JP2003036206A - Unauthorized access monitoring device, IC card, unauthorized access monitoring method - Google Patents

Abstract

(57) [Summary] [Problem] To provide an unauthorized access monitoring device, an IC card, and an unauthorized access monitoring method that use a simple configuration to prevent an application from illegally accessing a predetermined memory area and also prevent reverse engineering. provide. An access monitoring unit monitors access to a predetermined memory area, and a detection signal generation unit outputs an unauthorized detection signal indicating that there is an unauthorized access based on a monitoring result of the access monitoring unit and access information. Provided are an unauthorized access monitoring device, an IC card, and an unauthorized access monitoring method that occur.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an unauthorized access monitoring device, an IC card, and an unauthorized access monitoring method for monitoring unauthorized access to a memory area, preventing the unauthorized access, and preventing reverse engineering.

[0002]

2. Description of the Related Art Currently, a magnetic recording card is used as a means for easily authenticating an individual. The magnetic recording card is used as, for example, a bank card, stores an ID for identifying an individual in the magnetic recording card, causes a predetermined card reader to recognize the magnetic recording card, and causes the ID to be read. The main usage is to authenticate an individual by the user entering the corresponding password.

Further, in recent years, IC (Integrated Circuit) cards are becoming popular in place of the above magnetic recording cards. Since the IC card can easily rewrite the stored information, it is possible to provide a wider variety of services than the magnetic recording card. For example,
As a service using the IC card, information corresponding to banknotes, coins, and the like is stored in the IC card as electronic money, and using the IC card, the user can shop at various places as if he / she has cash. There is a money service.

In the above electronic money service, for example, IC
The card is provided as a dedicated card for electronic money services. When the IC card is provided only for a predetermined service, the IC card is an application 250 that provides an electronic money service on, for example, an IC card OS (Operating System) as shown in FIG.
1 works. In this configuration, the application 2
Since 501 is dedicated to the electronic money service, it does not need to be rewritten, that is, it is stored in the ROM 2403, for example, like the IC card OS.

Further, in addition to the electronic money, an IC card that can receive various services with one card has been developed. That is, for example, the IC
The card stores user information such as the owner's (user's) address and telephone number, and uses the user information stored in the IC card to receive administrative services, or when a doctor has previously diagnosed the patient. By storing information such as a medical record (treatment history), it is a multi-purpose IC card that can receive an appropriate diagnosis based on the treatment history when a different doctor is consulted.

In the above multipurpose IC card, FIG.
As shown in FIG. 3, an EEPROM (Electrically Erasable) is stored in the IC card OS stored in the ROM 2403.
By storing a plurality of applications 2501-2503 in the Programmable Read-Only Memory 2405,
A typical configuration is to provide a plurality of services with a single IC card. The EEPROM is FeRAM.
(Ferroelectric RandomAccess Memory) etc.,
That is, any rewritable nonvolatile memory may be used.

With this configuration, for example, by storing the application in the readable / writable EEPROM 2405 and downloading or erasing the application as needed, it becomes possible to provide the function required by the user at any time.

An IC card system using a conventional IC card will be described below with reference to FIGS. 24, 25, 26 and 27.

In FIG. 24, the IC card 2401 is
CPU (Central Processing Unit) 2402, ROM
(Read Only Memory) 2403, RAM (Random Acces
s Memory) 2404, EEPROM 2405, EEPR
An OM writing circuit 2406 and an external communication circuit 2406 are provided. The EEPROM writing circuit 2406 is used to obtain a high voltage necessary for erasing data when rewriting the information stored in the EEPROM 2405.

When the IC card 2401 provides a function provided in the application 2603, for example, the CPU 2402 first reads and executes the IC card OS stored in the IC card OS storage area 2607 in the ROM 2403, and the IC card concerned is executed. Under the control of the OS, for example, the application stored in the application storage area 2603 in the EEPROM 2405 is read and executed.

Here, the IC card OS has, for example, a memory area required for various calculations in the RAM 2404.
It is secured as a work area 2602. Similarly, the application secures an application work area 2601 in the RAM 2404 and uses it for various calculations as needed.

Information used by the IC card OS and various applications, for example, each IC card 240 is used.
The card ID information unique to No. 1, the key information for decryption, the index information indicating the writing area, and the like are the work area of the OS (OS work area 260
5) That is, stored (stored) in the EEPROM 2405.
Has been done. Further, various information of the user who uses the IC card is stored in, for example, the user information storage area 2604.

The basic operation and configuration of the IC card 2401 have been described above, and a case where the IC card provides the function of electronic money will be briefly described. When the IC card provides the electronic money function, various processes for causing the IC card to perform the electronic money function are described in a predetermined programming language and stored in the ROM 2403 or the EEPROM 2405 as an application.

First, when the IC card functions as electronic money, for example, the amount information of the IC card 2401 is stored in the OS work area 2605 in the EEPROM 2405. The amount information is the IC card 24
This is a value in which the price of the product is reduced by purchasing the product using 01, for example, 10,000.
It can be shown as a circle.

When the user of the IC card 2401 purchases a product of 3000 yen using the IC card 2401, the user uses the IC card 2401 as an IC.
The card reader / writer 2408 is inserted. However, the I
When the C card 2401 can read and write in a non-contact manner (non-contact type IC card), it is only necessary to bring it closer to a distance where the IC card reader / writer 2408 can communicate.

The IC card reader / writer 2408 has an I
When the C card 2401 is inserted, the IC card 24
The application 2603 in 01 is the external communication circuit 2407 that constitutes the IC card 2401 and the I
Host PC 24 via C card reader / writer 2408
09 to authenticate each other's devices (IC card and IC card reader / writer, or IC card and host PC) as to whether or not they are valid communication destinations. The authentication is performed as follows. That is, when the application needs to perform authentication, the OS-API (Applicatio
(n Program Interface) entry 2606 (memory area) and calls a predetermined API provided by the IC card OS.

Here, for example, when the authentication API is called, the IC card OS calls another API described in the authentication API or a subroutine in the IC card OS to perform a predetermined process, thereby performing IC processing. Authentication with the card reader / writer 2408 or the host PC 2409 is performed. For example, if there is a problem with the authentication, “1” is returned, and if there is no problem, “0” is returned to the application 2603 as a result code.

The application 2603 that has received the result code then performs processing according to the received result code.

If it is confirmed by the above authentication that the mutual devices are valid, then the host PC 2409
A request for reducing 3000 yen from the amount information is transmitted to the IC card 2401 via the IC card reader / writer 2408.

When the application receives the 3000 yen reduction request, the IC card OS is requested to reduce 3000 yen from the amount information stored in the OS work area 2605 by using a predetermined API as described above. Send.

I received a request for a reduction through the above API
The C card OS confirms the money amount information in the OS work area (internal processing 1, FIG. 27: S2701), and if the money amount information is larger than the requested amount, deducts 3000 yen (internal processing 2, FIG. 27: S2702). ), And notifies the application 2603 of the information indicating the reduction (internal processing 3, FIG. 27: S2703). The command received through the API (S2701 to 2703 above) is the IC card O
This is executed as the processing of S (internal processing).

Next, the application that has received the notification communicates with the host PC 2409 via the external communication circuit 2407 and the IC card reader / writer 2408,
Information indicating that 3000 yen has been reduced from the amount information in the IC card 2401 is notified. The above host PC
The API, for example, is also used for communication with the 2409.

As described above, the money amount information stored in the IC card 2401 is reduced (changed) by a predetermined amount, and the information indicating the reduction is the host PC 2409.
Be recognized in. Thereafter, the information indicating that the amount has been reduced is sent to the server system 2411 that manages the electronic money from the host PC via the Internet 2410, for example.
Is transmitted to the server and various processes (use history management, etc.) are performed.

The above is the outline of the electronic money service using the IC card. Furthermore, in the configuration in which the IC card has a plurality of functions, that is, in the configuration in which an application is downloaded or erased as necessary as shown in FIG. As with the processing of monetary information, I
Host PC 24 via C card reader / writer 2408
Various applications can be downloaded by communicating with 09.

[0025]

According to the above-mentioned conventional IC card, various applications can be downloaded in order to make the IC card versatile and to allow highly flexible operation. In addition, when an application is downloaded, it is usually authenticated whether the application is correct (trustworthy).

However, even if there is no problem in the above authentication, the downloaded application is not always reliable, and it is sufficiently expected that a malicious application will be downloaded after clearing the above authentication. It

Once the malicious application is downloaded into the IC card and executed further, it becomes possible to freely access important information in the IC card, such as user information, amount information, and card ID information. Various troubles such as loss and leakage of the important information may occur.

In other words, in the conventional IC card, when a malicious application clears the authentication and is downloaded into the IC card and executed, the malicious operation (processing) of the malicious application, for example, the application. However, there has been no protection measure against unauthorized access to a memory area that cannot be accessed conventionally.

In addition, even an application having no malicious intent, for example, erases stored data by performing an illegal access to a memory area or the like which is conventionally inaccessible due to an unexpected operation due to a bug or the like. It may be processed.

Furthermore, as a technique for preventing unauthorized access to a predetermined memory area, an MMU (Memory Man) installed as hardware in a general-purpose personal computer or the like.
It is also possible to use the agement Unit). However, the MMU is applied to a relatively large-scale computer using a large amount of memory, handles only a small amount of memory such as an IC card, and limits physical size and strength (than the card size). It is difficult to apply it to a system that is small and needs to have some flexibility).

That is, an IC chip that realizes the function of an IC card is usually embedded in a card made of plastic. Therefore, it is necessary to assume that the card itself is easily bent or pressure is applied, and the size of the IC chip itself is limited, so that there is a restriction that a complicated circuit cannot be built in. Further, among IC cards, a non-contact type IC card is connected to the IC card reader / writer via an antenna formed in the IC card.
Since power is supplied to the C chip, there is a restriction that the supplied power is extremely small and a complicated circuit cannot be driven.

Due to the above-mentioned restrictions, it is difficult to apply the above-described MMU to the IC card, and unauthorized access to a predetermined memory area can be performed by a simple circuit suitable for the characteristics of the IC card. It is essential to realize it.

In addition, the IC card often plays an alternative role of money, and is easily the target of reverse engineering. Therefore, even if any countermeasure is taken against fraud, the countermeasure may be meaningless by being analyzed by reverse engineering or the like.

The present invention has been proposed based on the above conventional circumstances, and uses a simple structure to prevent unauthorized access to a predetermined memory area by an application and also to prevent reverse engineering. An object is to provide an unauthorized access monitoring device, an IC card, and an unauthorized access monitoring method.

[0035]

The present invention employs the following means in order to achieve the above object. That is, the present invention is premised on an unauthorized access monitoring device that monitors unauthorized access to a memory area. Here, the access monitoring means monitors access to a predetermined memory area,
The detection signal generating means generates a fraud detection signal indicating that there is an unauthorized access based on the monitoring result of the access monitoring means and the access information. The access information is information that can identify the program that is accessing the memory area, and is, for example, information that indicates whether the access is by the OS. The access information may be managed by the access information management means, and in this case, the access information management means transmits the access information to the detection signal generation means.

With the above configuration, it is possible to monitor the access to the predetermined memory area and, when the predetermined memory area is accessed, further determine whether the access is from the OS or the application. Becomes
Therefore, by knowing the access to the memory area where the access by the application is prohibited, it is possible to prevent various troubles such as the loss or leakage of the important information by the malicious application.

Further, in the configuration including the interrupt signal generating means for transmitting the interrupt signal to the CPU upon receiving the illegality detecting signal generated by the detecting signal generating means, a predetermined program is executed when an illegal access is made. Since it is possible to execute, it becomes possible to deal with various unauthorized access.

Furthermore, the access monitoring means includes an address storage means for storing an address of a predetermined memory area, and C
Comparing means for monitoring access to the predetermined memory area by comparing the address acquired from the address bus used when the PU accesses the memory area with the address of the predetermined memory area stored in the address storing means And a configuration in which the CPU monitors the control bus that transmits an instruction when the CPU accesses the memory area, and outputs the monitoring result according to the instruction.

With this configuration, it is possible to perform access monitoring corresponding to various access modes (reading, writing, etc.) of the CPU.

The access information management means is configured to control access information based on a command received via a predetermined interface used when an application uses a function provided by the OS, and for example, a predetermined interface is used. , API, it is possible to easily manage the access information by using the conventional technique.

Furthermore, by including the address of the external communication circuit or the EEPROM writing circuit used for communication with the outside in the predetermined memory area, the external communication circuit or the E
It is possible to monitor unauthorized access to the EPROM writing circuit.

Further, there is a configuration in which the interrupt processing is used to prevent the OS from intervening in the unauthorized access monitoring processing.

With this configuration, by coordinating the processing between the applications by using the interrupt processing by the hardware, it is possible to surely prevent the malfunction and the unauthorized access by the software (program), and therefore, the address information described later. It is possible to solve the update problem and the access information update problem, and to make it possible to link the processes between the applications.

Furthermore, there is provided program notifying means for monitoring the control bus and notifying the program being executed on the basis of the instruction and the address obtained from the address bus and the address stored in the address storing means. There is a configuration for changing the access information based on.

Even with this configuration, the address information update problem and the access information update problem, which will be described later, can be solved and the application can be easily described as a series of processes, so that the application development efficiency can be improved. Become.

As a structure for preventing a reverse engineer, a clock is input from a clock supply means for supplying a clock to a CPU, and a determination means for determining whether or not the speed of the clock is normal and a result determined by the determination means Based on this, there is a configuration including an invalidation unit that transmits a fraud detection signal to the interrupt signal generation unit.

The above-mentioned judging means judges whether or not the speed of the clock given to the CPU is normal by comparing the inputted clock with the reference voltage which is the threshold value for transmitting the fraud detection signal, and the inputted clock. And a clock generated by an independent clock generating means for generating a clock independent of the clock given to the CPU,
There is a configuration for determining whether or not the speed of the clock given to the CPU is normal.

The above-mentioned unauthorized access monitoring device can be configured by a simple circuit or program, and therefore can be easily applied to an IC card having physical size and strength restrictions. That is, the unauthorized access monitoring device
It can be applied to IC cards without problems.

Conventionally, there is no means for preventing the illegal operation (processing) of the malicious application downloaded in the IC card, but the illegal access monitoring device is
By providing the C card, it is possible to prevent the illegal operation (processing).

[0050]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the accompanying drawings to provide an understanding of the present invention.
It should be noted that the following embodiment is an example in which the present invention is embodied, and does not limit the technical scope of the present invention. Further, in the following embodiments, in order to provide understanding,
The OS and the application are used properly.
Both S and the application are programs.

(First Embodiment) FIG. 1 shows the first embodiment.
2 is a schematic functional block diagram of an unauthorized access prevention device and an IC card in FIG. Here, the IC card according to the first embodiment has the CPU 102, the ROM 103, and the RAM 1 similarly to the configuration of the IC card described in the above-mentioned related art.
04, EEPROM 105, EEPROM writing circuit 10
6 and the external communication circuit 107.

Here, as in the prior art, for example, the above RA
An application work area 301 and an OS work area 302 are secured in the M104 as shown in FIG.
In the application storage area 303 of the OM 105, the application (program) is stored in the user information storage area 3
User information and the like are stored in 04, and an OS work area 305 is secured if necessary. Furthermore, the external communication circuit 107 is used when communicating with an IC card reader / writer or an external terminal such as a host PC, and EEPRO
The point that the M writing circuit 106 is used to obtain a high voltage necessary for erasing data when rewriting the information in the EEPROM 105 is also similar to the above-mentioned conventional technique.

In the first embodiment, in addition to the above, the access monitoring means 110 and the detection signal generating means 11 are further added.
1, the access information management means 112, and the interrupt signal generation means 113 are provided to configure the unauthorized access monitoring device 100, and the details of the processing of each means will be described later.

First, referring to FIGS. 1, 2, and 3, the CPU
102 is a ROM 103, a RAM 103, and an EEPROM 1
A method of reading and writing data (including programs) stored in 05 will be described.

When reading data in a certain memory area in each memory, the CPU 102 uses three buses connected to each memory by the CPU 102. That is, here, the address bus 201, the data bus 202, and the control bus 203.

When the CPU 102 reads out predetermined data from the data stored in each of the memories, the ROM 103 and the RAM 1 via the address bus 201.
04, the target address is transmitted to the EEPROM 105. At this time, by sending a "read" command from the control bus 203 at the same time, the fact that the data stored at the address is read out is transmitted. The above address,
Each memory receiving the "read" command reads the content of the address from the above address if the corresponding address is the address assigned to itself. Next, the CPU
Reference numeral 102 denotes the signal (content) read by each memory,
Received via the data bus 202.

The above is the process of reading data from each memory. When writing data, the CPU 102
An address is sent via the address bus 201, a “write” command is sent via the control bus 203, and data to be written is sent via the data bus 202.

The memory receiving the above-mentioned signals (commands) writes the data by storing the transmitted data in a predetermined memory area.

Now, the reading and writing are performed by the CPU 102, but it is the IC card OS that controls the CPU here, and the IC card O
Under the control of S, the application performs various processes. The application secures a work area required for processing the application as the application work area 301 in the RAM 104, for example.

Here, for example, an IC card OS or the like capable of executing a plurality of applications is provided with an interface, for example an API, for providing the above-mentioned applications with the basic functions of the IC card OS. The API is, for example, the OS-AP in the ROM 103 of FIG.
It is stored in the I entry, called by the application, and then executed by the IC card OS. Specifically, when the application requires the address of the user, for example, the application acquires the address acquisition A.
Call PI. When the address acquisition API is called, the IC card OS reads the user's address from the user information storage area 304 stored in the EEPROM 105 by executing the address acquisition API, and notifies the application of the address. To do.

The above is the general processing of the application, that is, the memory area read (accessed) by the application is limited to the application work area 301 and the OS-API entry 306. In other words, the application is a memory area other than the application work area 301 and the OS-API entry 306, that is, the OS work area 302, the application storage area 303, the user information storage area 304, the OS work area 305, the IC card OS storage area 307. When the user accesses to, the access can be considered as an unauthorized access (unauthorized access).

In order to detect the unauthorized access, first, it is necessary to recognize whether the program accessing each memory area is the IC card OS or the application. The recognition is the access information management means 112. It can be recognized by the access information managed by. That is, first, the IC card OS is activated and the I
When the C card OS runs a predetermined application, the IC card OS executes the application by EEPR.
After reading from the application storage area 303 in the OM 105,
A command for changing the access information to, for example, "1" is transmitted (FIG. 5B: S510).

"1" of the access information indicates that the application mode, that is, the program currently operating (processing) on the CPU is an application.

It is assumed that the above-mentioned application needs to refer to the user's address contained in the user information 304, for example, by performing processing using the application work area 301 to provide various functions. In this case, the application calls, for example, the address acquisition API from the OS-API entry 306, and executes the process.
Hand over to C card OS.

The IC card OS to which the processing is handed over together with the call for the address acquisition API first sends the access information to the access information management means 112 in the first processing in the API (address acquisition API). Send an instruction to change to 0 "(OS mode) (FIG. 5 (b): S51
1).

Upon receipt of the above command, the access information management means 112 changes the content of the managed access information to "0" (FIG. 5 (b): S511 Yes → S512, FIG. 4 :).
S401).

After the content of the access information is changed to "0", the IC card OS may change another API,
By accessing and executing various subroutines stored in the IC card OS storage area 307, for example, internal processes 1 to 3 (FIG. 4: S402 to S404) are executed.

When the acquisition of the user's address stored in the user information 304 by the internal processes 1 to 3, here the IC card OS, is completed, the IC card OS makes access information to the access information management means 112. Send an instruction to change to "1" (application mode).

Upon receipt of the above command, the access information management means 112 changes the content of the access information to be managed to "1" (FIG. 5 (b): S513 Yes → S514, FIG. 4 :).
S405).

As described above, by inserting the instruction to change the access information at the beginning and the end of the API, the predetermined memory area is accessed as the OS mode when the API provided by the IC card OS is used. can do. By using the API, the access information can be easily managed by using the conventional technique.

Next, based on the above-mentioned access information state, the access monitoring means 110 and the detection signal generating means 1
11 and the processing of the interrupt signal generating means 113 will be described.

The access processing to each memory by the CPU 102 is as described above, but the access monitoring means 110 constantly monitors the address bus 201 (FIG. 5 (a): S501). That is, when the CPU 102 accesses each memory, the access monitoring unit 110 can know the access and the memory area (memory address) being accessed (FIG. 5A: S502). ).

When the access is made, the comparison means 202 constituting the access monitoring means 110 has a memory area for monitoring the access, that is, here, the OS work area 302, the application storage area 303, and the user information storage area 304. , OS work area 305, IC card OS
The address is read from the address storage unit 201 that stores the address (range: memory area) of the storage area 307 and is compared with the memory address currently referred to by the CPU 102.

Here, the comparing means 202 compares the address stored in the address storing means 201 with the address currently referred to by the CPU 102, and when they match (or are within the range), Notifies the detection signal generating means 111 that the access may be an unauthorized access to a predetermined memory area (FIG. 5 (a): S503 Yes → S504).

Subsequently, the detection signal generating means 111, which has received the notification from the access monitoring means 110, refers to the access information managed by the access information management means 112 (FIG. 6 (a): S601 → S602).

Here, when the access information is "1" (application mode), the access to the memory area is not the access by the IC card OS but the access by the application, that is, the unauthorized access. Therefore, a fraud detection signal is transmitted to the interrupt signal generating means 113 (FIG. 6A: S603Ye).
s → S604).

When the interrupt signal generation means 113 receives the fraud detection signal from the detection signal generation means 111, it outputs C
An interrupt signal is transmitted to the PU 102 (see FIG. 6).
(B): S610 → S611).

When the CPU 102 receives the interrupt signal,
The processing of the application that had been done until then is interrupted,
For example, a routine called a predetermined interrupt handler, that is, a program is executed in response to an interrupt signal.

Here, the CP performed when the interrupt signal is received
Although any processing may be performed by the U102, for example, the application may have malicious intent, so that the function of the IC card itself is stopped or only the application is deleted. Such processing is possible.

As described above, the access to the predetermined memory area is monitored, and when the predetermined memory area is accessed, it is further determined whether the access is from the OS or the application. It is possible to know the access to the memory area for which access by the application is prohibited. Therefore, it is possible to prevent various troubles such as loss or leakage of important information due to a malicious application.

Further, each of the above means (access monitoring means 11
0, access information management means 112, detection signal generation means 1
Since 11 and the interrupt signal generating means 113) can be configured by a simple circuit or program, they can be easily applied to an IC card having physical size and strength restrictions.

Furthermore, in the past, there was no means for preventing the illegal operation (processing) of the malicious application downloaded in the IC card. However, by applying the present invention, the illegal operation (processing) is prevented. It becomes possible to prevent it.

The access information management means 112 is
For example, although the access information is stored in the register of the CPU 102, it is not always necessary to store it as information.
The access information management means 112 may transmit a signal for turning on / off the operation to the detection signal generation means 111.

Furthermore, the access monitoring means 110 described above.
By monitoring the control bus 203 in addition to the address bus 201, it becomes possible to further monitor unauthorized access according to data reading and writing. That is, it is possible to perform a process in which the application is allowed to access at the time of reading but the access is illegally performed at the time of writing.

(Second Embodiment) In the second embodiment, a case will be described in which the access monitoring means 110 monitors unauthorized access to the external communication circuit 107 and the EEPROM writing circuit 106.

In the above-described first embodiment, the CPU 102 makes the R
The access processing to the OM 103, the RAM 104, and the EEPROM 105 has been briefly described.
The external access circuit 102 also accesses the external communication circuit 107 and the EEPROM writing circuit 106 in the same manner.

That is, when viewed from the CPU 102, the same addresses as those in the above memories are given to the external communication circuit 107 and the EEPROM writing circuit 106, and CP
The U 102 transmits and receives predetermined data by transmitting a command and data to the address.

Therefore, the external communication circuit 107 and the EEPROM writing circuit 1 are stored in the address storing means 201 which constitutes the access monitoring means 110 in the first embodiment.
By storing the address 06, it is possible to monitor unauthorized access to the external communication circuit 107 and the EEPROM writing circuit 106.

(Third Embodiment) Next, the third embodiment will be described.
In the IC card 1
A process for operating on 01 will be described.

FIG. 7 shows the RAM 104, the EEPROM 105, and the RO when a plurality of applications (application A, application B) are executed.
It is an image figure of each memory area of M103. That is, when, for example, two applications A and B stored in the application storage area 303 are respectively executed, the application work area 301 includes the application A work area 701, which is the work area of the application A, and the application A work area 701. An application B work area 702, which is a work area, is provided.

Here, for example, it is assumed that the application A is an unauthorized application. If the application A can freely access the application B work area 702, it is conceivable that the application A may prevent the application B from functioning normally, or the function of the application B may be abused.

To give a concrete example, for example, the downloaded application A is a program for conducting electronic commerce, and the application A uses the electronic money management program (application B) provided in advance in the IC card to perform electronic transactions. This is the case when the amount of money corresponding to a commercial transaction is reduced. If the application A can illegally access the electronic money management program, the electronic money stored in the IC card is not reduced even if the electronic money transaction is performed to purchase the article. Will be possible.

Therefore, in the third embodiment, immediately before the IC card OS passes the processing to the application, that is, when the command for changing the access information to “1” is transmitted to the access information management means 112, The contents of the address storage means 201 in the access monitoring means 110 are changed.

For example, when processing is transferred to the application A, the IC card OS uses the address storage means 2
The address of the application B work area 702 is stored in 01. As a result, for example, the application A is subsequently used by the application B work area 70.
When 2 is accessed, the detection signal generation means 111 issues a detection signal as described in the first embodiment. That is, the application A cannot access the memory area related to the processing of the application B. Of course, when the processing is transferred to the application B, the IC card OS stores in the address storage unit 201.
The address of the application A work area 701 is stored, and the address of the application B work area 702 is deleted.

As described above, by making the address stored in the address storage means rewritable by the IC card OS, it is possible to prevent unauthorized access between applications even when a plurality of applications are activated. It will be possible.

The memory address of each application work area may be determined in advance, or may be a memory address dynamically assigned when starting each application.

(Fourth Embodiment) Next, a fourth embodiment will be described.
In the following, a monitoring process for unauthorized access that does not depend on the OS will be described.

In the above-described first to third embodiments, description has been made assuming that the application has malicious intent or bug. However, the OS is also a broad application and may be provided as a malicious program. In addition, the OS tends to have a larger program scale (the number of steps) than the application, and it can be said that there is a higher possibility that the OS has a bug. It is not preferable to completely trust such an OS from the viewpoint of security.

The disadvantages of the first to third embodiments are as follows. Specifically, when operating a plurality of applications in the first to third embodiments, the address to be stored in the address storage means 201 is changed. , Point that needs to be updated by OS (hereinafter referred to as address information update problem),
Further, in the access information stored in the access information management unit 112, the OS needs to change whether the program currently being processed is the OS or a program other than the OS (application). (Hereinafter referred to as the access information update problem).

In other words, it can be said that it is better to avoid the execution of the above security-related processing by an OS that is not sufficiently trusted.

Therefore, three examples of configurations for easily solving the above problems will be given below. However, it is stated in advance that the following example does not sufficiently solve the above problem, and each problem is also described.

The first example has a configuration in which a plurality of CPUs are provided. That is, for example, as shown in FIG. 8A, in the IC card 801, for example, two applications (application 1 (802) and application 2 (8
05) OS on different CPUs 804 and 807 respectively
1 (803) and OS2 (806). By doing so, an embodiment similar to that of the above-described first embodiment is realized, the address update problem can be solved, and a plurality of applications can be executed by one IC card.

However, the above-mentioned access information problem still remains, and the same number of CPUs as the number of applications that can be executed at the same time are required, and the cost of the IC card increases. In addition, the application 1 (802) and the application 2 (80
There is a new problem that cooperation processing with 5) cannot be performed.

Next, a second example is shown in FIG. In the IC card 810, for example, two applications (application 1 (812), application 2
(815) is operated on the same CPU 817. At this time, control of each application is controlled by OS1 (8
13), OS2 (816). Since the OS is assigned to each application, as a result, the OS
Can be regarded as an application,
An application 1 memory area 811 and an application 2 memory area 814 are allocated respectively.

In this case, the problem that the cost of the IC card becomes high is solved, and since one OS is assigned to one application, access between the application 1 (812) and the OS 1 (813) is performed. No information processing is required. However, it is necessary to process access information between the application 1 memory area 811 and the application 2 memory area 814. Further, for example, when the application 1 accesses the application 2 memory area 814, the access monitoring means 110, the detection signal generating means 111, and the interrupt signal generating means 113 stop the processing, for example. As a result, the problem that cooperation processing cannot be performed between the application 1 (812) and the application 2 (815) cannot be solved.

Next, FIG. 9 shows a third example. Third example IC
In the card 901, in the IC card 810,
Shared area 9 that is not monitored by the access monitoring unit 110
02 is provided. Here, for example, the application 1 (812) writes a command to the application 2 (815) in the shared area 902, and the application 2 (815) reads the command from the shared area 902 and executes the command. Is written in the shared area 902. Subsequently, the application 812 continues the process by reading the result from the shared area 902.

With this configuration, it is possible to perform the cooperative processing between the applications at first glance, but here, for example, it is necessary to notify the application 2 (815) of the information indicating that the application 1 (812) has written the command. is there. However, the above application 1 (812)
Sends the above notification via OS1 (813),
Since 1 (813) is present, the problem cannot be solved. Of course, it is out of the question that the application 1 (812) directly calls the application 2 (815).

Therefore, in the fourth embodiment, the unauthorized access monitoring apparatus having stronger security by avoiding execution of security-related processing by the OS,
The processing of the IC card will be described.

In order to provide an understanding of the fourth embodiment,
First, the outline of the conventional interrupt processing will be briefly described with reference to FIG.

Data transfer from a device such as a keyboard or a mouse to the CPU is performed completely asynchronously with the processing of the CPU. For this reason, it is inefficient if the CPU waits for a keyboard input that is unknown when it will occur. Therefore, the interrupt processing is to cause the CPU to execute another program, interrupt the processing of the other program when the input from the keyboard occurs, and cause the keyboard processing to be performed.

The above example will be specifically described with reference to FIG. FIG. 10 is a schematic diagram for explaining the interrupt processing.

First, the CPU 1001 has the memory 1002.
The program is read from a predetermined address of and the program is sequentially executed. Here, for example, the CPU 100
It is assumed that 1 is executing the command stored in the address B of the program 1010 stored in the address A to the address C. The address B of the command currently being executed is the program counter 1003 of the CPU 1001.
The address of the program counter 1003 is changed every time each command is executed.

Here, when an input is made from a device 1004 such as a keyboard or a mouse, an interrupt signal 1005 is transmitted from the device 1004 to the CPU 1001. Here, an interrupt is determined for each device, and for example, the interrupt from the device 1004 is “interrupt 1”.

The interrupt signal 1005 is the CPU 100.
1, the CPU 1001 temporarily saves the address B of the currently executing program 1010 stored in the program counter 1003, and refers to the interrupt vector 1 (1006) corresponding to the “interrupt 1”. To do. Here, the interrupt vector is a memory area containing the address of the interrupt handler, and the interrupt handler is a small program code executed when an interrupt occurs.

The CPU 1001 refers to the interrupt vector 1 (1006) to obtain the address of the interrupt handler, that is, the interrupt program 1 (1008) stored from address C to address D here.

When the CPU 1001 obtains the start address of the interrupt program 1 (1008), the CPU 1001 stores the start address in the program counter 1003 and sequentially executes the interrupt program 1008.

As a result, the instruction input from the device 1004 is executed as the interrupt program 1 and the mouse cursor is moved, for example.

When the processing of the interrupt program 1 (1008) is completed, the saved address B is written in the program counter 1003, and the program 1010 is executed from the address B.

The above is an example of conventional interrupt processing.
The interrupt process is started by an interrupt signal, and a predetermined interrupt program is executed. Therefore, it can be said that the process is very reliable.

The conventional interrupt processing has been described, but in the fourth embodiment, stronger security is realized by using the interrupt processing.

First, the relationship between the applications in the fourth embodiment will be briefly described. FIG. 12 shows that the application 1 (1
205) is the image being executed, and the application 2 (1209) can also be executed if necessary. Specifically, as described in the third embodiment, for example, the downloaded application 1 is a program for conducting electronic commerce, and the application 1
However, there may be a case where an electronic money management program (application 2) provided in advance in the IC card is used to reduce the amount of money according to the electronic commerce. still,
In the fourth embodiment, the application 1 (1205)
For example, the application (1209) does not operate as multitask using time sharing, and the application 1 (1205) calls the application 2 (1209).

The above application 1 (1205)
Are stored in the application 1 memory area (1204), and the application 1 memory area (1
204) is another program OS1 (1206)
And an interrupt program 1 (1207) are stored to form a group of programs. For the sake of understanding, for example, the application 1 (1205) and the OS 1 (120
There is no problem if 6) is defined together as application 1.

Furthermore, application 1 memory area 12
As with 04, an application 2 memory area 1208 is provided, and application 2 (1209), OS2
(1210) and the interrupt program 2 (1211) are stored. Of course, when there are further applications 3 and 4, the applications 3 and 4 memory storage areas are similarly provided.

Access to the application 1 memory area 1204 and the application 2 memory area 1208 is monitored by the access monitoring means 1101. Others are provided with a detection signal generation means 1108, an interrupt signal generation means 1106, an access information management means 1108, and a shared area 1202, but the details of the processing will be described in order.

FIG. 11 shows the hardware configuration of the image shown in FIG.

In FIG. 11, the access monitoring means 1
The address of the memory area stored by the address storage unit 1102 forming 101 is stored in units of applications. That is, the address of the memory area corresponding to the application 1 memory area 1204 in FIG.
It is stored at address 1103 of the application 1 memory area, and is also stored in the application 2 memory area 1
The address of the memory area corresponding to 208 is stored in the address 1104 of the application 2 memory area. The application unit may be an address composed of a memory area in which a predetermined application (program) is stored and a memory area permitted to be accessed by the application (program).

Further, the memory image 130 shown in FIG.
1 is a ROM 103, a RAM 104, an EEPROM 105
It is an image showing the area of each program above. The memory image 1301 stores a program belonging to the application 1 memory area 1204 and a program belonging to the application 2 memory area 1208,
Further, a memory used as a shared area (shared area 12
02) is secured.

That is, the interrupt vector 1 (1310), application 1 (1311), OS 1 (1312), interrupt program 1 (1313), data 1 (1314) shown in the memory image 1301 are stored in the application 1 memory area 1204. And the data used by the program, the address of which is the address 1 of the application 1 memory area.
It is stored in 103.

Similarly, interrupt vector 2 (132
0), application 2 (1321), OS2 (13
22), interrupt program 2 (1323), data 2
(1324) is the application 2 memory area 1
A program belonging to 208 and data used by the program, the address of which is stored in the address 1104 of the application 2 memory area.

Next, based on the above configuration, the operation of each application will be described below. For the sake of understanding, the processing of the application 1 (1205) is the processing shown by the broken line 1420 in FIG. The access information stored in the access information management means 1108 is
It is assumed that the currently operating program is “1” indicating that it belongs to the application 1 memory area 1204.

First, in the state where the application 1 (1205) is performing the internal processing 1 (S1401), for example, access to each memory from the CPU 102 is always interrupt vector 1 (1310), application 1
(1311), OS1 (1312), interrupt program 1 (1313), data 1 (1314),
Alternatively, the access is to the shared area 1202. The access is performed by the comparison means 1105 via the address bus 201.
Is constantly monitored. Here, the comparison means 1105
Based on the address stored in the address storage means 1102 and the address obtained via the address bus 201, "1" indicating that the memory area currently accessed corresponds to the application 1 memory area 1204 is set. It is outputting.

Upon receiving the output "1", the detection signal generation means 1108 acquires the access information from the access information management means 1107. Here, since the access information is “1” indicating that the currently operating program belongs to the application 1 memory area 1204, the detection signal generation means 1108 does not generate a detection signal.

In the state where the application 1 (1205) is performing the processing (FIG. 14: S1401), the value of the access information is “1”, so the memory image 1
It is in the state of 301. That is, the memory image 13
Interrupt vector 2 which is the area indicated by the dot in 01
(1320), application 2 (1321), OS
2 (1322), interrupt program 2 (1323),
Data 2 (1324) indicates a state where access is prohibited. In this state, when the application accesses, for example, the application 2 (1321) area, the comparison means 1105 outputs, for example, “2” indicating that it belongs to the application 2 memory area 1204. Therefore, the detection signal generation means 1108 The detection signal is generated based on the access information “1”. In this case, the interrupt signal generation means 1106 receives the detection signal, for example, and causes the CPU 102 to generate a predetermined interrupt, and for example, stops the processing of the CPU 102 or forcibly terminates the application that has made an unauthorized access.

Subsequently, the application 1 (120
5) performs the cooperative processing with the application 2 (1209), the application 1 (1205)
In the shared area 1202, the application 2 (120
Command for 9) and application 1 (12
05) is written (FIG. 14: S1402-
1).

Next, the application 1 (120
5) sends a predetermined signal from the CPU 102 to the interrupt signal generating means 1106 using the command for generating the interrupt 2 (FIG. 14: S1402-2). In other words, the application 1 (1205) only needs to call the interrupt program 2 (1211) corresponding to the interrupt 2. However, if the application (including the OS) is directly called, the security becomes weak. Through the interrupt processing by.

Upon receiving the above signal from the CPU, the interrupt signal generating means 1106 transmits an interrupt signal corresponding to the signal to the CPU 102, and at the same time, causes the access information managing means 1107 to perform the interrupt processing 2. The information indicating that is transmitted is transmitted.

Upon receiving the information indicating that the interrupt signal has been transmitted, the access information management means 1107
The access information stored in the access information management means 1107 is changed to "2". As a result, the memory image 1301 shown in FIG. 13 is changed to the memory image 1302, that is, the interrupt vector 1 (1310), the application 1 (1311), the OS 1 (1312), which is the area shown by the dot in the memory image 1302. ),
Interrupt program 1 (1313), data 1 (131
In 4), access is prohibited.

Further, the CPU that has received the interrupt signal
Reference numeral 102 denotes a process corresponding to the interrupt signal, that is, an interrupt vector 2 (132) corresponding to the interrupt signal.
0) to execute the interrupt program 2 (1323).

In this state, the CPU 102 refers to the memory area (interrupt program 2) belonging to the application 2 memory area 1208. Therefore, the comparison means 1105 outputs, for example, "2" to the detection signal generation means 1108 based on the address 1104 of the application 2 memory area.

However, since the access information has already been changed to "2" based on the notification from the interrupt signal generating means 1106, the detecting signal generating means 1108 does not generate the detecting signal.

In the processing of the interrupt program 2 (1323), as shown in FIG.
Command stored in 2 and application 1
The code indicating the is extracted (FIG. 14: S1403). Subsequently, the interrupt program 2 (1323) performs processing based on the extracted command, and the result and the code indicating the application 1 are added to the shared area 120.
2 (FIGS. 14 and 15: S1404 to S140)
5). Next, the interrupt program 2 (1323)
Generates an interrupt 1 based on the extracted code indicating the application 1. That is, interrupt 1
A predetermined signal using the command for generating
2 to the interrupt signal generating means 1106 (FIG. 14:
S1406).

Upon receiving the above signal from the CPU, the interrupt signal generating means 1106 transmits an interrupt signal corresponding to the signal to the CPU 102, and at the same time, an interrupt signal for performing the interrupt processing 1 to the access information managing means 1107. The information indicating that is transmitted is transmitted.

When the information indicating that the interrupt signal has been transmitted is received, the access information management means 1107
The access information stored in the access information management means 1107 is changed to "1". As a result, the memory image 1302 shown in FIG. 13 is changed to the memory image 1301, that is, the interrupt vector 2 (1320), the application 2 (1321), the OS 2 (1322) which is the area shown by the dot in the memory image 1301. ),
Interrupt program 2 (1323), data 2 (132
In 4), access is prohibited.

Also, the CPU that has received the interrupt signal
Reference numeral 102 denotes a process corresponding to the interrupt signal, that is, an interrupt vector 1 (131 corresponding to the interrupt signal.
0) to execute the interrupt program 1 (1313).

Interrupt program 1 (1313)
Refers to the shared area 1202 and extracts the result stored in the area (FIG. 14: S1407). Further, based on the code indicating the application 1, a process in which the application 1 causes the interrupt 2 (see FIG. 1).
4: S1402-2) to call the internal processing 2 (FIG. 14: S1407 to S1408).

The application 1 (1205) called by the interrupt program 1 (1207) is
The called internal process 2 is executed (FIG. 14: S140).
9).

As a result, the cooperation process between the application 1 and the application 2 is completed.

As described above, by coordinating the processing between applications using the interrupt processing by hardware, it is not necessary to update the address stored in the address storing means by the OS, that is, the address information updating problem. Can be solved. Further, since the access information stored in the access information management means is updated by the interrupt signal generation means based on the interrupt processing, the problem that the OS changes the access information, that is, the access information update problem is solved. Is possible. Therefore,
It is possible to provide an unauthorized access monitoring device and an IC card which can solve the address information update problem and the access information update problem and can cooperate with the processing between applications.

It is possible to call the processing of the application 1 from the application 2. In such a case, the application 1 in the processing described above
And the problem can be solved by replacing the part related to the application 2. However, in this case, it is necessary to separately prepare an interrupt program for transmitting a command and an interrupt program for extracting a result, and further prepare an interrupt corresponding to each interrupt program. In order to save this waste, the interrupt program determines, as shown in FIG. 15, whether the information stored in the shared area is a command or a result in the process immediately after the start (S1501), and branches according to the determination. To do so. As a result, it is only necessary to provide one interrupt program for each application that performs cooperative processing with other applications.

Further, by storing the program or address called by each interrupt program in the shared area in the same manner as the command, the call destination can be freely set within the range permitted by the access monitoring means.

(Fifth Embodiment) Next, FIGS.
An unauthorized access monitoring process different from the fourth embodiment will be described with reference to FIG.

In the fourth embodiment, for example, a series of programs stored in the application 1 memory area 1204 is composed of the application 1 (1420) shown in FIG. 14 and the interrupt program shown in FIG. 15 excluding the OS. Will be. In other words, in developing an application, the developer has to be aware of the cooperation between the application and the interrupt program, and it is expected that the description will be complicated and the development efficiency will be reduced.

Therefore, in the fifth embodiment, an unauthorized access monitoring process which does not depend on the OS and which can improve the efficiency of application development will be described. Also in the fifth embodiment, in order to solve the address information update problem and the access information update problem, the following configuration is adopted.

That is, the IC card 1801 shown in FIG.
Has the same configuration as the IC card 1201 in the fourth embodiment, but has an interruption information holding area 1802 in a predetermined memory area. Furthermore, the access monitoring means 18
Reference numeral 05 includes address storage means 1901. here,
The address of each memory area stored in the address storage means 1901 is divided into: an application 1 memory area address 1902; an application 2 memory area address 1903; an interrupt program memory area address 1904; and rewriting by a program. It is fixed so that it cannot be done.

Further, at the address 1902 of the application 1 memory area, the memory image 200 of FIG.
The address of the memory area indicated by the outline of 1 is stored. That is, application 1 (1311) and OS
1 (1312) memory area and these programs (application 1 (1311) and OS 1 (131
2)) is the accessible memory area Data 1 (1
314), interrupt vector 1 (1310), interrupt vector 2 (1320), and the address of the shared area 1202. Application 1 (131
1) is application 1 (1610) in FIG.
The OS1 (1312) corresponds to the OS1 (1206) in FIG.

Further, at the address 1903 of the application 2 memory area, the memory image 2003 of FIG.
The address of the memory area shown in white is stored. That is, the application 2 (1321) and the OS
2 (1322) memory area and these programs (application 2 (1321) and OS 2 (132
2)) is the accessible memory area, data 2 (1
324), interrupt vector 1 (1310), interrupt vector 2 (1320), and the address of the shared area 1202. Application 2 (132
1) is application 2 (1710) in FIG.
The OS2 (1322) corresponds to the OS2 (1210) in FIG.

Further, at the address 1904 of the interrupt program memory area, the memory image 200 of FIG.
The addresses of the memory areas indicated by white circles 2 are stored. That is, the interrupt program 1 (1313), the interrupt program 2 (1323), the interruption information holding area 20
It is composed of addresses 04. Interrupt program 1 (1313) and interrupt program 2 (132
3) is the interrupt program 1 (162 in FIG. 18).
0) and interrupt program 2 (1720) correspond to each. Further, the interruption information holding area 2004 corresponds to the interruption information holding area 1802 in FIG.

Therefore, it can be said that the addresses of the respective memory areas stored in the address storage means 1901 have a memory area in which a predetermined program is stored and a memory area permitted by the program as one unit.

Further, the access monitoring means 1805 is
The comparison means 1905 and the program notification means 1906 are provided, but the details will be described later.

Next, based on the above configuration, the operation of each application will be described below. With the above configuration, the processing of the application 1 shown in the fourth embodiment is the same as the application 1 (1610) shown in FIG.
It becomes possible to show as.

First, when the application 1 (1610) performs processing, the CPU 102 is a memory area in which the application 1 (1610) is stored.
The application 1 is read from the application 1 (1311). At this time, the address of the memory area of the application 1 (1311) is sent to the address bus 201, and an instruction fetch signal indicating reading of the program is sent to the control bus 203.

When the address and instruction fetch signal is transmitted, the signal is transmitted to the access monitoring means 1805 which monitors the bus. That is, the address is transmitted to the comparison means 1905, and the instruction fetch signal is transmitted to the program notification means 1906.

When the comparison means acquires the address, it refers to the address storage means 1901 to determine which application (program) the address corresponds to. Here, since the program being executed is the application 1 (1610), the address is the address 19 of the application 1 memory area.
It is determined to correspond to 02.

When the comparing means 1905 judges the application corresponding to the address, it sends the information of the application to the detection signal generating means 1807. Here, it is assumed to be “1”, for example.

Further, the comparing means 1905 notifies the program notifying means 1906 of information that the application corresponding to the address is "1".

On the other hand, the program notification means 1906 described above.
Transmits "1" indicating the program currently being executed to the access information management means 1806 based on the instruction fetch signal transmitted from the control bus and "1" obtained from the comparison means. .

The access information management means 1806 changes the access information to "1" based on the information transmitted from the program notification means 1906. The "1" is
Indicates that the program currently being executed corresponds to application 1.

As a result, the memory image showing whether or not the memory area can be accessed becomes the memory image 2001 shown in FIG. That is, the memory image 200
Interrupt program 1 which is the area indicated by the dot in 1
(1313), application 2 (1321), OS
2 (1322), interrupt program 2 (1323),
Data 2 (1324) and interruption information holding area 2004
Indicates that access is prohibited.

As described above, the access monitoring means can determine the program accessing the memory area based on the information from the address storage means 1901 and the address bus and the control bus.

Then, the application 1 (161)
0) is read by the CPU 102, the application 1 (1610) executes the internal processing 1 (FIG. 1).
6: S1401). The processing content of the internal processing 1 may be the same as that shown in the fourth embodiment.

The application 1 (1610) uses, for example, the data 1 (1314) based on the internal processing 1.
Suppose you have accessed. In this case, the data 1 (13
The address of 14) refers to the address 1902 of the application 1 memory area by the comparing means 1905 referring to the address storing means 1901 via the address bus 201.
"1" indicating that the detection signal generating means 1 corresponds to
Send to 807.

In this case, since the data 1 (1314) is referenced, no instruction fetch signal is transmitted to the control bus, and the program notification means 1906 is executed by the access information management means 1806. Do not notify the program. That is, the access information remains "1".

The detection signal generating means 1807 has no problem in accessing the memory area based on "1" transmitted from the comparing means 1905 and "1" obtained from the access information managing means 1806. It is determined that there is not, and the fraud detection signal is not generated.

However, the above application 1 (161
0) refers to, for example, data 2 (1324), the comparing unit 1905 determines that the address being accessed is the address 190 of the application 2 memory area.
For example, “2” indicating 3 is transmitted to the detection signal derivation means 1807. Therefore, the detection signal generating means 1
807 is “2” obtained from the comparison means 1905.
And "1" obtained from the access information management means 1806, it is determined that the access to the memory area is an unauthorized access, and an unauthorized access detection signal is generated.

By the way, the internal process 1 is a process which is not associated with the application 2 (1710). Here, when the application 1 (1610) performs cooperative processing with the application 2 (1710), an interrupt 2 is generated after writing a command in the shared area, as in the fourth embodiment (FIG. 16: S1402). -1
→ S1402-2).

When the interrupt 2 occurs, the CPU 10
2 (application 1) causes interrupt vector 2 (1
320), and the interrupt program 2 is read. At this time, since the CPU 102 reads the interrupt program 2, the comparing means 1905 determines that the currently accessed address is the address 1904 of the interrupt program memory area based on the information obtained from the address bus.
Then, for example, “3” indicating that it corresponds to is transmitted to the detection signal generating means 1807.

Further, the program notifying means is "3" obtained from the comparing means 1906 and the control bus 2
The access information is changed to, for example, "3" by transmitting "3" indicating the program currently being executed to the access information management means 1806 based on the command fetch signal obtained from 03.

As a result, the memory image 2002 showing whether or not the memory area can be accessed becomes the memory image 2002 shown in FIG. That is, the memory image 200
Application 1 which is the area indicated by the dot in 2
(1311), application 2 (1321), OS
1 (1312), OS2 (1322), data 1 (13
14), the data 2 (1324), and the interruption information holding area 2004 are in a state where access is prohibited. However, as will be described later, since the interrupt program may be provided as a fixed program in advance, all areas may be accessible, for example.

As described above, the program to be executed is changed from the application 1 (1610) to the interrupt program 2
Even if changed to (1620), the detection signal generating means 1
807 does not generate the fraud detection signal.

Then, the interrupt program 2 (1620) read by the CPU 102 performs the following processing.

That is, the interrupt program 2 (162
0) first stores all storage areas such as registers currently in the CPU 102 in the interruption information holding area 2004 as interruption information, so that the application 1 (16
10) enables the restart immediately after the interrupt 2 is generated (FIG. 16: S1621).

Subsequently, the interruption information holding area 20 is previously set.
The interruption information of the application 2 (1710) stored in 04 is retrieved, and the application 2 (1710) is interrupted.
Is restarted (FIG. 16: S1622 → S1623). However, if there is no interruption information, the application 2 (1702) is executed from the beginning.

When the application 2 (1710) is restarted, the CPU 2 causes the application 2
(1710) is read. At this time, since the CPU 102 reads the application 2 (1710), the comparison means 1905 indicates that the currently accessed address corresponds to the address 1903 of the application 2 memory area based on the information obtained from the address bus. For example, “2” is transmitted to the detection signal generating means 1807.

Further, the program notifying means is "2" obtained from the comparing means 1906 and the control bus 2
The access information is changed to, for example, "2" by transmitting "2" indicating the program currently being executed to the access information management means 1806 based on the instruction fetch signal obtained from 03.

As a result, the memory image showing whether or not the memory area can be accessed becomes the memory image 2003 shown in FIG. That is, the memory image 200
Application 1 which is the area indicated by the dot in 3
(1311), OS1 (1312), interrupt program 1 (1313), interrupt program 2 (132
3), data 1 (1314), and interruption information holding area 2
004 is a state in which access is prohibited.

The application 2 (1710) is
After that, the command is fetched from the shared area 1202, the process, the result is written, etc., but the details are omitted because it is the same as that of the fourth embodiment (FIG. 17: S1403 to S1403.
1405).

Subsequently, the application 2 (171)
0) generates an interrupt 1 (FIG. 17: S140)
6).

When the interrupt 1 is generated, the interrupt program 1 (1
720) and the access information management means 1
The access information of 806 is changed to "3".

Next, the interrupt program 1 (172
0) first stores all storage areas such as registers currently in the CPU 102 in the interruption information holding area 2004 as interruption information, so that the application 2 (17)
10) enables restarting immediately after the interrupt 2 is generated (FIG. 17: S1721). In this example,
Since the application 2 (1710) has finished the processing, the application 2 (1710) concerned is restarted.
Will be executed from the beginning.

Subsequently, the interruption information holding area 20 is previously set.
The interruption information of the application 1 (1610) stored in 04 is retrieved, and the application 1 (1610) is interrupted.
Is restarted (FIG. 17: S1722 → S1723). By extracting the interruption information, each storage area in the CPU 102 returns immediately after the application 1 (1610) performs the interrupt 2 generation process, so that the application 1 (1610) executes the subsequent result retrieval process ( FIG. 17: S1407). Further, similarly to the above, the access information is changed to "1" by monitoring the address bus 201 and the control bus 203.

The application 1 (1610) is
Similar to the result retrieval process shown in the fourth embodiment,
The result written by the application 2 (1710) is taken out from the shared area 1202, and continuous internal processing 2 is performed (FIG. 16: S1407 → S1409).

The processing of each of the applications 1 and 2 and the interrupt programs 1 and 2 has been described above. As a result, the processing of the application 1 (1610) is as follows.
As shown in FIG. 16, it can be described as a series of processes including a process of cooperation with the application 2. The application 2 (1710) can also be described as a series of processes from the command fetch to the end of the process. Further, since the interrupt program 1 (1720) and the interrupt program 2 (1620) are completely independent processes from the applications 1 and 2, it is possible to describe them in advance in, for example, the ROM 103 in the memory area.

As described above, by storing the memory area in which the predetermined program is stored and the memory area permitted to be accessed by the program as one unit in the address storing means, the address to be stored in the address storing means is stored. , OS does not need to be updated, that is, the address information update problem can be solved.

Further, since the comparing means notifies the program corresponding to the accessed address as a monitoring result and the program notifying means notifies the program being executed, the access information managing means changes the access information. , The problem that the OS changes the access information,
That is, it becomes possible to solve the above access information update problem.

Further, as shown in FIG. 16 and FIG.
Since the application can be easily described as a series of processes, it is possible to improve the development efficiency of the application.

(Sixth Embodiment) In the above first to fifth embodiments, by monitoring access to a predetermined memory area,
Although the method of preventing the illegal processing by the program has been described, the sixth embodiment will explain the processing of the illegal access monitoring device having resistance to reverse engineering.

Reverse engineering means analyzing a product and searching for its specifications, basic design, etc. In some cases, it may be abused. For example, it is possible to invalidate the function of the unauthorized access monitoring device by analyzing the operation of the CPU in the first to fifth embodiments and predicting the operation of the access monitoring means, the detection signal generating means and the like. Could be.

Therefore, the sixth embodiment provides an unauthorized access monitoring device having resistance to the reverse engineering.

First, one means of reverse engineering will be briefly described before the description of the unauthorized access monitoring apparatus according to the sixth embodiment.

[0200] A CPU normally provided in an IC card or the like
The clock speed is high, so it is very difficult to analyze each operation. Therefore, each operation of the CPU is analyzed by giving a clock slower than usual to the CPU.

Therefore, in the sixth embodiment, it is judged whether the clock given to the CPU is normal, and when it is judged that the clock is not normal, for example, the operation of the CPU is stopped.

That is, the unauthorized access monitoring apparatus 2100 according to the sixth embodiment has a revocation means 2101 in addition to the unauthorized access monitoring apparatus 100 according to the first embodiment, as shown in FIG. The invalidation means 2101
The clock supplied from the clock supply means 2102 to the CPU 102 is input to determine whether or not the speed of the clock is normal. Here, the clock supply means 2
102 is conventionally provided for determining the processing speed of the CPU.

A method for the invalidating means 2101 to judge whether or not the speed of the clock given to the CPU is normal will be described below.

In the first example, as shown in FIG. 22A, for example, the invalidating means 2101 is supplied with the clock (CPU clock) given to the CPU and the reference voltage. Here, a capacitor 2202 is connected to the line 2203 to which the CPU clock is input to delay the drop in the voltage value of the CPU clock.

FIG. 22B shows a voltage image of the CPU clock when the CPU clock is normal.
That is, the determination unit 220 that constitutes the invalidation unit 2101
In the CPU clock given to the constant voltage Vx of 1, the voltage Vy becomes the minimum value by the capacitor 2202.
The voltage Vy is set so as not to fall below the reference voltage Vz, which is a threshold value (Vx>
Vy> Vz).

Here, it is assumed that an illegal clock is given to the CPU 102 for reverse engineering, for example. As described above, the incorrect clock is slower than the normal clock. For this reason,
The voltage image of the CPU clock is shown in FIG. 22, for example.
As shown in (c), the reference voltage becomes Vz or less. Therefore, the determining means 2201 causes the interrupt signal generating means 11 when the CPU clock falls below the reference voltage Vz which is the threshold value (point 2204).
The injustice detection signal is transmitted to No. 3.

The interrupt signal generating means 113 which has received the fraud detection signal transmits an interrupt signal to the CPU 102.

CPU 102 which has received the interrupt signal
Corresponds to the above reverse engineering by stopping the processing of the CPU 102 or moving a predetermined interrupt program.

Subsequently, the second example will be described. Second
In the example, as shown in FIG. 23A, for example, the invalidating unit 2101 is input with the clock (CPU clock) given to the CPU. Further, in the invalidating means 2101, an independent clock generating means 2303 for generating a clock independent of the CPU clock,
A counter 2302 for counting the pulses of the independent clock from the independent clock generating means 2303 is provided.

The processing of the invalidation means 2001 will be described below based on the above configuration.

First, the counter 2302 counts the independent clock pulse supplied from the independent clock generating means 2303. However, when the CPU clock pulse is received, the count is reset to zero (reset).
To When the count number of the independent clock pulse becomes 2, the determining unit 2301 determines that the CPU clock is invalid.

FIG. 23B shows an image when the normal CPU clock is applied. That is,
The pulse of the independent clock 2305 is the counter 2302.
However, since the CPU clock 2304 is fast enough, the counter is immediately reset.

In this state, the count number never becomes 2. That is, the CPU clock is in a normal state.

Here, it is assumed that an illegal clock is given to the CPU 102 for reverse engineering, for example. As described above, the incorrect clock is slower than the normal clock. For this reason,
The counter 2302 counts the pulse of the independent clock 2307 a plurality of times (2 or more) (FIG. 23 (c)). In this case, the determination means 2301
Sends a fraud detection signal to the interrupt signal generating means 113.

The subsequent processing is the same as in the first example.

As described above, the invalidating means inputs the clock given to the CPU, determines whether or not the speed of the clock is normal, and transmits the fraud detection signal in accordance with the determination. It is possible to prevent analysis of each operation by reverse engineering that gives a slower clock to the CPU.

[0217]

The access monitoring means monitors the access to the predetermined memory area, and the detection signal generating means detects the unauthorized access based on the monitoring result of the access monitoring means and the access information. To occur. Therefore, by knowing the access to the memory area where the access by the application is prohibited, it is possible to prevent various troubles such as the loss or leakage of the important information by the malicious application.

Furthermore, by providing an interrupt signal generating means for transmitting an interrupt signal to the CPU in response to the illegality detection signal generated by the detection signal generating means, a predetermined program can be executed in case of illegal access. Since it can be executed, various measures can be taken against unauthorized access.

Furthermore, the access monitoring means includes an address storage means for storing an address of a predetermined memory area, and C
Comparing means for monitoring access to the predetermined memory area by comparing the address acquired from the address bus used when the PU accesses the memory area with the address of the predetermined memory area stored in the address storing means By including the above, it is possible to perform access monitoring corresponding to various access modes (read, write, etc.) of the CPU.

Furthermore, the access information management means is the OS.
Is configured to control access information based on a command received through a predetermined interface used when an application uses a function provided by, for example, using a conventional technique by using an API for the predetermined interface. The access information can be easily managed.

Furthermore, by coordinating the processing between the applications using the interrupt processing by the hardware, it is possible to surely prevent the malfunction and the unauthorized access by the software (program). Solved the access information update problem,
Moreover, the processing between the applications can be linked.

Furthermore, the clock is supplied from the clock supplying means for supplying the CPU with the clock, and the judging means for judging whether or not the speed of the clock is normal, and the interrupt signal generating means based on the result judged by the judging means. By providing the invalidation means for transmitting the fraud detection signal, it is possible to prevent the reverse engineer.

[Brief description of drawings]

FIG. 1 is a schematic functional block diagram of an unauthorized access monitoring device and an IC card according to the present invention.

FIG. 2 is a detailed block diagram of an unauthorized access monitoring device.

FIG. 3 is an image diagram of a memory area showing an access monitoring target.

FIG. 4 is a flowchart showing access information change using API.

FIG. 5 is a flowchart showing processing of an access monitoring unit and an access information management unit.

FIG. 6 is a flowchart showing the processing of a detection signal generating means and an interrupt signal generating means.

FIG. 7 is an image diagram of each memory area when a plurality of applications are executed.

FIG. 8 is a diagram showing a configuration example in which a plurality of CPUs are provided.

FIG. 9 is a diagram showing a configuration example in which a shared area is provided.

FIG. 10 is a schematic diagram for explaining interrupt processing.

FIG. 11 is a schematic diagram of each means according to the fourth embodiment.

FIG. 12 is a diagram showing an image in which an application is executed on a CPU according to the fourth embodiment.

FIG. 13 is a diagram showing a memory image in the fourth embodiment.

FIG. 14 is a flowchart showing a series of program processing according to the fourth embodiment.

FIG. 15 is a flowchart showing the processing of an interrupt program according to the fourth embodiment.

FIG. 16 is a first flowchart showing a series of program processing according to the fifth embodiment.

FIG. 17 is a second flowchart showing a series of program processing according to the sixth embodiment.

FIG. 18 is a diagram showing an image of an application being executed on a CPU according to the fifth embodiment.

FIG. 19 is a schematic diagram of each means according to the fifth embodiment.

FIG. 20 is a diagram showing a memory image in the fifth embodiment.

FIG. 21 is a schematic functional block diagram of an unauthorized access monitoring device and an IC card according to the sixth embodiment.

FIG. 22 is a first schematic functional block diagram of invalidation means according to the sixth embodiment.

FIG. 23 is a second schematic functional block diagram of an invalidating unit according to the sixth embodiment.

FIG. 24 is a schematic functional block diagram of a conventional IC card and IC card system.

FIG. 25 is an image diagram showing an OS and applications in the IC card.

FIG. 26 is an image diagram of a memory area.

FIG. 27 is a flowchart showing the processing of API.

[Description of Reference Signs] 100 Unauthorized Access Monitoring Device 101 IC Card 102 CPU 103 ROM 104 RAM 105 EEPROM (Constitutes Rewritable Nonvolatile Memory) 106 EEPROM Writing Circuit (Constitutes Rewritable Nonvolatile Memory Writing Circuit) 107 External Communication Circuit 110 Access monitoring means 111 Detection signal generating means 112 Access information managing means 113 Interrupt signal generating means

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Taishi Nakabe             3-10-18 Kagamiyama, Higashihiroshima-shi Matsushita Co., Ltd.             Electric Appliance Information System Hiroshima Laboratory F-term (reference) 5B017 AA03 BA01 CA14                 5B035 AA13 BB09 CA11 CA22 CA38                 5B042 GA21 GA33 GA38 JJ29 JJ46                       JJ47 KK01 MC12

Claims (21)

[Claims] 1. An unauthorized access monitoring apparatus for monitoring unauthorized access to a memory area, access monitoring means for monitoring access to a predetermined memory area, monitoring results of the access monitoring means, and access to the memory area. An unauthorized access monitoring apparatus, comprising: a detection signal generating unit that generates an unauthorized detection signal indicating that there is an unauthorized access based on access information that is information that can identify a program that is accessing. . 2. An access information managing means for managing the access information is further provided, wherein the detection signal generating means is based on the monitoring result of the access monitoring means and the access information received from the access information managing means. The unauthorized access monitoring device according to claim 1, which generates an unauthorized access detection signal indicating that there is unauthorized access. 3. The CPU (Central Processing) in response to the fraud detection signal generated by the detection signal generating means.
3. The unauthorized access monitoring device according to claim 2, further comprising an interrupt signal generating means for transmitting an interrupt signal to the unit). 4. The access monitoring means includes an address storage means for storing an address of the predetermined memory area, an address acquired from an address bus used when a CPU accesses the memory area, and the address storage means. 4. The unauthorized access monitoring device according to claim 3, further comprising: a comparison unit configured to monitor access to the predetermined memory area by comparing the stored address of the predetermined memory area. 5. The access monitoring means further comprises a CPU.
5. The unauthorized access monitoring device according to claim 4, wherein the unauthorized access monitoring device monitors a control bus that transmits a command when accessing the memory area, and outputs a monitoring result according to the command. 6. The unauthorized access monitoring device according to claim 1, wherein the access information indicates whether or not the access to the memory area is performed by an OS (Operating System). 7. The access information management means changes the access information based on a command transmitted by the OS when an interface for providing the function of the OS to the application is used by the application. The unauthorized access monitoring device described in 2. 8. The predetermined interface is an API
The unauthorized access monitoring device according to claim 7, which is (Application Program Interface). 9. The unauthorized access monitoring device according to claim 1, wherein the predetermined memory area includes at least one of an OS storage area, an OS work area, an application storage area, and a user information storage area. 10. The unauthorized access monitoring device according to claim 1, wherein the predetermined memory area includes an external communication circuit used for communication with the outside or a rewritable nonvolatile memory writing circuit. 11. The address monitoring means stores an address of the predetermined memory area, which is composed of a memory area storing a predetermined program and a memory area permitted to be accessed by the program, in the program unit. Based on the storage means, the address obtained from the address bus used when the CPU accesses the predetermined memory area, and the address stored in the address storage means, the program corresponding to the accessed address is monitored. Comparing means for notifying as a result, the interrupt signal generating means transmits an interrupt signal in accordance with an instruction from the CPU, and transmits information indicating that the interrupt signal has been transmitted to the access information managing means, The access information management means uses the interrupt signal from the interrupt signal generating means. The access information indicating the program that is accessing the memory area is changed based on the information indicating that the access signal has been generated, The unauthorized access monitoring device according to claim 3, wherein the unauthorized access detection signal is generated based on 12. The unauthorized access monitoring device according to claim 11, wherein the predetermined memory area includes a shared area that is not monitored by the access monitoring means. 13. The access monitoring means stores the address of the predetermined memory area, which is composed of a memory area storing a predetermined program and a memory area permitted to be accessed by the program, in the program unit. Based on the storage means, the address obtained from the address bus used when the CPU accesses the predetermined memory area, and the address stored in the address storage means, the program corresponding to the accessed address is monitored. The comparison means for notifying as a result and the control bus for transmitting an instruction when the CPU accesses the memory area are monitored, and the instruction and the address acquired from the address bus and the address stored in the address storage means are displayed. Program notification hand that notifies the running program based on The access information management unit changes access information indicating a program accessing the memory area based on the notification from the program notification unit, and the detection signal generation unit includes the access unit. The unauthorized access monitoring device according to claim 3, wherein the unauthorized access detection signal is generated based on a monitoring result of a monitoring unit and the access information. 14. The unauthorized access monitoring device according to claim 13, wherein the predetermined memory area comprises a shared area which is not monitored by the access monitoring means. 15. Further, the clock is inputted from a clock supplying means for giving a clock to the CPU, and a judging means for judging whether or not the speed of the clock is normal; The unauthorized access monitoring device according to claim 3, further comprising invalidation means for transmitting a fraud detection signal to the built-in signal generation means. 16. The method according to claim 15, wherein the determination means determines whether or not the speed of the clock given to the CPU is normal by comparing the input clock with a reference voltage serving as a threshold for transmitting the fraud detection signal. Unauthorized access monitoring device described. 17. The speed of the clock given to the CPU by the judging means comparing the inputted clock with the clock generated by the independent clock generating means for generating a clock independent of the clock given to the CPU. The unauthorized access monitoring device according to claim 15, wherein it is determined whether or not is normal. 18. An IC (Integrated) equipped with the unauthorized access monitoring device according to claim 1. Description:
Circuit) card. 19. A method for monitoring unauthorized access to a memory area, comprising: an access monitoring step for monitoring access to a predetermined memory area; a monitoring result in the access monitoring step; An unauthorized access monitoring method, comprising: a detection signal generating step of generating a fraud detection signal indicating that there is an unauthorized access based on access information which is information capable of discriminating an accessing program. . 20. The unauthorized access monitoring method according to claim 19, further comprising an access information management step of managing the access information, wherein the detection signal generating step receives the access information from the access information management step. 21. Further, in response to the fraud detection signal generated by the detection signal generating step, the CPU (Central Proc
21. The unauthorized access monitoring method according to claim 20, further comprising an interrupt signal generating step of transmitting an interrupt signal to the essing unit).