JP6155933B2 - Portable storage media - Google Patents

Description

  The present invention relates to a portable storage medium typified by an IC card used for financial purposes and a USIM used for mobile communication, and more specifically, the validity of a program stored in a nonvolatile memory of the portable storage medium. The present invention relates to a technique for verifying sex.

  A portable storage medium represented by an IC card used for financial purposes or a USIM used for mobile communication is referred to as a non-volatile memory (hereinafter referred to as “NVM”). Some of them have a function of loading a program in the (Volatile Memory), and a representative example is an IC card equipped with a platform type operating system such as JAVA (registered trademark).

  The program loaded in the NVM of the portable storage medium is written into the NVM of the portable storage medium in the form of an execution code or an intermediate code, and the CPU of the portable storage medium reads and executes the code.

  At this time, if the program loaded into the non-volatile memory becomes falsified due to a memory error that has occurred in the NVM of the portable storage medium or a failure attack from the outside, the portable storage medium will not operate when the program is executed. Risking serious security problems.

  Patent Document 1 discloses an invention that uses a check code as an invention for verifying the validity of a program loaded in an NVM of a portable storage medium.

  However, when verifying the legitimacy of a program using a check code, there is a problem that it cannot be detected that the program has been tampered with if the program has been tampered with other than at the timing of verifying the check code. Further, when the program length of the program is long, there is a problem that the calculation time of the check code becomes long.

  Since the program loaded in the NVM of the portable storage medium is configured to include a plurality of execution modules, when the execution module of the program loaded in the NVM of the portable storage medium is executed, the execution result of the execution module If the legitimacy can be verified, it is possible to detect program tampering.

  As a method for verifying the validity of the execution result of the execution module, Patent Document 2 describes a multiplexing method in which the same processing is performed a plurality of times on the same data, and whether or not the plurality of processing results match is described. Therefore, performing the same process twice on the same data is sometimes called a duplexing method.

  It suffices if all the modules included in the program loaded into the NVM of the portable storage medium can be multiplexed. However, since the memory capacity required for multiplexing all the execution modules becomes large, there is only one execution module to be multiplexed. It is limited to the execution module of the part.

  Execution modules to be multiplexed can be determined at the time of design. However, there are cases where it is desired to multiplex execution modules that were not initially planned at the stage of operation of the portable storage medium, so a program is stored in the NVM of the portable storage medium. It is desirable to be able to multiplex execution modules even after loading.

JP 2004-213478 A JP-A-10-154976

  Therefore, the present invention can verify the execution result of the module included in the program loaded into the NVM of the portable storage medium by the multiplexing method, and even after loading the program into the NVM of the portable storage medium, An object is to provide a portable storage medium capable of multiplexing modules.

  According to a first aspect of the present invention for solving the above-described problem, an execution file storing a program having at least one execution module and meta information indicating the execution module to be multiplexed are added, and the execution module indicated by the meta information includes An execution file storing a multiplexing module that takes over the data to be used and executes the same processing as the execution module is stored in a nonvolatile memory, and when one execution module of the program is executed, the meta information is stored. When the execution file of the multiplexed module corresponding to the executed execution module is mounted on the nonvolatile memory, and the execution file of the multiplexed module is mounted on the nonvolatile memory The multiplexing module is executed, and the executed execution module is executed. Validity verifying unit that verifies whether the execution result of the multiplexing module of executing the execution result of Le match is a portable storage medium, characterized in that provided in the operating system.

  Further, the second invention is the portable storage medium described in the first invention, and includes the code of the program so that the execution file of the program and the execution file of the multiplexed file can be loaded into the NVM. When the load command is received, the program execution file is stored in the nonvolatile memory by writing the program code in the nonvolatile memory, and the execution module specifying information indicating the execution module corresponding to the multiplexing module and the meta data are stored. When a load command including information is received, the code of the execution module indicated by the execution module specifying information is written in the nonvolatile memory as the code of the multiplexing module, and further, the meta information is written in the nonvolatile memory. The executable file of the multiplexing module is non-volatile Characterized by comprising a loading unit to be stored in memory.

  Furthermore, a third invention is the portable storage medium described in the second invention, wherein the load unit includes a code of the multiplexing module and the code so as to cope with other than the execution module specifying information. When a load command including meta information is received, the code of the multiplexing module and the meta information are written into the nonvolatile memory.

  According to the present invention described above, after executing the execution module included in the program loaded into the NVM of the portable storage medium, the multiplexing module corresponding to the execution module is executed, and the execution result of the execution module and the multiplexing module are executed. The execution results of the execution modules can be verified by the multiplexing method. Furthermore, since the execution file can be loaded even after the program is loaded, even after the program is loaded by storing the multiplexing module in the NVM of the portable storage medium in the form of the execution file, A predetermined execution module can be multiplexed.

FIG. 3 is a diagram for explaining a portable storage medium according to the embodiment. The figure explaining the content of the memory of a portable storage medium. The figure explaining the software mounted in a portable storage medium. The figure explaining the operation | movement which verifies the correctness of the execution result of an execution module. The figure explaining operation | movement at the time of loading a multiplexing module execution file into NVM simultaneously with a program execution file. The figure explaining operation | movement at the time of loading a multiplexing module execution file to NVM, after loading a program execution file to NVM.

  From here, preferred embodiments of the present invention will be described. The following description is not intended to limit the scope of the present invention, but is provided to aid understanding.

  FIG. 1 is a diagram for explaining a portable storage medium 1 according to the present embodiment, FIG. 2 is a diagram for explaining the contents of a memory of the portable storage medium 1, and FIG. 3 is mounted on the portable storage medium 1. It is a figure explaining the software to be performed.

  A portable storage medium 1 according to this embodiment includes a CPU 12 that is a central processing unit, a RAM 13 that is a volatile memory, a ROM 11 that is a read-only memory, an electrically rewritable NVM 10, and an external device. An electronic medium on which the interface circuit 14 is mounted operates in cooperation with a host system that requires security.

  In FIG. 1, the portable storage medium 1 according to the present embodiment is illustrated as an IC card used for financial purposes, but other forms of the portable storage medium 1 include a SIM mounted on a mobile communication terminal, Various forms such as a UICC and an embed SIM installed in a mobile communication terminal can be assumed.

  As shown in FIG. 2, an operating system 2 having a function of managing execution of the program 3 is mounted on the ROM 11 of the portable storage medium 1, and the NVM 10 of the portable storage medium 1 is installed on the operating system 2. A program execution file 100 storing a code of an operating program 3 and a multiplexing module execution file 101 storing a code of a multiplexing module 4 for multiplexing the execution module 30 included in the program 3 are stored. Meta information 102 indicating at least the execution module 30 to be multiplexed is added to the execution file 101.

  As shown in FIG. 3, the portable storage medium 1 is mounted with an operating system 2, a program 3, and a multiplexing module 4 for multiplexing an execution module 30 included in the program 3 as software.

  The program 3 installed in the portable storage medium 1 has a plurality of execution modules 30. In FIG. 3, as an execution module 30 included in the program 3, a selection module 30a used for selecting data and the like, a read module 30b for reading data from the NVM 10 and the like, an authentication module 30c used for user authentication and the like, and a writing module for writing data to the NVM 10 A state transition module 30e that transitions the state of the portable storage medium 1 based on the execution results of 30d and the authentication module 30c is illustrated.

  The multiplexing module 4 mounted on the portable storage medium 1 is a module that takes over the data used by the execution module 30 indicated by the meta information 102 and executes the same processing as the execution module 30. The multiplexing module 4 is mounted for each execution module 30 to be multiplexed. In FIG. 3, the multiplexing module 4a of the authentication module 30a and the state transition module 30e are multiplexed in order to multiplex the authentication module 30a and the state transition module 30e. Module 4b is mounted.

  The number of multiplexing modules 4 corresponding to the execution module 30 to be multiplexed depends on the number of multiplexing. For example, when duplicating the authentication module 30a, there is only one multiplexing module 4a corresponding to the authentication module 30a, and when multiplexing the authentication module 30a, there are two multiplexing modules 4a corresponding to the authentication module 30a. become.

  The operating system 2 mounted on the portable storage medium 1 provides the program 3 operating on the operating system 2 with an environment in which resources (RAM 13, NVM 10, etc.) of the portable storage medium 1 can be accessed. The operating system 2 of the present embodiment has a management function. When the program execution management unit 22 that manages the execution of the program 3 operating on the operating system 2 and the execution module 30 included in the program 3 are executed, It has a validity verification unit 20 that verifies the validity of the execution result of the module 30 and a load unit 21 that loads the program 3 and the multiplexing module 4 into the NVM 10.

  The program execution management unit 22 included in the operating system 2 of the portable storage medium 1 allocates the resources of the portable storage medium 1 to the program 3 started on the operating system 2, and then executes the code described in the program execution file 100. Means for reading and executing in order.

  The legitimacy verification unit 20 included in the operating system 2 of the portable storage medium 1 is called by the program execution management unit 22 and started up. When one execution module 30 included in the program 3 is executed, An operation to verify the validity of the execution result is performed.

  FIG. 4 is a diagram for explaining the operation of verifying the validity of the execution result of the execution module 30. When the code read from the program 3 is a code that calls the execution module 30, the program execution management unit 22 of the operating system 2 executes the execution module 30 indicated by this code (S1), and the execution result of the execution module 30 is stored in the RAM 13 (S2), information for specifying the executed execution module 30 is delivered and the validity verification unit 20 is called.

  When called from the program execution management unit 22, the validity verification unit 20 of the operating system 2 refers to the meta information 102 added to the multiplexed module execution file 101 and passes information from the program execution management unit 22. It is confirmed whether or not the multiplexed module execution file 101 corresponding to, ie, the multiplexed module execution file 101 corresponding to the execution module 30 executed by the program execution management unit 22 is installed in the NVM 10 (S3).

  When the multiplexed module execution file 101 corresponding to the execution module 30 executed by the program execution management unit 22 is not mounted in the NVM 10, the validity verification unit 20 returns the processing to the program execution management unit 22, and this procedure is finish.

  When the multiplexed module execution file 101 corresponding to the execution module 30 executed by the program execution management unit 22 is mounted on the NVM 10, the validity verification unit 20 is described in the multiplexed module execution file 101. By executing the code, the multiplexing module 4 corresponding to the execution module 30 executed by the program execution management unit 22 is executed (S4), and the execution result of the execution module 30 executed by the program execution management unit 22 is an address. Instead, the execution result of the multiplexing module 4 is stored in the RAM 13 (S5).

  Note that the number of multiplexed modules 4 executed by the validity verification unit 20 of the operating system 2 depends on the number of multiplexed execution modules 30 executed by the program execution management unit 22. For example, when the execution module 30 is duplicated, the multiplexing module 4 corresponding to the execution module 30 is one, so that the validity verifying unit 20 executes the multiplexing module 4 once. , The execution result of the multiplexing module 4 becomes one. Further, when the execution module 30 is tripled, the number of multiplexing modules 4 corresponding to the execution module 30 is two, so the number of times that the validity verification unit 20 executes the multiplexing module 4 is twice. Thus, the execution result of the multiplexing module 4 is two.

  When the multiplexing module 4 corresponding to the execution module 30 executed by the program execution management unit 22 is executed, the validity verification unit 20 executes the execution result of the execution module 30 executed by the program execution management unit 22 and the multiplexing module 4. It is confirmed whether all the execution results match (S6).

  If all the execution results match, the correctness verification unit 20 returns the processing to the program execution management unit 22 and ends this procedure. If all the execution results do not match, the correctness verification unit 20 executes predetermined error processing (S7), and this procedure ends.

  As described above, the multiplexed module execution file 101 is stored in the NVM 10 of the portable storage medium 1 separately from the program execution file 100, and the execution module 30 included in the program 3 is executed. By executing the conversion module 4 and verifying whether the processing results are all the same, the validity of the execution result of the execution module 30 can be verified on the portable storage medium 1 side.

  Specifically, even if the code of the program 3 is falsified due to a memory error occurring in the NVM 10 of the portable storage medium 1 or a failure attack from the outside, the code of the multiplexing module 4 is falsified. Since the processing result of the execution module 30 included in the program 3 and the processing result of the multiplexing module 4 corresponding to the execution module 30 are not the same because the program 3 does not enter the state, if the NVM 10 is abnormal for some reason, the portable storage medium 1 Can be judged by the side.

  The load unit 21 included in the operating system 2 of the portable storage medium 1 according to the present embodiment is means for loading the program execution file 100 and the multiplexed module execution file 101 into the NVM 10.

  In the present embodiment, the multiplexing module 4 that multiplexes the execution module 30 included in the program 3 is mounted on the NVM 10 in the form of an execution file. Therefore, the timing for loading the multiplexing module execution file 101 into the NVM 10 is the program execution file. 100 may be simultaneously loaded or after the program execution file 100 is loaded.

  From here, operation | movement of the load part 21 which the operating system 2 has is demonstrated. FIG. 5 is a diagram for explaining the operation when the multiplexed module execution file 101 is loaded into the NVM 10 simultaneously with the program execution file 100.

  When the multiplexed module execution file 101 is loaded into the NVM 10 at the same time as the program execution file 100, the system that cooperates with the portable storage medium 1 is an unillustrated issuing system. From the issuing system to the portable storage medium 1, A load command for loading the program execution file 100 and the multiplexed module execution file 101 into the NVM 10 is transmitted (S10).

  This load command includes the code of the program 3 as data related to the program execution file 100. Further, the load command includes either the execution module specifying information or the code of the multiplexing module 4 in addition to the meta information 102 as data related to the multiplexing module execution file 101. Here, the execution module specifying information is information indicating the execution module 30 corresponding to the multiplexing module 4, and is, for example, the address of the execution module 30 or the name of the execution module 30.

  When the load unit 21 of the operating system 2 receives a load command for loading the program execution file 100 and the multiplexed module execution file 101 into the NVM 10, first, the code of the program 3 included in the load command is written into the NVM 10. The program execution file 100 is stored in the NVM 10 (S11).

  Next, the load unit 21 of the operating system 2 confirms the data related to the multiplexed module execution file 101 included in this load command (S12), and if the data related to the multiplexed module execution file 101 is execution module specifying information. For example, the code of the execution module 30 indicated by the execution module specifying information is specified from the program execution file 100, the code of the specified execution module 30 is written in the NVM 10 as the code of the multiplexing module 4, and the meta information 102 is further stored in the NVM 10. By writing, the multiplexed module execution file 101 to which the meta information 102 is added is stored in the NVM 10 (S13), and this procedure ends.

  In addition, if the data related to the multiplexed module execution file 101 is the code of the multiplexed module 4, the load unit 21 of the operating system 2 writes the code of the multiplexed module 4 and the meta information 102 into the NVM 10 so that the meta information The multiplexed module execution file 101 to which 102 is added is stored in the NVM 10 (S13), and this procedure ends.

  FIG. 6 is a diagram for explaining the operation when loading the multiplexed module execution file 101 into the NVM 10 after loading the program execution file 100 into the NVM 10.

  When loading the program 3 into the NVM 10, first, a load command for loading the program execution file 100 into the NVM 10 is transmitted from the issuing system to the portable storage medium 1 (S20). The load command includes the code of the program 3, and the load unit 21 of the operating system 2 writes the code of the program 3 into the NVM 10 so that the program execution file 100 is stored in the NVM 10 (S21).

  Next, a load command for loading the multiplexed module execution file 101 into the NVM 10 is transmitted from the host system to the portable storage medium 1 (S22). As described above, in addition to the meta information 102, this load command includes either the execution module specifying information or the code of the multiplexing module 4.

  Then, the load unit 21 of the operating system 2 checks the data related to the multiplexed module execution file 101 (S23). If the data of the multiplexed module 4 is the execution module specifying information, the execution indicated by the execution module specifying information is executed. The code of the module 30 is specified from the program execution file 100, the code of the specified execution module 30 is written to the NVM 10 as the code of the multiplexing module 4, and the meta information 102 is added to the NVM 10 by adding the meta information 102. The multiplexed module execution file 101 is stored in the NVM 10 (S24), and this procedure is finished.

  In addition, if the data of the multiplexing module 4 included in the load command is the code of the multiplexing module 4, the load unit 21 of the operating system 2 writes the code of the multiplexing module 4 and the meta information 102 to the NVM 10. The multiplexed module execution file 101 to which the meta information 102 is added is stored in the NVM 10 (S25), and this procedure ends.

1 Portable storage medium 10 NVM
11 ROM
13 RAM
DESCRIPTION OF SYMBOLS 100 Program execution file 101 Multiplex module execution file 102 Meta information 2 Operating system 20 Validity verification part 21 Load part 22 Program execution management part 3 Program 30 Execution module 4 Multiplex module

Claims (3)

  An execution file storing a program having at least one execution module and meta information indicating the execution module to be multiplexed are added, and data used by the execution module indicated by the meta information is inherited to perform the same processing as the execution module The execution file storing the multiplexing module for executing the program is stored in a non-volatile memory, and when one execution module of the program is executed, the meta information is used to correspond to the executed execution module. Confirm that the execution file of the multiplexing module is mounted in a non-volatile memory. If the execution file of the multiplexing module is mounted in a non-volatile memory, the multiplexing module is executed and executed. The execution result of the execution module and the multiplexed module executed Portable storage medium validity verifying unit that the execution result of Yuru to verify whether it matches is equal to or provided in the operating system.   When the load command including the program code is received, the execution file of the program is stored in the non-volatile memory by writing the program code to the non-volatile memory, and the multiplexing module indicates the corresponding execution module When the load command including the module identification information and the meta information is received, the code of the execution module indicated by the execution module identification information is written in the nonvolatile memory as the code of the multiplexed module, and the meta information is further stored in the nonvolatile memory. The portable storage medium according to claim 1, further comprising a load unit that stores an execution file of the multiplexing module in a nonvolatile memory by writing to the nonvolatile memory. The load unit, when receiving a load command including the code of the multiplexing module and the meta information, writes the code of the multiplexing module and the meta information in the nonvolatile memory. The portable storage medium described.

Images