An embodiment of a program execution control circuit and a computer system according to the present invention (referred to as the “circuit of the present invention” and the “system of the present invention” occasionally hereinafter) will be described with reference to the drawings hereinafter.
According to this embodiment, it is assumed that the circuit of the present invention is applied to a computer system comprising a CPU (Central Processing Unit), a communication circuit that can receive data transmitted from an external connection device, a nonvolatile memory and a volatile memory, and the system of the present invention is provided as an IC card incorporating one or more IC chips comprising components of the computer system and the circuit of the present invention in a plastic card.
Similar to the conventional example, the basic system of the IC card according to this embodiment has the constitution shown in
The CPU 3 performs a process in the IC card by reading a program code stored in the nonvolatile memory 5 and the volatile memory 6.
The communication circuit 4 is a communication interface circuit for transmitting and receiving data to and from the external connection device 23, more specifically, for receiving the command APDU and transmitting the response APDU and it provides a contact-type interface or a noncontact-type interface.
The nonvolatile memory 5 comprises a semiconductor nonvolatile memory such as a flash memory, and the volatile memory 6 comprises a semiconductor random access memory such as an SRAM or a DRAM. The address area of the nonvolatile memory 5 provides a first memory area, the address area of the volatile memory 6 provides a second memory area different from the first memory area, and the CPU 3 can access both memory areas.
The program code of a system program of the IC card (corresponding to a first computer program) and the program code of an application program of the IC card (corresponding to a second computer program) are stored in the first memory area provided by the nonvolatile memory 5.
As shown in
The circuit 2 of the present invention controls whether the CPU 3 can execute the program code stored in the second memory area provided in the volatile memory 6. The constitution and operation of the circuit 2 of the present invention will be described with reference to
The flag 10 stores a 1-bit identifier F that identifies whether the object to be executed by the CPU 3 is the system program or the application program. When the identifier F stored in the flag 10 is “logical value 1” (represented by just “1” hereinafter), the system program is being executed or is just about to be executed; when the identifier F is “logical value 0” (represented by just “0” hereinafter), the application program is being executed or is just about to be executed. The identifier F is written into the flag 10 by the CPU 3 executing the system program, as will be described below.
The boundary address register 11 stores the boundary address of the storage area R1 reserved for the system program only in the second memory area. More specifically, when the second memory area is divided such that the storage area R1 (address area) for the system program only is positioned on the lower-address side of the receiving buffer R2 and the temporary working area R3, the boundary address is the most significant address of the storage area R1 or the least significant address of the storage areas R2 or R3.
The address comparator 12 receives an address signal and the boundary address stored in the boundary address register 11, compares the two address values, and determines whether the address value of the address signal, which specifies the location of the program code to be executed, lies in the storage area R1 for the system program only in the second memory area. When the address value lies in the storage area R1, “1” is outputted; when it does not (that is, when it lies in the storage area R2 or R3), “0” is outputted. More specifically, when the second memory area is divided such that the storage area R1 is positioned on the lower-address side of the receiving buffer R2 and the temporary working area R3, and the boundary address is the most significant address of the storage area R1, “1” is outputted when the address value of the address signal is equal to or less than the boundary address, and “0” is outputted when the address value of the address signal is greater than the boundary address.
The AND circuit 13 has three inputs, to which the output of the flag 10 (identifier F), the output of the address comparator 12 and an instruction fetch signal Sif are inputted and its output is inputted to the OR circuit 14. The instruction fetch signal Sif is a readout control signal that is outputted during an instruction fetch period when the CPU 3 reads the program code stored in the first or second memory area. The instruction fetch signal Sif becomes an activated state at “1”.
The OR circuit 14 has two inputs, to which the output of the AND circuit 13 and a second readout control signal S2rd are inputted and its output is inputted to the volatile memory 6 as a readout control signal RD for the volatile memory 6. The second readout control signal S2rd is a readout control signal outputted when the CPU 3 fetches the program code and reads the data stored in the second memory area at the time of executing the fetched instruction. The second readout control signal S2rd becomes an activated state at “1”.
Thus, the readout control signal RD becomes “1” (activated) when all of the inputs of the AND circuit 13 are “1” or when the second readout control signal S2rd is “1”. Focusing on the case in which it is controlled whether the CPU 3 can read program code from the volatile memory 6, the signal level of the second readout control signal S2rd is “0” in this case, so the state of the readout control signal RD is substantially determined by the inputs of the AND circuit 13. That is, when the identifier F of the flag 10 is “1” (the object to be executed by the CPU 3 is the system program) and the output of the address comparator 12 is “1” (the program code of the system program to be executed is in the storage area R1 for the system program only in the second memory area), the readout control signal RD is outputted in synchronization with the instruction fetch signal Sif, and the program code stored in the storage area R1 is allowed to be read.
In addition, when the identifier F of the flag 10 is “0” (the object to be executed by the CPU 3 is the application program), the readout control signal RD is not activated regardless of where the program code to be executed is stored, and the program code is not allowed to be read. Furthermore, even when the identifier F of the flag 10 is “1” (the object to be executed by the CPU 3 is the system program), if the output of the address comparator 12 is “0”, that is, the program code to be executed is not in the storage area R1 for the system program only in the second memory area, the program code is likewise not allowed to be read.
As shown in
Next, the executing operation of the system of the present invention including the control for the circuit 2 of the present invention will be described with reference to a flowchart shown in
First, when the CPU 3 is reset, the program counter in the CPU 3 is set to an initial address just after reset, that is, a head address of the system program of the nonvolatile memory 5 (first memory area) at step S100.
Then, the system program stored in the first memory area is started to be executed at step S101.
Then, the boundary address is set in the boundary address register 11 of the circuit 2 of the present invention by the execution of the system program by the CPU 3 at step S102.
Then, “1” is set in the flag 10 of the circuit 2 of the present invention by the execution of the system program at step S103, so that the execution state of the system program can be identified.
Then, the necessary program code is transferred from the first memory area to the storage area R1 for the system program only in the second memory area and stored therein by the execution of the system program at step S104.
After the executions of the system program from the steps S101 to S104, as shown in the memory map in
Then, it is determined whether the command APDU is transmitted from the external connection device 23 to the communication circuit 4 or not by the execution of the system program at step S105.
When the command APDU has been transmitted at the step S105 (YES), the operation moves to step S106 by the execution of the system program and the command APDU is stored in the receiving buffer (R2) 7 in the second memory area. Thereafter, even when the command APDU stored in the receiving buffer 7 is a malicious program code, as shown in the memory map in
Then, the contents of the command APDU stored in the receiving buffer (R2) 7 at the step S106 are determined by the execution of the system program at step S107. When the command APDU is the start command of the application program (YES at step S107), the operation moves to step S108; when it is not (that is, when it is the start command of the system program) (NO), the operation moves to step S111.
At step S108, “0” is set in the flag 10 of the circuit 2 of the present invention by the execution of the system program, so that the execution state of the application program can be identified. By the process at the step S108, the circuit 2 of the present invention enters the control state in which no program code is allowed to be executed anywhere in the second memory area, as shown in the memory map in
Then, the application program is executed by the CPU 3 at step S109.
Here, the execution process of the application program at the step S109 will be described with reference to a flowchart shown in
First, a subroutine for the execution process of the application program shown in
Then, it is determined whether the command APDU is transmitted from the external connection device 23 to the communication circuit 4 or not by the execution of the application program at step S202.
When the command APDU has been transmitted at the step S202 (YES), the operation moves to step S203 and the command APDU is stored in the receiving buffer (R2) 7 in the second memory area by the execution of the application program. Thereafter, even when the command APDU stored in the receiving buffer 7 is a malicious program code, as shown in the memory map in
Then, the contents of the command APDU stored in the receiving buffer (R2) 7 at the step S203 are determined by the execution of the application program at step S204. When the command APDU is the end command of the application program (YES at step S204), the operation moves to step S206; when it is not (NO), the operation moves to step S205 and the application program continues to be executed.
When the operation is moved to the step S206, it returns from the subroutine to the step S110 in the main routine shown in
At the step S110, “1” is set in the flag 10 of the circuit 2 of the present invention by the execution of the system program, so that the execution state of the system program can be identified. By the process at the step S110, the circuit 2 of the present invention returns to the control state in which the program code is allowed to be executed in the storage area R1 for the system program only in the second memory area, as shown in the memory map in
When the operation has moved to step S111 because the command APDU was determined at the step S107 to be not the start command of the application program but the start command of the system program, the contents of the command APDU stored in the receiving buffer (R2) 7 at the step S106 are further determined by the execution of the system program. When the command APDU is the start command of the system program stored in the second memory area (YES), the operation moves to step S112; when it is not (NO), the operation moves to step S113.
At the step S112, the command process of the system program that is required to be executed in the second memory area is executed in the storage area R1 for the system program only in the second memory area. At the step S113, the command process of the system program is executed in the first memory area.
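The gate logic of the circuit 2 (flag 10, boundary address register 11, address comparator 12, AND circuit 13 and OR circuit 14) together with the flag transitions of the flowchart (steps S102, S103, S108, S110), as an added C simulation that is not part of the patent. The memory map (R1 at the lowest addresses with boundary 0x03FF, R2 and R3 above it), the addresses and all function names are constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed memory map of the second (volatile) memory area, an assumption for this example:
 * R1 (system program only) occupies the lowest addresses, R2 (receiving buffer) and R3
 * (temporary working area) lie above it; the boundary address is the top address of R1. */
#define R1_BASE   0x0000u
#define BOUNDARY  0x03FFu
#define R2_BASE   0x0400u
#define R3_BASE   0x0800u

/* Flag 10 (identifier F) and boundary address register 11. */
typedef struct { uint8_t flag_f; uint16_t boundary; } exec_ctrl_t;

/* Address comparator 12: "1" when the address is at or below the boundary, i.e. in R1. */
static uint8_t comparator12(const exec_ctrl_t *c, uint16_t addr) { return addr <= c->boundary; }

/* AND circuit 13 feeding OR circuit 14: RD = (F & comparator & Sif) | S2rd. */
uint8_t readout_control(const exec_ctrl_t *c, uint16_t addr, uint8_t sif, uint8_t s2rd) {
    uint8_t and13 = c->flag_f & comparator12(c, addr) & sif;
    return and13 | s2rd;
}

/* Instruction fetch from the volatile memory: Sif active, S2rd inactive. */
bool fetch_allowed(const exec_ctrl_t *c, uint16_t addr) {
    return readout_control(c, addr, 1, 0) == 1;
}

/* Replays the flag transitions of the flowchart (S102, S103, S108, S110) and checks the
 * expected behaviour at each stage; returns a bitmask of the checks that held (0x1F = all). */
unsigned run_flow_scenario(void) {
    exec_ctrl_t c = { 0, 0 };
    unsigned ok = 0;
    c.boundary = BOUNDARY;                                 /* S102: boundary register set */
    c.flag_f = 1;                                          /* S103: system program running */
    if (fetch_allowed(&c, R1_BASE + 0x10)) ok |= 0x01;     /* code copied to R1 (S104) executes */
    if (!fetch_allowed(&c, R2_BASE))       ok |= 0x02;     /* APDU in receiving buffer (S106) does not */
    c.flag_f = 0;                                          /* S108: application program started */
    if (!fetch_allowed(&c, R1_BASE + 0x10) && !fetch_allowed(&c, R2_BASE) && !fetch_allowed(&c, R3_BASE))
        ok |= 0x04;                                        /* no fetch anywhere in volatile memory */
    if (readout_control(&c, R2_BASE, 0, 1)) ok |= 0x08;    /* data read of the APDU via S2rd still works (S204) */
    c.flag_f = 1;                                          /* S110: back to the system program */
    if (fetch_allowed(&c, R1_BASE + 0x10)) ok |= 0x10;     /* execution in R1 restored (S112) */
    return ok;
}

int main(void) {
    printf("flow scenario checks: 0x%02x (0x1f expected)\n", run_flow_scenario());
    return run_flow_scenario() == 0x1Fu ? 0 : 1;
}
```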
As described above, the circuit 2 of the present invention and the system 1 of the present invention provide a memory protection function with the following properties: a malicious program transmitted from the external connection device 23 to the volatile memory of the system 1 and stored therein is reliably prevented from being executed; the program code in the volatile memory area allotted to the system program can be executed while the system program of the IC card is being executed; and no program code anywhere in the volatile memory is allowed to be executed while the application program of the IC card is being executed. As a result, the data stored in the IC card can be prevented from being erased, altered or leaked.
Next, another embodiment of the present invention will be described.
(1) Although it is assumed that the system 1 of the present invention is provided as the IC card incorporating one or more IC chips comprising the CPU 3, the communication circuit 4, the nonvolatile memory 5, the volatile memory 6, and the circuit 2 of the present invention in a plastic card according to the above embodiment, the system 1 of the present invention is not always limited to the IC card.
(2) In addition, when the system 1 of the present invention comprises a plurality of IC chips and the CPU 3 and the volatile memory 6 are located on different IC chips, the circuit 2 of the present invention may be located on an IC chip other than those carrying the CPU 3 and the volatile memory 6, or may be formed on the IC chip of the CPU 3 or that of the volatile memory 6.
(3) Although one circuit constitution example of the circuit 2 of the present invention is illustrated in
The program execution control circuit and the computer system according to the present invention can be applied to a computer system such as an IC card having a communication interface with an external connection device.
Although the present invention has been described in terms of the preferred embodiment, it will be appreciated that various modifications and alterations might be made by those skilled in the art without departing from the spirit and scope of the invention. The invention should therefore be measured in terms of the claims which follow.
Number | Date | Country | Kind |
---|---|---|---|
2006-178655 | Jun 2006 | JP | national |