In a 1-chip microcomputer in which a nonvolatile memory with a large memory capacity is provided as a program memory, a plurality of application programs, suitable for a variety of usages, are stored in advance in the program memory, and the respective application programs are selected for execution. A built-in memory in the 1-chip microcomputer is accessed by a CPU. Accordingly, any program operating under the same CPU can access the data that fall within the accessible range of the CPU. In this case, when a plurality of application programs are loaded, one application program can access the instruction codes and data of another application program. As a result, it is most likely that the other application program or its data are altered and/or read out, giving rise to the problem that security is compromised.
In order to solve the foregoing problem, Japanese unexamined patent publication No. 8-55204 (published on Feb. 27, 1996) discloses a method in which a CPU is provided with members such as a program segment register, a program counter, and a register for accessing the data on the memory, and in which the address to be executed and the address to be read or written are found based on the operations of these members so as to limit the memory access.
An IC card that uses the foregoing method for limiting the memory access is provided, as shown in FIG. 8, with a CPU 101, a ROM 102, a RAM 103, and an EEPROM 104. The structure and the functions of the CPU 101 are what solve the foregoing problem.
As shown in FIG. 9, the CPU 101 is provided with (a) a program segment register (PSR) 201 whose registered value can be set only once after the CPU 101 is reset, (b) an offset register (DR) 202 of data access use for accessing the data on the memory, (c) an address addition means 205 for generating an execution address in response to a program counter (PC) 203 and the program segment register 201, (d) an address addition means 204 for generating a writing address in response to the data read out from the offset register 202 and the program segment register 201, and (f) an address multiplication means 206 for generating an offset address that is commonly used for generation of the execution address, the data reading address, and the data writing address.
Note that the program segment register 201 is used for storing the ID (identification) number of a target application program that has been received from outside. The offset register 202 of data access use is used for storing the offset value that gives the offset to the reading and writing addresses.
The program counter 203 points to the address of the execution instruction of the program. For example, when it is assumed that the ID number of the target application program that has been received from outside is “2”, the numerical value “2” is stored in the program segment register 201. When the absolute offset value is set to 1000 times the value of the program segment register 201, program execution jumps to the address (2×1000). Thereafter, the address to be executed is specified based on the value of the program segment register 201 and the pointing value of the program counter 203, so that the execution address becomes equal to the address (2×1000+the pointing value of the program counter 203).
The respective reading and writing addresses of the data are found based on the registered values of the program segment register 201 and the offset register 202 of data access use, so that the address (2×1000+the registered value of the offset register 202 of data access use) is specified.
Thus, while the application program specified by the ID number stored in the program segment register 201 is being executed, it is possible to access only (a) the address range in which that target application program has been stored and (b) the RAM.
Accordingly, in the case where a plurality of application programs are loaded in the program memory, one application program is not allowed to access the instruction codes and data of the other application programs, thereby maintaining the security.
However, according to the foregoing conventional method for limiting the address, since the program segment register can be set only once, only one of the application programs can be executed after the CPU is reset. Thus, it is necessary to reset the CPU again in order to execute the other application programs consecutively. In addition, there arises the problem that the application programs cannot communicate with one another. Thus, the foregoing conventional method has the above problems concerning convenience.
For example, in the case of an IC card in accordance with the foregoing conventional method in which a plurality of application programs are loaded, another application program cannot be executed until the IC card is separated from the reader and writer in an IC card system, i.e., until the power source is cut off.
Thus, in order to execute a series of plural application programs, every time one of the application programs finishes executing, it is necessary to separate the IC card from the reader and writer and then load it again. Therefore, the initialization procedure must be repeated for every loading of the IC card. This gives rise to the problem that such a series of procedures takes a longer time and the problem that the IC card must be loaded and unloaded so often.
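The conventional address generation and the set-once program segment register described above, modeled in C as an added example (not code from the cited patent publication). The struct and function names are hypothetical, and the check that an offset stays below 1000 is an assumption: the page does not state how the offset is bounded.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEG_SIZE 1000u  /* multiplier from the page's example (ID x 1000) */

/* Model of the conventional CPU 101; field names are hypothetical. */
typedef struct {
    uint32_t psr;        /* program segment register 201: application ID */
    bool     psr_locked; /* true once PSR has been written since reset   */
    uint32_t pc;         /* program counter 203                          */
    uint32_t dr;         /* offset register 202 of data access use       */
} cpu_t;

void cpu_reset(cpu_t *c) {
    c->psr = 0; c->psr_locked = false; c->pc = 0; c->dr = 0;
}

/* PSR accepts exactly one write after reset; later writes are refused. */
bool cpu_select_app(cpu_t *c, uint32_t app_id) {
    if (c->psr_locked) return false;
    c->psr = app_id;
    c->psr_locked = true;
    c->pc = 0;
    return true;
}

/* Segment base (PSR x 1000) plus offset. Returns -1 when the offset would
 * leave the segment (assumed bound, not stated on the page). */
static long translate(const cpu_t *c, uint32_t offset) {
    if (offset >= SEG_SIZE) return -1;
    return (long)c->psr * (long)SEG_SIZE + (long)offset;
}

long exec_addr(const cpu_t *c) { return translate(c, c->pc); } /* PSR, PC */
long data_addr(const cpu_t *c) { return translate(c, c->dr); } /* PSR, DR */

int main(void) {
    cpu_t c;
    cpu_reset(&c);
    cpu_select_app(&c, 2);            /* ID "2" received from outside */
    c.pc = 37; c.dr = 512;            /* constructed sample offsets   */
    printf("app 2: exec=%ld data=%ld\n", exec_addr(&c), data_addr(&c));
    printf("select app 3 without reset: %s\n",
           cpu_select_app(&c, 3) ? "accepted" : "refused");
    cpu_reset(&c);                    /* card removed and loaded again */
    printf("select app 3 after reset: %s\n",
           cpu_select_app(&c, 3) ? "accepted" : "refused");
    printf("app 3: exec=%ld\n", exec_addr(&c));
    return 0;
}
```

The refused second selection is the convenience problem the text describes: the isolation holds only because the segment base cannot change until the next reset.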
When execution returns to the original address (the return address) after a subroutine call in the currently executing application program, that return address is, in general, temporarily stored in RAM. In these circumstances, when the return address is rewritten to another address by accident or by intention, it is most likely that the application program malfunctions or that erroneous access to another application program occurs. In either case, it is most likely that the CPU malfunctions. The foregoing conventional method for limiting the address, however, takes no appropriate steps against such a case.