WO2019012956A1 - Sensing device, sensing system, and server - Google Patents


Info

Publication number
WO2019012956A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
virtual machine
data
communication unit
encrypted data
Prior art date
Application number
PCT/JP2018/023825
Other languages
French (fr)
Japanese (ja)
Inventor
秀一 加藤
将偉 江川
Original Assignee
株式会社Seltech
Priority date
Filing date
Publication date
Application filed by 株式会社Seltech
Publication of WO2019012956A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Definitions

  • the present invention relates to a sensing device equipped with a hypervisor, a sensing system including the sensing device, and a server equipped with a hypervisor.
  • servers and storage can be used scalably and inexpensively, without initial cost.
  • electronic components have become smaller, higher-performance and less expensive, and research on data analysis technology such as machine learning and artificial intelligence has progressed, creating an open environment for such services.
  • IoT (Internet of Things), in which things such as sensors and devices are connected to the Internet and controlled from a cloud or a server, has attracted attention.
  • IoT has the potential to improve and extend business and customer experiences in a variety of applications.
  • In everyday life, IoT connects household appliances such as electronic tablets, security cameras, audio-visual devices, lights, curtains, shutters, air conditioners and floor heating to the Internet and controls them. This makes it possible to provide a comfortable environment without user operation, and to provide benefits such as energy saving and safety.
  • risks include, for example, eavesdropping on communication, leakage of authentication information for accessing servers and cloud services, risk of remote access to devices, risk of being loaded with malware, risk of hijacking control of devices, etc.
  • the security risk is even greater, since many thousands of sensors and devices may be involved.
  • Patent Document 1 describes an invention in which an IoT gateway device verifies a client device based on its RSSI value. Even if an unauthorized client device attempts to access the IoT gateway device by forging a legitimate MAC address, the IoT gateway device blocks it by verifying the RSSI value of the connected client device, which can enhance the connection security of the IoT system.
  • the invention described in Patent Document 1 presupposes that the client device is connected to the Internet via the IoT gateway device. It therefore cannot be applied to an environment where such a gateway cannot be installed.
  • the object of this invention is to prevent the leakage of information even when the device is attacked from an external network.
  • the sensing device of the present invention is a sensing device that includes a hypervisor, comprises a physical NIC (Network Interface Card), is connected to a sensor, and implements a first and a second virtual machine.
  • the first virtual machine comprises a network communication unit that controls the physical NIC to communicate with an external management device, and a first inter-OS communication unit that communicates with the second virtual machine.
  • the second virtual machine comprises a control unit that controls the sensor; a decryption unit that decrypts encrypted data and inputs the decrypted data to the control unit; an encryption unit that encrypts data output from the control unit; and a second inter-OS communication unit that receives encrypted data from the management device via the first virtual machine and delivers it to the decryption unit, and that transmits the data encrypted by the encryption unit to the management device via the first virtual machine. Other means will be described in the embodiments for carrying out the invention.
  • FIG. 1 is a block diagram showing an outline of the sensing system S in the first embodiment.
  • the image processing apparatus 1 (sensing device), connected to the imaging device 5, operates while connected to the external network 9.
  • the image processing apparatus 1 embodies a rich OS (Operating System) 11 (first virtual machine), which relays communication with the external network 9, and a secure OS 12 (second virtual machine), which transmits control commands to the imaging device 5 and receives their responses.
  • the imaging device 5 is a camera capable of capturing a two-dimensional image, and includes, for example, a solid-state imaging device (sensor), a lens barrel, and an image processing circuit.
  • a management apparatus 2 and an attacker terminal 8 are communicably connected to the external network 9.
  • the management device 2 transmits a control command of the imaging device 5 to the image processing device 1 and receives a response, device information, and recording information. Communication data between the management device 2 and the image processing device 1 is encrypted.
  • the attacker terminal 8 intercepts communication data between the image processing device 1 and the management device 2 and tries to obtain control of the image processing device 1 illegitimately.
  • the rich OS 11, being directly connected to the external network 9, is designed on the assumption that it will be attacked.
  • FIG. 2 is a block diagram showing an example of the management device 2 and the image processing device 1.
  • the management device 2 runs the OS 20, includes a physical NIC (Network Interface Card) 25 for communicating with the external network 9 of FIG. 1, and stores an encryption key 24.
  • a control unit 201, an encryption unit 202, a network communication unit 203, a decryption unit 204, and a display unit 205 are embodied on the OS 20 by middleware (not shown).
  • the control unit 201 generates a control command for controlling the imaging device 5.
  • the encryption unit 202 encrypts the control command generated by the control unit 201 with the encryption key 24.
  • the network communication unit 203 controls the physical NIC 25 and transmits / receives communication data to / from the image processing apparatus 1 via the external network 9 of FIG. 1.
  • the network communication unit 203 transmits the encrypted data encrypted by the encryption unit 202 to the image processing apparatus 1 and receives the encrypted data from the image processing apparatus 1.
  • the decryption unit 204 decrypts the encrypted data received from the image processing apparatus 1 using the encryption key 24, and obtains a response, apparatus information, recording information, and the like.
  • the display unit 205 displays the response, device information, and recording information decrypted by the decryption unit 204.
  • the image processing apparatus 1 has a rich OS 11 and a secure OS 12 embodied by the hypervisor 13 and includes a physical NIC 15 for communicating with the external network 9.
  • the image processing apparatus 1 further stores the encryption key 14 in a secure storage (not shown).
  • the secure storage in which the encryption key 14 is stored is accessible by the secure OS 12.
  • the rich OS 11 cannot access this secure storage. Typically the encryption key 14 holds the same value as the encryption key 24 of the management device 2, but a different value may be stored.
  • the hypervisor 13 is a control program for realizing a virtual machine which is one of computer virtualization technologies.
  • the hypervisor 13 implements a first virtual machine that embodies the rich OS 11 and a second virtual machine that embodies the secure OS 12.
  • the setting of the hypervisor 13 makes it impossible for the rich OS 11 to interfere with the secure OS 12 and the encryption key 14 managed by the secure OS 12.
  • the first virtual machine that embodies the rich OS 11 and the second virtual machine that embodies the secure OS 12 can be independently used in parallel and do not interfere with each other. This can increase system reliability and availability.
  • the rich OS 11 and the hypervisor 13 only relay the communication between the management device 2 and the secure OS 12 and do not interfere with the data to be transmitted / received.
  • the rich OS 11 relays communication between the management device 2 and the secure OS 12.
  • a network communication unit 111 and an inter-OS communication unit 112 (a first inter-OS communication unit) are embodied on the rich OS 11.
  • the network communication unit 111 controls the physical NIC 15, and transmits and receives communication data to and from the management apparatus 2 via the external network 9 of FIG. 1.
  • the inter-OS communication unit 112 transmits and receives communication data to and from the secure OS 12 via, for example, the hypervisor 13.
  • the protocol used by the image processing apparatus 1 for communication with the management apparatus 2 is not particularly specified.
  • any protocol from layer 7 to layer 1 of the OSI (Open Systems Interconnection) reference model may be used, and a plurality of protocols may be combined and used.
  • Protocols in the seventh layer of the OSI reference model include Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), Network Time Protocol (NTP), Finger, Network News Transfer Protocol (NNTP), Lightweight Directory Access Protocol (LDAP), Dynamic Host Configuration Protocol (DHCP), Internet Relay Chat (IRC), and the like.
  • Protocols in the sixth layer of the OSI reference model include Session Description Protocol (SDP), HTML, XML and the like. Protocols in the fifth layer of the OSI reference model include Session Initiation Protocol (SIP), Hyper Text Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), Post Office Protocol Version 3 (POP3), Telnet (Remote Terminal Access Protocol), Internet Message Access Protocol (IMAP), and the like.
  • Protocols in the fourth layer of the OSI reference model include Sequenced Packet Exchange (SPX), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and IPsec (IP Security Protocol). (These layer assignments are the patent's own; conventional descriptions place HTTP, SMTP, FTP, POP3, Telnet and IMAP in the application layer and SSL/TLS between the transport and application layers.)
  • Protocols in the third layer of the OSI reference model include Internet Control Message Protocol (ICMP), Internet Protocol (IP), Internet Protocol version 6 (IPv6), and Internetwork Packet Exchange (IPX).
  • Protocols of the second layer of the OSI reference model include Ethernet (registered trademark) and token ring.
  • Protocols of the first layer of the OSI reference model include 10BASE-T, 100BASE-TX, 1000BASE-T and the like.
  • the rich OS 11 performs data transmission and reception processing, but does not participate in the content of the transmission and reception data.
  • the secure OS 12 executes data encryption / decryption processing and control of the imaging device 5, and an RTOS (Real-time OS) such as ITRON (registered trademark) / T-Kernel or QNX (registered trademark) is adopted. The second virtual machine may also run without an OS (bare-metal).
  • the secure OS 12 executes control of the imaging device 5 and transmission of device information in accordance with the control command received from the management device 2. During the execution of the recording process, the secure OS 12 sequentially transmits the recording information to the management device 2.
  • the inter-OS communication unit 122 (second inter-OS communication unit), the decryption unit 123, the control unit 121, and the encryption unit 124 are embodied by middleware (not shown).
  • the inter-OS communication unit 122 exchanges communication data with the rich OS 11 via, for example, the hypervisor 13.
  • the inter-OS communication unit 122 receives the encrypted data from the management apparatus 2 via the rich OS 11 and delivers it to the decryption unit 123, and transmits the data encrypted by the encryption unit 124 to the management apparatus 2 via the rich OS 11.
  • the decryption unit 123 decrypts the encrypted data transmitted from the management device 2 using the encryption key 14 to obtain a control command, and inputs the control command to the control unit 121.
  • the control unit 121 transmits the control command decrypted by the decryption unit 123 to the imaging device 5, and receives a response, device information, and recording information from the imaging device 5. In this way the control unit 121 controls the imaging device 5. The control unit 121 outputs the response, the device information, and the recording information received from the imaging device 5 to the encryption unit 124.
  • the encryption unit 124 encrypts the response, the device information, and the recording information received by the control unit 121 with the encryption key 14.
  • the encrypted data encrypted by the encryption unit 124 is transmitted to the rich OS 11 via the inter-OS communication unit 122.
  • the rich OS 11 transmits this encrypted data to the management device 2.
  • encryption / decryption processing of data is executed by the secure OS 12.
  • the rich OS 11 relays the encrypted data transmitted from the management device 2 to the secure OS 12.
  • the rich OS 11 relays the encrypted data transmitted from the secure OS 12 to the management device 2.
  • Transmission / reception data between the management device 2 and the image processing device 1 is encrypted. Even if that data is intercepted by the external attacker terminal 8 or the like, the encrypted data cannot be analyzed without knowledge of the encryption key 14. Even if the rich OS 11 is taken over by the external attacker terminal 8 or the like, it cannot interfere with the hypervisor 13 or the secure OS 12, so the encryption key 14 is protected, and while the encryption key 14 is protected the encrypted data cannot be analyzed. Thus, even if the rich OS 11 is attacked from the external network and taken over by an intruder, the information managed by the secure OS 12 does not leak.
  • FIG. 3 is a sequence diagram for explaining the operation of the sensing system S.
  • the management device 2 receives a control instruction (step S10), and the control unit 201 generates a control command.
  • the management device 2 encrypts the control command by the encryption unit 202 (step S11), and transmits the encrypted data to the rich OS 11 (step S12).
  • the rich OS 11 transmits the encrypted data to the hypervisor 13 by the inter-OS communication unit 112 (step S13).
  • the hypervisor 13 relays the encrypted data to the secure OS 12 (step S14).
  • the rich OS 11 and the hypervisor 13 do not participate in the content of transmission / reception data.
  • when the secure OS 12 receives the encrypted data through the inter-OS communication unit 122, it decrypts the data (step S15) to obtain a control command, and transmits the decrypted control command to the imaging device 5 (step S16). In this way the sensing system S controls the imaging device 5.
  • the imaging device 5 senses external information (step S17). Specifically, the imaging device 5 captures an optical image with a lens barrel and an imaging element (not shown), and returns the captured image to the secure OS 12 as transmission information (step S18).
  • when the secure OS 12 receives the transmission information from the imaging device 5, it encrypts the transmission information (step S19).
  • the secure OS 12 relays the encrypted data to the hypervisor 13 (step S20).
  • the hypervisor 13 relays the data received from the secure OS 12 to the rich OS 11 (step S21).
  • when the rich OS 11 receives the encrypted data through the inter-OS communication unit 112, it relays the data to the management device 2 (step S22). Thus, the rich OS 11 and the hypervisor 13 do not participate in the content of the transmission / reception data.
  • when the management device 2 receives the encrypted data from the rich OS 11 (image processing device 1), it decrypts the data with the decryption unit 204 (step S23) and outputs the transmission information to the display unit 205 (step S24).
  • the rich OS 11 relays data received from the management device 2 to the secure OS 12 and relays data received from the secure OS 12 to the management device 2.
  • the rich OS 11 is not involved in the content of transmission / reception data.
  • each virtual machine on the hypervisor 13 is independently available in parallel and does not interfere with each other. That is, the rich OS 11 and the secure OS 12 do not interfere with each other. Therefore, even if the rich OS 11 is hijacked by an attack from the attacker terminal 8, the hypervisor 13 and the secure OS 12 are not hijacked, and information managed by the secure OS 12 is not leaked.
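The relay path of FIG. 2 and FIG. 3 (steps S11 to S23), as an added example that is not part of the patent: the two virtual machines are modelled as Go structs, the inter-OS channel as a method call, and the encryption units as AES-256-GCM, which the patent does not specify (an assumption here, chosen so that a rich OS that alters what it relays is detected, not merely unable to read it). Key 14 and key 24 hold the same value, as in the first embodiment; the command strings and the sensor frame are constructed samples, and the tamper hook on the rich OS stands in for the attacker terminal 8 having taken it over.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealedMessage is all that crosses the external network 9 and the inter-OS channel: nonce || ciphertext || GCM tag.
type sealedMessage []byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext (AES-256-GCM, fresh random nonce).
func seal(key, plaintext []byte) (sealedMessage, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any change to nonce, ciphertext or tag.
func open(key []byte, msg sealedMessage) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// secureOS models the second virtual machine: it alone holds encryption key 14 and drives imaging device 5.
type secureOS struct {
	key14 []byte
}

// handle is the secure-OS half of steps S14 to S20: decryption unit 123, control unit 121
// (a constructed frame stands in for the camera), encryption unit 124.
func (s *secureOS) handle(in sealedMessage) (sealedMessage, error) {
	cmd, err := open(s.key14, in)
	if err != nil {
		return nil, fmt.Errorf("secure OS rejected data from rich OS: %w", err)
	}
	resp := []byte("ERR:unknown command")
	if string(cmd) == "CAPTURE" {
		resp = []byte("FRAME:constructed-sample-image-bytes")
	}
	return seal(s.key14, resp)
}

// richOS models the first virtual machine: no key, forwards bytes only; tamper represents attacker terminal 8 in control.
type richOS struct {
	tamper func(sealedMessage) sealedMessage
}

// relay is inter-OS communication unit 112 -> hypervisor 13 -> unit 122 and back.
func (r *richOS) relay(in sealedMessage, sec *secureOS) (sealedMessage, error) {
	if r.tamper != nil {
		in = r.tamper(in)
	}
	return sec.handle(in)
}

// roundTrip is the management device 2 view of steps S11 to S23: encryption unit 202, the relay, decryption unit 204.
func roundTrip(key24 []byte, rich *richOS, sec *secureOS, cmd string) (string, error) {
	ct, err := seal(key24, []byte(cmd))
	if err != nil {
		return "", err
	}
	reply, err := rich.relay(ct, sec)
	if err != nil {
		return "", err
	}
	pt, err := open(key24, reply)
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // key 14 and key 24 hold the same value (first embodiment)
	rand.Read(key)
	sec := &secureOS{key14: key}
	fmt.Println(roundTrip(key, &richOS{}, sec, "CAPTURE"))
}
```

What this arrangement guarantees is that neither the plaintext command nor the frame is visible to, or forgeable by, the first virtual machine; a hijacked rich OS can still drop or delay ciphertexts, so the availability claim rests on the hypervisor alone. Because the secure OS streams recording information continuously (step S18 repeats), random 96-bit nonces should give way to a counter, or the key should be rotated as in FIG. 4, well before 2^32 messages are sealed under one key.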
  • FIG. 4 is a sequence diagram for explaining the update operation of the encryption key 14.
  • the encryption key 14 is stored on secure storage.
  • the update of the encryption key 14 is performed according to an instruction from the management device 2. This updating operation will be described in the following steps S30 to S36.
  • the encryption unit 202 of the management device 2 sends the public key to the encryption unit 124 of the image processing device 1 (step S30).
  • the encryption unit 124 of the image processing apparatus 1 generates a secret value using, for example, a random number generator (step S31), and encrypts the secret value with a public key (step S32).
  • the encryption unit 124 further transmits the encrypted secret value to the management device 2 (step S33).
  • the encryption unit 202 of the management device 2 decrypts the encrypted secret value with its private key (step S34).
  • the encryption unit 202 transmits this secret value to the encryption unit 124 of the image processing apparatus 1 and inquires whether encrypted communication is possible (step S35).
  • the encryption unit 124 responds that encrypted communication with this secret value is possible (step S36). Thereafter, encrypted communication is performed using this secret value as the encryption key 14 (step S37).
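The key update of FIG. 4, steps S30 to S37, as an added example that is not the patent's own code. It assumes RSA-OAEP for wrapping the secret value (the patent names only a public key and a secret key), and replaces the step S35/S36 exchange of "this secret value" with HMAC-SHA256 key-confirmation tags, so that after step S33 the key itself never crosses the network; the OAEP label and the direction strings are assumptions. The page does not say how the image processing device verifies that the public key received in step S30 belongs to the management device 2, so this code trusts it as received; a deployment has to pin or certify that key, otherwise anyone on the external network 9 who substitutes their own public key obtains the new key 14.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped secret to this purpose; it is an assumption, not from the page.
var oaepLabel = []byte("WO2019012956A1 key 14 update")

// managementDevice holds the RSA key pair whose public half is sent in step S30.
type managementDevice struct{ priv *rsa.PrivateKey }

// imageProcessingDevice is the secure-OS side; candidate is the not-yet-confirmed key 14.
type imageProcessingDevice struct{ candidate []byte }

// Steps S31 to S33: draw a 256-bit secret and wrap it under the received public key.
// The public key is trusted as received (see lead-in); a real device must verify it.
func (d *imageProcessingDevice) generateAndWrap(pub *rsa.PublicKey) ([]byte, error) {
	d.candidate = make([]byte, 32)
	if _, err := rand.Read(d.candidate); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, d.candidate, oaepLabel)
}

// Step S34: unwrap the secret with the private key.
func (m *managementDevice) unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, wrapped, oaepLabel)
}

// confirmTag is an HMAC over a direction label under the candidate key. Each side proves
// possession in steps S35/S36 with it, without transmitting the value itself.
func confirmTag(key []byte, direction string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(direction))
	return mac.Sum(nil)
}

// Steps S35/S36 on the device: verify the management device's tag, then answer with its own.
// On failure the candidate is discarded and the old key 14 stays in force.
func (d *imageProcessingDevice) checkAndReply(fromMgmt []byte) ([]byte, error) {
	if !hmac.Equal(fromMgmt, confirmTag(d.candidate, "mgmt->device")) {
		d.candidate = nil
		return nil, errors.New("key confirmation failed; key 14 not updated")
	}
	return confirmTag(d.candidate, "device->mgmt"), nil
}

// runKeyUpdate executes S30 to S37 end to end and returns the key as each side holds it.
func runKeyUpdate(bits int) (key24, key14 []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	m := &managementDevice{priv: priv}
	d := &imageProcessingDevice{}
	wrapped, err := d.generateAndWrap(&m.priv.PublicKey) // S30 to S33
	if err != nil {
		return nil, nil, err
	}
	secret, err := m.unwrap(wrapped) // S34
	if err != nil {
		return nil, nil, err
	}
	reply, err := d.checkAndReply(confirmTag(secret, "mgmt->device")) // S35
	if err != nil {
		return nil, nil, err
	}
	if !hmac.Equal(reply, confirmTag(secret, "device->mgmt")) { // S36
		return nil, nil, errors.New("device confirmation failed")
	}
	return secret, d.candidate, nil // S37: both sides now encrypt under this value
}

func main() {
	k24, k14, err := runKeyUpdate(2048)
	fmt.Println(bytes.Equal(k24, k14), err)
}
```

The secret is generated on the device, so the management device's random number generator is not relied on; the confirmation tags are bound to direction labels so a reflected tag cannot satisfy the other side.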
  • FIG. 5 is a block diagram showing an outline of the sensing system S in the second embodiment.
  • the sensing system S of the second embodiment includes a management device 2A different from that of the first embodiment.
  • the management device 2A embodies a front end OS 21 (third virtual machine) and a back end OS 22 (fourth virtual machine).
  • the front end OS 21 is responsible for communication processing
  • the back end OS 22 is responsible for device control.
  • FIG. 6 is a block diagram showing an example of the management apparatus 2A and the image processing apparatus 1.
  • the image processing apparatus 1 of the second embodiment is configured in the same manner as the image processing apparatus 1 of the first embodiment.
  • the management apparatus 2A of the second embodiment differs from the first embodiment in that the front end OS 21 and the back end OS 22 are embodied by the hypervisor 23.
  • the management device 2A further includes a physical NIC 25 for communicating with the external network 9 of FIG. 1, and further stores the encryption key 24 in a secure storage (not shown).
  • the secure storage in which the encryption key 24 is stored is accessible by the back end OS 22 and is not accessible by the front end OS 21.
  • the hypervisor 23 is a control program for realizing a virtual machine which is one of computer virtualization technologies.
  • the hypervisor 23 realizes a third virtual machine that embodies the front end OS 21 and a fourth virtual machine that embodies the back end OS 22.
  • the front end OS 21 relays communication between the back end OS 22 and the image processing apparatus 1.
  • a network communication unit 211 and an inter-OS communication unit 212 are embodied on the front end OS 21.
  • the network communication unit 211 controls the physical NIC 25 and transmits and receives communication data via the external network 9 of FIG. 1.
  • the inter-OS communication unit 212 (third inter-OS communication unit) transmits and receives communication data to and from the back end OS 22 via, for example, the hypervisor 23.
  • the front end OS 21 performs data transmission and reception processing, and does not participate in the content of the transmission and reception data.
  • the back end OS 22 executes data encryption / decryption processing.
  • the back end OS 22 generates a control command to execute control of the imaging device 5 and reception of device information.
  • the back end OS 22 sequentially receives recording information from the image processing apparatus 1 while the recording process is being performed.
  • a control unit 225, an encryption unit 223, an inter-OS communication unit 222, a decryption unit 224, and a display unit 226 are embodied by middleware (not shown) on the back end OS 22.
  • the control unit 225 generates a control command for controlling the imaging device 5.
  • the encryption unit 223 (second encryption unit) encrypts the control command generated by the control unit 225 using the encryption key 24.
  • the inter-OS communication unit 222 (fourth inter-OS communication unit) transmits / receives communication data to / from the front end OS 21 via the hypervisor 23, for example.
  • the inter-OS communication unit 222 transmits the encrypted data encrypted by the encryption unit 223 to the image processing apparatus 1 via the front end OS 21.
  • the inter-OS communication unit 222 receives encrypted data from the image processing apparatus 1 via the front end OS 21 and delivers the encrypted data to the decryption unit 224.
  • the decryption unit 224 (second decryption unit) decrypts the encrypted data received from the image processing apparatus 1 using the encryption key 24, and obtains a response, device information, recording information, and the like.
  • the display unit 226 displays the response, device information, and recording information decrypted by the decryption unit 224.
  • encryption / decryption processing of data is executed by the back end OS 22.
  • the front end OS 21 relays the encrypted data transmitted from the back end OS 22 to the image processing apparatus 1.
  • the front end OS 21 relays the encrypted data transmitted from the image processing apparatus 1 to the back end OS 22. Even if the external attacker terminal 8 hijacks the front end OS 21, interference with the back end OS 22 is impossible, and the encryption key 24 is protected. If the encryption key 24 is protected, analysis of encrypted transmission / reception data is impossible.
  • FIG. 7 is a sequence diagram for explaining the operation of the sensing system S.
  • the back end OS 22 of the management device 2A receives the control instruction (step S40), and the control unit 225 generates a control command.
  • the management device 2A encrypts the control command with the encryption unit 223 (step S41), and transmits the encrypted data to the hypervisor 23 (step S42).
  • the hypervisor 23 relays the encrypted data to the front end OS 21 (step S43).
  • the front end OS 21 transmits the encrypted data to the rich OS 11 (step S44).
  • the hypervisor 23 and the front end OS 21 do not participate in the content of transmission / reception data.
  • the rich OS 11 transmits the encrypted data to the hypervisor 13 by the inter-OS communication unit 112 (step S45).
  • the hypervisor 13 relays the encrypted data to the secure OS 12 (step S46).
  • the rich OS 11 and the hypervisor 13 do not participate in the content of transmission / reception data.
  • when the secure OS 12 receives the encrypted data through the inter-OS communication unit 122, it decrypts the data (step S47) to obtain a control command, and transmits the decrypted control command to the imaging device 5 (step S48). In this way the sensing system S controls the imaging device 5.
  • the imaging device 5 senses external information (step S49). Specifically, the imaging device 5 captures an optical image with a lens barrel and an imaging element (not shown), and returns the captured image to the secure OS 12 as transmission information (step S50).
  • when the secure OS 12 receives the transmission information from the imaging device 5, it encrypts the transmission information (step S51).
  • the secure OS 12 relays the encrypted data to the hypervisor 13 (step S52).
  • the hypervisor 13 relays the data received from the secure OS 12 to the rich OS 11 (step S53).
  • when the rich OS 11 receives the encrypted data from the hypervisor 13 through the inter-OS communication unit 112, it relays the data to the front end OS 21 of the management device 2A (step S54). Thus, the rich OS 11 and the hypervisor 13 do not participate in the content of the transmission / reception data.
  • when the front end OS 21 of the management device 2A receives the encrypted data from the rich OS 11 (image processing device 1), it relays the data to the hypervisor 23 (step S55).
  • the hypervisor 23 relays the data received from the front end OS 21 to the back end OS 22 (step S56).
  • when the back end OS 22 receives the encrypted data, it decrypts the data with the decryption unit 224 (step S57) and outputs the transmission information to the display unit 226 (step S58).
  • the virtual machines on the hypervisor 23 can be used independently in parallel and do not interfere with each other. The front end OS 21 relays data received from the back end OS 22 to the image processing apparatus 1 and relays data received from the image processing apparatus 1 to the back end OS 22, and is not involved in the content of the transmission / reception data. Therefore, even if the front end OS 21 is hijacked by an attack from the attacker terminal 8, the hypervisor 23 and the back end OS 22 are not hijacked, and information managed by the back end OS 22 does not leak.
  • in the sensing system S of the second embodiment, control of the imaging device 5 via the external network 9 and reception of image information can be realized safely. Even when an attack from the external network 9 is received, the sensing system S can prevent leakage of important information (device information, recording information, and information related to cryptographic processing).
  • FIG. 8 is a configuration diagram showing an outline of the server 4 and the terminal 3 in the third embodiment.
  • the server 4 has a front end OS 41 and a back end OS 42 embodied by the hypervisor 43.
  • the server 4 further includes a physical NIC 45 for communicating with an external network, and further stores the encryption key 44 in a secure storage (not shown).
  • the secure storage in which the encryption key 44 is stored is accessible to the back end OS 42.
  • the front end OS 41 can not access this secure storage.
  • the hypervisor 43 is a control program for realizing a virtual machine which is one of computer virtualization technologies.
  • the hypervisor 43 realizes a third virtual machine that embodies the front end OS 41 and a fourth virtual machine that embodies the back end OS 42.
  • the front end OS 41 relays communication between the back end OS 42 and the terminal 3.
  • a network communication unit 411 and an inter-OS communication unit 412 are embodied on the front end OS 41.
  • the network communication unit 411 controls the physical NIC 45, and transmits / receives communication data to / from the terminal 3 via an external network.
  • the inter-OS communication unit 412 (first inter-OS communication unit) transmits / receives communication data to / from the back end OS 42 via the hypervisor 43, for example.
  • the front end OS 41 performs data transmission and reception processing, and does not participate in the content of the transmission and reception data.
  • the back end OS 42 executes data decryption processing and encryption processing.
  • the back end OS 42 executes requests from the terminal 3 with the application unit 421.
  • an application unit 421, an encryption unit 423, an inter-OS communication unit 422, and a decryption unit 424 are embodied by middleware (not shown).
  • the application unit 421 (processing unit) executes the request of the terminal 3 and returns its response.
  • the encryption unit 423 encrypts the response output from the application unit 421 using the encryption key 44.
  • the inter-OS communication unit 422 (second inter-OS communication unit) transmits / receives communication data to / from the front end OS 41 via the hypervisor 43, for example.
  • the inter-OS communication unit 422 receives the encrypted data from the terminal 3 via the front end OS 41 and delivers it to the decrypting unit 424, and transmits the encrypted data encrypted by the encrypting unit 423 to the terminal 3 via the front end OS 41.
  • the decryption unit 424 decrypts the encrypted data received from the terminal 3 using the encryption key 44 and obtains the request of the terminal 3.
  • the decryption unit 424 further inputs the decrypted request of the terminal 3 to the application unit 421.
  • encryption / decryption processing of data is executed by the back end OS 42.
  • the front end OS 41 relays the encrypted data transmitted from the back end OS 42 to the terminal 3.
  • the front end OS 41 relays the encrypted data transmitted from the terminal 3 to the back end OS 42. Even if the front end OS 41 is hijacked by an external attacker terminal or the like, the encryption key 44 is protected because interference with the back end OS 42 is impossible. If the encryption key 44 is protected, analysis of encrypted transmission / reception data is impossible.
  • the terminal 3 has a front end OS 31 and a back end OS 32 embodied by the hypervisor 33.
  • the terminal 3 further includes a physical NIC 35 for communicating with the external network 9, and stores the encryption key 34 in a secure storage (not shown).
  • the secure storage in which the encryption key 34 is stored is accessible to the back end OS 32.
  • the front end OS 31 cannot access this secure storage.
  • the hypervisor 33 is a control program for realizing a virtual machine which is one of computer virtualization technologies.
  • the hypervisor 33 realizes a first virtual machine that embodies the front end OS 31 and a second virtual machine that embodies the back end OS 32.
  • interference from the front end OS 31 to the back end OS 32 and interference with the encryption key 34 managed by the back end OS 32 are not possible.
  • the front end OS 31 only relays communication between the server 4 and the back end OS 32 and does not interfere with data to be transmitted or received.
  • the front end OS 31 relays communication between the server 4 and the back end OS 32.
  • a network communication unit 311 and an inter-OS communication unit 312 are embodied on the front end OS 31.
  • the network communication unit 311 controls the physical NIC 35, and transmits and receives communication data via an external network.
  • the inter-OS communication unit 312 transmits and receives communication data to and from the back end OS 32 via, for example, the hypervisor 33.
  • the protocol used by the terminal 3 in communication with the server 4 is not particularly specified. For example, any protocol from the seventh layer to the first layer of the OSI reference model may be used.
  • the front end OS 31 performs data transmission and reception processing, and does not participate in the content of the transmission and reception data.
  • the back end OS 32 executes data encryption / decryption processing.
  • the back end OS 32 executes a request to the application unit 421 on the server 4 based on the input information of the display operation unit 321, and displays the response received from the server 4 on the display operation unit 321.
  • the inter-OS communication unit 322, the decryption unit 323, the display operation unit 321, and the encryption unit 324 are embodied by middleware (not shown) or the like on the back end OS 32.
  • the inter-OS communication unit 322 transmits and receives communication data to and from the front end OS 31 via, for example, the hypervisor 33.
  • the decryption unit 323 decrypts the encrypted data transmitted from the server 4 using the encryption key 34 to obtain a control command.
  • the display operation unit 321 delivers the input information to the encryption unit 324, and displays the response decrypted by the decryption unit 323.
  • the encryption unit 324 encrypts the information input by the display operation unit 321 with the encryption key 34.
  • the encrypted data encrypted by the encryption unit 324 is transmitted to the front end OS 31 via the inter-OS communication unit 322.
  • the front end OS 31 transmits this encrypted data to the server 4.
  • the encryption / decryption processing of data is executed by the back end OS 32.
  • the front end OS 31 relays the encrypted data transmitted from the server 4 to the back end OS 32.
  • the front end OS 31 relays the encrypted data transmitted from the back end OS 32 to the server 4.
  • the encryption key 34 is protected because interference with the back end OS 32 is impossible. If the encryption key 34 is protected, analysis of encrypted transmission / reception data is impossible. Thereby, communication between the server 4 and the terminal 3 via the network can be realized safely, and leakage of important information can be prevented even if an attack from an external network is received.
  • the device connected to the management device 2 is not limited to a camera, and may be any type of sensor.
  • the management device 2 may operate to simply receive information sensed by the sensor without controlling the sensor.
  • Data encryption and decryption processing is not limited to the back-end OS and secure OS.
  • the hypervisor may execute data encryption and decryption processing.
  • the management device 2 may not have a display unit, and may have a function of only storing captured data in a storage unit.
  • the encryption key 14 stored in the image processing apparatus 1 and the encryption key 24 stored in the management apparatus 2 may be identical or different keys may be used without limitation.
  • S Sensing system; 1 Image processing device (sensing device); 11 Rich OS (first virtual machine); 12 Secure OS (second virtual machine); 111, 203, 211, 311, 411 Network communication unit; 121, 201, 225 Control unit; 112, 312 Inter-OS communication unit (first inter-OS communication unit); 212 Inter-OS communication unit (third inter-OS communication unit); 412 Inter-OS communication unit; 122, 322 Inter-OS communication unit (second inter-OS communication unit); 222 Inter-OS communication unit (fourth inter-OS communication unit); 422 Inter-OS communication unit; 123 Decryption unit (first decryption unit); 224 Decryption unit (second decryption unit); 204, 323, 424 Decryption unit; 124 Encryption unit (first encryption unit); 223 Encryption unit (second encryption unit); 202, 324, 423 Encryption unit; 13, 23, 33, 43 Hypervisor; 14, 24, 34, 44 Encryption key; 15, 25, 35, 45 Physical NIC; 2, 2A Management device; 20 OS; 205, 226 Display unit; 21 Front end OS (third virtual machine); 41 Front end OS (

Abstract

The objective of the present invention is to prevent leakage of information even when attacked from an external network. An image processing device (1) is provided with a physical network interface card (NIC) (15), is connected to an image capturing device (5), and includes a hypervisor (13) which embodies a rich OS (11) and a secure OS (12). The rich OS (11) is provided with a network communication unit (111) which communicates with a management device (2) via the physical NIC (15), and an inter-OS communication unit (112) which communicates with the secure OS (12). The secure OS (12) is provided with: a control unit (121) which controls the image capturing device (5); a decrypting unit (123) which decrypts encrypted data; an encrypting unit (124) which encrypts data output from the control unit (121); and an inter-OS communication unit (122) which receives encrypted data from the management device (2) via the rich OS (11) and delivers the same to the decrypting unit (123), and transmits encrypted data encrypted by the encrypting unit (124) to the management device (2) via the rich OS (11).

Description

Sensing device, sensing system, and server
The present invention relates to a sensing device equipped with a hypervisor, a sensing system including the sensing device, and a server equipped with a hypervisor.
With recent advances in network technology, servers and storage can be used scalably and inexpensively, with no initial cost. Advances in electronics have also made electronic components smaller, more capable and cheaper, and research into data analysis techniques such as machine learning and artificial intelligence has progressed to the point where they are openly available.
Along with these developments, the Internet of Things (IoT), in which "things" such as sensors and devices are connected to the Internet and controlled by a cloud or server, has attracted attention. IoT has the potential to improve and extend business and customer experiences in a variety of applications.
In everyday life, IoT means connecting household appliances such as electronic locks, security cameras, audio-visual equipment, lighting, curtains, shutters, air conditioners and floor heating to the Internet and controlling them. This makes it possible to provide a comfortable environment without user operation, and to offer benefits such as energy saving and safety.
In automobiles, in-vehicle sensors and in-vehicle devices can be connected to the Internet and the data obtained used to optimize driving for the individual driver, or to detect signs of failure and prompt repair. Furthermore, if the information sensed by in-vehicle sensors is stored in an integrated database, a variety of information services become possible based on weather and traffic congestion information.
In health and medical care, a wearable sensor connected to the Internet can measure a person's state of health and detect and warn of signs of illness.
In IoT technology, "things" such as sensors and devices are always connected to a network and can collect data and receive feedback. On the other hand, because they are always connected to the Internet, these sensors and devices face the same risks as existing systems. Such risks include, for example, eavesdropping on communication, leakage of the credentials used to access servers and cloud services, remote access to devices, implantation of malware, and hijacking of device control. Because IoT deployments may involve thousands to tens of thousands of sensors and devices, the security risk is even greater.
Patent Document 1 describes an invention in which an IoT gateway device verifies a client device based on its RSSI value. Therefore, even if an unauthorized client device attempts to access the IoT gateway device by forging a legitimate MAC address, the IoT gateway device can block the unauthorized client device by verifying the RSSI value of the connecting client device, thereby enhancing the connection security of the IoT system.
Patent Document 1: JP 2017-46338 A
The invention described in Patent Document 1 presupposes that the client device is connected to the Internet via the IoT gateway device. It therefore cannot be applied in an environment where such a gateway cannot be installed.
Accordingly, the object of the present invention is to prevent the leakage of information even when an attack from an external network is received.
In order to solve the problem described above, the sensing device of the present invention is
a sensing device that includes a physical NIC (Network Interface Card), is connected to a sensor, and includes a hypervisor that embodies first and second virtual machines, wherein
the first virtual machine includes:
a network communication unit that controls the physical NIC to communicate with an external management device; and
a first inter-OS communication unit that communicates with the second virtual machine;
and the second virtual machine includes:
a control unit that controls the sensor;
a decryption unit that decrypts encrypted data and inputs the decrypted data to the control unit;
an encryption unit that encrypts data output from the control unit; and
a second inter-OS communication unit that receives encrypted data from the management device via the first virtual machine and delivers it to the decryption unit, and transmits the encrypted data produced by the encryption unit to the management device via the first virtual machine.
Other means will be described in the detailed description of the embodiments.
According to the present invention, it is possible to prevent the leakage of information even when an attack from an external network is received.
FIG. 1 is a configuration diagram showing an outline of the sensing system in the first embodiment.
FIG. 2 is a block diagram showing an example of the management device and the image processing device.
FIG. 3 is a sequence diagram explaining the operation of the sensing system.
FIG. 4 is a sequence diagram explaining the encryption key update operation.
FIG. 5 is a configuration diagram showing an outline of the sensing system in the second embodiment.
FIG. 6 is a block diagram showing an example of the management device and the image processing device.
FIG. 7 is a sequence diagram explaining the operation of the sensing system.
FIG. 8 is a configuration diagram showing an outline of the server device and the terminal in the third embodiment.
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a configuration diagram showing an outline of the sensing system S in the first embodiment.
The image processing device 1 (sensing device) connected to the imaging device 5 operates while connected to the external network 9. The image processing device 1 embodies a rich OS (Operating System) 11, which relays communication with the external network 9, and a secure OS 12, which exchanges control commands and their responses with the imaging device 5. The rich OS 11 (first virtual machine) is responsible for communication processing, and the secure OS 12 (second virtual machine) is responsible for device control.
The imaging device 5 is a camera capable of capturing two-dimensional images and includes, for example, a solid-state imaging element (sensor), a lens barrel and an image processing circuit.
In addition to the image processing device 1, a management device 2 and an attacker terminal 8 are communicably connected to the external network 9.
The management device 2 transmits control commands for the imaging device 5 to the image processing device 1, and receives the responses, device information and recording information. Communication data between the management device 2 and the image processing device 1 is encrypted.
The attacker terminal 8 attempts to intercept communication data between the image processing device 1 and the imaging device 5, or to illegitimately obtain control authority over the image processing device 1. In the sensing system S of the first embodiment, the rich OS 11, which is directly connected to the external network 9, is built on the assumption that it will be attacked.
FIG. 2 is a block diagram showing an example of the management device 2 and the image processing device 1.
The management device 2 embodies an OS 20, includes a physical NIC (Network Interface Card) 25 for communicating with the external network 9 of FIG. 1, and further stores an encryption key 24.
A control unit 201, an encryption unit 202, a network communication unit 203, a decryption unit 204 and a display unit 205 are embodied on the OS 20 by middleware (not shown) or the like.
The control unit 201 generates control commands for controlling the imaging device 5. The encryption unit 202 encrypts the control commands generated by the control unit 201 with the encryption key 24.
The network communication unit 203 controls the physical NIC 25 and transmits and receives communication data to and from the image processing device 1 via the external network 9 of FIG. 1. Here, the network communication unit 203 transmits the encrypted data produced by the encryption unit 202 to the image processing device 1, and receives encrypted data from the image processing device 1.
The decryption unit 204 decrypts the encrypted data received from the image processing device 1 with the encryption key 24 to obtain responses, device information, recording information and the like. The display unit 205 displays the responses, device information and recording information decrypted by the decryption unit 204.
In the image processing device 1, the rich OS 11 and the secure OS 12 are embodied by the hypervisor 13, and the device includes a physical NIC 15 for communicating with the external network 9. The image processing device 1 further stores the encryption key 14 in a secure storage (not shown). The secure storage holding the encryption key 14 is accessible to the secure OS 12. However, the rich OS 11 cannot access this secure storage. The encryption key 14 holds, for example, the same value as the encryption key 24 of the management device 2, but a different value may be stored.
The hypervisor 13 is a control program for realizing virtual machines, one of the computer virtualization technologies. Here, the hypervisor 13 realizes a first virtual machine that embodies the rich OS 11 and a second virtual machine that embodies the secure OS 12.
By the configuration of the hypervisor 13, interference from the rich OS 11 with the secure OS 12, or with the encryption key 14 managed by the secure OS 12, is impossible. The first virtual machine embodying the rich OS 11 and the second virtual machine embodying the secure OS 12 can be used independently and in parallel, and do not interfere with each other. This increases the reliability and availability of the system.
The rich OS 11 and the hypervisor 13 only relay communication between the management device 2 and the secure OS 12 and do not interfere with the data being transmitted or received.
The rich OS 11 relays communication between the management device 2 and the secure OS 12. A network communication unit 111 and an inter-OS communication unit 112 (first inter-OS communication unit) are embodied on the rich OS 11. The network communication unit 111 controls the physical NIC 15 and transmits and receives communication data to and from the management device 2 via the external network 9 of FIG. 1. The inter-OS communication unit 112 transmits and receives communication data to and from the secure OS 12 via, for example, the hypervisor 13.
The protocol used by the image processing device 1 to communicate with the management device 2 is not particularly specified. For example, any protocol from layer 7 to layer 1 of the OSI (Open Systems Interconnection) reference model may be used, and a plurality of protocols may also be used in combination.
Layer 7 protocols of the OSI reference model include NFS (Network File System), SNMP (Simple Network Management Protocol), DNS (Domain Name System), NTP (Network Time Protocol), Finger, NNTP (News Network Transfer Protocol), LDAP (Lightweight Directory Access Protocol), DHCP (Dynamic Host Configuration Protocol) and IRC (Internet Relay Chat).
Layer 6 protocols of the OSI reference model include SDP (Session Description Protocol), HTML and XML.
Layer 5 protocols of the OSI reference model include SIP (Session Initiation Protocol), HTTP (HyperText Transfer Protocol), SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), POP3 (Post Office Protocol Version 3), Telnet (remote terminal access protocol) and IMAP (Internet Message Access Protocol).
Layer 4 protocols of the OSI reference model include SPX (Sequenced Packet Exchange), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), SSL (Secure Sockets Layer), TLS (Transport Layer Security) and IPSec (IP Security Protocol).
Layer 3 protocols of the OSI reference model include ICMP (Internet Control Message Protocol), IP (Internet Protocol), IPv6 (Internet Protocol version 6) and IPX (Internetwork Packet Exchange).
Layer 2 protocols of the OSI reference model include Ethernet (registered trademark) and Token Ring.
Layer 1 protocols of the OSI reference model include 10Base-T, 100BASE-TX and 1000BASE-T.
Therefore, by adopting Linux (registered trademark), Windows (registered trademark) or the like, which support a wide variety of communication protocols, as the rich OS 11, the communication protocol used with the management device 2 can be chosen flexibly. The rich OS 11 performs data transmission and reception processing but is not involved in the content of the data transmitted and received.
The secure OS 12 executes data encryption and decryption processing and control of the imaging device 5; an RTOS (Realtime OS) such as ITRON (registered trademark)/T-Kernel or QNX (registered trademark) is suitably adopted, or the virtual machine may be operated OS-less (without an OS). The secure OS 12 controls the imaging device 5 and transmits device information in accordance with the control commands received from the management device 2. While recording is in progress, the secure OS 12 transmits the recording information to the management device 2 sequentially.
On the secure OS 12, an inter-OS communication unit 122 (second inter-OS communication unit), a decryption unit 123, a control unit 121 and an encryption unit 124 are embodied by middleware (not shown) or the like. The inter-OS communication unit 122 transmits and receives communication data to and from the rich OS 11 via, for example, the hypervisor 13. The inter-OS communication unit 122 receives encrypted data from the management device 2 via the rich OS 11 and delivers it to the decryption unit 123, and transmits the encrypted data produced by the encryption unit 124 to the management device 2 via the rich OS 11.
The decryption unit 123 decrypts the encrypted data transmitted from the management device 2 with the encryption key 14 to obtain a control command, and inputs it to the control unit 121.
The control unit 121 transmits the control command decrypted by the decryption unit 123 to the imaging device 5, and receives responses, device information and recording information from the imaging device 5. In this way the control unit 121 controls the imaging device 5. The control unit 121 outputs the responses, device information and recording information received from the imaging device 5 to the encryption unit 124.
The encryption unit 124 encrypts the responses, device information and recording information received by the control unit 121 with the encryption key 14. The encrypted data produced by the encryption unit 124 is transmitted to the rich OS 11 via the inter-OS communication unit 122. The rich OS 11 transmits this encrypted data to the management device 2.
That is, data encryption and decryption processing is executed by the secure OS 12. Encrypted data transmitted from the management device 2 is relayed by the rich OS 11 to the secure OS 12. Encrypted data transmitted from the secure OS 12 is relayed by the rich OS 11 to the management device 2.
Data transmitted and received between the management device 2 and the image processing device 1 is encrypted. Even if the data transmitted and received between the management device 2 and the image processing device 1 is intercepted by the external attacker terminal 8 or the like, analysis of the encrypted data is impossible unless the encryption key 14 is known.
Even if the rich OS 11 is taken over by the external attacker terminal 8 or the like, interference with the hypervisor 13 or the secure OS 12 is impossible, and the encryption key 14 is protected. As long as the encryption key 14 is protected, analysis of the encrypted data is impossible. Consequently, even if the rich OS is attacked from the external network and taken over by an intruder, the information managed by the secure OS 12 is not leaked.
FIG. 3 is a sequence diagram explaining the operation of the sensing system S.
First, the management device 2 accepts a control instruction (step S10), and the control unit 201 generates a control command. The management device 2 encrypts the control command with the encryption unit 202 (step S11) and transmits the encrypted data to the rich OS 11 (step S12).
The rich OS 11 transmits the encrypted data to the hypervisor 13 via the inter-OS communication unit 112 (step S13). The hypervisor 13 relays the encrypted data to the secure OS 12 (step S14). In this way, the rich OS 11 and the hypervisor 13 are not involved in the content of the data transmitted and received.
When the secure OS 12 receives the encrypted data via the inter-OS communication unit 122, it decrypts the data (step S15) and obtains the control command. The secure OS 12 then transmits the decrypted control command to the imaging device 5 (step S16). In this way, the sensing system S can control the imaging device 5.
The imaging device 5 senses external information (step S17). Specifically, the imaging device 5 captures an optical image with a lens barrel and an imaging element (not shown). The imaging device 5 then returns the captured optical image to the secure OS 12 as transmission information (step S18).
When the secure OS 12 receives the transmission information from the imaging device 5, it encrypts the transmission information (step S19). The secure OS 12 relays the encrypted data to the hypervisor 13 (step S20). The hypervisor 13 relays the data received from the secure OS 12 to the rich OS 11 (step S21).
 リッチOS11は、暗号化されたデータをOS間通信部122によって受信すると、管理装置2に中継する(ステップS22)。このように、リッチOS11とハイパーバイザ13は、送受信データの内容には関与しない。 When the rich OS 11 receives the encrypted data by the inter-OS communication unit 122, the rich OS 11 relays the data to the management device 2 (step S22). Thus, the rich OS 11 and the hypervisor 13 do not participate in the content of transmission / reception data.
 管理装置2は、リッチOS11(画像処理装置1)から暗号化されたデータを受信すると、復号部204によって復号化し(ステップS23)、この送信情報を表示部205に出力する(ステップS24)。 When the management device 2 receives the encrypted data from the rich OS 11 (image processing device 1), the management device 2 decrypts it by the decryption unit 204 (step S23), and outputs this transmission information to the display unit 205 (step S24).
 リッチOS11は、管理装置2から受信したデータをセキュアOS12へ中継し、セキュアOS12から受信したデータを管理装置2へ中継している。このリッチOS11は、送受信データの内容には関与していない。また、ハイパーバイザ13上の各仮想マシンは独立して並行に使用可能であり、かつ相互に干渉しない。つまりリッチOS11とセキュアOS12とは相互に干渉することはない。よってリッチOS11が攻撃者端末8からの攻撃によって乗っ取られたとしても、ハイパーバイザ13やセキュアOS12を乗っ取られることはなく、セキュアOS12が管理する情報が漏洩することはない。 The rich OS 11 relays data received from the management device 2 to the secure OS 12 and relays data received from the secure OS 12 to the management device 2. The rich OS 11 is not involved in the content of transmission / reception data. Also, each virtual machine on the hypervisor 13 is independently available in parallel and does not interfere with each other. That is, the rich OS 11 and the secure OS 12 do not interfere with each other. Therefore, even if the rich OS 11 is hijacked by an attack from the attacker terminal 8, the hypervisor 13 and the secure OS 12 are not hijacked, and information managed by the secure OS 12 is not leaked.
FIG. 4 is a sequence diagram explaining the update of the encryption key 14.
The encryption key 14 is stored in secure storage. It is updated on instruction from the management device 2. The update is described in the following steps S30 to S36.
The encryption unit 202 of the management device 2 sends its public key to the encryption unit 124 of the image processing device 1 (step S30).
The encryption unit 124 of the image processing device 1 generates a secret value, for example with a random number generator (step S31), and encrypts the secret value with the public key (step S32). The encryption unit 124 then transmits the encrypted secret value to the management device 2 (step S33).
The encryption unit 202 of the management device 2 decrypts the encrypted secret value with its private key (step S34). The encryption unit 202 sends this secret value to the encryption unit 124 of the image processing device 1 and asks whether encrypted communication is possible (step S35). The encryption unit 124 responds that encrypted communication with this secret value is possible (step S36). From then on, encrypted communication is carried out using this secret value as the encryption key 14 (step S37).
With the encryption key 14, control of the imaging device 5 and reception of image information over the network can be carried out safely. Even under attack from an attacker terminal 8 connected to the external network 9, leakage of important information (device information, recording information and cryptographic material) is prevented.
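The command round trip of FIG. 3 and the key update of FIG. 4, written out as an added example in Go; this is not code from the patent or from Seltech. The patent names no algorithms, so AES-256-GCM for the encrypted channel, RSA-OAEP for steps S32 to S34, and the Relay, SecureOS, KeyUpdate and Command names that stand in for the rich OS 11, hypervisor 13, secure OS 12 and imaging device 5 are all assumptions of this example (the "frame:" sensor stub is constructed sample data). What it makes concrete is what the relaying virtual machine can and cannot do: it forwards only ciphertext, and if a hijacked rich OS alters a message, authentication fails at the receiving side instead of a corrupted command reaching the sensor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example, not code from the patent. The page names no algorithms, so
// AES-256-GCM (nonce || ciphertext || tag) and RSA-OAEP are assumptions.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes here
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return aead
}

func seal(key, plaintext []byte) []byte {
	aead := aeadFor(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand never short-reads; since Go 1.24 it never errors
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(key, msg []byte) ([]byte, error) {
	aead := aeadFor(key)
	if len(msg) < aead.NonceSize() { // truncation is an error, not a panic
		return nil, fmt.Errorf("message shorter than nonce")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil) // tag check
}

// Relay stands in for rich OS 11 plus hypervisor 13 (or front-end OS 21): it
// forwards bytes and holds no key. Log is what a hijacked relay could observe.
type Relay struct {
	Log      [][]byte
	Hijacked bool // when set, the relay alters one bit of every message
}

func (r *Relay) Forward(msg []byte) []byte {
	r.Log = append(r.Log, msg)
	if r.Hijacked {
		msg[len(msg)-1] ^= 1
	}
	return msg
}

// SecureOS holds encryption key 14 and the control path to imaging device 5.
type SecureOS struct {
	Key    []byte
	Sensor func(cmd string) string
}

// KeyUpdate runs steps S30-S34 of Fig. 4 and returns the management device's
// copy of the new key 14; the device's copy is stored in dev.Key.
func KeyUpdate(dev *SecureOS, relay *Relay) ([]byte, error) {
	mgmtPriv, err := rsa.GenerateKey(rand.Reader, 2048) // S30: public key goes to the device
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32) // S31: 256-bit secret from the device's RNG
	rand.Read(secret)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &mgmtPriv.PublicKey, secret, nil) // S32
	if err != nil {
		return nil, err
	}
	dev.Key = secret // secure storage, reachable only from secure OS 12
	// S33-S34: the relay forwards the OAEP ciphertext; only the private key recovers it.
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, mgmtPriv, relay.Forward(enc), nil)
}

// Command runs steps S11-S23 of Fig. 3 (sealed command out, sealed sensor result
// back). The same round trip serves as the S35-S37 check that both sides hold the same key.
func Command(mgmtKey []byte, dev *SecureOS, relay *Relay, cmd string) (string, error) {
	plain, err := open(dev.Key, relay.Forward(seal(mgmtKey, []byte(cmd))))
	if err != nil {
		return "", fmt.Errorf("secure OS rejected command: %w", err)
	}
	out, err := open(mgmtKey, relay.Forward(seal(dev.Key, []byte(dev.Sensor(string(plain))))))
	if err != nil {
		return "", fmt.Errorf("management device rejected response: %w", err)
	}
	return string(out), nil
}

func main() {
	dev, relay := &SecureOS{Sensor: func(c string) string { return "frame:" + c }}, &Relay{}
	key, err := KeyUpdate(dev, relay)
	if err != nil {
		panic(err)
	}
	fmt.Println(Command(key, dev, relay, "capture")) // frame:capture <nil>
	relay.Hijacked = true
	fmt.Println(Command(key, dev, relay, "capture")) // "" plus a rejection error
}
```

Two points the sequence of FIG. 4 leaves open, which an implementation has to settle. The page does not say how the image processing device 1 verifies that the public key received in step S30 belongs to the management device 2; without such a check (for example a certificate, or a key provisioned together with the initial encryption key 14), a party on the external network 9 could present its own public key in step S30 and recover the secret value from step S33. Step S35 as described sends the secret value back to the device; the example uses the first message sealed under the new key as the check instead (the Command call doubles as steps S35 to S37), so the secret itself does not cross the relay again after step S33.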
FIG. 5 is a block diagram showing the outline of the sensing system S in the second embodiment.
The sensing system S of the second embodiment includes a management device 2A that differs from that of the first embodiment. The management device 2A embodies a front-end OS 21 (third virtual machine) and a back-end OS 22 (fourth virtual machine). The front-end OS 21 handles communication, and the back-end OS 22 handles device control.
As in the first embodiment, even if the front-end OS 21 is taken over by an external attacker terminal 8 or the like, it cannot interfere with the back-end OS 22.
FIG. 6 is a block diagram showing an example of the management device 2A and the image processing device 1.
The image processing device 1 of the second embodiment is configured in the same way as in the first embodiment.
Unlike the first embodiment, the management device 2A of the second embodiment embodies the front-end OS 21 and the back-end OS 22 on a hypervisor 23. The management device 2A further includes a physical NIC 25 for communicating with the external network 9 of FIG. 1, and stores an encryption key 24 in secure storage (not shown). The secure storage holding the encryption key 24 is accessible to the back-end OS 22 and not accessible to the front-end OS 21.
The hypervisor 23 is a control program that realizes virtual machines, one of the computer virtualization technologies. Here the hypervisor 23 realizes a third virtual machine that embodies the front-end OS 21 and a fourth virtual machine that embodies the back-end OS 22.
The front-end OS 21 relays communication between the back-end OS 22 and the image processing device 1. A network communication unit 211 and an inter-OS communication unit 212 are embodied on the front-end OS 21. The network communication unit 211 controls the physical NIC 25 and transmits and receives communication data via the external network 9 of FIG. 1. The inter-OS communication unit 212 (third inter-OS communication unit) transmits and receives communication data to and from the back-end OS 22, for example via the hypervisor 23. The front-end OS 21 performs transmission and reception only and is not involved in the content of the data.
The back-end OS 22 performs encryption and decryption of data. It generates control commands, controls the imaging device 5 and receives device information. While recording is in progress, the back-end OS 22 receives recording information from the image processing device 1 in sequence.
On the back-end OS 22, a control unit 225, an encryption unit 223, an inter-OS communication unit 222, a decryption unit 224 and a display unit 226 are embodied by middleware (not shown) or the like. The control unit 225 generates control commands for controlling the imaging device 5. The encryption unit 223 (second encryption unit) encrypts the control commands generated by the control unit 225 with the encryption key 24.
The inter-OS communication unit 222 (fourth inter-OS communication unit) transmits and receives communication data to and from the front-end OS 21, for example via the hypervisor 23. It sends the encrypted data produced by the encryption unit 223 to the image processing device 1 via the front-end OS 21, and receives encrypted data from the image processing device 1 via the front-end OS 21 and hands it to the decryption unit 224.
The decryption unit 224 (second decryption unit) decrypts the encrypted data received from the image processing device 1 with the encryption key 24 to obtain the response, device information, recording information and so on. The display unit 226 displays the response, device information and recording information decrypted by the decryption unit 224.
That is, encryption and decryption of data are performed by the back-end OS 22. Encrypted data sent by the back-end OS 22 is relayed to the image processing device 1 by the front-end OS 21, and encrypted data sent by the image processing device 1 is relayed to the back-end OS 22 by the front-end OS 21.
Even if an external attacker terminal 8 or the like takes over the front-end OS 21, it cannot interfere with the back-end OS 22, so the encryption key 24 is protected. As long as the encryption key 24 is protected, the encrypted traffic cannot be decrypted.
FIG. 7 is a sequence diagram explaining the operation of the sensing system S.
First, the back-end OS 22 of the management device 2A accepts a control instruction (step S40), and the control unit 225 generates a control command. The management device 2A encrypts the control command with the encryption unit 223 (step S41) and passes the encrypted data to the hypervisor 23 (step S42). The hypervisor 23 relays the encrypted data to the front-end OS 21 (step S43). The front-end OS 21 transmits the encrypted data to the rich OS 11 (step S44). Neither the hypervisor 23 nor the front-end OS 21 is involved in the content of the data.
The rich OS 11 passes the encrypted data to the hypervisor 13 through the inter-OS communication unit 112 (step S45). The hypervisor 13 relays the encrypted data to the secure OS 12 (step S46). Neither the rich OS 11 nor the hypervisor 13 is involved in the content of the data.
When the secure OS 12 receives the encrypted data through the inter-OS communication unit 122, it decrypts the data (step S47) to obtain the control command and transmits the decrypted control command to the imaging device 5 (step S48). In this way the sensing system S controls the imaging device 5.
The imaging device 5 senses external information (step S49). Specifically, it captures an optical image with a lens barrel and an image sensor (not shown), and returns the captured image to the secure OS 12 as transmission information (step S50).
When the secure OS 12 receives the transmission information from the imaging device 5, it encrypts it (step S51) and passes the encrypted data to the hypervisor 13 (step S52). The hypervisor 13 relays the data received from the secure OS 12 to the rich OS 11 (step S53).
When the rich OS 11 receives the encrypted data from the hypervisor 13 through the inter-OS communication unit 112, it relays the data to the front-end OS 21 of the management device 2A (step S54). Neither the rich OS 11 nor the hypervisor 13 is involved in the content of the data.
When the front-end OS 21 of the management device 2A receives the encrypted data from the rich OS 11 (image processing device 1), it passes the data to the hypervisor 23 (step S55). The hypervisor 23 relays the data received from the front-end OS 21 to the back-end OS 22 (step S56).
When the back-end OS 22 receives the encrypted data, it decrypts the data with the decryption unit 224 (step S57) and outputs the transmission information to the display unit 226 (step S58).
The virtual machines on the hypervisor 23 can be used independently and in parallel and do not interfere with each other. Even if the front-end OS 21 is taken over by an attack from the attacker terminal 8, the hypervisor 23 and the back-end OS 22 are not taken over.
The front-end OS 21 relays data received from the back-end OS 22 to the image processing device 1 and data received from the image processing device 1 to the back-end OS 22; it is not involved in the content of that data. Therefore, even if the front-end OS 21 is taken over by an attack from the attacker terminal 8, the hypervisor 23 and the back-end OS 22 are not taken over, and the information managed by the back-end OS 22 does not leak.
According to the sensing system S of the second embodiment, control of the imaging device 5 and reception of image information over the external network 9 can be carried out safely. Even under attack from the external network 9, the sensing system S prevents leakage of important information (device information, recording information and cryptographic material).
FIG. 8 is a block diagram showing the outline of the server 4 and the terminal 3 in the third embodiment.
In the server 4 of the third embodiment, a front-end OS 41 and a back-end OS 42 are embodied on a hypervisor 43. The server 4 further includes a physical NIC 45 for communicating with an external network, and stores an encryption key 44 in secure storage (not shown). The secure storage holding the encryption key 44 is accessible to the back-end OS 42 but not to the front-end OS 41.
The hypervisor 43 is a control program that realizes virtual machines, one of the computer virtualization technologies. Here the hypervisor 43 realizes a first virtual machine that embodies the front-end OS 41 and a second virtual machine that embodies the back-end OS 42.
The front-end OS 41 relays communication between the back-end OS 42 and the terminal 3. A network communication unit 411 and an inter-OS communication unit 412 are embodied on the front-end OS 41.
The network communication unit 411 controls the physical NIC 45 and transmits and receives communication data to and from the terminal 3 via the external network.
The inter-OS communication unit 412 (first inter-OS communication unit) transmits and receives communication data to and from the back-end OS 42, for example via the hypervisor 43. The front-end OS 41 performs transmission and reception only and is not involved in the content of the data.
The back-end OS 42 performs decryption and encryption of data, and executes requests from the terminal 3 through an application unit 421.
On the back-end OS 42, the application unit 421, an encryption unit 423, an inter-OS communication unit 422 and a decryption unit 424 are embodied by middleware (not shown) or the like. The application unit 421 (processing unit) executes the request of the terminal 3 and returns a response. The encryption unit 423 encrypts the response output by the application unit 421 with the encryption key 44.
The inter-OS communication unit 422 (second inter-OS communication unit) transmits and receives communication data to and from the front-end OS 41, for example via the hypervisor 43. It receives encrypted data from the terminal 3 via the front-end OS 41 and hands it to the decryption unit 424, and sends the encrypted data produced by the encryption unit 423 to the terminal 3 via the front-end OS 41.
The decryption unit 424 decrypts the encrypted data received from the terminal 3 with the encryption key 44 to obtain the request of the terminal 3, and inputs the decrypted request to the application unit 421.
That is, encryption and decryption of data are performed by the back-end OS 42. Encrypted data sent by the back-end OS 42 is relayed to the terminal 3 by the front-end OS 41, and encrypted data sent by the terminal 3 is relayed to the back-end OS 42 by the front-end OS 41.
Even if the front-end OS 41 is taken over by an external attacker terminal or the like, it cannot interfere with the back-end OS 42, so the encryption key 44 is protected. As long as the encryption key 44 is protected, the encrypted traffic cannot be decrypted.
In the terminal 3, a front-end OS 31 and a back-end OS 32 are embodied on a hypervisor 33. The terminal 3 further includes a physical NIC 35 for communicating with the external network 9, and stores an encryption key 34 in secure storage (not shown). The secure storage holding the encryption key 34 is accessible to the back-end OS 32 but not to the front-end OS 31.
The hypervisor 33 is a control program that realizes virtual machines, one of the computer virtualization technologies. Here the hypervisor 33 realizes a first virtual machine that embodies the front-end OS 31 and a second virtual machine that embodies the back-end OS 32.
The hypervisor 33 is configured so that the front-end OS 31 cannot interfere with the back-end OS 32 or with the encryption key 34 managed by the back-end OS 32. The front-end OS 31 only relays communication between the server 4 and the back-end OS 32 and does not interfere with the data transmitted and received.
The front-end OS 31 relays communication between the server 4 and the back-end OS 32. A network communication unit 311 and an inter-OS communication unit 312 are embodied on the front-end OS 31. The network communication unit 311 controls the physical NIC 35 and transmits and receives communication data via the external network. The inter-OS communication unit 312 transmits and receives communication data to and from the back-end OS 32, for example via the hypervisor 33.
The protocol the terminal 3 uses to communicate with the server 4 is not specified; any protocol from layer 7 down to layer 1 of the OSI reference model may be used. The front-end OS 31 performs transmission and reception only and is not involved in the content of the data.
The back-end OS 32 performs encryption and decryption of data. Based on input from a display and operation unit 321, it issues requests to the application unit 421 on the server 4 and displays the responses received from the server 4 on the display and operation unit 321.
On the back-end OS 32, an inter-OS communication unit 322, a decryption unit 323, the display and operation unit 321 and an encryption unit 324 are embodied by middleware (not shown) or the like. The inter-OS communication unit 322 transmits and receives communication data to and from the front-end OS 31, for example via the hypervisor 33. The decryption unit 323 decrypts the encrypted data sent by the server 4 with the encryption key 34 to obtain the response. The display and operation unit 321 hands input information to the encryption unit 324 and displays the response decrypted by the decryption unit 323.
The encryption unit 324 encrypts the information input through the display and operation unit 321 with the encryption key 34. The encrypted data is sent to the front-end OS 31 via the inter-OS communication unit 322, and the front-end OS 31 transmits it to the server 4.
That is, encryption and decryption of data are performed by the back-end OS 32. Encrypted data sent by the server 4 is relayed to the back-end OS 32 by the front-end OS 31, and encrypted data sent by the back-end OS 32 is relayed to the server 4 by the front-end OS 31.
Even if the front-end OS 31 is taken over by an external attacker terminal or the like, it cannot interfere with the back-end OS 32, so the encryption key 34 is protected. As long as the encryption key 34 is protected, the encrypted traffic cannot be decrypted. Communication between the server 4 and the terminal 3 over the network is thus carried out safely, and leakage of important information is prevented even under attack from the external network.
(Modifications)
The present invention is not limited to the above embodiments and can be modified without departing from its spirit; examples include the following (a) to (e).
(a) The device connected to the management device 2 is not limited to a camera and may be any kind of sensor, for example a linear image sensor, optical sensor, microphone, thermometer, hygrometer, barometer, pulse meter, pressure gauge, voltmeter, ammeter, magnetic sensor, rotation angle sensor, tachogenerator, acceleration sensor, hardness tester, current meter, flow meter, seismic sensor or GPS (Global Positioning System) positioning sensor.
(b) The management device 2 may simply receive the information sensed by the sensor without controlling the sensor.
(c) Encryption and decryption of data need not be performed by the back-end OS or the secure OS; the hypervisor may perform them.
(d) The management device 2 may have no display unit and may only store the captured data in a storage unit.
(e) The encryption key 14 stored in the image processing device 1 and the encryption key 24 stored in the management device 2 may be the same key or different keys; there is no limitation.
S sensing system
1 image processing device (sensing device)
11 rich OS (first virtual machine)
12 secure OS (second virtual machine)
111, 203, 211, 311, 411 network communication unit
121, 201, 225 control unit
112, 312 inter-OS communication unit (first inter-OS communication unit)
212 inter-OS communication unit (third inter-OS communication unit)
412 inter-OS communication unit
122, 322 inter-OS communication unit (second inter-OS communication unit)
222 inter-OS communication unit (fourth inter-OS communication unit)
422 inter-OS communication unit
123 decryption unit (first decryption unit)
224 decryption unit (second decryption unit)
204, 323, 424 decryption unit
124 encryption unit (first encryption unit)
223 encryption unit (second encryption unit)
202, 324, 423 encryption unit
13, 23, 33, 43 hypervisor
14, 24, 34, 44 encryption key
15, 25, 35, 45 physical NIC
2, 2A management device
20 OS
205, 226 display unit
21 front-end OS (third virtual machine)
41 front-end OS (first virtual machine)
31 front-end OS
22 back-end OS (fourth virtual machine)
42 back-end OS (second virtual machine)
32 back-end OS
3 terminal
321 display and operation unit
4 server
421 application unit (processing unit)
5 imaging device (sensor)
8 attacker terminal
9 external network

Claims (5)

  1.  A sensing device comprising a physical NIC (Network Interface Card), connected to a sensor, and including a hypervisor that embodies a first virtual machine and a second virtual machine, wherein
     the first virtual machine comprises:
     a network communication unit that controls the physical NIC to communicate with an external management device; and
     a first inter-OS communication unit that communicates with the second virtual machine;
     and the second virtual machine comprises:
     a control unit that controls the sensor;
     a decryption unit that decrypts encrypted data and inputs the result to the control unit;
     an encryption unit that encrypts data output from the control unit; and
     a second inter-OS communication unit that receives encrypted data from the management device via the first virtual machine and hands it to the decryption unit, and transmits the encrypted data produced by the encryption unit to the management device via the first virtual machine.
  2.  The sensing device according to claim 1, wherein the control unit controls the sensor according to data input from the decryption unit, and outputs data acquired from the sensor to the encryption unit.
  3.  The sensing device according to claim 2, wherein the sensor is any one of a camera, a linear image sensor, a light sensor, a microphone, a thermometer, a hygrometer, a barometer, a pulse meter, a pressure gauge, a voltmeter, an ammeter, a magnetic sensor, a rotation angle sensor, a tachogenerator, an acceleration sensor, a hardness meter, a flow velocity meter, a flow meter, a seismic sensor, and a GPS (Global Positioning System) positioning sensor.
  4.  A sensing system comprising:
      a sensing device comprising a first physical NIC, connected to a sensor, and including a hypervisor that implements a first and a second virtual machine; and
      a management device comprising a second physical NIC and including a hypervisor that implements a third and a fourth virtual machine, wherein
      the first virtual machine comprises:
      a network communication unit that controls the first physical NIC to communicate with the external management device; and
      a first inter-OS communication unit that communicates with the second virtual machine;
      the second virtual machine comprises:
      a control unit that controls the sensor;
      a first decryption unit that decrypts encrypted data to produce input data for the control unit;
      a first encryption unit that encrypts output data output from the control unit; and
      a second inter-OS communication unit that receives encrypted data from the management device via the first virtual machine and hands it to the first decryption unit, and transmits the encrypted data encrypted by the first encryption unit to the management device via the first virtual machine;
      the third virtual machine comprises:
      a network communication unit that controls the second physical NIC to communicate with the sensing device; and
      a third inter-OS communication unit that communicates with the fourth virtual machine;
      and the fourth virtual machine comprises:
      a second encryption unit that encrypts data;
      a second decryption unit that decrypts encrypted data; and
      a fourth inter-OS communication unit that transmits the encrypted data encrypted by the second encryption unit to the sensing device via the third virtual machine, and receives encrypted data from the sensing device via the third virtual machine and hands it to the second decryption unit.
  5.  A server comprising a physical NIC and including a hypervisor that implements a first and a second virtual machine, wherein
      the first virtual machine comprises:
      a network communication unit that controls the physical NIC to communicate with an external terminal; and
      a first inter-OS communication unit that communicates with the second virtual machine;
      and the second virtual machine comprises:
      a processing unit that processes input data and outputs data;
      a decryption unit that decrypts encrypted data transmitted by the terminal and inputs the decrypted data to the processing unit;
      an encryption unit that encrypts data output from the processing unit; and
      a second inter-OS communication unit that receives encrypted data from the terminal via the first virtual machine and hands it to the decryption unit, and transmits the encrypted data encrypted by the encryption unit to the terminal via the first virtual machine.
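The split the claims describe, as an added example that is not the patent's or the applicant's code: a key-holding back-end VM (decryption unit, control unit, encryption unit) behind a keyless front-end relay (network and inter-OS communication units). AES-GCM as the cipher, the frame layout, and the simulated sensor are this example's own assumptions; the claims name none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Backend is the key-holding VM of the claims (the sensing device's second VM, the management device's fourth VM); AES-GCM is this example's assumption.
type Backend struct{ aead cipher.AEAD }
func NewBackend(key []byte) (*Backend, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Backend{aead: aead}, err
}

// Encrypt is the encryption unit; a frame is nonce || ciphertext || GCM tag.
func (b *Backend) Encrypt(plain []byte) ([]byte, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return b.aead.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt is the decryption unit; a frame altered in transit fails the tag check.
func (b *Backend) Decrypt(frame []byte) ([]byte, error) {
	if n := b.aead.NonceSize(); len(frame) >= n {
		return b.aead.Open(nil, frame[:n], frame[n:], nil)
	}
	return nil, errors.New("frame too short")
}

// FrontendRelay is the network-facing first/third VM: it moves opaque bytes between
// the physical NIC and the inter-OS channel and holds no key, so it sees no plaintext.
func FrontendRelay(frame []byte) []byte { return append([]byte(nil), frame...) }
// HandleCommand is one claim-4 exchange on the sensing device: first decryption unit, control unit (simulated sensor), first encryption unit.
func (b *Backend) HandleCommand(frame []byte, sensor func([]byte) []byte) ([]byte, error) {
	cmd, err := b.Decrypt(FrontendRelay(frame))
	if err != nil {
		return nil, err // tampered frame: the control unit never sees it
	}
	reading, err := b.Encrypt(sensor(cmd))
	return FrontendRelay(reading), err
}
```

The management device's fourth VM is another Backend holding the same key; a frame modified on the external network is rejected by the sensing device's decryption unit before the control unit runs.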
PCT/JP2018/023825 2017-07-11 2018-06-22 Sensing device, sensing system, and server WO2019012956A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017135669 2017-07-11
JP2017-135669 2017-07-11

Publications (1)

Publication Number Publication Date
WO2019012956A1 true WO2019012956A1 (en) 2019-01-17

Family

ID=65001588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/023825 WO2019012956A1 (en) 2017-07-11 2018-06-22 Sensing device, sensing system, and server

Country Status (1)

Country Link
WO (1) WO2019012956A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009078217A1 (en) * 2007-12-19 2009-06-25 Konica Minolta Holdings, Inc. Network system and data transmission method
JP2015064677A (en) * 2013-09-24 2015-04-09 株式会社東芝 Information processor, information processing system and program
WO2017034008A1 (en) * 2015-08-25 2017-03-02 株式会社Seltech System with hypervisor

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021005978A1 (en) * 2019-07-09 2021-01-14 株式会社デンソー Arithmetic device and data transmission method
JP2021012653A (en) * 2019-07-09 2021-02-04 株式会社デンソー Arithmetic device and data transmission method
JP7131498B2 (en) 2019-07-09 2022-09-06 株式会社デンソー Arithmetic device and data transmission method
JP2021026582A (en) * 2019-08-07 2021-02-22 日本電産サンキョー株式会社 Authentication system and authentication method
JP7454020B2 (en) 2021-09-06 2024-03-21 アクシス アーベー Method and system for enabling secure processing of data using processing applications

Similar Documents

Publication Publication Date Title
US11483143B2 (en) Enhanced monitoring and protection of enterprise data
US10812526B2 (en) Moving target defense for securing internet of things (IoT)
Pereira et al. An authentication and access control framework for CoAP-based Internet of Things
US9876773B1 (en) Packet authentication and encryption in virtual networks
WO2019012956A1 (en) Sensing device, sensing system, and server
US11652799B2 (en) Rotating internet protocol addresses in a virtual private network
US11838148B2 (en) Providing a split-configuration virtual private network
US11290434B2 (en) Communication device, method of controlling communication device, and non-transitory computer-readable storage medium
CN112839062B (en) Port hiding method, device and equipment with mixed authentication signals
Taylor et al. Validating security protocols with cloud-based middleboxes
CN113273235B (en) Method and system for establishing a secure communication session
JP4073931B2 (en) Terminal, communication apparatus, communication establishment method and authentication method
Gao et al. SecT: A lightweight secure thing-centered IoT communication system
Khan et al. CoAP-based request-response interaction model for the Internet of Things
CN106850633A (en) A kind of method for authenticating and device
US20220021663A1 (en) Communication module
Sørensen et al. Automatic profile-based firewall for iot devices
Assaig et al. Development of a lightweight IoT security system
Mohamed et al. An authentication mechanism for accessing mobile web services
Unger et al. How much security for switching a light bulb—The SOA way
Weber et al. How to Prevent Misuse of IoTAG?
Kim et al. Auto-configurable Security Mechanism for NFV
Välimaa MQTT client implementation in IEC 61131-3 compatible programming environment
Urama et al. SDN-Based Cryptographic Client Authentication: A New Approach to DHCP Starvation Mitigation
JP2024515154A (en) Secure key management device, authentication system, wide area network, and method for generating session keys

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18831017; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 18831017; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: JP