Conventional TVs and cellular phones allow users to download application software (hereafter referred to as "application") so as to add a new function after the purchase of a device (a TV or cellular phone), and to use the downloaded application. Conventionally, access by such an application to the various resources in the device has been limited. Here, examples of the resources in the device include position information such as GPS (Global Positioning System) data, and data held by another application or function, such as a dial function, an address book, bookmarks, and image data. However, in recent years, the access limitation has been eased to allow the development of a variety of applications, and devices which allow access to the position information and to data such as that of the dial function and the address book have become available. It is expected that, in the future, devices will become available which allow users to install device driver software (hereafter referred to as "device driver") so as to add new hardware.
Moreover, conventionally, only specific application development companies developed and distributed applications. However, in recent years, systems are being developed in which general users can develop and distribute applications. In such a system, in order for general users to develop applications easily, the development tools generally used on a personal computer (hereafter referred to as "PC") are made available for application development, and debuggers can be connected to commercially available devices.
At the same time, the leakage of data such as personal information stored in a PC, a cellular phone, or the like has become a problem. Especially on the PC, malicious software downloaded from an open network such as the Internet reads data such as personal information stored in a storage device of the PC, and transmits the data to the outside of the PC via the network against the user's intention. Moreover, such malicious software induces the user to download it by making the user believe, by means of an email or the like, that it is useful software, or by exploiting a vulnerability in software which operates on the PC.
In particular, a device driver can access data that an application has placed in memory, since a device driver typically runs with kernel privileges and is not subject to the access limits that apply to applications. For this reason, in a device to which device drivers can be installed, a device driver can access data, such as personal information, that should not be disclosed to other applications, and the device therefore carries a high risk of leakage.
As described above, a downloaded application (hereafter referred to as "DL application") and a downloaded device driver (hereafter referred to as "DL device driver") can access many resources in the PC, the TV, and the cellular phone. Moreover, general users can develop and distribute applications and device drivers, which increases the threat of attacks against the personal information stored in the device. Specifically, such a situation makes it easier for malicious attackers to develop and install attack applications (hereafter referred to as "malicious applications") and attack device drivers (hereafter referred to as "malicious device drivers"). This enables the malicious applications and the malicious device drivers to access information in the device, which increases the risk of leakage and tampering of information.
Conventionally, there is a method of protecting an original function of a device, such as the telephone function of a cellular phone, from a DL application and a DL device driver by separating the execution environments in which software is executed (see NPL 1, for example). NPL 1 discloses, as methods of separating execution environments, a method using a CPU having a plurality of modes such as a normal mode and a secure mode, and a method using a virtualization technology. FIG. 27 is a diagram showing the conventional method of separating execution environments using a virtualization technology which is disclosed by NPL 1.
In FIG. 27, a virtual machine 30 executes an operating system (hereafter referred to as "OS") and applications which are selected and developed by, for example, a cellular phone telecommunications carrier. A virtual machine 40 executes applications with which an enterprise other than the telecommunications carrier provides scheduling and email services to its employees. Virtualization software 20 provides the virtual machines 30 and 40 with virtual hardware functions obtained by virtualizing hardware 10. In addition, the virtualization software 20 controls the operation of the virtual machines 30 and 40.
The configuration shown in FIG. 27 makes it possible to separate the virtual machine 30, which provides the communication function that is the basic function of the cellular phone, from the virtual machine 40, which provides the services for the employees, each running its own OS.
Consequently, even when, for example, the virtual machine 40 has a function which allows the user to freely download applications and device drivers and a malicious application or a malicious device driver operates on the virtual machine 40, it does not affect the telecommunications carrier's applications and OS which operate on the virtual machine 30. This isolation depends on the virtualization software 20 itself: a malicious device driver in the virtual machine 40 is confined only insofar as the virtualization software 20 correctly mediates access to the hardware 10 and to any resources shared between the virtual machines.
Furthermore, as a method of causing a virtual machine which provides additional services for a device, such as the virtual machine 40, to operate only when needed, there is a method of dynamically creating a virtual machine using a VM creating device (see PTL 1, for example). FIG. 28 is a block diagram showing the conventional virtual machine creating system described in PTL 1.
In FIG. 28, an OS 72 requests a VMM (virtual machine manager) 60 to create a virtual machine. In response, a VM creating device 90 creates a virtual machine 80. Upon creation, the virtual machine 80 is a copy of a virtual machine 70 as it was at the time when the OS 72 requested the creation. Since the copy includes the memory state of the virtual machine 70 at that moment, any data that the virtual machine 70 holds in memory at the time of the request is also present in the virtual machine 80.
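The following Python model is an added example illustrating the two prior-art mechanisms described above, the separation of virtual machines by virtualization software (FIG. 27) and the creation of a virtual machine as a snapshot copy of an existing one at request time (FIG. 28). It is not code from NPL 1 or PTL 1, nor from the system of this document; the class names, the representation of guest memory as a dictionary of named pages, and the sample data written into the virtual machines are assumptions made for illustration. It shows that a malicious driver in one virtual machine cannot read another virtual machine's memory through the VMM, that a copy taken at request time carries whatever the template held in memory at that moment, and that the copy must be a deep copy so that the two virtual machines diverge afterwards instead of aliasing the same pages.

```python
# Added example: a model of virtualization software 20 (FIG. 27) and of VMM 60
# with VM creating device 90 (FIG. 28). Not code from NPL 1 or PTL 1; the
# dict-of-pages memory model, class names and sample data are assumptions.
from __future__ import annotations

import copy
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """Raised when a guest touches memory the VMM did not assign to it."""


@dataclass
class VirtualMachine:
    vm_id: int
    # Guest memory modelled as named pages -> bytes (assumption of this model).
    memory: dict[str, bytes] = field(default_factory=dict)
    # Software loaded in the guest, e.g. "carrier_os", "malicious_driver".
    software: list[str] = field(default_factory=list)


class VMM:
    """Stands in for virtualization software 20 (FIG. 27) and for VMM 60
    together with VM creating device 90 (FIG. 28)."""

    def __init__(self) -> None:
        self.vms: dict[int, VirtualMachine] = {}
        self._next_id = 1

    def _register(self, vm: VirtualMachine) -> VirtualMachine:
        self.vms[vm.vm_id] = vm
        self._next_id += 1
        return vm

    def create_vm(self, software: list[str]) -> VirtualMachine:
        return self._register(VirtualMachine(self._next_id, software=list(software)))

    def create_copy(self, template: VirtualMachine) -> VirtualMachine:
        """PTL 1 style creation: the new VM is a snapshot of `template` taken now.
        deepcopy is essential; a shallow copy would alias the page dict so that
        later writes in either VM would silently appear in the other."""
        return self._register(VirtualMachine(self._next_id,
                                             memory=copy.deepcopy(template.memory),
                                             software=list(template.software)))

    def read(self, caller: VirtualMachine, owner_id: int, page: str) -> bytes:
        """Mediated access: a guest, including any driver inside it, may only read
        pages of its own VM. A real hypervisor learns `caller` from the trap that
        enters it, not from an argument; it is passed explicitly here for simplicity."""
        if caller.vm_id != owner_id:
            raise IsolationViolation(f"VM {caller.vm_id} read VM {owner_id} page {page!r}")
        return self.vms[owner_id].memory[page]

    def write(self, caller: VirtualMachine, owner_id: int, page: str, data: bytes) -> None:
        if caller.vm_id != owner_id:
            raise IsolationViolation(f"VM {caller.vm_id} wrote VM {owner_id} page {page!r}")
        self.vms[owner_id].memory[page] = data


def demo() -> dict[str, object]:
    vmm = VMM()
    # Virtual machine 30: carrier OS and telephone function, holding the address book.
    carrier = vmm.create_vm(["carrier_os", "telephone_app"])
    vmm.write(carrier, carrier.vm_id, "address_book", b"Alice:090-0000-0000")  # constructed data
    # Virtual machine 40: enterprise services, into which the user later loads a
    # malicious device driver.
    worker = vmm.create_vm(["enterprise_os", "email_app"])
    worker.software.append("malicious_driver")
    vmm.write(worker, worker.vm_id, "mailbox", b"quarterly report draft")  # constructed data

    # FIG. 27 property: the driver in VM 40 cannot reach VM 30's address book.
    try:
        vmm.read(worker, carrier.vm_id, "address_book")
        cross_vm_read_blocked = False
    except IsolationViolation:
        cross_vm_read_blocked = True

    # FIG. 28 property: a copy taken at request time carries VM 40's memory as it
    # was then, mailbox included, and diverges from the original afterwards.
    clone = vmm.create_copy(worker)
    vmm.write(worker, worker.vm_id, "mailbox", b"edited after the copy")

    return {
        "cross_vm_read_blocked": cross_vm_read_blocked,
        "clone_mailbox_snapshot": vmm.read(clone, clone.vm_id, "mailbox"),
        "original_after_edit": vmm.read(worker, worker.vm_id, "mailbox"),
        "clone_software": clone.software,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the copied virtual machine inherits not only the template's memory contents but also the software loaded into it, so a malicious device driver present in the template at request time is present in the copy as well.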