On an information communication terminal device such as a mobile phone, the basic processing (for example, call processing function, browser function for accessing the Internet, electronic mail function, screen control function, etc.) for implementing the basic function of the terminal device is usually installed in advance with the operating system. Additional processing (program) other than the basic processing described above is downloaded from an external source, such as the network, onto the terminal device by the user operation for execution and installation thereon. However, when the downloaded additional processing is executed, there is a possibility that the operating system and the basic processing are subjected to an attack from the additional processing.
FIG. 21 is a diagram schematically showing an example of the typical configuration of an information communication terminal device that executes downloaded additional processing. FIG. 21 is a block diagram schematically illustrating a well-known typical device configuration. In the description below, the additional processing is an application program or a device driver (also called an “I/O driver” that is software for processing an access request to a device and for processing an interrupt from a device) provided in native code (binary code generated by compiling or assembling on the vendor side).
When additional processing 23 is downloaded and executed (or is included into the operation system and executed when the additional processing 23 is a device driver) in the configuration shown in FIG. 21, there is a possibility that basic processing 22, an operating system (termed an OS) 21, a CPU (Central Processing Unit) 10, a memory 50, and an input/output (I/O) device 60 are directly attacked by the additional processing 23. The reason is that no means is installed for limiting an attack from the additional processing 23 to the basic processing 22, CPU 10, OS 21, memory 50, or input/output device (I/O) 60 and for implementing the safe execution environment. That is, in the configuration shown in FIG. 21, the additional processing 23 can arbitrarily issue a processing request to the basic processing 22, a processing request to the OS 21, and a processing request to the CPU 10, memory 50, and input/output device 60 and can freely access the hardware and software resources. For this reason, the additional processing 23, if malicious (or not malicious but infected by a virus), freely attacks the vulnerable OS 21, basic processing 22, and so on.
In some cases, an additional device driver is incorporated into the kernel of the OS 21, for example, as a resident (permanently resident) driver and, in this case, the reliability of the device driver directly affects the reliability and performance of the OS 21. The reason for this is apparent from the characteristics of a device driver that the device driver includes the processing settings to the device and the interrupt service that will be activated by the scheduler when an interrupt is received from the device and that the execution duration of the interrupt service (during which re-scheduling is inhibited) is limited to a very short time (for example, shorter than milliseconds) to maintain the processing performance. That is, an additional device driver, if malicious, can easily reduce the processing performance of an information processing device. This applies also to a non-resident, loadable driver (driver selectively loaded into, or unloaded from, memory). If an attack is made by a malicious driver that is installed as additional processing, the kernel of the OS 21 is attacked directly and a fatal (virtually inoperative) condition may result.
To solve this problem, several architectures have conventionally been proposed to limit the execution environment of downloaded additional processing for protecting the basic processing. The following outlines typical examples.
FIG. 22 is a diagram showing one typical example of the configuration that provides the software-based execution protection environment for additional processing. In the example shown in FIG. 22, the additional processing 23 coded in native code is executed on a virtual machine 24. For example, if the additional processing 23 is described in the JAVA (registered trademark) byte code, the downloaded JAVA (registered trademark) byte code is executed on a JVM (JAVA (registered trademark) virtual machine) that constitutes the virtual machine 24.
In this configuration, the basic processing 22 and the OS 21 are separated from the additional processing 23 on a software basis to ensure its security. That is, the additional processing 23 accesses the OS 21, CPU 10, memory 50, and input/output device 60 only via the virtual machine 24. Usually, the virtual machine 24 is not given an authority to execute in the kernel mode (for example, to execute a privileged instruction) of the OS 21 and, therefore, the additional processing 23 cannot directly operate the OS 21. Because the virtual machine 24 usually executes an instruction code received from the additional processing 23 in the interpreter mode, it is easy to monitor if the instruction and the operation of the additional processing 23 is correct. For example, by limiting an invalid access (for example, a large amount of data output to the network or the display) from the additional processing 23 to the hardware resources or software resources, the virtual machine 24 can also work as a software-based protective filter, protective wall, or protective gate. In this way, the basic processing 22 and the OS 21 are separated from the additional processing 23 via the virtual machine 24 on a software basis.
However, the virtual machine scheme shown in FIG. 22 has the following problems.
The system security is compromised when the downloaded additional processing 23 attacks a vulnerable point (for example, a security hole) of the virtual machine 24.
Furthermore, because the instruction codes such as JAVA (registered trade mark) byte codes are executed usually in the interpreter mode in which an instruction is interpreted and executed, one by one, the execution speed of the virtual machine 24 such as a JAVA (registered trademark) virtual machine is slow.
In addition, before executing the additional processing 23, the virtual machine 24 issues a system call to request the OS 21 to perform processing and, because the overhead of the system call is large, the processing speed is low. For example, the virtual machine 24 issues one or more system calls corresponding to one instruction of the additional processing 23. There are executed a sequence of control operations, including for example, context-switching from user mode to system mode caused by the issuing of a system call, decoding of the packet data of the system call and validity checking of parameters (error detection processing) in the system call by the system call entry module of the OS 21, dispatching of processing (dispatch), passing of processing result and the context switching at the time of completion of the processing, switching from the kernel space to the user space and the like and the overhead becomes large.
In the configuration shown in FIG. 22, a device driver cannot be included into the OS 21 as the additional processing 23. As apparent from FIG. 22, the virtual machine 24 is in a layer higher than that of the OS 21. The virtual machine 24 is configured in such a way that it issues a processing request to the OS 21, receives the processing result from the OS 21, and returns the result to the additional processing 23 as necessary, based on the code of the additional processing 23. Thus, an attempt to include the additional processing into the OS 21 as a device driver requires that the virtual machine, which controls the execution of the additional processing, be also included into the OS 21. In principle, such a configuration is impossible in the virtual machine mode shown in FIG. 22.
As another software-based security management architecture, the configuration shown in FIG. 23 is also known. As shown in FIG. 23, the additional processing 23, to which a certificate 25 which is for certifying the authenticity of the additional processing is attached, is downloaded onto a terminal (information processing device). The terminal side checks the contents of the attached certificate 25 and, if the attached certificate 25 is authenticated successfully, the downloaded additional processing 23 is installed and executed. A digital signature (ITU-T X509) may be used for the certificate 25. For example, the certificate 25 stores a certifying organization, its public key, and the digital signature (signature generated by encrypting the certifying organization or public key with the private key of the CA) of the CA (Certificate Authority). To authenticate the certificate, the digital signature of the CA is decrypted by the public key of the CA to check if the result matches the content of certificate data and, if they match, the data of the certificate is determined authentic. Alternatively, the certificate 25, provided it can certify an authentic vendor, may be any certificate. The driver signing function of a device driver is implemented on Windows (registered trademark) 2000.
The architecture shown in FIG. 23, in which the additional processing 23 can be provided in native code, makes the execution faster than that of the virtual machine method shown in FIG. 22. In addition, an application and a device driver can be executed as the additional processing 23. However, the system reliability depends absolutely on the security of the additional processing 23. That is, a problem with the additional processing 23 that cannot be detected in advance, if any, may cause a fatal damage to the system.
FIG. 24 is a diagram showing the configuration of a processor that performs hardware based security management. Referring to FIG. 24, a CPU 11 has two modes, secure mode 12 and non-secure mode 13, and the downloaded additional processing 23 and the OS 21B corresponding to the additional processing 23 are executed only in the non-secure mode 13. A memory management unit 14 manages the memory area (address space) executed in the non-secure mode 13 and the memory area accessed in the secure mode 12 separately and inhibits access from the non-secure mode 13 to the memory area in the secure mode 12. That is, the memory management unit 14 controls memory access from the non-secure mode 13 and inhibits access from the non-secure mode 13 to the memory area in the secure mode 12.
Thus, in the configuration shown in FIG. 24, the basic processing 22 is executed in the secure mode 12 and the CPU is virtually separated from the CPU for executing the additional processing 23 to increase security.
However, the secure mode and the non-secure mode are executed on the CPU in a time-division manner and, if control is not returned from the non-secure mode, the system operation in the secure mode is not executed.
Since the non-secure mode and the secure mode are subjected the time-division processing, an overhead such as a mode transition and the like is required when the mode is switched.
Another problem is that, when the additional processing 23 is a device driver that is embedded within the OS 21B of the non-secure mode and if the driver is malicious, there is a possibility that control is not returned to the secure mode and the system is fatally damaged.
Patent Document 1, which will be given below, discloses a processor that has a separation area in a system memory, as in the configuration shown in FIG. 24, to provide a normal execution mode and a separation execution mode. In the device described in Patent Document 1, the normal execution mode is a mode in which the processor runs in the non-security environment, that is, in the usual operation mode that has not the security function provided in the separation execution mode with access to the separation area inhibited from the normal execution mode, while the separation execution mode is a mode in which the execution of a predetermined separation instruction is supported. This configuration also requires a mode transition overhead at switching time because the normal execution mode and the separation execution mode are executed in the time division mode.
Another configuration is disclosed in which two processor units and a switch unit are provided. In this configuration, one of the processor units is connected to the public data communication network, and the other processor unit, which is not connected to the public data communication network, functions as a data security unit (see Patent Document 2 which will be given below). In the system described in Patent Document 2, the processor unit connected to the public data communication network and the data security unit are separated by a switch to ensure the security of the data security unit. However, no countermeasure is taken for the processor unit, connected to the public data communication network, against an attack that may result from the execution of the additional processing described above (additional processing downloaded from the network). Although the data security unit is safe, the processor unit connected to the public data communication network has not security mechanism effective for an attack by the additional processing. For this reason, one of the schemes described above must be employed to perform the security management of the processor unit connected to the public data communication network.
A still another configuration is disclosed in Patent Document 3 for use in a system where a separated execution program or the operating system are executed simultaneously on a processor. During the execution of a first program in this configuration, the memory space used only by the first program is set and the communication between the first program and the computer execution environment is performed via a single link, including the use of shared memory space, a dedicated interrupt, or a dedicated I/O port, to protect the execution environment against an incorrect program. In the restricted execution environment, the first program is not allowed to access the resources of the processor except the memory space that is set and the single link. Because, in the system described in Patent Document 3, the first program is not allowed to access the resources of the processor except the memory space that is set and the single link (use of shared memory space, dedicated interrupt, or dedicated I/O port), the first program cannot be used as a device driver and therefore cannot be applied to the additional processing including a device driver.
Patent Document 4, a publication given below disclosing a technology related to the inter-processor communication means used in the present invention that will be described later, discloses the inter-CPU communication scheme for use in a multiprocessor system. Patent Document 4 describes the following configuration as a conventional technology. That is, when a CPU 2 interrupts a CPU 1 during the inter-CPU communication via the shared memory in a multiprocessor system, the CPU 2 writes communication information in its own inter-CPU communication information writing area in the fixed area provided for the CPU 1 to generate an interrupt and, upon detecting the interrupt, the CPU 1 accesses the inter-CPU communication information writing area corresponding to the CPU 2 to execute the interrupt processing. In addition, Patent Document 4 describes an invention that reduces the number of accesses to the shared memory.    Patent Document 1: Japanese patent Kohyo Publication No. JP-P2004-500666A    Patent Document 2: Japanese patent Kohyo Publication No. JP-P2002-542537A    Patent Document 3: Japanese patent Kohyo Publication No. JP-P2002-533791A    Patent Document 4: Japanese Patent Kokai Publication No. JP-A-6-332864