1. Technical Field
The present invention relates to an information processing device, an information processing method, and a program distribution system which prevent unauthorized access to data.
2. Background Art
Conventional cellular phones allow users to download application software (hereafter referred to as “application”) after purchasing the device (cellular phone) so as to add new functions, and to use the application. Conventionally, the access of such an application to the various resources in the device has been restricted. Examples of the resources in the device include position information generated by, for example, GPS (Global Positioning System), and data generated by other applications such as a dial function, an address book, bookmarks, and image data. In recent years, however, the access restrictions have been eased to allow a variety of applications to be developed, and devices which allow access to the position information and to data such as the dial function and the address book have become available. For instance, Android™ offered by Google Inc. allows applications downloaded from Android Market, an application distribution site, to access, for example, the address book, bookmarks, GPS information, and a network function.
It is expected that devices will become available which allow users to install device driver software (hereafter referred to as “device driver”) so as to add new hardware.
Moreover, conventionally only specific application development companies have developed and distributed applications. In recent years, however, systems are being developed in which general users can develop and distribute applications. In such a system, so that general users can easily develop applications, development tools generally used on a personal computer (hereafter referred to as “PC”) are made available for application development, and debuggers can be connected to devices that are on sale.
At the same time, the leakage of data such as personal information (name, address, telephone number, email address, credit card number, and so on) or personal content (pictures, video, email, and position information) has become a problem. On a PC in particular, malicious software downloaded from an open network such as the Internet reads the personal information and personal content stored in a storage device of the PC and transmits them outside the PC via the network against the user's intention, which causes the leak of the data. Moreover, such malicious software gets the user to download it by, for example, using an email to make the user believe that it is useful software, or by exploiting a vulnerability of software which operates on the PC.
In particular, a device driver can access data that an application has placed in memory. For this reason, in a device to which device drivers can be installed, a device driver can access data such as personal information that should not be disclosed to other applications, and the device therefore carries a high risk of leakage.
In such a manner, a downloaded application (hereafter referred to as “DL application”) and a downloaded device driver (hereafter referred to as “DL device driver”) can access many resources in the PC or the cellular phone. Moreover, it is considered that general users can develop and distribute applications, and will in the future be able to develop and distribute device drivers as well. As a result, malicious attackers can develop and install attack applications (hereafter referred to as “malicious applications”) and attack device drivers (hereafter referred to as “malicious device drivers”). This enables the malicious application and the malicious device driver to access information in the device, which increases the danger of leakage and tampering of information.
Moreover, the malicious application or malicious device driver can not only actively access the information in the device but also obtain and leak that information through the dynamic data link with other applications. For instance, Android offered by Google Inc. has a function called “Intent” by which an application requests another application to process data. The origin of the request calls this function with parameters specifying the processing to be requested, the data to be processed, and the type of the data. The system, on receiving the request, selects an application which can perform the specified processing on the specified type of data. When several applications qualify, the system presents a list of them to the user and allows the user to select one. The system then starts the selected application and requests it to process the data. Here, suppose that a malicious application developed by a malicious attacker declares to the system that it can perform every kind of processing for all types of data. Then the malicious application is offered, and can obtain, all the data exchanged using the dynamic data link. This poses a danger that the malicious application obtains personal information or personal content exchanged between the applications and leaks it to the outside.
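As an added illustration of the resolution just described (not code from Android or from this specification), the following Python model registers handlers with (action, MIME type) filters and resolves implicit requests against them. The component names, the "*" action wildcard and the simplified MIME matching are assumptions of the model. It also shows a case the passage does not mention: an explicit request that names its recipient is never offered to the catch-all handler.

```python
"""Toy model of implicit-intent resolution.

Added illustration of the "Intent" passage above; this is not Android's own
code. Component names, the filter syntax (the action "*" meaning "any action")
and the simplified MIME matching are assumptions made for the example. It
shows that a handler declaring a catch-all filter is offered every implicit
intent, including ones no legitimate handler claims, and that an explicit
intent naming its target component is not exposed to it.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def mime_matches(pattern: str, mime_type: str) -> bool:
    """Match 'type/subtype' against a pattern of the form 'type/subtype',
    'type/*' or '*/*' (the subset of Android's rules needed here)."""
    ptype, _, psub = pattern.partition("/")
    mtype, _, msub = mime_type.partition("/")
    return ptype in ("*", mtype) and psub in ("*", msub)


@dataclass(frozen=True)
class IntentFilter:
    actions: FrozenSet[str]     # "*" = any action (assumption for this model)
    mime_types: FrozenSet[str]  # e.g. {"image/*"}; "*/*" = any type

    def matches(self, action: str, mime_type: str) -> bool:
        if "*" not in self.actions and action not in self.actions:
            return False
        return any(mime_matches(p, mime_type) for p in self.mime_types)


@dataclass(frozen=True)
class Component:
    name: str
    filters: Tuple[IntentFilter, ...]


@dataclass(frozen=True)
class Intent:
    action: str
    mime_type: str
    data: bytes
    component: Optional[str] = None  # set => explicit intent, no resolution


def resolve(intent: Intent, registry: List[Component]) -> List[str]:
    """Names of the components the system would offer for this intent."""
    if intent.component is not None:
        return [c.name for c in registry if c.name == intent.component]
    return [c.name for c in registry
            if any(f.matches(intent.action, intent.mime_type) for f in c.filters)]


def exposed_to(handler: str, intents: List[Intent], registry: List[Component]) -> List[bytes]:
    """Payloads the named handler could receive: every intent for which it is
    among the candidates (the user only has to pick it in the chooser)."""
    return [i.data for i in intents if handler in resolve(i, registry)]


# Constructed sample registry: two legitimate handlers and one catch-all.
GALLERY = Component("com.example.gallery/.View",
                    (IntentFilter(frozenset({"VIEW"}), frozenset({"image/*"})),))
MAILER = Component("com.example.mail/.Compose",
                   (IntentFilter(frozenset({"SEND"}), frozenset({"text/plain", "image/*"})),))
GRABBER = Component("com.evil.grabber/.CatchAll",
                    (IntentFilter(frozenset({"*"}), frozenset({"*/*"})),))
REGISTRY = [GALLERY, MAILER, GRABBER]

# Constructed sample traffic between applications.
SAMPLE_INTENTS = [
    Intent("SEND", "text/plain", b"credit card 4111 ..."),
    Intent("VIEW", "image/png", b"\x89PNG..."),
    Intent("DIAL", "text/x-vcard", b"BEGIN:VCARD..."),  # no legitimate handler claims this
    Intent("SEND", "text/plain", b"private note", component=MAILER.name),  # explicit
]

if __name__ == "__main__":
    for i in SAMPLE_INTENTS:
        print(i.action, i.mime_type, "->", resolve(i, REGISTRY))
    print("catch-all could receive",
          len(exposed_to(GRABBER.name, SAMPLE_INTENTS, REGISTRY)),
          "of", len(SAMPLE_INTENTS), "payloads")
```

The catch-all handler appears in the candidate list for every implicit request, including the one that no legitimate application handles, where it is the only choice offered to the user; only the explicit request, which names the mailer directly, is resolved without consulting filters at all.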
There has conventionally been a method of separating execution environments in each of which software is executed, as a method of protecting an original function of a device, such as the telephone function of a cellular phone, from a DL application and a DL device driver (see NPL 1, for example). NPL 1 discloses, as methods of separating execution environments, a method using a CPU having a plurality of modes such as a normal mode and a secure mode, and a method using a virtualization technology.
FIG. 32 is a diagram showing the conventional method of separating execution environments using a virtualization technology which is disclosed by NPL 1.
In FIG. 32, a virtual machine 30 executes an operating system (hereafter referred to as “OS”) and applications which are selected and developed by, for example, a telecommunications carrier of cellular phones. A virtual machine 40 executes applications by which an enterprise other than the telecommunications carrier provides a schedule and email service for its workers. Virtualization software 20 provides, for the virtual machines 30 and 40, a virtual hardware function obtained by virtualizing hardware 10. In addition, the virtualization software 20 controls the operations of the virtual machines 30 and 40.
As shown in FIG. 32, the method of separating execution environments described in NPL 1 makes it possible to separate, including their OSs, the virtual machine 30 which provides the communication function that is the basic function of the cellular phone from the virtual machine 40 which provides the service for the workers.
For example, even when the virtual machine 40 has a function which allows the user to freely download applications and device drivers, and a malicious application or malicious device driver operates on the virtual machine 40, this prevents the malicious application or malicious device driver from influencing the group of applications for telecommunications carrier 33 and the OS for telecommunications carrier 32 which operate on the virtual machine 30. Moreover, even when data processing is performed, using the dynamic data link with other applications, between applications included in the group of applications for telecommunications carrier 33, the malicious application or malicious device driver cannot obtain data of the group of applications for telecommunications carrier 33.