Program execution control circuit, computer system, and IC card

Information

  • Patent Application
  • 20080005799
  • Publication Number
    20080005799
  • Date Filed
    May 07, 2007
  • Date Published
    January 03, 2008
Abstract
A computer system prevents an illegal program that has been transmitted from an external communication device to a computer system such as an IC card, and stored there, from being executed. The system comprises a CPU, a communication circuit, a first memory area storing a first and a second computer program, and a second memory area that includes a storage area for the first computer program, a storage area for data received by the communication circuit, and a storage area for data used during program execution by the CPU. When the program to be executed by the CPU is the first computer program, execution is allowed if the program code is stored in the first memory area or in the storage area for the first computer program in the second memory area, and is not allowed if the program code is stored anywhere else in the second memory area.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram showing the system constitution example of a computer system according to one embodiment of the present invention;



FIG. 2 is a circuit diagram showing the circuit constitution example of a program execution control circuit according to one embodiment of the present invention;



FIG. 3 shows memory maps briefly showing a control state by the operation of the program execution control circuit according to one embodiment of the present invention;



FIG. 4 is a flowchart for explaining a process procedure of a system program of the computer system according to one embodiment of the present invention;



FIG. 5 is a flowchart for explaining an execution process of an application program during the process procedure in the system program shown in FIG. 4;



FIG. 6 is a view for explaining the basic system constitution of an IC card;



FIG. 7 is a view for explaining the flow of the basic command of the IC card;



FIG. 8 is a view for explaining the data structure of a command APDU and a response APDU of the IC card; and



FIG. 9 is a flowchart showing a conventional method for preventing a malicious program received from the outside from being executed.





DETAILED DESCRIPTION OF THE INVENTION

An embodiment of a program execution control circuit and a computer system according to the present invention (referred to as the “circuit of the present invention” and the “system of the present invention” occasionally hereinafter) will be described with reference to the drawings hereinafter.


According to this embodiment, it is assumed that the circuit of the present invention is applied to a computer system comprising a CPU (Central Processing Unit), a communication circuit that can receive data transmitted from an external connection device, a nonvolatile memory and a volatile memory, and the system of the present invention is provided as an IC card incorporating one or more IC chips comprising components of the computer system and the circuit of the present invention in a plastic card.


As in the conventional example, the basic system of the IC card according to this embodiment has the constitution shown in FIG. 6. A terminal PC 21 and an IC card reader/writer 22 together form an external connection device 23 that communicates with an IC card 20 over a contact-type or noncontact-type interface. As shown in FIG. 7, commands are exchanged between the external connection device 23 and the IC card 20 of FIG. 6 in the conventional way: a command APDU 24 is sent from the external connection device 23 to the IC card 20, and the result of processing that command APDU 24 is returned from the IC card 20 to the external connection device 23 as a response APDU 25.



FIG. 1 shows the further detailed constitution of the system of the present invention (corresponding to the IC card 20 shown in FIG. 6). The system 1 of the present invention comprises a CPU 3, a communication circuit 4, a nonvolatile memory 5, a volatile memory 6, and a circuit 2 of the present invention.


The CPU 3 performs a process in the IC card by reading a program code stored in the nonvolatile memory 5 and the volatile memory 6.


The communication circuit 4 is a communication interface circuit for transmitting and receiving data to and from the external connection device 23, more specifically, for receiving the command APDU and transmitting the response APDU and it provides a contact-type interface or a noncontact-type interface.


The nonvolatile memory 5 is a semiconductor nonvolatile memory such as a flash memory, and the volatile memory 6 is a semiconductor random access memory such as an SRAM or a DRAM. The address range of the nonvolatile memory 5 forms a first memory area, the address range of the volatile memory 6 forms a second memory area distinct from the first, and the CPU 3 can access both memory areas.


The program code of a system program of the IC card (corresponding to a first computer program) and the program code of an application program of the IC card (corresponding to a second computer program) are stored in the first memory area provided by the nonvolatile memory 5.


As shown in FIG. 3, the second memory area provided by the volatile memory 6 is divided into a storage area R1 reserved for program code of the system program, a receiving buffer 7 (R2) that stores the data (command APDU) received by the communication circuit 4, and a data storage area (temporary working area) R3 used for reading and writing data while the CPU 3 executes the system program or the application program. Any part of the system program that has to run from the second memory area is stored in R1 and nowhere else; this includes, for example, the routine that writes data into the nonvolatile memory 5 (a routine that typically cannot be fetched from the flash memory while that memory is being programmed).


The circuit 2 of the present invention controls whether the CPU 3 can execute the program code stored in the second memory area provided in the volatile memory 6. The constitution and operation of the circuit 2 of the present invention will be described with reference to FIG. 2.



FIG. 2 is a circuit diagram showing one circuit constitution example of the circuit 2 of the present invention. As shown in FIG. 2, the circuit 2 of the present invention comprises a flag 10, a boundary address register 11, an address comparator 12, an AND circuit 13, and an OR circuit 14. The circuit 2 of the present invention controls whether the program code can be read from the volatile memory 6 or not in order to allow or not to allow the program code stored in the second memory area to be executed by the CPU 3 shown in FIG. 1.


The flag 10 stores a 1-bit identifier F that indicates whether the object to be executed by the CPU 3 is the system program or the application program. When the identifier F stored in the flag 10 is “logical value 1” (written simply “1” hereinafter), the system program is being executed or is about to be executed; when F is “logical value 0” (written “0” hereinafter), the application program is being executed or is about to be executed. The identifier F is written into the flag 10 by the system program running on the CPU 3, as described below.


The boundary address register 11 stores the boundary address of the storage area R1 in the second memory area. More specifically, when the second memory area is laid out so that the storage area R1 (address area) occupies lower addresses than the receiving buffer R2 and the temporary working area R3, the boundary address is either the most significant address of the storage area R1 or the least significant address of the storage areas R2 and R3, depending on how the comparison is defined.


The address comparator 12 receives the address signal and the boundary address held in the boundary address register 11, compares the two values, and thereby determines whether the address that specifies where the program code to be executed is stored lies in the storage area R1 of the second memory area. It outputs “1” when the address lies in R1 and “0” when it does not (that is, when it lies in R2 or R3). More specifically, assuming the layout in which R1 occupies lower addresses than the receiving buffer R2 and the temporary working area R3, and the boundary address is the most significant address of R1, the comparator outputs “1” when the address value is less than or equal to the boundary address and “0” when it is greater.


The AND circuit 13 has three inputs: the output of the flag 10 (identifier F), the output of the address comparator 12, and an instruction fetch signal Sif. Its output is fed to the OR circuit 14. The instruction fetch signal Sif is a readout control signal that the CPU 3 asserts during the instruction fetch period, that is, while it reads program code from the first or second memory area. Sif is active at “1”.


The OR circuit 14 has two inputs: the output of the AND circuit 13 and a second readout control signal S2rd. Its output is supplied to the volatile memory 6 as the readout control signal RD for the volatile memory 6. The second readout control signal S2rd is the readout control signal the CPU 3 asserts when, while executing a fetched instruction, it reads data (as opposed to instructions) from the second memory area. S2rd is active at “1”.


Thus RD is asserted (“1”) when all three inputs of the AND circuit 13 are “1” or when the second readout control signal S2rd is “1”. Consider the case of interest, where the circuit decides whether the CPU 3 may read program code from the volatile memory 6: during an instruction fetch S2rd is “0”, so RD is determined entirely by the inputs of the AND circuit 13. That is, when the identifier F of the flag 10 is “1” (the object to be executed by the CPU 3 is the system program) and the output of the address comparator 12 is “1” (the system program code to be executed lies in the storage area R1 of the second memory area), RD is asserted in synchronization with the instruction fetch signal Sif and the program code stored in R1 can be read.


Conversely, when the identifier F of the flag 10 is “0” and the object to be executed by the CPU 3 is the application program, the readout control signal RD is not activated for an instruction fetch regardless of where the program code is stored, so no program code can be read from the volatile memory 6. Likewise, even when F is “1” and the system program is being executed, if the output of the address comparator 12 is “0”, meaning the program code to be executed lies outside the storage area R1, the program code is not allowed to be read. Note that S2rd bypasses the gate entirely: data reads from any part of the second memory area (for example, the system program parsing the command APDU in the receiving buffer 7) are never blocked; the circuit restricts instruction fetches only.



FIG. 3 shows memory maps summarizing the control state by the operation of the circuit of the present invention and showing the execution allowed or execution prohibited state of the program code according to the identifier F of the flag 10 and an address specifying the stored place of the program code to be executed. In FIG. 3, the memory map when the system program is being executed, that is, when the identifier F is “1” is arranged on the left side (FIG. 3A) and the memory map when the application program is being executed, that is, when the identifier F is “0” is arranged on the right side (FIG. 3B).


As shown in FIG. 3, when the identifier F of the flag 10 is “1”, the program code is allowed to be executed in the storage area R1 for the system program only and the program code is not allowed to be executed in the receiving buffer R2 and the temporary working area R3. In addition, when the identifier F of the flag 10 is “0”, the program code is not allowed to be executed in the entire second memory area (R1, R2 and R3).
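The gate described above, written out as a small C model so that its behaviour can be checked against the FIG. 3 memory maps. This is an added example, not circuitry or code from the patent; the absolute addresses of R1, R2, R3 and the nonvolatile memory are assumptions (the patent fixes only that R1 lies below R2 and R3), and the function names are ours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed address map. The patent fixes only that R1 lies below R2 and R3 in
 * the volatile memory; the absolute values here are ours. */
#define NV_END   0x7FFFu   /* first memory area (nonvolatile): system + application code */
#define R1_BASE  0x8000u   /* second memory area, storage area R1 (system program only) */
#define R1_END   0x83FFu   /* boundary address: the most significant address of R1 */
#define R2_BASE  0x8400u   /* receiving buffer R2 (command APDU) */
#define R3_BASE  0x8800u   /* temporary working area R3 */

/* State held by circuit 2: flag 10 and boundary address register 11. */
struct exec_ctrl {
    bool     flag_f;    /* F = 1: system program; F = 0: application program */
    uint16_t boundary;  /* boundary address register 11 */
};

/* Address comparator 12: "1" when the address is at or below the boundary. */
static bool comparator12(const struct exec_ctrl *c, uint16_t addr)
{
    return addr <= c->boundary;
}

/* AND circuit 13 feeding OR circuit 14: RD = (F & cmp & Sif) | S2rd. */
static bool rd_signal(const struct exec_ctrl *c, uint16_t addr, bool sif, bool s2rd)
{
    bool and13 = c->flag_f && comparator12(c, addr) && sif;
    return and13 || s2rd;
}

/* Instruction fetch: Sif = 1, S2rd = 0. RD drives only the volatile memory, so a
 * fetch from the first memory area never passes through circuit 2 and always proceeds. */
static bool fetch_allowed(const struct exec_ctrl *c, uint16_t addr)
{
    if (addr <= NV_END)
        return true;
    return rd_signal(c, addr, true, false);
}

/* Data read while executing an instruction: S2rd = 1, so RD is asserted whatever
 * F and the address are. The circuit gates instruction fetches, not data accesses. */
static bool data_read_allowed(const struct exec_ctrl *c, uint16_t addr)
{
    if (addr <= NV_END)
        return true;
    return rd_signal(c, addr, false, true);
}

/* Probes with the boundary register loaded as at step S102. */
static bool probe_fetch(bool flag_f, uint16_t addr)
{
    struct exec_ctrl c = { flag_f, R1_END };
    return fetch_allowed(&c, addr);
}

static bool probe_data(bool flag_f, uint16_t addr)
{
    struct exec_ctrl c = { flag_f, R1_END };
    return data_read_allowed(&c, addr);
}

/* FIG. 3 as a bitmask: bit 0 = R1, bit 1 = R2, bit 2 = R3 is fetchable.
 * FIG. 3A (F = 1) yields 0x1; FIG. 3B (F = 0) yields 0x0. */
static unsigned fig3_mask(bool flag_f)
{
    unsigned m = 0;
    if (probe_fetch(flag_f, R1_BASE)) m |= 1u;
    if (probe_fetch(flag_f, R2_BASE)) m |= 2u;
    if (probe_fetch(flag_f, R3_BASE)) m |= 4u;
    return m;
}

int main(void)
{
    static const char *const names[] = { "R1 (system only)", "R2 (recv buffer)", "R3 (work area)" };
    static const uint16_t probes[] = { R1_BASE, R2_BASE, R3_BASE };
    for (int f = 1; f >= 0; f--) {
        printf("F = %d (FIG. 3%c):\n", f, f ? 'A' : 'B');
        for (int i = 0; i < 3; i++)
            printf("  %-18s fetch %-8s data read %s\n", names[i],
                   probe_fetch(f, probes[i]) ? "allowed," : "denied,",
                   probe_data(f, probes[i]) ? "allowed" : "denied");
    }
    return 0;
}
```

The two probes make the practitioner's question explicit: instruction fetches from the second memory area depend on F and the boundary comparison, whereas data reads through S2rd are never blocked, so the system program can still parse the command APDU in the receiving buffer while F is “1” and the application can still use its working area while F is “0”.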


Next, the executing operation of the system of the present invention including the control for the circuit 2 of the present invention will be described with reference to a flowchart shown in FIG. 4.


First, when the CPU 3 is reset, its program counter is set to the reset address, that is, the head address of the system program in the nonvolatile memory 5 (first memory area), at step S100.


Then, the system program stored in the first memory area is started to be executed at step S101.


Then, the boundary address is set in the boundary address register 11 of the circuit 2 of the present invention by the execution of the system program by the CPU 3 at step S102.


Then, at step S103, the system program sets “1” in the flag 10 of the circuit 2 of the present invention, so that the circuit identifies the current execution state as that of the system program.


Then, the necessary program code is transferred from the first memory area to the storage area R1 for the system program only in the second memory area and stored therein by the execution of the system program at step S104.


After the executions of the system program from the steps S101 to S104, as shown in the memory map in FIG. 3A, the circuit 2 of the present invention becomes a control state in which the program code can be allowed to be executed in the storage area R1 for the system program only in the second memory area.


Then, it is determined whether the command APDU is transmitted from the external connection device 23 to the communication circuit 4 or not by the execution of the system program at step S105.


When a command APDU has been received at step S105 (YES), the system program proceeds to step S106 and stores the command APDU in the receiving buffer (R2) 7 in the second memory area. From this point on, even if the bytes stored in the receiving buffer 7 are a malicious program code, they cannot be executed, because, as the memory map in FIG. 3A shows, instruction fetches from the receiving buffer (R2) 7 are not allowed. When no command APDU has been received at step S105 (NO), the check at step S105 is repeated.


Then, at step S107, the system program examines the contents of the command APDU stored in the receiving buffer (R2) 7 at step S106. If the command APDU is the start command of the application program (YES), the operation moves to step S108; otherwise (when it is a command for the system program) (NO), the operation moves to step S111.


At step S108, the system program sets “0” in the flag 10 of the circuit 2 of the present invention, so that the circuit identifies the execution state as that of the application program. As a result of step S108, the circuit 2 enters the control state in which no program code may be executed from the second memory area, as shown in the memory map in FIG. 3B.


Then, the application program is executed by the CPU 3 at step S109.


Here, the execution process of the application program at the step S109 will be described with reference to a flowchart shown in FIG. 5.


First, a subroutine for the execution process of the application program shown in FIG. 5 is called by the execution of the system program at the step S109. Thus, the program counter of the CPU 3 is set at the head address of the application program in the first memory area at step S200 and the application program stored in the first memory area is started at step S201.


Then, it is determined whether the command APDU is transmitted from the external connection device 23 to the communication circuit 4 or not by the execution of the application program at step S202.


When a command APDU has been received at step S202 (YES), the operation moves to step S203 and the application program stores the command APDU in the receiving buffer (R2) 7 in the second memory area. From this point on, even if the command APDU stored in the receiving buffer 7 is a malicious program code, it cannot be executed, because, as the memory map in FIG. 3B shows, instruction fetches from the receiving buffer (R2) 7 are not allowed. Furthermore, since fetches from the storage area R1 and the temporary working area R3 are not allowed either while F is “0”, the application program cannot, even by mistake, execute anything that resides in the second memory area. When no command APDU has been received at step S202 (NO), the check at step S202 is repeated.


Then, at step S204, the application program examines the contents of the command APDU stored in the receiving buffer (R2) 7 at step S203. If the command APDU is the end command of the application program (YES), the operation moves to step S206; otherwise (NO), it moves to step S205 and the application program continues to execute.


When the operation is moved to the step S206, it returns from the subroutine to the step S110 in the main routine shown in FIG. 4.


By the execution of the system program, “1” is set to the flag 10 of the circuit 2 of the present invention at the step S110 and the execution state of the system program can be identified. By the execution process at the step S110, the circuit 2 of the present invention returns to the control state in which the program code is allowed to be executed in the storage area R1 for the system program only in the second memory area as shown in the memory map in FIG. 3A.


When the operation moves to step S111 because the command APDU is not the start command of the application program but a command for the system program (the NO branch of step S107), the system program examines the command APDU stored in the receiving buffer (R2) 7 at step S106. If the command is one whose handler is the part of the system program stored in the second memory area (YES), the operation moves to step S112; otherwise, it moves to step S113.


The command process of the system program required to be executed in the second memory area is executed in the storage area R1 for the system program only in the second memory area at the step S112. Meanwhile, the command process of the system program is executed in the first memory area at the step S113.
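The procedure of steps S100 to S113 and S200 to S206, as an added C simulation that tracks the flag 10 across a command session and checks, after every APDU, whether a program counter diverted into the receiving buffer 7 would be allowed to fetch. This is not code from the patent: the memory map, the byte encoding of the start, end and system commands, and the reduction of “execute the handler” to a single gated fetch from the handler's head address are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed address map: same ordering as FIG. 3, absolute values are ours. */
#define NV_SYS_HEAD 0x0000u   /* head address of the system program, reset target (S100) */
#define NV_APP_HEAD 0x4000u   /* head address of the application program (S200) */
#define NV_END      0x7FFFu   /* end of the first memory area (nonvolatile) */
#define R1_BASE     0x8000u   /* storage area R1, system program only */
#define R1_END      0x83FFu   /* boundary address loaded at S102 */
#define R2_BASE     0x8400u   /* receiving buffer 7 (R2) */
#define R2_SIZE     256u

/* Assumed command encoding (first APDU byte); any other value is a system command run from flash. */
enum cmd { CMD_START_APP = 0x10, CMD_END_APP = 0x11, CMD_SYS_RAM = 0x20 };

enum outcome {
    OUT_SYS_FROM_NV,     /* S113: system command handled from the first memory area */
    OUT_SYS_FROM_R1,     /* S112: system command handled from R1 */
    OUT_APP_STARTED,     /* S108, S109 */
    OUT_APP_CONTINUED,   /* S205 */
    OUT_APP_ENDED,       /* S206 then S110 */
    OUT_FETCH_DENIED,    /* RD stayed low for the fetch address */
    OUT_BAD_LENGTH       /* empty or oversized APDU, ignored */
};

struct card {
    bool     flag_f;        /* flag 10 */
    uint16_t boundary;      /* boundary address register 11 */
    bool     in_app;        /* inside the FIG. 5 subroutine */
    uint8_t  r2[R2_SIZE];   /* receiving buffer */
    size_t   r2_len;
};

/* Circuit 2 during an instruction fetch (Sif = 1, S2rd = 0). */
static bool fetch_allowed(const struct card *c, uint16_t addr)
{
    if (addr <= NV_END)
        return true;                              /* first memory area is not gated */
    return c->flag_f && addr <= c->boundary;      /* F AND comparator output */
}

/* Steps S100 to S104; the copy of system code into R1 (S104) is left implicit. */
static void card_reset(struct card *c)
{
    memset(c, 0, sizeof *c);
    c->boundary = R1_END;     /* S102 */
    c->flag_f = true;         /* S103 */
}

/* S106 / S203: the command APDU is stored in R2 as data (an S2rd path, never gated). */
static bool card_receive(struct card *c, const uint8_t *apdu, size_t len)
{
    if (len == 0 || len > R2_SIZE)
        return false;
    memcpy(c->r2, apdu, len);
    c->r2_len = len;
    return true;
}

/* S105 to S113 (system program) and S202 to S206 (application program); each
 * "execute" is modelled as one fetch from the handler's head address through circuit 2. */
static enum outcome card_handle_apdu(struct card *c, const uint8_t *apdu, size_t len)
{
    if (!card_receive(c, apdu, len))
        return OUT_BAD_LENGTH;
    uint8_t cmd = c->r2[0];
    if (c->in_app) {                                                            /* FIG. 5 */
        if (cmd == CMD_END_APP) {                                               /* S204 YES, S206, S110 */
            c->in_app = false;
            c->flag_f = true;
            return OUT_APP_ENDED;
        }
        return fetch_allowed(c, NV_APP_HEAD) ? OUT_APP_CONTINUED : OUT_FETCH_DENIED; /* S205 */
    }
    switch (cmd) {                                                              /* FIG. 4 */
    case CMD_START_APP:                                                         /* S107 YES */
        c->flag_f = false;                                                      /* S108: FIG. 3B state */
        c->in_app = true;
        return fetch_allowed(c, NV_APP_HEAD) ? OUT_APP_STARTED : OUT_FETCH_DENIED; /* S109, S200 */
    case CMD_SYS_RAM:                                                           /* S111 YES */
        return fetch_allowed(c, R1_BASE) ? OUT_SYS_FROM_R1 : OUT_FETCH_DENIED;  /* S112 */
    default:                                                                    /* S111 NO */
        return fetch_allowed(c, NV_SYS_HEAD) ? OUT_SYS_FROM_NV : OUT_FETCH_DENIED; /* S113 */
    }
}

int main(void)
{
    /* Constructed session; the 0x99 byte stands in for an attacker-supplied code payload. */
    static const uint8_t start[] = { CMD_START_APP }, stop[] = { CMD_END_APP };
    static const uint8_t sysram[] = { CMD_SYS_RAM }, payload[] = { 0x99, 0xCC, 0xCC, 0xCC };
    static const char *const names[] = { "sys from NV", "sys from R1", "app started",
                                         "app continued", "app ended", "FETCH DENIED", "bad length" };
    struct { const uint8_t *apdu; size_t len; } script[] =
        { { sysram, 1 }, { payload, 4 }, { start, 1 }, { payload, 4 }, { stop, 1 }, { sysram, 1 } };
    struct card c;
    card_reset(&c);
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        enum outcome o = card_handle_apdu(&c, script[i].apdu, script[i].len);
        /* fetch_allowed(&c, R2_BASE) asks: would a hijacked program counter in the receiving buffer run? */
        printf("%-14s F=%d  R2 executable=%d\n", names[o], c.flag_f, fetch_allowed(&c, R2_BASE));
    }
    return 0;
}
```

The session shows the two states of FIG. 3 in sequence: with F at “1” the system-only area R1 is fetchable and the receiving buffer is not; after the start command clears F, nothing in the volatile memory is fetchable, including R1, until the end command restores F at step S110. An APDU that is neither a recognised command nor a valid length is simply stored and ignored, never executed.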


As described above, the circuit 2 and the system 1 of the present invention provide a memory protection function with three properties: a malicious program transmitted from the external connection device 23 into the volatile memory of the system 1 and stored there is reliably prevented from being executed; program code in the volatile memory area allotted to the system program can be executed only while the system program of the IC card is running; and no program code anywhere in the volatile memory can be executed while the application program of the IC card is running. The data stored in the IC card is thereby protected from being erased, altered or leaked by injected code. In present-day terms the circuit is a hardware no-execute restriction on the volatile memory, switched by a single privilege flag that only the system program sets. Because fetches from the first memory area are never gated, the mechanism addresses injected code only; it does not by itself prevent an application from misusing code that is already present in the nonvolatile memory.


Another Embodiment

Next, another embodiment of the present invention will be described.


(1) Although it is assumed that the system 1 of the present invention is provided as the IC card incorporating one or more IC chips comprising the CPU 3, the communication circuit 4, the nonvolatile memory 5, the volatile memory 6, and the circuit 2 of the present invention in a plastic card according to the above embodiment, the system 1 of the present invention is not always limited to the IC card.


(2) When the system 1 of the present invention comprises a plurality of IC chips and the CPU 3 and the volatile memory 6 are located on different IC chips, the circuit 2 of the present invention may be located on a further IC chip separate from those containing the CPU 3 and the volatile memory 6, or it may be formed on the IC chip of the CPU 3 or on that of the volatile memory 6.


(3) Although one circuit constitution example of the circuit 2 of the present invention is illustrated in FIG. 2 according to the above embodiment, the circuit 2 of the present invention is not limited to the circuit constitution shown in FIG. 2. In addition, although it is assumed that the activated state of the input and output signals of the circuit 2 of the present invention is defined by the “logic value 1” in the above embodiment, the activated state of a part or all of the signal may be specified by a “logic value 0”. In addition, definition of each of the logic values of the identifier F of the flag 10 and the output of the address comparator 12 is not limited to the above embodiment. Therefore, the circuit constitution of the circuit 2 of the present invention is appropriately varied according to the definition of the logic value of each signal.


The program execution control circuit and the computer system according to the present invention can be applied to a computer system such as an IC card having a communication interface with an external connection device.


Although the present invention has been described in terms of the preferred embodiment, it will be appreciated that various modifications and alterations might be made by those skilled in the art without departing from the spirit and scope of the invention. The invention should therefore be measured in terms of the claims which follow.

Claims
  • 1. A program execution control circuit controlling a computer system, the computer system comprising a CPU capable of executing a first computer program and a second computer program, a communication circuit capable of receiving data transmitted from an external connection device, a first memory area for storing the first and second computer programs, and a second memory area including a storage area for the first computer program, a storage area for the data received by the communication circuit, and a storage area for data used when the CPU executes a program, the program execution control circuit controlling the computer system such that, in a case where it is recognized that a program to be executed by the CPU is the first computer program, the program is allowed to be executed when a program code of the program is stored in the first memory area or the storage area for the first computer program in the second memory area, and the program is not allowed to be executed when the program code is stored in the second memory area other than the storage area for the first computer program therein.
  • 2. The program execution control circuit according to claim 1 controlling such that, in a case where it is recognized that a program to be executed by the CPU is the second computer program, the program is allowed to be executed when a program code of the program is stored in the first memory area, and the program is not allowed to be executed when the program code is stored in the second memory area.
  • 3. The program execution control circuit according to claim 2 comprising: a flag for determining whether a program to be executed by the CPU is the first computer program or the second computer program; a boundary address register for storing a boundary address of the storage area for the first computer program in the second memory area; and an address comparator for comparing an address of the first or second memory area specifying where a program code of the program is stored with the boundary address stored in the boundary address register and determining whether the program code is stored in the storage area for the first computer program in the second memory area or not, the program execution control circuit outputting a readout control signal to the second memory area during an instruction fetch period for reading the program code from the first or second memory area when the flag shows that the program to be executed by the CPU is the first computer program and the address comparator determines that the program code is stored in the storage area for the first computer program in the second memory area, and the program execution control circuit not outputting the readout control signal to the second memory area during the instruction fetch period when the flag shows that the program to be executed by the CPU is the second computer program or the address comparator determines that the program code is stored in the second memory area other than the storage area for the first computer program therein.
  • 4. A computer system comprising: the program execution control circuit according to claim 1; a CPU capable of executing a first computer program and a second computer program; a communication circuit capable of receiving data transmitted from an external connection device; a first memory area capable of storing the first and second computer programs; and a second memory area including a storage area for the first computer program, a storage area for the data received by the communication circuit, and a storage area for data used when the CPU executes a program.
  • 5. The computer system according to claim 4, wherein the first memory area comprises a nonvolatile memory and the second memory area comprises a volatile memory.
  • 6. A computer system comprising: the program execution control circuit according to claim 3; a CPU capable of executing a first computer program and a second computer program; a communication circuit capable of receiving data transmitted from an external connection device; a first memory area capable of storing the first and second computer programs; and a second memory area including a storage area for the first computer program, a storage area for the data received by the communication circuit, and a storage area for data used when the CPU executes a program, wherein a system program and an application program are stored as the first computer program and the second computer program in the first memory area respectively, the system program is started after the CPU has been reset, and comprises a first step of setting the boundary address in the boundary address register provided in the program execution control circuit, a second step of setting the flag provided in the program execution control circuit to a state such that a program to be executed by the CPU is the first computer program, and a third step of storing a part or all of the system program in the storage area for the first computer program in the second memory area.
  • 7. The computer system according to claim 6, wherein the first memory area comprises a nonvolatile memory and the second memory area comprises a volatile memory.
  • 8. The computer system according to claim 6, wherein the system program further comprises a fourth step of determining whether the communication circuit receives command data transmitted from the external connection device or not, a fifth step of storing the command data in the storage area for data received by the communication circuit in the second memory area when it is determined that the command data is received at the fourth step, a sixth step of determining whether the command data is a start command of the application program or not, a seventh step of setting the flag to a state such that the program to be executed by the CPU is the second computer program when it is determined that the command data is the start command of the application program at the sixth step, an eighth step of starting the application program, and a ninth step of setting the flag in a state such that the program to be executed by the CPU is the first computer program after the application program has been completed.
  • 9. The computer system according to claim 8, wherein the application program comprises a first step of determining whether the communication circuit receives command data transmitted from the external connection device or not after the application program has been started at the eighth step of the system program, a second step of storing the command data in the storage area for data received by the communication circuit in the second memory area when it is determined that the command data is received at the first step, a third step of determining whether the command data is an end command of the application program or not, and a fourth step of moving an operation to the ninth step of the system program when it is determined that the command data is the end command of the application program at the third step.
  • 10. The computer system according to claim 8, wherein the system program further comprises a tenth step of determining whether the system program to be executed is stored in the storage area for the first computer program in the second memory area or not when it is determined that the command data is the start command of the system program at the sixth step, a step of executing the system program stored in the storage area for the first computer program in the second memory area when it is determined that the system program is stored in the storage area for the first computer program in the second memory area at the tenth step, and a step of executing the system program stored in the first memory area when it is determined that the system program is not stored in the storage area for the first computer program in the second memory area at the tenth step.
  • 11. An IC card comprising the computer system according to claim 4.
  • 12. An IC card comprising the computer system according to claim 6.
Priority Claims (1)
Number Date Country Kind
2006-178655 Jun 2006 JP national