In an information communication terminal device such as a mobile phone, basic processing for realizing a basic function of the terminal device (e.g. a call processing function, a browsing function for Internet access, an electronic mailing function, a screen control function and the like) is commonly installed together with an operating system in advance and other additional processing (program) than the above-described basic processing is downloaded into the terminal device from the outside such as a network by user operation or the like and executed for installation. When the downloaded additional processing is executed, however, an operating system, basis processing and the like might be subjected to an attack by the additional processing.
FIG. 42 is a diagram schematically showing one example of a typical structure of an information communication terminal device which executes downloaded additional processing. Illustrated schematically in FIG. 42 is a block diagram of a well-known typical device structure. In the following, description will be made of a case where additional processing is an application program or a device driver (software which makes an access request to a device and executes processing of interruption from a device and which is also referred to as “I/O driver”) provided by a native code (a binary code compiled or subjected to assembly processing on a provider side).
In the structure shown in FIG. 42, when an additional processing 23 is downloaded and executed (in a case where the additional processing 23 is a device driver, when the processing is incorporated into an operating system and executed), a basic processing 22, an operating system (called “OS”) 21, a CPU (Control Processing Unit) 10, a memory 50 and an input/output device (I/O) 60 might be directly attacked by the additional processing 23. The reason is that no means is mounted for restricting attack to the basic processing 22, the CPU 10, the OS 21, the memory 50 or the input/output device (I/O) from the additional processing 23 to realize safe execution environments. More specifically, in a case of the structure shown in FIG. 42, the additional processing 23 is assumed to be capable of arbitrarily issuing a processing request to the basic processing 22, a processing request to the OS 21 and processing requests to the CPU 10, the memory 50 and the input/output device 60 and be allowed to freely access each resource of hardware and software. As a result, the malicious additional processing 23 (or additional processing affected by virus or the like even without malicious intent) is allowed to freely attack the defenseless OS 21, basic processing 22 and the like.
There is a case where an additional device driver is incorporated in a kernel of the OS 21 as a resident driver, for example, in which case reliability of the device driver will directly affect reliability and performance of the OS 21. This is clear also from properties of a device driver that the device driver includes processing setting to a device and interruption service to be started by a scheduler at an interruption from a device and that execution time of the interruption service (during which time re-scheduling is inhibited) is limited to a time significantly short because of processing performance (e.g. less than a millisecond). In other words, if an additional device driver is a driver with malicious intent, processing performance of an information processing device could be deteriorated with ease. This is also the case with a loadable driver (a driver selectively loaded or unloaded to/from memory) not a resident driver. Thus, when a driver with malicious intent installed as additional processing attacks, the kernel of the OS 21 will be directly attacked to be fatal (goes substantially inoperable).
Under these circumstances, currently proposed are various kinds of design architectures for protecting basic processing and the like by limiting execution environments of a downloaded additional processing. In the following, outlines will be given with respect to several typical examples.
FIG. 43 is a diagram showing one typical example of a structure which presents environments for protecting execution of additional processing by software. In the example shown in FIG. 43, the additional processing 23 by native codes is designed to be executed on a virtual machine 24. As an example, assuming that the additional processing 23 is described in JAVA (registered trademark) byte codes, a downloaded JAVA (registered trademark) byte code will be executed on JVM (registered trademark) virtual machine) forming the virtual machine 24.
In such a structure, the basic processing 22, the OS 21 and the like are separated from the additional processing 23 in terms of software to have their securities ensured. More specifically, the additional processing 23 accesses the OS 21, the CPU 10, the memory 50, the I/O 60 and the like only through the virtual machine 24. The virtual machine 24 is not ordinarily authorized to do execution in a kernel mode of the OS 21 (e.g. execution of a privileged instruction) or the like and therefore, the additional processing 23 is not allowed to directly operate the OS 21. In addition, since the virtual machine 24 in general executes an instruction code of the additional processing 23 in an interpreter method, monitoring adequacy of instructions/operation of the additional processing 23 is easy and by, for example, limiting unauthorized access (e.g. output of multiple data on a network or a screen and the like) to hardware resources and software resources from the additional processing 23, the virtual machine 24 is allowed to serve as a protective filter or a protective barrier, or a protective gate in terms of software. Thus, the basic processing 22, the OS 21 and the like are separated from the additional processing 23 through the virtual machine 24 in terms of software.
The virtual machine system shown in FIG. 43, however, has the following problems.
When the downloaded additional processing 23 attacks the virtual machine 24 through a hole (e.g. security hole) or other, system security will be damaged.
In addition, since the virtual machine 24 such as a JAVA (registered trademark) virtual machine is in general adopts an interpreter method of interpreting and executing instruction codes such as JAVA (registered trademark) byte codes one instruction by one instruction, its execution rate is low.
Furthermore, although the virtual machine 24 makes a processing request to the OS 21 by issuing a system call at the time of execution of the additional processing 23, because an overhead of the system call is large, processing execution is slow. In the virtual machine 24, for example, one or a plurality of system calls corresponding to one instruction of the additional processing 23 are issued. A series of such control is executed to have a large overhead as context switching from a user mode to a system mode by system call issuance, decoding of packet data of a system call at a system call entry unit of the OS 21, justification check (error detection processing) of a parameter and the like, distribution (dispatch) of processing and furthermore, transfer of a processing result at the time of processing end, context switching, switching from a kernel space to a user space and the like.
Then, in a case of the structure shown in FIG. 43, it is not possible to incorporate a device driver as the additional processing 23 into the OS 21. As is clear from FIG. 43, the virtual machine 24 locates in the upper layer above the OS 21. With the virtual machine 24 structured to make a processing request to the OS 21 based on the codes of the additional processing 23, receive a processing result from the OS 21 and return the same to the additional processing 23 when necessary, incorporating additional processing as a device driver into the OS 21 requires incorporation of a virtual machine as well which controls execution of the additional processing into the OS 21, so that such a structure is in principle impossible in such the virtual machine system shown in FIG. 43.
Known as another security management system by software is such a structure as shown in FIG. 44, for example. As shown in FIG. 44, the additional processing 23 is downloaded into a terminal (information processing device) with a certificate 25 attached for certifying that it can be trusted. The terminal side is structured to check the contents of the attached certificate 25 and when authenticating that the attached certificate 25 is a proper certificate, allow installation and execution of the downloaded additional processing 23. As the certificate 25, digital signing (ITU-T XS09) may be used. With an organization to be certified and its public key, and digital signing of CA (certification authority) (encipherment of an organization to be certified or a public key by a secret key of CA), for example, stored in the certificate 25, when authenticating the certificate, decode a part of CA digital signing by the public key of CA to check whether the decoded contents coincide with the contents of the data of the certificate and determine that the data of the certificate is reliable when they coincide with each other. Alternatively, the certificate 25 may be an arbitrary certificate as long as it certifies a true vender. Driver signing of a device driver is mounted also on Windows (registered trademark) 2000, for example.
In a case of the system shown in FIG. 44, the additional processing 23 can be provided by a native code, which enables higher-speed execution than in the virtual machine system shown in FIG. 43. Execution of an application and a device driver is also possible as the additional processing 23. System reliability, however, wholly depends on security of the additional processing 23. In other words, when the additional processing 23 has a problem which can not be sensed in advance, the system might be fatally damaged.
FIG. 45 is a diagram showing a structure of a processor which executes security management by hardware. With reference to FIG. 45, a CPU 11 has a secure mode 12 and a non-secure mode 13, and the downloaded additional processing 23 and an OS 21B corresponding to the additional processing 23 are mainly executed in the non-secure mode 13. Then, a memory management unit 14 manages a region (address space) of memory executed in the non-secure mode 13 separately from a region of memory accessed in the secure mode 12, so that an access to a memory region in the secure mode 12 from the non-secure mode 13 is inhibited. In other words, the memory management unit 14 executes memory access control from the non-secure mode 13 and control for inhibiting an access to a memory region in the secure mode 12 from the non-secure mode 13.
Thus, in the structure shown in FIG. 45, the basic processing 22 is executed in the secure mode 12 to virtually separate a CPU which executes the additional processing 23 and another CPU, thereby improving security.
The secure mode and the non-secure mode are, however, executed on a time division basis on the CPU and no system operation in the secure mode is executed unless returned from the non-secure mode.
In addition, since the non-secure mode and the secure mode are processed on a time division basis, such overhead as mode shift is generated at its switching.
Furthermore, when the additional processing 23 is incorporated as a device driver into the OS 21B in the non-secure mode, if the driver has malicious intent, return to the secure mode might be disabled to cause fatal damage to the system.
Referred to as a processor with a separation region provided in system memory and comprising a normal execution mode and a separated execution mode similarly to the structure shown in FIG. 45 is recitation of Japanese Translation of PCT International Application No. 2004-50666 (Literature 1). The device recited in Literature 1, with the normal execution mode being a mode operable in an ordinary operation mode without a security function provided to the processor in non-secure environments, that is, in the separated execution mode, is structured to inhibit an access to a separated region from the normal execution mode and support execution of a predetermined separation instruction in the separated execution mode. Even with such a structure, because the normal execution mode and the separated execution mode are processed on a time division basis, such overhead is generated as mode shift at its switching.
Also disclosed is a structure comprising two processor units and a switch unit, with one processor unit connected to a public data communication network and other processor unit not connected to the public data communication network but functioning as a data security unit (see Japanese Translation of PCT International Application No. 2002-542537 (see Literature 2)). The system recited in Literature 2 has the processor unit connected to the public data communication network and the data security unit separated by a switch, thereby ensuring security of the data security unit. The device, however, takes into no consideration a countermeasure against an attack to the processor unit connected to the public data communication network by the execution of the above-described additional processing (additional processing downloaded from a network or the like). While the data security unit is safe, the processor unit connected to the public data communication network fails to have a security mechanism effective to an attack by additional processing. For realizing security management in the processor unit connected to the public data communication network, therefore, it is necessary to adopt any of the above-described systems.
Furthermore, recited in Japanese Translation of PCT International Application No. 2002-533791 (Literature 3) is the system simultaneously executing an execution program or an operating system separated on a processor, in which for protecting false program execution environments, a memory space used only by a first program is set while the first program is executed, communication between the first program and a computer execution environment is executed through a single link including use of a shared memory space, dedicated interruption or a dedicated I/O port, and the first program has its access to resources on a processor restricted excluding a set memory space and a single link under a limited execution environment. In a case of the method recited in Literature 3, since the first program has its access to resources on a processor restricted excluding a set memory space and a single link (use of a shared memory space, dedicated interruption or a dedicated I/O port), the first program can not be used as a device driver and therefore can not be applied to additional processing including a device driver.
As publication disclosing a technique related to an inter-processor communication unit used in the present invention which will be described later, Japanese Patent Laying-Open No. H6-332864 (Literature 4) discloses the system for communication between CPUs in a multiprocessor system. Recited in Literature 4 as its related art is a structure in which at the execution of communication between CPUs by a multiprocessor by using a shared memory, when generating an interruption to a CPU1, a CPU2 writes communication information into an inter-CPU communication information write region for its own use in a fixed region for the CPU1 to generate an interruption and when an interruption occurs, the CPU1 accesses an inter-CPU communication information write region corresponding to the CPU2 to execute interruption processing and further recited is the invention intended to reduce the number of accesses of a shared memory.
Japanese Patent Laying-Open No. 2001-154999 (Literature 5) proposes the parallel computation system in which a processor analysis circuit detects a failure at the start-up of its own processor to ask a service processor for recovery and the service processor executes processing for the recovery.
Literature 1: Japanese Translation of PCT International Application No. 2004-500666.
Literature 2: Japanese Translation of PCT International Application No. 2002-542537.
Literature 3: Japanese Translation of PCT
International Application No. 2002-533791.
Literature 4: Japanese Patent Laying-Open No. H6-332864.
Literature 5: Japanese Patent Laying-Open No. 2001-154999.
As described above, related devices with a countermeasure for ensuring security against an attack from downloaded malicious or false additional processing in practice have various kinds of problems remaining such as a problem in processing performance, a problem that execution of a device driver is impossible and a problem in ensuring security. In particular, as shown in FIG. 43 and FIG. 45, related to an information processing device, a design architecture which disables downloading of an additional device driver from outside the device shows that addition of a device and addition of a function are substantially impossible and in this term, has limited availability.
On the other hand, since when operating an additional device driver in a kernel mode, for example, reliability of an OS and a system is directly affected as described above, drastic improvement in ensuring security and in reliability is demanded.
Also recovery processing in a related parallel computation system whose one example is the technique disclosed in Literature 5 has a problem that processing will be executed in response to such a request with malicious intent as a notified recovery request including virus.
An object of the present invention is therefore to provide an information processing device, a recovery device, a program and a recovery method which enable a domain developing a fault due to added application program and device driver to be recovered with its security and reliability ensured.