1. Field of the Invention
The present invention relates to a communication contention management device, an auxiliary communication contention management device, and a communication contention management system each provided in a communication terminal having multiple program execution environments and a connection resource to be used for connection to an access point to a communication network, and a communication contention management method.
2. Description of the Related Art
A mobile telephone terminal and a PDA or PC with a communication function (hereinafter, referred to as a communication terminal) are connectable to an access point by designating an access point name (APN) in cellular communication and also connectable to an access point by designating a service set identifier (SSID) as an access point identifier in a wireless LAN. A communication terminal can selectively use communication services of different service providers by switching between connections to different access points. Similarly, even when one service provider provides multiple communication services respectively having different access points, a communication terminal can selectively use the communication services by switching between connections to the access points.
For such a communication terminal, an arbitration method has been proposed to deal with a case where a contention occurs between requests to connect to an access point by using a connection resource such as a radio transmitter-receiver unit (see, for example, International Patent Publication No. WO2006/119471).
Specifically, when a connection resource needed for a connection request from a program, such as an application program, is unavailable, the connection request is suspended without being executed. Then, when the connection resource becomes available, the connection resource is preferentially allocated to the program. More specifically, even when a connection request made by a first program (for example, a data communication application program) is suspended and thereafter a connection request needing to use the same connection resource is made by a second program (for example, a GPS application), the use of the connection resource is restricted in such a manner that the connection resource is not allocated to the second program. Furthermore, International Patent Publication No. WO2006/119471 discloses that a connection resource is allocated according to a priority given to each application program.
Meanwhile, there has been recently known a method of providing such a communication terminal as above with a so-called virtual machine monitor (VMM) that is software or hardware allowing multiple operating systems (OSs) to run in parallel. Multiple program execution environments can be provided on the VMM and multiple processes are executed in parallel in the multiple execution environments. This configuration is referred to as a hypervisor-type virtualization terminal architecture. In this architecture, there is a case where a secure execution environment and an insecure execution environment coexist in one communication terminal. The insecure execution environment means herein, for example, an execution environment in which software can be installed and executed by a third party.
The execution environments can communicate with each other by using an inter-virtual machine communication facility (hereinafter an inter-VM communication facility). Thus, the inter-VM communication facility can also be used for arbitration in a case where a contention occurs between connection requests.
Specifically, an auxiliary communication contention management device provided in each of multiple execution environments using the connection resource receives a connection request from the execution environment. The auxiliary communication contention management device issues a connection request to a communication contention management device which manages a contention in the entire system. The communication contention management device permits the connection request when the connection resource needed for the connection request is available. When there is a security policy for access restriction to prohibit a certain execution environment from connecting to a particular access point, the communication contention management device determines permission or rejection for the connection request according to the security policy, and restricts the access.
However, when the conventional arbitration method dealing with a case where a contention occurs between connection requests is used in the hypervisor-type virtualization terminal architecture, the following problems are observed.
Firstly, when the communication contention management device runs on the insecure execution environment, an attack by malicious software causes the access restriction to be invalidated or bypassed. This may bring about a security problem that a certain execution environment establishes a connection to an access point despite the prohibition by the security policy, and also another security problem that malicious software in the insecure execution environment occupies the connection by exclusively using the connection resource.
Secondly, to maintain the security, it is desirable that the communication contention management device should run on a secure execution environment isolated from an insecure execution environment in a communication terminal having multiple execution environments. However, in the case where the auxiliary communication contention management device of a connection requestor and the communication contention management device operate in different execution environments, a changeover between the execution environments and inter-VM communications for a connection request are wasted if the connection request is rejected due to a contention for the connection resource.
This results in the waste of system resources (such as a battery and a CPU capability). Furthermore, every time the contention state for the connection resource is changed, the communication contention management device may notify the auxiliary communication contention management device that the contention state is changed. However, such notification also results in the waste of the system resources.
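The conventional arrangement described above can be modelled as follows. This is an added example, not code from the patent. It assumes a single connection resource, a policy check performed before the contention check, and hypothetical environment and access point names ("trusted", "untrusted", "corp-apn", "public-apn"); it counts the inter-VM round trips that end in a contention rejection.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class ContentionManager:
    """Model of the management device in the secure environment (constructed)."""
    denied: Set[Tuple[str, str]]              # policy: prohibited (environment, access point)
    holder: Optional[Tuple[str, str]] = None  # current user of the single connection resource

    def request(self, env: str, ap: str) -> str:
        if (env, ap) in self.denied:          # assumption: policy is checked first
            return "rejected:policy"
        if self.holder is not None:           # resource already in use
            return "rejected:contention"
        self.holder = (env, ap)
        return "permitted"

    def release(self, env: str) -> None:
        if self.holder and self.holder[0] == env:
            self.holder = None

@dataclass
class AuxiliaryManager:
    """Model of the auxiliary device inside one execution environment."""
    env: str
    manager: ContentionManager
    round_trips: int = 0   # environment changeovers plus inter-VM messages
    wasted: int = 0        # round trips that ended in a contention rejection

    def connect(self, ap: str) -> str:
        self.round_trips += 1                 # every request crosses the VM boundary
        result = self.manager.request(self.env, ap)
        if result == "rejected:contention":
            self.wasted += 1
        return result

def simulate():
    """Constructed scenario: the trusted environment holds the resource
    while the untrusted environment keeps requesting it."""
    mgr = ContentionManager(denied={("untrusted", "corp-apn")})
    trusted = AuxiliaryManager("trusted", mgr)
    untrusted = AuxiliaryManager("untrusted", mgr)
    log = [trusted.connect("corp-apn"),       # permitted, resource now busy
           untrusted.connect("corp-apn"),     # prohibited by the security policy
           untrusted.connect("public-apn"),   # allowed by policy, resource busy
           untrusted.connect("public-apn")]   # retried, still busy
    mgr.release("trusted")
    log.append(untrusted.connect("public-apn"))
    return log, untrusted.round_trips, untrusted.wasted
```
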
Accordingly, an object of the present invention is to provide a communication contention management device, an auxiliary communication contention management device, a communication contention management system, and a communication contention management method which are capable of proper access restriction in a communication terminal having multiple program execution environments and a connection resource to be used for connection to an access point to a communication network, the access restriction prohibiting a certain execution environment from connecting to a particular access point according to a security policy, and which also are capable of preventing system resources from being wasted by a needless changeover or communication between execution environments.