WO2005096121A1 - Execution device - Google Patents


Info

Publication number
WO2005096121A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
execution
hash value
execution environment
application
Application number
PCT/JP2005/006303
Other languages
English (en)
Japanese (ja)
Inventor
Tomonori Nakamura
Original Assignee
Matsushita Electric Industrial Co., Ltd.


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N 21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N 21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N 21/442 Monitoring of processes or resources, e.g. detecting the failure of a recording device, monitoring the downstream bandwidth, the number of times a movie has been viewed, the storage space available from the internal hard disk
    • H04N 21/44236 Monitoring of piracy processes or activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N 21/40 Client devices specifically adapted for the reception of or interaction with content, e.g. set-top-box [STB]; Operations thereof
    • H04N 21/43 Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
    • H04N 21/443 OS processes, e.g. booting an STB, implementing a Java virtual machine in an STB or power management in an STB
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N 7/00 Television systems
    • H04N 7/16 Analogue secrecy systems; Analogue subscription systems
    • H04N 7/162 Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing
    • H04N 7/163 Authorising the user terminal, e.g. by paying; Registering the use of a subscription channel, e.g. billing, by receiver means only

Definitions

  • the present invention relates to a technique for detecting tampering with a program, and more particularly to a technique for ensuring the normal execution of a program.
  • Patent Document 1 JP 2001-195247 A
  • it is an object of the present invention to provide an execution device that promptly detects falsification of the execution environment of an application and ensures normal execution of the application.
  • an execution device of the present invention is an execution device that executes an application program, and comprises: storage means for storing an execution environment program, which is a program for interpreting and executing the application program; original-form information storage means for storing original-form information generated from the execution environment program held in the storage means; determining means which, when the application program is to be executed and before the execution environment program is executed, generates tampering check information from the execution environment program as it exists at that time and determines whether the tampering check information and the original-form information have a predetermined relationship; and control means which executes the execution environment program if the determining means finds that the predetermined relationship holds, and inhibits execution of the execution environment program if it does not.
  • with this configuration, the execution device can determine, from the relationship between the execution environment program about to be executed and the original execution environment program, whether the former has been tampered with, and a falsified execution environment program is not executed, so the application can be prevented from performing an abnormal operation.
  • the relationship between the execution environment program being executed and the original execution environment program includes, for example, a relationship in which a specific portion of the two programs matches, and a relationship in which a numerical value taken from a specific part of the execution environment program being executed is a multiple of the numerical value of the same part of the original execution environment program.
  • the original form information is a hash value generated by a predetermined algorithm based on an execution environment program in the storage means
  • the falsification check information is a hash value generated by the same predetermined algorithm from the execution environment program at the time of the check
  • the predetermined relationship may be a relationship where the original form information and the falsification check information are the same.
  • the execution device can thus determine, before executing the execution environment program, that the program has been tampered with if the two values are not the same, and refrain from executing the tampered execution environment program. In this way the application can be prevented from performing an abnormal operation.
  • the execution environment program has a plurality of subprograms
  • the original-form information storage means stores, for each subprogram, a hash value generated from that subprogram, and the determining means, when executing the application program and before executing a subprogram, generates a hash value from the subprogram as it exists at that time and determines whether the generated hash value and the corresponding hash value stored in the original-form information storage means are the same.
  • the control means executes the subprogram if the determining means determines that the values are the same, and may suppress execution of the subprogram if it determines that they are not the same.
  • the subprogram is a program for performing a process of loading a class constituting an application program.
  • the subprogram may be a program for performing a process of calling a method constituting the application program.
  • the subprogram may be a program for checking whether the bytecode of the application program is valid before it is executed.
  • the subprogram is a program that performs a process of compiling bytecode of an application program.
  • the execution device can thus perform the tampering check in units of subprograms, so that a subprogram implementing a function that must not be tampered with can be inspected at the appropriate time.
  • the determining means may generate a hash value from the execution environment program as it exists at that time at a predetermined period, and determine whether that hash value and the hash value stored in the original-form information storage means are the same.
  • the execution device can periodically check the execution environment program for tampering during the execution of the application, so that normal execution of the application can be ensured.
  • the execution environment program or the subprogram further has security information indicating a degree of required security
  • the predetermined time is a time determined according to the security information
  • the execution device can thus change the period of the tampering check according to the required degree of security, so that the tampering check can be fine-tuned to the use and importance of the program.
  • the application program is created in an object-oriented language
  • the execution device further includes detection means that detects that no method of the application program has been called for a certain period of time
  • the determining means makes no determination from the time the detection means detects this until the next time any method is called.
  • the execution device can thus skip the falsification check of the execution environment program while the application is not executing, so that no unnecessary power is consumed.
  • the control means executes the execution environment program when the determining means judges that the values are the same, suppresses execution of the execution environment program when it judges that they are not the same, and may then cut off the power of the execution device.
  • when the execution device detects that the execution environment program has been tampered with, it can turn off its own power, thereby preventing an abnormal operation of the application.
  • alternatively, the control means executes the execution environment program when the determining means judges that the values are the same, suppresses execution of the execution environment program when it judges that they are not the same, and then executes a new execution environment program.
  • when the execution device detects that the execution environment program has been tampered with, it can execute a new, untampered execution environment program, so that execution of the application is not interrupted and its normal operation can be guaranteed.
  • FIG. 1 is a diagram showing a configuration of an execution device according to the present invention.
  • FIG. 2 is a diagram showing data stored in a program storage unit 1500.
  • FIG. 3 (a) is a diagram showing data stored in a test information storage unit 2600.
  • FIG. 3 (b) is a diagram showing a configuration and an example of contents of a hash value 2620.
  • FIG. 4 is a diagram showing a configuration and an example of contents of load address information 2510.
  • FIG. 5 is a flowchart showing a process of an execution device 1000.
  • FIG. 6 is a flowchart showing a VM load process.
  • FIG. 7 is a flowchart illustrating a VM tampering check process.
  • FIG. 8 is a diagram showing a configuration of a subprogram of the virtual machine 1200.
  • FIG. 9 is a diagram showing a configuration and an example of contents of a hash value 2620 in the second embodiment.
  • FIG. 10 is a diagram showing a configuration and an example of contents of load address information 2510 in the second embodiment.
  • FIG. 11 is a flowchart illustrating a process of an execution device 1000 according to the second embodiment.
  • FIG. 12 is a flowchart illustrating an application execution process according to the second embodiment.
  • FIG. 13 is a diagram showing a configuration example of a class file.
  • FIG. 14 is a diagram showing a configuration example of a method.
  • FIG. 15 (a) is a diagram showing a configuration example of attribute_info, and FIG. 15 (b) is a diagram showing a content example of attribute_info.
  • FIG. 16 (a) is a diagram showing an example of a security level designating the period of the tampering check, and FIG. 16 (b) is a diagram showing an example in which the hash function used for the tampering check is changed according to the security level.
  • FIG. 17 is a flowchart illustrating a process of an application execution process 2.
  • FIG. 18 is a diagram showing an example of an XML file in which security levels are recorded.
  • FIG. 19 is a diagram illustrating a configuration of an execution device that detects an idle state.
  • FIG. 20 is a diagram showing a configuration of a conventional technique.
  • the execution device has a tampering checker, running in a secure execution environment that is itself free from tampering, which checks at a predetermined timing whether the virtual machine has been tampered with and, if it determines that the virtual machine has been tampered with, stops its execution.
  • in other words, by ensuring that the virtual machine itself, which is the execution environment of the application, is operating normally, the device attempts to guarantee the normal operation of the application.
  • in the following, a Java (registered trademark) application running on a Java (registered trademark) virtual machine will be described.
  • FIG. 1 is a diagram illustrating a configuration of an execution device according to the present invention.
  • the execution device 1000 includes an application 1100, a virtual machine 1200, an OS (Operating System) 1300, an application acquisition program 1400, a program storage unit 1500, a first CPU (Central Processing Unit) 1900, and a tamper-resistant execution unit 2000.
  • the execution device 1000 has, in addition to the function of executing an application, functions specific to each device (not shown).
  • the execution device 1000 is applicable to any electronic device equipped with a Java (registered trademark) virtual machine, such as a digital television, a set-top box, a DVD recorder, a BD (Blu-ray Disc) recorder, a car navigation terminal, a mobile phone, or a PDA (Personal Digital Assistant).
  • the function of executing the application in the execution device 1000 is the same as the software execution means mounted on a normal personal computer, digital home appliance, or the like.
  • when the execution device 1000 is a digital television, for example, it executes an application that converts received digital data into an image and displays the image.
  • the application 1100 is an application to be executed by the execution device 1000; its application file may also be downloaded from outside the device.
  • the virtual machine 1200 is a Java (registered trademark) virtual machine that sequentially analyzes and executes a program described in the Java (registered trademark) language.
  • the virtual machine 1200 is a software program that simulates a virtual CPU and analyzes and executes Java (registered trademark) instruction code.
  • the OS 1300 is a general term for a technology composed of a kernel and libraries that execute other programs in parallel, and executes the virtual machine 1200 as one such program. Linux is an example.
  • the application acquisition program 1400 is written in the Java (registered trademark) language, and has a function of reading the application 1100 from an external file and executing and controlling the processes necessary for executing the application.
  • the program storage unit 1500 has a function of storing a program of the virtual machine 1200 and the like.
  • the program storage unit 1500 is composed of, for example, a ROM (Read Only Memory), and is specifically a nonvolatile memory such as a flash memory or a hard disk. A recording medium such as a BD-ROM may also be used.
  • the first CPU 1900 has a function of executing the virtual machine 1200, the OS 1300, the application 1100, and the like.
  • the first CPU 1900 has a working memory (hereinafter referred to as "first memory") (not shown), which is configured by a primary memory such as RAM (Random Access Memory), namely SRAM (static random access memory) or DRAM (dynamic random access memory).
  • the tamper-resistant execution unit 2000 includes a tampering check unit 2100, a hash value generation unit 2200, a VM loader 2300, a decryption unit 2400, a load address storage unit 2500, an inspection information storage unit 2600, and a second CPU 2900.
  • the tamper-resistant execution unit 2000 is a program execution means that can execute a program safely while defending against attacks from a malicious third party.
  • the tampering check unit 2100 has a function of checking whether the virtual machine 1200 has been tampered with. When, as a result of the inspection, it is determined that the virtual machine 1200 has been tampered with, it has the function of making the first CPU 1900 stop execution of the virtual machine 1200 and terminate execution of the application.
  • the hash value generation unit 2200 has a function of obtaining a hash value of the virtual machine 1200.
  • a hash value is a value generated by a hash function, an arithmetic technique that produces a fixed-length pseudo-random number from given original text. Because the hash function is an irreversible one-way function, the original text cannot be reproduced from the hash value, and it is extremely difficult to create different data having the same hash value. Therefore, if two hash values differ, it is extremely likely that the original data differ.
  • here, the virtual machine 1200 loaded in the first memory is used as the original text and its hash value is obtained. The hash function is predetermined.
  • the VM loader 2300 has a function of performing a process for enabling the first CPU 1900 to execute the virtual machine 1200 after the execution device 1000 is powered on.
  • a virtual machine program stored in the program storage unit 1500 is loaded into the first memory.
  • the decryption unit 2400 has a function of decrypting an encrypted virtual machine program and the like when the VM loader 2300 loads the virtual machine 1200.
  • the load address storage unit 2500 has a function of storing the address on the first memory of the virtual machine 1200 loaded by the VM loader 2300.
  • the inspection information storage unit 2600 has a function of storing information necessary for the falsification checking unit 2100 to check whether the virtual machine 1200 has been tampered with. The information to be stored will be described later with reference to FIG.
  • the second CPU 2900 has a function of executing the VM loader 2300, the falsification checking unit 2100, and the like.
  • the second CPU 2900 has a working memory (hereinafter referred to as "second memory") (not shown).
  • first CPU 1900 and second CPU 2900 can operate independently.
  • the case where the first CPU 1900 and the second CPU 2900 operate independently of each other means, for example, a case where the execution device 1000 includes a plurality of CPUs and one of them is used as the second CPU 2900.
  • Each function of the execution device 1000 is realized by the CPU executing a program stored in a memory or a hard disk of the execution device 1000.
  • FIG. 2 is a diagram showing data stored in the program storage unit 1500.
  • the program storage unit 1500 stores an encrypted virtual machine program 1510, an encrypted application acquisition program 1520, and an encrypted VM startup class name 1530.
  • the encrypted virtual machine program 1510 is an encrypted version of the virtual machine program. In the present embodiment, it is assumed that the virtual machine program is described in Java (registered trademark) language.
  • the encrypted application acquisition program 1520 is obtained by encrypting the application acquisition program.
  • the application acquisition program is a Java (registered trademark) program that reads the application 1100.
  • These programs can be executed by being loaded into the first memory by the loader.
  • the encrypted VM startup class name 1530 is obtained by encrypting the startup class name of the virtual machine, that is, the name of the class to be executed first when starting up the virtual machine.
  • FIG. 3A is a diagram showing data stored in the test information storage unit 2600.
  • FIG. 3B is a diagram showing a configuration and an example of contents of a hash value 2620 among the data stored in the test information storage unit 2600.
  • the inspection information storage unit 2600 stores a decryption key 2610 and a hash value 2620.
  • the decryption key 2610 is a key for decrypting the encrypted virtual machine program 1510 and the like stored in the program storage unit 1500.
  • the hash value 2620 is a hash value generated based on the virtual machine 1200.
  • more precisely, the hash value 2620 is generated from the virtual machine 1200 as it exists in the first memory after the VM loader 2300 has loaded it there from the encrypted virtual machine program 1510 in the program storage unit 1500.
  • the decryption key 2610 and the hash value 2620 are created and stored in advance. It is also assumed that the portion of the virtual machine 1200 on which the hash value is based does not change after it has been loaded into memory.
  • the hash value 2620 may be created and stored when the encrypted virtual machine program 1510 is first decrypted and loaded.
  • the hash value 2620 is stored in the inspection information storage unit 2600 and includes a program name 2621 and a correct hash value 2622.
  • the program name 2621 is an identifier of the program.
  • the correct hash value 2622 is the hash value generated from the program indicated by the program name 2621 in its untampered state.
  • in the example, the correct hash value 2622 is "3a7f55dc5cc7a95e26dfddde".
  • FIG. 4 is a diagram showing a configuration and an example of contents of the load address information 2510.
  • the load address information 2510 is stored in the load address storage unit 2500 and includes a program name 2621, a start address 2512, and an end address 2513.
  • the program name 2621 is an identifier of the program, similarly to the program name 2621 in FIG.
  • the start address 2512 and the end address 2513 indicate the addresses on the first memory at which the virtual machine 1200 was loaded by the VM loader 2300; the portion of the virtual machine that is the basis of the hash value 2620 is assumed to be this loaded range.
  • in the example, the virtual machine is loaded between the start address 2512 "040000000" and the end address 2513 "04019ffff".
  • FIG. 5 is a flowchart illustrating the process of the execution device 1000.
  • the user turns on the power of the execution device 1000 (step S100).
  • the energized first CPU 1900 starts the OS 1300 (step S110), and the started OS 1300 starts the VM loader 2300 (step S200).
  • the activated VM loader 2300 loads the virtual machine 1200 and the application acquisition program 1400 (step S210), and prepares to execute the application 1100.
  • as a result, the virtual machine 1200 has been loaded into the first memory and the load address information 2510 has been created. The application acquisition program 1400 is also loaded into the first memory. The VM load processing will be described later with reference to FIG. 6.
  • next, the virtual machine 1200 is started (step S120), and the application acquisition program 1400 is started (step S130).
  • the virtual machine is started by executing the class indicated by the VM start class name (see FIG. 2).
  • the VM loader 2300 starts the application acquisition program 1400.
  • the activated application acquisition program 1400 loads the application 1100 and executes the application 1100 (Step S140).
  • at the same time, the VM loader 2300 requests the falsification checking unit 2100 to check whether the virtual machine 1200 has been tampered with.
  • the falsification checking unit 2100 that has received the request checks whether the virtual machine 1200 has been tampered with. That is, VM falsification inspection processing (step S220) is performed. This VM tampering inspection process will be described later with reference to FIG.
  • if the tampering check unit 2100 determines that the virtual machine 1200 has been tampered with (step S230: YES), it notifies the first CPU 1900 of this fact, turns off the power of the execution device 1000, and forcibly terminates the virtual machine 1200 (step S150). At the same time, the processing of the second CPU 2900 ends (step S240).
  • if the falsification checking unit 2100 determines that the virtual machine 1200 has not been tampered with (step S230: NO), it waits for a predetermined time (step S250) and then inspects the virtual machine 1200 for tampering again. This virtual machine tampering check is repeated periodically until the execution device 1000 is shut down.
  • FIG. 6 is a flowchart showing the VM load process.
  • the VM loader 2300 loads the virtual machine 1200 and the application acquisition program 1400 by the following procedure.
  • the encrypted virtual machine program 1510, the encrypted application acquisition program 1520, and the encrypted VM startup class name 1530 are read from the program storage unit 1500 into the second memory (step S300).
  • the VM loader 2300 reads the decryption key 2610 (see FIG. 3) from the inspection information storage unit 2600 (step S310), passes the read decryption key 2610, the encrypted virtual machine program 1510, the encrypted application acquisition program 1520, and the encrypted VM startup class name 1530 to the decryption unit 2400, and requests decryption.
  • the decryption unit 2400 requested to decrypt decrypts the encrypted virtual machine program 1510 and the like using the decryption key 2610 (step S320).
  • FIG. 7 is a flowchart showing the VM tampering inspection process. This processing is performed by the falsification checking unit 2100.
  • the falsification checking unit 2100 reads the load address information 2510 from the load address storage unit 2500 (step S400) and acquires the start address 2512 and end address 2513 at which the virtual machine 1200 is loaded. It then requests the hash value generation unit 2200 to generate a hash value over the virtual machine 1200 in that address range.
  • the hash value generation unit 2200 that has received the request obtains the hash value using the previously stored hash function and returns it to the falsification checking unit 2100 (step S420).
  • the falsification checking unit 2100 reads the hash value 2620 from the inspection information storage unit 2600, acquires the correct hash value 2622 (step S420), and compares the hash value obtained by the hash value generation unit 2200 with the correct hash value 2622 (step S430).
  • if the calculated hash value is the same as the correct hash value 2622 (step S430: YES), it is determined that the virtual machine 1200 has not been tampered with (step S420); otherwise it is determined that the virtual machine 1200 has been tampered with (step S450).
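The check of FIG. 5 and FIG. 7 as an added example, written by this editor and not taken from the patent or from Matsushita. Everything concrete in it is an assumption: the first memory is a bytearray, the load address information 2510 is a small dict, the hash function (which the patent only calls "predetermined") is SHA-256, the VM image and the memory writes between checks are constructed test data, and powering the device off (step S150) is modelled as a return value. Decryption by the decryption unit 2400 is left out; the loader receives an already decrypted image.

```python
"""Added example (not the patent's code): the whole-VM tampering check of
FIG. 5 and FIG. 7 simulated in Python.  Memory layout, VM image, hash
function (SHA-256) and the "power off" model are all assumptions."""
import hashlib
import hmac
from typing import Callable, List, Optional

FIRST_MEMORY_SIZE = 0x10000            # constructed: 64 KiB "first memory"
VM_START = 0x4000                      # constructed load address
VM_IMAGE = bytes(range(256)) * 16      # constructed 4 KiB "virtual machine program"


def hash_range(memory: bytes, start: int, end: int) -> str:
    """Hash value generation unit 2200: hash the bytes loaded in [start, end] (end inclusive)."""
    return hashlib.sha256(memory[start:end + 1]).hexdigest()


def vm_load(memory: bytearray, image: bytes, start: int) -> dict:
    """VM loader 2300: copy the (already decrypted) VM program into first memory
    and return the load address information 2510."""
    end = start + len(image) - 1
    memory[start:end + 1] = image
    return {"program_name": "virtual machine", "start": start, "end": end}


def make_inspection_info(memory: bytes, load_info: dict) -> dict:
    """Inspection information storage unit 2600: correct hash value 2622 taken
    from the freshly loaded, untampered program (the variant in which the
    reference is created at first load rather than stored in advance)."""
    return {"program_name": load_info["program_name"],
            "correct_hash": hash_range(memory, load_info["start"], load_info["end"])}


def vm_tamper_check(memory: bytes, load_info: dict, inspection_info: dict) -> bool:
    """Tampering check unit 2100 (FIG. 7).  Returns True when the VM has been
    tampered with.  hmac.compare_digest keeps the comparison constant-time."""
    current = hash_range(memory, load_info["start"], load_info["end"])
    return not hmac.compare_digest(current, inspection_info["correct_hash"])


def run_periodic_checks(memory: bytearray, load_info: dict, inspection_info: dict,
                        events: List[Callable[[bytearray], None]]) -> Optional[int]:
    """The loop of FIG. 5: check, wait (step S250), check again.  `events` are
    callables applied to memory during each wait.  Returns the number of checks
    that passed before the device would cut its power (step S150), or None if
    every check passed."""
    passed = 0
    for event in events:
        if vm_tamper_check(memory, load_info, inspection_info):
            return passed
        passed += 1
        event(memory)
    if vm_tamper_check(memory, load_info, inspection_info):
        return passed
    return None


def demo() -> Optional[int]:
    """Constructed scenario: a heap write outside the hashed range (not detected),
    then a one-byte patch inside the VM code (detected at the next check)."""
    memory = bytearray(FIRST_MEMORY_SIZE)
    load_info = vm_load(memory, VM_IMAGE, VM_START)
    inspection_info = make_inspection_info(memory, load_info)

    def write_heap(mem: bytearray) -> None:   # outside [start, end]: invisible to the check
        mem[0x8000] = 0x42

    def patch_vm(mem: bytearray) -> None:     # inside the VM image: changes the hash
        mem[VM_START + 0x100] ^= 0xFF

    return run_periodic_checks(memory, load_info, inspection_info,
                               [write_heap, patch_vm, write_heap])


if __name__ == "__main__":
    print("checks passed before power-off:", demo())
```

Two things the simulation makes visible that the flowchart does not: only the recorded address range is hashed, so writes elsewhere (heap, stacks, data the VM legitimately mutates) never trip the check, which is why the patent requires that the hashed portion not change after loading; and a patch applied between two periodic checks runs until the next check, so the period chosen in step S250 bounds how long a tampered VM can execute. The comparison uses hmac.compare_digest so that the checker does not leak, byte by byte, how close a forged image is to the expected digest.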
  • the first embodiment checks at regular intervals whether the virtual machine 1200 as a whole has been tampered with. The second embodiment does not check the entire virtual machine; instead, the check is performed in units of the subprograms that constitute the virtual machine.
  • furthermore, the inspection is performed immediately before a subprogram is executed rather than at a constant period. The reason is that subprograms are created for individual purposes, so inspecting them at regular intervals would in many cases be wasted effort.
  • the configuration of the execution device 1000 is the same as that of FIG. Hereinafter, the sub-programs included in the virtual machine 1200 will be described.
  • FIG. 8 is a diagram illustrating a configuration of a subprogram of the virtual machine 1200.
  • the virtual machine 1200 has a bytecode interpreter 1210, a class loader 1220, a verifier 1230, a heap management unit 1240, a native library 1250, and a JIT compiler 1260. Each of these functional blocks is created by a program, and those programs are called subprograms.
  • the bytecode interpreter 1210 has a function of interpreting and executing the bytecode of the application 1100, and performs the core processing of a Java (registered trademark) virtual machine. It also has a function of requesting the tampering check unit 2100 to check for tampering before calling the subprograms described below.
  • bytecode is hardware-independent intermediate code obtained by compiling source written in the Java (registered trademark) language.
  • the class loader 1220 has a function of reading and loading a class file constituting the application 1100 from an external file.
  • the class loader 1220 also has a function of unloading a class. This function removes unnecessary classes from the virtual machine 1200 after execution ends.
  • the verifier 1230 has a function of checking the data format of a class for defects and the bytecode contained in the class for safety.
  • the class loader 1220 does not load a class that the verifier 1230 has determined to be invalid.
  • the heap management unit 1240 has a function of creating objects in a heap area (not shown) in the first memory and deleting them under the control of the bytecode interpreter 1210. The heap management unit 1240 also performs garbage collection, which releases working memory that is no longer required for application execution and makes it available for reuse for other purposes.
  • the native library 1250 is a library called from a Java (registered trademark) application.
  • the native library 1250 consists of functions provided by the OS 1300, by the hardware of the execution device 1000, by subprograms and the like, which are called from a Java (registered trademark) application.
  • the JIT compiler 1260 has a function of translating bytecode into an executable format that the first CPU 1900 can execute directly.
  • execution device 1000 has a function unit for managing threads, a stack area, and the like (not shown) included in a normal Java (registered trademark) virtual machine.
  • the main data used in the second embodiment that differ from the data used in the first embodiment will be described with reference to FIGS. 9 and 10.
  • FIG. 9 is a diagram showing a configuration and an example of contents of a hash value 2620 (see FIG. 3) in the second embodiment.
  • the hash value 2630 is stored in the inspection information storage unit 2600 and includes a subprogram name 2631 and a correct hash value 2632.
  • the subprogram name 2631 is an identifier of the subprogram.
  • the correct hash value 2632 is the hash value generated from the subprogram indicated by the subprogram name 2631 in its untampered state.
  • in this example, a tampering check is performed immediately before each of the three subprograms "class loader", "bytecode interpreter", and "JIT compiler" is called.
  • FIG. 10 shows the configuration and example contents of the load address information 2520 used in the second embodiment (corresponding to the load address information 2510 of FIG. 4).
  • the load address information 2520 is stored in the load address storage unit 2500 and includes a subprogram name 2521, a start address 2522 and an end address 2523. As in the first embodiment, the hash value obtained from the subprogram loaded between these addresses does not change unless there is tampering.
  • the load address information is recorded when the virtual machine is loaded, or is created when the corresponding subprogram is called for the first time during execution of the virtual machine.
  • the subprogram name 2521 is a program identifier like the subprogram name 2631 of FIG. 9.
  • the start address 2522 and the end address 2523 give the range of addresses in the first memory, within the virtual machine 1200 loaded by the VM loader 2300, at which the subprogram indicated by the subprogram name 2521 resides.
  • for example, the class loader 1220 (see FIG. 8) is loaded between the start address 2522 "040000000" and the end address 2523 "04000ffff".
  • the decryption key 2610 (see FIG. 3), stored in the test information storage unit 2600 together with the hash value, is the same as in the first embodiment.
  • FIG. 11 is a flowchart of the processing of the execution device 1000 according to the second embodiment. It differs from the processing of the first embodiment described with reference to FIG. 5 in the following points: the VM tampering check process (step S220) checks only the subprogram that is about to be called, using the load address corresponding to that subprogram (see FIG. 10) and its correct hash value (see FIG. 9); step S250 of FIG. 6 has been deleted; and the application execution process (step S500), described with reference to FIG. 12, takes its place.
  • FIG. 12 is a flowchart of the application execution process according to the second embodiment. This process is executed repeatedly as the application runs.
  • when execution of the application 1100 starts, the bytecode interpreter 1210 interprets the application's bytecode and subprograms are executed accordingly.
  • the case in which the class loader 1220 is called is described as an example.
  • to execute a method, the bytecode interpreter 1210 asks the class loader 1220 to load the class to which the method belongs.
  • before doing so, the bytecode interpreter 1210 requests the tampering checking unit 2100 of the tamper-resistant execution unit 2000 to check whether the class loader 1220 has been tampered with (step S520; step S501 in FIG. 11; request arrow in FIG. 12).
  • the tampering checking unit 2100 obtains a hash value from the address range of the class loader 1220 (see FIG. 10), compares it with the correct hash value (see FIG. 9), and thereby checks for tampering (FIG. 11: step S220).
  • if no tampering is found (step S230: NO in FIG. 11), that fact is returned to the bytecode interpreter 1210 (response arrow in FIG. 12).
  • the bytecode interpreter 1210, on receiving the notice that the class loader 1220 has not been tampered with, executes the class loader 1220 (step S540).
  • if tampering is found (step S230: YES in FIG. 11), the termination process is performed (step S150, step S240).
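The check of steps S220 and S230, written out as an added Python example; it is not code from the patent, whose tampering checking unit 2100 runs inside the tamper-resistant execution unit 2000. The memory image, the address ranges in LOAD_ADDRESS_INFO and the filler contents of the three subprograms are constructed for the example, the correct hashes are derived from the untampered image rather than read from the test information storage unit 2600, and SHA-256 is assumed as the hash function (FIG. 16(b) of the third embodiment names MD5 and SHA-1; neither is considered collision resistant any more, which is why the example does not use them).

```python
"""Subprogram tamper check modelled on FIG. 9 to FIG. 12 (added example)."""
import hashlib
import hmac

# FIG. 10: load address information, subprogram name -> (start, end), end inclusive.
# Addresses are made up for this example; the image below starts at VM_BASE.
VM_BASE = 0x04000000
LOAD_ADDRESS_INFO = {
    "class loader":         (0x04000000, 0x0400003F),
    "bytecode interpreter": (0x04000040, 0x040000BF),
    "JIT compiler":         (0x040000C0, 0x040000FF),
}
HASH_ALGORITHM = "sha256"   # assumed; the page's FIG. 16(b) uses MD5 or SHA-1 by level


class TamperDetected(RuntimeError):
    """Raised when a subprogram's hash differs from the stored correct hash (step S230: YES)."""


def build_memory_image() -> bytearray:
    """Constructed stand-in for the virtual machine 1200 as loaded into first memory."""
    image = bytearray()
    for name, (start, end) in LOAD_ADDRESS_INFO.items():
        size = end - start + 1
        image += (name.encode() * size)[:size]   # filler bytes, one region per subprogram
    return image


def region_hash(memory: bytes, start: int, end: int) -> str:
    """Hash the bytes loaded between start and end (inclusive) in first memory."""
    lo, hi = start - VM_BASE, end - VM_BASE + 1
    if lo < 0 or hi > len(memory) or lo >= hi:
        raise ValueError("address range lies outside the loaded image")
    return hashlib.new(HASH_ALGORITHM, memory[lo:hi]).hexdigest()


def record_correct_hashes(memory: bytes) -> dict:
    """FIG. 9: subprogram name -> correct hash, taken from the untampered image."""
    return {name: region_hash(memory, s, e) for name, (s, e) in LOAD_ADDRESS_INFO.items()}


def check_subprogram(name: str, memory: bytes, correct: dict) -> bool:
    """Step S220: recompute the hash of the loaded subprogram and compare it."""
    start, end = LOAD_ADDRESS_INFO[name]
    return hmac.compare_digest(region_hash(memory, start, end), correct[name])


def call_subprogram(name: str, memory: bytes, correct: dict, handler):
    """Interpreter side of FIG. 12: check immediately before the call, terminate on mismatch."""
    if not check_subprogram(name, memory, correct):
        raise TamperDetected(f"{name} has been tampered with; termination process (step S240)")
    return handler()


if __name__ == "__main__":
    memory = build_memory_image()
    correct = record_correct_hashes(memory)
    print(call_subprogram("class loader", memory, correct, lambda: "class loaded"))
    memory[0x04000010 - VM_BASE] ^= 0xFF        # simulate tampering inside the class loader
    try:
        call_subprogram("class loader", memory, correct, lambda: "class loaded")
    except TamperDetected as e:
        print("detected:", e)
```

call_subprogram() is the interpreter-side wrapper of FIG. 12: the hash is recomputed over the live memory range each time the subprogram is about to run, so a modification made after the virtual machine was loaded is caught at the next call, and the comparison is constant-time so that the checker itself does not leak how many digest bytes matched.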
  • the third embodiment describes a virtual machine that raises its security level when executing a highly confidential application: the tampering check cycle is shortened, or a hash function with higher detection capability is used for the subprogram.
  • the configuration of the execution device 1000 is the same as that of FIG.
  • FIGS. 13 to 15 show where the security level is specified in the class file, and FIG. 16 shows an example of the security levels specified there.
  • FIG. 13 shows a configuration example of a class file, FIG. 14 a configuration example of a method of the class file, and FIG. 15 the configuration and example contents of the attribute information.
  • a new attribute is added to this attribute information so that a security level can be specified. The attribute information is defined in the Java (registered trademark) virtual machine specification, which allows users to define and add new attributes.
  • the class file 7200 is made up of a number of elements. Only the method information (7210, 7220), attribute information (7230, 7240) and constant pool information (7250), which are particularly relevant to this embodiment, are described here; detailed description of the other elements is omitted.
  • methods_count 7210 is the number of methods in the class file 7200.
  • methods[methods_count] 7220 is an array of the method_info 7221 described with reference to FIG. 14.
  • attributes_count 7230 is the number of attributes of the class file.
  • attributes[attributes_count] 7240 is an array of the attribute_info 7241 described with reference to FIG. 15.
  • constant_pool[constant_pool_count-1] 7250 is an array holding constants, class names, and the like; constant_pool_count is the number of its entries.
  • method_info consists of access_flags 7301, name_index 7302, descriptor_index 7303, attributes_count 7304 and attributes 7305.
  • access_flags 7301 stores the conditions under which this method can be called, for example whether it can be called only from its own class or from all classes.
  • name_index 7302 is an index into the constant_pool; the constant_pool entry at this index holds the name of this method.
  • descriptor_index 7303 is an index into the constant_pool; the entry at this index describes the argument and return types of this method.
  • attributes_count 7304 is the number of entries in the following attributes 7305.
  • attributes[attributes_count] 7305 is an array of the attribute_info 7241 described with reference to FIG. 15 and stores the attributes of this method, for example the Code attribute that holds the bytecode.
  • FIG. 15(a) shows a configuration example of attribute_info, and FIG. 15(b) a content example.
  • the attribute_info 7241 consists of attribute_name_index 7401, attribute_length 7402 and info 7403.
  • attribute_name_index 7401 is the index of the constant_pool 7250 entry that holds the name of this attribute (for example "Code").
  • attribute_length 7402 is the number of bytes of the following info 7403, and info 7403 stores the value of the attribute. For a Code attribute, the bytecode is stored in info 7403.
  • since the Java (registered trademark) virtual machine specification permits extended attributes, that is, the addition of new attributes, a security attribute indicating the security strength required for a method or a class is newly added here.
  • FIG. 15(b) shows an example of the security attribute.
  • the attribute_name_index 7501 value "19" indicates that the 19th entry of the constant_pool 7250 holds the name of the security attribute.
  • info 7503 indicates the security level of the method or class having this security attribute.
  • in this way the Java (registered trademark) virtual machine 1200 can recognize the security level required for the method being executed.
  • FIG. 16 shows examples of the security level. FIG. 16(a) is an example of security levels that specify the tampering check cycle, and FIG. 16(b) is an example in which the hash function used for the tampering check is changed according to the security level.
  • the security information 2690 of FIG. 16(a) can be used, for example, with the first embodiment, which inspects the entire virtual machine 1200 (see FIG. 1).
  • the security information 2680 of FIG. 16(b) can be used, for example, with the second embodiment, which inspects each subprogram.
  • the higher the value of the security level 2691, the higher the required degree of security; a method or class of security level 0 needs no special protection.
  • the security information 2690 includes a security level 2691 and a cycle 2692.
  • the security level 2691 is a numerical value representing the security level, and this value is set in info 7403 (see FIG. 15).
  • the cycle 2692 specifies the period at which the tampering check is performed; a higher security level is given a shorter period.
  • the security information 2680 of FIG. 16(b) includes a security level 2691 and a hash function 2681.
  • the security level 2691 is the same as in FIG. 16(a).
  • the hash function 2681 specifies the hash function used to generate the hash value. For example, if a subprogram is first called from a method whose security level 2691 is "1", the hash value of that subprogram is obtained with the hash function 2681 "MD5 (Message Digest 5)"; if security level 2691 "2" is set, the hash value of the subprogram is obtained with the hash function 2681 "SHA-1 (Secure Hash Algorithm 1)".
  • the processing according to the security level may be different from this. For example, while a class of security level 3 is loaded in the virtual machine 1200 a tampering check is performed once every 10 seconds, whereas if the highest level is 1 it is performed once every 60 seconds, and if no class of a security level above 0 is loaded no tampering check is performed at all.
  • in this way the frequency of tampering checks can be changed flexibly and unnecessary checks reduced. In this case, the tampering check is carried out per class.
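Reading the security attribute of FIG. 15(b) out of a class file, as an added Python example (not the patent's code). The page says only that attribute_name_index points at the constant_pool entry holding the attribute's name and that info holds the level; the attribute name "Security", the one-byte encoding of the level, the class file returned by build_sample_class() (assembled by hand, not compiled from Java source) and its method names decrypt and render are assumptions. The hash function table follows FIG. 16(b).

```python
"""Reading the extended security attribute from a class file (added example)."""
import struct

SECURITY_ATTRIBUTE = "Security"                             # assumed name of the extended attribute
HASH_FUNCTION_FOR_LEVEL = {0: None, 1: "md5", 2: "sha1"}   # FIG. 16(b); level 0 = no check

# Byte sizes of the fixed-length constant_pool entries (JVM spec, table 4.4-A);
# tag 1 (CONSTANT_Utf8) is variable length and handled separately.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _parse_constant_pool(data: bytes, off: int):
    """Return (pool, new_offset); pool[i] is a str for Utf8 entries, raw bytes otherwise."""
    (count,) = struct.unpack_from(">H", data, off)
    off += 2
    pool = [None]                                  # constant_pool is 1-indexed
    while len(pool) < count:
        tag = data[off]
        off += 1
        if tag == 1:                               # u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool.append(data[off:off + length].decode("utf-8"))
            off += length
        else:
            size = CP_FIXED_SIZE[tag]
            pool.append(bytes(data[off:off + size]))
            off += size
            if tag in (5, 6):                      # Long and Double take two slots
                pool.append(None)
    return pool, off


def _parse_attributes(data: bytes, off: int, pool):
    """Return ([(attribute name, info bytes), ...], new_offset) for one attributes table."""
    (count,) = struct.unpack_from(">H", data, off)
    off += 2
    attrs = []
    for _ in range(count):
        name_index, length = struct.unpack_from(">HI", data, off)   # attribute_name_index, attribute_length
        off += 6
        attrs.append((pool[name_index], bytes(data[off:off + length])))
        off += length
    return attrs, off


def _security_level(attrs) -> int:
    """Level from the Security attribute's info, assumed to be a single byte; 0 if absent."""
    for name, info in attrs:
        if name == SECURITY_ATTRIBUTE:
            if len(info) != 1:
                raise ValueError("malformed Security attribute")
            return info[0]
    return 0


def security_levels(class_bytes: bytes):
    """Return (class level, {method name: level}) read from a class file (FIG. 13, FIG. 14)."""
    (magic,) = struct.unpack_from(">I", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off = _parse_constant_pool(class_bytes, 8)           # skip magic, minor, major
    off += 6                                                   # access_flags, this_class, super_class
    (n_interfaces,) = struct.unpack_from(">H", class_bytes, off)
    off += 2 + 2 * n_interfaces
    (n_fields,) = struct.unpack_from(">H", class_bytes, off)
    off += 2
    for _ in range(n_fields):                                  # field_info: three u2, then attributes
        _, off = _parse_attributes(class_bytes, off + 6, pool)
    (n_methods,) = struct.unpack_from(">H", class_bytes, off)
    off += 2
    methods = {}
    for _ in range(n_methods):                                 # method_info, FIG. 14
        _flags, name_index, _desc = struct.unpack_from(">HHH", class_bytes, off)
        attrs, off = _parse_attributes(class_bytes, off + 6, pool)
        methods[pool[name_index]] = _security_level(attrs)
    class_attrs, _ = _parse_attributes(class_bytes, off, pool)
    return _security_level(class_attrs), methods


# Constructed sample class file (hand-built for this example, not compiled from Java source).
def _u1(v): return struct.pack(">B", v)
def _u2(v): return struct.pack(">H", v)
def _u4(v): return struct.pack(">I", v)
def _utf8(s): return _u1(1) + _u2(len(s)) + s.encode()
def _attr(name_index, info): return _u2(name_index) + _u4(len(info)) + info
def _method(name_index, attrs):
    return _u2(0x0001) + _u2(name_index) + _u2(8) + _u2(len(attrs)) + b"".join(attrs)


def build_sample_class() -> bytes:
    """Class 'Main' with methods decrypt (Security level 2) and render (no Security attribute)."""
    pool = [_utf8("Main"), _u1(7) + _u2(1), _utf8("java/lang/Object"), _u1(7) + _u2(3),
            _utf8(SECURITY_ATTRIBUTE), _utf8("Code"), _utf8("decrypt"), _utf8("()V"), _utf8("render")]
    code = _attr(6, b"\0" * 4)        # placeholder Code attribute; bodies are opaque to the parser
    methods = [_method(7, [code, _attr(5, b"\x02")]), _method(9, [code])]
    return (_u4(0xCAFEBABE) + _u2(0) + _u2(49) + _u2(len(pool) + 1) + b"".join(pool)
            + _u2(0x0021) + _u2(2) + _u2(4) + _u2(0) + _u2(0)    # flags, this, super, interfaces, fields
            + _u2(len(methods)) + b"".join(methods)
            + _u2(1) + _attr(5, b"\x01"))                        # class-level Security attribute: level 1
```

security_levels() walks the constant_pool first because attribute names are only indices into it, then skips fields and reads every method's attributes table; an attribute it does not recognise is kept opaque, which is what the virtual machine specification requires of unknown attributes. In FIG. 15(b) the name sits at constant_pool index 19; in the constructed file it is at index 5.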
  • the application execution process 2 (step S600), which corresponds to the application execution process (step S500), is described with reference to FIG. 17.
  • FIG. 17 is a flowchart of the application execution process 2. This process is executed repeatedly as the application runs.
  • when execution of the application 1100 starts, the bytecode interpreter 1210 interprets the application's bytecode and a method in the virtual machine (hereinafter "VM method") is executed.
  • the bytecode interpreter 1210 first extracts the security level of the VM method (step S610); specifically, it extracts the value of info 7503 of the attribute whose attribute_name_index 7501 is "19" (see FIG. 15(b)).
  • if the extracted security level is greater than "0" (step S620: YES), that is, if a tampering check is required, the bytecode interpreter 1210 requests the tampering checking unit 2100 of the tamper-resistant execution unit 2000 to check whether the VM method has been tampered with (step S630; step S501 in FIG. 11; request arrow in FIG. 17).
  • the tampering checking unit 2100, on receiving the request, performs the tampering check process for the requested method (FIG. 11: step S220).
  • for this purpose the hash value 2630 of FIG. 9 must record a hash value for each method instead of for each subprogram, and likewise the load address information 2520 of FIG. 10 must record an address range for each method.
  • if no tampering is found (step S230: NO in FIG. 11), that fact is returned to the bytecode interpreter 1210 (response arrow in FIG. 17).
  • the bytecode interpreter 1210, on receiving the notice that the method has not been tampered with, executes the method (step S640).
  • if the tampering checking unit 2100 determines that there is tampering (step S230: YES in FIG. 11), the termination process is performed (step S150, step S240).
  • the execution device according to the present invention has been described on the basis of the embodiments, but it can be partially modified and the invention is not limited to the embodiments above. That is:
  • an application that is to be checked periodically from activation to termination may enter an idle state, that is, a state in which its execution has stopped. During such a period the tampering check may be suspended and started again when execution resumes; alternatively, the tampering check period may be lengthened while the application is idle. Whether the application is idle can be determined by checking the state of the threads managed by the Java (registered trademark) virtual machine 1200.
  • a frame is generated on a thread's stack each time a method is called and discarded when the method ends, so if no frame is generated or destroyed for a certain time the thread can be judged to be idle. This fixed time depends on the application.
  • an idle detection unit 1600 that detects the idle state in this way is added to the execution device 1000 (FIG. 19).
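The check cycle of FIG. 16(a) combined with the idle-state modification just described, as an added Python example (not the patent's code). The 60 s period for level 1 and the 10 s period for level 3 are the page's own figures; the 30 s period for level 2, the 5 s quiet time after which a thread is treated as idle (the page says this time depends on the application), the factor by which the period is lengthened while idle, and the event trace in the usage are assumptions constructed for the example.

```python
"""Check scheduling by security level (FIG. 16(a)) with idle detection (added example)."""
from dataclasses import dataclass, field

# FIG. 16(a): check period in seconds per security level; None = no check for level 0.
# 60 s (level 1) and 10 s (level 3) are from the text; 30 s for level 2 is assumed.
PERIOD_FOR_LEVEL = {0: None, 1: 60.0, 2: 30.0, 3: 10.0}
IDLE_AFTER = 5.0            # assumed: seconds without a frame push/pop before a thread is idle
IDLE_PERIOD_FACTOR = 4.0    # assumed: how much the period is lengthened while the application is idle


@dataclass
class IdleDetector:
    """Idle detection unit 1600: tracks the last time each thread created or destroyed a frame."""
    last_frame_event: dict = field(default_factory=dict)   # thread id -> time of last push/pop

    def on_frame_event(self, thread_id: int, now: float) -> None:
        self.last_frame_event[thread_id] = now

    def is_idle(self, now: float) -> bool:
        # Idle when every thread has been quiet for IDLE_AFTER seconds (no threads counts as idle).
        return all(now - t >= IDLE_AFTER for t in self.last_frame_event.values())


@dataclass
class CheckScheduler:
    """Decides when the tampering checking unit 2100 should be asked to run a check."""
    idle: IdleDetector
    loaded_levels: set = field(default_factory=set)   # security levels of the classes currently loaded
    last_check: float = 0.0

    def period(self, now: float):
        level = max(self.loaded_levels, default=0)    # the most demanding loaded class sets the cycle
        base = PERIOD_FOR_LEVEL[level]
        if base is None:
            return None
        return base * IDLE_PERIOD_FACTOR if self.idle.is_idle(now) else base

    def due(self, now: float) -> bool:
        period = self.period(now)
        if period is None or now - self.last_check < period:
            return False
        self.last_check = now
        return True


def simulate(frame_events, loaded_levels, end_time: int):
    """Drive the scheduler over a constructed trace at 1 s ticks; return the check times."""
    idle, fired = IdleDetector(), []
    sched = CheckScheduler(idle, set(loaded_levels))
    for tick in range(end_time + 1):
        now = float(tick)
        for thread_id, when in frame_events:
            if when == now:
                idle.on_frame_event(thread_id, now)
        if sched.due(now):
            fired.append(now)
    return fired


if __name__ == "__main__":
    # Constructed trace: thread 1 is busy until t = 9 s, idle until t = 60 s, then active once more.
    trace = [(1, 1.0), (1, 3.0), (1, 5.0), (1, 7.0), (1, 9.0), (1, 60.0)]
    print(simulate(trace, {3}, 80))   # [10.0, 50.0, 60.0]
```

The scheduler takes the highest security level among the loaded classes, so loading one level-3 class shortens the cycle for the whole virtual machine until it is unloaded, and a frame event on any thread ends the idle state immediately, which can make the next check due at once.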
  • in the embodiments the first CPU 1900 of the execution device 1000 and the second CPU 2900 of the tamper-resistant execution unit 2000 are physically different CPUs, but one CPU may be operated virtually as two CPUs, or a specific core may be operated as the second CPU.
  • likewise, the execution device 1000 and the tamper-resistant execution unit 2000 each have their own RAM and ROM in the embodiments, but one RAM may be treated virtually as two RAMs and one ROM as two ROMs. The ROM of the tamper-resistant execution unit 2000 may also be mounted on the second CPU 2900.
  • instead of the termination process (step S150) when tampering is detected, the virtual machine may be updated without turning the power off and processing continued: the tampering checking unit 2100 that detected the tampering instructs the VM loader 2300 to reload the virtual machine program from the program storage unit 1500. Since the reloaded virtual machine has not been tampered with, the new virtual machine is executed and processing of the application continues.
  • in the embodiments the security level is embedded in an extended attribute of the class file, but it may be specified in other ways. For example, the application acquisition program 1400 acquires an XML file recording the security levels together with the application and passes it to the virtual machine 1200, so that the virtual machine 1200 can know the security level of each method.
  • FIG. 18 shows an example of such an XML file: "<securemethod>" 5001 marks the start of a security level setting, "<name>Main.class</name>" 5002 specifies the class for which the security level is set, and "<level>1</level>" 5003 specifies the security level to set.
  • in the embodiments the application executed by the execution device 1000 is downloaded from outside the device by the application acquisition program 1400, for example from a server on the Internet. The application acquisition program 1400 uses TLS (Transport Layer Security), HTTP and the like. TLS is a data transfer method that uses encryption to prevent eavesdropping on and tampering with data during communication (see RFC 2246); HTTP is the data transfer method generally used for data communication on the Internet (see RFC 2616). RFC stands for Request For Comments.
  • the application executed by the execution device 1000 may also be a Java (registered trademark) application embedded as data broadcasting in an MPEG (Moving Picture Experts Group) 2 transport stream of a digital broadcast. In that case the application acquisition program 1400 is a program that reads the Java (registered trademark) application embedded in the transport stream into the execution device 1000. One method of embedding a Java (registered trademark) program in an MPEG-2 transport stream is DSM-CC, which encodes a file system of directories and files, as used on a computer, into the packets of an MPEG-2 transport stream (MPEG standard ISO/IEC 1381...).
  • the application executed by the execution device 1000 may also be a Java (registered trademark) application recorded on an SD card (Secure Digital card), a CD-ROM (Compact Disc Read Only Memory), a DVD (Digital Versatile Disc), a Blu-ray Disc or the like. In that case the application acquisition program 1400 is a program that reads the application from these recording media.
  • the application executed on the execution device 1000 may also be a Java (registered trademark) application stored in ROM in the execution device 1000. In that case the application acquisition program 1400 is a program that reads the Java (registered trademark) application from the ROM into working memory.
  • in the embodiments the application acquisition program 1400 and the like are written in the Java (registered trademark) language, but they may be realized by a program written in a native language with the same function, or by hardware.
  • the application executed in the virtual machine is not limited to one written in the Java (registered trademark) language; it may be written in another object-oriented language such as C++. The Java (registered trademark) virtual machine itself may be written in an object-oriented or a non-object-oriented language.
  • in the embodiments the security level takes values such as "0" to "2", but the invention is not limited to this; the security strength may be set in four or more levels, or in two levels, one in which a tampering check is necessary and one in which it is not.
  • the tamper-resistant execution unit 2000 of the embodiments can be realized, for example, by using ARM's TrustZone (registered trademark) technology.
  • with TrustZone (registered trademark) technology, hardware resources such as RAM and ROM can be virtually allocated to an execution environment called the secure domain. RAM and ROM assigned to the secure domain can be used only by programs operating in the secure domain and cannot be used at all by programs operating outside it.
  • a conventional CPU has two modes: a normal mode in which applications operate and a privileged mode in which the OS and the like operate, and a program operating in privileged mode cannot be altered by a program operating in normal mode. TrustZone (registered trademark) technology adds a new special mode called monitor mode, which is entered by executing a special instruction provided by the CPU.
  • security information called the S-bit is signalled to peripheral hardware such as RAM and ROM. RAM and ROM compatible with TrustZone (registered trademark) technology permit reading and writing of the area allocated to the secure domain only when the S-bit is signalled, whereas reading and writing of areas not assigned to the secure domain are permitted regardless of whether the S-bit is signalled.
  • the tamper-resistant execution unit 2000 can thus be realized by a secure domain.
  • Intel's LaGrande technology similarly provides functions for virtually separating the domain in which ordinary applications and the OS operate from the domain in which applications requiring protection operate; the tamper-resistant execution unit 2000 can also be realized by using such a technology.
  • the tamper-resistant execution unit 2000 may be built into the execution device 1000, or may be a smart card, IC card or the like that is detachable from the execution device 1000. Such smart cards and IC cards contain a CPU, memory and security circuits inside the card. The entire tamper-resistant execution unit 2000 may also be realized in hardware.
  • data communication between the first CPU and the second CPU must be encrypted so that it cannot be eavesdropped on by a third party: data sent over the data bus (not shown) connecting the two CPUs is encrypted before transmission and decrypted after reception.
  • the embodiments take the Java (registered trademark) virtual machine as the example of the execution environment program, but it may be another execution environment or an OS, which is then subjected to the tampering check in the same way. For example, if the application is an image display program that displays image data, the image display program corresponds to the execution environment program of the embodiments and the image data to the application of the embodiments, and the image display program is therefore the target of the tampering check.
  • in the first embodiment the entire virtual machine is inspected periodically and in the second embodiment each subprogram of the virtual machine is inspected immediately before execution, but the invention is not limited to this; the tampering determination may be made at a finer granularity than the subprogram, for example per function.
  • the tampering check is based on whether the hash values generated from the execution environment program are identical, but another checking method may be used. For example, a copy of the program to be inspected may be stored and compared with the program being executed to check for tampering.
  • a program that causes a CPU to execute each control process (see FIG. 1 and the like) realizing the functions of the execution device described in the embodiments can be recorded on a recording medium or distributed through various communication paths. Such recording media include IC cards, optical discs, flexible disks, ROMs, flash memories and the like. The distributed program is put to use by being stored in a memory or the like readable by the CPU of a device, and each function of the execution device described in the embodiments is achieved by the CPU executing that program.
  • NTT DoCoMo provides a service called i-appli, in which a mobile phone terminal downloads a Java (registered trademark) program from an application distribution server on the Internet and executes it on the terminal.
  • in digital broadcasting based on the DVB-MHP (Digital Video Broadcasting-Multimedia Home Platform) standard, a digital TV receives and executes a Java (registered trademark) program multiplexed onto the broadcast wave.

Abstract

An execution device stores an application execution environment program and a hash value generated from that execution environment program. Immediately before executing the execution environment program it generates a hash value from the program and determines whether the generated hash value is identical to the stored hash value. If they are determined to be identical, the execution environment program is executed; if they are determined not to be identical, execution of the execution environment program is suppressed.
PCT/JP2005/006303 2004-04-02 2005-03-31 Execution device WO2005096121A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004-109777 2004-04-02
JP2004109777A JP2007226277A (ja) 2004-04-02 2004-04-02 Virtual machine tampering inspection method and virtual machine tampering inspection device

Publications (1)

Publication Number Publication Date
WO2005096121A1 (fr) 2005-10-13

Family

ID=35063959

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2005/006303 WO2005096121A1 (fr) 2004-04-02 2005-03-31 Execution device

Country Status (2)

Country Link
JP (1) JP2007226277A (fr)
WO (1) WO2005096121A1 (fr)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4698285B2 (ja) * 2005-05-19 2011-06-08 Fujitsu Limited Information processing device, information processing method and computer program
US8099786B2 (en) * 2006-12-29 2012-01-17 Intel Corporation Embedded mechanism for platform vulnerability assessment
JP4664339B2 (ja) * 2007-09-07 2011-04-06 Optim Corp. Network connection method and network device
JP2009080772A (ja) * 2007-09-27 2009-04-16 Toppan Printing Co., Ltd. Software startup system, software startup method and software startup program
WO2009048158A1 (fr) * 2007-10-09 2009-04-16 Nec Corporation File control device, file control program and file control method
JP5034921B2 (ja) * 2007-12-14 2012-09-26 Sony Corporation Information processing device, disc, information processing method and program
JP2009282751A (ja) * 2008-05-22 2009-12-03 Toyota Infotechnology Center Co Ltd Program inspection system and method
JP2010020621A (ja) * 2008-07-11 2010-01-28 Toyota Infotechnology Center Co Ltd Program repair system and method
JP5446167B2 (ja) * 2008-08-13 2014-03-19 Fujitsu Limited Anti-virus method, computer and program
US20100083381A1 (en) * 2008-09-30 2010-04-01 Khosravi Hormuzd M Hardware-based anti-virus scan service
DK2462507T3 (da) * 2009-08-04 2019-09-23 Univ Carnegie Mellon Methods and apparatuses for a user-verifiable secure path in the presence of malware
US8635705B2 (en) * 2009-09-25 2014-01-21 Intel Corporation Computer system and method with anti-malware
GB2484717B (en) * 2010-10-21 2018-06-13 Advanced Risc Mach Ltd Security provision for a subject image displayed in a non-secure domain
US20120179904A1 (en) * 2011-01-11 2012-07-12 Safenet, Inc. Remote Pre-Boot Authentication
JP5798959B2 (ja) * 2012-03-16 2015-10-21 NTT Data Corporation Package generation device, package generation method and program
JP6119345B2 (ja) * 2013-03-21 2017-04-26 Dai Nippon Printing Co., Ltd. IC chip, IC card, verification processing method and verification processing program
JP6065115B2 (ja) 2013-07-02 2017-01-25 Fujitsu Limited Machine provisioning method, machine provisioning system and machine provisioning program
JP6201521B2 (ja) * 2013-08-23 2017-09-27 Dai Nippon Printing Co., Ltd. Information storage medium, bytecode execution method and program for information storage medium
EP3026559A1 (fr) * 2014-11-28 2016-06-01 Thomson Licensing Method and device for providing verification of the integrity of an application
JP7105640B2 (ja) 2018-07-10 2022-07-25 Canon Inc. Image processing device, control method therefor, and program
JP7207519B2 (ja) * 2019-03-19 2023-01-18 NEC Corporation Information processing device, information processing method and program
JP7290166B2 (ja) * 2019-07-22 2023-06-13 NEC Corporation Security management device, security management method and program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11338699A (ja) * 1998-05-11 1999-12-10 International Business Machines Corp. Program processing method, method for detecting the depth of a frame related to a specified method, detection method, and computer
JP2003511772A (ja) * 1999-10-08 2003-03-25 General Instrument Corporation Object and resource security system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
GARFINKEL T. ET AL.: "Terra: A Virtual Machine-Based Platform for Trusted Computing", 22 October 2003 (2003-10-22), XP002340992 *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007000993A1 (fr) * 2005-06-28 2007-01-04 Matsushita Electric Industrial Co., Ltd. Verification method, system and program, information processing device, recording medium and certification program
US8474049B2 (en) 2005-06-28 2013-06-25 Panasonic Corporation Verification method, information processing device, recording medium, verification system, certification program, and verification program
JP2008005156A (ja) * 2006-06-21 2008-01-10 Matsushita Electric Ind Co Ltd Information processing terminal and state notification method
US8392988B2 (en) 2007-02-09 2013-03-05 Ntt Docomo, Inc. Terminal device and method for checking a software program
WO2008096891A1 (fr) * 2007-02-09 2008-08-14 Ntt Docomo, Inc. Terminal device and software inspection method
EP2120176A4 (fr) * 2007-02-09 2016-05-18 Ntt Docomo Inc Terminal device and software inspection method
JP2009009372A (ja) * 2007-06-28 2009-01-15 Panasonic Corp Information terminal, client-server system and program
JP2009211686A (ja) * 2007-12-20 2009-09-17 Fujitsu Ltd Trusted computing method, computing transaction method and computer system
US8539551B2 (en) 2007-12-20 2013-09-17 Fujitsu Limited Trusted virtual machine as a client
JP2009200803A (ja) * 2008-02-21 2009-09-03 Ricoh Co Ltd Image forming apparatus, information processing method and information processing program
JP2009244982A (ja) * 2008-03-28 2009-10-22 Fujifilm Corp Storage device and digital camera
JP2010009323A (ja) * 2008-06-26 2010-01-14 Ntt Docomo Inc Image inspection device, OS device and image inspection method
JP2012510650A (ja) * 2008-08-28 2012-05-10 Microsoft Corporation Protecting a virtual guest machine from attacks by an infected host
US8954897B2 (en) 2008-08-28 2015-02-10 Microsoft Corporation Protecting a virtual guest machine from attacks by an infected host
JP2011150656A (ja) * 2010-01-25 2011-08-04 Toyota Infotechnology Center Co Ltd Program inspection system
JP2012058991A (ja) * 2010-09-08 2012-03-22 Fujitsu Toshiba Mobile Communications Ltd Information processing device
JP2012174228A (ja) * 2011-02-24 2012-09-10 Kyocera Corp Program protection device and communication device
JP2016506107A (ja) * 2012-11-22 2016-02-25 Huawei Technologies Co., Ltd. Management control method, apparatus and system for virtual machine
US9698988B2 (en) 2012-11-22 2017-07-04 Huawei Technologies Co., Ltd. Management control method, apparatus, and system for virtual machine
JP2016024821A (ja) * 2014-07-16 2016-02-08 General Electric Company System and method for verifying the trustworthiness of a running application
WO2019155792A1 (fr) * 2018-02-07 2019-08-15 Sony Corporation Information processing device, information processing method and program
JPWO2019155792A1 (ja) * 2018-02-07 2021-02-12 Sony Corporation Information processing device, information processing method and program
JP7200952B2 (ja) 2018-02-07 2023-01-10 Sony Group Corporation Information processing device, information processing method and program

Also Published As

Publication number Publication date
JP2007226277A (ja) 2007-09-06

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP