Computer system having memory protection function

Information

  • Patent Application 20070266214
  • Publication Number: 20070266214
  • Date Filed: April 26, 2007
  • Date Published: November 15, 2007
Abstract
A computer system for preventing secret data in a memory area from being erased, altered or leaked due to a buffer overflow attack and the like comprises a memory map circuit for storing an access control memory map which defines whether the CPU has an access right for executing a program with respect to each address of the memory area, an access right determination circuit for determining whether the CPU has the access right to the memory area of an execution program storage address designated by a program counter based on the access control memory map, and outputting an access prohibition signal which makes the CPU execute a predetermined operation to disable the CPU from accessing the memory area of the execution program storage address when the CPU does not have the access right.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram showing the circuit constitution of a computer system according to one embodiment of the present invention;



FIG. 2 is a circuit diagram showing one example of the input signal, output signal and internal circuit constitution of an access right determination circuit of the computer system according to the present invention;



FIG. 3 is a block diagram showing another circuit constitution of the computer system according to one embodiment of the present invention;



FIG. 4 is a view showing the execution of a legitimate program and variations in state of a stack area when a buffer overflow attack does not occur;



FIG. 5 is a view showing the execution of the legitimate program and variations in state of the stack area when the buffer overflow attack occurs;



FIG. 6 is a view showing the execution of the program and variations in state of the stack area and a heap area when data corruption spreads from the stack area into the heap area under the buffer overflow attack;



FIG. 7 is a view showing one example of operation process for preventing an illegal program from being executed when the buffer overflow attack occurs in the computer system according to one embodiment of the present invention;



FIG. 8 is a view showing another example of the operation process for preventing an illegal program from being executed when the buffer overflow attack occurs in the computer system according to one embodiment of the present invention;



FIG. 9 is a block diagram showing the constitution example of an IC card according to the present invention; and



FIG. 10 is a block diagram showing one example of a conventional computer system having a data protecting function.





DETAILED DESCRIPTION OF THE INVENTION

A computer system having a memory protection function according to the present invention (referred to as the “system of the present invention” hereinafter) will be described with reference to the drawings hereinafter.


First Embodiment


FIG. 1 is a schematic view showing the constitution example of a system 1 of the present invention. As shown in FIG. 1, the system 1 of the present invention comprises a CPU (central processing unit) 10, a ROM (read only memory) 11, RAM 12, a nonvolatile memory 13, a peripheral I/O interface 14, a memory map circuit 15, an access right determination circuit 16, a data bus 17, and an address bus 18. The CPU 10, the ROM 11, the RAM 12, the nonvolatile memory 13 and the peripheral I/O interface 14 are connected to each other through the data bus 17 and the address bus 18. The ROM 11, the RAM 12, and the nonvolatile memory 13 constitute a memory area 19 in which program codes and data executed by the CPU 10 are stored.


In addition, according to this embodiment, it is assumed that within the memory area 19, a program code area for storing program code and a fixed data area for storing fixed data are formed in the ROM 11 and the nonvolatile memory 13, while a stack area for storing dynamic data and a heap area used while the program is executed are formed in the RAM 12, in which data can be read and written at high speed.


The memory map circuit 15 comprises a RAM or a register and stores an access control memory map which defines whether the CPU 10 has an access right for executing the program (referred to as the “execution right” occasionally hereinafter) with respect to each address of the memory area 19 or not, and outputs the information of the access control memory map to the access right determination circuit 16. According to this embodiment, since the input/output of the memory map circuit 15 is separated from the data bus 17 and they are not connected directly, the contents of the access control memory map are prevented from being altered carelessly or illegally by the execution of the program by the CPU 10.


The access right determination circuit 16 determines, for each execution program storage address, whether there is the execution right to the part of the memory area 19 specified by the execution program storage address Spc designated by the value of the program counter 20 in the CPU 10. FIG. 2 shows an input signal, an output signal and the detailed internal circuit constitution of the access right determination circuit 16. In the example shown in FIG. 2, the information of the access control memory map output from the memory map circuit 15 consists of an upper limit address signal SA1 and a lower limit address signal SA2 showing the upper limit and the lower limit, respectively, of a non-executable address range in which access for executing the program by the CPU 10 is not allowed (that is, there is no execution right). The access right determination circuit 16 comprises a matching circuit 21 which compares the execution program storage address Spc input from the program counter 20 with each of the upper limit address signal SA1 and the lower limit address signal SA2, to determine whether Spc lies within the non-executable address range between SA1 and SA2. In addition, according to this embodiment, this determination, that is, whether Spc lies in the non-executable address range and therefore whether the execution right for Spc exists, is made in synchronization with a fetch timing signal Sft input from the CPU 10, which is enabled at the timing when the CPU 10 fetches an instruction. More specifically, when the execution program storage address Spc lies in the non-executable address range and the fetch timing signal Sft is in the enabled state (high level), it is determined that there is no execution right for Spc, and the access prohibition signal SC is enabled (switched to high level) and output.


In response to the access prohibition signal SC, the CPU 10, instead of executing the address area in the memory area 19 specified by the execution program storage address Spc designated by the value of the program counter 20, performs a process, described below, that prevents an illegal program stored in that address area from being executed. As a result, within the whole address area of the memory area 19, a program illegally written into the non-executable address range specified by the access control memory map stored in the memory map circuit 15 cannot be executed, so that secret data stored in the memory area 19 is prevented from being erased, altered, or leaked by the execution of the illegal program.


Furthermore, in the system 1 of the present invention, as shown in FIG. 3, when the value of a stack pointer 22 output from the CPU 10 is used as the upper limit address signal SA1 showing the upper limit of the non-executable address range of the access control memory map output from the memory map circuit 15, the non-executable address range can vary in accordance with the growth and shrinkage of the stack area. For example, the value SP of the stack pointer 22 output from the CPU 10 may be used as the upper limit address signal SA1, and the value obtained by subtracting from SP the size of the stack area used by the active subroutine may be used as the lower limit address signal SA2 showing the lower limit of the non-executable address range.


EXAMPLE 1

Next, a description will be made of one example of a protective operation of the system 1 of the present invention when a buffer overflow attack occurs as shown in FIG. 5 hereinafter. FIG. 7 shows execution of a legitimate program, prevention of execution of a malicious illegal program and variations in state of the stack area (#13 to #15) when the buffer overflow attack occurs.


#13: The operations when the buffer overflow attack occurs are the same as #6 to #8 shown in FIG. 5.


#14: The CPU 10 tries to move the control to the malicious illegal program buried in the stack area set in the non-executable address range by an altered return address. Here, the access right determination circuit 16 detects that the execution program storage address Spc designated by the value of the program counter 20 exists in the non-executable address range of the access control memory map stored in the memory map circuit 15, and the access prohibition signal SC is enabled.


#15: When the access prohibition signal SC is enabled, the execution of the illegal program is detected and when the access prohibition signal SC is used as an interruption request signal to the CPU 10, an interruption process is started in the CPU 10. In this interruption process, internal secret data is prevented from being erased, altered, or leaked by the malicious, illegal program, by performing an appropriate operation such as clear (data erase) of the stack area.


Here, when data has been written beyond the previously set stack area into the heap area, as shown in #12 in FIG. 6, due to the buffer overflow attack at the above step #13, the CPU 10 tries to move the control to the malicious illegal program buried in the heap area by the altered return address.


However, since the value designated by the stack pointer has been moved into the heap area by data being written beyond the stack area, the upper limit address signal SA1 showing the upper limit of the non-executable address range is also moved into the heap area, and the execution right of the heap area eroded by the buffer overflow attack is changed from its original effective state to an ineffective state. Therefore, similar to the case of #14, the access right determination circuit 16 detects that the execution program storage address Spc designated by the value of the program counter 20 is in the non-executable address range of the access control memory map stored in the memory map circuit 15, and the access prohibition signal SC is enabled. Then, the interrupt operation of #15 is performed, the malicious illegal program buried in the heap area becomes non-executable, and the internal secret data is prevented from being erased, altered or leaked.


In addition, by separating the address ranges of the stack area and the heap area set in the RAM 12 so as not to be continuous, more specifically by setting the address range of the interface between the stack area and the heap area to the address range of the ROM 11 or the nonvolatile memory 13, the heap area is prevented from being eroded by the buffer overflow attack, which is effective in protecting the area from the buffer overflow attack.


EXAMPLE 2

Next, another example of the protective operation in the system 1 of the present invention in the case where the buffer overflow attack occurs as shown in FIG. 5 will be described. In this example 2, a description will be made of a protective operation from the buffer overflow attack after the whole system has been set to an initial state.



FIG. 8 shows program execution, prevention of execution of an illegal program and variations in state of the stack area (#16 to #18) when execution of the malicious illegal program is detected and a reset process is performed.


#16: The operations when the buffer overflow attack occurs are the same operations as those #6 to #8 shown in FIG. 5.


#17: The CPU 10 tries to move the control to the malicious illegal program buried in the stack area set in the non-executable address range by the altered return address. Here, the access right determination circuit 16 detects that the execution program storage address Spc designated by the value of the program counter 20 is in the non-executable address range of the access control memory map stored in the memory map circuit 15, and the access prohibition signal SC is enabled (similar to the #14 in the example 1).


#18: When the access prohibition signal SC is enabled, the execution of the illegal program is detected, and when the access prohibition signal SC is used as a reset request signal to the CPU 10, the reset process is started in the CPU 10 and the CPU 10 restarts. Because the CPU 10 restarts, the malicious illegal program is prevented from being executed even more reliably.


Here, in the case where the data has been written in the heap area beyond the previously set stack area as shown in the #12 in FIG. 6 due to the buffer overflow attack in the step #16, the CPU 10 tries to move the control to the malicious illegal program buried in the heap area by an altered return address.


However, since the value designated by the stack pointer is moved to the heap area by data writing beyond the stack area, the upper limit address signal SA1 designating the upper limit of the non-executable address range is also moved into the heap area and the execution right of the heap area eroded by the buffer overflow attack is changed from the original effective state to an ineffective state. Therefore, similar to the case of the #17 (#14), the access right determination circuit 16 detects that the execution program storage address Spc designated by the value of the program counter 20 exists in the non-executable address range of the access control memory map stored in the memory map circuit 15, and the access prohibition signal SC is enabled. Thus, the reset operation of the above #18 is performed and the malicious illegal program buried in the heap area cannot be executed and the internal secret data can be prevented from being erased, altered or leaked.


Second Embodiment

In the first embodiment, the memory map circuit 15 comprises a RAM or a register, so the non-executable address range defined by the access control memory map stored therein can vary physically; in the constitution example shown in FIG. 3 in particular, the case was described in which the non-executable address range varies according to the value of the stack pointer 22. In this second embodiment, by contrast, a case will be described in which the non-executable address range is fixed in advance as an address area for storing data only. This data-only address area covers the entire address range of the RAM 12, including the stack area and the heap area.


According to the second embodiment, an access control memory map is stored in a memory map circuit 15 such that it cannot be written by a hardware or software operation. Since the access control memory map cannot be written, the circuit constitution of the memory map circuit 15 can be simplified as compared with the first embodiment. In addition, the whole constitution of the system 1 of the present invention is the same as that shown in FIG. 1.


When the memory map circuit 15 comprises a ROM, the non-executable address range is fixed before shipment and cannot be changed after shipment. When the memory map circuit 15 comprises a RAM or a register, the range can be set by the CPU 10 from the tester side as part of the shipment test after manufacturing, or by a special program (stored in the nonvolatile memory 13 or the like). In the latter case, the range may be set after manufacturing by any means, provided there is no risk of the set contents being altered afterwards, for example by erasing the setting program once the range has been set.


According to the second embodiment, when the non-executable address range is fixed, it can be used as a pure data-only area by reserving in advance a storage area for secret information such as private information and setting that storage area to an area having absolutely no execution right.


Furthermore, when the function of the memory map circuit 15 in the first embodiment and the function of the memory map circuit 15 in the second embodiment are combined, that is, when the fixed non-executable address range and the variable non-executable address range are combined, the malicious illegal program can be prevented from being executed even more reliably.
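A software model of the matching circuit 21 of FIG. 2, the stack-pointer-driven map of FIG. 3, the Example 1 interrupt flow (#14 and #15, including the eroded-heap case) and the combined fixed and variable ranges just described, added here as an illustration; it is not the patent's own circuit design. The address layout, the frame size, the RAM array and the names fetch_after_return, variable_map and fixed_map are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed address map (assumption, not from the patent): ROM 0x0000-0x3FFF
 * holds program code; RAM 0x8000-0x9FFF holds a stack that grows toward higher
 * addresses (as in the first embodiment) and, above it, the heap. */
#define ROM_BASE    0x0000u
#define ROM_END     0x3FFFu
#define RAM_BASE    0x8000u
#define STACK_BASE  0x8000u
#define HEAP_BASE   0x9000u
#define RAM_END     0x9FFFu

static uint8_t ram[RAM_END - RAM_BASE + 1];   /* model of RAM 12 */

/* Access control memory map: upper (SA1) and lower (SA2) limits of the
 * non-executable address range, as output by memory map circuit 15. */
typedef struct { uint16_t sa1, sa2; } memory_map_t;

/* Matching circuit 21: SC goes high only on an instruction fetch (Sft high)
 * whose program counter value Spc lies inside [SA2, SA1]. */
static bool matching_circuit(memory_map_t map, uint16_t spc, bool sft) {
    return sft && spc >= map.sa2 && spc <= map.sa1;
}

/* FIG. 3 variant: SA1 is the stack pointer SP itself and SA2 is SP minus the
 * size of the active subroutine's frame, so the range follows the stack and,
 * once an overflow has pushed SP into the heap, covers the eroded heap too. */
static memory_map_t variable_map(uint16_t sp, uint16_t frame_size) {
    memory_map_t m = { sp, (uint16_t)(sp - frame_size) };
    return m;
}

/* Second embodiment: a fixed map covering the whole RAM as a data-only area. */
static const memory_map_t fixed_map = { RAM_END, RAM_BASE };

typedef enum { EXEC_ALLOWED, EXEC_BLOCKED } verdict_t;

/* Example 1: the CPU is about to fetch from return_addr after a subroutine
 * return. If SC is asserted, the interrupt process of #15 clears the stack
 * area (STACK_BASE..sp) so nothing left there by the overflow survives, and the
 * fetch is refused. use_fixed_map ORs in the second embodiment's fixed range. */
static verdict_t fetch_after_return(uint16_t return_addr, uint16_t sp,
                                    uint16_t frame_size, bool use_fixed_map) {
    const bool sft = true;  /* fetch timing signal is high at instruction fetch */
    bool sc = matching_circuit(variable_map(sp, frame_size), return_addr, sft);
    if (use_fixed_map)
        sc = sc || matching_circuit(fixed_map, return_addr, sft);
    if (!sc)
        return EXEC_ALLOWED;
    if (sp >= STACK_BASE && sp <= RAM_END)   /* guard the clear against a bad SP */
        memset(&ram[STACK_BASE - RAM_BASE], 0, (size_t)(sp - STACK_BASE) + 1);
    return EXEC_BLOCKED;
}

/* Constructed stack contents for inspection: fill, then count non-zero bytes. */
static void fill_stack(uint16_t sp, uint8_t v) {
    for (uint16_t a = STACK_BASE; a <= sp; a++) ram[a - RAM_BASE] = v;
}
static size_t stack_bytes_live(uint16_t sp) {
    size_t n = 0;
    for (uint16_t a = STACK_BASE; a <= sp; a++) n += ram[a - RAM_BASE] != 0;
    return n;
}
```

Under the variable map alone a fetch from the heap passes while SP is still inside the stack, which is exactly the gap the combined map closes.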


Third Embodiment

Next, a variation of the system 1 according to the first or second embodiment of the present invention will be described. FIG. 9 shows the constitution example of an IC card 2 on which the system 1 of the present invention is mounted. The same reference numerals are assigned to the same components as in the system 1 of the present invention shown in FIG. 1, and their description is omitted. Important information such as a password or electronic certificate information is stored in the IC card. Security of the IC card against anyone seeking to obtain that data can be ensured by mounting the system 1 of the present invention on it.


Another Embodiment

Next, another embodiment of the system of the present invention will be described hereinafter.


(1) In the first embodiment it is assumed that the address range of the stack area expands in the upper address direction as data is written, and the value of the stack pointer 22 is used as the upper limit address signal SA1 designating the upper limit of the non-executable address range. When the address range of the stack area instead expands in the lower address direction, the value of the stack pointer 22 may be used as the lower limit address signal SA2 designating the lower limit of the non-executable address range.


(2) Although the constitutions shown in FIGS. 1 and 3 are illustrated as constitution examples of the system 1 of the present invention, the constitution of the system 1 of the present invention is not limited to those. For example, although it is assumed in each of the above embodiments that the memory area 19 comprises three kinds of memory devices, namely the ROM 11, the RAM 12, and the nonvolatile memory 13, the memory area used by the CPU 10 in executing the program may comprise the RAM 12 only.


(3) Although the memory map circuit 15 is provided separately in FIGS. 1, 2 and 3 in each of the above embodiments, it may be incorporated in the CPU 10 or in the access right determination circuit 16. In addition, although the access right determination circuit 16 is provided separately in FIGS. 1, 2 and 3, it may be incorporated in the CPU 10 as a hardware circuit.


(4) Although the IC card has been described as the variation of the system 1 of the present invention in the third embodiment, the variation of the system 1 of the present invention is not limited to the IC card.


The computer system according to the present invention can be applied to a computer system requiring access control in which secret data stored in a memory area is prevented from being erased, altered or leaked due to carelessness of a user or illegal usage.


Although the present invention has been described in terms of the preferred embodiment, it will be appreciated that various modifications and alterations might be made by those skilled in the art without departing from the spirit and scope of the invention. The invention should therefore be measured in terms of the claims which follow.

Claims
  • 1. A computer system having a memory protection function comprising: a CPU for executing a computer program; a memory area including one or more memory devices for storing the computer program and data; and a memory map circuit for storing an access control memory map which defines whether the CPU has an access right for executing a program with respect to each address of the memory area, wherein the memory area in an address range in which the access control memory map defines that the CPU does not have the access right is allowed to be accessed by normal reading and writing, but is prohibited to be accessed by program execution from the CPU.
  • 2. The computer system according to claim 1 comprising an access right determination circuit for determining whether the CPU has the access right to the memory area of an execution program storage address designated by a program counter of the CPU based on the access control memory map, and outputting an access prohibition signal which makes the CPU execute a predetermined operation to disable the CPU from accessing the memory area of the execution program storage address when the CPU does not have the access right.
  • 3. The computer system according to claim 2, wherein the access right determination circuit comprises a matching circuit for receiving an input of the execution program storage address from the program counter and an input of the access control memory map from the memory map circuit and comparing the execution program storage address to the access control memory map, and enabling the access prohibition signal based on a comparison result of the matching circuit.
  • 4. The computer system according to claim 3, wherein the access right determination circuit determines the input of the execution program storage address from the program counter in synchronization with a timing signal enabled when the CPU fetches an instruction.
  • 5. The computer system according to claim 2, wherein the address range in which the access control memory map defines that the CPU does not have the access right is fixed as a data storage only address area.
  • 6. The computer system according to claim 2, wherein the address range in which the access control memory map defines that the CPU does not have the access right is used as a stack area.
  • 7. The computer system according to claim 2, wherein the memory map circuit has such a constitution that contents of the access control memory map cannot be changed by the program execution of the CPU.
  • 8. The computer system according to claim 6, wherein the address range in which the access control memory map defines that the CPU does not have the access right varies according to increase or decrease of the stack area.
  • 9. The computer system according to claim 8, wherein a part of the memory area is divided into a stack area without the access right from the CPU and a heap area with the access right from the CPU and the access control memory map varies so that an eroded heap area becomes a state without the access right from the CPU when the stack area overflows and the heap area is eroded.
  • 10. The computer system according to claim 2, wherein a part of the memory area is divided into a stack area without the access right from the CPU and a heap area with the access right from the CPU, and address ranges of the stack area and the heap area are set separately from each other so that the heap area is not eroded even when the stack area overflows.
  • 11. The computer system according to claim 2, wherein the access prohibition signal makes the CPU start a predetermined interrupt operation.
  • 12. The computer system according to claim 2, wherein the access prohibition signal makes the CPU start a reset operation.
  • 13. An IC card mounting the computer system having the memory protection function according to claim 1.
Priority Claims (1)

  Number        Date      Country  Kind
  2006-133949   May 2006  JP       national