Typically, in a system implemented as software, there used to be situations demanding prevention of confidential information such as keys from being analyzed or situations demanding prevention of the contents of operations from being altered. As a system capable of addressing such situations, a processor architecture has been proposed in which a main processor is equipped with two modes, namely, a secure mode and a non-secure mode; and computer programs that need to be prevented from attacks such as alteration or analysis are executed in the secure mode, while general-purpose computer programs are executed in the non-secure mode.
In this architecture, in the secure mode and the non-secure mode, separate operating systems (OS) are run as the operating software. That is, operations such as encrypting and decrypting of data are performed either in a secure OS unit that runs in the secure mode or in application software that runs in the secure OS unit. In contrast, general-purpose operations such as reading data from a secondary storage unit are performed either in a non-secure OS unit that runs in the non-secure mode or in application software that runs in the non-secure OS unit. Thus, in this configuration, operations are performed while switching between the secure mode and the non-secure mode as may be necessary.
Moreover, access control is performed with respect to a main memory. Hence, a memory area in the secure OS unit cannot be read or altered from the non-secure OS unit. As a result, even if the non-secure OS unit or an application program running in the non-secure OS unit has bugs (vulnerability) incorporated therein and if an attempt to intercept or alter the data in the secure OS unit or in an application program running in the secure OS unit is made from the software running in the non-secure mode with an improper use of the bugs; it becomes possible to prevent that attempt from succeeding. For that reason, it becomes possible to prevent attacks made to alter the operations that are to be protected or attacks made to obtain the data that is to be protected.
However, although a method was proposed in which the operating systems are separated and memory access from the non-secure mode to the secure mode is prevented, no technology was put into practice so as to prevent an unauthorized non-secure OS unit from being run or to protect data at the time when an application program running in the secure OS unit outputs the data to the outside of the main memory.