementing the multiple program execution environment management unit 230, a plurality of execution environments at the virtual machine level may be managed using the technology of the virtual machine monitor, or the process level may be controlled by the operating system. A plurality of execution environments may be managed. Furthermore, a plurality of execution environments on a plurality of devices may be managed using middleware for a distributed system. In the first embodiment, it is assumed that the protection environment 210 and the normal environment 220 are virtual machines, and the multiple program execution environment management unit 230 is a virtual machine monitor that isolates and controls virtual machines.

  The inter-environment communication control unit 232 provides means for safely communicating the protection code and the normal code. For example, the inter-environment communication control unit 232 manages key assignment and gives a shared key in accordance with a request from a protection code and a normal code, thereby authenticating by a challenge response protocol, encrypting data using an exchanged session key, MAC Check for tampering during communication due to the use of (Message Authentication Code).

  The inter-environment monitoring control unit 231 acquires and verifies the operation or state of the normal code by the code requesting protection. For example, it is possible to acquire normal code system calls, machine language level execution sequences, execution code text segments, data segments, memory states such as heaps and stacks.

{Protection code management department}
The protection code management unit 212 manages the introduction and activation of codes that require protection.

  The signature verification unit 215 verifies the digital signature and certificate assigned to the protection code. The digital signature algorithm may be any of RSA, El Gamal, DSA, and Rabin methods. The certificate may be in any format such as X.509 certificate format.

  The protection introduction unit 214 incorporates the protection code so that it can be executed in the protection environment only when the signature and the certificate are successfully verified. During installation, if the protection code is encrypted or compressed, it will be decrypted and decompressed, and the necessary files will be copied to the file system in the protected environment, and environment variables and configuration files will be set. . Further, the hash value of the protection code is calculated using a hash function such as SHA1, and stored as a normal hash value in the protection code management unit. When the verification fails, a response indicating the verification failure may be returned to the request source for introducing the protection code, or the processing may be interrupted without returning the response.

  The protection activation unit 213 verifies the integrity of the protection code, and activates when the verification is successful. The integrity can be verified by calculating the hash value of the executable file of the protection code and comparing it with the normal hash value held by the protection code management unit. When the verification fails, a response indicating the verification failure may be returned to the request source for starting the protection code, or the processing may be interrupted without returning the response.

{Normal code management department}
The normal code management unit 222 manages the introduction and activation of normal codes that do not require protection. In the installation procedure, necessary files are copied to the file system in the normal environment, and environment variables and setting files are set. At this time, like the protection code management unit, the signature may be verified to determine whether or not to install, or a normal hash value of the normal code may be calculated and held. In the activation procedure, the executable file of the normal code is activated in accordance with an input from the user or an external device. At this time, the activation process may be performed after the integrity is verified as in the protection code management unit.

  The program execution device 200 includes a processing control device (CPU) and is configured to be executed by the CPU using the above-described multiple program execution environment management unit 230, protection code management unit 212, normal code management unit 222, and the like as modules. can do. These modules can be realized by executing a dedicated program for using a predetermined program language in a general-purpose computer such as a personal computer.

  Although not shown, the program execution device 200 may include a program holding unit that stores a program for causing the CPU to execute a multiple program execution environment management process, a protection code management process, a normal code management process, and the like. . The program holding unit is a recording medium such as a RAM, a ROM, a hard disk, a flexible disk, a compact disk, an IC chip, and a cassette tape. According to such a recording medium, it is possible to easily store, transport, and sell programs.

(Program execution method)
Next, a program execution method according to the first embodiment will be described with reference to FIGS.

{Protection code installation procedure}
A method for introducing a protection code will be described with reference to FIG.

  First, the user acquires a package in which the protection code and the normal code are bundled on the normal environment of the device through downloading from a server device on the network or a storage medium such as a CD-ROM. Then, the normal code is taken out from the package and introduced into the normal environment. The normal code is introduced by the normal code management unit, the normal code itself, or an external installer program, and the file is copied to a specific location or an environment variable or a setting file is set. After completing the introduction of the normal code, the normal code management unit or the normal code itself issues a protection code introduction request to the protection code management unit. From here, the introduction procedure of the protection code of FIG. 10 is started.

  First, in step S401, the protection code management unit 212 receives a normal code or a protection code introduction request from a user. In step S402, the signature and certificate of the protection code file are verified. The protection code file is given through a file system or communication. For example, the normal code may call the protection code management unit to establish a communication channel and transfer the binary data of the protection code, or the normal code provides the protection code file in the normal environment by the OS or the virtual machine monitor The file may be copied to a protected environment by means of file copying.

  If the verification of the signature and certificate is successful in step S403, the process proceeds to step S404, and when the protection code is introduced, if the protection code is encrypted or compressed, decryption or decompression is performed. In step S405, necessary files are copied to the file system in the protected environment, and environment variables and setting files are set. In step S406, the hash value of the protection code is calculated using a hash function such as SHA1 and stored in the protection code management unit as a normal hash value.

  On the other hand, if the verification fails in step S403, the process proceeds to step S407, and a response indicating the verification failure is returned to the protection code introduction request source.

{Protection code activation procedure}
A protection code activation method will be described with reference to FIG. This procedure is started when triggered by a normal code or a protection code activation request from the user.

  First, in step S501, the protection code management unit 212 receives a normal code or a protection code activation request from a user. In step S502, a hash value of the protection code is calculated and compared with a normal hash value held by the protection code management unit.

  In step S503, if the verification is successful, the process proceeds to step S504 to activate the protection code.

  On the other hand, if the verification fails in step S503, the process proceeds to step S505, and a response indicating the verification failure is returned to the activation source of the protection code.

{Function call procedure for protection code from normal code}
A method of calling a function that requires protection in the protection code from the normal code will be described with reference to FIG.

  First, in step S601, a function included in a protection code in a normal code is called through a wrap function. Then, in step S602, the protection code accepts a call from the normal code, and in step S603, authentication and tampering are inspected to check whether the call is valid.

  If it is determined in step S603 that it is not valid, the process proceeds to step S612, and a call rejection is responded to the normal code.

  On the other hand, if it is determined in step S603 that it is valid, the process advances to step S604. If an index variable indicating a protected variable is given in the call argument, the actual argument is extracted from the variable management table.

  Next, in step S605, the self-verification code embedded in the protection code checks whether the call from the normal code conforms to the policy. Here, a specific example of the self-verification policy check will be described using the self-verification policy shown in FIG. 3 and a history example of calls from the normal code x and the normal code y shown in FIG. In accordance with the self-verification policy shown in FIG. 3, when the DrmGetKey function is called, the protection code is executed with the same argument as the DrmGetKey function, the return value is TRUE, and the playback count is counted. Check that the AddPlayCount function is executed. In the case of the normal code x, since this verification rule is satisfied, the self-verification policy check succeeds (step S606 → step S607). However, when the normal code y is called, neither the DrmCheckValid function nor the AddPlayCount function is executed before the DrmGetKey function. Therefore, the verification rule is not satisfied, and the protection code refuses to call the DrmGetKey function (step S606 → step S612).

  Next, in step S607, the protection code holds the function name and argument of the call, the return value, and the time stamp when the call is accepted as a history. This history is used in the verification of the self-validation policy.

  In step S608, a wrapper function in the protection code is called based on the restored argument. In step S609, actual functions such as SimReadRecord and DrmCheckValid are called in the wrapper function, and a return value is created in step S610. In step S610, the return value is returned to the normal code. However, when a protection attribute is assigned to the return value, the return value is stored with an index in the variable management table, and the index is returned to the normal code.

(Action and effect)
The program dividing apparatus 100 according to the first embodiment can divide a program into a protection code including a function and a variable that need protection and a normal code other than that according to a given policy. Therefore, the program provider can divide the program by giving a code division standard according to its own policy, and an appropriate balance between security and performance can be achieved.

  In addition, since the source code analysis unit 110 of the program dividing apparatus 100 according to the first embodiment includes the source code input unit 111 and the policy input unit 112, the source code and the policy are acquired from the file system or the network. be able to. The program dividing device can acquire source code and policy from a remote server device to create a divided code, and can acquire and combine source code and policy from different server devices, so it can be dynamically generated at any time. In addition to generating split codes, it is also possible to generate split codes corresponding to different security policies such as service providers and users.

  Further, since the protection code generation unit 130 of the program dividing apparatus 100 according to the first embodiment includes the self-verification code embedding unit 131, the protection code that operates in the protected environment according to the given policy is protected. It is possible to embed a code for verifying the operation of the program itself including the code and the normal code. Therefore, it is possible to audit the operation of the entire program from a safe environment, and it is possible to detect and prevent unauthorized operation of an application such as bypassing a license check or unauthorized privileged operations (such as library / system call).

  Moreover, since the normal code generation unit 140 of the program dividing apparatus according to the first embodiment includes the activation control code embedding unit 141, the normal code generation unit 140 generates a code for controlling activation of the protection code according to a given policy. Or it can be embedded in normal code. For this reason, the execution place of the protection code can be determined according to the policy, and appropriate security and performance can be achieved.

  Further, since the normal code generation unit 140 of the program dividing apparatus 100 according to the first embodiment includes the introduction control code embedding unit 142, the normal code generation unit 140 generates a code for controlling the introduction of the protection code according to a given policy, It can be embedded in a protection code or a normal code. For this reason, it is possible to determine the installation location of the protection code according to the policy, and to achieve appropriate security and performance.

  Further, since the protection code generation unit 130 and the normal code generation unit 140 of the program dividing apparatus 100 according to the first embodiment include the communication protection units 132 and 143, respectively, the protection code and the normal code are authenticated and encrypted. Communication protection functions such as signatures can be added. For this reason, attacks such as wiretapping and tampering of communication between the protection code and the normal code can be prevented, and the program can be executed safely.

  The program execution device according to the first embodiment enables mutual communication with means for introducing and starting a code that is required to be protected and a program divided into other codes in the protected environment and the normal environment. And remote means of two environments can be provided. Therefore, it is possible to provide a safe execution environment for a program divided into code that requires protection and other code.

  In the program execution device 200 according to the first embodiment, the protection environment and the normal environment are each a virtual machine, and the multiple program execution environment management unit 230 is a virtual machine monitor that isolates and controls a virtual machine. . Therefore, in a virtual machine monitor-based device, it is possible to provide a safe execution environment for a program divided into code that requires protection and other code.

  Further, the protection code management unit 212 of the program execution device 200 according to the first embodiment includes a signature verification unit 215 that verifies the digital signature of the protection code, and a protection code when the signature verification unit succeeds in verifying the signature. Is installed in a protected environment so as to be executable in a protected environment, and a protection activation unit 213 that activates the protection code when the integrity of the protection code is successfully verified. It can be activated only when it has been verified and complete. Also, in a protected environment, the code signature can be verified before installation. For this reason, it is possible to avoid the danger of introducing untrusted code or executing altered code and maintain safe program protection environment execution.

  In addition, the multiple program execution environment management unit 230 of the execution device 200 according to the first embodiment includes the inter-environment communication control unit 232 that provides a protection unit for safely communicating the protection code and the normal code. Communication spoofing, falsification, and eavesdropping can be prevented, and leakage of confidential information and processing inconsistencies during program execution can be prevented.

  In addition, since the multiple code execution environment management unit 230 of the program execution device 200 according to the first embodiment includes the inter-environment monitoring control unit 231 that acquires and verifies the operation or state of the normal code, Protection code that exists in a safe environment can audit the operation of the entire program including protection code and normal code, and detect illegal operation of apps such as bypassing license checks and unauthorized privileged operations (library / system calls, etc.) Can be prevented.

  As described above, according to the program dividing apparatus and the program execution apparatus according to the first embodiment, the protection code itself in the safe environment can audit the program operation, and the illegal operation of the program due to the deprivation of authority or the alteration (license inspection). Can be detected and prevented). Program providers and users can specify code division criteria and protection code execution locations (secure virtual machines, portable devices, tamper-resistant chips, etc.), and programs can be executed in accordance with various device environments and different security policies. It can be executed safely.

<Second Embodiment>
In the first embodiment, the program divided between the protection environment and the normal environment on the same device is operated. However, in the second embodiment, the protection environment and the normal environment existing on different devices are used. The protection code and the normal code are executed in a coordinated manner. Here, it is assumed that a divided program is operated between a protected environment on the user's portable device and a normal environment on a peripheral device such as a laptop PC or information appliance.

  As shown in FIG. 15, in the program execution apparatus according to the second embodiment, the protection environment 210 and the normal environment 220 are physically arranged on different devices, and the multiple program execution environment management units 230a and 230b are arranged. Are located on both devices and cooperate to isolate and control the execution environment.

  In order to divide and execute the program into the protected environment and the normal environment existing on the different devices, the policy dividing unit shown in FIG. 3 is passed to the program dividing apparatus to generate the normal code and the protection code. This policy generates a normal code that runs on the peripheral device and a protection code that runs on the mobile device. The normal code includes an introduction code that introduces the protection code on the mobile device and a protection code on the mobile device. The activation code that activates is embedded. As in the first embodiment, the protection code is introduced according to the procedure of FIG. 12, but the difference from the first embodiment is that the request from the normal code to the protection code management unit is different between the peripheral device and the portable device. It is a point that goes through the communication path between.

  According to the program execution device 200 according to the second embodiment, even if the protection environment and the normal environment exist on different devices, the protection code and the normal code can be executed in cooperation between the protection environment and the normal environment. it can.

<Third Embodiment>
As a third embodiment, a case where a tamper resistant hardware for protecting internal secret data and important processing against attacks such as eavesdropping and tampering from the outside is incorporated in the program execution device will be described. To do. Tamper resistant hardware is implemented using smart cards (IC cards) such as SIM (Subscriber Information Module) and TPM (Trusted Platform Module) whose specifications are defined by Trusted Computing Group (www.trustedcomputing), for example. be able to.

  The difference from the first embodiment is that a tamper resistant protection environment has been added. Therefore, the program dividing apparatus 100 divides the protection code, the normal code, and the tamper resistant protection code into three parts, and the program execution apparatus. The difference is that it is divided into a protection environment, a normal environment, and a tamper resistant protection environment.

  In the program dividing apparatus according to the third embodiment, as shown in FIG. 16, a tamper resistant protection code generation unit 133 is added to the protection code generation unit 130. The tamper resistant protection code generation unit 133 generates a code that can be executed in a tamper resistant protection environment, and can be called from the protection code. Just like the code that controls the activation and introduction of the protection code, the code that controls the activation and introduction of the tamper-resistant protection code may be incorporated into the protection code. A verification code may be incorporated.

  Since functions other than the tamper resistant protection code generation unit 133 are the same as those in the first embodiment, description thereof is omitted here.

  The program execution device 200 according to the third embodiment includes a tamper resistant protection environment 240 as shown in FIG. The tamper resistant protection code generated by the program dividing apparatus 100 is executed in this tamper resistant protected environment. Similar to the introduction and activation procedure of the protection code of the first embodiment, whether or not introduction or activation can be performed may be determined by verifying the signature or hash.

  Since it is the same as that of 1st Embodiment except providing the tamper resistant protection environment 240, description is abbreviate | omitted here.

  According to the program dividing apparatus 100 and the program execution apparatus 200 according to the third embodiment, in order to divide into a tamper-resistant protected environment in addition to a protected environment and a normal environment, it supports various device environments and different security policies. The program can be executed more safely.

It is a block diagram of the configuration of the program dividing apparatus according to the first embodiment. It is an example of the source code which the program division | segmentation apparatus concerning 1st Embodiment inputs. It is an example of the policy which the program division | segmentation apparatus concerning 1st Embodiment inputs. It is an example of the normal code which the program dividing device concerning a 1st embodiment generates. It is an example of the protection code which the program dividing device concerning a 1st embodiment generates. It is an example of the variable management table which the protection code which concerns on 1st Embodiment manages. It is an example of the log | history of the call which the protection code which concerns on 1st Embodiment hold | maintains. It is a flowchart which shows the program division | segmentation method concerning 1st Embodiment. It is a flowchart which shows the detail of step S104 of FIG. It is a flowchart which shows the detail of step S105 of FIG. 1 is a configuration block diagram of a program execution device according to a first embodiment. FIG. It is a flowchart which shows the introduction method of the protection code which concerns on 1st Embodiment. It is a flowchart which shows the starting method of the protection code which concerns on 1st Embodiment. It is a flowchart which shows the method of calling the function in the protection code which concerns on 1st Embodiment. It is a block diagram of a configuration of a program execution device according to a second embodiment. It is a block diagram of the configuration of the program dividing apparatus according to the third embodiment. It is a block diagram of a configuration of a program execution device according to a third embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... Program division | segmentation apparatus 110 ... Source code analysis part 111 ... Source code input part 112 ... Policy input part 120 ... Control part 130 ... Protection code generation part 131 ... Self-verification code embedding part 132 ... Communication protection part 133 ... Tamper-proof protection code Generating unit 140 ... Normal code generating unit 141 ... Startup control code embedding unit 142 ... Installation control code embedding unit 143 ... Communication protection unit 200 ... Program execution device 210 ... Protected environment 212 ... Protected code management unit 213 ... Protection starting unit 214 ... Protection Introduction unit 215 ... Signature verification unit 220 ... Normal environment 222 ... Normal code management unit 230 ... Multiple program execution environment management unit 231 ... Inter-environment monitoring control unit 232 ... Inter-environment communication control unit 240 ... Tamper resistant protection environment

Claims (12)

A program dividing apparatus that divides one program into protection code that requests execution in a protected execution environment and other normal code,
A source code analysis unit that inputs a policy that gives rules for generation of a divided code from a file system or a network, and assigns a protection attribute to a function and a variable that require protection of the given source code;
A protection code generating unit for generating the protection code that contains functions which the protection attribute is granted me by the source code analyzer,
And a normal code generation unit for generating the normal code comprising function that calls the function of the source code analyzer function and the protective code the protection attribute is not granted me by the,
The protection code generation unit includes a wrapper function that internally calls the function to which the protection attribute is assigned, a communication unit that receives and processes a call from the normal code, and a variable management unit that manages a variable that needs protection. Generating said protection code comprising:
The normal code generation unit replaces the call of the function assigned the protection attribute with a wrapper function that calls the corresponding function in the protection code, and the variable assigned the protection attribute corresponds to the correspondence in the protection code. The program dividing apparatus, characterized in that the normal code is generated by replacing it as an index of a variable to be performed. The source code analysis unit
A source code input section for inputting a program source code from the server device on the file system or network,
The program dividing apparatus according to claim 1, further comprising: a policy input unit that inputs a policy from a file system on a device that is the same as or different from the device that has input the source code, or a server device on the network.   The protection code generation unit includes a self-verification code embedding unit that generates a code for verifying the operation of at least one of the protection code and the normal code using the policy, and embeds the code in the protection code. The program dividing apparatus according to claim 1, wherein:   The normal code generation unit includes an activation control code embedding unit that generates a code for controlling activation of the protection code using the policy and embeds the code in the protection code or the normal code. The program dividing device according to any one of 1 to 3.   The normal code generation unit includes an introduction control code embedding unit that generates a code for controlling the introduction of the protection code using the policy and embeds the code in the normal code. The program dividing device according to any one of the above.   The said protection code production | generation part and the said normal code production | generation part are provided with the communication protection part which incorporates the protection function of at least any one of authentication, encryption, and the inspection of tampering in the function of communication. The program dividing device according to any one of? A program execution device that provides an execution environment for a program divided into protection code for requesting execution in a protected execution environment and other normal code,
A multiple program execution environment management unit that isolates and controls two environments, a protection environment for the protection code and a normal environment for the normal code;
A protection code management unit for managing the introduction and activation of the protection code;
A normal code management unit for managing the introduction and activation of the normal code ,
The program execution apparatus, wherein the multiple program execution environment management unit includes an inter-environment monitoring control unit that acquires and verifies the operation or state of the normal code as the protection code . The protection environment and the normal environment are virtual machines,
The program execution apparatus according to claim 7, wherein the multiple program execution environment management unit is a virtual machine monitor that performs isolation and control of a virtual machine. The protection code management unit
A signature verification unit for verifying a digital signature of the protection code;
If the signature verification by the signature verification unit is successful, a protection introduction unit that incorporates the protection code so as to be executable in a protected environment;
The program execution device according to claim 7, further comprising: a protection activation unit that activates the protection code when the verification of the integrity of the protection code is successful.   The said multiple program execution environment management part is equipped with the communication control part between environments which provides the protection means for the said protection code and the said normal code to communicate safely, The any one of Claims 7-9 characterized by the above-mentioned. The program execution device described in 1. A program dividing method in a program dividing apparatus that divides one program into protection code that requests execution in a protected execution environment and other normal code,
The program dividing apparatus inputs a policy that gives rules for generating a divided code from a file system or a network, and assigns a protection attribute to a function and a variable that require protection of the given source code;
The program dividing device generating the protection code including the function to which the protection attribute is given in the step of giving the protection attribute ;
The program dividing device, viewed contains and generating the normal code comprising function that calls the function of the protection attribute functions and the protective code the protection attribute is not granted in the step of imparting,
In the step of generating the protection code, a wrapper function that internally calls the function to which the protection attribute is given, a communication unit that receives and processes a call from the normal code, and a variable management unit that manages a variable that needs to be protected Generating the protection code including:
In the step of generating the normal code, the function call with the protection attribute is replaced with a wrapper function that calls a corresponding function in the protection code, and the variable with the protection attribute is replaced in the protection code. The program dividing method , wherein the normal code is generated by substituting as an index of a corresponding variable . A program execution method in a program execution device that provides a protection code that requests execution in a protected execution environment and a program execution environment that is divided into other normal code,
The program execution device performing isolation and control of two environments, a protection environment for the protection code and a normal environment for the normal code;
The program execution device managing the introduction and activation of the protection code;
Said program execution device, viewed contains a step of managing the introduction and activation of the normal code,
In the step of performing isolation and control, the protection code acquires and verifies the operation or state of the normal code .

Images