JP2002351567A - Program control device and method, and program - Google Patents

Abstract

(57) [Summary] An object of the present invention is to provide a program control device and method, and a program that can effectively establish safety during program execution. SOLUTION: An IC mounted on an IC card 100
The control unit 300 in the chip 200 executes a security program recorded in the OS unit 420 at the time of initialization. In the DF area unit 440, a plurality of types of programs for implementing a plurality of types of services are recorded in a plurality of areas. When an area corresponding to the desired service is designated, the control unit 300 sets a hardware firewall (HWFW) for the area based on the operation of the security program. The HWFW prohibits the designation of another service and the execution of the program of another service while the program of the designated service is being executed.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a program control device and method, and a program, and more particularly to an IC
The present invention relates to a program control device and method suitable for executing a program recorded on a card, and a program.

[0002]

2. Description of the Related Art Integrated circuits (IC chips (IC: Integrat)
ed Circuit)) is becoming popular. Since an IC card has an integrated circuit mounted thereon, the storage capacity is overwhelmingly larger than that of a conventional magnetic card and the like, and the IC card can execute a program by itself. . In particular, since a plurality of application programs can be recorded and each of them can be executed by the IC card itself, it is possible to use a plurality of types of services with one IC card. Useful.

That is, one IC card can be used for various purposes such as an ID card, a credit card, a cash card, an electronic wallet (electronic money), various membership cards, a point card, an electronic key, and an electronic ticket. it can. In order to realize the use of such a plurality of types of services, an IC card usually has a function of dynamically recording and updating an application program according to a user's purpose. The ability to dynamically record and update application programs allows the user to use services according to the desired use, but also increases the possibility of unauthorized use by recording and executing unauthorized programs.

In order to deal with such a problem, a hardware firewall (Hardware Firewall) is provided in the IC card.
l, hereinafter referred to as “HWFW”). This HWFW controls the execution, reading and writing of programs and data related to other services by limiting the memory area that can be accessed by each program,
Prevent unauthorized execution.

[0005] However, in the case of the conventional HWFW, it is necessary to constantly monitor whether or not a program accesses a limited memory area. Therefore, it is necessary to keep each program executable. For this reason, if there is a command that jumps to another program in a certain program and that command is executed, all programs are in an executable state, so a jump to another program is executed and illegal use is performed. There was a possibility.

In addition, since a memory area for restricting access must be set in advance (fixedly set) for each program, if a new application program is recorded after setting once, a firewall is not applied to the program. Is not valid. For this reason, there is a problem that the security of the added / updated program cannot be established, and the advantage of an IC card that can use various services by recording a plurality of types of programs is hindered. .

[0007]

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and provides a program control device and method, and a program capable of effectively establishing security during program execution. With the goal.

[0008]

To achieve the above object, a program control device according to a first aspect of the present invention controls the execution of a plurality of programs recorded on a recording medium having a plurality of storage areas. Program assigning means for assigning at least one program for realizing a predetermined service to any one of the plurality of storage areas; and service designating means for designating a service to be executed. A program executing means for executing a program for realizing the service specified by the service specifying means; and controlling the service specifying means and the program executing means when the service specifying means specifies a service, wherein the program The service designating means designates a program which can be executed simultaneously by the executing means. Comprising a run limiting means for limiting the program program corresponding to the service is stored in the storage area allocated, and wherein the.

In the above-mentioned program control device, the service designating means designates a directory in a storage area corresponding to the designated service, and the execution restricting means executes only a program belonging to the directory designated by the service designating means. It is desirable to control the program execution means so that

In the above-mentioned program control device, the execution restricting means includes a designation restricting means for prohibiting the service designation means from designating another service while the program execution means is executing the program; It is desirable to have access restriction means for prohibiting the program execution means from accessing another storage area even if the program executed by the execution means requests access to another storage area.

In the above-described program control device, the storage medium may be a program storage area of an IC card, and the program control device may be mounted on the IC card.

According to the above configuration, for example, an IC
When a plurality of types of programs for realizing a plurality of types of services are recorded on a recording medium such as a card, for example, a service that can be realized by an IC card based on an instruction from a host terminal or the like for using the services When any of the above is specified, the executable programs are limited to the programs in the recording area allocated to the specified service. That is, a so-called hardware firewall (HWFW) is set in the target storage area when the service is specified (dynamically). Thus, unlike the case where HWFW is fixedly set in advance,
It is not necessary to keep all programs executable. For this reason, it is possible to prevent a situation in which a program being executed executes a program of another service, and it is possible to improve safety at the time of executing the program. Further, since there is no need to set a memory area to be restricted in advance, the degree of freedom of a storage area for installing an application program can be increased, and the number and capacity of programs to be installed can be flexibly handled. .

In this case, for example, if a directory is set in the designated storage area, the service designating means designates a directory immediately below the desired program, and the execution control means designates a directory immediately below the designated directory. The program execution means is controlled so that only the program is executed. Thereby, only the program for realizing the predetermined service is executed.

Further, the HWFW set in response to the designation of the service prohibits the service designation means from designating another service while the program for the predetermined service is being executed. Further, even if a program being executed requests execution of a program related to another service, the execution is prohibited. Accordingly, only the program related to the predetermined service is executed, so that the security at the time of executing the program can be improved.

To achieve the above object, a program control method according to a second aspect of the present invention is a program control method for controlling execution of a plurality of programs recorded on a recording medium having a plurality of storage areas. A program allocation step of allocating at least one program for realizing a predetermined service to any one of the plurality of storage areas; a service specification step of specifying a service to be executed; and the service specification step. A program execution step of executing a program for realizing the specified service; and, when the service is specified in the service specification step, a program executed simultaneously in the program execution step is executed by the service specification step. Record in the storage area corresponding to the specified service And an execution restriction step for restricting the program being characterized in that.

In the above program control method, in the service specifying step, a directory in a storage area to which a program corresponding to the specified service is assigned is specified, and the execution restriction step is executed in the program execution step. It is desirable that the program be limited to only those programs belonging to the directory specified in the service specifying step.

In the above-described program control method, the execution restriction step includes a designation restriction step of prohibiting designation of another service by the service designation step while the program is being executed in the program execution step; It is preferable to include an access restriction step of prohibiting access to the other storage area even if the program executed by the program requests access to another storage area.

In the above-described program control method, the storage medium may be a program storage area of an IC card.

To achieve the above object, a program according to a third aspect of the present invention causes a computer to function as the program control device.

[0020]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a diagram for explaining the configuration of an IC card (smart card) according to an embodiment of the present invention. As shown, an IC chip 200 is mounted on the IC card 100. The lower part of FIG.
0 is schematically shown. As shown, IC
The chip 200 includes a control unit 300 and a memory unit 400. The memory unit 400 further includes a work area unit 41
0, OS section 420, MF section 430 and DF area section 44
0 is provided.

The control unit 300 includes, for example, a CPU (Centra
l A processing unit (Central Processing Unit) that controls the memory unit 400 based on an instruction (command) from a host terminal (not shown) for using the IC card 100, reads out programs and data,
Write and execute.

The work area 410 is, for example, a RAM (Rand
om Access Memory) and is used as a work area when the control unit 300 executes a program.

An OS (Operating System) unit 420 is composed of a read-only semiconductor memory device such as a ROM (Read Only Memory) and stores basic software (OS) for operating the control unit 300. I do. The control unit 300 executes the OS recorded in the OS unit 420, so that the IC card 100
, And realizes each processing described later.

The OS unit 420 includes the control unit 30
It is assumed that 0 stores a security program that performs a security operation when executing an application program recorded in a DF area unit 440 described later. The operation of the hardware firewall (HWFW) function (described later) according to the present embodiment
Is realized by executing a security program.

Each program recorded in the OS section 420 is recorded when the IC chip 200 is manufactured.

An MF (Master File) unit 430 is, for example, an EEPROM (Electrically Erasabl).
A directory (hereinafter, referred to as an “MF directory”), which is constituted by a rewritable nonvolatile semiconductor memory device such as an e-Programmable Read-Only Memory (hereinafter referred to as “MF directory”), is created. This MF directory is set as a current directory when the IC card 100 is initialized.

In addition, immediately below the MF directory of the MF section 430, a common program that can be commonly executed by each program (application program) recorded in the DF area section 440 described later is stored. This common program can be dynamically added / updated (downloadable), and when the common program is downloaded immediately below the MF directory, execution by each application program in the DF area unit 440 becomes possible.

In the present embodiment, it is assumed that the subprogram of the security program recorded in the OS section 420 is recorded in the MF section 430 as a common program. Since the security program is an important program to be executed from the first use of the IC card 100, the security program is recorded in the OS unit 420 when the IC card 100 is issued (more specifically, when the IC chip 200 is manufactured). However, vulnerabilities in security programs may become apparent after a card is issued. To cope with this, subprograms and data of the security program are dynamically recorded (downloaded) in the MF unit 430 that can be added and updated, so that the latest security environment can always be realized. That is, the operation of the HWFW, which will be described later, depends on the security program of the OS section 420 and the MF section 4.
It is realized by cooperation with 30 subprograms.

The DF (Dedicated File) area 440 is, for example, an EEPROM (Electrically Era).
It is composed of a rewritable nonvolatile semiconductor storage device such as a sable programmable read-only memory, and stores programs (application programs) and data for implementing a plurality of types of services using the IC card 100. In the DF area unit 440, the storage area is further divided for each service as shown in FIG. In the present embodiment, the services that can be used with the IC card 100 are service 1 to service n (for example, service 1 is “electronic wallet”, service 2 is “ID card”, and service n is “electronic key”). The DF area unit 440 has service-specific areas 440-1 to 440-n corresponding to each service.

FIG. 3 shows the MF section 430 and the DF area section 440
FIG. 5 is a diagram schematically showing the relationship with As shown
Each service area 440-1 to 440 of the DF area unit 440
0-n stores program files, data files, and the like required for each service. Further, directories are prepared in the service-specific areas 440-1 to 440-n as necessary, and program files and data files are stored in the respective directories.

Next, referring to the flowchart of FIG.
A program execution process of the IC card 100 according to the present embodiment will be described.

First, when the communication between the IC card 100 and the host terminal is started by mounting the IC card 100 on a host terminal (not shown) for providing a desired service (step S101: Yes). And the host terminal is I
A command for initialization is issued to the C card 100.

Upon receiving the initialization command from the host terminal, the control unit 300 of the IC card 100
The OS and the security program of S unit 420 are executed (step S102).

Based on the operation of the OS executed in step S102, the control section 300 sets the MF directory of the MF section 430 as the current directory as shown in FIG. 5A (step S103). When the MF directory becomes the current directory, the common program immediately below the MF directory, that is, the security subprogram becomes executable. This security subprogram is to be executed according to the instruction of the security program started in step S102. In FIGS. 5, 6, and 8, a program that is being executed or is in an executable state is shown in reverse video.

Next, a command for designating a service provided by the host terminal is transmitted from the host terminal to the IC card 10.
0 (Step S104: Yes), the control unit 300 sends the service-specific area 4 corresponding to the service.
The root directories 40-1 to 440-n are set as current directories (step S105). Here, a case where service 1 is specified will be described as an example.

Based on the operation of the security program started in steps S102 and S103, the control unit 300 sets the root directory to the current directory in step S105 and triggers the service-specific area 440 corresponding to the root directory. -1 to hardware firewall (Hardware Firewall,
(Hereinafter referred to as "HWFW") (step S10).
6, FIG. 5 (b)). That is, the HWFW is dynamically set. Here, since no directory exists under the root directory of the service 1 (step S10).
7: No), the program immediately below the root directory is in an executable state as shown in reverse video in FIG. That is, only the program that belongs immediately below the current directory becomes executable (step S109).

On the other hand, service-specific areas 440-1 to 440
In the case where a plurality of directories exist within −n (example of service 2), control is performed based on the operation of the security program, when service 2 is designated, that is, when the root directory is designated (step S105). Part 3
00 is a service-specific area 440-2 corresponding to the service 2
(Step S106, FIG. 6)
(A)).

When the host terminal designates a directory (directory 1 in the figure) in which a necessary program is stored (step S107: Yes), as shown in reverse display in FIG. Program becomes executable. In other words, only the programs belonging directly below the current directory are in an executable state.

Then, the control unit 300 executes the program in the executable state. That is, step S10
If a directory is specified in Step 7 (Step S107: Yes), a program immediately below the directory is executed (Step S108), and a service having no directory other than the root directory is selected (Step S107: No), the program immediately below the root directory is executed (step S10).
9).

When the program is executed in step S108 or S109, the operation of the program being executed is monitored by the HWFW set in step S106 (step S200).

The program monitoring processing by the HWFW will be described with reference to the flowchart of FIG. Here, as shown in FIG.
An example in which a program belonging to directory 1 of service 2 (service 2) is being executed will be described.

First, as shown in FIG. 8A, while a program belonging to the directory 1 of the service-specific area 440-2 (in the figure, highlighted in the figure) is being executed, a service n is issued by a command from the host terminal. Is specified, that is, even if the current is set in the root directory of the service-specific area 440-n (step S201: Ye
s) Based on the operation of the security program, the control unit 300 does not permit the execution of the program belonging to the root directory where the current is set (if a further directory exists, the specified directory) (step S202). .

On the other hand, as shown in FIG. 8B, the program of the service 2 currently being executed (in the figure, highlighted)
Request execution of the program in the service-specific area 440-1 (Step S203: Yes, S204: Y
es), the control unit 300 does not permit the execution of the requested program (the program in the service-specific area 440-1 and immediately below the root directory in the figure) based on the operation of the security program (step S205). In this case, for example, even if the program of the service 2 being executed requests acquisition of data from the data file in the service-specific area 440-1, the control unit 300 does not permit this.

However, when the program of the service 2 being executed requests execution of a program (not shown) belonging to the directory 2 of the service-specific area 440-2 or acquisition of data from a data file (not shown) (step S20).
3: Yes, S204: No) is permitted in the service-specific area 440-2 in which the HWFW is set (step S206).

During the execution of the application program, the control unit 300 always performs the processing of steps S201 to S206, and monitors the operation of the application program (step S207: No).

When the execution of the application program ends (step S207: Yes), the control unit 30
0 designates the current directory as the service-specific area 440
-2, the directory 1 is changed to the MF directory (step S208).

When the MF directory becomes the current directory in step S208, the control unit 30
0 cancels the HWFW set in the service-specific area 440-2 based on the operation of the security program (step S209), returns to the program execution processing shown in FIG. 4, and ends the processing.

As described above, according to the embodiment of the present invention, the HWFW setting is dynamically set at the time of designating a service for a program executed by the IC card 100 for implementing a plurality of services. Unlike the case where the HWFW is fixedly set by setting a memory area to be monitored in advance, a degree of freedom can be provided by adding / updating a program (application program) or data to the DF area unit 440, By recording a plurality of types of programs, the convenience of an IC card realizing the use of a plurality of types of services can be effectively utilized.

The HWFW set in this embodiment is
Prohibits the designation of another service while a certain program is being executed, and allows the executed program to execute a program of another service (a program recorded in another service-specific area 440). Since the execution is prohibited, it is possible to prevent an illegal operation due to recording and executing an unauthorized program.

In the above embodiment, an example has been described in which the present invention is applied to the IC card 100 on which the CPU (control unit 300) is mounted, but the recording medium to which the present invention can be applied is not limited to this. For example, the present invention may be applied to a mode in which a host terminal executes a plurality of programs recorded on an IC card (memory card) on which a CPU is not mounted. Further, in this case, the host terminal is not limited to a dedicated device, but may be a normal computer system such as a personal computer. In this case, the same operation as the above-described operation of the control unit 300 can be realized by installing and executing a program for realizing the above-described processing in a computer.

Here, the method of supplying the program to the computer is arbitrary. For example, a medium recording the above program (for example, a flexible disk, a CD-RO
M (Compact Disc Read-Only Memory), DVD (Digita
l Versatile Disk) or may be supplied via, for example, a communication line, a communication network, a communication system, or the like. In this case, for example, a bulletin board of a communication network (BBS: Bulletin Boa)
rd System), and the program is superimposed on a carrier wave via a network and distributed to a computer. Then, by starting this program and executing it in the same manner as other application programs under the control of the OS, the above-described processing can be executed.

[0053]

As described above, according to the present invention,
It is possible to provide a program control device and method, and a program that can effectively establish safety during program execution.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining an external appearance of an IC card according to an embodiment of the present invention and a configuration in an IC chip of the IC card.

FIG. 2 is a diagram for explaining details of a DF area shown in FIG. 1;

FIG. 3 is a diagram for explaining a relationship between an MF section and a DF area shown in FIG. 1;

FIG. 4 is a flowchart illustrating a program execution process according to the embodiment of the present invention.

5A and 5B are diagrams for explaining an example of the process shown in FIG. 4; FIG. 5A is a diagram for explaining a process at the time of execution of a common program; FIG. FIG. 9 is a diagram for describing processing when a directory is specified.

6A and 6B are diagrams for explaining another example of the process shown in FIG. 4; FIG. 6A is a diagram for explaining a process when a root directory of another service is designated; )
FIG. 8 is a diagram for explaining processing when a directory in a service-specific area is specified;

FIG. 7 is a flowchart for explaining a monitoring process by the HWFW shown in FIG. 4;

8A and 8B are diagrams for explaining an example of the process shown in FIG. 7; FIG. 8A is a diagram for explaining a process when another service is specified at the time of executing a program; FIG. 9 is a diagram for describing processing when a program being executed specifies a program or data of another service.

[Explanation of symbols]

 Reference Signs List 100 IC card 200 IC chip 300 Control unit 400 Memory unit 410 Work area unit 420 OS (Operation System) unit 430 MF (Master File) unit 440 DF (Dedicated File) area unit

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Naohisa Ichihara 3-3-3 Toyosu, Koto-ku, Tokyo Within NTT Data Corporation (72) Inventor Shinya Yamamoto 3-chome, Toyosu, Koto-ku, Tokyo No. 3-3 F-term in NTT Data Corporation (reference) 2C005 MA01 MB05 SA22 SA25 5B035 AA13 BB09 CA11 CA38 5B076 FB01 FB02 FB03

Claims (9)

[Claims] 1. A program control device for controlling execution of a plurality of programs recorded on a recording medium having a plurality of storage areas, wherein the at least one program for realizing a predetermined service is executed by the plurality of programs. Program allocation means for allocating to any one of the storage areas, service specification means for specifying a service to be executed, program execution means for executing a program for realizing the service specified by the service specification means, and service specification means When the user specified the service, the service control unit and the program execution unit were controlled, and a program corresponding to the service specified by the service specification unit was assigned to a program that the program execution unit can execute simultaneously. Limited to programs recorded in storage area A program control device, comprising: 2. The service specifying means specifies a directory in a storage area corresponding to a specified service, and the execution restricting means executes only a program belonging to the directory specified by the service specifying means. The program control device according to claim 1, wherein the program control unit controls the program execution unit. 3. The execution restricting unit includes: a designation restricting unit that prohibits the service designation unit from designating another service while the program execution unit is executing a program; 2. An access restricting unit that prohibits the program execution unit from accessing another storage area even if the running program requests access to another storage area. Or the program control device according to 2. 4. The storage medium according to claim 1, wherein the storage medium is a program storage area of an IC card, and the program control device is mounted on the IC card. Program control unit. 5. A program control method for controlling execution of a plurality of programs recorded on a recording medium having a plurality of storage areas, wherein at least one program for realizing a predetermined service is stored in the plurality of programs. A program allocating step for allocating to any one of the storage areas; a service specifying step for specifying a service to be executed; a program executing step for executing a program for realizing the service specified in the service specifying step; Executing to limit programs executed simultaneously in the program execution step to a program recorded in a storage area corresponding to the service specified in the service specification step when a service is specified in the service specification step And a limiting step. Program control method to be. 6. The service designating step, wherein a directory in a storage area to which a program corresponding to the designated service is allocated is designated. 6. The program control method according to claim 5, wherein the program is limited to only programs belonging to a directory specified in the service specifying step. 7. The execution restriction step includes: a designation restriction step of prohibiting designation of another service by the service designation step while the program is being executed in the program execution step; and a program execution step executed by the program execution step. 7. An access restriction step of prohibiting access to another storage area even if the program in question requests access to another storage area. Program control method. 8. The program control method according to claim 5, wherein said storage medium is a program storage area of an IC card. 9. A program for causing a computer to function as the program control device according to claim 1. Description: