WO2015128933A1 - Data processing apparatus and secure communication method - Google Patents


Info

Publication number
WO2015128933A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
unit
storage device
arithmetic
communication
Prior art date
Application number
PCT/JP2014/054495
Other languages
English (en)
Japanese (ja)
Inventor
松本 典剛
山田 勉
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所
Priority to PCT/JP2014/054495
Publication of WO2015128933A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1483 Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list
    • G06F12/1491 Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • G06F12/1416 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425 Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, e.g. cell, word, block
    • G06F12/1433 Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, for a module or a part of a module
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10 Providing a specific technical effect
    • G06F2212/1052 Security improvement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Definitions

  • The present invention relates to a data processing device in which a plurality of arithmetic devices perform data processing using a storage device, and to a secure communication method between the plurality of arithmetic devices via the storage device.
  • A known information processing apparatus provides a shared memory, a plurality of processors, a router group and an address protection device; the address protection device inspects memory access packets passing through a first router connected to the shared memory and detects violating memory accesses (see, for example, Patent Document 1).
  • In that technique the area used in the shared memory and the attributes of the shared memory are fixed, so once the shared memory has been contaminated it is difficult to recover. Further, the known technique does not disclose a countermeasure for the case where the access control rule itself is illegally rewritten.
  • The present invention has been made in view of the above points, and aims to perform data communication between a plurality of arithmetic devices via a storage device more securely.
  • A data processing device according to the invention is a device in which a plurality of arithmetic devices perform data processing using a storage device, and has the following units.
  • The communication path switching unit switches the communication path and the communication direction between an arithmetic device and the storage device.
  • The data flow control unit monitors the data flow between the arithmetic device and the storage device.
  • The attribute control unit sets attributes of the storage device, including whether or not the storage device may be shared among the plurality of arithmetic devices, in accordance with instructions from the data flow control unit.
  • The area selection unit selects the data area to be used in the storage device in accordance with instructions from the data flow control unit.
  • The communication path control unit sets the communication path and the communication direction between the arithmetic device and the storage device. The data flow control unit instructs the attribute control unit, the area selection unit and the communication path control unit according to a preset communication rule for accesses by an arithmetic device to the storage device and according to the state of the data flow; the attributes of the storage device are thereby set, the data area to be used in the storage device is selected, and the communication path and communication direction between the arithmetic device and the storage device are set via the communication path switching unit.
  • In the secure communication method according to the invention, a data processing device including a storage device and a plurality of arithmetic devices that perform data processing using the storage device monitors the data flow between the arithmetic devices and the storage device.
  • According to a preset communication rule for accesses by an arithmetic device to the storage device and the state of the data flow, the data processing device sets the attributes of the storage device (including whether or not it may be shared among the plurality of arithmetic devices), selects the data area to be used in the storage device, and sets the communication path and communication direction between the arithmetic device and the storage device.
  • The data processing device then switches the communication path and the communication direction between the arithmetic device and the storage device according to these settings.
  • Because the attributes of the storage device, the data area used and the communication path and direction are all set according to a communication rule and data flow state defined in advance, the shared area of the storage device can be limited to the minimum necessary, or set afresh every time a data access occurs, which reduces the risk that the shared storage device is contaminated.
  • FIG. 2 is a diagram illustrating an example of setting the communication path, the communication direction, and the attribute of the storage unit in the first embodiment.
  • FIG. 2A is a first setting example
  • FIG. 2B is a second setting example
  • FIG. 4 is a diagram illustrating an example of a white list and a black list according to the first embodiment.
  • FIG. 4A is an example of a white list
  • FIG. 4B is an example of a black list.
  • FIG. 1 is a figure showing an example of the memory.
  • FIG. 12 is a diagram illustrating a setting example of the communication path, the communication direction, and the attribute of the storage unit in the second embodiment.
  • FIG. 12A is a first setting example
  • FIG. 12B is a second setting example.
  • FIG. 14 is a diagram illustrating an example of processing according to the processing flow of the load distribution unit according to the second embodiment.
  • FIG. 14A is a setting example before the security level is changed
  • FIG. 14B is a setting example after the security level is changed.
  • FIG. 1 shows an example of the configuration of a data processing apparatus according to the first embodiment of the present invention.
  • The data processing device 1 includes calculation units 2A and 2B (examples of the arithmetic device), storage units 3A, 3B and 3C (examples of the storage device), an access control unit 4 and a communication path switching unit 5.
  • Hereinafter, the calculation units 2A and 2B are collectively referred to as the calculation unit 2, and the storage units 3A, 3B and 3C are collectively referred to as the storage unit 3.
  • An instruction is input to the data processing apparatus 1 from the external input unit 50.
  • the input unit 50 is, for example, an operation unit that receives a user operation or a communication unit that receives an instruction from a network.
  • The calculation unit 2 has the function of reading data from and writing data to the storage unit 3, and of performing calculation processing in accordance with instructions stored in the storage unit 3.
  • The calculation unit 2 is, for example, a processor, a processor core, or an integrated circuit such as an LSI (Large Scale Integration). The calculation unit 2 may also have registers or a cache for temporarily holding data from the storage unit 3 and intermediate results of the calculation processing.
  • the storage unit 3 has a function of holding data such as programs.
  • the storage unit 3 may be, for example, a recording medium such as a volatile memory, a non-volatile memory, a hard disk, a CD (Compact Disc), a DVD (Digital Versatile Disc), or a Blu-ray disc.
  • the storage units 3A, 3B, and 3C may be separate memories or the like, or may be different areas inside the same memory or the like.
  • The communication path switching unit 5 is arranged between the plurality of calculation units 2 and the storage unit 3, and switches the communication path and communication direction between the calculation unit 2 and the storage unit 3 in accordance with instructions from the access control unit 4. For example, the communication path switching unit 5 determines with which areas of the storage unit 3 the calculation unit 2A and the calculation unit 2B can communicate directly. The attributes of the storage unit 3 are described later.
  • When a calculation unit 2 attempts to access a specific area of the storage unit 3, the communication path switching unit 5 permits the access if it conforms to the set communication path and communication direction and to the attributes of the storage unit 3, and otherwise stops execution. At that time, the communication path switching unit 5 may additionally generate an interrupt to the other calculation unit 2 when the access is permitted, and notify an error to the calculation unit 2 that attempted the access when it is not permitted.
  • the access control unit 4 includes a data flow control unit 6, an attribute control unit 7, an area selection unit 8, and a communication path control unit 9.
  • The access control unit 4 determines how the communication path switching unit 5 processes an access by setting the communication rule applied when the calculation unit 2 accesses the storage unit 3.
  • The access control unit 4 and the communication path switching unit 5 may be implemented in hardware or software separate from the calculation unit 2, or any one of the calculation units 2 may have the function of the access control unit 4 or of the communication path switching unit 5. However, it is assumed that not all calculation units 2 have the functions of the access control unit 4 and the communication path switching unit 5 at the same time; the enforcement point must not be under the control of every unit it restricts.
  • Although FIG. 1 shows two calculation units 2 and three storage units 3, the number of calculation units 2 and storage units 3 constituting the data processing device 1 is not particularly limited. All or part of the functions of the access control unit 4 and the communication path switching unit 5 may be implemented as software or as hardware such as a logic circuit. Although FIG. 1 shows the calculation unit 2 connected to the communication path switching unit 5, the calculation unit 2 may instead be connected to the access control unit 4. The access control unit 4 and the communication path switching unit 5 may also be implemented integrally as software or hardware.
  • The data flow control unit 6 monitors the data flow between the calculation unit 2 and the storage unit 3 and, according to the preset communication rule for accesses by the calculation unit 2 to the storage unit 3 and the state of the data flow, instructs the attribute control unit 7, the area selection unit 8 and the communication path control unit 9 what processing to perform.
  • Specifically, when a data access for data communication between a plurality of calculation units 2 via the storage unit 3 occurs, the data flow control unit 6 judges whether the communication between the calculation unit 2 and the storage unit 3 is permitted. When it is permitted, the data flow control unit 6 instructs the attribute control unit 7, the area selection unit 8 and the communication path control unit 9 so as to generate the data communication path between the calculation unit 2 and the storage unit 3.
  • the attribute control unit 7 has a function of setting the attributes of the storage unit 3 including whether or not the storage unit 3 can be shared among the plurality of calculation units 2 in accordance with instructions from the data flow control unit 6.
  • FIG. 9 shows an example of a management table in which attributes of the storage unit 3 are set.
  • “Calculation unit” is the item that names which of the plurality of calculation units 2 uses the address area.
  • “Privilege” is the item that sets whether access control for the area is performed according to the privileged mode of the calculation unit 2 (if not, it is performed according to the user mode of the calculation unit 2).
  • “Sharing” is the item that sets whether or not data sharing from a plurality of calculation units 2 is permitted.
  • “Write” and “Read” are the items that set whether data writing to and data reading from the address area are permitted.
  • “Cache” is the item that sets whether or not use of the cache is permitted when accessing the address area.
  • “Secure” is the item that sets whether or not the data stored in the address area is encrypted and secured.
  • Setting the attributes of the storage unit 3 thus means setting the various items illustrated in FIG. 9, including whether or not the storage unit 3 may be shared among the plurality of calculation units 2.
  • An address area not set in the management table 13 of FIG. 9 may be treated as inaccessible from any calculation unit 2 or, conversely, as accessible from any calculation unit 2; the former (deny by default) is the safer choice, since an omitted row then cannot open an unintended path.
  • the area selection unit 8 has a function of selecting an area of the storage unit 3 used by the calculation unit 2 in accordance with an instruction from the data flow control unit 6.
  • the area of the storage unit 3 is, for example, an address or an address range, and may be any of a logical address, a virtual address, and a physical address. Alternatively, the area of the storage unit 3 may be physical position information that is distinguished by identification information such as an ID (Identification) number instead of an address.
  • The access control unit 4 controls data access from the calculation unit 2 to the storage unit 3 using a management table in which the attributes are defined for each address area of the storage unit 3. The format of the management table shown in FIG. 9 is only an example; the management table may have a format other than that shown in FIG. 9.
  • Instead of the access control unit 4 managing the areas of the storage unit 3 directly, the areas of the storage unit 3 accessed by the calculation unit 2 may be managed separately as logical addresses or virtual addresses, while the access control unit 4 monitors the physical addresses.
  • the communication path control unit 9 has a function of controlling a communication path and a communication direction of data processed by the calculation unit 2 in accordance with an instruction from the data flow control unit 6.
  • The communication path indicates which path (transmission source and transmission destination) the data processed by the calculation unit 2 passes through.
  • Assume that the storage unit 3A is a dedicated area accessible only by the calculation unit 2A, that the storage unit 3B is a dedicated area accessible only by the calculation unit 2B, and that the storage unit 3C is a shared area accessible by both the calculation unit 2A and the calculation unit 2B.
  • In order to transmit data processed by the calculation unit 2A to the calculation unit 2B, the calculation unit 2A first writes the data read from the storage unit 3A to the storage unit 3C.
  • The calculation unit 2B then reads the data from the storage unit 3C and writes it to the storage unit 3B.
  • In this case the communication paths are between the calculation unit 2A and the storage unit 3A, between the calculation unit 2A and the storage unit 3C, between the calculation unit 2B and the storage unit 3C, and between the calculation unit 2B and the storage unit 3B.
  • The communication directions are from the storage unit 3A to the calculation unit 2A, from the calculation unit 2A to the storage unit 3C, from the storage unit 3C to the calculation unit 2B, and from the calculation unit 2B to the storage unit 3B.
  • This communication direction may be expressed simply as “from the calculation unit 2A to the calculation unit 2B”.
  • FIG. 2 shows an example of setting the communication path and communication direction between the calculation unit 2 and the storage unit 3 and the attributes of the storage unit 3.
  • The storage units 3A-1 to 3A-5, 3B-1 to 3B-4 and 3C-1 to 3C-3 in FIG. 2 are partial areas of the storage units 3A, 3B and 3C of FIG. 1, respectively.
  • In the first setting example (FIG. 2A), a bidirectional communication path is set between the calculation unit 2A and the storage unit 3A-1, and a bidirectional communication path is also set between the calculation unit 2A and the storage unit 3A-2.
  • A one-way communication path from the calculation unit 2A to the storage unit 3C-1 is set, and a one-way communication path from the storage unit 3C-1 to the calculation unit 2B is set.
  • A bidirectional communication path is set between the calculation unit 2B and the storage unit 3B-1.
  • The attributes of the storage unit 3A-1 are set so that data sharing is not permitted and data reading and data writing are permitted in the privileged mode. The attributes of the storage unit 3A-2 are set so that data sharing is not permitted and data reading and data writing are permitted in the user mode.
  • The attributes of the storage unit 3C-1 are set so that data sharing is permitted, the calculation unit 2A is permitted only to write data in the privileged mode, and the calculation unit 2B is permitted only to read data in the privileged mode. The attributes of the storage unit 3B-1 are set so that data sharing is not permitted and data reading and data writing are permitted in the user mode. The shared area 3C-1 is therefore a one-way channel: the writer cannot read it back and the reader cannot modify it.
  • In the second setting example (FIG. 2B), a one-way communication path from the storage unit 3A-3 to the calculation unit 2A is set, and a one-way communication path from the calculation unit 2A to the storage unit 3A-4 is set.
  • A one-way communication path from the storage unit 3C-2 to the calculation unit 2A is set.
  • A one-way communication path from the calculation unit 2B to the storage unit 3C-2 is set, a one-way communication path from the storage unit 3B-2 to the calculation unit 2B is set, and a one-way communication path from the calculation unit 2B to the storage unit 3B-3 is set.
  • The attributes of the storage unit 3A-3 are set so that data sharing is not permitted and only data reading is permitted in the user mode. The attributes of the storage unit 3A-4 are set so that data sharing is not permitted and only data writing is permitted in the user mode.
  • The attributes of the storage unit 3C-2 are set so that data sharing is permitted, the calculation unit 2A is permitted only to read data in the privileged mode, and the calculation unit 2B is permitted only to write data in the privileged mode. The attributes of the storage unit 3B-2 are set so that data sharing is not permitted and only data reading is permitted in the privileged mode. The attributes of the storage unit 3B-3 are set so that data sharing is not permitted and only data writing is permitted in the privileged mode.
  • The feature of the setting example of FIG. 2B is that data transfer from the calculation unit 2B to the calculation unit 2A is permitted only in the privileged mode, so that even if the transferred data is abnormal, the user mode of the calculation unit 2A is not affected.
  • In the third setting example (FIG. 2C), a one-way communication path from the calculation unit 2A to the storage unit 3A-5 is set, and a one-way communication path from the storage unit 3A-5 to the storage unit 3C-3 is set.
  • A one-way communication path from the storage unit 3C-3 to the storage unit 3B-4 is set, and a one-way communication path from the storage unit 3B-4 to the calculation unit 2B is set. The paths between storage units are carried out by direct memory access (DMA).
  • The attributes of the storage unit 3A-5 are set so that data sharing is not permitted, the calculation unit 2A is permitted only to write data in the privileged mode, and direct memory access is permitted only to read data in the privileged mode.
  • The attributes of the storage unit 3C-3 are set so that data sharing is permitted and direct memory access is permitted to read and write data in the privileged mode.
  • The attributes of the storage unit 3B-4 are set so that data sharing is not permitted, the calculation unit 2B is permitted only to read data, and direct memory access is permitted only to write data.
  • The feature of the setting example of FIG. 2C is that data transfer from the calculation unit 2A to the calculation unit 2B can be executed securely and at high speed, since the copy through the shared area is performed by direct memory access without passing through either calculation unit.
  • In this way, the communication path and communication direction between the calculation unit 2 and the storage unit 3 and the attributes of the storage unit 3 can be set according to requirements such as the purpose of use of the data, the required speed and the severity of the security demands.
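  • The management table of FIG. 9 and the first setting example of FIG. 2A together define an access matrix: one row per (address area, calculation unit) pair carrying the Privilege, Sharing, Write, Read, Cache and Secure items. The Python below is an added example, not code from the patent or from Hitachi; the row layout, the fail-closed treatment of unlisted areas, the rule that a row covers only the operating mode it names, and the helper names (Attr, TABLE, check_access, validate_table, one_way_channel) are assumptions made for illustration. It encodes the FIG. 2A attributes, decides individual accesses, validates the table (an area reachable from two units must be marked shareable on every row), and checks that the shared area 3C-1 really behaves as a one-way channel from the calculation unit 2A to the calculation unit 2B.

```python
"""Management table (FIG. 9) applied to the FIG. 2A setting example.
Added illustration, not the patent's code; layout and names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (address area, calculation unit)


@dataclass(frozen=True)
class Attr:
    """One row: the FIG. 9 items for an (area, unit) pair. `privilege` True
    means the row governs accesses made in privileged mode, False user mode."""
    privilege: bool
    sharing: bool
    write: bool
    read: bool
    cache: bool = True
    secure: bool = False


# Constructed from the FIG. 2A description: 3A-1/3A-2 dedicated to 2A,
# 3B-1 dedicated to 2B, 3C-1 a one-way channel 2A -> 2B in privileged mode.
TABLE: Dict[Key, Attr] = {
    ("3A-1", "2A"): Attr(privilege=True,  sharing=False, write=True,  read=True),
    ("3A-2", "2A"): Attr(privilege=False, sharing=False, write=True,  read=True),
    ("3C-1", "2A"): Attr(privilege=True,  sharing=True,  write=True,  read=False),
    ("3C-1", "2B"): Attr(privilege=True,  sharing=True,  write=False, read=True),
    ("3B-1", "2B"): Attr(privilege=False, sharing=False, write=True,  read=True),
}


def check_access(table: Dict[Key, Attr], unit: str, area: str,
                 op: str, privileged: bool) -> bool:
    """Decide one access. Areas without a row for this unit are denied
    (the fail-closed option the description allows for unlisted areas),
    and a row only covers the operating mode it was set for (assumption)."""
    row = table.get((area, unit))
    if row is None or row.privilege != privileged:
        return False
    if op == "write":
        return row.write
    if op == "read":
        return row.read
    raise ValueError(f"unknown operation {op!r}")


def validate_table(table: Dict[Key, Attr]) -> List[str]:
    """Consistency checks to run before loading a table: an area reachable
    from more than one unit must be marked shareable on every row, and a
    row must grant at least one of read/write."""
    problems: List[str] = []
    units_per_area: Dict[str, List[str]] = {}
    for (area, unit), row in table.items():
        units_per_area.setdefault(area, []).append(unit)
        if not (row.read or row.write):
            problems.append(f"{area}/{unit}: row grants neither read nor write")
    for area, units in units_per_area.items():
        if len(set(units)) > 1:
            for unit in units:
                if not table[(area, unit)].sharing:
                    problems.append(f"{area}/{unit}: multi-unit area not marked sharing")
    return problems


def one_way_channel(table: Dict[Key, Attr], src: str, area: str, dst: str) -> bool:
    """True if `area` carries data only from `src` to `dst`: src may write but
    not read, dst may read but not write, and no third unit has a row."""
    units = {u for (a, u) in table if a == area}
    if units != {src, dst}:
        return False
    s, d = table[(area, src)], table[(area, dst)]
    return s.write and not s.read and d.read and not d.write
```

  • Note that check_access also denies a privileged-mode access to an area whose row is set for user mode; if a design wants privileged mode to imply user-mode rights, that has to be written as explicit rows, it does not follow from the table.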
  • FIG. 3 shows an example of the processing flow of the access control unit 4.
  • First, the data flow control unit 6 in the access control unit 4 monitors the data flows between the calculation unit 2 and the storage unit 3 and determines whether or not a generated data flow conforms to the prescribed communication rules (steps S301 and S302).
  • The prescribed communication rules specify items such as the communication direction and the attributes of the storage unit 3 to be accessed. For example, communication rules describing communication that cannot be permitted are registered as a black list, and communication rules describing communication that is permitted are registered as a white list. The generated data access is checked against the black list; if it matches a communication rule registered in the black list (YES in step S301), the access control unit 4 treats it as a prohibited access, notifies an error or issues a warning (step S310), and ends the process. If the generated data access is not registered in the black list (NO in step S301) and matches a communication rule registered in the white list (YES in step S302), the access control unit 4 permits the data access and ends the process.
  • For an access registered in neither the white list nor the black list, the access control unit 4 continues with the subsequent processing, treating it as an undefined or provisional data access. The order of steps S301 and S302 may be reversed. The advantage of executing the white list determination of step S302 first is that permitted data accesses are executed quickly; the advantage of executing the black list determination of step S301 first is that prohibited data accesses are rejected quickly. If the same access were registered in both lists, the order would decide the outcome, so the black-list-first order is the one that guarantees an explicitly prohibited access is never permitted. Whether step S301 or step S302 is executed first may be fixed in advance as a setting of the access control unit 4, or changed during processing.
  • FIG. 4 shows an example of a white list and a black list.
  • FIG. 4A shows an example of a white list.
  • The white list may register, for each calculation unit 2, the target (which storage unit 3), the access (write or read) and the operation mode (user mode or privileged mode) that are permitted.
  • Alternatively, the white list may be a list of permitted combinations of transmission source and transmission destination, as in the white list 10B on the right side of FIG. 4A.
  • FIG. 4B shows an example of a black list.
  • The black list may be a list of the combinations of target, access and operation mode that are not permitted to each calculation unit 2.
  • Alternatively, the black list may register combinations of transmission source and transmission destination that are not permitted, as in the black list 11B on the right side of FIG. 4B.
  • the white list and the black list may be registered with combinations of items other than the items shown in FIG. 4 or may have a format other than the format shown in FIG.
  • Next, the area selection unit 8 in the access control unit 4 determines whether or not an area of the storage unit 3 usable for the generated data flow can be secured (step S303).
  • The determination in step S303 is made by referring, for example, to a management table in which the attributes for each address area of the storage unit 3 are set, as shown in FIG. 9.
  • If no area can be secured, the access control unit 4 notifies an error or issues a warning (step S310) and ends the process.
  • If an area can be secured, the communication path control unit 9 in the access control unit 4 sets the communication path and communication direction between the calculation unit 2 and the storage unit 3 (abbreviated simply as “communication path” in FIG. 3), and the attribute control unit 7 in the access control unit 4 sets the attributes of the selected area of the storage unit 3 (step S304).
  • In step S304, for example, a communication path, communication direction and attributes such as those shown in FIG. 2 are set.
  • As one way of choosing the settings of step S304, the data flow control unit 6 may hold a plurality of setting patterns in advance as a list and select from them sequentially or at random.
  • Alternatively, the data flow control unit 6 may select the required address and size in the storage unit 3, the communication path, the communication direction and the attribute information according to the protocol type and size of the data.
  • FIG. 5 shows an example of storage unit setting information in which the address, size, communication path, and attribute of the storage unit 3 are set according to the protocol type.
  • In the storage unit setting information 12, for protocol type A a small area is secured at an address in memory, a communication path via the calculation unit 2 is set, and the privileged mode and secure access attributes are set.
  • For protocol type B, a medium-sized area is secured at an address in a large-capacity HDD, a communication path that does not pass through the calculation unit 2 is set using DMA, and the user mode attribute is set.
  • For protocol type C, a large area is secured at an address in an external storage device, a communication path that does not pass through the calculation unit 2 is set using DMA, and the user mode and secure access attributes are set.
  • In step S305, the access control unit 4 determines whether the read or write data access was executed normally as requested by the calculation unit 2. For example, if the generated data access does not conform to the communication path, communication direction or attributes set in step S304, the data access is not performed as requested and the access control unit 4 determines that an abnormality has occurred.
  • The access control unit 4 may also determine that data transmission or reception completed normally on the basis of a notification of completion. If the data access is not completed normally, the access control unit 4 notifies an error or issues a warning (step S310) and ends the process.
  • The communication path, communication direction and attributes set in step S304 may be fixed in advance so that they cannot be changed afterwards. Then, even if the communication rules such as the black list and the white list are illegally rewritten after the settings of step S304 have been made, the communication path, communication direction and attribute settings themselves remain secure, so unauthorized data access can still be detected and eliminated.
  • Next, the access control unit 4 determines whether the processing needs to continue with a changed attribute of the used communication path or of the area of the storage unit 3 (step S306). For example, when a data access is processed via a plurality of storage units 3, it is determined in step S306 that the processing needs to continue. In that case, the communication path control unit 9 and the attribute control unit 7 in the access control unit 4 execute the setting of the communication path, communication direction and attributes of step S304 again.
  • Otherwise, the access control unit 4 determines whether the area of the storage unit 3 used in step S304 and the attributes set for that area need to be registered in the white list 10 as a newly permitted data flow (communication path and communication direction), or whether the used area needs to be released (step S307).
  • If registration is needed, the access control unit 4 registers the used area and the attributes set for it in the white list 10 (step S308) and ends the process. This registration creates a new data communication path between the calculation unit 2 and the storage unit 3. Once a data flow is registered in the white list 10, the processing from step S303 onward can be omitted the next time the same data flow occurs, which speeds up the access. If the used area of the storage unit 3 needs to be released instead, the access control unit 4 releases the area, making it an unused area (step S309), and ends the process. When the used area is released, data access according to the communication path, communication direction and attributes set in step S304 can be executed only once.
  • If neither registration nor release is needed, the access control unit 4 ends the process without doing anything further. In this case, data access according to the communication path, communication direction and attributes set in step S304 can be executed again. Whether to register in the white list 10 or to release the used area of the storage unit 3 may be selected by a user instruction through the input unit 50 of FIG. 1, or may be determined in advance as a system setting.
  • The processing from step S303 onward may also be enabled only during the initial setup of the data processing device 1 and disabled during its normal operation. This prevents an unauthorized communication rule from being added while the data processing device 1 is operating.
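  • The rule check, the conformance check of step S305, the white-list registration of step S308 and the one-shot release of step S309 can be modelled as follows. This is an added example for illustration, not code from the patent or from Hitachi: the class and field names (AccessControlUnit, Flow, the direction strings), the constructed scenario in demo() and the reduction of the rules of steps S301 and S302 to membership in a white list and a black list are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow: communication path (unit, area), direction and attributes."""
    unit: str             # calculation unit, e.g. "2A"
    area: str             # area of a storage unit, e.g. "3C"
    direction: str        # communication direction: "read", "write" or "rw"
    privileged: bool      # attribute: access permitted only in privileged mode
    shared: bool = False  # attribute: area may be shared between units


class AccessControlUnit:
    """Models the access control unit 4 for steps S301 to S310 (assumed names)."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)   # white list 10: permitted flows
        self.blacklist = set(blacklist)   # black list: forbidden flows
        self.active = {}                  # (unit, area) -> (Flow, one_shot)
        self.events = []                  # error / warning notifications (S310)

    def request(self, flow, one_shot=True):
        """S301-S304: check the rules, then set path, direction and attributes.

        A whitelisted flow skips the area set-up from S303 onward (fast path)
        and is never one-shot; any other flow gets a fresh, disposable setting.
        """
        if flow in self.blacklist:
            self.events.append(("denied", flow))
            return False
        if flow in self.whitelist:
            one_shot = False
        self.active[(flow.unit, flow.area)] = (flow, one_shot)
        return True

    def access(self, unit, area, op, privileged):
        """S305: the real access must match what was set in S304."""
        entry = self.active.get((unit, area))
        if entry is None:
            self.events.append(("abnormal", unit, area, op))
            return False
        flow, one_shot = entry
        direction_ok = flow.direction in ("rw", op)
        mode_ok = privileged or not flow.privileged
        if not (direction_ok and mode_ok):
            self.events.append(("abnormal", unit, area, op))
            return False
        if one_shot:
            # S309: release the area; the setting can be used only once.
            del self.active[(unit, area)]
        return True

    def register(self, unit, area):
        """S308: keep the used flow as a permanent white-list entry."""
        flow, _ = self.active[(unit, area)]
        self.whitelist.add(flow)


def demo():
    """Constructed scenario (not from the patent); returns the outcomes."""
    acu = AccessControlUnit(
        blacklist={Flow("2B", "3A", "rw", privileged=False)})
    results = {}
    # A black-listed flow is rejected before any path is set up.
    results["blacklisted"] = acu.request(Flow("2B", "3A", "rw", privileged=False))
    # 2A gets a disposable, write-only, privileged-mode path to shared area 3C.
    w = Flow("2A", "3C", "write", privileged=True, shared=True)
    assert acu.request(w, one_shot=True)
    results["user_mode_write"] = acu.access("2A", "3C", "write", privileged=False)
    results["read_on_write_path"] = acu.access("2A", "3C", "read", privileged=True)
    results["first_write"] = acu.access("2A", "3C", "write", privileged=True)
    results["second_write"] = acu.access("2A", "3C", "write", privileged=True)
    # Registering a flow in the white list makes later requests reuse it
    # without the set-up steps, and the setting is no longer one-shot.
    r = Flow("2B", "3C", "read", privileged=True, shared=True)
    acu.request(r, one_shot=True)
    acu.register("2B", "3C")
    acu.request(r, one_shot=True)
    results["whitelisted_reads"] = [acu.access("2B", "3C", "read", True) for _ in range(2)]
    results["abnormal_count"] = sum(1 for e in acu.events if e[0] == "abnormal")
    return results
```

  • The one-shot grant is what makes the released area "disposable": after the single permitted write the (unit, area) entry disappears, so a second write by the same unit is reported as an abnormality rather than silently allowed.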
  • FIG. 6 shows an example of a data flow when the program processed by the calculation unit 2A transmits data to the program processed by the calculation unit 2B.
  • In the example of FIG. 6, it is assumed that the arithmetic unit 2A handles data of higher importance.
  • the arithmetic unit 2A requests the access control unit 4 for data transfer (processing S601).
  • the access control unit 4 sets the communication path between the computing unit 2A and the storage unit 3A, the communication direction (simply abbreviated as “communication path” in FIG. 6), and the attributes of the storage unit 3A (processing S602).
  • the computing unit 2A reads data from the storage unit 3A (processing S603).
  • the calculation unit 2A requests the access control unit 4 to transfer data (processing S604).
  • the access control unit 4 sets the communication path between the calculation unit 2A and the storage unit 3C, the communication direction, and the attributes of the storage unit 3C (processing S605).
  • the computing unit 2A writes data to the storage unit 3C (processing S606), and notifies the computing unit 2B with an interrupt or the like (processing S607). Further, the calculation unit 2A notifies the calculation unit 2B of the address, size, and the like as area information of the shared storage unit 3C (processing S608).
  • Alternatively, ID information may be attached to the interrupt notification of step S607, and in step S608 the address may be set from that ID information according to a rule defined in advance between the calculation unit 2A and the calculation unit 2B.
  • an interface for directly exchanging region information may be prepared between the calculation unit 2A and the calculation unit 2B without using the storage unit 3, and the interface may be used in step S608.
  • the calculation unit 2B requests the access control unit 4 to transfer data (processing S609).
  • the access control unit 4 sets the communication path, the communication direction, and the attributes of the storage unit 3C between the storage unit 3C and the calculation unit 2B (processing S610).
  • In this process S610, for example, the access control unit 4 (or the calculation unit 2A acting in its place) changes the attributes so that the calculation unit 2B can access the storage unit 3C, and changes them so that the calculation unit 2C cannot access the storage unit 3C.
  • the computing unit 2B reads data from the storage unit 3C (processing S611).
  • the calculation unit 2B may notify the calculation unit 2A by an interrupt or the like in order to notify that the data has been normally received (step S612).
  • the arithmetic unit 2A may execute data retransmission processing or the like when the notification from the arithmetic unit 2B is not performed within a predetermined time.
  • the calculation unit 2B requests the access control unit 4 to transfer data (processing S613).
  • the access control unit 4 sets the communication path between the storage unit 3B and the calculation unit 2B, the communication direction, and the attributes of the storage unit 3B (processing S614).
  • the calculation unit 2B writes data to the storage unit 3B (processing S615).
  • The access control unit 4 then sets the attributes of the storage unit 3B (processing S616). In this process S616, for example, the access control unit 4 changes the attribute from privileged mode to user mode so that a user application can access the data in the storage unit 3B.
  • Note that the data transfer requests in steps S601, S604, S609 and S613, and the communication path and attribute settings in steps S602, S605 and S614, need not be divided as illustrated in FIG. 6; they may instead all be executed when the arithmetic unit 2 first requests the access control unit 4 to transfer data.
  • the processing content of the access control unit 4 may be substituted by the calculation unit 2 on the side that handles data with higher importance, that is, the calculation unit 2A.
  • FIG. 7 shows an example of a data flow when the program processed by the calculation unit 2B transmits data to the program processed by the calculation unit 2A. In the example of FIG. 7 also, it is assumed that the calculation unit 2A handles data with higher importance.
  • the calculation unit 2B requests the access control unit 4 to transfer data to the calculation unit 2A (processing S701).
  • In response, the access control unit 4 collectively sets the necessary communication paths, communication directions (simply abbreviated as communication paths in FIG. 7) and attributes for the storage units 3A, 3B and 3C (processing S702 to S704).
  • Alternatively, the communication path, communication direction and attributes of each of the storage units 3A, 3B and 3C may be set immediately before data is transferred to that storage unit.
  • the calculation unit 2B reads data from the storage unit 3B (processing S705), and notifies the calculation unit 2A by an interruption or the like (processing S706) to notify that the data transfer is ready.
  • the calculation unit 2A notifies the calculation unit 2B of the address, size, and the like as the area information of the shared storage unit 3C (processing S707).
  • the processing in the case where the calculation unit 2B handles data with higher importance is processing in which the calculation unit 2A and the calculation unit 2B in FIG. 6 are interchanged.
  • the access control unit 4 may switch processing by determining which computing unit 2 is handling data of higher importance and notifying the computing unit 2.
  • Next, the computing unit 2B writes data to the storage unit 3C, which is the shared area designated by the computing unit 2A (processing S708), and notifies the computing unit 2A of the completion of the processing by an interrupt or the like (processing S709).
  • the access control unit 4 sets the communication path, communication direction, and attributes of the storage unit 3C between the calculation unit 2A and the storage unit 3C (processing S710). In this process S710, for example, the access control unit 4 sets so that the calculation unit 2B cannot access the storage unit 3C.
  • the calculation unit 2A reads data from the storage unit 3C (processing S711).
  • The calculation unit 2A may notify the calculation unit 2B by an interrupt or the like that the data has been normally received (processing S712).
  • the arithmetic unit 2B may execute data retransmission processing or the like when the notification from the arithmetic unit 2A is not performed within a predetermined time.
  • the calculation unit 2A writes data to the storage unit 3A (processing S713).
  • the access control unit 4 performs processing such as changing the attribute of the storage unit 3A (processing S714). Note that the processing content of the access control unit 4 may be substituted by the calculation unit 2 on the side that handles data with higher importance, that is, the calculation unit 2A.
  • FIG. 8 shows another example of the data flow when the program processed by the arithmetic unit 2A transmits data to the program processed by the arithmetic unit 2B, different from FIG. In the example of FIG. 8, it is assumed that the arithmetic unit 2A handles data with higher importance.
  • First, the computing unit 2A requests a data transfer from the access control unit 4 (process S801), and the access control unit 4 sets the communication path and communication direction between the computing unit 2A and the storage unit 3 (simply abbreviated as communication path in FIG. 8) and the attributes of the storage unit 3 (process S802).
  • The calculation unit 2A writes data to the storage unit 3 (process S803), and the access control unit 4 then sets the communication path, communication direction and attributes of the storage unit 3 between the calculation unit 2B and the storage unit 3 (process S804).
  • In this process S804, the access control unit 4 changes the storage unit 3 from a state in which only the arithmetic unit 2A can write data to it to a state in which only the arithmetic unit 2B can read data from it.
  • the calculation unit 2A notifies the calculation unit 2B by an interrupt or the like (processing S805), and notifies the calculation unit 2B of an address, a size, and the like as area information of the shared storage unit 3 (processing S806).
  • the calculation unit 2B reads the data from the storage unit 3 (processing S807), and notifies the calculation unit 2A with an interrupt or the like to notify that the data has been normally received (processing S808).
  • the arithmetic unit 2A may execute data retransmission processing or the like when the notification from the arithmetic unit 2B is not performed within a predetermined time.
  • the access control unit 4 sets the communication path, the communication direction, and the attributes of the storage unit 3 between the calculation unit 2B and the storage unit 3 (processing S809). In this process S809, the access control unit 4 enables the user application to access the data in the storage unit 3, for example, by changing from the privilege mode to the user mode.
  • The main difference between the example of FIG. 8 and the example of FIG. 6 is that in FIG. 8 only one area of the storage unit 3 is used (corresponding, for example, to only the shared storage unit 3C of FIG. 6), without copying the data through further areas, so the data can be transferred at higher speed.
  • As described above, in the first embodiment the attributes of the storage unit 3 (which storage unit 3 is used among the plurality of calculation units 2) are selected according to communication rules set in advance and the state of the data flow, and the communication path and communication direction between the calculation unit 2 and the storage unit 3 are set accordingly.
  • Furthermore, the risk of contamination of the shared storage unit 3 can be reduced by keeping the shared area to the minimum necessary, or by setting it up anew (as a disposable area) every time a data access occurs.
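  • The single-area hand-off of FIG. 8 (write-only for 2A, then read-only for 2B, then opened to user mode), together with the acknowledge-or-retransmit behaviour described for processes S808 and S809, as an added example that is not part of the patent: the SharedArea representation (one permitted operation per unit), the function names and the simulated dropped acknowledgement are assumptions of the example. FIG. 6 differs only in routing the data through the areas 3A and 3B as well.

```python
class SharedArea:
    """One area of the storage unit 3 under the attributes set by the access control unit.

    perm maps a calculation unit to the only operation it may perform on the
    area; a unit absent from perm has no access at all.  This representation
    is an assumption of the example, not the patent's.
    """

    def __init__(self):
        self.perm = {}
        self.data = None
        self.user_mode = False   # S809: area opened to a user-mode application

    def write(self, unit, data):
        if self.perm.get(unit) != "write":
            raise PermissionError(f"{unit} may not write this area")
        self.data = data

    def read(self, unit):
        if self.perm.get(unit) != "read":
            raise PermissionError(f"{unit} may not read this area")
        return self.data


def _blocked(fn, *args):
    """True when the current attribute setting rejects the attempted access."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def transfer_fig8(payload, drop_first_ack=False, max_retries=2):
    """Processes S801 to S809 of FIG. 8 with a single shared area.

    drop_first_ack simulates 2B not acknowledging within the deadline, so that
    2A notifies again (the 'retransmission' of the text).  The payload is still
    in the area, so it is not written a second time.
    """
    area = SharedArea()
    result = {}
    area.perm = {"2A": "write"}                          # S802: only 2A may write
    area.write("2A", payload)                            # S803
    result["early_read_blocked"] = _blocked(area.read, "2B")
    area.perm = {"2B": "read"}                           # S804: only 2B may read
    result["late_write_rejected"] = _blocked(area.write, "2A", b"late write")
    received, attempts = None, 0
    while attempts <= max_retries:
        attempts += 1                                    # S805/S806: interrupt + area info
        if drop_first_ack and attempts == 1:
            continue                                     # no S808 ack before the deadline
        received = area.read("2B")                       # S807
        break                                            # S808: 2B acknowledges
    if received is None:
        raise RuntimeError("2B never acknowledged; transfer failed")
    area.user_mode = True                                # S809: user application may read
    result.update(received=received, attempts=attempts)
    return result
```

  • The two blocked accesses are the security property of the hand-off: before S804 the receiver cannot read a half-written area, and after S804 the sender can no longer modify what the receiver is about to read.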
  • FIG. 10 shows a configuration example of a data processing apparatus according to the second embodiment of the present invention.
  • The data processing device 21 consists of a plurality of calculation units 2, a plurality of storage units 3, an access control unit 22, a communication path switching unit 23, a load distribution unit 24, a security level setting unit 25 and an abnormality detection unit 26.
  • An instruction is input to the data processing device 21 from the external input unit 50, as in the data processing device 1 in the first embodiment.
  • the calculation unit 2 and the storage unit 3 have the same functions as the calculation unit 2 and the storage unit 3 in the first embodiment.
  • the communication path switching unit 23 has a function of switching communication paths and communication directions between the plurality of calculation units 2 and the storage unit 3 and attributes of the storage unit 3 in accordance with instructions from the load distribution unit 24 or the access control unit 22.
  • The access control unit 22 has a function of determining the processing method of the communication path switching unit 23 in response to one or more instructions from the security level setting unit 25, the abnormality detection unit 26 and the load distribution unit 24.
  • The load distribution unit 24 monitors the processing states of the plurality of arithmetic units 2, manages ordering and coherence (relevance) when data accesses occur at the same time, and, when the processing load is concentrated on some of the arithmetic units 2, has a function of instructing load balancing such as distributing the processing to other arithmetic units 2. For example, when the transfer source and transfer destination calculation units 2 have the same communication rule, the load distribution unit 24 allows part of the processing of the transfer source calculation unit 2 to be migrated to the transfer destination calculation unit 2. The load distribution unit 24 also has a function of sending to the access control unit 22 or the communication path switching unit 23 an instruction for setting the communication path and communication direction to the storage unit 3 to be accessed, and the attributes of that storage unit 3, according to the processing state of each calculation unit 2.
  • the security level setting unit 25 has a function of determining a security level according to an instruction from the outside or a predetermined standard and instructing the access control unit 22 of a data access method according to the security level.
  • The security level is, for example, the security assurance level (SAL) defined by the international standard IEC 62443.
  • an evaluation index related to information security determined by various organizations and standards may be used as the security level.
  • the abnormality detection unit 26 monitors the data flow generated between the calculation unit 2 and the storage unit 3 and detects an abnormal data access in which unauthorized access is suspected.
  • For example, when an abnormal access such as a DoS (Denial of Service) attack, in which a large number of computers transmit data all at once, occurs, the abnormality detection unit 26 notifies the access control unit 22 and has a function of issuing a command such as disconnecting the communication path on which the abnormal access occurred.
  • FIG. 11 shows an example of the processing flow of the access control unit 22.
  • the access control unit 22 determines the level of the required security level according to the instruction of the security level setting unit 25 (step S1101).
  • In this example the security level has three levels, low, medium and high, but the levels may be defined in any way as long as they can be distinguished quantitatively.
  • The access control unit 22 selects a data access method according to the security level. When the security level is low, the access control unit 22 does not particularly restrict data communication between the calculation unit 2 and the storage unit 3 and sets all communication to be permitted (step S1102).
  • Where the black list or white list described in the first embodiment is used, all communication can be permitted by, for example, clearing all entries registered in these lists.
  • When the security level is medium, the access control unit 22 performs its processing with the initial settings (step S1103).
  • Where a black list or white list is used, processing with the initial settings can be performed by, for example, using the entries registered in these lists without changing their initial state.
  • When the security level is high, the access control unit 22 executes access control that is stricter than the initial settings (step S1104).
  • Where a black list or white list is used, stricter access control can be implemented by, for example, adding to the black list a new combination of communication path, communication direction or attribute that is not permitted, or by narrowing what the white list permits.
  • In this way, a data communication path corresponding to the security level set by the security level setting unit 25 can be generated between the calculation unit 2 and the storage unit 3.
  • Alternatively, the data access methods of steps S1102 to S1104 may be implemented by providing, for each security level, a plurality of sets of conditions (for example, a white list and a black list) for setting the communication path, communication direction and attributes, and selecting the set that matches the security level.
  • Next, the access control unit 22 determines whether an area of the storage unit 3 that can be used for the generated data flow can be secured (step S1105). If an available area cannot be secured, the access control unit 22 notifies an error or issues a warning (step S1106) and ends the process. If an available area can be secured, the access control unit 22 uses the data access method selected according to the security level to set the communication path and communication direction between the calculation unit 2 and the storage unit 3 (simply abbreviated as communication path in FIG. 11) and the attributes of the storage unit 3 (step S1107).
  • FIG. 12 shows an example of the settings of the communication path, communication direction and attributes of the storage unit 3 between the calculation unit 2 and the storage unit 3 made in step S1107. In FIG. 12, the individual calculation units 2 are shown as calculation units 2A to 2D, and the individual storage units 3 as storage units 3A to 3D (or storage units 3A to 3C).
  • In the setting example of FIG. 12A, a bidirectional communication path is set between the calculation unit 2A and the storage unit 3A, a bidirectional communication path is set between the calculation unit 2A and the storage unit 3B, and a one-way communication path is set from the calculation unit 2A to the storage unit 3C.
  • a bidirectional communication path is set between the calculation unit 2B and the storage unit 3B, and a one-way communication path from the calculation unit 2B to the storage unit 3C is set.
  • a one-way communication path from the storage unit 3C to the calculation unit 2C is set, and a bidirectional communication path is set between the calculation unit 2C and the storage unit 3D.
  • a one-way communication path from the storage unit 3D to the calculation unit 2D is set.
  • the attributes of the storage unit 3A are set so as to allow data reading and data writing without allowing data sharing. Further, the attributes of the storage unit 3B are set so as to permit data sharing and allow data reading and data writing.
  • The attributes of the storage unit 3C are set so that data sharing is permitted, the arithmetic units 2A and 2B are permitted only to write data, and only in privileged mode, and the arithmetic unit 2C is permitted only to read data, and only in privileged mode.
  • the attributes of the storage unit 3D are set so that data sharing is permitted, the arithmetic unit 2C is permitted to read and write data, and the arithmetic unit 2D is permitted only to read data.
  • the feature of the setting example of FIG. 12A is that the calculation unit 2A can share processing only with the calculation unit 2B without being affected by the processing data of the calculation unit 2C and the calculation unit 2D.
  • In the setting example of FIG. 12B, a one-way communication path from the calculation unit 2A to the storage unit 3A is set.
  • a one-way communication path from the calculation unit 2B to the storage unit 3B is set.
  • a one-way communication path from the storage unit 3C to the calculation unit 2C is set, and a one-way communication path from the storage unit 3C to the calculation unit 2D is set.
  • a one-way communication path from the storage unit 3A to the storage unit 3B is set, and a one-way communication path from the storage unit 3B to the storage unit 3C is set.
  • The attributes of the storage unit 3A are set so that data sharing is not permitted, the arithmetic unit 2A is permitted only to write data, and direct memory access (DMA) is permitted only to read data.
  • The attributes of the storage unit 3B are set so that data sharing is permitted, the arithmetic unit 2B is permitted only to write data, and direct memory access is permitted to read and write data.
  • The attributes of the storage unit 3C are set so that data sharing is permitted, the arithmetic units 2C and 2D are permitted only to read data, and direct memory access is permitted only to write data.
  • The feature of the setting example of FIG. 12B is that the calculation unit 2A can transmit its own data, together with the processing data of the calculation unit 2B, to the calculation units 2C and 2D at high speed while safely processing the data it holds.
  • The settings of the communication path, communication direction and attributes shown in FIGS. 12A and 12B can be defined, for example, in the form of a white list or black list as shown in FIG. 4 of the first embodiment.
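  • The isolation properties claimed for FIGS. 12A and 12B can be checked mechanically by treating the communication paths as a directed graph and computing which calculation units' data can reach which others. The following is an added example and not the patent's own method: the edge lists transcribe the paths as described above, the attribute table for FIG. 12A leaves out the privileged-mode bit, and the helper names are assumptions. It also checks that no attribute grants an operation that the set path direction does not carry, which is how an inconsistent white-list entry would show up.

```python
from collections import deque

# Directed edges of the data flow graph.  ("2A", "3A") means the calculation
# unit 2A may write to the storage unit 3A; ("3A", "2A") means 2A may read 3A;
# an edge between two storage units is a DMA transfer.  A bidirectional path
# is two edges.  Transcribed from the FIG. 12 description above.
FIG_12A = [
    ("2A", "3A"), ("3A", "2A"),
    ("2A", "3B"), ("3B", "2A"),
    ("2A", "3C"),
    ("2B", "3B"), ("3B", "2B"),
    ("2B", "3C"),
    ("3C", "2C"),
    ("2C", "3D"), ("3D", "2C"),
    ("3D", "2D"),
]
FIG_12B = [
    ("2A", "3A"), ("2B", "3B"),
    ("3C", "2C"), ("3C", "2D"),
    ("3A", "3B"), ("3B", "3C"),        # DMA between storage units
]
# Attributes of FIG. 12A as {area: {unit: operation}} (privileged bit omitted).
ATTR_12A = {
    "3A": {"2A": "rw"},
    "3B": {"2A": "rw", "2B": "rw"},
    "3C": {"2A": "write", "2B": "write", "2C": "read"},
    "3D": {"2C": "rw", "2D": "read"},
}


def reach(edges, start):
    """Every node whose contents can be influenced by data originating at start."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
    seen, todo = set(), deque([start])
    while todo:
        node = todo.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def influence_matrix(edges):
    """For each calculation unit, the calculation units its data can flow into."""
    units = sorted({n for e in edges for n in e if n.startswith("2")})
    return {u: {v for v in reach(edges, u) if v.startswith("2")} for u in units}


def attribute_mismatches(edges, attributes):
    """Attributes granting an operation the set communication path does not carry."""
    present = set(edges)
    needed = {"read": lambda u, a: [(a, u)],
              "write": lambda u, a: [(u, a)],
              "rw": lambda u, a: [(a, u), (u, a)]}
    bad = []
    for area, grants in attributes.items():
        for unit, op in grants.items():
            if not all(e in present for e in needed[op](unit, area)):
                bad.append((unit, area, op))
    return bad
```

  • For FIG. 12A the matrix shows that nothing originating at 2C or 2D can reach 2A, while 2A and 2B reach each other, which is the stated feature of that setting; for FIG. 12B no unit at all reaches 2A, and 2A's data still arrives at 2C and 2D through the DMA chain 3A, 3B, 3C.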
  • Next, the access control unit 22 determines whether the actual read or write data access was executed normally as requested by the calculation unit 2 (step S1108). For example, if the generated data access does not conform to the communication path or attributes set in step S1107, the access control unit 22 determines in step S1108 that an abnormality has occurred. Alternatively, in data communication between a plurality of calculation units 2, the receiving calculation unit 2 notifies the transmitting calculation unit 2 by an interrupt or the like that reception has completed, and in step S1108 the access control unit 22 may determine on the basis of this notification that normal data transmission and reception has completed. If the data access cannot be completed normally, the access control unit 22 notifies an error or issues a warning (step S1111).
  • the access control unit 22 determines whether or not the abnormality detection unit 26 has been notified that an abnormal data access such as a DoS attack has been detected (step S1109). When notified that an abnormal data access has been detected, the access control unit 22 notifies an error or issues a warning (step S1111).
  • After step S1111, the access control unit 22 determines whether it is necessary to block the communication path on which the abnormality occurred or to change the settings of a normal communication path (step S1112). If so, the access control unit 22 executes the setting of the communication path, communication direction and attributes of step S1107 again and changes at least one setting. For example, if an abnormality occurred on a communication path that had been permitted so far, the communication path and attribute settings are changed in step S1107 so as to block that communication path. Alternatively, in order to protect a normal communication path, another communication path is newly generated in step S1107. Alternatively, in order to protect normal data access, the communication path on which the abnormality occurred may be left as it is and a new normal communication path generated in step S1107.
  • When no detection of unauthorized data access is notified in step S1109, the access control unit 22 determines whether it is necessary to change the attributes of the used communication path and of the area of the storage unit 3 and continue the processing (step S1110). The access control unit 22 makes the same determination (step S1110) when it finds in step S1112 that it is not necessary to block the communication path on which the abnormality occurred or to change the settings of a normal communication path. When the processing needs to continue, the access control unit 22 executes the setting of the communication path, communication direction and attributes of step S1107 again. When continuation is unnecessary, the access control unit 22 ends the process.
  • FIG. 13 shows an example of the processing flow of the load distribution unit 24.
  • the load distribution unit 24 monitors the processing state of the calculation unit 2 and determines whether the processing load is concentrated on some of the calculation units 2 (step S1301).
  • A known technique can be used for the determination in step S1301. For example, the operating rates of the respective calculation units 2 over time are compared, and a calculation unit 2 with a high operating rate is judged to be under processing load. Alternatively, the calculation unit 2 itself may notify the load distribution unit 24 that its processing load is increasing. If the processing load is concentrated on some of the calculation units 2, the load distribution unit 24 determines whether load distribution is possible (step S1302). For the determination in step S1302, for example, a known technique for determining whether part of the data processing can be transferred to another calculation unit 2 that is idle or has a low operating rate may be used.
  • When the data processing of the calculation unit 2 can be transferred to another calculation unit 2, the load distribution unit 24 determines whether the security condition is satisfied (step S1303).
  • As the security condition, for example, a security level is set for each calculation unit 2 and storage unit 3, and processing may be transferred only to a calculation unit 2 or storage unit 3 whose security level is equal to or higher than that of the calculation unit 2 on which the processing load is concentrated. If the security condition is not satisfied and the data processing cannot be transferred, the load distribution unit 24 determines whether the transfer can be made possible by changing the security level settings, the communication path and communication direction between the calculation unit 2 and the storage unit 3, or the attribute settings of the storage unit 3 (step S1307).
  • If it is finally determined in step S1302, step S1303 or step S1307 that load distribution is impossible, the load distribution unit 24 performs error notification or the like (step S1308) and ends the process.
  • Otherwise, the load distribution unit 24 sends an instruction for setting the necessary communication path, communication direction (simply abbreviated as communication path in FIG. 13), attributes of the storage unit 3 and security level to the access control unit 22 or the communication path switching unit 23 (step S1304).
  • FIG. 14 shows an example of processing by steps S1303, S1307, and S1304 of FIG. First, it is assumed that the security level, the communication path, and the attributes of the storage unit 3 are set as in the example of FIG. 14A.
  • In FIG. 14, the individual calculation units 2 are shown as calculation units 2A to 2D and the individual storage units 3 as storage units 3A to 3D. The calculation unit 2A and the storage unit 3A are set to security level 3, the calculation unit 2B, the storage unit 3B and the storage unit 3C to security level 2, and the calculation units 2C and 2D and the storage unit 3D to security level 1, where 3 is high, 2 is intermediate and 1 is low.
  • a bidirectional communication path is set between the calculation unit 2A and the storage unit 3A.
  • a bidirectional communication path is set between the calculation unit 2B and the storage unit 3B, and a bidirectional communication path is also set between the calculation unit 2B and the storage unit 3C.
  • a one-way communication path only for reading data from the storage unit 3C to the calculation unit 2C is set, and a bidirectional communication path is set between the calculation unit 2C and the storage unit 3D.
  • a bidirectional communication path is set between the calculation unit 2D and the storage unit 3D.
  • the attributes of the storage units 3A, 3B, and 3D are set to permit data reading and data writing.
  • the attributes of the storage unit 3C are set so that the calculation unit 2B is allowed to read and write data, and the calculation unit 2C is allowed only to read data.
  • Assume that, in the state of FIG. 14A, the processing load is concentrated on the calculation unit 2D and it is determined in step S1302 of FIG. 13 that the processing can be transferred. In this case, the security condition determination of step S1303 of FIG. 13 finds that the security levels of the calculation unit 2D, of the storage unit 3D used by it, and of the calculation unit 2C all match, so it is determined that the processing of the calculation unit 2D can be transferred to the calculation unit 2C.
  • On the other hand, when the processing load is concentrated on the calculation unit 2A, the load distribution unit 24 determines in step S1303 of FIG. 13 that load distribution is not possible, because the security levels of the calculation unit 2A and the calculation unit 2B do not match and there is no storage unit 3 that they can share.
  • The load distribution unit 24 then determines in step S1307 of FIG. 13 whether the security levels of the calculation unit 2B and the storage unit 3B can be changed.
  • For example, the load distribution unit 24 checks the processing state of the calculation unit 2B; if the calculation unit 2B is sharing the storage unit 3C with the calculation unit 2C and executing a common process, it determines that the security level of the calculation unit 2B cannot be changed. Otherwise, it determines that the security level of the calculation unit 2B can be changed.
  • FIG. 14B shows the contents of the instruction sent by the load distribution unit 24 to the access control unit 22 or the communication path switching unit 23 in step S1304 of FIG.
  • In FIG. 14B, the load distribution unit 24 instructs the access control unit 22 (data flow control unit) to change the security level of the calculation unit 2B and the storage unit 3B from 2 to 3. It further instructs the access control unit 22 (data flow control unit) to change the communication path between the calculation unit 2A and the storage unit 3B to a bidirectional communication path. In this way, secure communication can be ensured by aligning the security level of the migration destination calculation unit 2 and of the shared storage unit 3 with that of the migration source calculation unit 2 before migrating the data processing.
  • In addition, the load distribution unit 24 changes the communication path between the calculation unit 2B and the storage unit 3C and the attributes of the storage unit 3C. That is, it changes the communication path between the calculation unit 2B and the storage unit 3C to a one-way communication path from the calculation unit 2B to the storage unit 3C, and changes the attributes of the storage unit 3C so that the calculation unit 2B is permitted only to write data. Alternatively, the communication path between the calculation unit 2B and the storage unit 3C may be disconnected.
  • step S1304 After outputting an instruction for setting the security level, communication path, communication direction, and attributes of the storage unit 3 in step S1304, the load distribution unit 24 actually performs data transmission between the calculation units 2. Processing transition is executed (step S1305).
  • the transfer of processing between the calculation units 2 for example, by performing processing according to the data flow as illustrated in FIGS. 6, 7, and 8 of the first embodiment, The processing data of the unit 2 can be securely transferred to the calculation unit 2 as a transfer destination.
  • step S1305 the load distribution unit 24 determines whether or not all the load distribution processing of the calculation unit 2 has been normally executed (step S1306). If an abnormality has occurred, the load distribution unit 24 performs error notification or the like (step S1308) and ends the process. If the necessary migration process remains, the load distribution unit 24 repeats the process from step S1304 again. Then, when all the load distribution processing of the calculation unit 2 is normally executed, the load distribution unit 24 ends the processing.
  • the required security level is achieved. It is possible to construct suitable data access.
  • the processing load is distributed using a plurality (three or more) of the arithmetic units 2, it is possible to securely execute the process transition.
FIG. 15 shows a configuration example of a data processing apparatus according to the third embodiment of the present invention.

In FIG. 15, the data processing device 31 includes calculation units 2A and 2B (an example of a computing device), an access control unit 32, a communication path switching unit 33, virtual communication path switching units 34A and 34B, storage units 3A, 3B and 3C (an example of a storage device), and virtual storage units 35A and 35B (an example of a virtual storage area). The calculation units 2A and 2B are collectively referred to as the calculation unit 2, and the storage units 3A, 3B and 3C as the storage unit 3. Likewise, the virtual communication path switching units 34A and 34B are collectively referred to as the virtual communication path switching unit 34, and the virtual storage units 35A and 35B as the virtual storage unit 35. An instruction is input to the data processing device 31 from the external input unit 50.
The calculation unit 2 and the storage unit 3 have the same functions as the calculation unit 2 and the storage unit 3 of the first embodiment or of the second embodiment. In addition, the calculation unit 2 has a function of controlling the virtual communication path switching unit 34 in accordance with an instruction from the access control unit 32, thereby setting the communication path between the calculation unit 2 and the virtual storage unit 35 and the attributes of the virtual storage unit 35.

The virtual storage unit 35 is a virtual storage area that takes the place of the storage unit 3 and can be accessed directly by the calculation unit 2. For example, the virtual storage unit 35 is a virtual memory or a cache memory.

The virtual communication path switching unit 34 has a function of switching the communication path and communication direction between the calculation unit 2 and the virtual storage unit 35, and the attributes of the virtual storage unit 35, in accordance with an instruction from the calculation unit 2 or the access control unit 32. For example, the virtual communication path switching unit 34 is hardware or software that manages the memory address map of a processor, as represented by the processor's MMU (memory management unit).

The access control unit 32 has functions equivalent to those of the access control unit 4 in the first embodiment or the access control unit 22 in the second embodiment. In addition, the access control unit 32 has a function of controlling the processing method of the virtual communication path switching unit 34 or the communication path switching unit 33, either directly or via the calculation unit 2.

The data flow control unit (not shown) in the access control unit 32 determines the processing method of the attribute control unit, the area selection unit and the communication path control unit (none of them shown) depending on the content of the data access that occurs between the calculation unit 2 and the virtual storage unit 35 or between the virtual storage unit 35 and the storage unit 3. The attribute control unit in the access control unit 32 sets the attributes of the storage unit 3 and the virtual storage unit 35 in accordance with instructions from the data flow control unit. The area selection unit in the access control unit 32 selects the data area to be used in the storage unit 3 or the virtual storage unit 35 in accordance with an instruction from the data flow control unit. The communication path control unit in the access control unit 32 sets the correspondence between the virtual storage unit 35 and the storage unit 3 in accordance with an instruction from the data flow control unit.

The communication path switching unit 33 has functions equivalent to those of the communication path switching unit 5 in the first embodiment or the communication path switching unit 23 in the second embodiment. In addition, the communication path switching unit 33 has a function of switching the correspondence between the virtual storage unit 35 and the storage unit 3 in accordance with an instruction from the access control unit 32.

The data processing device 31 of FIG. 15 may also include the security level setting unit 25, the load distribution unit 24 and the abnormality detection unit 26 of the second embodiment.
FIG. 16 shows an example of the settings of the communication path and communication direction between the calculation unit 2 and the virtual storage unit 35, the communication path and communication direction between the virtual storage unit 35 and the storage unit 3, the attributes of the virtual storage unit 35, and the attributes of the storage unit 3. In FIG. 16, the virtual communication path switching units 34A and 34B of FIG. 15 are omitted.

A bidirectional communication path is set between the calculation unit 2A and the virtual storage unit 35A, and the calculation unit 2A is set to have full access to the virtual storage unit 35A for data reading and data writing. Likewise, a bidirectional communication path is set between the calculation unit 2B and the virtual storage unit 35B, and the calculation unit 2B is set to have full access to the virtual storage unit 35B for data reading and data writing.

The virtual storage unit 35A is divided into a user area 36 and a privileged area 37. A bidirectional communication path is set between the user area 36 of the virtual storage unit 35A and the non-shared user area of the storage unit 3A, and the user area 36 of the virtual storage unit 35A is set to have full access to this non-shared user area for data reading and data writing. A one-way communication path is set from the privileged area 37 of the virtual storage unit 35A to the shared storage unit 3C-1, and the privileged area 37 of the virtual storage unit 35A is permitted only to write data to the storage unit 3C-1. A one-way communication path is set from the shared storage unit 3C-2 to the privileged area 37 of the virtual storage unit 35A, and the privileged area 37 of the virtual storage unit 35A is permitted only to read data from the storage unit 3C-2. The storage unit 3C-1 and the storage unit 3C-2 are either the same area or different areas of the storage unit 3C.

The virtual storage unit 35B is likewise divided into a user area 36 and a privileged area 37. A bidirectional communication path is set between the user area 36 of the virtual storage unit 35B and the non-shared user area of the storage unit 3B, and the user area 36 of the virtual storage unit 35B is set to have full access to this non-shared user area for data reading and data writing. A one-way communication path is set from the privileged area 37 of the virtual storage unit 35B to the shared storage unit 3C-2, and the privileged area 37 of the virtual storage unit 35B is permitted only to write data to the storage unit 3C-2. A one-way communication path is set from the shared storage unit 3C-1 to the privileged area 37 of the virtual storage unit 35B, and the privileged area 37 of the virtual storage unit 35B is permitted only to read data from the storage unit 3C-1.

Because access control is enforced on the actual storage unit 3 by setting these communication paths, the attributes of the virtual storage unit 35 and the attributes of the storage unit 3, the calculation unit 2 can be given full access to the virtual storage unit 35.
FIG. 17 shows an example of the processing flow of the access control unit 32.

The access control unit 32 monitors the data flow between the calculation unit 2 and the virtual storage unit 35, or between the virtual storage unit 35 and the storage unit 3, and monitors whether an access to a specific area in the virtual storage unit 35 or the storage unit 3 has occurred (step S1701). For example, in step S1701 the privileged area 37 in the virtual storage unit 35 shown in FIG. 16 is taken as the specific area, and it is determined whether the access is to the privileged area 37. If the access is outside the specific area, for example an access to the user area 36 in the virtual storage unit 35, the access control unit 32 ends the process.

If the access is to the specific area, the access control unit 32 determines whether it is a permitted access, that is, whether it is registered in the white list (or not registered in the black list) described in the first embodiment (step S1702). In the case of an unauthorized access that is not registered in the white list, the access control unit 32 issues an error notification or a warning (step S1708) and ends the process.

If the access is permitted, the access control unit 32 determines whether it is necessary to change the communication path and communication direction between the calculation unit 2 and the virtual storage unit 35, the communication path and communication direction between the virtual storage unit 35 and the storage unit 3 (abbreviated simply as "communication path" in FIG. 17), the attributes of the virtual storage unit 35, and the attributes of the storage unit 3 (step S1703). When a change is necessary, the access control unit 32 determines whether an area of the storage unit 3 or the virtual storage unit 35 that can be used for the generated data flow can be secured (step S1704). If an available area cannot be secured, the access control unit 32 issues an error notification or a warning (step S1708) and ends the process.

If an area can be secured, the access control unit 32 sets the communication path and communication direction between the calculation unit 2 and the virtual storage unit 35, the communication path and communication direction between the virtual storage unit 35 and the storage unit 3, the attributes of the virtual storage unit 35, and the attributes of the storage unit 3 (step S1705).

Next, the access control unit 32 determines whether the data access for reading or writing requested by the calculation unit 2 has actually been executed normally (step S1706). For example, in step S1706, if the generated data access does not conform to the communication path or attributes set in step S1705, the access control unit 32 determines that there is an abnormality. Alternatively, in the case of data communication among a plurality of calculation units 2, the calculation unit 2 on the receiving side notifies the transmitting-side calculation unit 2 by an interrupt or the like that reception has been completed, and in step S1706 the access control unit 32 may determine from this notification that data transmission and reception has completed normally. If the data access is not completed normally, the access control unit 32 issues an error notification or a warning (step S1708) and ends the process.

If the data access is completed normally, the access control unit 32 determines whether the process needs to be continued (step S1707). For example, when the data access is processed via a plurality of storage units 3 or calculation units 2, it is determined in step S1707 that the process needs to be continued. When it is necessary to continue, the access control unit 32 executes the processing from step S1703 again; otherwise, it ends the process.
FIG. 18 shows an example of the data flow when data is transmitted and received between the calculation unit 2A and the calculation unit 2B, with the communication paths, communication directions and attributes set as shown in FIG. 16 and with the privileged area 37 of the virtual storage unit 35 as the specific area of step S1701 in FIG. 17.

Processes S1801 to S1805 form the data flow when the program processed by the calculation unit 2A transmits data to the program processed by the calculation unit 2B. First, the calculation unit 2A transfers data to the virtual storage unit 35A (process S1801). Specifically, the data is written to the storage unit 3C-1 corresponding to the privileged area 37 of the virtual storage unit 35A. The access control unit 32 determines whether the data access by the calculation unit 2A is a permitted access and, if it is, changes the attribute of the storage unit 3C-1 so that data can be read from the side of the virtual storage unit 35B of the calculation unit 2B (process S1802). For example, in process S1802 the access control unit 32 initially sets the attribute of the storage unit 3C-1 to non-shared so that only data writing from the calculation unit 2A is possible, and when the data writing from the calculation unit 2A has completed, changes it so that only data reading from the calculation unit 2B is possible. The calculation unit 2A then notifies the calculation unit 2B by an interrupt or the like (process S1803). In FIG. 18 it is assumed that the communication paths and communication directions have already been set to the contents shown in FIG. 16, so they are not set again. Next, the calculation unit 2B reads data from the virtual storage unit 35B (process S1804). Specifically, the data is read from the storage unit 3C-1 corresponding to the privileged area 37 of the virtual storage unit 35B. Finally, the calculation unit 2B notifies the calculation unit 2A by an interrupt or the like that the data has been received normally from the calculation unit 2A (process S1805).

Processes S1806 to S1810 form the data flow when the program processed by the calculation unit 2B transmits data to the program processed by the calculation unit 2A. First, the calculation unit 2B transfers data to the virtual storage unit 35B (process S1806). Specifically, the data is written to the storage unit 3C-2 corresponding to the privileged area 37 of the virtual storage unit 35B. The access control unit 32 determines whether the data access by the calculation unit 2B is a permitted access and, if it is, changes the attribute of the storage unit 3C-2 so that data can be read from the side of the virtual storage unit 35A of the calculation unit 2A (process S1807). For example, in process S1807 the access control unit 32 initially sets the attribute of the storage unit 3C-2 to non-shared so that only data writing from the calculation unit 2B is possible, and when the data writing from the calculation unit 2B has completed, changes it so that only data reading from the calculation unit 2A is possible. The calculation unit 2B then notifies the calculation unit 2A by an interrupt or the like (process S1808). Next, the calculation unit 2A reads data from the virtual storage unit 35A (process S1809). Specifically, the data is read from the storage unit 3C-2 corresponding to the privileged area 37 of the virtual storage unit 35A. Finally, the calculation unit 2A notifies the calculation unit 2B by an interrupt or the like that the data has been received normally from the calculation unit 2B (process S1810).

For the storage unit 3C-1 and the storage unit 3C-2, either the same area of the storage unit 3C or separate areas of the storage unit 3C may be used. When separate areas are used, data transmission and reception between the calculation unit 2A and the calculation unit 2B can be executed securely in full duplex.
FIG. 17 shows an example in which the access control unit 32 executes a permitted data access that is registered in the white list. The access control unit 32 may also execute a data access that is registered in neither the white list nor the black list, as in the processing flow of the access control unit 4 in FIG. 3 of the first embodiment.

According to the third embodiment, the programs of the calculation unit 2A and the calculation unit 2B can freely access data in the virtual storage unit 35, while the access control unit 32 monitors and controls the data access between the virtual storage unit 35 and the storage unit 3. Therefore, in addition to obtaining the same effects as the first embodiment, data communication can be executed more securely because the calculation unit 2 is prevented from directly accessing the storage unit 3.
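As an added illustration (not code from the patent), the following Python model walks the FIG. 16 paths and the FIG. 17/18 flow: the two calculation units exchange data only through the regions 3C-1 and 3C-2 behind the privileged area 37, the access control unit checks each such access against a white list and against the region's current direction and attribute, and a region flips from write-only for the sender to read-only for the receiver once writing is done. The class and function names, the tuple form of the white list, and the reset of a region after the receiver's acknowledgement are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SharedRegion:
    """A region of storage unit 3C reached only through the privileged area 37."""
    name: str
    writer: str                                # unit holding the one-way write path
    reader: str                                # unit holding the one-way read path
    perm: dict = field(default_factory=dict)   # unit -> set of permitted operations
    data: bytes = b""

    def __post_init__(self):
        # Initial state (process S1802): non-shared, write-only for the writer.
        self.perm = {self.writer: {"write"}}

class AccessControlUnit:
    """Access control unit 32 (hypothetical model). User-area traffic to the
    non-shared storage units 3A/3B is not monitored (S1701) and not modelled."""

    def __init__(self, regions, white_list):
        self.regions = {r.name: r for r in regions}
        self.white_list = white_list           # permitted (unit, region, op) tuples
        self.errors = []                       # S1708 error notifications

    def _deny(self, msg):
        self.errors.append(msg)
        raise PermissionError(msg)

    def access(self, unit, region_name, op, data=b""):
        """S1702 white-list check, then S1706 check against the current
        communication direction and attribute of the region."""
        region = self.regions[region_name]
        if (unit, region_name, op) not in self.white_list:
            self._deny(f"S1702: {unit} {op} {region_name} not in white list")
        if op not in region.perm.get(unit, set()):
            self._deny(f"S1706: {unit} {op} {region_name} violates {region.perm}")
        if op == "write":
            region.data = data
            return None
        return region.data

    def writing_done(self, unit, region_name):
        """S1802/S1807: after the writer finishes, flip the region to read-only
        for the reader; returns the unit to interrupt (S1803/S1808)."""
        region = self.regions[region_name]
        if unit != region.writer or region.perm != {unit: {"write"}}:
            self._deny(f"S1706: unexpected hand-over of {region_name} by {unit}")
        region.perm = {region.reader: {"read"}}
        return region.reader

    def reception_done(self, unit, region_name):
        """S1805/S1810: the reader acknowledges. Resetting the region to its
        write-only state is an assumption; the patent describes only the notice."""
        region = self.regions[region_name]
        if unit != region.reader:
            self._deny(f"S1706: {unit} acknowledged {region_name} it cannot read")
        region.data = b""
        region.perm = {region.writer: {"write"}}
        return region.writer

def fig16_configuration():
    """Communication directions of FIG. 16 and the white list matching them."""
    regions = [SharedRegion("3C-1", writer="2A", reader="2B"),
               SharedRegion("3C-2", writer="2B", reader="2A")]
    white_list = {("2A", "3C-1", "write"), ("2B", "3C-1", "read"),
                  ("2B", "3C-2", "write"), ("2A", "3C-2", "read")}
    return AccessControlUnit(regions, white_list)

def transfer(acu, src, dst, region, payload):
    """Processes S1801 to S1805 (or S1806 to S1810) for one payload."""
    acu.access(src, region, "write", payload)          # S1801: write via area 37
    if acu.writing_done(src, region) != dst:           # S1802 flip, S1803 interrupt
        raise RuntimeError("hand-over reached the wrong unit")
    received = acu.access(dst, region, "read")         # S1804: read via area 37
    acu.reception_done(dst, region)                    # S1805: acknowledge
    return received
```

Because 3C-1 and 3C-2 are separate regions, a transfer in each direction can be in flight at the same time, which is the full-duplex case the description mentions.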
The present invention is not limited to the above-described embodiments and includes other modifications and application examples that do not depart from the gist of the present invention described in the claims. The above embodiments have been described in detail to make the present invention easy to understand, and the invention is not necessarily limited to one having all of the configurations described. Part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. It is also possible to add, replace or delete other configurations for part of the configuration of each embodiment.

Each of the above-described configurations, functions, processing units, processing means and the like may be realized in hardware by designing part or all of them as, for example, an integrated circuit. Each of the above-described configurations, functions and the like may also be realized in software by a processor interpreting and executing a program that implements the respective function. Information such as programs, tables and files that implement the functions can be held in a recording device such as a memory, a hard disk or an SSD (Solid State Drive), or on a recording medium such as an IC card, an SD card or an optical disk.

The control lines and information lines shown are those considered necessary for the explanation, and not all control lines and information lines of the product are necessarily shown. In practice, almost all of the components may be considered to be connected to one another.

An access control unit, a communication path switching unit and a shared storage unit are mounted in an FPGA (Field Programmable Gate Array), a logic device whose circuit can be rewritten.

Abstract

The invention relates to a data processing apparatus comprising a storage device and a plurality of computing devices that process data using the storage device, the data flow between the computing devices and the storage device being monitored. The attributes of the storage device, including whether or not the storage device may be shared among the plurality of computing devices, are set according to a communication rule applicable when a predetermined computing device accesses the storage device and according to the state of the data flow involved; the data areas to be used in the storage device are selected; and the communication paths and communication directions between the computing devices and the storage device are set. The communication paths and communication directions between the computing devices and the storage device are switched according to the content of these settings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2014/054495 WO2015128933A1 (fr) 2014-02-25 2014-02-25 Appareil de traitement de données et procédé de communication sécurisée

Publications (1)

Publication Number Publication Date
WO2015128933A1 true WO2015128933A1 (fr) 2015-09-03

Family

ID=54008305

Country Status (1)

Country Link
WO (1) WO2015128933A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS61290565A (ja) * 1985-06-19 1986-12-20 Yokogawa Electric Corp 多重プロセツサ結合回路
JP2000235558A (ja) * 1999-02-16 2000-08-29 Hitachi Ltd 主記憶共有型マルチプロセッサシステム及びその共有領域設定方法
US20030069938A1 (en) * 2001-10-04 2003-04-10 Russell Lance W. Shared memory coupling of network infrastructure devices
JP2008123031A (ja) * 2006-11-08 2008-05-29 Toyota Motor Corp 共有メモリ管理装置及び該装置を備えたマルチプロセッサシステム
JP2009199414A (ja) * 2008-02-22 2009-09-03 Renesas Technology Corp マイクロコンピュータ

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14883831; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14883831; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)