1. Field of the Invention
The present invention relates to a program execution control technique in an information processing apparatus in which program execution is switched among a plurality of programs.
2. Description of Related Art
Techniques for protecting memories from unauthorized memory access, i.e., the so-called memory protection techniques, have been well known. When access is carried out by a program executing device such as a CPU (Central Processing Unit) to a memory, such a memory protection technique in the related art verifies the validity of the memory access request output from the CPU or the like by comparing and checking access destination address information contained in the memory access request against memory protection information representing memory areas to which access by the program is permitted. In this way, it is possible to detect unauthorized memory access to memory areas to which access is not permitted, and thus to protect the memory from unauthorized memory access. Furthermore, it is also possible to provide peripheral device protection in which unauthorized access from an instruction execution device such as a CPU to peripheral devices such as a clock device, a reset device, and an interrupt controller can be prevented by using a similar technique to that for the memory protection (for example, see Japanese Patent Translation Publication No. 2006-523347).
For example, Japanese Unexamined Patent Application Publication No. 61-75446 (Kimura et al.) discloses an address comparison method for memory protection in an information processing apparatus. To be more precise, the address comparison method disclosed in Kimura et al. determines whether or not an access destination address accessed by a program is within a certain range in a partial memory space to which access is permitted (access permission range) by comparing the access destination address with the lower limit address and the upper limit address of the access permission range. Then, access to the partial memory space is permitted only when the access destination address is within the access permission range.
However, the above-described protection technique in which the permission for each access is controlled at the time when access to a memory or a peripheral device occurs has the problem described below. This problem occurs when an application program 1 calls another application program (a subprogram, a function, or the like), e.g., when an application program 1 calls a driver program used to operate a communication interface and requests it to carry out data transfer.
That is, in a case where a malfunction occurs in the application program 1 or a case where the application program 1 is a harmful malevolent program, there is a possibility that an unauthorized process is carried out, such as unauthorized external transfer of security information or unauthorized overwriting, with externally received data, of original data in memory areas that are used for other programs or an operating system (OS). It may be expected that when such an unauthorized application program 1 attempts to directly access a memory area where security information is recorded or a memory area which is used by other programs or an OS, the above-described memory protection technique will prevent such unauthorized memory access. However, when such an unauthorized application program 1 attempts indirect memory access through another application program 2 such as a device driver for communication, it is very difficult to perform substantially sufficient memory protection by using the above-described memory protection technique. For example, if the application program 2 that is called from the unauthorized application program 1 is permitted to access a wider range of the memory area in comparison to the application program 1, the memory protection could become insufficient. That is, in a case where a designation of a memory area, access to which is not permitted to the application program 1 but is permitted to the application program 2, is included in the arguments that are passed to the application program 2 when the application program 2 is called, and the application program 2 then attempts to access that memory area, the above-described memory protection technique could not provide sufficient memory protection.
Since the application program 2 carries out memory access to the memory area that is permitted to the application program 2, it is very difficult to detect that access as unauthorized access at the time when the actual memory access is carried out by the application program 2.
Accordingly, to cope with such a problem in the memory protection relating to the above-described program call, a check is carried out by the OS or the application program 2 to determine whether or not an address designated in the arguments at the time of the program call for the application program 2 is legitimate for the application program 1, i.e., whether or not the address belongs to a memory area to which the application program 1 is permitted access, before the actual execution of the application program 2 is started.
This check is carried out, for example, by the intervention of the OS in the program call for the application program 2. Specifically, when a program call occurs, the OS checks the access authority of the caller application program 1 in regard to access destinations included in the arguments passed from the application program 1. Then, only when the validity of the access authority is confirmed, the execution of the application program 2 is started.
In order to carry out a check, at the occurrence of a program call, on the access authority of the caller application program 1 in regard to access destinations included in the arguments passed from the application program 1 by using mainly software that is executed by an instruction execution device, such as the OS or the called application program 2, the following procedure needs to be carried out. That is, the OS or the application program 2 is required not only to read memory protection information into a storage portion such as a register in the CPU, but also to carry out calculation to compare the set values in the read memory protection information with the contents of the arguments. Furthermore, the memory area to which access by a program is permitted is not always limited to a single continuous memory area. Instead, such access is often permitted to several divided memory areas. In such a case where the access is permitted to several memory areas, the memory protection information contains several set values for their respective memory areas, and these several set values need to be checked one by one. Therefore, the time needed for the checking process also increases in proportion to the increase in the number of set values for the memory protection.
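The following C code is an added illustration of the two checks described above: the lower-limit/upper-limit address comparison of the related-art method, and the software check the OS performs on the caller's access authority at the time of a program call, walking several permitted memory areas one by one. It is not code from the patent; the structure layout, the region values, the `transfer_args` argument block and the function names are assumptions constructed for the example. The check is done against the authority of the calling application program 1, not of the called driver, so an address that only the driver may access is rejected before the driver runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One set value of the memory protection information: a permitted
 * range [lower, upper], both inclusive (hypothetical layout). */
typedef struct {
    uintptr_t lower;
    uintptr_t upper;
} mem_region;

/* Memory protection information for one program: several divided
 * memory areas rather than one continuous area. */
typedef struct {
    const mem_region *regions;
    size_t count;
} mem_protection;

/* Related-art comparison: true if every byte of [addr, addr+len) lies
 * within this single region. Zero-length and wrapped ranges are rejected
 * so that a large len cannot "escape" the upper-limit comparison. */
static bool region_permits(const mem_region *r, uintptr_t addr, size_t len)
{
    if (len == 0) return false;
    uintptr_t last = addr + (uintptr_t)(len - 1);
    if (last < addr) return false;            /* address wrap-around */
    return addr >= r->lower && last <= r->upper;
}

/* Authority check at the program call: each set value is compared in
 * turn, so the cost grows with the number of permitted areas. */
bool caller_may_access(const mem_protection *p, uintptr_t addr, size_t len)
{
    for (size_t i = 0; i < p->count; i++) {
        if (region_permits(&p->regions[i], addr, len)) return true;
    }
    return false;
}

/* Arguments program 1 passes to a hypothetical transfer driver (program 2). */
typedef struct {
    uintptr_t src;   /* source buffer the driver would read */
    size_t    len;   /* number of bytes to transfer */
} transfer_args;

/* OS intervention in the call: the driver is started only after the
 * caller's own authority over the argument buffer has been confirmed. */
bool os_dispatch_transfer(const mem_protection *caller, const transfer_args *a)
{
    if (!caller_may_access(caller, a->src, a->len)) return false;
    /* The driver would be invoked here with the validated arguments. */
    return true;
}

/* Constructed sample: application program 1 may use two separate areas. */
const mem_protection *demo_caller_protection(void)
{
    static const mem_region regions[] = {
        { 0x1000, 0x1FFF },
        { 0x3000, 0x37FF },
    };
    static const mem_protection p = { regions, 2 };
    return &p;
}

int main(void)
{
    const mem_protection *p = demo_caller_protection();
    transfer_args ok   = { 0x1000, 0x100 };   /* inside first area */
    transfer_args span = { 0x1F00, 0x200 };   /* crosses the upper limit */
    transfer_args os   = { 0x2000, 0x10 };    /* area the caller may not use */
    printf("ok: %d span: %d os: %d\n",
           os_dispatch_transfer(p, &ok),
           os_dispatch_transfer(p, &span),
           os_dispatch_transfer(p, &os));
    return 0;
}
```

The length-aware comparison matters because a caller can pass a legitimate start address together with a length that runs past the upper limit; checking only the start address would let the driver read into the neighbouring area.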