KR20140112399A - Application access control method and electronic device implementing the same - Google Patents

Abstract

A method and apparatus of access control in an electronic apparatus implementing the method are provided. According to various embodiments, the method of operating an electronic apparatus includes: setting a volatile memory as a first area and a second area by a processor of the electronic apparatus including the volatile memory to further increase security of the volatile memory greater than that of the first area; temporarily storing first information drawn from hardware or firmware in the second area by the processor; temporarily storing second information in the second area by the processor; recognizing an access request for the second information of an application program temporarily stored in the first area; and authenticating using at least a portion of the application program in the second area by the processor. Other embodiments are possible.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an application access control method,

The present disclosure relates to a method of controlling access of an application to a computing asset and an electronic device implementing the same.

Electronic devices such as smart phones, tablet PCs, and the like can be loaded with memories, processors, and operating systems (OSs) and can execute various applications accordingly. Electronic devices can execute online commerce and financial transactions. In the implementation of functions such as online commerce or financial transactions, a common concern is security. For this security, the electronic device can, for example, control the access of the application to a computing asset.

 According to the related art, the access control method may be an access control method based on a public key infrastructure, a password based access control method, and a local access control method.

 A system to which an access control method based on a public key infrastructure is applied is complicated to install and maintain. In addition, if the validity period of the certificate has expired, a new certificate must be issued. Also, the integrity of the certificate is difficult to guarantee because of the risk of loss or damage of the certificate. In addition, it may be costly to issue certificates.

The password-based access control method poses a significant risk of hacking or losing a password. In fact, portal and online service providers are experiencing security problems.

An electronic device to which a local access control method is applied may not request a password from the user. However, data stored in the local storage of the electronic device may be forged or hacked. Therefore, data that requires security requires secure storage.

The present disclosure may provide a method for controlling access of an application to computing resources to safely protect computing resources and an electronic device for implementing the method.

A method of operating an electronic device according to an embodiment of the present disclosure is an operation of setting the volatile memory as a first region and a second region by a processor of an electronic device including a volatile memory, Temporarily storing first information retrieved from the hardware or firmware in the second area by the processor, wherein the second information is temporarily stored in the second area by the processor, Temporarily storing information; recognizing, by the processor, an access request for the second information of an application program temporarily stored in the first area; and

And authenticating, by the processor, using at least a portion of the application program within the second area.

A method of operating an electronic device in accordance with an embodiment of the present disclosure, the method comprising: setting, by a processor of an electronic device including a volatile memory, the volatile memory as a first region and a second region, Temporarily storing first information fetched from the hardware or firmware in the second area by the processor, wherein the first information is temporarily stored in the first area by the processor, Acquiring data representative of the application program in the second area by using at least a part of the application program stored in the first area, encrypting data representing the application program in the second area using the first information The encrypted application program, And storing the represented data in a non-volatile storage of the electronic device.

The electronic device according to one embodiment of the present disclosure includes a volatile memory, a non-volatile storage device, a hardware storage device, and a processor, wherein the processor sets the volatile memory as a first area and a second area, Temporarily storing first information fetched from the hardware storage device in a second area; Temporarily storing second information in the second area, recognizing an access request for the second information of the application program temporarily stored in the first area, and recognizing at least a part of the application program in the second area And perform authentication by using software.

Access control methods and electronic devices in accordance with various embodiments of the present disclosure may control access of an application to computing resources to secure computing resources.

Figure 1 shows a block diagram for an electronic device according to an embodiment of the present disclosure.
Figure 2 shows a block diagram of hardware 200 in accordance with one embodiment of the present disclosure.
FIG. 3 shows a block diagram of a programming module 300 in accordance with one embodiment of the present disclosure.
Figure 4 illustrates the arrangement of products in accordance with one embodiment of the present disclosure.
5 shows a block diagram of hardware 500 in accordance with one embodiment of the present disclosure.
6 is a block diagram of a programming module 600 in accordance with one embodiment of the present disclosure.
7 is a block diagram of a programming module 700 in accordance with one embodiment of the present disclosure.
8 is a diagram for explaining an example of a hash value calculation process.
9 shows access control tables according to an embodiment of the present disclosure.
10 is a flowchart illustrating an application registration method according to an embodiment of the present disclosure.
11 is a flowchart for explaining an application registration method according to another embodiment of the present disclosure.
12 is a flowchart illustrating an application authentication method according to an embodiment of the present disclosure.
13 is a flowchart for explaining an application authentication method according to another embodiment of the present disclosure.
14 is a diagram for explaining an application registration and authentication method according to an embodiment of the present disclosure.

Hereinafter, various embodiments will be described in detail with reference to the accompanying drawings. Note that, in the drawings, the same components are denoted by the same reference symbols as possible. Further, the detailed description of known functions and configurations that may obscure the gist of the present disclosure will be omitted. In the following description, only parts necessary for understanding the operation according to various embodiments of the present disclosure will be described, and the description of other parts will be omitted so as not to obscure the gist of the present disclosure.

The electronic device according to the present disclosure may be a device including a communication function. For example, a smartphone, a tablet personal computer, a mobile phone, a videophone, an e-book reader, a desktop personal computer, a laptop personal computer, netbook computer, personal digital assistant, portable multimedia player (PMP), MP3 player, mobile medical device, electronic bracelet, electronic necklace, electronic apps, camera, Such as wearable devices, electronic clocks, wrist watches, home appliances such as refrigerators, air conditioners, vacuum cleaners, ovens, microwaves, washing machines, air cleaners, A magnetic resonance imaging (MRI), a computed tomography (CT), a camera, an ultrasound machine, etc.), a navigation system, Device, a GPS receiver em receiver, an event data recorder (EDR), a flight data recorder (FDR), a set-top box, a TV box (eg Samsung HomeSync ™, an Applet TV ™ or a Google TV ™) an electronic device, an electronic device, an electronic device, an electronic device, an infotainment device, an electronic equipment for ship (for example, a marine navigation device, a gyro compass, etc.), avionics, game consoles, head-mounted displays, flat panel display devices, electronic frames, electronic albums, furniture or parts of buildings / structures including communication functions, electronic boards, , An electronic signature receiving device or a projector, and the like. It will be apparent to those skilled in the art that the electronic device according to the present disclosure is not limited to the devices described above.

An electronic device according to the present disclosure can be divided into various environments depending on which function or operation is executed or compute in an environment. For example, an electronic device may include a trusted environment and a non-trusted environment. The trust environment may be referred to as a trusted world (trusted world). An untrusted environment can also be referred to as a non-trusted world (non-trusted region) or a non-trusted area.

An untrusted environment may include a common operating system (OS), drivers, middleware, and applications. An example of such a system could be Android. Android can include the Linux kernel, device drivers, Android middleware, and applications.

The trust environment may include security critical components. Security elements can be accessed by components (eg, applications) in an untrusted environment that is on-run time. This approach allows specific security related operations to be performed. In general, a trusted environment may include a secure OS, security drivers, security middleware, and trusted applications (TA). The trust environment may also include special modules. This particular module (eg, monitor) can mediate or control communications between the trusted and untrusted environments. An untrusted environment can not be directly accessed to the trusted environment, and can be set to access the trusted environment only through the monitor. For this purpose, the monitor can be applied, for example, TrustZone technology of ARM (Advance RISC Machine).

Figure 1 shows a block diagram of an electronic device 100 according to one embodiment of the present disclosure.

Referring to FIG. 1, the electronic device 100 may include a bus 110, a processor 120, a memory 130, a user input module 140, a display module 150, or a communication module 160.

The bus 110 may be a circuit that interconnects the components described above and communicates (e.g., control messages) between the components described above.

Processor 120 receives an instruction from other components (e.g., memory 130, user input module 140, display module 150, communication module 160, etc.) described above via bus 110, decodes the received instruction , It is possible to execute an operation or data processing according to the decoded command.

Memory 130 may store instructions or data received from processor 120 or other components (e.g., user input module 140, display module 150, communication module 160, etc.) or generated by processor 120 or other components. The memory 130 may include, for example, a kernel 131, a middleware 132, an application programming interface (API) 133, or an application 134. Each of the above-described programming modules may be composed of software, firmware, hardware, or a combination of at least two of them.

The kernel 131 may control system resources (e.g., bus 110, processor 120, or memory 130, etc.) used to execute an operation or function implemented in the other programming modules, e.g., middleware 132, API 133, Or management. The kernel 131 may also provide an interface through which the individual components of the electronic device 100 can be accessed, controlled or managed in the middleware 132, API 133, or application 134.

The middleware 132 can perform an intermediary function so that the API 133 or the application 134 can communicate with the kernel 131 to exchange data. In addition, the middleware 132 may be configured to communicate system resources (e.g., buses) of the electronic device 100 to at least one application (e.g., a plurality of applications) 134 with respect to work requests received from 110, processor 120, or memory 130, etc.) may be used to perform load balancing for work requests.

The API 133 is an interface through which the application 134 can control the functions provided by the kernel 131 or the middleware 132, and includes at least one interface or function for, for example, file control, window control, image processing, .

The user input module 140 may receive commands or data from a user, for example, and may transmit the received commands or data to the processor 120 or the memory 130 via the bus 110. The display module 150 can display images, images, data, and the like to the user.

The communication module 160 can connect the communication between the other electronic device 102 and the electronic device 100. The communication module 160 may be implemented using a predetermined communication protocol such as wireless fidelity, BT, near field communication (NFC) or predetermined network communication (e.g., Internet, local area network, (e. g., the same type) device as the electronic device 100, or may be an electronic device, e. g., a cellular network, a cellular network, a satellite network or a plain old telephone service (POTS) It may be another (e.g. different type) device.

Figure 2 shows a block diagram of hardware 200 in accordance with various embodiments of the present disclosure.

The hardware 200 may be, for example, the electronic device 100 shown in FIG. 2, the hardware 200 includes one or more processors 210, a subscriber identification module (SIM) card 214, a memory 220, a communication module 230, a sensor module 240, a user input module 250, a display module 260, an interface 270, an audio codec 280, A camera module 291, a power management module 295, a battery 296, an indicator 297, or a motor 298.

The processor 210 (e.g., processor 120) may include one or more application processors (APs) 211 or one or more communication processors (CP) The processor 210 may be, for example, the processor 120 shown in FIG. Although AP 211 and CP 213 are shown as being included in processor 210 in FIG. 2, AP 211 and CP 213 may be included in different IC packages, respectively. According to some embodiments, AP 211 and CP 213 may be included in one IC package.

The AP 211 may control a plurality of hardware or software components connected to the AP 211 by operating an operating system or an application program, and may perform various data processing and calculations including multimedia data. The AP 211 can be implemented, for example, as a system on chip (SoC). According to some embodiments, the processor 210 may further include a graphics processing unit (GPU) (not shown).

The CP 213 can perform the function of managing the data link and converting the communication protocol in communication between the electronic device (e.g., the electronic device 100) including the hardware 200 and other networked electronic devices. CP 213 can be implemented, for example, in SoC. According to some embodiments, the CP 213 may perform at least some of the multimedia control functions. The CP 213 can perform terminal identification and authentication within the communication network using, for example, a subscriber identity module (e.g., SIM card 214). In addition, the CP 213 can provide services such as voice call, video call, text message, or packet data to the user.

In addition, the CP 213 can control data transmission / reception of the communication module 230. In FIG. 2, components such as CP 213, power management module 295, or memory 220 are shown as separate components from AP 211, but according to some embodiments, AP 211 may include at least some of the above- CP 213).

According to some embodiments, AP 211 or CP 213 may load and process commands or data received from at least one of the non-volatile memory or other components connected to each, into volatile memory. In addition, AP 211 or CP 213 may store data in at least one of the other components or in non-volatile memory generated by at least one of the other components.

The SIM card 214 may be a card that implements the subscriber identity module and may be inserted into a slot formed at a specific location in the electronic device. The SIM card 214 may include unique identification information (e.g., ICCID) or subscriber information (e.g., international mobile subscriber identity (IMSI)).

The memory 220 may include an internal memory 222 or an external memory 224. The memory 220 may be, for example, the memory 130 shown in FIG. The built-in memory 222 may be a volatile memory such as a dynamic RAM (DRAM), a static random access memory (SRAM), a synchronous dynamic RAM (SDRAM), or a non-volatile memory (e.g., At least one of an OTPROM (one time programmable ROM), a PROM (programmable ROM), an EPROM (erasable and programmable ROM), an EEPROM (electrically erasable and programmable ROM), a mask ROM, a flash ROM, a NAND flash memory, . According to one embodiment, the internal memory 222 may take the form of a solid state drive (SSD). The external memory 224 may be a flash drive, for example, a compact flash (CF), a secure digital (SD), a micro secure digital (SD), a mini secure digital (SD), an extreme digital .

The communication module 230 may include a wireless communication module 231 or an RF module 234. The communication module 230 may be, for example, the communication module 160 shown in FIG. The wireless communication module 231 may include, for example, a WiFi module 233, a bluetooth module 235, a GPS receiving module 237, or an NFC (near field communication) module 239. For example, the wireless communication module 231 may provide a wireless communication function using a radio frequency. Additionally or alternatively, the wireless communication module 231 may communicate the hardware 200 to a network (e.g., the Internet, a LAN, a WAN, a telecommunication network, a cellular network, a satellite network or a plain old telephone service A network interface (e.g., a LAN card) or a modem for connecting with a network interface (not shown). The NFC module 233 may include a connection terminal for connection with the NFC antenna.

The RF module 234 is capable of transmitting and receiving data, for example, an RF signal or transmitting and receiving a called electronic signal. The RF module 234 may include, for example, a transceiver, a power amplifier module (PAM), a frequency filter, or a low noise amplifier (LNA), although not shown. Further, the RF module 234 may further include a component, for example, a conductor or a lead, for transmitting and receiving electromagnetic waves in free space in wireless communication.

The sensor module 240 includes a gesture sensor 240A, a gyro sensor 240B, an air pressure sensor 240C, a magnetic sensor 240D, an acceleration sensor 240E, a grip sensor 240F, a proximity sensor 240G, an RGB (red, green, blue) sensor 240H, 240I, a temperature / humidity sensor 240J, an illuminance sensor 240K, or an ultraviolet (UV) sensor 240M. The sensor module 240 may measure the physical quantity or sense the operating state of the electronic device, and convert the measured or sensed information into electrical signals. Additionally or alternatively, the sensor module 240 may include an electronic sensor such as, for example, an E-nose sensor (not shown), an EMG sensor (not shown), an EEG sensor (not shown), an electrocardiogram sensor, not shown) or a fingerprint sensor. The sensor module 240 may further include a control circuit for controlling at least one or more sensors belonging to the sensor module 240.

The user input module 250 may include a touch panel 252, a (digital) pen sensor 254, a key 256, or an ultrasonic input device 258. The user input module 250 may be, for example, the user input module 140 shown in FIG. The touch panel 252 can recognize the touch input in at least one of, for example, an electrostatic type, a pressure sensitive type, an infrared type, or an ultrasonic type. Further, the touch panel 252 may further include a controller (not shown). In the case of the electrostatic type, not only the direct touch but also the indirect touch can be recognized. By "direct touch method" may mean a method in which a conductive object (e.g., a finger or a stylus pen) is in direct contact with the touch screen. According to some embodiments, an " indirect touch scheme "is one in which a conductive object (e.g., a gloved finger) surrounded by a nonconductive object is adjacent to the touch screen or a nonconductive object (e.g., Gloves) may contact the touch screen. According to some embodiments, the "indirect touch method" is a method in which a finger touches a non-conductive object in contact with a non-conductive object (e.g., a cover for protecting the touch screen) It may mean. According to some embodiments, an " indirect touch method "is a method of generating an event by proximity to a touch screen within a predetermined distance, without a finger touching the touch screen, usually a method called" hovering, It may mean. The touch panel 252 may further include a tactile layer. In this case, the touch panel 252 can provide a tactile response to the user. The touch panel 252 may be installed on a screen of the display module 260 (i.e., a touch screen). For example, the touch panel 252 may be implemented as an add-on type located on a touch screen or an on-cell type or an in-cell type inserted into the display module 260 have.

(Digital) pen sensor 254 may be implemented using the same or similar method as receiving the touch input of the user, for example, or using a separate recognizing sheet. As the key 256, for example, a keypad or a touch key may be used. The ultrasonic wave input device 258 is a device that can confirm data by sensing a sound wave from a terminal to a microphone (e.g., a microphone 288) through a pen that generates an ultrasonic signal, and is capable of wireless recognition. According to some embodiments, the hardware 200 may utilize the communication module 230 to receive user input from an external device (e.g., a network, computer or server) connected thereto.

The display module 260 may include a panel 262 or a hologram 264. The display module 260 may be, for example, the display module 150 shown in FIG. The panel 262 may be, for example, a liquid-crystal display (LCD) or an active-matrix organic light-emitting diode (AM-OLED). The panel 262 can be embodied, for example, flexible, transparent or wearable. The panel 262 may be composed of a touch panel 252 and one module. The hologram 264 can display a stereoscopic image in the air using the interference of light. According to one embodiment, the display module 260 may further include control circuitry for controlling the panel 262 or the hologram 264.

The interface 270 may include, for example, a high-definition multimedia interface (HDMI) 272, a universal serial bus (USB) 274, a projector 276, or a D-sub (D-subminiature) 278. Additionally or alternatively, the interface 270 may include, for example, a secure digital (SD) / multi-media card (MMC) (not shown) or an IrDA (infrared data association;

The audio codec 280 can convert audio and electrical signals in both directions. The audio codec 280 can convert audio information input or output through, for example, a speaker 282, a receiver 284, an earphone 286, a microphone 288, or the like.

The camera module 291 is a device capable of capturing an image and a moving image. According to one embodiment, the camera module 291 includes at least one image sensor (e.g., a front lens or a rear lens), an image signal processor (ISP) Not shown).

The power management module 295 can manage the power of the hardware 200. Although not shown, the power management module 295 may include, for example, a power management integrated circuit (PMIC), a charger integrated circuit (IC), or a battery fuel gauge.

The PMIC can be mounted, for example, in an integrated circuit or a SoC semiconductor. The charging method can be classified into wired and wireless. The charging IC can charge the battery and can prevent an overvoltage or an overcurrent from the charger. According to one embodiment, the charging IC may comprise a charging IC for at least one of a wired charging mode or a wireless charging mode. Examples of the wireless charging system include a magnetic resonance system, a magnetic induction system or an electromagnetic wave system, and additional circuits for wireless charging, for example, a coil loop, a resonant circuit, a rectifier, have.

The battery gauge can measure, for example, the remaining amount of the battery 296, the voltage during charging, the current or the temperature. The battery 296 can generate electricity to supply power, and can be, for example, a rechargeable battery.

Indicator 297 may indicate a particular state of hardware 200 or a portion thereof (e.g., AP 211), such as a boot state, a message state, or a state of charge. The motor 298 can convert an electrical signal to mechanical vibration. The MCU 299 can control the sensor module 240.

Although not shown, the hardware 200 may include a processing unit (e.g., a GPU) for mobile TV support. The processing device for mobile TV support can process media data according to standards such as digital multimedia broadcasting (DMB), digital video broadcasting (DVB), or media flow. Each of the above-described components of the hardware according to the present disclosure can be composed of one or more components, and the name of the component can be changed according to the type of the electronic device. The hardware according to the present disclosure may be configured to include at least one of the above-described components, and some components may be omitted or further include other additional components. In addition, some of the components of the hardware according to the present disclosure may be combined and configured as an entity, so that the functions of the corresponding components before being combined can be performed in the same manner.

The term "module" as used herein may mean a unit comprising, for example, one or a combination of two or more of hardware, software or firmware. A "module" may be interchangeably used with terms such as, for example, unit, logic, logical block, component or circuit. A "module" may be a minimum unit or a portion of an integrally constructed component. A "module" may be a minimum unit or a portion thereof that performs one or more functions. "Modules" may be implemented either mechanically or electronically. For example, a "module" in accordance with the present disclosure may be implemented as an application-specific integrated circuit (ASIC) chip, field-programmable gate arrays (FPGAs) or programmable logic arrays (FPGAs) logic device).

3 shows a block diagram of a programming module 300 in accordance with various embodiments of the present disclosure.

Referring to FIG. 3, the programming module 300 may be included (e.g., stored) in the electronic device 100 (e.g., memory 130) shown in FIG. At least some of the programming modules 300 may be comprised of software, firmware, hardware, or a combination of at least two of these. The programming module 300 may be implemented in an operating system (OS) that is implemented in hardware (e.g., hardware 200) to control resources associated with an electronic device (e.g., electronic device 100) or a variety of applications . For example, the operating system may be Android, iOS, Windows, Symbian, Tizen, or Bada. 3, the programming module 300 may include a kernel 310, a middleware 330, an application programming interface (API) 360, or an application 370.

The kernel 310 (e.g., kernel 131) may include a system resource manager 311 or a device driver 312. The system resource manager 311 may include, for example, a process management unit 313, a memory management unit 315, or a file system management unit 317. The system resource manager 311 can perform control, allocation, or recovery of system resources. The device driver 312 may include, for example, a display driver 314, a camera driver 316, a Bluetooth driver 318, a shared memory driver 320, a USB driver 322, a keypad driver 324, a WiFi driver 326 or an audio driver 328. Also, according to one embodiment, the device driver 312 may include an inter-process communication (IPC) driver.

The middleware 330 may include a plurality of modules previously implemented in order to provide functions that the application 370 commonly requires. The middleware 330 may also provide functionality through the API 360 so that the application 370 can efficiently use limited system resources within the electronic device. 3, the middleware 330 (e.g., middleware 132) includes a runtime library 335, an application manager 341, a window manager 342, a multimedia manager 343, A resource manager 344, a power manager 345, a database manager 346, a package manager 347, a connectivity manager 348, a notification manager 349, a location manager 350 A graphic manager 351, or a security manager 352. In this case,

The runtime library 335 may include, for example, a library module that the compiler uses to add new functionality through a programming language while the application 370 is running. According to one embodiment, the runtime library 335 may perform functions such as input / output, memory management, or arithmetic functions.

The application manager 341 can manage the life cycle of at least one of the applications 370, for example. The window manager 342 can manage GUI resources used on the screen. The multimedia manager 343 can recognize the format required for reproducing various media files and can encode or decode the media file using a codec suitable for the corresponding format. The resource manager 344 can manage resources such as source code, memory or storage space of at least one of the applications 370.

The power manager 345 operates in conjunction with a basic input / output system (BIOS) or the like to manage a battery or a power source and provide power information necessary for the operation. The database manager 346 may manage to create, retrieve, or modify a database for use by at least one of the applications 370. The package manager 347 can manage installation or update of an application distributed in the form of a package file.

The connection manager 348 may manage wireless connections, such as, for example, WiFi or Bluetooth. The notification manager 349 may display or notify events such as arrival messages, appointments, proximity notifications, etc. in a manner that is not disturbed to the user. The location manager 350 can manage the location information of the electronic device. The graphic manager 351 can manage the graphical effect to be provided to the user or a user interface related thereto. The security manager 352 can provide security functions necessary for system security or user authentication. According to one embodiment, when the electronic device (e.g., electronic device 100) has a telephone function, the middleware 330 may further include a telephony manager (not shown) for managing the voice or video call capability of the electronic device .

The middleware 330 can create and use a new middleware module through various functional combinations of the internal component modules. The middleware 330 can provide a module specialized for each type of operating system in order to provide differentiated functions. In addition, the middleware 330 can dynamically delete some existing components or add new ones. Accordingly, the components described in the embodiments of the present disclosure may be partially replaced with components having other names or having other components or having other functions performing similar functions.

API 360 (API 133, for example) is a set of API programming functions that can be provided in different configurations depending on the operating system. For example, in the case of Android or iOS, for example, one API set can be provided for each platform, and in the case of Tizen, for example, two or more API sets can be provided.

The application 370 (e.g., application 134) may include, for example, a preloaded application or a third party application.

At least some of the programming modules 300 may be implemented with instructions stored on a computer-readable storage medium. The instructions, when executed by one or more processors (e.g., processor 210), may perform one or more functions corresponding to instructions. The computer readable storage medium may be, for example, a memory 260. [ At least some of the programming modules 300 may be implemented (e.g., executed) by, for example, the processor 210. At least some of the programming modules 300 may include, for example, modules, programs, routines, sets of instructions and / or processes, etc., for performing one or more functions.

The names of components of a programming module (e.g., programming module 300) according to the present disclosure may vary depending on the type of operating system. A programming module according to the present disclosure may include at least one or more of the elements described above, some of which may be omitted, or may further include other additional elements. Operations performed by a programming module or other component in accordance with the present disclosure may be processed in a sequential, parallel, iterative, or heuristic manner, and some operations may be omitted, or other operations may be added.

4 shows an arrangement of a configuration according to an embodiment of the present disclosure.

Referring to FIG. 4, some private applications 410 may request a trusted environment to access system resources or application resources in trusted environment hardware 420 (e.g., trusted storage). Where the application resource may mean, for example, a key (e.g., a security key), sensitive data, or access to something. System resources may refer to memory, processors, buses, and the like. The hash-based application access control 440 on the trust platform 430 allows the independent access of applications to their resources while maintaining the confidentiality of each application. User interaction (password entry) is not required while achieving a high (hardware level) security level.

5 shows a block diagram of hardware 500 in accordance with one embodiment of the present disclosure.

The hardware 500 may be, for example, the electronic device 100 shown in FIG. Referring to FIG. 5, the hardware 500 may include a first memory 510, a second memory 520, a third memory 530, and a processor 540.

The first memory 510 may be logically or physically set by the processor 540 to an untrusted environment 511 (first area) and a trusted environment 512 (second area). The first memory 510 may also be a volatile memory (e.g., DRAM).

 The second memory 520 may include an access control module 521, an access control table 522, and applications 523_1 to 523_N. The second memory 520 may be a non-volatile memory (e.g., flash memory).

The third memory 530 may include a secret key (e.g., a secret key 531). The third memory 520 may be a non-volatile memory (e.g., ROM). In FIG. 5, the third memory 530 is shown as a separate component from the processor 500, but according to some embodiments, the third memory 530 may be entirely or partially included in the processor 500.

The processor 510 may be the application processor 211 shown in FIG. When the battery 510 is powered on, the boot program is loaded into the first memory 510 from the second memory 520 (or the third memory 530). The processor 540 accesses the boot program loaded into the first memory 510, decodes the command, and executes a function (e.g., an environment classification, an operating system loading operation) according to the decoding result. The processor 540 may classify all or a portion of the first memory 510 into an untrusted environment 511 and a trusted environment 512 and may load the operating system from the second memory 520 (or third memory 530) into the trusted environment 512 of the first memory 510 have. The processor 540 may access the operating system loaded into the first memory 510 and execute its functions (e.g., the access control module and its table loading operations). The processor 540 may load the access control module 521 and the secret key 530 into the trusted environment 512. According to some embodiments, the secret key 531 may not be loaded into the trusted environment 512. The processor 540 may also load the access control table 522 (e.g., the access control table 612) into the untrusted environment 511 and load at least one of the applications 523_1 to 523_N into the untrusted environment 511. [ According to some embodiments, access control table 522 (e.g., access control table 722 shown in FIG. 7) may be loaded into trusted environment 512. The processor 540 may access the access control module 521 and perform its functions.

 According to another embodiment, the electronic device comprises a volatile memory (first memory 510), a non-volatile storage (e.g. second memory 520), a hardware storage device (e.g. third memory 530) (E.g., untrusted environment 511) and a second area (e.g., trusted environment 512), and the first information (e.g., Secret key) temporarily. (E.g., additional files, static content, application code, user interface strings, animation instructions, application data, contacts, etc.) temporarily storing at least one of an image, a contact, an image, a password, a text, a moving picture, and a content, recognizing an access request for the second information of an application program temporarily stored in the first area, And performing authentication using at least a portion of the application program within the application program. The processor may be configured to map data of at least a portion of the application program to data of a fixed length for the authentication. The processor may be configured to compare and authenticate a first hash value generated using at least a portion of the application program and a previously calculated second hash value. The processor may be configured to use the first information to obtain the second hash value. The processor may be configured to generate the first hash value using code and / or static data of the application. The processor may be configured to temporarily fetch data in the non-volatile storage device containing the second hash value into the second area. The processor may be configured to perform the authentication using the identification information of the application. The processor may be configured to perform the authentication using data that is encrypted with at least a portion of the application stored together and an authentication tag that has encrypted the hash value of the data stored in the application. To allow access to the second information. Wherein the processor is configured to set the volatile memory as a first area and a second area, to temporarily store first information fetched from the hardware storage device in the second area, to temporarily store the application program temporarily stored in the first area, Acquiring data representative of the application program in the second area using at least a part of the first application, encrypting data representing the application program in the second area using the first information, And store the data representative of the program in the non-volatile storage. The processor may be configured to compare data obtained using at least a portion of the application program and a second calculated hash value. The processor may be configured to encrypt and store identification information of the application program. The processor may be configured to store together the authentication data in which encryption of at least a part of the application program is encrypted in the second area and an authentication tag in which the hash value of the data is encrypted.

6 is a block diagram of a programming module 600 in accordance with one embodiment of the present disclosure.

Referring to FIG. 6, programming module 600 may be included (e.g., stored) in electronic device 100 (e.g., memory 130) shown in FIG. At least a portion of programming module 600 may be comprised of software, firmware, hardware, or a combination of at least two of them.

The programming module 600 may include an untrusted environment 610 and a trusted environment 620. The untrusted environment 610 may include applications 611_1-N and an access control table 612. The trust environment 620 may include an access control module 621. All functions of the access control module 621 may be executed in the trusted environment 620. The access control module 621 may be one or a combination of hardware, software, or firmware.

The applications 611_1 to N may be, for example, components of the application 370 shown in Fig. Each of the applications 611_1 to N may request access to the resource from the access control module 621. Applications 611_1-N may each contain application code, static data, and dynamic data. If the application is, for example, an address book application (contact 378), the static data can be a background image, contacts, and the dynamic data can be a number numbered for each contact. The access control table 612 may include records corresponding to the applications 611_1 to N, respectively. These records can be encrypted.

When an application (e.g., application 611_1) requests registration, the access control module 621 may calculate an application hash value and identification information (ID). The access control module 621 can check whether the record corresponding to the calculated hash value and the identification information exists in the access control table 612. [ If there is no check result, the access control module 621 may insert the calculated hash value and identification information into the access control table 612 as a new record. This means successful registration for the application. In addition, the access control module 621 may generate an application token and provide it to the application. If the hash value and the ID of the application are already in the access control table 612, the access control module 621 can deny the registration request because the application is already registered. In addition, the access control module 621 may perform an operation of outputting a registration rejection message to the user. Wherein the output may include at least one of visual feedback, auditory feedback using a speaker, and tactile feedback using a motor.

An application (e.g., application 611_1) may request access control module 621 access to certain resources (access to keys, data, anywhere, or other resources). In response to this request, the access control module 621 may calculate the hash value and ID of the application. The access control module 621 may calculate the hash in various ways. For example, the access control module 621 may obtain some or all of the application's binary path from the operating system (e.g., the operating system of the trusted environment 620 or the operating system of the untrusted environment 610) The value can be calculated. Alternatively, the access control module 621 may compute a hash for some or all of the application's code in memory (e.g., a secure repository managed by a trusted environment 620 or a generic repository managed by an untrusted environment 610).

The access control module 621 may obtain a part or all of the binary path of the application from the operating system and calculate the ID using the obtained binary. Additionally or alternatively, the access control module 621 may calculate the ID using the name of the application stored in memory. Alternatively, the access control module 621 may generate an ID using various information (e.g., application name, operating system name, version information, etc.) of the application stored in the memory. Alternatively, the access control module 621 may set at least one of various information of the application stored in the memory as an application ID.

The access control module 621 can allow access if the record corresponding to the "calculated hash value and ID" is in the access control table 612, since the application has been successfully authenticated. As a result, applications can access resources and perform tasks (eg, reading data, writing data, changing data, using hardware, accessing other applications, etc.).

If the corresponding record is not found in the access control table 612, the access control module 621 can prohibit the access because the authentication of the application has failed. In addition, when the authentication fails, the access control module 621 may perform an operation of outputting a warning message to the user. Wherein the output may include at least one of visual feedback, auditory feedback using a speaker, and tactile feedback using a motor.

According to some embodiments, if authentication fails, the access control module 621 may generate and log an "application upgrade" event. Application upgrades may require user approval. When the application upgrade is approved by the user, the access control module 621 upgrades the application, calculates the ID and hash value of the upgraded application, and stores the corresponding record in the access control table 612 as the " I can update. Thereafter, when the upgraded application requests access, the access control module 621 can grant access.

The access control table 612 may be stored in an untrusted environment 610. In this case, each record in the access control table 612 can be encrypted by an authenticated encryption method. The encryption method may be "Advanced Encryption Standard (AES) -GCM (Galois Counter Mode) (e.g., the process shown in FIG. 8)" Encryption of records in the table may be performed in trusted environment 620. For example, the access control module 621 may encrypt the record and register it in the access control table 612. The decryption of the encrypted record may also be performed in trusted environment 620. For example, the access control module 621 reads the access control table 612 from the untrusted environment 610 and uses the decryption key (e.g., a secret trusted environment key) to retrieve records of the read access control table It can be decrypted. The access control module 621 may compare the decrypted records with the hash value and the ID of the application, respectively, and determine whether a record corresponding to the hash value and the ID exists in the access control table.

The "authenticated encryption process" operating in the trust environment 620 can ensure the confidentiality of the access control table 612. [ The "authenticated encryption process" can also ensure the detection of an integrity violation in the access control table 612. This assurance means that it is not possible (computationally) to modulate a record in the access control table 612 and any unauthorized modification of the access control table 612 can be detected by the access control module 621. Ensuring the detection of an integrity violation in the access control table 612 eventually means ensuring a correct access control decision.

According to some embodiments, the "application requesting access to resources" to access control module 621 may be an application running in trusted environment 620. [

According to some embodiments, a resource that needs to be granted access may be a resource included in the trusted environment 620. Such resources may include at least one of system resources (e.g., memory, processor, bus, etc.) and application resources (e.g., keys, data, other applications, etc.).

7 is a block diagram of a programming module 700 in accordance with one embodiment of the present disclosure.

Referring to FIG. 7, the programming module 700 may be included (e.g., stored) in the electronic device 100 (e.g., memory 130) shown in FIG. Programming module 700 may include an untrusted environment 710 and a trusted environment 720. The untrusted environment 710 may include applications 711_1-N. The trust environment 720 may include an access control module 721 and an access control table 722. Thus, when the access control table 722 is included in the secure trust environment 720, each record in the access control table 722 may not be encrypted.

8 is a diagram for explaining an example of a hash value calculation process.

8, an access control module (e.g., access control module 621) may read all or a portion of application 810 (e.g., code and static data). The access control module may calculate the hash value 830 of all or part of the read application 810 using the designated hash function 820. [ For example, if the size of all or part of the read application 810 is 1GB and the hash function 820 is SHA (Secure Hash Algorithm) -256, then the size of the hash value 830 is 256 bits.

9 shows access control tables according to an embodiment of the present disclosure.

9A, records 910_1 to 910_N in the access control table 910 may include an encrypted "application ID (App_ID)" and an encrypted "application hash value (App_Hash)", respectively. The application ID can be composed of at least one of the entire binary path and name of the application. Of course, it can also be configured in other ways. The integrity of each record is ensured by an "authenticated encryption process " and the integrity of the entire table can also be guaranteed.

According to some embodiments, the hash value in the record may be included in a trusted environment (e.g., trusted environment 620 or 720) by some means (e.g., access control module 621, MAC, etc.). Other values in the record (e.g., application ID) may be included in an untrusted environment (e.g., untrusted environment 610 or 710). Access control table 910 may be included in an untrusted environment (e.g., untrusted environment 610). Alternatively, access control table 910 may be included in a trusted environment (e.g., trusted environment 722).

9B, in the access control table 920, the records 920_1 to 920_N respectively include an encrypted "application hash value (App_Hash)", an encrypted "application related resource (App_Asset)", And authentication information (Auth _k ) for verifying whether or not it is modulated. The authentication information (Auth _k ) may be generated using the application or information related thereto. Access control table 920 may be included in an untrusted environment (e.g., untrusted environment 610). Alternatively, access control table 920 may be included in a trusted environment (e.g., trusted environment 722).

9C, in the access control table 930, the records 930_1 to 930_N include encrypted authentication information (App_Auth_Info), encrypted "application ID (App_ID)", encrypted "application data ) "And an authentication tag (Auth_Tag _K ). Access control table 930 may be included in an untrusted environment (e.g., untrusted environment 610). Alternatively, access control table 930 may be included in a trusted environment (e.g., trusted environment 722).

10 is a flowchart illustrating an application registration method according to an embodiment of the present disclosure.

Referring to FIG. 10, at operation 1010, processor 120 of an electronic device (e.g., electronic device 100) may recognize a registration request for an application. In operation 1020, in response to the registration request, the processor 120 may calculate the hash and ID of the application. At operation 1030, the processor 120 may determine whether a record corresponding to the calculated values (e.g., App1_ID, App1_hash) is present in the access control table. If a corresponding record is not present in the access control table, then at operation 1040 processor 120 may register the calculated values in the access control table. If a corresponding record is present in the access control table, at operation 1050 processor 120 may deny the registration request.

11 is a flowchart for explaining an application registration method according to another embodiment of the present disclosure.

Referring to FIG. 11, at operation 1110, processor 110 of an electronic device (e.g., electronic device 100) may recognize a registration request for an application. In operation 1120, in response to the registration request, the processor 120 may calculate the hash and ID of the application. At operation 1130, the processor 120 may decrypt each record in the access control table. At operation 1140, the processor 120 may determine whether a record corresponding to the calculated values (e.g., App1_ID, App1_hash) is present in the access control table. If a corresponding record is not present in the access control table, processor 120 may encrypt the computed values at operation 1150. In operation 1160, the processor 120 may register the encrypted values in the access control table as a record for the application. If a corresponding record is present in the access control table, at operation 1170 processor 120 may deny the registration request.

12 is a flowchart illustrating an application authentication method according to an embodiment of the present disclosure.

Referring to FIG. 12, at operation 1210, the processor 120 may recognize an application access request for resources. In operation 1220, in response to an access request, the processor 120 may calculate an application hash and an ID. At operation 1230, the processor 120 may determine whether a record corresponding to the calculated values (e.g., App1_ID, App1_hash) is present in the access control table. If a corresponding record is present in the access control table, processor 120 may grant access at operation 1240. If a corresponding record is not present in the access control table, then at operation 1250 processor 120 may issue a security warning.

13 is a flowchart for explaining an application authentication method according to another embodiment of the present disclosure.

Referring to FIG. 13, at operation 1310, the processor 120 may recognize an application access request for resources. In operation 1320, in response to an access request, the processor 120 may calculate the hash and ID of the application. At operation 1330, the processor 120 may decrypt each record in the access control table. At operation 1340, the processor 120 may determine whether a record corresponding to the computed values (e.g., App1_ID, App1_hash) is present in the access control table. If a corresponding record is present in the access control table, processor 120 may grant access at operation 1350. If a corresponding record is not present in the access control table, processor 120 may issue a security alert at operation 1360.

14 is a diagram for explaining an application registration and authentication method according to an embodiment of the present disclosure.

Referring to FIG. 14, an access control module (e.g., access control module 521) may read all or a portion of application 1410, e.g., data 1411. The access control module may encrypt (1413) the data 1411 using the secret key 1412. The access control module may store the encrypted data 1414 in the memory 1415 as a record of the application 1410.

The access control module may obtain the hash value of the data 1411 using the designated hash function 1416 and encrypt (1417) the hash value using the secret key 1412. The access control module may store the encrypted hash value (authentication tag 1418) in the memory 1415 as a record of the application 1410.

The access control module can check whether or not the application is tampered with using the authentication tag 1418. Specifically, the access control module may read the encrypted data 1414 from the memory 1415 and decrypt 1419 using the secret key 1412. The access control module may also read the authentication tag 1418 from the memory 1415 and decrypt 1420 using the secret key 1412. As is well known in the encryption and decryption methods, there are a symmetric key method and an asymmetric key method. If the data 1411 and the hash value are encrypted in an asymmetric key fashion, the encrypted data 1414 and the authentication tag 1418 may be decrypted with a specific decryption key rather than the secret key 1412.

The access control module may calculate the hash value of the decrypted data 1421 using the hash function 1416. [ The access control module may compare the calculated hash value with the decrypted authentication tag 1418 to determine 1422 whether it is the same. If they are the same, the access control module can recognize that the decrypted data 1421 is normal. If not, the access control module can recognize that the decrypted data 1421 is modulated.

 According to another embodiment, a method for authenticating via an electronic device is provided by a processor of an electronic device including a volatile memory, wherein the volatile memory is coupled to a first region (e.g., an untrusted environment) and a second region (e.g., (E. G., A trusted environment) is more secure than the first area, and the first information (e.g., trusted environment) retrieved from the hardware or firmware in the second area by the processor Temporarily storing second information (e.g., additional files, static content, application code, UI string, etc.) in the second area by the processor, user interface strings, animation instructions, application data, contacts, images, passwords, text, video, and content) Storing, by the processor, an access request for the second information of an application program temporarily stored in the first area; and, by the processor, determining, by the processor, And authenticating by using a part thereof. The authenticating operation may include mapping data of at least a portion of the application program to data of a fixed length. The authenticating operation may include comparing and authenticating a first hash value generated using at least a portion of the application program and an already calculated second hash value. The authenticating operation may include using the first information to obtain the second hash value. The operation of generating the first hash value of the application program may include an operation of generating using the code and / or static data of the application program. The authenticating operation may include temporarily fetching data in the non-volatile storage device into the second area including the second hash value. The authenticating operation may include using the identification information of the application. The authenticating operation may include using data that is encrypted at least a part of the application program and an authentication tag that encrypts the hash value of the data. And allowing access to the second information of the application program based on the authenticating operation.

 According to another embodiment, a method of registering through an electronic device is provided by a processor of an electronic device including a volatile memory, wherein the volatile memory is coupled to a first area (e.g., an untrusted environment) and a second area (e.g., Wherein the second area is secured more securely than the first area, the first information (e.g., a secret key) fetched from the hardware or firmware in the second area by the processor is temporarily Obtaining, by the processor, data representative of the application program in the second area using at least a portion of the application program temporarily stored in the first area; Encrypting data representative of the application program in the second area; And storing data representative of the encrypted application program in a non-volatile storage of the electronic device. The act of obtaining data representative of the application program may include mapping at least a portion of the data of the application program to data of a fixed length. And comparing the data representing the application program acquired using at least a part of the application program and the already calculated second hash value. The comparing operation may include obtaining the second hash value using the first information. The comparing operation may include, in the non-volatile storage, temporarily fetching data including the second hash value into the second area. The operation of acquiring data representative of the application program may include generating data representative of the application program using code and / or static data of the application program. The storing operation may include encrypting and storing the identification information of the application program. The storing operation may include storing the data obtained by encrypting at least a part of the application program in the second area and the authentication tag enciphering the hash value of the data together.

The method according to the present disclosure as described above can be recorded in a computer-readable recording medium implemented with program instructions that can be executed through various computers. The recording medium may include a program command, a data file, a data structure, and the like. Also, the program instructions may be those specially designed and constructed for this disclosure or may be available to those skilled in the art of computer software. In addition, a recording medium includes a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical medium such as a CD-ROM and a DVD, and a magnetic optical medium such as a floppy disk. Hardware such as a magneto-optical medium, a ROM, a RAM, a flash memory, and the like may be included. The program instructions may also include machine language code such as those generated by the compiler, as well as high-level language code that may be executed by the computer using an interpreter or the like.

It is to be understood that both the foregoing description and the following detailed description are exemplary and explanatory only and are not intended to limit the scope of the present disclosure. Accordingly, the scope of the present disclosure should be construed as being included within the scope of the present disclosure in addition to the embodiments disclosed herein, all changes or modifications derived from the technical idea of the present disclosure.

100, 102, 104: electronic device 110: bus
120: processor 130: memory
131, 310: Kernel 132, 330: Middleware
133, 360: Application Programming Interface (API)
134, 370: application 140: user input module
150: Display module 160: Communication module
162: network 164: server
200: hardware 210: processor
211: Application processor (AP)
213: Communication Processor (CP)
214: SIM card 220: memory
222: internal memory 224: external memory
230: communication module 231: wireless communication module
233: Wi-Fi 234: RF module
235: BT 237: GPS
239: NFC 240: Sensor Module
240A: Gesture sensor 240B: Gyro sensor
240C: Pressure sensor 240D: Magnetic sensor
240E: Acceleration sensor 240F: Grip sensor
240G: Proximity sensor 240H: RGB sensor
240I: Biosensor 240J: On / Humidity sensor
240K: Light sensor 240M: UV sensor
250: user module 252: touch panel
254: pen sensor 256: key
258: Ultrasonic 260: Display Module
262: Panel 264: Hologram
270: Interface 272: HDMI
274: USB 276: Projector
278: D-SUB 280: Audio codec
282: Speaker 284: Receiver
286: earphone 288: microphone
291: Camera module 295: Power management module
296: Battery 297: Indicator
298: motor 300: programming module
311: System Resource Manager 312: Device Driver
335: Runtime Library 341: Application Manager
342: Window manager 343: Multimedia manager
344: Resource manager 345: Power manager
346: Database Manager 347: Package Manager
348: Connection manager 349: Notification manager
350: Location manager 351: Graphic manager
352: Security Manager 371: Home
372: Dialer 373: SMS / MMS
374: IM 375: Browser
376: Camera 377: Alarm
378: Contact 379: Voice dialing
380: Email 381: Calendar
382: Media Player 383: Album
384: Clock

Claims (53)

A method of controlling access in an electronic device,
The processor of the electronic device recognizing an access request for resources from an application included in a first area of memory;
In response to the access request, the processor executing an access control module included in a second area of the memory to calculate a hash value of the application;
The processor executing the access control module to determine whether a record corresponding to the hash value and the identification information of the application exists in the memory; And
Wherein the processor includes accessing the resource if the corresponding record is present in the memory. The method according to claim 1,
The determining operation may include:
Decrypting a record stored in the first area encrypted with a designated key included in the second area; And
Determining whether the decrypted record corresponds to the hash value and the identification information,
Wherein the second area is an area requiring authentication of access by the processor. The method according to claim 1,
Wherein the memory is a volatile memory. The method according to claim 1,
The act of allowing access to the resource comprises:
Decrypting resources stored in the second area encrypted with a designated key included in the second area; And
Communicating the resource to the application,
Wherein the second area is an area requiring authentication of access by the processor. The method according to claim 1,
Encrypting the resource;
Calculating a first hash value of the resource and encrypting the first hash value with a designated key; And
Further comprising storing the encrypted resource and the encrypted first hash value,
The act of allowing access to the resource comprises:
Decrypting the encrypted resource with the key to calculate a second hash value;
Decrypting the encrypted first hash value with the key,
And allowing access to the resource if the second hash value is equal to the first hash value,
Wherein the key is stored in an area of memory that requires authentication of access by the processor. The method according to claim 1,
The operation of calculating the hash value includes:
Calculating a hash value of at least one of a binary path of the application, a code of the application, and static data of the application. The method according to claim 1,
Wherein,
A binary path of the application, and information stored in association with the application. The method according to claim 1,
And outputting a warning message if the corresponding record is not present in the memory. The method according to claim 1,
The processor recognizing a registration request from a second application;
In response to the registration request, calculating a second hash value of the second application;
Determining whether a record corresponding to the second hash value and the identification information of the second application exists in the memory; And
Storing the second hash value and the identification information of the second application when a record corresponding to the second hash value and the identification information of the second application is not present in the memory. A first memory divided into a first area and a second area;
A second memory for storing a record for access control of the application to the access control table and the resource including the hash value and identification information of the application;
And a processor for loading the access control module into the first area and loading the record into the first area or the second area,
Wherein the access control module loaded into the first area,
Calculating a hash value of the application in response to a resource access request from the application; determining whether a record corresponding to the hash value and identification information of the application exists in the first memory; And to permit access to the resource if the corresponding record is present in the first memory. 11. The method of claim 10,
The determining operation may include:
Decrypting a record stored in the first area encrypted with a designated key included in the second area; And
Determining whether the decrypted record corresponds to the hash value and the identification information,
Wherein the second area is an area requiring authentication of access. 12. The method of claim 11,
Wherein the first memory is a volatile memory. 11. The method of claim 10,
The act of allowing access to the resource comprises:
Decrypting resources stored in the first area encrypted with a designated key included in the second area; And
Communicating the resource to the application,
Wherein the second area is an area requiring authentication of access. 11. The method of claim 10,
The processor comprising:
Classifying the first memory into a first area and a second area,
Loading a key for decryption, stored in a third memory, into the second area,
Electronic device. 11. The method of claim 10,
Wherein the access control module comprises:
Encrypting the resource;
Calculating a first hash value of the resource and encrypting the first hash value with a designated key; And
Further configured to perform the operation of storing the encrypted resource and the encrypted first hash value,
The act of allowing access to the resource comprises:
Decrypting the encrypted resource with the key to calculate a second hash value;
Decrypting the encrypted first hash value with the key,
And allowing access to the resource if the second hash value is equal to the first hash value,
Wherein the key is stored in an area of the first memory requiring authentication of the access. 11. The method of claim 10,
The operation of calculating the hash value includes:
Calculating a hash value of at least one of a binary path of the application, a code of the application, and static data of the application. 11. The method of claim 10,
Wherein,
A binary path of the application, and information stored in association with the application. 11. The method of claim 10,
Wherein the access control module comprises:
And to output a warning message if the corresponding record is not present in the first memory. 11. The method of claim 10,
Wherein the access control module comprises:
Recognizing a registration request from a second application;
In response to the registration request, calculating a second hash value of the second application;
Determining whether a record corresponding to the second hash value and the identification information of the second application exists in the first memory; And
Storing the second hash value and the identification information of the second application when a record corresponding to the second hash value and the identification information of the second application is not present in the first memory, Electronic device. A method of operating an electronic device,
An operation for setting the volatile memory as a first area and a second area by a processor of an electronic device including a volatile memory, the second area being more secure than the first area;
Temporarily storing first information fetched from the hardware or firmware in the second area by the processor;
Temporarily storing second information in the second area by the processor;
Recognizing, by the processor, an access request for the second information of an application program temporarily stored in the first area; And
And authenticating, by the processor, using at least a portion of the application program in the second region. 21. The method of claim 20,
The authenticating operation includes:
And mapping at least a portion of the data of the application program to data of a fixed length. 21. The method of claim 20,
The authenticating operation includes:
And comparing and authenticating a first hash value generated using at least a portion of the application program and an already calculated second hash value. 21. The method of claim 20,
Characterized in that the second information comprises at least one of additional files, static content, application code, UI interface strings, animation instructions, Lt; / RTI > 21. The method of claim 20,
Wherein the second information includes at least one of a contact, an image, a password, text, a moving picture, and contents. 21. The method of claim 20,
Wherein the authenticating comprises using the first information to obtain the second hash value. 23. The method of claim 22,
Wherein the generating of the first hash value of the application program comprises:
Using the code and / or static data of the application program. 21. The method of claim 20,
Wherein the authenticating comprises temporarily fetching data in the non-volatile storage device into the second area that includes the second hash value. 21. The method of claim 20,
Wherein the authenticating operation includes using the identification information of the application program. 21. The method of claim 20,
Wherein the authenticating operation comprises using data that is encrypted at least a portion of the application program and an authentication tag that encrypts the hash value of the data. 21. The method of claim 20,
Further comprising, by the processor, allowing access to the second information of the application program based on the authenticating operation. A method of operating an electronic device,
An operation for setting the volatile memory as a first area and a second area by a processor of an electronic device including a volatile memory, the second area being more secure than the first area;
Temporarily storing first information fetched from the hardware or firmware in the second area by the processor;
Obtaining, by the processor, data representative of the application program in the second area using at least a portion of the application program temporarily stored in the first area;
Encrypting data representing the application program in the second area using the first information;
And storing the data representative of the encrypted application program in a non-volatile storage of the electronic device. 32. The method of claim 31,
Wherein the act of obtaining data representative of the application program comprises mapping data of at least a portion of the application program to data of a fixed length. 32. The method of claim 31,
Further comprising: comparing data that is representative of the application program obtained using at least a portion of the application program and a previously calculated second hash value. 34. The method of claim 33,
Wherein the comparing operation further comprises obtaining the second hash value using the first information. 34. The method of claim 33,
Wherein the comparing comprises temporarily fetching data in the non-volatile storage device into the second area, the data including the second hash value. 32. The method of claim 31,
Wherein the act of obtaining data representative of the application program comprises generating data representative of the application program using code and / or static data of the application program. 32. The method of claim 31,
Wherein the act of storing comprises encrypting and storing identification information of the application. 32. The method of claim 31,
Wherein the act of storing includes storing data together with at least a portion of the application program encrypted in the second region and an authentication tag encrypted with the hash value of the data. In an electronic device,
Volatile memory;
Nonvolatile storage;
Hardware storage;
≪ / RTI >
The processor comprising:
Setting the volatile memory as a first area and a second area,
Temporarily storing first information fetched from the hardware storage device in the second area;
Temporarily storing second information in the second area,
Recognizing an access request for the second information of an application program temporarily stored in the first area,
And perform authentication using at least a part of the application program in the second area. 40. The method of claim 39,
The processor comprising:
And map data of at least a part of the application program to data of a fixed length. 40. The method of claim 39,
The processor comprising:
And compare the first hash value generated using at least a part of the application program with the already calculated second hash value. 40. The method of claim 39,
Wherein the second information comprises at least one of additional files, static content, application code, UI interface strings, animation instructions, . 40. The method of claim 39,
Wherein the second information includes at least one of a contact, an image, a password, text, a moving picture, and contents. 40. The method of claim 39,
The processor comprising:
And to obtain the second hash value using the first information. 42. The method of claim 41,
The processor comprising:
And generate the first hash value using code and / or static data of the application program. 40. The method of claim 39,
The processor comprising:
And temporarily fetch data including the second hash value in the non-volatile storage device into the second area. 40. The method of claim 39,
The processor comprising:
And to perform the authentication using the identification information of the application program. 40. The method of claim 39,
The processor comprising:
And to perform the authentication using data that is encrypted at least a part of the application program and an authentication tag that encrypts the hash value of the data. 40. The method of claim 39,
The processor comprising:
Setting the volatile memory as a first area and a second area,
Temporarily storing first information fetched from the hardware storage device in the second area,
Acquiring data representative of the application program in the second area using at least a part of the application program temporarily stored in the first area,
Encrypting data representing the application program in the second area using the first information,
And store data representing the encrypted application program in the non-volatile storage device. 50. The method of claim 49,
The processor comprising:
And compare the already calculated second hash value with data representing the application program obtained using at least a portion of the application program. 50. The method of claim 49,
The processor comprising:
And to encrypt and store the identification information of the application program. 50. The method of claim 49,
The processor comprising:
And to store, together with the encrypted data, at least a part of the application program in the second area and an authentication tag which encrypts the hash value of the data. 40. The method of claim 39,
The processor comprising:
And to allow access to the second information of the application program based on the authentication.

Images