KR20090024093A - Access control apparatus, access control method and access control program - Google Patents

Abstract

An access control apparatus, an access control method and an access control program are provided to control the access of a data processing means to a recoding means based on a predetermined command code. A data processing unit(210) reads a command code recorded in a command code recording unit(240), and then processes various data by a controller(211) according to the command code. A data providing unit(220) generates, produces or acquires, data which is used in the processing of the data processing unit, through an operation unit(221), and then stores the data in a register(222). An access control unit(223) controls the access to data recorded in the register, and monitors the command code executed by the data processing unit to permit the access to data recorded in the register only when a predetermined command code is correctly executed.

Description

Access control apparatus, access control method and access control program

The present invention relates to an access control apparatus, an access control method and an access control program for controlling access to recording means by data processing means for processing data based on a predetermined command code.

Background Art Conventionally, a technique for preventing illegal processing by a data processing device such as a circuit board, a circuit module, an electronic device, or the like has been proposed. As a cause of the illegal operation of the data processing device, for example, it is caused by an artificial action, or is caused by an electrical or physical error. Examples of artificial actions include alteration of a control program, alteration of authentication data, and the like. As an artificial action, for example, an action such as replacing a chip (semiconductor device such as LSI) in the data processing device with an illegal chip, or adding an illegal chip in the data processing device, may be used. These are mainly intended to cause the data processing device to perform a process in accordance with its own interests by a person with intention of negation.

Examples of electrical and physical errors include a case where the code string of the instruction code of the processing performed by the chip changes due to a bit error or the like at the time of reading the instruction code (patch). In this case, the processing of the data processing device may be stopped due to an error, or the processing of the data processing device may be congested, and unintended processing of the user may be performed sequentially.

In order to prevent such illegal processing, for example, when a CPU compares the result of the verification, the means for monitoring the execution address of the application program or the means for monitoring the execution time of the application program is operated. A microprocessor configured to execute an application program at the same time, to stop the operation of the device when the program crosses an area or when the program execution time elapses, and to execute the application program when the authentication code is matched by comparison. Is proposed (for example, refer following patent document 1).

For example, a table holding a value of a program counter in a register, a table holding an address of a protected area on a memory, and a table holding an address of an instruction permitted to access the protected area, The access detection circuit determines whether or not the access command is to the protected area based on the result of the command decryption and the comparison result of the address of the access destination and the address of the table. When an access command to the protected area is detected, the comparison circuit compares the addresses of the register and the table, and outputs a prohibition signal when it is determined that the command is read from an area where access to the protected area is not permitted. A technique for prohibiting unauthorized memory access has been proposed (see, for example, Patent Document 2 below).

[Patent Document 1] Japanese Unexamined Patent Publication No. 6-327831

[Patent Document 2] Japanese Unexamined Patent Publication No. 10-228421

However, according to the technique related to Patent Document 1 described above, the alteration of a program (or an unintended change, which is the same below) can be detected, but the microprocessor itself is replaced with an illegal product or an illegal chip outside the microprocessor. There is a problem in that it cannot detect that the back is added. Replacement to an illegal product or addition of an illegal chip can be performed relatively easily by the owner of the data processing device or the like. For this reason, there is a problem that if the replacement of the illegal chip or the addition of the illegal chip cannot be detected, the prevention of the illegality of the chip cannot be achieved.

Moreover, according to the technique which concerns on the above-mentioned patent document 1, there is a problem that it is not possible to change a program itself, but to detect the irregularity which alters the data read by a program.

Moreover, according to the technique which concerns on patent document 2, there exists a problem that the process of a negative detection process becomes complicated, and the difficulty of development and design becomes high in order to decode an instruction code and read a program counter value. Moreover, according to the technique concerning patent document 2, since the access control function is mounted in a CPU, there exists a problem that it cannot apply to the data processing device using an existing CPU.

An object of the present invention is to provide an access control apparatus, an access control method, and an access control program which can prevent an illegal process by a data processing device in order to solve the problems caused by the above-described prior art.

In order to solve the above problems and achieve the object, the access control device according to the invention of claim 1 controls access to recording means by data processing means for processing data based on a predetermined command code. Access to the recording means by the data processing means based on the acquiring means for acquiring the information about the instruction code executed by the data processing means and the information about the instruction code acquired by the acquiring means, by the apparatus It characterized in that it comprises a control means for controlling the.

According to the invention of claim 1, access to the recording means by the data processing means can be controlled based on the command code executed by the data processing means. In this way, it is possible to prevent the data recorded in the recording means from being illegally rewritten or the data being read incorrectly by the wrong processing of the data processing means. Data processing is performed by repeating "read data", "calculation of data" and "write data". According to the invention of claim 1, control of "reading data" and "writing of data" can be performed only at the time of execution of a valid command code, thereby preventing an illegal process from being executed.

Further, in the access control apparatus according to the invention of claim 2, in the invention according to claim 1, the acquiring means acquires a code string of an instruction code executed by the data processing means, and the control means has a predetermined code string. In the case of the code string, the access to the recording means is permitted.

According to the invention of claim 2, it is possible to access the recording means only when the instruction code executed by the data processing means is a predetermined code string. As a result, the command code rewritten by wrong or the wrong code by the wrong data or the like is executed, thereby preventing the data recorded in the recording means from being illegally rewritten or the data being read illegally. .

Further, in the access control apparatus according to the invention of claim 3, in the invention according to claim 1 or 2, the command code is recorded in a command code recording means, and the acquiring means is a command code executed by the data processor. The recording position information in the recording means for command code is acquired, and the judging means permits access to the recording means when the recording position of the command code is a predetermined position.

According to the invention of claim 3, it is possible to access the recording means only when the instruction code executed by the data processing means is recorded at a predetermined position. In this way, by executing the command code recorded at the wrong position, it is possible to prevent the data recorded in the recording means from being illegally rewritten or the data being read incorrectly.

Further, in the access control apparatus according to the invention of claim 4, in the invention according to any one of claims 1 to 3, the command code is recorded in the command code recording means, and the command recorded in the command code recording means. Computing means for performing a predetermined operation by using at least a part of the code, wherein said acquiring means acquires the calculated value calculated by said computing means, and said control means, when said calculated value is a predetermined value, said recording means. To allow access to the network.

According to the invention of claim 4, it is possible to detect that the command code recorded in the command code recording means is illegally rewritten.

Further, in the access control apparatus according to the invention of claim 5, in the invention according to any one of claims 1 to 3, the command code is recorded in the command code recording means, and the predetermined value recorded in the command code recording means. Calculating means for performing a predetermined calculation using a fixed value of?, Wherein said obtaining means obtains the calculated value calculated by said calculating means, and said control means, when said calculated value is a predetermined value, transfers said recording means to said recording means. And permitting access.

According to the invention of claim 5, it is possible to detect that the recording means for command code has been replaced with the wrong recording means.

Further, the access control apparatus according to the invention of claim 6 is the invention according to any one of claims 1 to 5, wherein the control means controls access to a specific address space of the recording means.

According to the invention of claim 6, by controlling access to the address space in which the important information such as confidential information is recorded among the recording means, it is possible to prevent the important information from being illegally rewritten or read incorrectly.

Further, the access control apparatus according to the invention of claim 7 is provided with any one of claims 1 to 6, wherein the access control apparatus is provided with notification means for notifying a control status of access to the recording means by the control means. It is done.

According to the invention of claim 7, in the case where access to the recording means by the data processing means is denied, that is, when there is a possibility that unauthorized access has been performed by the data processing means, the user or the like is notified of the fact, and the data Unauthorized processing by the processing means can be prevented.

Further, the access control method according to the invention of claim 8 is an access control method for controlling access to recording means by data processing means for processing data based on a predetermined command code, the command being executed by the data processing means. And a control step of controlling access to the recording means by the data processing means based on the acquisition step of acquiring information on the code and the information on the command code acquired at the acquisition step.

According to the invention of claim 8, access to the recording means by the data processing means can be controlled based on the command code executed by the data processing means. As a result, it is possible to prevent the data recorded in the recording means from being illegally rewritten or the data being read incorrectly by the wrong processing of the data processing means. Data processing is performed by repeating "read data", "calculation of data" and "write data". According to the eighth aspect of the present invention, by controlling the "reading of data" and "writing of data" to be performed only at the time of executing a valid instruction code, it is possible to prevent an illegal process from being executed.

Moreover, the access control program concerning the invention of Claim 9 makes a computer run the access control method of Claim 8. It is characterized by the above-mentioned.

According to the invention of claim 9, access to the recording means by the data processing means can be controlled based on the command code executed by the data processing means. As a result, it is possible to prevent the data recorded in the recording means from being illegally rewritten or the data being read incorrectly by the wrong processing of the data processing means. Data processing is performed by repeating "read data", "calculation of data" and "write data". According to the invention of claim 9, by controlling the "reading of data" and "writing of data" to be performed only when the legitimate instruction code is executed, it is possible to prevent the illegal processing from being executed.

According to the access control apparatus, the access control method, and the access control program according to the present invention, unauthorized processing by the data processing device can be prevented.

EMBODIMENT OF THE INVENTION Below, with reference to an accompanying drawing, preferred embodiment of the access control apparatus, an access control method, and an access control program which concern on this invention is described in detail.

(Embodiment 1)

(Hardware Configuration of Data Processing Apparatus 100)

First, a hardware configuration of the data processing apparatus 100 according to the first embodiment will be described. 1 is a block diagram showing a hardware configuration of a data processing apparatus. In the following description, an example in which the present invention is applied to a personal computer as an example of the data processing apparatus 100 will be described.

In FIG. 1, the data processing apparatus 100 includes a CPU 101, a ROM 102, a RAM 103, a magnetic disk drive 104, a magnetic disk 105, and an optical disk drive 106. And an optical disk 107, an audio I / F 108 (interface), a microphone 109, a speaker 110, an input device 111, a video I / F 112, and a display 113 ), A communication I / F 114 (interface), and an external connection I / F 115 are provided. In addition, each component 101-115 is connected by the bus 120, respectively.

First, the CPU 101 is in charge of controlling the entire data processing apparatus 100. The ROM 102 records programs such as a boot program, communication program, data analysis program, and the like. In addition, the RAM 103 is used as a work area of the CPU 101.

The magnetic disk drive 104 controls reading / writing of data to the magnetic disk 105 under the control of the CPU 101. The magnetic disk 105 records data recorded under the control of the magnetic disk drive 104. As the magnetic disk 105, for example, HD (hard disk) or FD (flexible disk) can be used.

The optical disc drive 106 controls reading / writing of data to the optical disc 107 under the control of the CPU 101. The optical disc 107 is detachable recording means for reading data under the control of the optical disc drive 106. The optical disc 107 may use recordable recording means. The removable recording means may be an MO, a memory card, or the like in addition to the optical disk 107.

The voice I / F 108 is connected to a microphone 109 for voice input and a speaker 110 for voice output. The voice picked up by the microphone 109 is A / D converted within the voice I / F 108. In addition, audio is output from the speaker 110. In addition, the input device 111 may include a remote controller, a keyboard, a mouse, a touch panel, and the like having a plurality of keys for inputting characters, numerical values, various instructions, and the like.

Image I / F 112 is connected to display 113. Specifically, the video I / F 112 includes, for example, a graphics controller that controls the entire display 113, a buffer memory such as a VRAM (Video RAM) that temporarily records image information that can be displayed immediately, and graphics. It is comprised by the control IC etc. which display-control the display 113 based on the image data output from a controller.

The display 113 displays icons, cursors, menus, windows, and various data such as text and images. This display 113 can employ | adopt a CRT, TFT liquid crystal display, a plasma display, etc., for example.

The communication I / F 114 is connected to a network and functions as an interface between the network and the CPU 101.

The external connection I / F 115 is an interface for connecting with an external device. The connection between the external connection I / F 115 and an external device may be wired using a cable or the like, or may be wireless. The external connection I / F 115 is configured by, for example, a port of a dedicated connection cable, a port for wireless communication, or the like.

Next, the functional configuration of the data processing unit 200 in the data processing apparatus 100 will be described. The data processing unit 200 functionally illustrates a configuration for performing substantial data processing among the hardware configurations of the data processing apparatus 100 shown in FIG. 1. 2 is a block diagram showing the functional configuration of a data processing unit according to the first embodiment. The data processing unit 200 is constituted by a data processing unit 210, a data providing unit 220, a data recording unit 230, and a command code recording unit 240. In addition, each structure of the data processing unit 200 is comprised on the same board | substrate or the same module (semiconductor device etc.), for example.

The data processing unit 210 is, for example, the CPU 101, and reads the command code (more specifically, the code string of the command code) recorded in the command code recording unit 240 to be described later (patch), and writes to the command code. Therefore, the control unit 211 performs various data processing. The data processor 210 is configured by a controller 211, a calculator 212, and a register 213. The control unit 211 outputs a signal to the bus 120 connecting the components of the data processing apparatus 100, reads out data, and controls the operation of the entire data processing apparatus 100. The calculation unit 212 performs various operations on the data read in the register 213 described later. The register 213 temporarily holds the data processed by the operation unit 212, or holds the command code read from the command code recording unit 240 to be described later or the address on which it is recorded.

The data provider 220 is, for example, a random number generator, arithmetic circuit, or the like, and the calculator 221 generates, calculates, or acquires data for use in the process of the data processor 210. The data provider 220 has a register 222 for recording data generated or calculated by the calculator 221. In addition, access to the data recorded in the register 222 is controlled by the access control unit 223.

The access control unit 223 controls the reading (access) of data recorded in the register 222 or the writing of data to the register 222. Specifically, the access control unit 223 monitors the command code executed by the data processing unit 210 and reads the data recorded in the register 222 or registers 222 only when the predetermined command code is correctly executed. Permit the recording of data for

More specifically, the access control unit 223 is, for example, the recording source of the command code (the address in the command code recording unit 240) of the command accompanying the access to the register 222 among the commands executed by the data processing unit 210. ) And the code string of the command code. Then, the access control unit 223, for example, in the case where the command executed by the data processing unit 210 is the command code recorded at a previously permitted address and is a code string previously permitted, the register 222 is stored in the register 222. Access to the recorded data and writing of data to the register 222 are allowed. The access control unit 223 may monitor both of an address and a code string, or may monitor only one of them. In addition, the command code determined as an allowable command code may be singular or plural.

The data recording unit 230 is a ROM 102, a magnetic disk 105, an optical disk 107, or the like, and records data processed by the data processing unit 210, data acquired from another device, program data, and the like. The data recording unit 230 is constituted by the recording area 231 and the access control unit 232. The recording area 231 holds data recorded in the data recording unit 230. The access control unit 232 controls access to data recorded in the recording area 231 and recording of data in the recording area 231. Specifically, the access control unit 232, like the access control unit 223, monitors the command code executed by the data processing unit 210. Then, the access control unit 232 permits access to the data recorded in the recording area 231 only when the predetermined command code is correctly executed.

In the above description, the data providing unit 220 and the data recording unit 230 are configured to be separated. However, the configuration may be integrated. In addition, although the data providing part 220 and the data recording part 230 and the access control parts 223 and 232 are formed, respectively, you may make it the structure which forms only one access control part. In addition, the path connecting the control unit 211 and the access control units 223 and 232 of the data processing unit 210 may be a physically identical path or may be a redundant individual path.

The command code recording unit 240 is a ROM 102, a magnetic disk 105, an optical disk 107, or the like, and records a command code of a command executed by the data processing unit 210. The data processing unit 210 reads the command code recorded in the command code recording unit 240 and performs various data processing according to the command code. As shown in FIG. 2, the command code recording unit 240 may be formed separately from the data processing unit 210 or may be formed inside the data processing unit 210.

Here, the structure of the command code recording unit 240 will be described with reference to FIG. 3 is an explanatory diagram schematically showing an example of the structure of the command code recording unit. In the recording area 310 of the command code recording unit 240, an address is allocated for each predetermined area (e.g., every 1 byte). In the illustrated example, addresses 0x000 to 0xNNN are allocated to the recording area 310, and each address shows an area for one byte. For example, the instruction code string 0xABCDEFGH is stored in the area indicated by the address Ox100. In the area indicated by the address 0x104, an instruction code string 0xJKLMNOPQ is stored. The data processing unit 210 reads the command code stored in the area starting from the designated address and performs processing in accordance with the read command code.

(Example of data processing by the data processing unit 210)

Next, an example of data processing performed by the data processing unit 210 will be described. 4 is a flowchart showing a procedure of an example of data processing performed by a data processing unit. Although the data processing unit 210 performs various types of processing, here, for example, a case of performing authentication processing on a connection device or the like connected to the data processing apparatus 100 will be described as an example.

Various apparatuses and devices can be connected to the data processing apparatus 100, but apparatuses and devices not approved by the user or the manufacturer are illegally connected, causing malfunction of the data processing apparatus 100, or data processing apparatuses. There is a fear that the data stored in the 100 may be altered or stolen. In order to prevent this, the data processing apparatus 100 periodically performs authentication processing on the connection device or the like connected to the data processing apparatus 100.

In the flowchart of FIG. 4, the data processing unit 210 first obtains authentication data from a connected device or device (hereinafter referred to as a "connected device") (step S401), and uses the obtained authentication data. The verification value V is generated by the data providing unit 220 (step S402). The verification value V is a value used when authenticating a connected device. The data provider 220 generates the verification value V in the calculator 221 and stores the verification value V in the register 222. The authentication data acquired in step S401 may be used as the verification value V as it is.

Subsequently, the data processing unit 210 reads the verification value V from the register 222 of the data providing unit 220 (step S403). The data processing unit 210 temporarily stores the read verification value V in the register 213 (step S404). The data processing unit 210 then records the verification value V in the recording area 231 of the data recording unit 230 (step S405). Subsequently, the data processing unit 210 generates the expected value P by the data providing unit 220 (step S406). Expected value P is a value used as a control of verification value V. The data provider 220 generates the expected value P in the calculator 221 and stores the expected value P in the register 222.

The data processing unit 210 reads the expected value P from the register 222 of the data providing unit 220 (step S407), and also reads the verification value V from the recording area 231 of the data recording unit 230 (step S408). Then, the data processing unit 210 checks the verification value V and the expected value P (step S409), and determines whether the matching result is correct (step S410). Whether or not the matching result is correct is determined by, for example, whether or not a predetermined relationship is established between the verification value V and the expected value P (for example, verification value V = expected value P).

If the matching result is correct (step S410: Yes), the data processing unit 210 authenticates the connected device (step S411), and ends the processing by this flowchart. On the other hand, when the matching result is incorrect (step S410: No), the data processing unit 210 ends the processing by this flowchart without authenticating the connected device (step S412). If the connected device is not authenticated, the data processing unit 210 displays an error message on the display 113 of the data processing device 100, for example, to notify that an illegal device is connected, or to communicate with the connected device. Cut the connection.

By the above processing, the data processing unit 210 performs authentication processing on the connected device or the like connected to the data processing apparatus 100. However, for example, the authentication process may be altered so that an illegal device is authenticated by a malicious person (hereinafter referred to as "malicious person").

For example, the verification value V is recorded in the recording area 231 of the data recording unit 230 in step S405. At this time, what is recorded in the recording area 231 is originally a verification value V temporarily stored in the register 213 of the data processing unit 210 (see step S404). However, due to an incorrect command code, the value recorded in the recording area 231 is set to a value recorded in a place other than the register 213 (or an area other than the area in which the verification value V is stored in the register 213). It becomes possible.

For example, the verification value V is read from the register 222 of the data providing unit 220 in step S403. At this time, the value to be read can be set to a value recorded in a place other than the register 222 (or an area other than the area in which the verification value V is stored in the register 222). This denial is made possible by, for example, branching the processing of the data processing unit 210 by an illegal patch or the like.

If such denial is performed, correct authentication cannot be performed, and connection of an illegal device becomes possible. For this reason, in the data processing unit 200, the access control unit 223 is formed in the data providing unit 220, and the access control unit 232 is formed in the data recording unit 230, respectively, so that the register 222 or the recording area 231 are provided. Control access (write, read) from the data processing unit 210 to the. This prevents the unauthorized apparatus from being authenticated by the execution of the illegal instruction code.

(Access Control by Access Control Units 223 and 232)

It is explanatory drawing which shows the outline | summary of access control by an access control part. In addition, in FIG. 5, the structure of the data processing unit 200 is abbreviate | omitted for convenience of description.

As shown in FIG. 5, for example, the command code permitted by the access control unit 232 of the data recording unit 230 is referred to as code string 0xJKLMNOPQ (write command) stored at address 0x104 of the command code recording unit 240. . At this time, the code string 0xJKLMNOPQ (write command) is recorded in the command code recording unit 240 in the normal time. When the data processing unit 210 reads and executes the code string 0xJKLMNOPQ of the read command stored at the address 0x104 of the normal command code recording unit 240 (arrow display α), the access control unit 232 stores the recording area 231. Allow the recording of data for.

By the way, for example, it is assumed that the code string 0xPOIUYTRE (write command) of an illegal command code is recorded in address 0x200 of the command code recording unit 240 as in the case of the negative example 1. In this case, even if the data processing unit 210 reads and executes the code string 0xPOIUYTRE (write command) at address 0x200 (arrow indication β), the access control unit 232 writes because it is not a command read from the permitted address. Do not allow access to the area 231 (deny the write command).

For example, as in the negative example 2, it is assumed that the code string 0xLKJHGFDS of the invalid command code is inserted into the address 0x080 of the command code recording unit 240. This incorrect command code is, for example, a command for changing a value recorded in the recording area 231. However, when this instruction is inserted, the permitted storage location of the instruction is shifted, and the storage location of the code string 0xJKLMNOPQ (write instruction) becomes the address 0x108.

For this reason, even if the data processing unit 210 reads and executes the code string 0xJKLMNOPQ (write command) at address 0x108 (arrow indication?), The access control unit 232 writes because it is not a command read from the permitted address. Do not allow access to the area 231 (deny the write command). As a result, even if the recording value is changed by the invalid code string 0xLKJHGFDS, the value is not recorded in the recording area 231, thereby preventing the illegal processing.

In addition, when access to the register 222 or the like is denied from the access control units 223 and 232, the data processing unit 210 may be notified that there is a possibility that illegality has been performed. Specifically, for example, an error message is displayed on the display 113, an error message is output from the microphone 109, or the like. For example, an error message may be sent to the manufacturer or manager of the data processing apparatus 100 via the communication I / F 114. As a result, the user or the like may recognize that the data processing unit 200 may have been subjected to an irregularity, and measures such as investigation and repair can be achieved.

6 is a flowchart showing a procedure of data authentication processing by the access control unit. Here, the processing of the access control units 223 and 232 in the processing of steps S403 to S405 (until the verification value V is read from the data providing unit 220 and recorded in the data recording unit 230) in FIG. 4. It explains. In the flowchart of FIG. 6, the access control unit 223 of the data providing unit 220 reads the data (verification value V generated in step S402 of FIG. 4) stored in the register 222 by the data processing unit 210. Wait until (Step S601: No loop).

When the data processing unit 210 executes a read command (step S601: Yes), the access control unit 223 determines whether or not the command executed by the data processing unit 210 is a read command to be allowed (step S602). Whether or not the read command to be permitted is, for example, whether the address in which the read command is stored (the address at the time of the instruction patch) is the permitted address or the code string of the command executed by the data processing unit 210. It is judged by whether or not it matches the code string of the instruction.

If the instruction executed by the data processing unit 210 is a read instruction allowed (step S602: Yes), the access control unit 223 outputs the data (verification value V) stored in the register 222 to the data processing unit 210. (Step S603). The output data is temporarily stored in the register 213 of the data processing unit 210.

On the other hand, when the instruction executed by the data processing unit 210 is not a read instruction allowed (step S602: No), the data stored in the register 222 (verification value V) is not output to the data processing unit 210. The flow advances to step S604. At this time, since there is no output from the data providing unit 220 in the register 213 of the data processing unit 210, an illegal value such as "0000" or "1111" is stored. This illegal value may be set as a predetermined value, and when the value is stored in the register 213, it may be notified that there is a possibility that negation has been performed. Here, the predetermined value is a group of plural kinds of fixed values, a fluctuation value for which a fluctuation rule has been determined in advance.

In addition, the notification that the illegality has been performed may cause a predetermined message, a mark, or the like to be displayed on the display 113 of the data processing apparatus 100, or a predetermined voice message or the like may be transmitted from the microphone 109. Outputting sound effects. In addition, for example, via a communication I / F 114 or an external connection I / F 115, a predetermined message is transmitted (outputted) to another device, or the other device is used to display the above message or output audio. The control signal may be outputted to the controller.

Subsequently, the access control unit 232 of the data recording unit 230 waits until the data processing unit 210 executes a write command of the data (verification value V) stored in the register 222 (step S604: No loop). ). When the data processing unit 210 executes the write command (step S604: Yes), the access control unit 223 determines whether the command executed by the data processing unit 210 is the write command to be allowed (step S605). The determination as to whether or not the write command to be permitted is performed by the same processing as that in step S602.

If the command executed by the data processing unit 210 is a write command permitted (step S605: Yes), the access control unit 232 records the data temporarily stored in the register 213 of the data processing unit 210 in the recording area 231. ), And the process by this flowchart is complete | finished. On the other hand, when the command executed by the data processing unit 210 is not a write command permitted (step S605: No), the processing by this flowchart is terminated without recording data in the recording area 231. FIG. At this time, the data processing unit 210 may notify the user or the like that there is a possibility that illegality has been performed.

By the above processing, the access control units 223 and 232 monitor the command codes executed by the data processing unit 210 so as not to access the data by the execution of the wrong command codes. As a result, the unauthorized apparatus can be prevented from being authenticated by the execution of the illegal instruction code.

For example, a denial in which each device of the data processing unit 200 is interpreted and replicated at the transistor level, or the memory type of the regular command code recording unit 240 is interpreted and replaced with a memory of the same type that records an invalid command code It may be done. It is difficult to detect such negation in a conventional negation detection method. However, since the data processing unit 200 monitors the code string and the storage address of the command code, such an irregularity can be detected.

In addition, according to the data processing unit 200, in addition to the artificial denial as described above, malfunction of the data processing apparatus 100 due to electrical causes such as wrong data can be prevented. 7 is an explanatory diagram showing another example of access control by the access control unit. For example, as shown in FIG. 7, the command code allowed by the access control unit 232 of the data recording unit 230 is stored in the read command stored at address 0x100 of the command code recording unit 240 and the address 0x104. This is called a stored write command. The code string 0xABCDEFGH (lead command) is recorded at address 0x100 of the command code recording unit 240.

Here, when the data processing unit 210 reads the command code, incorrect data ("1" becomes "0", etc.) may occur in the command code. As a result, the code string 0xABCDEFGH (lead command) read by the data processing unit 210 from address 0x100 may be replaced with, for example, the code string 0xABCDEFGI (write instruction) (arrow display?). In this case, when the data processing apparatus 100 executes the code string 0xABCDEFGI (write command), there is a possibility that the data of the data recording unit 230 is rewritten in an unexpected manner.

However, since the access control unit 232 monitors the command code executed by the data processing unit 210, even if the command A 'is executed as a write command (arrow display epsilon), the patch address of the command is 0x100. Recording to the recording area 231 is not allowed. In this case, not only the patch address but also the command code string executed by the data processing unit 210 may be monitored.

As described above, according to the data processing unit 200, it is possible to prevent the important data from being erased due to a malfunction even when erroneous data is generated when the command code is read. In addition, when applied to the above-described read command, important data can be prevented from being read due to malfunction.

Further, according to the data processing unit 200, since only the bit pattern is compared without decoding the command code or reading the program counter value, the process of the fraud detection process is not complicated, and the difficulty of development and design is reduced. can do. Moreover, according to the data processing unit 200, since the access control function is not mounted in the data processing unit 210, it can be applied to a data processing device using the existing data processing unit 210 (CPU or the like). In addition, according to the data processing unit 200, the security strength can be determined mainly using the configuration (data recording unit 230, etc.) on the side accessed by the data processing unit 210.

(Embodiment 2)

In Embodiment 1, the access control part monitored the instruction code or the storage address of the instruction code. In Embodiment 2 described below, in addition to monitoring the command code or the storage address of the command code, the access control unit monitors the check value calculated from the command code. Thereby, the precision of the false detection by an access control part can be improved. In addition, in the following description, about the structure similar to Embodiment 1, the same code | symbol is attached | subjected and detailed description is abbreviate | omitted.

8 is a block diagram showing a functional configuration of a data processing unit according to the second embodiment. The data processing unit 800 according to the second embodiment, like the data processing unit 200 according to the first embodiment, is configured to perform substantial data processing among the hardware configurations of the data processing apparatus 100 shown in FIG. 1. It is functionally illustrated. The data processing unit 800 is constituted by a data processing unit 210, a data providing unit 220, a data recording unit 230, a command code recording unit 240, and a check value calculating unit 810. Each configuration of the data processing unit 210, the data providing unit 220, and the data recording unit 230 is the same as that of the data processing unit 200 according to the first embodiment.

The check value calculator 810 acquires the code string of the command code executed by the data processor 210 from the command code recorder 240. Then, a check value for checking the validity of the command code is calculated from the code string obtained from the command code recording unit 240. The check value calculated by the check value calculating unit 810 is used for controlling the reading of data to the register 222 and the recording area 231 by the access control units 223 and 232.

Here, the check value is, for example, a value calculated from all (or part) command codes recorded in the command code recording unit 240. For example, the check value calculating unit 810 may perform calculation, parity check, and cyclic redundancy check (CRC) by a hash function on all command codes recorded in the command code recording unit 240. A check value is calculated by performing an error detection operation such as a checksum. In this way, the check value is calculated from the command code actually recorded in the command code recording unit 240. Therefore, by performing the check using the check value, it is possible to detect an illegal rewrite of the command code recorded in the command code recording unit 240, an illegal replacement of the command code recording unit 240, or the like.

As described in the first embodiment, the access control units 223 and 232 monitor the command code executed by the data processing unit 210 to determine whether the predetermined command code is correctly executed. In addition, in Embodiment 2, it is judged whether the check value calculated by the check value calculation part 810 is equal to the expected value of a check value (or whether it exists in a predetermined relationship). In this way, by combining the collation of the instruction code itself and the collation of the check value, it is possible to more reliably detect an irregularity.

The expected values used by the access control units 223 and 232 for matching are recorded in advance in the access control units 223 and 232, for example, at the time of manufacture. In addition, the expected values used by the access control units 223 and 232 for matching may be transmitted to the access control units 223 and 232 from other components. The other component is, for example, a data processor 210 or a dedicated processor (hereinafter referred to as an "expected value calculator") for generating an expected value of a check value. The data processor 210 and the expected value calculator may transmit the pre-recorded expected values to the access controllers 223 and 232, or may generate the expected values for each collation process. In addition, the coefficient required for calculating the expected value may be transmitted from the external device to the data processing unit 210 or the expected value calculation unit through an external connection I / F 115 (see FIG. 1). In this way, if the access control units 223 and 232 are acquired from another configuration unit without recording the expected value of the check value data in advance, the check value of the command code recording unit 240 can be changed later.

Next, the check value calculation process by the check value calculation unit 810 will be described. 9 is a flowchart showing a procedure of check value calculation processing by the check value calculation unit. In the flowchart of Fig. 9, the check value calculating unit 810 waits until the request for obtaining the check value is received from the access control units 223 and 232 (step S901: No loop).

Upon receiving the request to acquire the check value (step S901: Yes), the check value calculation unit 810 reads all (or part) the command code from the command code recording unit 240 (step S902), and reads the read value. An operation for error detection is performed to calculate a check value (step S903). Then, the check value calculating unit 810 transmits the value (check value) calculated by the operation performed in step S903 to the access control units 223 and 232 (step S904), and ends the processing by this flowchart.

In the flowchart of Fig. 9, the check value calculating unit 810 receives the request for obtaining the check value from the access control units 223 and 232, but calculates the check value, but is not limited to this. For example, the check value calculating unit 810 may generate a check value and transmit the check value to the access control units 223 and 232 when a predetermined condition is established.

Subsequently, data authentication processing by the access control units 223 and 232 will be described. 10 and 11 are flowcharts showing the procedure of data authentication processing by the access control unit. Here, as in the flowchart of FIG. 6, the access control unit (in the processing of steps S403 to S405 (until the verification value V is read from the data providing unit 220 and recorded in the data recording unit 230) of FIG. 4). The processing of 223 and 232 will be described. In the flowchart of FIG. 10, the access control unit 223 of the data providing unit 220 reads the data (verification value V generated in step S402 of FIG. 4) stored in the register 222 by the data processing unit 210. Wait until (Step S1001: No loop).

When the data processing unit 210 executes a read command (step S1001: Yes), the access control unit 223 determines whether the command executed by the data processing unit 210 is a read command to be allowed (step S1002). If the command executed by the data processing unit 210 is a read command permitted (step S1002: Yes), the access control unit 223 transmits a request for obtaining the check value to the check value calculating unit 810 (step S1003), The check value is received from the check value calculation unit 810 (step S1004). At this time, the access control unit 223 may acquire a plurality of divided check values. In this case, the access control unit 223 performs later processing after integrating a plurality of divided check values.

Next, the access control unit 223 obtains the expected value of the check value (step S1005). The access control part 223 acquires an expectation value, for example by reading the expectation value previously recorded, or receiving the expectation value which the data processing part 210 and the expectation value calculation part produced | generated.

The access control unit 223 then determines whether or not the check value received in step S1004 and the expected value acquired in step S1005 coincide (step S1006). Further, the access control unit 223 may determine whether the check value and the expected value are in a predetermined relationship, not whether the check value and the expected value match. The predetermined relationship is, for example, a relationship in which a value of performing a predetermined operation on a check value is equal to an expected value.

If the check value and the expected value match (step S1006: Yes), the access control unit 223 outputs the data (verification value V) stored in the register 222 to the data processing unit 210 (step S1007). The output data is temporarily stored in the register 213 of the data processing unit 210. On the other hand, when the check values do not match (step S1006: No), or when the instruction executed by the data processing unit 210 is not a read instruction allowed (step S1002: No), the access control unit 223 registers 222. ) Does not output the data (verification value V) to the data processing unit 210, and the process proceeds to step S1008 (see FIG. 11).

In view of the description of FIG. 11, the access control unit 232 of the data recording unit 230 waits until the data processing unit 210 executes a write command of data (verification value V) stored in the register 222 (step S1008). : No loop). When the data processing unit 210 executes the write command (step S1008: Yes), the access control unit 223 determines whether the command executed by the data processing unit 210 is a write command to be allowed (step S1009).

If the command executed by the data processing unit 210 is a write command permitted (step S1009: Yes), the access control unit 232 transmits a request for obtaining the check value to the check value calculating unit 810 (step S1010), The check value is received from the check value calculation unit 810 (step S1011). Next, the access control part 232 acquires the expected value of a check value (step S1012).

Then, the access control unit 223 determines whether or not the check value received in step S1011 and the expected value acquired in step S1012 coincide (step S1013). The processing of steps S1010 to S1013 is performed by the same processing as that of steps S1003 to S1006 (see FIG. 10).

If the check value and the expected value match (step S1013: Yes), the access control unit 232 records the data temporarily stored in the register 213 of the data processing unit 210 in the recording area 231 (step S1014). ), The processing by this flowchart is finished. On the other hand, when the check value and the expected value do not match (step S1013: No) or when the command executed by the data processing unit 210 is not a write command permitted (step S1009: No), the recording area 231 The process by this flowchart is complete | finished without recording data in. At this time, the data processing unit 210 may notify that there is a possibility that negation has been performed.

In the above description, the check value is calculated from the command code. However, instead of the command code, for example, the check value is written using data recorded in the command code recording unit 240 (hereinafter referred to as "check value data"). The value may be calculated. The check value data is fixed data recorded in the command code recorder 240, for example. The check value data is not limited to fixed data, and may be, for example, fluctuation data that can accurately predict data values before and after fluctuation. Specifically, the data value before and after the change can be predicted specifically, for example, when the change range is defined or when the change rule is determined.

The check value calculator 810 calculates a check value by reading the check value data recorded in the command code recorder 240. In addition, the access control units 223 and 232 record the expected values of the check value data in advance. The access control units 223 and 232 calculate a check value from the expected value of the check value data, and determine whether or not the check value calculation unit 810 coincides with the calculated check value (or is in a predetermined relationship). In addition, a negative value may be detected using both the check value calculated from the command code and the check value calculated from the check value data.

As described above, according to the second embodiment, the check value of the command code executed by the data processing unit 210 is calculated by the check value calculation unit 810 in accordance with the monitoring of the command code itself (embodiment state 1). Value or not (or whether it is in a predetermined relationship). In this way, by combining the collation of the instruction code itself and the collation of the check value, it is possible to more reliably detect an irregularity.

In addition, since false detection by a check value is performed in accordance with monitoring of the instruction code itself (Embodiment 1), even if the error detection method (for example, parity check etc.) which is comparatively light in processing addition is used for calculation of a check value. , A certain precision can be obtained.

In the above description, the case where the present invention is applied to a personal computer as the data processing apparatus 100 has been described. However, the present invention is, for example, various home electronic devices such as a mobile phone terminal and a home game machine, an automatic ticket machine. The present invention can also be applied to various business electronic devices such as organic groups. In this case, the data processing apparatus 100 in the above description may be various electronic devices.

The access control method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program is recorded in computer-readable recording means such as a hard disk, a flexible disk, a CD-ROM, a MO, a DVD, and the like, and is executed by reading from the recording means by a computer. The program may be a transmission medium that can be distributed through a network such as the Internet.

As described above, the access control apparatus, the access control method, and the access control program according to the present invention are useful for access control to a recording medium that records authentication information, billing information, personal information, and the like. It is suitable for an authentication server, a billing server for billing processing, and a work terminal device for handling personal information.

1 is a block diagram showing a hardware configuration of a data processing apparatus.

2 is a block diagram showing the functional configuration of a data processing unit according to the first embodiment.

3 is an explanatory diagram schematically showing an example of the structure of the command code recording unit.

4 is a flowchart showing a procedure of an example of data processing performed by a data processing unit.

It is explanatory drawing which shows the outline | summary of access control by an access control part.

6 is a flowchart showing a procedure of data authentication processing by the access control unit.

7 is an explanatory diagram showing another example of access control by the access control unit.

8 is a block diagram showing a functional configuration of a data processing unit according to the second embodiment.

9 is a flowchart showing a procedure of check value calculation processing by the check value calculation unit.

10 is a flowchart showing a procedure of data authentication processing by the access control unit.

11 is a flowchart showing a procedure of data authentication processing by the access control unit.

Explanation of symbols on the main parts of the drawings

200, 800: data processing unit

210: data processing unit

211: control unit

212: calculation unit

213: register

220: data provider

221: calculation unit

222: register

223: access control unit

230: data record

231: recording area

232: access control unit

240: command code recorder

810: check value calculator

Claims (9)

An access control apparatus for controlling access to recording means by data processing means for processing data based on a predetermined command code, Acquisition means for acquiring information about an instruction code executed by said data processing means; And control means for controlling access to the recording means by the data processing means based on the information about the command code acquired by the acquiring means. The method of claim 1, The acquiring means acquires a code string of an instruction code executed by the data processing means, And the control means permits access to the recording means when the code string is a predetermined code string. The method according to claim 1 or 2, The command code is recorded in the recording means for command code, The acquiring means acquires recording position information in the instruction code recording means of the instruction code executed by the data processing means, And the determining means permits access to the recording means when the recording position of the command code is a predetermined position. The method according to any one of claims 1 to 3, The command code is recorded in the recording means for command code, Computing means for performing a predetermined operation by using at least a part of the command code recorded in the command code recording means, The acquiring means acquires the calculated value calculated by the computing means, And the control means permits access to the recording means when the calculated value is a predetermined value. The method according to any one of claims 1 to 3, The command code is recorded in the recording means for command code, Calculating means for performing a predetermined calculation by using a predetermined fixed value recorded in the command code recording means, The acquiring means acquires the calculated value calculated by the computing means, And the control means permits access to the recording means when the calculated value is a predetermined value. The method according to any one of claims 1 to 5, And said control means controls access to a specific address space of said recording means. The method according to any one of claims 1 to 6, And an informing means for notifying a control situation of the access to the recording means by the control means. An access control method for controlling access to recording means by data processing means for processing data on the basis of a predetermined command code, An acquisition step of acquiring information about an instruction code executed by the data processing means; And a control step of controlling access to the recording means by the data processing means based on the information about the command code acquired in the acquiring step. An access control program comprising causing a computer to execute the access control method according to claim 8.

Images