JP4923925B2 - Check program, monitoring device, and monitoring method - Google Patents

Description

  The present invention relates to a software tampering monitoring apparatus and tampering monitoring method, and more particularly to a technique for monitoring tampering of software executed in a computer system with publicly disclosed specifications such as a PC (personal computer).

  2. Description of the Related Art Conventionally, a device that detects software tampering by monitoring a main memory of a PC from a monitoring program realized by a program code on the PC or a monitoring device installed on a general-purpose bus of the PC is known. In such a device, since it is difficult to externally monitor the data area that is dynamically generated in the main memory when software that is subject to tampering is executed on the PC, a static program Monitor code and static data.

  For example, the following software tamper detection device is known. Information that has been determined before execution of the process related to the program code including at least the program code is stored, and a static storage area in which the alteration of the information is periodically inspected, and changed with execution of the process related to the program code Storage means for storing information that can be stored, area information storage means for storing address information indicating the range of the static storage area in the storage means, and stored in the dynamic storage area When referring to the address information and executing processing based on the information stored in the static storage area, the address information referenced from the dynamic storage area is indicated by the address information stored in the area information storage means. Detecting means for determining whether or not it is within a range of a static storage area to be detected and detecting falsification of information stored in the dynamic storage area; And wherein the obtaining (e.g., see Patent Document 1.).

JP 2006-106956 A

  However, as described above, simply monitoring static program code and static data identifies that the monitored program code and data are actually code and data being executed on a PC. It is difficult to do. For this reason, when software tampering technology becomes more sophisticated, the program code that is actually executed on the PC is tampered with another program area while the monitoring program or monitoring device monitors the program code that has not been tampered with. It can be thought of as running on. In this case, it is possible to tamper with the software so that the monitoring program and the monitoring device are not noticed.

  In addition, the apparatus disclosed in Patent Document 1 detects the presence or absence of falsification by inserting a malicious code detection mechanism using a macro or the like at a branch or return location on the source code. However, if there are many branches and return points in the source code, detecting the presence or absence of tampering at all branch and return points will increase the time required to execute the main program and increase the software processing performance. There is a problem in that it causes a decrease in.

  An object of the present invention is to provide a software tampering monitoring apparatus and tampering monitoring method that can monitor tampering of a program code that is actually being executed in order to solve the above-described problems caused by the prior art. Another object of the present invention is to provide a software alteration monitoring apparatus and alteration monitoring method capable of distributing the load for monitoring alteration when monitoring the alteration of a program code being executed. .

  In order to solve the above-described problems and achieve the object, a software alteration monitoring apparatus and alteration monitoring method according to the present invention connect a monitoring apparatus to another device such as a PC. Also, a software code in which one or more checker codes are inserted into the program code to be monitored is created, and the checker code is activated by the monitoring device while the PC or the like is executing the software code. When a PC or the like that is executing the software code executes the process specified by the activated checker code, the monitoring apparatus confirms that the process specified by the checker code has been executed, The presence or absence of tampering is detected for some or all parts. When the monitoring device activates the checker code, the activation frequency may be adjusted according to the execution status of the checker code.

  According to the present invention, it is possible to monitor the program code actually being executed by the PC or the like by confirming that the PC or the like has executed the checker code inserted into the program code to be monitored. Further, by reducing the activation frequency of a checker code having a high execution frequency, the load for monitoring the program code being executed can be distributed.

  According to the software tampering monitoring apparatus and tampering monitoring method of the present invention, it is possible to monitor the tampering of program code actually being executed by a PC or the like. Further, according to the present invention, when monitoring the alteration of the program code being executed on the PC or the like, it is possible to distribute the load for monitoring the alteration.

  Exemplary embodiments of a software alteration monitoring apparatus and alteration monitoring method according to the present invention will be described below in detail with reference to the accompanying drawings.

(Hardware configuration of software tampering monitoring device)
First, the hardware configuration of the software tampering monitoring apparatus according to the embodiment of the present invention will be described. FIG. 1 is a block diagram showing a hardware configuration of a software tampering monitoring apparatus according to an embodiment of the present invention.

  The software tampering monitoring apparatus includes the monitoring apparatus 1 shown in FIG. 1 and software code (not shown). The monitoring device 1 is connected to another device (not shown) other than the monitoring device 1, such as a PC. The PC or the like executes software code provided together with the monitoring device 1. For example, the monitoring device 1 is used by being connected to a general-purpose bus such as a PCI bus such as a PC. The monitoring device 1 monitors the program code being executed by the PC or the like. The software code is obtained by inserting one or more checker codes into a program code to be monitored by the monitoring device 1.

  As shown in FIG. 1, the monitoring device 1 includes a CPU 11, a DMAC (direct memory access controller) 12, an I / O (input / output interface) 13, a ROM 14 and a RAM 15. Each of these components is connected to each other by a bus 10. The CPU 11 governs overall control of the monitoring device 1. The DMAC 12 controls data transfer performed between the monitoring apparatus 1 and a storage memory of activation determination data, which will be described later, such as a PC, without using a CPU such as a PC. When the monitoring device 1 is not a bus master system, the monitoring device 1 does not have the DMAC 12, and therefore data transfer between the monitoring device 1 and the PC is controlled by the DMAC such as the PC.

  The ROM 14 stores a program that is executed when the CPU 11 controls the monitoring device 1. The RAM 15 is used as a work area for the CPU 11. Further, the RAM 15 stores a checker position / frequency database which will be described later. The I / O 13 is connected to, for example, a PCI bus such as a PC, controls the interface between the PC and the inside of the monitoring device 1, and controls data input / output between the PC and the like.

  FIG. 1 shows only the configuration necessary for monitoring software code being executed by a PC or the like, and other configurations are omitted. For example, when the monitoring device 1 and the program code to be monitored are a digital television broadcast receiving system, the monitoring device 1 has a circuit that realizes an encoder function, a tuner function, etc. in addition to the configuration shown in FIG. Etc. are provided.

(Functional configuration of software alteration monitoring device)
Next, a functional configuration of the software alteration monitoring device according to the embodiment of the present invention will be described. FIG. 2 is a block diagram showing a functional configuration of the software tampering monitoring apparatus according to the embodiment of the present invention. As shown in FIG. 2, the monitoring device 1 includes an input / output unit 21, a decoding processing unit 22, a conversion processing unit 23, an activation management unit 24, a DMA unit 25, an execution confirmation unit 26, a frequency management unit 27, and a falsification detection unit 28. It has.

  The input / output unit 21 receives the encrypted software code from a PC or the like and passes it to the decryption processing unit 22. The decryption processing unit 22 decrypts the software code passed from the input / output unit 21 and passes it to the conversion processing unit 23. The conversion processing unit 23 converts the software code passed from the decryption processing unit 22 into an executable format such as a PC. The software code converted into the execution format is transferred to a PC or the like via the input / output unit 21 and developed in a main memory such as a PC. That is, software code executed on a PC or the like is encrypted and installed on a hard disk or the like such as a PC. The software code can be executed only after being decrypted by the monitoring device 1 at the time of startup and expanded in a main memory such as a PC. It becomes a state.

  Further, the conversion processing unit 23 extracts the checker code insertion position when developing the software code, and creates the checker position / frequency database 29. The checker position / frequency database 29 at this time stores insertion position information of each checker code and an initial value (design value) of the frequency at which each checker code is activated. In addition, as the checker position / frequency database 29, a database storing the insertion position of each checker code and the initial value of the activation frequency may be prepared in advance at the software code design stage. The checker position / frequency database 29 is stored in the RAM 15 as described above. If the storage capacity of the RAM 15 is small, the checker position / frequency database 29 is encrypted and stored in a hard disk such as a PC. Also good.

  The activation management unit 24 outputs an activation determination data rewrite request based on the information in the checker position / frequency database 29. The activation determination data is stored in a predetermined memory area such as a PC. When receiving a rewrite request from the activation management unit 24, the DMA unit 25 directly accesses a predetermined memory area such as a PC via the input / output unit 21 and rewrites the activation determination data. When the activation determination data is rewritten by the monitoring device 1, the checker code corresponding to the rewritten activation determination data is activated. For example, a flag is used as the activation determination data. The checker code is in an activated state when a flag corresponding to the checker code is set, and is in an inactivated state when the flag is set.

  The execution confirmation unit 26 confirms that the activated checker code is executed by the PC or the like via the input / output unit 21. The frequency management unit 27 manages the activation frequency of each checker code. When the checker code is executed by a PC or the like, the falsification detection unit 28 detects whether or not a part or all of the program code has been falsified based on the execution result.

  Specifically, the decoding processing unit 22, the conversion processing unit 23, the activation management unit 24, the execution confirmation unit 26, the frequency management unit 27, and the falsification detection unit 28 described above are recorded in, for example, the ROM 14 or the RAM 15 illustrated in FIG. The function is realized when the CPU 11 executes the executed program. Further, the input / output unit 21 and the DMA unit 25 realize their functions by the I / O 13 and the DMAC 12, respectively.

(First example of the outline of the flow from product development to application execution)
Next, an outline of the flow from the time of product development to the time of application execution of the software tampering monitoring apparatus according to the embodiment of the present invention will be described. FIG. 3 is an explanatory diagram showing a first example of a schematic flow from the product development time to the application execution time of the software tampering monitoring apparatus according to the embodiment of the present invention.

  As shown in FIG. 3, first, at the time of product development, the developer performs a process of embedding checker insertion position / frequency instruction information 32 as checker insertion information in the main program code 31, and encrypts the encrypted software code 33. create. Here, the main program code 31 is a program code to be monitored by the monitoring device 1. The checker insertion position / frequency instruction information 32 is information indicating the insertion position of each checker code inserted into the main program code 31 and the frequency with which each checker code is activated.

  As a result of embedding the checker insertion position / frequency instruction information 32, a checker code activated at the specified frequency is inserted into the main program code 31 at the position specified by the checker insertion position / frequency instruction information 32. The encrypted software code 33 and the monitoring device 1 are provided as a set to the user of the software alteration monitoring device.

  Next, the user connects the monitoring device 1 to a PC or the like that executes the main program code 31, and installs the encrypted software code 33 in a storage device 34 such as a hard disk such as a PC. When a user operates a PC or the like to start an application, the monitoring device 1 reads the encrypted software code 33 from the storage device 34 such as a PC and decrypts it. Then, the monitoring device 1 converts the decrypted software code into an execution format, and develops the execution format software code 36 in the main memory 35 such as a PC. Further, the monitoring device 1 extracts the embedded checker code when developing the execution format software code 36 and creates a checker position / initial frequency list as the checker position / frequency database 29.

  Here, the initial frequency is an initial value (design value) of the frequency for activating each checker code. In FIG. 3, for convenience, the checker position / frequency database 29 is placed outside the monitoring apparatus 1, but actually, the checker position / frequency database 29 is constructed inside the monitoring apparatus 1. However, if the storage device 1 does not have a sufficient storage capacity, the checker position / frequency database 29 may be stored in a hard disk such as a PC.

  Next, when the application is executed, the monitoring device 1 instructs the PC or the like to start the checker code embedded in the software code 36 being executed on the PC or the like based on the information in the checker position / frequency database 29. And activates that checker code. When the PC or the like executes the activated checker code and executes the process designated by the checker code, the monitoring device 1 is notified of the check result. Therefore, the monitoring device 1 can monitor the program code that is actually being executed by a PC or the like, and detect falsification of the program code. Moreover, the monitoring apparatus 1 updates the information regarding the frequency of the checker position / frequency database 29 based on the check result.

  Here, as a means for notifying the monitoring device 1 of the check result, a configuration may be adopted in which a PC or the like passes an execution notification to the monitoring device 1 through a device driver or the like. Alternatively, the execution of the checker code rewrites the value of a specific memory area such as a PC, and the monitoring apparatus 1 periodically monitors the value of the memory area by polling, so that the monitoring apparatus 1 knows the execution of the checker code. You may do it. In this case, for example, a flag different from the activation determination data can be used as a memory area whose value is rewritten by execution of the checker code.

(Second example of outline of flow from product development to application execution)
FIG. 4 is an explanatory diagram showing a second example of a schematic flow from the product development time to the application execution time of the software tampering monitoring apparatus according to the embodiment of the present invention. As shown in FIG. 4, the second example is different from the first example described above in that the processing for embedding the checker insertion position / frequency instruction information 32 in the main program code 31 is not performed during product development. is there.

  That is, at the time of product development, the main program code 31 and the checker insertion information / frequency instruction information 37 are separately encrypted to create the encrypted main program code 38 and the encrypted checker insertion information / frequency instruction information 39. The checker insertion information / frequency instruction information 37 corresponds to the checker insertion position / frequency instruction information 32 of the first example. In the second example, the encryption main program code 38, the encryption checker insertion information / frequency instruction information 39, and the monitoring device 1 are set and provided to the user of the software alteration monitoring device.

  Therefore, the user installs the encryption main program code 38 and the encryption checker insertion information / frequency instruction information 39 in the storage device 34 such as a PC. When the user activates the application, the monitoring apparatus 1 decrypts the encrypted main program code 38 and the encrypted checker insertion information / frequency instruction information 39 read from the storage device 34 such as a PC, and adds a checker code to the main program code 31. It is embedded, converted into an execution format, and expanded in a main memory 35 such as a PC. The subsequent steps are the same as in the first example described above.

  Note that the checker code may be inserted into the program code to be monitored so that the checker code insertion position is different each time the application is executed. In this case, a database in which absolute address references and relative address references in the program code to be monitored are extracted in advance is created. Then, based on the database, instruction code level relocation is enabled, and a means for resolving address reference misalignment caused by insertion of an arbitrary code string is used to check a program code at an arbitrary place when an application is started. While inserting the code, it is expanded in a main memory such as a PC. Although detailed description of a specific technique that enables this is omitted, it can be realized by applying the technique disclosed in Japanese Patent Application Laid-Open No. 2005-85188 filed earlier by the present inventor. .

(Checker code structure)
Next, the structure of the checker code will be described. FIG. 5 is an explanatory diagram showing the program code of the checker code of the software alteration monitoring device according to the embodiment of the present invention. As shown in FIG. 5, the checker code 41 includes a step (step S 1) for examining activation determination data (activation determination flag), a step for performing activation determination processing based on the investigation result (step S 2), and an activation determination. If the flag is asleep as a result of the processing (step S2: No), nothing is done, that is, the process is passed (step S3), and the execution of the checker code 41 is terminated (step S4).

  The checker code 41 performs the process specified in the checker code 41 when the flag is set as a result of the activation determination process (step S2: Yes) (step S5), and thereafter ends the execution of the checker code. It has a process (Step S4). The path passing through step S5 corresponds to the first or third execution path, and the path passing through step S3 corresponds to the second execution path.

  Here, the program for executing the process of step S5 is (1) a program for performing a process for notifying the monitoring apparatus 1 that the checker code 41 has been executed, and (2) one of the program codes to be monitored. A program that performs processing for detecting whether or not all or part of the checker code has been tampered with, or (3) a program that performs processing for detecting whether or not the checker code itself has been tampered with is there. The case (1) corresponds to the first execution path, and the case (2) corresponds to the third execution path. The case (3) corresponds to another execution path. As described above, there may be four or more execution paths executed according to the activation determination flag. At some point in the execution path from step S2 through step S5 to step S4, the activation determination flag is laid and the checker code is inactivated.

  In the above step S5, the amount that the activated checker code processes in response to a single activation instruction may be divided, and the items to be checked may be executed little by little to complete the check by multiple executions. In this case, it is possible to avoid adversely affecting the execution of the program code to be monitored by executing the process of step S5.

  When the program (2) is executed in step S5, the program code developed in the main memory 35 such as a PC by the DMA unit 25 of the monitoring apparatus 1 (or the DMA unit such as PC when there is no program). And the program code may be compared with the original program code. At this time, the program codes themselves may be compared, or data summarizing the program codes such as a checksum and a hash value of the program codes may be compared.

  As the original program code, the program code decrypted when the application is started can be stored in the RAM 15 of the monitoring apparatus 1 and read out for use. When the capacity of the RAM 15 of the monitoring device 1 is not sufficient, the program code decrypted when the application is activated may be encrypted in the monitoring device 1 and stored again in the storage device 34 such as a PC. The same applies when the program (3) is executed in step S5.

(Checker code activation method)
When the number of checker codes is small, all checker codes may be always activated. However, when the number of checker codes is large, if all the checker codes are always activated, the checker codes are executed one after another, resulting in a large load and processing of the program code to be monitored. The speed will drop. In order to avoid this, it is necessary to control the activation frequency of the checker code on the monitoring device 1 side or to dynamically change the checker code to be activated.

  For example, the monitoring device 1 observes the execution frequency of the checker code by measuring the time until receiving the checker code execution notification after the checker code activation instruction. Then, the load is distributed by dynamically performing control such that the activation interval of the checker code with high execution frequency is lengthened and the activation interval of the checker code with low execution frequency is shortened. In this case, a thorough investigation is performed during product development, the frequency range is determined in advance, a database is created, and the checker is changed while dynamically changing the runtime load based on some guidelines. The code can be activated. As a checker code activation method, one of (1) cyclic method, (2) frequency equalization method, (3) frequency fixed method, or a combination thereof may be considered.

  The (1) patrol method will be described. FIG. 6 is a flowchart showing a flow in the case where the checker code is activated in a cyclic manner in the software tampering monitoring apparatus according to the embodiment of the present invention. As shown in FIG. 6, first, the monitoring device 1 activates one checker code (step S11). Then, it waits for the activated checker code to be executed (step S12: no execution notification). During this time, another checker code is not activated.

  When the checker code 41 activated in step S11 is executed and an execution notification is passed to the monitoring device 1 (step S12: execution notification is present), the monitoring device 1 switches the activation target to the next checker code. (Step S13). Then, the same processing is performed for the new checker code. This is sequentially performed for all the checker codes, and all the checker codes are activated and executed.

  The (2) frequency equalization method will be described. In this method, a frequency control database is constructed to control the activation frequency of the checker code. The frequency control database is stored in, for example, the RAM 15 of the monitoring device 1. FIG. 7 is an explanatory diagram showing the configuration of a frequency control database constructed in the monitoring apparatus when the frequency equalization method is applied. As shown in FIG. 7, the frequency control database 51 has records 52a, 52b, and 52n corresponding to the respective checker codes.

  Each record 52a, 52b, 52n includes a checker information field 53 for storing various information related to the checker code, a state field 54 indicating whether the current state is an active state or an inactive state, and a first field. Counter 1 prescribed number field 55 indicating the prescribed number of counters, Counter 1 field 56 indicative of the counter value of the first counter, Counter 2 prescribed number field 57 indicating the prescribed number of second counters, and counter of the second counter It has a counter 2 field 58 indicating a value. The first counter and the second counter are provided in the activation management unit 24 and the frequency management unit 27 of the monitoring device 1.

  FIG. 8 is a flowchart showing a flow in the case where the checker code is activated by the frequency uniformization method in the software alteration monitoring apparatus according to the embodiment of the present invention. First, when a timer event or an execution notification event occurs, the generated event is queued. Here, a timer event is periodically generated for each checker code. An execution notification event is generated for an execution notification from an activated checker code.

  The monitoring device 1 acquires an event from the event queue (step S21), and determines the type of event (step S22). If the result is a timer event (step S22: timer event), the checker code status field 54 of the frequency control database 51 is referenced to determine the status of the checker code (step S23). As a result, when it is in the inactive state (step S23: state = inactive), the counter 1 prescribed number field 55 of the corresponding checker code is referred to and the prescribed number of the first counter is examined (step S24). ).

  As a result, when the counter value of the counter 1 field 56 of the corresponding checker code has not reached the specified number of times of the first counter (step S24: number not reached), the counter value of the counter 1 field 56 is incremented. (Step S25), and the process ends. On the other hand, if the counter value in the counter 1 field 56 has reached the specified number of times of the first counter as a result of checking the specified number of times of the first counter in step S24 (step S24: number of times reached), the corresponding checker. The checker code of the code is activated, the status field 54 of the checker code is switched to the activated state (step S26), and the process ends.

  If the state of the corresponding checker code is determined in step S23 to be in the activated state (step S23: state = activated), the counter 2 defined number field 57 of the corresponding checker code is referred to, The specified number of counters of 2 is checked (step S27). As a result, when the counter value of the counter 2 field 58 of the corresponding checker code has not reached the specified number of times of the second counter (step S27: number not reached), the counter value of the counter 2 field 58 is incremented. (Step S28), and the process ends. On the other hand, if the counter value in the counter 2 field 58 has reached the specified number of times of the second counter as a result of examining the specified number of times of the second counter in step S27, it is necessary. If so, the time-over process is performed (step S29), and the process ends.

  If the event type is determined to be an execution notification event in step S22 (step S22: execution notification event), the specified number of times in the counter 1 specified number field 55 is set based on the counter value in the counter 2 field 58. Update (step S30). For example, when the counter value of the counter 2 field 58 is small, the specified number of times in the counter 1 specified number field 55 is increased. When the counter value of the counter 2 field 58 is large, the specified number of times in the counter 1 specified number field 55 Make it smaller. Then, the counter values in the counter 1 field 56 and the counter 2 field 58 are initialized (step S31), and the process ends.

  In this way, the activation of the checker code with a large number of execution confirmations per unit time is reduced, and the checker code with a small number of execution confirmations per unit time is increased in the activation frequency. It can be adjusted dynamically at the time of program code execution. Note that the example shown in FIG. 8 is an example in which the first and second counters are up-counters, but the same applies when a down-counter is used. In addition, the actual timer time can be recorded without using the counter, and the time interval can be obtained in comparison with the current time. Further, it is possible to shift directly to the control shown in FIG. 8 when an event occurs without using an event queue.

  The (3) frequency fixing method will be described. In this method, a frequency control database 51 similar to the above (2) frequency equalization method is prepared, and all checker codes 41 are sequentially set in units of preset time based on the checker position / frequency database 29. ,Activate. The flow when the checker code is activated by the fixed frequency method is a flow in which step S30 is omitted in the flowchart shown in FIG.

  Further, instead of activating all the checker codes one by one, all the checker codes are divided into a plurality of groups, and the above-described (1) cyclic method, (2) frequency equalization method, (3) frequency fixed method, Any of these or a combination thereof may be used to activate the checker code in units of groups. In this case, there may be a group having one checker code. In the case of a group having a plurality of checker codes, each checker code in the group is selected from the above-described (1) cyclic method, (2) frequency equalization method, (3) frequency fixed method, or a combination thereof. It may be activated. Moreover, you may activate by a different system for every group. By grouping a plurality of checker codes in this way, it is possible to distribute the load caused by execution of the checker code.

(Appendix 1) A software tampering monitoring device that is connected to another device and monitors a software code executed by the other device,
Main program code,
Checker insertion information relating to the checker code inserted into the main program code;
Based on the checker insertion information, the software code in which one or more checker codes are inserted into the main program code is expanded in the main memory of the other device, and the software code being executed by the other device is monitored. A monitoring device to
With
The software code is at least
A first execution path for executing the process specified by the checker code and returning to the execution of the main program code based on the activation determination data stored in the memory area of the other device;
A second execution path for returning to the execution of the main program code without executing the process specified by the checker code;
Including
The monitoring device
An activation management means for rewriting the activation determination data; an execution confirmation means for confirming that the other apparatus has executed the first execution path;
A software alteration monitoring device comprising:

(Supplementary note 2) The monitoring device is a software code in which the checker code is inserted into the main memory of the other device while inserting one or more checker codes into the main program code based on the checker insertion information. The software tampering monitoring apparatus according to appendix 1, wherein the checker code insertion position information is recorded, and the activation determination data is rewritten based on the position information.

(Supplementary Note 3) A software tampering monitoring device that is connected to another device and monitors software code executed by the other device,
Software code with one or more checker codes inserted into the main program code;
A monitoring device that expands the software code in a main memory of the other device and monitors the software code being executed by the other device;
With
The software code is at least
A first execution path for executing the process specified by the checker code and returning to the execution of the main program code based on the activation determination data stored in the memory area of the other device;
A second execution path for returning to the execution of the main program code without executing the process specified by the checker code;
Including
The monitoring device
An activation management means for rewriting the activation determination data; an execution confirmation means for confirming that the other apparatus has executed the first execution path;
A software alteration monitoring device comprising:

(Additional remark 4) When the said monitoring apparatus expand | deploys the said software code to the main memory of the said other apparatus, it detects the checker code inserted in the software code, and the information of the insertion position of the checker code is shown. 4. The software alteration monitoring device according to appendix 3, wherein the activation determination data is recorded and rewritten based on the position information.

(Additional remark 5) When the said monitoring apparatus expand | deploys the said software code to the main memory of said another apparatus, it acquires the information on the insertion position of the checker code inserted in the software code, and based on this positional information The software alteration monitoring device according to appendix 3, wherein the activation determination data is rewritten.

(Supplementary note 6) The software code further includes a third execution path that executes processing for detecting falsification of the software code based on the activation determination data and returns to the execution of the main program code,
The monitoring device further includes a tampering detection unit that detects whether or not a part or all of the software code has been tampered with when the other device executes the third execution path. The software tampering monitoring apparatus according to any one of 1 to 5.

(Supplementary note 7) When the other device executes the third execution path, the software code is based on the activation determination data rewritten by the monitoring device to execute the third execution path. The software tampering monitoring apparatus according to appendix 6, wherein the software alteration monitoring apparatus is rewritten to the above data.

(Supplementary Note 8) The software code is based on the activation determination data rewritten by the monitoring device to execute the first execution path when the other device executes the first execution path. The software tampering monitoring apparatus according to any one of appendices 1 to 7, wherein the software alteration monitoring apparatus is rewritten to the above data.

(Supplementary note 9) In any one of Supplementary notes 1 to 8, wherein the activation management unit sequentially rewrites the activation determination data corresponding to each checker code in order to execute a plurality of checker codes. Software tampering monitoring device.

(Supplementary note 10) Any one of Supplementary notes 1 to 8, wherein the activation management means rewrites the activation determination data corresponding to each checker code at a preset interval in order to execute a plurality of checker codes. Software tampering monitoring device according to any one of the above.

(Additional remark 11) The said starting management means adjusts the rewriting frequency of the said start determination data for performing the said checker code according to the execution condition of a checker code, Any one of Additional remark 1-8 characterized by the above-mentioned. Software tampering monitoring device described in 1.

(Supplementary Note 12) In a software tampering monitoring method for monitoring a running software code,
Inserting one or more checker codes into the main program code;
Activating the checker code during execution of the software code with the checker code inserted;
Executing a process specified by the activated checker code;
Confirming that the processing specified by the checker code has been executed, and detecting whether or not a part or all of the software code has been tampered with;
A software tamper monitoring method characterized by comprising:

  As described above, the software tampering monitoring apparatus and tampering monitoring method according to the present invention are useful for preventing tampering of the program code to be monitored, and in particular, protecting intellectual property rights in a digital television broadcast receiving system. Suitable for equipment to do.

It is a block diagram which shows the hardware constitutions of the software alteration monitoring apparatus concerning embodiment of this invention. It is a block diagram which shows the functional structure of the software alteration monitoring apparatus concerning embodiment of this invention. It is explanatory drawing which shows the 1st example of the outline of the flow from the time of product development of the software alteration monitoring apparatus concerning embodiment of this invention to the time of application execution. It is explanatory drawing which shows the 2nd example of the outline of the flow from the time of product development of the software alteration monitoring apparatus concerning embodiment of this invention to the time of application execution. It is explanatory drawing which shows the program code of the checker code of the software tampering monitoring apparatus concerning embodiment of this invention. It is a flowchart which shows the flow in the case of activating a checker code by a cyclic system in the software alteration monitoring apparatus concerning embodiment of this invention. It is explanatory drawing which shows the structure of the database for frequency control in the case of activating a checker code by a frequency equalization system in the software alteration monitoring apparatus concerning embodiment of this invention. It is a flowchart which shows the flow in the case of activating a checker code by a frequency equalization system in the software alteration monitoring apparatus concerning embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Monitoring apparatus 24 Startup management part 26 Execution confirmation part 28 Tampering detection part 29 Checker position / frequency database 31 Main program code 32 Checker insertion position / frequency instruction information 35 Main memory such as PC 36 Software code 37 Checker insertion information / frequency instruction information 41 Checker code

Claims (7)

A check program embedded in software code, the computer executing the software code,
When an instruction to start the check program is received from the monitoring device during execution of the software code, the monitoring device stores the determination information that can be rewritten periodically or irregularly, stored in the computer,
As a result of the investigation, when the activation determination data indicates that the processing specified in the check program should not be executed, the execution of the check program is terminated,
As a result of the investigation, when the activation determination data indicates that the process specified by the check program should be executed, the process specified by the check program is executed,
Sending the execution result of the process specified by the check program to the monitoring device;
A check program that terminates execution of the check program when transmission of the execution result is completed. The check program according to claim 1, wherein the process specified by the check program is a process of detecting that the check program has been executed. 2. The check program according to claim 1, wherein the process specified by the check program is a process of detecting falsification of a program code excluding the check program in the software code. 2. The check program according to claim 1, wherein the process specified by the check program is a process of detecting falsification of the check program itself. A monitoring device for monitoring a computer executing software code in which a checker code is embedded,
The activation determination data stored in the computer indicates that the first state indicating that the process specified by the checker code should not be executed and the process specified by the checker code should be executed. Rewriting means for rewriting regularly or irregularly to any one of the second states;
Transmitting means for transmitting an instruction to start the checker code to the computer;
Receiving means for receiving an execution result of the process designated by the checker code from the computer when the computer is in the second state;
A monitoring device comprising: A monitoring device that monitors a computer that executes software code in which checker code is embedded,
The activation determination data stored in the computer indicates that the first state indicating that the process specified by the checker code should not be executed and the process specified by the checker code should be executed. Rewritten regularly or irregularly to one of the second states,
Sending the checker code activation instruction to the computer,
Receiving an execution result of the process designated by the checker code from the computer when the computer is in the second state;
A monitoring method characterized by executing processing. Storage means for storing program code and checker insertion information relating to a checker code inserted into the program code ;
Expand the software code of one or more of the checker code before Kipu program code based on the checker insertion information is inserted into the main memory of the other device, monitoring the software code in the another device is executed comprising monitoring means for, the,
Before Symbol monitoring means,
Activation management means for rewriting the activation determination data;
The other device executes the process specified by the checker code based on at least the activation determination data stored in the memory area of the other device included in the software code. Out of the first execution path that returns to the execution of the code and the second execution path that returns to the execution of the program code without executing the processing specified by the checker code, the execution of the first execution path Execution confirmation means to confirm;
Monitoring device you comprising: a.

Images