In recent years, awareness of computer security has increased with the popularization of information devices such as personal computers (PCs). For this reason, in order to securely execute software that holds data to be protected, such as personal information stored in a computer, the data in the software needs to be divided into data to be protected, which has confidentiality, and data not to be protected, which can be received from and returned to the outside in use. The two kinds of data need to be handled separately so that the data to be protected cannot be leaked. Confidentiality means “ensuring that information is accessible only to those authorized to have access.” For example, when data to be protected is present within a computer, the data is prevented from being needlessly read out by dividing the areas accessible to users according to the privileged mode and normal mode of an operating system (OS). As another example, according to the technology disclosed in JP-A 2004-240536 (KOKAI), misuse of the data to be protected is avoided by disabling reading out of data and instructions in a secure memory area, not by memory protection through mode switching. That is, the memory accessed by a processor is divided into a secure area and an insecure area. A kind of security tag indicating that the information is secure is attached to information read from the secure area into a register, and a mechanism is provided that prevents the tagged data from being written into the insecure area. With such a mechanism, the information in the secure area is prevented from being leaked to the insecure area.
As a method of realizing the memory area (a protected memory area) called a secure area in JP-A 2004-240536 (KOKAI), in addition to a technology based only on access control, there is a technology that combines an encryption mechanism with access control of a memory in a chip, as disclosed in “Multi-vendor Secure Processor under a Hostile Operating System,” Hashimoto et al., Transactions of Information Processing Society of Japan, Vol. 45, No. SIG03. When protection is realized in this way through a combination with the encryption mechanism, the protection is conceptually classified into protection of confidentiality, which protects secrets, and protection of integrity, which prevents falsification. In some cases, only one type of protection is provided. However, it is also possible to provide protection for both confidentiality and integrity. Integrity refers to the correctness and accuracy of information.
The method disclosed in JP-A 2004-240536 (KOKAI) realizes separation of data into data to be protected and data not to be protected. However, when a security protocol is implemented, mixing the data to be protected and the data not to be protected is inevitable in the computation of a function. For example, a function performing encryption uses a secret key to encrypt a message that is expected to be exchanged secretly, converting the message into a ciphertext which can be returned to the outside, and then outputs the ciphertext. To “convert the message into a ciphertext which can be returned to the outside” means “changing the data into data not to be protected.” That is, it means that “the information of the data to be protected and the secret key is not leaked out” even if the ciphertext is returned to the outside. For this case, the method of JP-A 2004-240536 (KOKAI) provides a mechanism that cancels the security tag in exceptional cases so that the data to be protected and the data not to be protected can be mixed. However, there is a concern that this mechanism cannot be protected from misuse. In other words, if the security tag is canceled erroneously, the data to be protected is likely to be accidentally returned to the outside.
The technology disclosed in “Cryptographically-masked Flows,” Askarov et al., 2006 uses a method called Information Flow Analysis. When sets of data and program portions having different security levels (protection attributes) are present within a program, it allows data to be exchanged between the program portions having different security levels while preventing information having a high level from being leaked to a low-level section. Specifically, type checking is performed when data is transferred between security levels, and when a piece of data with a high level is converted to a low level, the programmer is forced to explicitly perform a specific operation or an encryption operation is performed. Incidentally, data conversion from a low level to a high level is unconditionally possible. This method allows the data to be protected and the data not to be protected to be mixed by means of a change in security level through an encryption operation.
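The level rules described above can be sketched as a small runtime model. This is an added example, not code from the cited publications; the names `Labeled`, `combine`, `store` and `encrypt`, the rule that the encryption key must itself be high-level, and the SHA-256 keystream used as a stand-in cipher are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

LOW, HIGH = 0, 1  # LOW: may be returned to the outside; HIGH: data to be protected


class FlowError(Exception):
    """A high-level value was about to reach a low-level location."""


@dataclass(frozen=True)
class Labeled:
    value: bytes
    level: int  # plays the role of the security tag / protection attribute


def combine(a: Labeled, b: Labeled) -> Labeled:
    # A result computed from several inputs carries the highest input level.
    return Labeled(a.value + b.value, max(a.level, b.level))


def store(dest_level: int, src: Labeled) -> Labeled:
    # Check at every transfer: low -> high is unconditional, high -> low is refused.
    if src.level > dest_level:
        raise FlowError("high-level data cannot be written to a low-level location")
    return Labeled(src.value, dest_level)


def encrypt(key: Labeled, msg: Labeled) -> Labeled:
    # The one sanctioned high -> low conversion: encryption under a secret key.
    # Assumption of this model: the key must itself be labelled HIGH.
    if key.level != HIGH:
        raise FlowError("declassifying encryption requires a high-level key")
    blocks = len(msg.value) // 32 + 1
    stream = b"".join(  # stand-in keystream for illustration, not a vetted cipher
        hashlib.sha256(key.value + i.to_bytes(4, "big")).digest() for i in range(blocks)
    )
    return Labeled(bytes(m ^ s for m, s in zip(msg.value, stream)), LOW)


if __name__ == "__main__":
    key = Labeled(b"constructed-sample-key", HIGH)   # constructed sample values
    secret = Labeled(b"account=1234", HIGH)
    public = Labeled(b"hello", LOW)
    print(store(HIGH, public).level)                 # low -> high is accepted
    print(store(LOW, encrypt(key, secret)).level)    # ciphertext may leave
    try:
        store(LOW, combine(public, secret))          # mixed data stays high
    except FlowError as exc:
        print("rejected:", exc)
```

In this model a key labelled low, such as one received from the outside, is refused by `encrypt`, so the ciphertext path is the only way a high-level value becomes low.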
In the technology of “Multi-vendor Secure Processor under a Hostile Operating System”, encryption keys used to output the data to be protected are limited to values that a program statically possesses and values derived from those statically possessed values. Accordingly, it is prohibited to use a value sent from the outside, or a value shared with the outside, as an encryption key. Using such a value as an encryption key, however, is common practice in the field of security protocols. It is therefore difficult to apply the technology of “Multi-vendor Secure Processor under a Hostile Operating System” to general security protocols. Accordingly, for secure implementation of a security protocol, it is required to appropriately determine protection attributes for the respective variables of a program.