WO2006129641A1 - Computer system and program generation device - Google Patents
Computer system and program generation device
- Publication number
- WO2006129641A1 (PCT/JP2006/310744)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- program
- secure
- management area
- instruction
- secure program
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/468—Specific access rights for resources, e.g. using capability register
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
Definitions
- the present invention relates to a technique for preventing unauthorized tampering and analysis of a program.
- some software sold as packages requires users to enter passwords to prevent illegal copying.
- Such software includes code (a computer program) that checks whether the password is correct. If an unauthorized user somehow identifies the location in the software of the code that performs this check, and tampers with this code to invalidate the check, the unauthorized user can use the software without knowing the password.
- paid digital content that can be viewed on a PC (personal computer) has been provided.
- This paid digital content is encrypted to prevent unauthorized copying, and software for viewing the content includes a decryption algorithm and a decryption key for decrypting the encrypted content. If a malicious user can analyze the viewing software and identify the decryption key, it is possible to create software that can illegally copy the digital content.
- Non-Patent Document 1 describes basic principles and specific methods for preventing software analysis.
- Non-Patent Document 2 describes technical problems of TRCS (Tamper Resistant Coding System) developed as a tool for preventing software analysis and countermeasures.
- Non-Patent Document 3 describes technology for preventing the invalidation of the software protection (copy-protect technology) that prevents illegal copying of software.
- Non-Patent Document 1: "Protect software from reverse analysis and modification", Nikkei Electronics, 1998.1.5 (P209-220)
- Non-Patent Document 2: "Software tamper resistance technology", Fuji Xerox Technical Report No. 13
- Non-Patent Document 3: "The Protect", Shuwa System Publishing, 1985
- Patent Document 1: Japanese Patent Laid-Open No. 11-15705
- an object of the present invention is to provide a computer system, an integrated circuit, and a program generation device that can make it difficult for a fraud analyst to specify a secret process.
- the present invention provides a computer system comprising: a processor that reads and decodes each instruction included in a basic program, a normal program, and a secure program, and operates according to a result of the decoding; and a memory unit that includes a management area and a non-management area different from the management area.
- the basic program constitutes an operating system and uses only the management area as its access space.
- the normal program includes an instruction to access the management area via the basic program.
- the secure program is a program independent of the operating system, and includes an instruction for accessing only the unmanaged area as its access space.
- the secure program can access an unmanaged area of the operating system without depending on the basic program that is the operating system.
- the normal program cannot access the non-managed area of the operating system, because it accesses the management area of the operating system via the basic program that is the operating system.
- as a result, a software debugger cannot access the unmanaged area, which has the excellent effect of keeping access to the unmanaged area by the secure program safe.
- the management area further stores the basic program and the normal program
- the non-management area further stores the secure program
- the processor may read each instruction included in the basic program and the normal program stored in the management area, and read each instruction included in the secure program stored in the non-management area.
- the secure program may include a command for performing a concealment process on information to be concealed stored in the non-management area.
- the software debugger cannot access the confidential information that the secure program stores in the non-managed area of the operating system, and the contents of the confidential information can be kept safe.
- the management area may further store a switching program including an instruction for switching execution from the basic program to the secure program in accordance with an instruction from the basic program, and the processor further reads and decodes the instructions included in the switching program stored in the management area.
- the basic program further includes an instruction for instructing the switching program to switch to the secure program, and the secure program may further include an instruction for switching execution from the secure program to the basic program after the concealment process is completed.
- the switching program includes an instruction for returning the setting of the stack pointer to the one used by the basic program when switching execution from the secure program to the basic program.
- an instruction for returning the stack pointer setting to that used by the secure program may be included.
- the setting of the stack pointer is returned to that used by the basic program, so that the basic program processing can be continued.
- the stack pointer setting is returned to the one used by the secure program, so that the secure program process can be continued.
- the secure program may be obfuscated.
- the data used by the target software is initialized.
- the fraud analyst tries to analyze the software to be analyzed using a software initialization sequence.
- an unauthorized analyst may focus on the data initialization process and identify the location where the confidential information is used.
- the secure program requires an initialization process, and the initialization process may be performed by a plurality of initialization programs.
- each initialization process is performed using a plurality of initialization programs, so that the initialization process is divided and distributed, and it becomes difficult for an unauthorized analyst who focuses on the data initialization process to identify the location where confidential information is used.
- the plurality of initialization programs may be executed prior to the concealment process by the secure program.
- each initialization process is carried out by executing each initialization program prior to the concealment process by the secure program, so that no incorrect initial value is used in the concealment process and no incorrect processing is performed.
- a part of the plurality of initialization programs may be executed at a time different from that of the other initialization programs.
- As a document relating to a high-speed memory initialization process, there is a memory management method disclosed in Patent Document 1. However, this method is not effective for improving the security of the program data initialization process.
- a part of the initialization programs may be executed immediately after the computer system is reset, and the initialization program included in the secure program may be executed when the execution of the secure program is requested.
- the code executed by the secure program (existing on the ROM) and the work memory used by the secure program (existing on the RAM) are areas outside the OS management. This makes it possible to prevent analysis from a software debugger running on the OS.
- since the secure program operates in an environment independent of the OS, the portability of the secure program across OSes is very high. Furthermore, since the secure program does not have to be changed for the OS when porting to another OS, it can be ported without lowering the security level.
- FIG. 1 is a system configuration diagram showing a configuration of a secure processing system 1.
- FIG. 2 is a block diagram showing a configuration of a compiling device 30.
- FIG. 3 is a block diagram showing a configuration of a compiling device 40.
- FIG. 4 is a block diagram showing configurations of a memory card 20 and a mobile phone 10.
- FIG. 5 is an arrangement diagram showing an arrangement of data in a memory 107.
- FIG. 6 is an arrangement diagram showing the arrangement of each section of binary data.
- FIG. 7 is a diagram showing a correspondence relationship between physical addresses and logical addresses in the memory 107.
- FIG. 8 is an arrangement diagram showing the contents of secure program 202 and secure program work memory 602.
- FIG. 9 is a data structure diagram showing a data structure of an API branch table 800.
- FIG. 10 is a diagram showing a sequence from when the OS program 210 is started after the reset until the application software operating on the OS is started.
- FIG. 11 is a diagram showing a sequence until the initialization process of the ZI section of the secure program 202 is completed.
- FIG. 12 is a diagram showing a sequence from the completion of initialization of the ZI section of the secure program 202 to the start of the secure API.
- FIG. 13 is a diagram showing a sequence when an interrupt occurs during execution of the secure program 202.
- the secure processing system 1 includes a compiling device 30, a compiling device 40, a mobile phone 10, and a memory card 20, as shown in FIG.
- the memory card 20 is attached to the mobile phone 10.
- the compiling device 30 generates one or more executable computer programs (referred to as OS-dependent binary data) from a source program that describes the operation of the kernel of the OS (Operating System, also referred to as basic software or basic program) installed in the mobile phone 10 and from other source programs that describe other operations depending on the OS.
- the compiling device 40 also generates one or more executable computer programs (referred to as OS-independent binary data) from the source program describing other operations that do not depend on the OS.
- the cellular phone 10 is a computer system including a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like, as will be described later.
- the OS-dependent binary data and the OS-independent binary data generated as described above are written into the ROM of the mobile phone 10 by the ROM writer.
- the ROM stores OS-dependent binary data and OS-independent binary data, which are computer programs, and the mobile phone 10 achieves a part of its functions by operating according to these computer programs.
- Part of the computer program that is OS-dependent binary data constitutes the OS, and the other part operates under the control of the OS.
- the memory card 20 stores, as an example, encrypted content generated by encrypting music or video content and a content key used for decrypting the encrypted content.
- the mobile phone 10 operates according to the OS-dependent binary data and the OS-independent binary data written in the ROM, thereby reading the encrypted content from the memory card 20, decrypting the read encrypted content using the content key to generate decrypted content, and outputting the generated decrypted content as music or video.
- the compiling device 30 includes an OS-dependent compiling unit 310, an OS-dependent link unit 320, a format conversion unit 330, and an information storage unit 350.
- the compiling device 30 generates binary data to be placed in the OS management area of the memory 107 (to be described later) of the mobile phone 10.
- the compiling device 30 is a computer system including a microprocessor, ROM, RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like.
- a computer program is stored in the RAM or the hard disk unit.
- the microprocessor operates according to the computer program, whereby the OS-dependent compiling unit 310, the OS-dependent link unit 320, and the format converting unit 330 that constitute the compiling device 30 achieve their functions.
- the information storage unit 350 includes OS kernel sources 301a, 301b, 301c, ..., non-secure program sources 302a, 302b, 302c, ..., secure program calling unit sources 303a, 303b, 303c, ..., switching device driver sources 304a, 304b, 304c, ..., an address specification file 322, and OS-dependent libraries 321a, 321b, 321c, ....
- the OS kernel sources 301a, 301b, 301c, ... are computer programs, each being a part of the source code (source program) that describes various processes of the OS installed in the mobile phone 10.
- the OS kernel sources 301a, 301b, 301c, ... describe the OS processing in the entire source code.
- the OS kernel sources 301a, 301b, 301c, ... generally correspond to binary data stored as an OS program 210 (described later) on the memory 107 of the mobile phone 10.
- the non-secure program sources 302a, 302b, 302c, ... are computer programs that are source codes (source programs) in which non-secure processing is described.
- the non-secure program source 302a includes instructions and corresponds to binary data stored as a non-secure program 211 (described later) on the memory 107 of the mobile phone 10.
- the secure program calling unit source 303a describes a process of requesting the switching device driver 213 (described later) to call the secure program 202 (described later) stored in the memory 107 of the mobile phone 10.
- In this embodiment, it is assumed that processing is requested of the switching device driver 213 by a library call of the OS program 210. The same applies to the secure program calling unit sources 303b, 303c, ....
- the switching device driver source 304a is a computer program that is a source code (source program) in which processing for branching to the processing of the requested secure program 202 is described. It includes instructions and corresponds to the binary data stored in the memory 107 as the switching device driver 213 (described later).
- the address specification file 322 is a file that specifies the location address of binary ROM data and RAM data created by the OS-dependent link unit 320.
- the address specification file 322 includes, for each OS-dependent binary data generated by the OS-dependent link unit 320, a physical address indicating the position at which it is to be arranged in the memory of the target device (that is, the mobile phone 10).
- the OS-dependent compiling unit 310 receives as input the OS kernel sources 301a, 301b, 301c, ..., the non-secure program sources 302a, 302b, 302c, ..., the secure program calling unit sources 303a, 303b, 303c, ..., and the switching device driver sources 304a, 304b, 304c, ..., converts the program code written in a high-level language into low-level machine code (object code), that is, an executable computer program, and generates an object file for each.
- the OS dependent link unit 320 performs relocation and symbol resolution for each object file generated by the OS dependent compiling unit 310 and, if a function symbol of the OS dependent libraries 321a, 321b, 321c, ... exists, links the relevant OS-dependent library to generate OS-dependent binary data.
- the OS dependent link unit 320 arranges ROM data and RAM data at the logical address described in the address specification file 322.
- (4) Format converter 330
- the format converter 330 converts each OS-dependent binary data generated by the OS-dependent link unit 320 into a format that can be written to the actual ROM by the ROM writer to generate the OS-dependent binary data 340a, 340b, ..., and writes the generated OS-dependent binary data 340a, 340b, ... into the information storage unit 350.
- Data formats generated by the format converter 330 include the Intel HEX format and the Motorola S record format.
- the compiling device 30 sets the ROM/RAM that is not managed by the OS as shown below.
- the designated area size "0x1E00000" becomes the OS management RAM area, and the other areas become the RAM area outside the OS management.
- MAP_DESC (logical address, physical address, size, domain attribute, READ attribute, WRITE attribute, CACHE attribute, BUFFER attribute);
- the logical address specifies the logical address to be associated with the physical address
- the physical address specifies the physical address to be associated with the logical address.
- the size specifies the size of the range over which the logical and physical addresses are associated.
- the domain attribute specifies whether it is the kernel area or the user area.
- For the READ attribute, set "1" if READ is possible and "0" if READ is not possible. For the WRITE attribute, set "1" if WRITE is possible and "0" if WRITE is not possible.
- For the CACHE attribute, set "1" if the cache is valid and "0" if the cache is invalid. For the BUFFER attribute, set "1" if BUFFER is valid and "0" if BUFFER is disabled.
- MAP_DESC (0xFFB00000, 0x11F00000, 0x000FFFFF, DOMAIN_KERNEL, 0, 1, 1, 1)
- MAP_DESC (0xFFA00000, 0x00260000, 0x000FFFFF, DOMAIN_KERNEL, 0, 0, 1, 1)
- the domain attribute of the secure program is the kernel domain, and access from normal software running on the OS is prohibited.
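An added example, not part of the patent text: a C model of the MAP_DESC table above that translates a logical address and enforces the domain and READ/WRITE attributes exactly as the page defines them. `DOMAIN_USER`, the `map_*` names, the result codes and the first table entry (base addresses for the OS-managed RAM) are assumptions made for illustration; the two kernel-domain entries use the values of the page's MAP_DESC lines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DOMAIN_KERNEL appears on the page; DOMAIN_USER is an assumed name for the
 * "user area" the page mentions. */
enum domain { DOMAIN_USER, DOMAIN_KERNEL };
enum access { ACCESS_READ, ACCESS_WRITE };
enum map_result { MAP_OK = 0, MAP_UNMAPPED = -1, MAP_DOMAIN = -2, MAP_ATTR = -3 };

struct map_desc {
    uint32_t logical, physical, size;
    enum domain domain;
    unsigned read, write, cache, buffer;
};

#define MAP_DESC(l, p, s, d, r, w, c, b) { (l), (p), (s), (d), (r), (w), (c), (b) }

static const struct map_desc map_table[] = {
    /* Constructed entry: OS-managed RAM. Only the size 0x1E00000 is from the
     * page; both base addresses are made up for this example. */
    MAP_DESC(0x80000000u, 0x10000000u, 0x01E00000u, DOMAIN_USER, 1, 1, 1, 1),
    /* The two entries given on the page (areas outside OS management). */
    MAP_DESC(0xFFB00000u, 0x11F00000u, 0x000FFFFFu, DOMAIN_KERNEL, 0, 1, 1, 1),
    MAP_DESC(0xFFA00000u, 0x00260000u, 0x000FFFFFu, DOMAIN_KERNEL, 0, 0, 1, 1),
};
#define MAP_COUNT (sizeof map_table / sizeof map_table[0])

/* Find the descriptor whose logical range contains the address. */
static const struct map_desc *map_find(uint32_t logical)
{
    for (size_t i = 0; i < MAP_COUNT; i++) {
        /* Unsigned subtraction: wraps to a huge value when logical < base,
         * so one comparison covers both bounds without overflow. */
        if (logical - map_table[i].logical < map_table[i].size)
            return &map_table[i];
    }
    return NULL;
}

/* Translate a logical address for a requester in domain `who`.
 * On success stores the physical address and returns MAP_OK. */
int map_translate(uint32_t logical, enum domain who, enum access how,
                  uint32_t *physical)
{
    const struct map_desc *d = map_find(logical);
    if (d == NULL)
        return MAP_UNMAPPED;
    /* Kernel-domain areas are closed to normal software running on the OS. */
    if (d->domain == DOMAIN_KERNEL && who != DOMAIN_KERNEL)
        return MAP_DOMAIN;
    if (how == ACCESS_READ ? !d->read : !d->write)
        return MAP_ATTR;
    *physical = d->physical + (logical - d->logical);
    return MAP_OK;
}

/* Count pairs of descriptors whose physical ranges overlap. An overlap would
 * make an unmanaged area reachable through another mapping. */
int map_physical_overlaps(void)
{
    int n = 0;
    for (size_t i = 0; i < MAP_COUNT; i++) {
        for (size_t j = i + 1; j < MAP_COUNT; j++) {
            uint64_t a0 = map_table[i].physical, a1 = a0 + map_table[i].size;
            uint64_t b0 = map_table[j].physical, b1 = b0 + map_table[j].size;
            if (a0 < b1 && b0 < a1)
                n++;
        }
    }
    return n;
}

int main(void)
{
    uint32_t pa = 0;
    int rc = map_translate(0xFFB00010u, DOMAIN_USER, ACCESS_WRITE, &pa);
    printf("user write to secure work memory: %d\n", rc);
    rc = map_translate(0xFFB00010u, DOMAIN_KERNEL, ACCESS_WRITE, &pa);
    printf("kernel write: %d -> 0x%08X\n", rc, (unsigned)pa);
    printf("overlapping physical ranges: %d\n", map_physical_overlaps());
    return 0;
}
```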
- the created object file is linked by the OS-dependent link unit 320.
- the OS-dependent binary data generated by the OS-dependent link unit 320 is converted into a format that can be written in the ROM by the format conversion unit 330, and the OS-dependent binary data 340a, 340b, ... are written to the information storage unit 350.
- the OS (basic program) uses only the management area as its access space, and includes an instruction for mediating access to the management area by the non-secure program (normal program) and an instruction for instructing the switching device driver (switching program) to switch to the secure program.
- the non-secure program includes an instruction to access the management area via the OS (basic program).
- the switching device driver (switching program) includes an instruction for switching execution from the basic program to the secure program in accordance with an instruction from the OS (basic program).
- the secure program includes an instruction for accessing only the non-managed area as an access space and accessing the non-managed area.
- it includes an instruction for switching execution from the secure program to the basic program after completion of the target process of the secure program, for example, the decryption process using the content key of the encrypted content.
- the compiling device 40 includes an OS-independent compiling unit 410, an OS-independent link unit 420, a format conversion unit 430, and an information storage unit 450.
- the compiling device 40 generates binary data to be placed in an area outside the OS management of the memory 107 (to be described later) of the mobile phone 10.
- the compiling device 40 is a computer system including a microprocessor, ROM, RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like.
- a computer program is stored in the RAM or the hard disk unit.
- the microprocessor operates according to the computer program, whereby the OS-independent compiling unit 410, the OS-independent link unit 420, and the format conversion unit 430 that constitute the compiling device 40 achieve their functions.
- the information storage unit 450 stores secure program sources 401a, 401b, 401c, ..., an address specification file 422, and OS-independent libraries 421a, 421b, 421c, .... It also has an area to store OS-independent binary data 440a, 440b, 440c, ....
- the secure program source 401a is a computer program that is a source code (source program) in which processing using secret information is described, and includes computer instructions.
- the secure program source 401a is code in which a decryption process for decrypting encrypted content is described, and corresponds to the binary data stored as a secure program 202 (described later) on the memory 107.
- the addressing file 422 is the same as the addressing file 322 described in FIG. However, since the secure program 202 generated from the secure program sources 401a, 401b, 401c, ... is placed in an area not managed by the OS program 210, the addressing file 422 specifies an address in the unmanaged area.
- the OS-independent compiling unit 410 converts the source code in which the OS-independent processing is described from a high-level language into low-level machine code (object code).
- the OS-independent compiling unit 410 creates machine code suitable for the CPU 102 architecture.
- the OS-independent link unit 420 performs rearrangement and symbol resolution, and if necessary, links an OS-independent library to create binary data that can be executed by the CPU 102.
- OS independent means that the OS dependent libraries 321a, 321b, 321c, ... are not linked.
- the format conversion unit 430 is the same as the format conversion unit 330 described with reference to FIG.
- the memory card 20 includes a normal area 120, a secure area 130, an input / output unit 122, and a secure processing unit 132.
- the memory card 20 is a computer system including a microprocessor, ROM, RAM, and the like. A computer program is stored in the RAM. The microprocessor operates according to the computer program, whereby the memory card 20 achieves a part of its functions.
- the normal area 120 is a storage area that can be freely accessed by an external device, and stores the encrypted content 121.
- the secure area 130 is an area that can be accessed only by authorized external devices, and stores the content key 131.
- the encrypted content 121 is encrypted music data or moving image data, and is encrypted using an encryption algorithm with the content key 131 as an encryption key.
- Each encrypted data is identified by a content ID.
- the encrypted content 121 is encrypted by the common key method, and the decrypted content, that is, music data or moving image data, can be acquired by using the content key 131 as a decryption key.
- the input / output unit 122 inputs / outputs various data between the external device, the normal area 120, and the secure processing unit 132.
- the secure processing unit 132 performs mutual authentication with an external device based on the CPRM (Content Protection for Recordable Media) mechanism and, when the authentication is successful, shares a key with the authenticated device and uses the shared key to securely input and output data to and from the external device.
- the mobile phone 10 includes a debugger IF 101, a CPU 102, an MMU (Memory Management Unit) 103, an interrupt controller 104, an input unit 105, a display unit 106, a memory 107, an input/output unit 108, a buffer 109, a code processing unit 110, a D/A conversion unit 111, a wireless communication control unit 112, a speaker 113, a microphone 114, a communication unit 115, and an antenna 116. Each circuit is connected by a bus 117.
- the memory 107 is composed of ROM and RAM, and stores various programs executed by the CPU 102.
- the CPU 102 includes an instruction fetch unit, an instruction decoder, an arithmetic unit, a program counter, a link register, a stack pointer, etc., fetches an instruction from a program on the memory 107, decodes the fetched instruction, and executes the decoded instruction.
- the MMU 103 implements a virtual storage function that converts a logical address into a physical address.
- the debugger IF101 is an interface for connecting the mobile phone 10 and an external debugger.
- the interrupt controller 104 detects hardware interrupts such as FIQ and IRQ, software interrupts (SWI), prefetch aborts, data aborts, resets, and other interrupts, and outputs an interrupt notification to the interrupt detection register of the CPU 102.
- the communication unit 115 transmits and receives information between the wireless communication control unit 112 and an external device connected to the mobile phone network and the Internet via the antenna 116.
- the wireless communication control unit 112 includes a baseband unit, a modulation / demodulation unit, an amplification unit, and the like, and performs signal processing of various information transmitted / received via the communication unit and the antenna 116.
- the code processing unit 110 performs a decoding process on the music data stored in the buffer 109 according to an encoding technique such as MP3 and outputs the result to the D/A conversion unit 111.
- the D/A conversion unit 111 converts the music data decoded by the code processing unit 110 into an analog audio signal and outputs the analog audio signal to the speaker 113.
- the input unit 105 includes various buttons such as a numeric keypad and an enter button, and accepts these operations by the user.
- the display unit 106 includes a VRAM and a liquid crystal screen, and displays various screens.
- the microphone 114 converts sound into an electrical signal and outputs the generated electrical signal to the wireless communication control unit 112.
- the speaker 113 receives an analog signal from the wireless communication control unit 112 and the D/A conversion unit 111, converts the received analog signal into sound, and outputs the sound.
- the configuration of the memory 107 is shown in FIG.
- the memory 107 is composed of ROM and RAM.
- ROM and RAM are not shown separately, but the distinction between ROM and RAM is illustrated in FIG.
- the memory 107 stores an OS program 210, a non-secure program 211, a secure program calling unit 212, a switching device driver 213, a secure program 202, and an IPL (Initial Program Loader) program 201.
- in the memory 107, two memory areas, a management area managed by the OS and an unmanaged area that is not managed by the OS, are allocated and used.
- the non-secure program 211 operating on the OS, the secure program calling unit 212, and the switching device driver 213 are stored in the OS management area.
- the IPL program 201 and the secure program 202 are stored in an OS unmanaged area. This allocation method will be described later.
- since the secure program 202 operates in an unmanaged area that is not managed by the OS, analysis by a software debugger that operates on the OS becomes impossible, and the secure program can be executed in a secure state.
- the IPL program 201 is code (a computer program) written in assembler.
- the IPL program 201 is a ZI section A7 described later.
- the OS program 210 is an operating system, and is basic software for initializing hardware used by the OS at the time of kernel initialization, setting the MMU103, managing memory, managing files, providing a user interface, and the like.
- the non-secure program 211, the secure program calling unit 212, and the switching device driver 213 are a group of programs that operate on a memory managed by the OS.
- the non-secure program 211 is an application that does not require execution in a secure environment, for example, an application for managing the GUI of the mobile phone 10, a program for managing a personal schedule, or a music playback application. During content playback, the encrypted content 121 stored in the memory card 20 must be securely decrypted using the content key 131 stored in the memory card 20.
- the music playback application includes a decryption processing request for calling the secure program calling unit 212. This decryption processing request indicates a request for decryption of the encrypted content 121 using the content key 131.
- the secure program calling unit 212 is a calling program for executing the secure program 202, and requests the switching device driver 213 to execute the secure program 202.
- the switching device driver 213 serves as an interface for transferring processing to the secure program 202 stored in the unmanaged area.
- the secure program 202 is a program that processes secret information.
- the secure program 202 is a decryption program that decrypts the encrypted content 121 using the content key 131. Further, immediately after the secure program 202 is activated, the secure program 202 executes a zero initialization process of a ZI section B712, which will be described later.
- the memory 107 is composed of ROM and RAM.
- the memory 107 only needs to include a program storage unit that can store a program and a work memory storage unit that can store a work memory used during program operation.
- HDD Hard Disk Drive
- EEPROM Electrical Erasable Programmable ROM
- Flash ROM etc.
- SDRAM Synchronous DRAM
- SRAM Static RAM
- the OS program 210, the non-secure program 211, the secure program calling unit 212, and the switching device driver 213 described above are generated as one or more OS-dependent binary data in the compiling device 30, and the secure program 202 is generated as one or more OS-independent binary data in the compiling device 40.
- Each OS dependent binary data is composed of a ZI section 501, an RW section 502, and an RO section 503 as shown in FIG.
- the ZI section 501 is a zero initialization target data area. At the initialization stage of each program, the data in this section must be initialized with zeros.
- the RW section 502 is a readable / writable section, and is a section in which readable / writable data is arranged.
- the RO section 503 is a section that can only be read and in which executable code (instructions) is placed.
- the memory 107 is not described separately as ROM and RAM, but in fact, as shown in FIG. 6, the ZI section and RW section of each OS-dependent binary data are placed in RAM, and the RO section is placed in the ROM.
- each OS-independent binary data 440a, 440b, ... generated by the compiling and linking in the compiling device 40 is composed of a ZI section, an RW section, and an RO section, respectively, as shown in FIG.
- the ZI sections that make up the secure program 202 must be initialized with zeros. However, if the size of the ZI section is large, the zero initialization process will take time. In electronic devices where the response performance of the terminal is important, we would like to reduce the initialization process time and start up the secure program 202 at high speed.
- the ZI section is divided into a plurality of subsections. Before the secure program 202 is activated, some subsections are zero-initialized, and immediately after the secure program 202 is activated, zero initialization processing of the remaining subsections is performed.
- the initialization process in the secure program 202 can be performed at high speed. This sequence will be described later with reference to FIGS.
- the address used in each program is a logical address.
- The logical address is converted into a physical address by the MMU 103, and the memory 107 is actually accessed. That is, the address indicating the storage space formed by the memory 107 in the OS program 210, the non-secure program 211, the secure program calling unit 212, the switching device driver 213, and the secure program 202 is a logical address.
- the MMU 103 changes a logical address used in these programs to a physical address, and an area indicating a storage space formed by the memory 107 is accessed by the physical address.
- Because the MMU 103 is not initialized immediately after the mobile phone 10 is turned on, no logical address is assigned to each program at that point. Also, the physical address and logical address can be converted only when the MMU 103 is in a valid state.
- FIG. 7 shows the correspondence between physical addresses and logical addresses in the memory 107.
- In the memory 107, the secure program 202, the IPL program 201, the OS program 210, the non-secure program 211, the secure program calling unit 212, the switching device driver 213, the OS main memory 601 and the secure program work memory 602 are arranged.
- the secure program 202 is arranged in the non-OS management area 651 on the ROM, and the OS program 210, the non-secure program 211, the secure program calling unit 212, and the switching device driver 213 are arranged in the OS management area 652 on the ROM. Further, the OS main memory 601 is arranged in the OS management area 653 on the RAM, and the secure program work memory 602 is arranged in the OS non-management area 654 on the RAM.
- the IPL program 201 exists in the area in the ROM indicated by the physical addresses 0x08000000 to 0x080C0000.
- the IPL program 201 is a code (program instruction) that is executed before the OS program 210 is activated, and no logical address is assigned to the IPL program 201.
- the character string following 0x is expressed in hexadecimal.
- The OS program 210, the non-secure program 211, the secure program calling unit 212 and the switching device driver 213 exist in the ROM area indicated by the physical address 0x080D0000 to ⁇, and the logical addresses 0xD0000000 to 0xD3D40000 are assigned to this area by the OS.
- the OS main memory 601 is the work memory used by the OS and programs running on the OS. It exists in the RAM area from 0x10000000 to 0x11E00000, and logical addresses 0xC0000000 to 0xC1E00000 are assigned to this area.
- the secure program 202 has an execution code (program instruction) of the secure program written therein, and exists in an area in the ROM of the physical addresses 0x00260000 to 0x00350000. This area is assigned logical addresses 0xFFA00000 to 0xFFAFFFFF.
- the secure program work memory 602 is a work memory used by the secure program 202, and exists in an area in the RAM from the physical addresses 0x11F00000 to 0x11FFFFFF, and logical addresses 0xFFB00000 to 0xFFBFFFFF are assigned to this area.
- the logical address designation as described above is performed in the kernel initialization process of the OS program 210.
- In the address specification file 322, stored in the compiling device 30 and used in the OS-dependent link unit 320, and in the address specification file 422, stored in the compiling device 40 and used in the OS-independent link unit 420, the addresses are assigned as described above.
- the physical address and the logical address are assigned as described above.
- the physical address and the logical address are changed depending on the device to be mounted, and the present invention is not limited to these address values.
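The Fig. 7 mapping described above can be written down as a table and checked mechanically. The following C sketch is an added example, not code from the patent: it models the three regions whose physical and logical bounds are both given above, translates logical addresses the way the MMU 103 is described as doing, and checks that OS-managed and non-OS-managed regions do not overlap. Treating every bound as inclusive and all function names are assumptions; the ROM region of the OS programs is left out because its end address is missing above.

```c
#include <stdint.h>
#include <stddef.h>

/* One row of the Fig. 7 map. Bounds are treated as inclusive (assumption). */
struct region {
    const char *name;
    uint32_t phys_start, phys_end;
    uint32_t log_start, log_end;
    int os_managed;          /* 1: OS management area, 0: non-OS management area */
};

static const struct region memory_map[] = {
    { "OS main memory 601",             0x10000000u, 0x11E00000u, 0xC0000000u, 0xC1E00000u, 1 },
    { "secure program 202",             0x00260000u, 0x00350000u, 0xFFA00000u, 0xFFAFFFFFu, 0 },
    { "secure program work memory 602", 0x11F00000u, 0x11FFFFFFu, 0xFFB00000u, 0xFFBFFFFFu, 0 },
};
#define MAP_LEN (sizeof memory_map / sizeof memory_map[0])

enum { XLATE_OK = 0, XLATE_UNMAPPED = -1, XLATE_BEYOND_PHYS = -2 };

static const struct region *find_region(uint32_t logical)
{
    for (size_t i = 0; i < MAP_LEN; i++)
        if (logical >= memory_map[i].log_start && logical <= memory_map[i].log_end)
            return &memory_map[i];
    return NULL;
}

/* Logical to physical translation, bounded by BOTH the logical window and
 * the physical span, so a window wider than its backing store is caught. */
int translate(uint32_t logical, uint32_t *physical)
{
    const struct region *r = find_region(logical);
    if (r == NULL)
        return XLATE_UNMAPPED;
    uint32_t offset = logical - r->log_start;
    if (offset > r->phys_end - r->phys_start)
        return XLATE_BEYOND_PHYS;
    *physical = r->phys_start + offset;
    return XLATE_OK;
}

int translate_status(uint32_t logical)
{
    uint32_t unused = 0;
    return translate(logical, &unused);
}

uint32_t translate_or_zero(uint32_t logical)
{
    uint32_t physical = 0;
    return translate(logical, &physical) == XLATE_OK ? physical : 0;
}

/* The OS only reaches addresses that fall in an OS management area. */
int os_may_access(uint32_t logical)
{
    const struct region *r = find_region(logical);
    return r != NULL && r->os_managed;
}

/* Isolation check: no two regions may share a physical byte. */
int count_physical_overlaps(void)
{
    int overlaps = 0;
    for (size_t i = 0; i < MAP_LEN; i++)
        for (size_t j = i + 1; j < MAP_LEN; j++)
            if (memory_map[i].phys_start <= memory_map[j].phys_end &&
                memory_map[j].phys_start <= memory_map[i].phys_end)
                overlaps++;
    return overlaps;
}

int main(void)
{
    return (translate_or_zero(0xFFB00010u) == 0x11F00010u &&
            !os_may_access(0xFFB00010u) &&
            count_physical_overlaps() == 0) ? 0 : 1;
}
```

With the values as written above, the logical window of the secure program 202 is wider than its ROM span, so `translate` rejects the upper part of that window instead of returning an address past 0x00350000.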
- the secure program work memory 602 is composed of a ZI section A711 and a ZI section B712, obtained by dividing the ZI section into two, and an RW section 713.
- ZI section A711 and ZI section B712 are data storage sections that are zero-initialized before the secure program 202 is executed and that store data used by the secure program 202.
- the ZI section is divided into a ZI section A711 and a ZI section B712 in order to speed up the initialization process of the secure program 202.
- the initialization process of the secure program 202 can be performed after the content reproduction request by the user.
- the time until completion can be shortened, and the waiting time of the user can be shortened.
- by distributing the initialization processing of the ZI section it is possible to make it difficult for an unauthorized analyst to analyze the secure program 202.
- the RW section 713 is an area in which read / write data used by the secure program 202 is stored.
- secure program work memory 602 may be used as a stack area of the secure program 202.
- Secure program 202 is secure API branch processing 701, ZI section B initialization API
- “0xFFA01000”, “0xFFA02000” and “0xFFA03000” are stored in an area in the secure program 202 indicated by the start position.
- Secure API branch processing 701 is ZI section B initialization API702, secure API—A7
- API branch table 800 (which will be described later) including branch destination address information to B704 is stored.
- An identifier for identifying each API of the secure program 202 is passed from the secure program calling unit 212 to the secure API branch process 701 via the switching device driver 213.
- the secure API branch process 701 receives an identifier from the switching device driver 213, extracts a branch destination address corresponding to the identifier received from the API branch table 800, and branches execution to the extracted branch destination address.
- ZI section B initialization API 702 is an execution code (program instruction) for performing zero initialization processing of ZI section B712.
- the secure API—A703 and the secure API—B704 are execution codes (program instructions) for performing API processing of the secure program, respectively.
- Although two secure APIs, secure API—A703 and secure API—B704, are described, the number of secure APIs of the secure program is not limited to two.
- Figure 9 shows the data structure of the API branch table 800.
- the API branch table 800 includes a plurality of branch destination address information 811, 812, and 813.
- The branch destination address information 811, 812, and 813 correspond respectively to the ZI section B initialization API 702, secure API—A703, and secure API—B704 included in the secure program 202, and each branch destination address information includes an identifier and a branch destination address.
- the identifier is identification information for identifying an API that corresponds to the branch destination address information including the identifier.
- the branch destination address is a logical address indicating a position where the API corresponding to the branch destination address information including the branch destination address is stored in the secure program 202.
- branch destination address information 811, 812, and 813 will be further described.
- the branch destination address information 811 includes an identifier 801 “1” and a branch destination address 802 “0xFFA01000”.
- This indicates that the identifier 801 “1” is assigned to the ZI section B initialization API 702, and that the execution code (program instruction) of the ZI section B initialization API 702 is stored in the area within the secure program 202 whose start position is indicated by the logical address “0xFFA01000”.
- the branch destination address information 812 includes an identifier 803 “2” and a branch destination address 804 “0xFFA02000”.
- This indicates that the identifier 803 “2” is assigned to secure API—A703, and that the execution code (program instruction) of secure API—A703 is stored in the area within the secure program 202 whose start position is indicated by the logical address “0xFFA02000”.
- branch destination address information 813 includes an identifier 805 “3” and a branch destination address 806 “0xFFA03000” as shown in FIG.
- This indicates that the identifier 805 “3” is assigned to the secure API—B704, and that the execution code (program instruction) of secure API—B704 is stored in the area whose start position is indicated by the logical address “0xFFA03000”.
- the API branch table 800 is composed of a plurality of pieces of branch destination address information, each including an identifier and a branch destination address.
- the API branch table 800 is not limited to this configuration. It is only necessary to store address information for the processing to branch to.
- The secure program 202 uses the secure program work memory, located in an area outside OS management in the memory 107, as its work memory (RAM).
- the initialization process of the secure program RAM data is divided as described above. Specifically, the ZI section initialization process is divided into two stages.
- the mobile phone 10 receives a reset when the user turns on the power (step S900).
- The IPL program 201 initializes hardware necessary for starting the OS (step S901).
- The IPL program 201 performs initialization of data in the ZI section A711 (step S902).
- the process branches to the kernel (steps S903 to S904).
- the MMU 103 is initialized (step S905), and then various devices included in the mobile phone 10 and used by the OS are executed (step S906).
- step S907 there may be application software that is activated by a user operation.
- step S907 the function as a mobile phone is enabled, and a state where incoming calls, outgoing calls, etc. can be performed, and a user can perform various operations on the mobile phone.
- Fig. 11 shows a sequence until the initialization process of the ZI section of the secure program 202 is completed.
- Fig. 12 shows the sequence up to the start of a secure API after the initialization of the ZI section of the secure program 202 is completed.
- When the user performs a music playback button operation (step S1000), the OS shifts the processing to the secure program calling unit 212 (steps S1001 to S1002). Next, the secure program calling unit 212 opens the switching device driver 213 (step S1003), specifies "1" as the identifier, makes a library call to the switching device driver 213, and processing moves to the switching device driver 213 (steps S1004 to S1005).
- the switching device driver 213 that has received the identifier “1” branches to the secure API branch process 701, and the process moves to the secure API branch process 701 (steps S1006 to S1007).
- the secure API branch processing 701 returns the stack pointer setting to that used by the secure program 202 (step S1008), and acquires the branch destination address corresponding to the identifier "1" from the API branch table 800.
- the branch destination address 802 “0xFFA01000” of the ZI section B initialization API 702 corresponding to the identifier “1” is acquired, and execution branches to the execution code stored in the storage location indicated by the logical address “0xFFA01000”, that is, to the ZI section B initialization API 702 (step S1009 to step S1010).
- the ZI section B initialization API 702 is executed (step S1011). This completes the initialization of ZI section B712.
- the secure API branch process 701 returns the stack pointer setting to that used by the OS (step S1012).
- the secure program calling unit 212 designates the identifier of the secure API, makes a library call to the switching device driver 213, and the processing moves to the switching device driver 213 (steps S1015 to S1016).
- the switching device driver 213 outputs the specified identifier to the secure API branch process 701, and branches to the secure API branch process 701 (steps S1017 to S1018).
- the secure API branch processing 701 returns the stack pointer setting to that used by the secure program 202 (step S1019), then acquires from the API branch table 800 the branch destination address corresponding to the received identifier and branches to the acquired branch destination address (steps S1020 to S1021).
- API processing of the secure program 202 stored at the position indicated by the branch destination address is executed (step S 1022).
- the stack pointer setting is returned to the one used by the OS (step S1023), and then the processing moves to the secure program calling unit 212 and the OS (step S1024 to step S1026).
- Steps S1015 to S1026 shown in Fig. 12 may be executed a plurality of times after the processing from step S1000 to step S1014 shown in Fig. 11 is completed.
- the completion of all the steps shown in Fig. 11 means that the initialization process of the ZI section to be initialized when the secure program is executed is completed.
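The two-stage ZI initialization and the identifier dispatch through the API branch table 800 can be modelled in a few dozen lines. The following C sketch is an added example, not code from the patent. The section sizes, the power-on fill value, the key bytes, keeping the content key at the start of ZI section B, and the two rejection paths (unknown identifier, and a secure API requested before ZI section B is cleared) are assumptions; function pointers stand in for the code stored at each branch destination address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ZI_SIZE 32                       /* constructed size; none is given above */
enum { STACK_OS, STACK_SECURE };
enum { API_OK = 0, ERR_UNKNOWN_ID = -1, ERR_ZI_NOT_READY = -2, ERR_NO_KEY = -3 };

static uint8_t zi_section_a[ZI_SIZE];    /* models ZI section A711 */
static uint8_t zi_section_b[ZI_SIZE];    /* models ZI section B712 */
static int zi_b_initialised;
static int active_stack = STACK_OS;

static int all_zero(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0) return 0;
    return 1;
}
int zi_a_is_zero(void) { return all_zero(zi_section_a, sizeof zi_section_a); }
int zi_b_is_zero(void) { return all_zero(zi_section_b, sizeof zi_section_b); }

/* Reset up to kernel hand-off (steps S900 to S904): only ZI section A is cleared. */
void ipl_boot(void)
{
    memset(zi_section_a, 0xA5, sizeof zi_section_a);   /* constructed power-on garbage */
    memset(zi_section_b, 0xA5, sizeof zi_section_b);
    zi_b_initialised = 0;
    active_stack = STACK_OS;
    memset(zi_section_a, 0, sizeof zi_section_a);      /* step S902 */
}

static int zi_section_b_init_api(void)   /* API 702, step S1011 */
{
    memset(zi_section_b, 0, sizeof zi_section_b);
    zi_b_initialised = 1;
    return API_OK;
}

static int secure_api_a(void)            /* API 703: content key lands in work memory */
{
    static const uint8_t constructed_key[4] = { 0x13, 0x01, 0xC0, 0xDE };
    memcpy(zi_section_b, constructed_key, sizeof constructed_key);
    return API_OK;
}

static int secure_api_b(void)            /* API 704: an all-zero key slot means no key yet */
{
    return all_zero(zi_section_b, 4) ? ERR_NO_KEY : API_OK;
}

typedef int (*secure_api_fn)(void);
struct branch_entry {
    uint32_t id;             /* identifier from Fig. 9 */
    uint32_t branch_addr;    /* logical branch destination address from Fig. 9 */
    secure_api_fn fn;        /* hosted stand-in for the code at that address */
};
static const struct branch_entry api_branch_table[] = {
    { 1, 0xFFA01000u, zi_section_b_init_api },
    { 2, 0xFFA02000u, secure_api_a },
    { 3, 0xFFA03000u, secure_api_b },
};

static const struct branch_entry *lookup(uint32_t id)
{
    for (size_t i = 0; i < sizeof api_branch_table / sizeof api_branch_table[0]; i++)
        if (api_branch_table[i].id == id)
            return &api_branch_table[i];
    return NULL;
}

uint32_t branch_address(uint32_t id)
{
    const struct branch_entry *e = lookup(id);
    return e ? e->branch_addr : 0;
}

/* Secure API branch process 701 as reached through the switching device driver 213. */
int secure_api_branch(uint32_t id)
{
    int rc;
    const struct branch_entry *e = lookup(id);
    active_stack = STACK_SECURE;                   /* steps S1008 / S1019 */
    if (e == NULL)
        rc = ERR_UNKNOWN_ID;                       /* never branch on an unlisted identifier */
    else if (id != 1 && !zi_b_initialised)
        rc = ERR_ZI_NOT_READY;                     /* Fig. 11 must finish before Fig. 12 */
    else
        rc = e->fn();
    active_stack = STACK_OS;                       /* steps S1012 / S1023, on every path */
    return rc;
}

int main(void)
{
    ipl_boot();
    if (secure_api_branch(1) != API_OK) return 1;
    if (secure_api_branch(2) != API_OK) return 1;
    return secure_api_branch(3) == API_OK ? 0 : 1;
}
```

Without the readiness check, identifier 3 issued right after boot would read the uncleared fill bytes in ZI section B as if a key were present, which is the kind of stale-data error the zero initialization exists to prevent.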
- the secure API—A703 is a computer program for acquiring a content key.
- the secure API—B704 is a computer program for decrypting the encrypted content 121 using the content key 131.
- the content key 131 is acquired. Next, with the identifier set to “3”, all the steps shown in FIG. 12 are executed, whereby the encrypted content 121 is decrypted using the content key 131.
- When an interrupt such as IRQ, FIQ, or a software interrupt occurs during execution of the secure program 202, the secure program 202 may temporarily suspend its processing and encrypt the secure data it is processing; after the processing corresponding to the interrupt is completed, it may decrypt the encrypted data and resume the suspended processing. Specifically, it is as shown below.
- An initialization completion flag for the secure program 202 is provided in the ZI section A711 that is an area initialized by IPL or the ZI section B712 that is an area initialized by the secure program 202.
- the initialization completion flag is set to “1” after the initialization of the ZI section B 712 by the secure program 202 and is always “1” while the secure program 202 is being executed.
- an initialization completion flag may be provided in the ZI section.
- an initialization completion flag may be provided in the RW section without being limited to the ZI section.
- When an interrupt such as IRQ, FIQ, or a software interrupt occurs, execution branches to the CPU exception vector table.
- an interrupt processing routine is registered for each interrupt factor.
- the exception vector table branches to the interrupt processing routine for each interrupt factor and performs desired interrupt processing.
- the exception vector table is registered in advance to branch to the secure program 202 when an interrupt occurs. By doing this, every time an interrupt occurs, the process moves to the secure program 202.
- When the initialization of ZI section B is completed (step S1011), the secure program 202 then sets an initialization completion flag to "1" (step S1201).
- the initialization completion flag is always “1”.
- the secure program 202 starts execution of the secure API (step S1022).
- When an interrupt such as IRQ, FIQ, or software interrupt occurs (step S1202), the process moves to the CPU exception vector table. Since the vector is registered in the exception vector table in advance so as to branch to the secure program 202, the branch is made to the secure program 202 (step S1203).
- interrupt such as IRQ, FIQ, or software interrupt
- After branching to the secure program 202, the secure program 202 determines whether or not the initialization completion flag is “1” (step S1204).
- Because processing of the secure program 202 is in progress, the secure program 202 saves the point at which the interrupt occurred (step S1206), and encrypts the secure data (runtime data) related to the secure information used by the secure program 202 during execution to generate encrypted secure data (step S1207).
- the process proceeds to OS (step S1208), and the OS performs an interrupt process (step S1209).
- the process proceeds to the secure program 202 (step S1210).
- the secure program 202 determines whether or not the initialization completion flag is “1” (step S1211).
- If the initialization completion flag is “1” (YES in step S1211), the secure program 202 decrypts the encrypted data and generates decrypted secure data (step S1213), returns to the point at which the processing of the secure program 202 was interrupted by the interrupt (step S1214), and continues the processing of the secure program 202 (step S1215).
- the secure program 202 sets the initialization completion flag to "0" (step S1216), and then execution of the secure program 202 ends.
- step S1204 If the initialization completion flag is not "1" (NO in step S1204, or step S121
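The interrupt path in steps S1201 to S1216 is a small state machine built around the initialization completion flag. The following C sketch is an added example, not code from the patent. The XOR keystream is only a placeholder for the cipher, which is not named above; the sample secret, the resume address, and the behaviour when the flag is not "1" (the interrupt is simply handed to the OS and nothing is resumed) are assumptions, because the description of that branch is cut off above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SECURE_DATA_LEN 16

struct secure_program {
    int init_complete_flag;                   /* "1" from S1201 until S1216 */
    uint8_t secure_data[SECURE_DATA_LEN];     /* runtime data tied to the secret */
    uint32_t saved_resume_point;              /* point saved in step S1206 */
};

/* What sits in the work memory while the OS runs its handler (step S1209). */
static uint8_t ram_during_os_handler[SECURE_DATA_LEN];
static int os_interrupts_handled;

/* Constructed sample secret and program instance for the demonstration. */
static const uint8_t demo_plain[] = "CONTENT-KEY-0131";
static struct secure_program demo;

/* Placeholder for the unnamed cipher: a fixed XOR keystream. NOT a real
 * cipher; it only makes the encrypt/decrypt steps observable here. */
static void xor_keystream(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(0xA7u + 0x3Du * i);
}

static void os_interrupt_handler(const struct secure_program *sp)
{
    memcpy(ram_during_os_handler, sp->secure_data, SECURE_DATA_LEN);
    os_interrupts_handled++;
}

void secure_start(struct secure_program *sp, const uint8_t *data)
{
    memcpy(sp->secure_data, data, SECURE_DATA_LEN);
    sp->saved_resume_point = 0;
    sp->init_complete_flag = 1;               /* step S1201 */
}

void secure_finish(struct secure_program *sp)
{
    sp->init_complete_flag = 0;               /* step S1216 */
}

/* Entry reached from the exception vector table (step S1203).
 * Returns the address at which the secure program resumes, or 0 when the
 * secure program was not running and only the OS handler ran. */
uint32_t on_interrupt(struct secure_program *sp, uint32_t interrupted_at)
{
    if (sp->init_complete_flag != 1) {        /* NO in step S1204 (assumed path) */
        os_interrupt_handler(sp);
        return 0;
    }
    sp->saved_resume_point = interrupted_at;              /* step S1206 */
    xor_keystream(sp->secure_data, SECURE_DATA_LEN);      /* step S1207 */
    os_interrupt_handler(sp);                             /* steps S1208 to S1209 */
    if (sp->init_complete_flag != 1)                      /* NO in step S1211 (assumed path) */
        return 0;
    xor_keystream(sp->secure_data, SECURE_DATA_LEN);      /* step S1213 */
    return sp->saved_resume_point;                        /* steps S1214 to S1215 */
}

int os_saw_plaintext(const uint8_t *plain)
{
    return memcmp(ram_during_os_handler, plain, SECURE_DATA_LEN) == 0;
}

int main(void)
{
    secure_start(&demo, demo_plain);
    if (on_interrupt(&demo, 0xFFA02040u) != 0xFFA02040u) return 1;
    if (os_saw_plaintext(demo_plain)) return 1;
    secure_finish(&demo);
    return on_interrupt(&demo, 0xFFA02040u) == 0 ? 0 : 1;
}
```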
- The secure program 202 is described as a decryption program that decrypts encrypted content, but it is not limited to this and may be any program that handles confidential information.
- the switching device driver 213 starts from the OS dependent binary data.
- the secure API branch processing 701 returns the stack pointer setting to that used by the secure program 202, and the stack pointer setting is changed to the OS.
- When switching from the OS to the secure program, the switching device driver 213 may contain instructions that save the stack pointer used by the OS at the time of switching and return the stack pointer setting to the stack pointer saved in advance. Likewise, when switching from the secure program to the OS, the switching device driver 213 may contain instructions that save the stack pointer used by the secure program at the time of switching and return the stack pointer setting to the stack pointer saved in advance.
- secure API branching process 701 may perform the above.
- the secure program described above may be a part of the program that constitutes the BIOS (Basic Input / Output System).
- BIOS Basic Input / Output System
- the BIOS is generally a group of programs that control peripheral devices such as disk drives, keyboards, and video cards connected to the computer.
- Although the compiling device 30 and the compiling device 40 are assumed to be separate devices, they may be configured as one compiling device including the components of both.
- This compiling device includes: a first compiling section that compiles the source code constituting the operating system to generate a first object; a first link part that performs symbol resolution and relocation of the first object and links a program included in the first library, generating the first software in executable format that is the operating system; a second compiling section that compiles the source code constituting the processing that uses the confidential information to generate a second object; and a second link part that performs symbol resolution and relocation of the second object and links a program contained in the second library, generating executable second software consisting of the processing that uses the confidential information.
- tamper resistance is provided for a secure program source.
- a tamper resistance method may be applied to a secure program source.
- The anti-tampering technique is either obfuscation, such as adding unnecessary redundant code that does not affect execution to the original code (program instructions), replacing one instruction code with another equivalent instruction code, complicating the control structure, or dividing one module (a set of program instructions) into multiple modules, or encrypting the original code in advance and decrypting it at runtime.
- By applying an anti-tampering technique, the security level of the secure program 202 may be improved.
- the RAM area where the decrypted code is expanded is an area that the OS cannot access, that is, an unmanaged area.
- The zero initialization processing of the ZI section A711 is executed by the IPL program 201, and the zero initialization process of ZI section B712 is then executed in response to the content playback request made by the user, but the invention is not limited to this.
- Although the ZI section is initialized with a zero value, this is not a limitation.
- a fixed value other than zero, for example “0xffff”, may be written to the ZI section.
- the present invention includes a program storage unit and a data storage unit, the program storage unit stores first software and second software, and the data storage unit
- the first data storage unit is an area accessible by the first software
- the second data storage unit is an area accessible by the second software.
- the secure processing device is characterized in that the first software is inaccessible to the second data storage unit.
- the first software may be an operating system
- the second software may be software using secret information.
- The first compiler takes the source code of the first software as input and outputs a first object. The first linker has a function of performing symbol resolution and relocation of the first object and linking a first library group; it takes the first object as input and outputs the first software. The first software is executable data created by the first compiler and the first linker.
- The second compiler is different from the first compiler; it receives the source code of the second software and outputs a second object. The second linker is a different linker from the first linker; it has a function of performing symbol resolution and relocation of the second object and linking a second library group, takes the second object as an input, and outputs the second software. The second software may be executable data created by the second compiler and the second linker.
- the second software may be software having resistance to tampering and analysis.
- the initialization process of the second data storage unit used by the second software may be divided into at least one division initialization process.
- At least one of the division initialization processes may be executed before the execution request for the second software is generated.
- the division initialization process may be distributed and stored in the program storage unit so as to be processed before the execution of the second software.
- the program storage unit may further include an IPL, and the IPL executes at least one of the division initialization processes.
- the program storage unit may further include a switching device driver, and the switching device driver may transfer processing from the first software to the second software.
- the switching device driver manages a first stack pointer used by the first software and a second stack pointer used by the second software. When the first software is executed, the switching device driver sets the stack pointer to the first stack pointer, and when the second software is executed, the switching device driver may set the stack pointer to the second stack pointer.
- each of the above devices is a computer system including a microprocessor, a ROM, a RAM, and the like.
- a computer program is stored in the RAM.
- the computer program is configured by combining a plurality of instruction codes indicating instructions to the computer in order to achieve a predetermined function.
- Each device achieves its functions by the microprocessor operating according to the computer program. That is, the microprocessor reads each instruction included in the computer program one by one, decodes the read instruction, and operates according to the decoding result.
- A system LSI is an ultra-multifunctional LSI manufactured by integrating multiple components on a single chip. Specifically, it is a computer system that includes a microprocessor, ROM, RAM, and so on. A computer program is stored in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program.
- each part of the constituent elements constituting each of the above-described devices may be individually made into one chip, or may be made into one chip so as to include a part or all of them. Also, although it is called LSI here, it may also be called IC, system LSI, super LSI, or ultra LSI, depending on the degree of integration.
- the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. It is also possible to use an FPGA (Field Programmable Gate Array) that can be programmed after LSI manufacture, or a reconfigurable processor that can reconfigure the connection and settings of circuit cells inside the LSI.
- FPGA Field Programmable Gate Array
- each of the above devices may be configured from an IC card that can be attached to and detached from each device, or from a single module.
- the IC card or the module is a computer system including a microprocessor, ROM, RAM, and the like.
- the IC card or the module may include the super multifunctional LSI described above.
- the IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or module may be tamper resistant.
- the present invention may be the method described above. Further, the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal consisting of the computer program.
- the present invention may also be the computer program or the digital signal recorded on a computer-readable recording medium such as a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc), or semiconductor memory. Further, the present invention may be the computer program or the digital signal recorded on these recording media.
- the present invention may transmit the computer program or the digital signal via an electric communication line, a wireless or wired communication line, a network typified by the Internet, a data broadcast, or the like.
- the present invention may also be a computer system including a microprocessor and a memory.
- the memory may store the computer program, and the microprocessor may operate according to the computer program.
- the secure processing device and method according to the present invention provide a program using secret information.
- the analysis from the software debugger running on the OS can be prevented, and the RAM data initialization processing for programs running outside the OS management can be divided. It has the effect of shortening the processing from the occurrence of a user request until the program is started, and is useful as a secure software processing method.
- Each of the devices that make up the present invention can be used in a managed manner, continuously and repeatedly, in the content distribution industry that produces and distributes content, and in other industries that handle information that needs to be kept secret.
- each device constituting the present invention can be manufactured and sold in the electric appliance manufacturing industry in a managed manner, continuously and repeatedly.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2007518997A JP4850830B2 (ja) | 2005-06-01 | 2006-05-30 | コンピュータシステム及びプログラム生成装置 |
EP06756740A EP1890237A1 (en) | 2005-06-01 | 2006-05-30 | Computer system and program creating device |
US11/915,198 US7962746B2 (en) | 2005-06-01 | 2006-05-30 | Computer system and program creating device |
CN2006800191820A CN101189586B (zh) | 2005-06-01 | 2006-05-30 | 计算机系统及程序生成装置 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2005161359 | 2005-06-01 | ||
JP2005-161359 | 2005-06-01 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006129641A1 (ja) | 2006-12-07 |
Family
ID=37481570
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/310744 WO2006129641A1 (ja) | 2005-06-01 | 2006-05-30 | コンピュータシステム及びプログラム生成装置 |
Country Status (6)
Country | Link |
---|---|
US (1) | US7962746B2 (ja) |
EP (1) | EP1890237A1 (ja) |
JP (1) | JP4850830B2 (ja) |
KR (1) | KR20080014786A (ja) |
CN (1) | CN101189586B (ja) |
WO (1) | WO2006129641A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009070327A (ja) * | 2007-09-18 | 2009-04-02 | Panasonic Corp | 情報端末及び情報端末の制御方法 |
JP2009223629A (ja) * | 2008-03-17 | 2009-10-01 | Hitachi Software Eng Co Ltd | アプリケーションの実行ファイル及び構成ファイルの漏洩防止装置 |
JP2015195053A (ja) * | 2008-12-31 | 2015-11-05 | インテル コーポレイション | セキュアな埋め込みコンテナの実行のためのプロセッサの拡張 |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7861046B2 (en) * | 2007-06-29 | 2010-12-28 | Sandisk Corporation | Secure digital host sector application flag compression |
US8775824B2 (en) * | 2008-01-02 | 2014-07-08 | Arm Limited | Protecting the security of secure data sent from a central processor for processing by a further processing device |
US9207968B2 (en) * | 2009-11-03 | 2015-12-08 | Mediatek Inc. | Computing system using single operating system to provide normal security services and high security services, and methods thereof |
US20120079278A1 (en) * | 2010-09-28 | 2012-03-29 | Microsoft Corporation | Object security over network |
US8910307B2 (en) | 2012-05-10 | 2014-12-09 | Qualcomm Incorporated | Hardware enforced output security settings |
GB2515047B (en) | 2013-06-12 | 2021-02-10 | Advanced Risc Mach Ltd | Security protection of software libraries in a data processing apparatus |
CN103365687B (zh) * | 2013-06-28 | 2017-02-08 | 北京创毅讯联科技股份有限公司 | 处理器启动方法、装置及提供初始程序装入程序的装置 |
US10754967B1 (en) * | 2014-12-15 | 2020-08-25 | Marvell Asia Pte, Ltd. | Secure interrupt handling between security zones |
KR102000861B1 (ko) * | 2015-01-27 | 2019-07-16 | 애리스 엔터프라이지즈 엘엘씨 | 스트리밍 미디어 및 다른 데이터 흐름들의 보호를 위한 난독화 |
CN108416209B (zh) * | 2018-03-07 | 2021-10-22 | 北京元心科技有限公司 | 程序安全验证方法、装置及终端设备 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH1115705A (ja) | 1997-06-25 | 1999-01-22 | Sony Corp | メモリ管理方法及び記録媒体、メモリ管理装置 |
JP2002251326A (ja) * | 2001-02-22 | 2002-09-06 | Hitachi Ltd | 耐タンパ計算機システム |
Family Cites Families (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0290330A (ja) * | 1988-09-28 | 1990-03-29 | Hitachi Ltd | プログラム構成方式 |
US5522072A (en) * | 1990-09-04 | 1996-05-28 | At&T Corp. | Arrangement for efficiently transferring program execution between subprograms |
US5303378A (en) * | 1991-05-21 | 1994-04-12 | Compaq Computer Corporation | Reentrant protected mode kernel using virtual 8086 mode interrupt service routines |
US5826057A (en) * | 1992-01-16 | 1998-10-20 | Kabushiki Kaisha Toshiba | Method for managing virtual address space at improved space utilization efficiency |
US5515538A (en) * | 1992-05-29 | 1996-05-07 | Sun Microsystems, Inc. | Apparatus and method for interrupt handling in a multi-threaded operating system kernel |
US5892899A (en) * | 1996-06-13 | 1999-04-06 | Intel Corporation | Tamper resistant methods and apparatus |
US5757919A (en) * | 1996-12-12 | 1998-05-26 | Intel Corporation | Cryptographically protected paging subsystem |
US6393569B1 (en) * | 1996-12-18 | 2002-05-21 | Alexander S. Orenshteyn | Secured system for accessing application services from a remote station |
US6269409B1 (en) * | 1997-09-02 | 2001-07-31 | Lsi Logic Corporation | Method and apparatus for concurrent execution of operating systems |
US6772419B1 (en) * | 1997-09-12 | 2004-08-03 | Hitachi, Ltd. | Multi OS configuration system having an interrupt process program executes independently of operation of the multi OS |
US6996828B1 (en) * | 1997-09-12 | 2006-02-07 | Hitachi, Ltd. | Multi-OS configuration method |
US6385727B1 (en) * | 1998-09-25 | 2002-05-07 | Hughes Electronics Corporation | Apparatus for providing a secure processing environment |
US7140015B1 (en) * | 1999-09-29 | 2006-11-21 | Network Appliance, Inc. | Microkernel for real time applications |
JP2001290665A (ja) * | 2000-04-11 | 2001-10-19 | Nec Software Hokuriku Ltd | Processor system |
AU2001247941B2 (en) * | 2000-04-11 | 2007-09-06 | Mathis, Richard M. | Method and apparatus for computer memory protection and verification |
US6889378B2 (en) * | 2000-07-24 | 2005-05-03 | Sony Corporation | Information processing method, inter-task communication method, and computer-executable program for the same |
US7149878B1 (en) * | 2000-10-30 | 2006-12-12 | Mips Technologies, Inc. | Changing instruction set architecture mode by comparison of current instruction execution address with boundary address register values |
JP2002353960A (ja) * | 2001-05-30 | 2002-12-06 | Fujitsu Ltd | Code execution apparatus and code distribution method |
US7272832B2 (en) * | 2001-10-25 | 2007-09-18 | Hewlett-Packard Development Company, L.P. | Method of protecting user process data in a secure platform inaccessible to the operating system and other tasks on top of the secure platform |
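JP2003280754A (ja) * | 2002-03-25 | 2003-10-02 | Nec Corp | Obfuscated source program, source program conversion method and apparatus, and source conversion program |
JP2003280755A (ja) * | 2002-03-25 | 2003-10-02 | Nec Corp | Self-restoring program, program generation method and apparatus, information processing apparatus, and program |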
US7313797B2 (en) * | 2002-09-18 | 2007-12-25 | Wind River Systems, Inc. | Uniprocessor operating system design facilitating fast context switching |
GB2395583B (en) * | 2002-11-18 | 2005-11-30 | Advanced Risc Mach Ltd | Diagnostic data capture control for multi-domain processors |
KR100941104B1 (ko) * | 2002-11-18 | 2010-02-10 | 에이알엠 리미티드 | Data processing apparatus, data processing method, and computer-readable storage medium storing a computer program |
GB2411254B (en) * | 2002-11-18 | 2006-06-28 | Advanced Risc Mach Ltd | Monitoring control for multi-domain processors |
KR101099463B1 (ko) * | 2002-11-18 | 2011-12-28 | 에이알엠 리미티드 | Mapping of virtual memory addresses to physical memory addresses in a system having a secure domain and a non-secure domain |
US7383587B2 (en) * | 2002-11-18 | 2008-06-03 | Arm Limited | Exception handling control in a secure processing system |
AU2003278342A1 (en) * | 2002-11-18 | 2004-06-15 | Arm Limited | Security mode switching via an exception vector |
DE60308215T2 (de) * | 2002-11-18 | 2007-08-23 | Arm Ltd., Cherry Hinton | Processor switching between secure and non-secure modes |
GB2396930B (en) * | 2002-11-18 | 2005-09-07 | Advanced Risc Mach Ltd | Apparatus and method for managing access to a memory |
GB2396451B (en) * | 2002-11-18 | 2005-12-07 | Advanced Risc Mach Ltd | Delivering data processing requests to a suspended operating system |
GB0226874D0 (en) * | 2002-11-18 | 2002-12-24 | Advanced Risc Mach Ltd | Switching between secure and non-secure processing modes |
US7539853B2 (en) * | 2002-11-18 | 2009-05-26 | Arm Limited | Handling interrupts in data processing of data in which only a portion of a function has been processed |
US7370210B2 (en) * | 2002-11-18 | 2008-05-06 | Arm Limited | Apparatus and method for managing processor configuration data |
GB2411027B (en) * | 2002-11-18 | 2006-03-15 | Advanced Risc Mach Ltd | Control of access to a memory by a device |
US7231476B2 (en) * | 2002-11-18 | 2007-06-12 | Arm Limited | Function control for a processor |
GB2396034B (en) * | 2002-11-18 | 2006-03-08 | Advanced Risc Mach Ltd | Technique for accessing memory in a data processing apparatus |
US7171539B2 (en) * | 2002-11-18 | 2007-01-30 | Arm Limited | Apparatus and method for controlling access to a memory |
GB2396712B (en) * | 2002-11-18 | 2005-12-07 | Advanced Risc Mach Ltd | Handling multiple interrupts in a data processing system utilising multiple operating systems |
US7117284B2 (en) * | 2002-11-18 | 2006-10-03 | Arm Limited | Vectored interrupt control within a system having a secure domain and a non-secure domain |
GB2396713B (en) * | 2002-11-18 | 2005-09-14 | Advanced Risc Mach Ltd | Apparatus and method for controlling access to a memory unit |
US7149862B2 (en) * | 2002-11-18 | 2006-12-12 | Arm Limited | Access control in a data processing apparatus |
US20040168078A1 (en) * | 2002-12-04 | 2004-08-26 | Brodley Carla E. | Apparatus, system and method for protecting function return address |
JP4347582B2 (ja) * | 2003-02-04 | 2009-10-21 | パナソニック株式会社 | Information processing apparatus |
US7401335B2 (en) * | 2003-02-28 | 2008-07-15 | Wind River Systems, Inc. | Single stack kernel |
US20040243783A1 (en) * | 2003-05-30 | 2004-12-02 | Zhimin Ding | Method and apparatus for multi-mode operation in a semiconductor circuit |
US7415618B2 (en) * | 2003-09-25 | 2008-08-19 | Sun Microsystems, Inc. | Permutation of opcode values for application program obfuscation |
KR20070005917A (ko) * | 2003-09-30 | 2007-01-10 | 쟈루나 에스에이 | Operating system |
WO2005052769A1 (ja) * | 2003-11-28 | 2005-06-09 | Matsushita Electric Industrial Co.,Ltd. | Data processing apparatus |
JP4447977B2 (ja) * | 2004-06-30 | 2010-04-07 | 富士通マイクロエレクトロニクス株式会社 | Secure processor and program for secure processor |
FR2872933B1 (fr) * | 2004-07-06 | 2008-01-25 | Trusted Logic Sa | Method for time-sharing a processor |
EP2296089B1 (en) * | 2004-08-18 | 2019-07-03 | Red Bend Software | Operating systems |
US7568186B2 (en) * | 2005-06-07 | 2009-07-28 | International Business Machines Corporation | Employing a mirror probe handler for seamless access to arguments of a probed function |
US7797681B2 (en) * | 2006-05-11 | 2010-09-14 | Arm Limited | Stack memory selection upon exception in a data processing system |
-
2006
- 2006-05-30 JP JP2007518997A patent/JP4850830B2/ja active Active
- 2006-05-30 CN CN2006800191820A patent/CN101189586B/zh not_active Expired - Fee Related
- 2006-05-30 WO PCT/JP2006/310744 patent/WO2006129641A1/ja active Application Filing
- 2006-05-30 US US11/915,198 patent/US7962746B2/en active Active
- 2006-05-30 KR KR1020077027157A patent/KR20080014786A/ko not_active Application Discontinuation
- 2006-05-30 EP EP06756740A patent/EP1890237A1/en not_active Withdrawn
Non-Patent Citations (3)
Title |
---|
"Software no Tai-tampering Technology (Software Tamper Resistant Technology)", FUJI XEROX TECHNICAL REPORT, no. 13 |
"The Protect", 1985, SHUWA SYSTEM PUBLICATION |
GYAKU-KAISEKI YA KAIHEN KARA SOFT WO MAMORU: "Protecting Software from Inverse Analysis and Tampering", NIKKEI ELECTRONICS, vol. 1, no. 5, 1998, pages 209 - 220 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
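JP2009070327A (ja) * | 2007-09-18 | 2009-04-02 | Panasonic Corp | Information terminal and method for controlling information terminal |
JP2009223629A (ja) * | 2008-03-17 | 2009-10-01 | Hitachi Software Eng Co Ltd | Apparatus for preventing leakage of application executable files and configuration files |
JP2015195053A (ja) * | 2008-12-31 | 2015-11-05 | インテル コーポレイション | Processor extensions for execution of secure embedded containers |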
Also Published As
Publication number | Publication date |
---|---|
CN101189586B (zh) | 2011-06-15 |
US7962746B2 (en) | 2011-06-14 |
CN101189586A (zh) | 2008-05-28 |
JPWO2006129641A1 (ja) | 2009-01-08 |
EP1890237A1 (en) | 2008-02-20 |
US20090106832A1 (en) | 2009-04-23 |
JP4850830B2 (ja) | 2012-01-11 |
KR20080014786A (ko) | 2008-02-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4850830B2 (ja) | Computer system and program generation apparatus | |
US11783081B2 (en) | Secure public cloud | |
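CN111638943B (zh) | Apparatus and method having protected guest-machine verification of host control | |
JP5821034B2 (ja) | Information processing apparatus, virtual machine generation method, and application distribution system | |
JP5175856B2 (ja) | Protection of flash memory blocks in a secure device system, and method | |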
US9104602B2 (en) | Method and apparatus for performing mapping within a data processing system having virtual machines | |
WO2011138852A1 (ja) | Information processing apparatus, information processing method, and program distribution system | |
JP2010517424A (ja) | Cryptographic key container on a USB token | |
US7908450B2 (en) | Memory management unit, code verifying apparatus, and code decrypting apparatus | |
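JP2023047278A (ja) | Seamless access to trusted domain protected memory by a virtual machine manager using a transformer key identifier | |
CN110597496B (zh) | Method and apparatus for obtaining bytecode files of an application | |
KR20240038774A (ko) | Storing diagnostic state of secure virtual machines | |
CN114424166A (zh) | Encrypted table signature | |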
Tang et al. | Techniques for IoT System Security | |
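CN116049844A (zh) | Trusted platform module invocation method, system, apparatus, and storage medium | |
CN117235711A (zh) | Data processing method and model training device for privacy protection | |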
WO2021011138A1 (en) | A hybrid security-enabled lookahead microprocessor based method and apparatus for securing computer systems and data | |
KR20010069227A (ko) | Computer security system and security method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WWE | Wipo information: entry into national phase | Ref document number: 200680019182.0 Country of ref document: CN |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | WWE | Wipo information: entry into national phase | Ref document number: 2007518997 Country of ref document: JP |
 | WWE | Wipo information: entry into national phase | Ref document number: 11915198 Country of ref document: US |
 | WWE | Wipo information: entry into national phase | Ref document number: 1020077027157 Country of ref document: KR |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: 2006756740 Country of ref document: EP |
 | WWP | Wipo information: published in national office | Ref document number: 2006756740 Country of ref document: EP |