JP2005134995A - System, method and program for security management - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize a security management system suitable for comprehensively coping with possible attacking methods. <P>SOLUTION: The security management system includes a storage means for storing a set file in which the corresponding relation between a parameter name and an inspection item is defined; an identification means for identifying an inspection item to be executed corresponding to the specified parameter, when the parameter of an inspection object is specified, by referring to the set file stored in the storage means based on the parameter name of the above specified parameter; and an execution means for executing the inspection processing, corresponding to the inspection item identified by the identification means, corresponding to the above parameter. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a computer network security system, and more particularly to a security management system technique for more efficiently managing the security of an application connected to a network.

In recent years, with the advent of various attack techniques on computer networks by malicious third parties, security systems for computer networks have become an important issue. Therefore, when building a system that connects to the network, system designers and developers must assume all of these third-party attack methods, understand their outline, and build a strong security system. Is required. As a security system of a computer network, it is described in documents such as JP 2002-328897 A (Patent Document 1).
JP 2002-328897 A

  In recent years, applications connected to the network have also been targeted for attack. As described above, in order to build a strong security system, it is necessary to consider all attack methods by a third party and respond to it. Must be built into the system. However, there are attack techniques for applications connected to the network all over the world, and new attack techniques have appeared one after another. Therefore, in order for system designers and administrators to collect all information related to these attack methods, they must spend a lot of effort and time, and they cover all attack methods without much effort. It was very difficult to take security measures that would cover the situation.

  In order to maintain the system effectively, it is necessary to always check whether effective security measures are being taken. However, since conventional security measures were implemented by embedding each logic for preventing fraud in each program, there was a situation where the security measure level was different for each program, and the security quality was consistent. There was a problem that could not be kept. In addition, it is difficult for system administrators to confirm security measures at the program level, and it is difficult to centrally manage the security measures level, and it is not possible to easily understand the contents of each program measure (for example, which The attack method is covered, and which attack method is not covered).

  In addition, the security countermeasure level of applications connected to the network often depends on the skill of the system designer, so the security countermeasure level may be higher or lower depending on the skill of the system designer. There is also. However, in order to maintain the system effectively, it is required to maintain a high level of security countermeasures consistently regardless of the skill of the system designer.

  Therefore, an object of the present invention is to realize a security management system suitable for comprehensively covering assumed attack methods.

  Moreover, this invention makes it a subject to implement | achieve the security management system which can grasp | ascertain the condition of a security measure easily.

  Moreover, this invention makes it a subject to implement | achieve the security management system which can maintain the precision of a security countermeasure level highly irrespective of a system designer's skill.

  In order to solve the above-described problem, the security management device of the invention of the present application specifies a storage unit that stores a setting file that defines a correspondence relationship between a parameter name and an inspection item, and a parameter to be inspected. A specifying unit for specifying an inspection item to be executed with respect to the specified parameter by referring to a setting file stored in the storage unit based on a parameter name of the specified parameter; and an inspection item specified by the specifying unit Execution means for executing an inspection process corresponding to the above-described parameter.

  Further, the security management device can be appropriately provided with the following configuration.

  That is, the storage means stores an inspection file that defines risk data held by each inspection item, and the execution means stores the risk data held by the inspection item specified by the specifying means as the value of the parameter. It is characterized by determining whether or not it is included.

  The dangerous data is data that may cause the server or client to execute a process that is not intended by the server, and is defined data composed of symbols, numerical values, characters, and the like.

  The execution means determines whether or not danger data is included in the value of the parameter, using a module responsible for inspection processing corresponding to the inspection item specified by the specifying means.

  The storage means stores a plurality of the setting files, and when the parameter is specified, the specifying means specifies a setting file that matches a predetermined condition from the setting files stored in the storage means, and specifies the specification The specified setting file is referred to based on the parameter name of the specified parameter.

  It further comprises setting means for accepting designation of an inspection item to be executed for each parameter name and setting a setting file in which the designated inspection item is associated with the parameter name.

  When an output instruction for the setting file is received, output means for outputting a correspondence table indicating the correspondence between the parameter name and each inspection item is further provided.

  The present invention is also established as a security management program. Specifically, a program for realizing a predetermined function in the server, and when a parameter is specified, the parameter name stored in the storage means and the inspection item are determined based on the parameter name of the specified parameter. A function for specifying a test item to be executed for the specified parameter with reference to a setting file in which the association is defined, and a function for executing a process corresponding to the specified test item for the parameter Is a program that causes a server to realize the above.

  The execution function refers to an inspection file that defines the risk data held by each inspection item stored in the storage unit based on the specified inspection item, and stores the risk data held by the specified inspection item. It is a function that identifies and determines whether or not the identified danger data is included in the value of the parameter.

  The present invention is also established as a security management method. Specifically, when a parameter is specified, the specification file is referred to based on the parameter name of the specified parameter by referring to a setting file that defines the association between the parameter name and the inspection item stored in the storage unit. A step of specifying an inspection item to be executed for the specified parameter, and a step of executing an inspection process corresponding to the inspection item specified by the specifying means for the parameter.

  The security management method of the present invention can be implemented by a computer, and a computer program therefor can be installed or loaded on the computer through various media such as a CD-ROM, a magnetic disk, a semiconductor memory, and a communication network. . It also includes the case where a computer program is recorded and distributed on a printer card or printer option board.

  According to the present invention, it is possible to easily grasp the status of security measures at the program level by referring to the setting file. Further, according to the present invention, by using the setting file, it is possible to maintain high security level accuracy consistently regardless of the skill of the system designer. Further, according to the present invention, it is possible to realize a security management system suitable for covering all possible attack methods by using the configuration file.

(Security management system configuration)
First, the configuration of the security management system of this embodiment will be described with reference to FIGS. 1 to 3. FIG. 1 is a block diagram showing a schematic configuration of a security management system according to the present embodiment. FIG. 2 is a block diagram illustrating a hardware configuration of the server according to the present embodiment. FIG. 3 is a block diagram illustrating a functional configuration diagram of the server according to the present embodiment.

  As shown in FIG. 1, the security management system 100 is typically implemented as a client / server system using a WWW system on the Internet.

  The server system 1 includes a Web server program 11, a Web page 12, a CGI program (script) 13, a storage device 14, a security management program 15, and a printer 16. A browser program 21 for accessing the server system 1 and browsing the Web page 12 is installed in the client system 2.

  The server 1 includes an application block 3 and a security management block 4. The application block includes a web server program 11, a web page 12, a CGI program (script) 13, and a storage device 14, and various websites according to specifications (for example, various sites such as a member service site and a product sales site). To the user. The security management block 4 is mainly configured by the security management program 15 and functions as a library used from the application block 3 as necessary.

  The Web server program 11 receives an HTTP message sent from the user's client computer 2 and performs processing corresponding to the message. For example, when the Web server program 11 determines that the message is for accessing the Web page specified by the URL, the Web server program 11 provides the Web page to the user's client computer 2. The Web server program 11 is typically implemented in the server system 1 as a daemon program called httpd.

  The web page 12 is document data constituting a screen to be provided to the user, which is designed using, for example, HTML. A Web page having contents corresponding to the specifications of the site can be used. In addition to Web pages that are prepared in advance as static data, Web pages that are dynamically generated by the CGI program 13 or the like are applicable.

  The CGI program 13 is a program executed when the Web server program 11 receives a specific message by HTTP. The CGI program 13 is typically described in a program language such as Perl or C ++. The CGI program interactively accepts various instructions according to site specifications, and causes the server 1 to implement processing functions based on these instructions.

  The storage device 14 stores various data according to site specifications. For example, in the case of a member service site, member information is stored, and in the case of a product sales site, product information is stored.

  The security management program 15 is a program (library) that is executed when the CGI program 13 receives a message to be inspected. The security management program 15 is typically described in a program language such as Perl or C ++.

  For example, the server 1 according to the present embodiment has a function of dynamically generating a Web page by the CGI program 13 or the like as described above. However, for example, when a malicious script is included in the input data sent from the outside, if a Web page in which the malicious script is embedded is generated as it is, information leaks on the client side that executed the script. Or damage to the file.

  Therefore, the security management program 15 checks whether or not dangerous data is included in the input data. If the dangerous data is included, the security management program 15 notifies the CGI program 13 to that effect, thereby It is configured to block attacks from.

  The printer 16 prints the contents of the setting file in the storage device 14 on a predetermined print medium in accordance with an instruction from the system administrator or the like.

  FIG. 2 is a block diagram illustrating a hardware configuration of the server according to the present embodiment. The server 1 as a security management device includes a CPU, a ROM, a RAM, an external storage device, a user interface, a display, a printer, a communication interface, and the like. In FIG. 3, attention is paid to functions related to the present invention in the server 1 and they are expressed by function blocks. In the present embodiment, it is assumed that the CPU realizes these function implementing means by executing a program stored in a ROM, RAM, external storage device, or the like, but partly uses dedicated hardware. It is good also as a structure implement | achieved.

  FIG. 3 is a block diagram illustrating a functional configuration diagram of the server according to the present embodiment. The application means (application block) 3 includes a request receiving means 30 for receiving a predetermined request transmitted from the client as a normal function necessary for executing processing according to the site specifications, and a response to the predetermined request. Request processing means 32 for executing processing is provided. However, the application means 3 of the present embodiment is characterized in that the application means 3 includes an inspection target specifying means 31 that specifies a parameter included in the received request as an inspection target and instructs the security management means 4 to start processing.

  On the other hand, the security management means (security management block) 4 receives the designation of the inspection item to be executed for each parameter name, and sets the setting file setting means 42 for setting the setting file in which the designated inspection item is associated with the parameter name. When the specification of the inspection item to be updated for each parameter name is received, the setting file update unit 43 that updates the information of the specified inspection item in the setting file, and when the output instruction of the setting file is received, the parameter name and each inspection item And a setting file output unit 44 that outputs a correspondence table indicating the corresponding relationship between the setting file and the setting file storage unit 45 that stores the setting file set by the setting file setting unit 42.

  Further, when a parameter as inspection target data is specified, the security management unit 4 refers to the setting file storage unit 45 based on the parameter name of the specified parameter, and performs an inspection to be performed on the specified parameter. An inspection item specifying unit 40 for specifying an item, an inspection execution unit 41 for executing an inspection process corresponding to the inspection item specified by the inspection item specifying unit 40 for a parameter, and an inspection result by the inspection execution unit 41 as a predetermined An inspection result output means 42 for outputting by the method, and an inspection file storage means 46 for storing an inspection file defining danger data held by each inspection item are provided.

  The inspection execution means 41 executes the inspection process corresponding to the inspection item specified by the inspection item specifying means 40. As this execution method, for example, the risk data held by the specified inspection item is stored in the inspection file storage means 46. It is possible to employ a configuration in which it is acquired from the above and whether or not the acquired danger data is included in the parameter value. Also, for example, an inspection module that performs each inspection process for each inspection item is prepared, and only the inspection module corresponding to the inspection item specified from the plurality of inspection modules is called to perform the inspection process. You may employ | adopt the structure to perform.

(Data structure of each file)
Next, the file structure according to the present embodiment will be described with reference to FIGS. FIG. 4 is a diagram showing the structure of the setting file of this embodiment. FIG. 5 is a diagram showing the structure of the setting file of this embodiment.

  As shown in FIG. 4, the setting file stores parameter names to be inspected and inspection items in association with each other. Each record includes items such as a parameter name, exception processing, inspection item 1, inspection item 2, inspection item 3,... Inspection item N, and is uniquely specified by the parameter name.

  The parameter name is the same as the parameter name used by the application, or the parameter name that can specify the parameter name used by the application is stored. In exception processing, rules for character types that allow exceptional input are stored as regular expressions.

  In each of the inspection items 1 to N, execution information (whether the inspection is enabled or disabled) indicating whether or not to execute the corresponding inspection item is stored. Here, “1” is stored when the inspection item is executed, and “0” is stored when the inspection item is not executed.

  The inspection items 1 to N are set according to the type of attack. In the present embodiment, the inspection item 1 is set with a URL inspection item for inspecting whether the target data includes characters that are not permitted in the URL. In the inspection item 2, a directory inspection item for inspecting whether the target data includes a character string used in directory traversal is set. In the inspection item 3, an SQL inspection item for inspecting whether the target data includes a character or a character string used in SQL injection is set. In the inspection item 4, a cross-site scripting inspection item for inspecting whether the target data includes a character or a character string used in cross-site scripting is set. In the inspection item 5, an OS inspection item for inspecting whether the target data includes characters used in the direct OS command injection is set. Note that the contents to be set in the inspection items are not limited to these, and inspection items for all attacks known at the time of the inspection can be appropriately set in the inspection items.

  Since which inspection item should be executed for which parameter depends on the contents of the application, it is desirable to prepare a setting file for each type of application. However, when a unique parameter name is used in all applications, it is possible to prepare one setting file and use it in common.

  This setting file is set by the setting file setting means 42. FIG. 6 is a diagram illustrating an example of the configuration of the setting file screen according to the present embodiment. As shown in the figure, the system administrator can input parameter names and inspection item execution information (1/0) from the setting file screen displayed on the display. When the setting button on the setting file screen is selected, the setting file setting unit 42 registers the input parameter name and the execution information of the inspection item in the setting file storage unit 45 in association with each other.

  As described above, according to the setting file according to the present embodiment, inspection items can be individually specified for each parameter name, so that the security level for each parameter name can be adjusted with a very simple operation. become.

  The setting file is displayed on the display by the setting file output unit 44 and printed on a print medium. FIG. 9 is a diagram illustrating an example of the setting file displayed on the display. According to this, since the parameter name and the setting state of the inspection item are output in a table format, the system administrator can grasp at a glance the security level for each parameter name at the time of maintenance. .

  Also, if the security level changes from the screen, you can simply specify the parameter name to be changed and re-enter the execution information for the inspection item on the setting file update screen (not shown) It will be possible to easily perform maintenance work.

  On the other hand, FIG. 5 is a diagram showing the structure of the inspection file of this embodiment. As shown in FIG. 5, in the inspection file, defined data as dangerous data (hereinafter, synonymous with dangerous character (column)) and inspection items are stored in association with each other. Each record includes items such as a dangerous character (string), inspection item 1, inspection item 2, inspection item 3,... Inspection item N, and is uniquely identified by the dangerous character (column). The

  The dangerous characters store data (characters) that may be used for attacks. In the inspection items 1 to N, identification information indicating whether or not the corresponding dangerous character should be extracted as a dangerous character in each inspection item is stored. For example, when looking at the character string “&”, the inspection items 1 to 3 are blank (not dangerous characters), the inspection item 4 is “&amp;” for designating sanitizing processing, and the inspection item N is a dangerous character. Each of “Error” shown is stored. According to this, it can be seen that whether or not the same character is handled as a dangerous character depends on the inspection target item.

  Hereinafter, the processing of the application means 3 will be described with reference to the flowchart shown in FIG. FIG. 7 shows the flow of processing of the application means 3. In addition, each process (including the partial process to which the code | symbol is not provided) can be arbitrarily changed in order within the range which does not produce contradiction in the processing content, or can be performed in parallel.

  Prior to the inspection, the application means 3 designates a setting file used for the inspection (STEP 701). Next, when receiving a predetermined request, that is, a parameter sent from the client 2 (YES in STEP 702), the request receiving unit 30 determines whether or not to perform an inspection on the parameter (STEP 703). It should be noted that this determination can be omitted when an inspection is always performed on parameters sent from the outside.

  If it is determined that the inspection is to be performed (Yes in STEP 703), the inspection object designating unit 31 instructs the inspection unit to start processing (STEP 704), and the received parameters are transferred to the inspection object designating unit 31 (STEP 705). ). The parameter delivery is typically performed by calling an inspection means, that is, an inspection library, with a parameter to be inspected as an argument. Thereby, the process of the inspection means is started, and the inspection process described later in FIG. 8 is executed. When the inspection process for the designated parameter is completed, the inspection unit notifies the application unit 3 of the inspection result.

  Upon receiving the notification of the inspection result, the request receiving unit 30 of the application unit 3 determines whether or not the inspection result is normal (STEP 706). If it is determined that the inspection result is normal, the request processing unit 32 determines in STEP 702 Pass the accepted parameters.

  The request processing means 32 executes processing according to the parameter (for example, generates a Web page incorporating the received parameter and sends it back to the client 2) (STEP 707).

On the other hand, when the request receiving means 30 determines that the inspection result is not normal, it executes error processing (STEP 708). As the error process, a process according to the specification can be set. For example, an error screen indicating that invalid data is included in the input value may be sent back to the client 2. In the case of error processing, the processing by the request processing means 32 is not executed, so that an attack based on dangerous data can be avoided in advance.
(Processing flow of security management means 4)
Next, processing of the security management unit 4 will be described with reference to a flowchart shown in FIG. FIG. 8 is a flowchart showing the flow of processing by the security management means 4. In addition, each process (including the partial process to which the code | symbol is not provided) can be arbitrarily changed in order within the range which does not produce contradiction in the processing content, or can be performed in parallel.

  When the start of processing is notified from the application unit 3 (YES in STEP 801), the inspection item specifying unit 40 of the security management unit 4 reads the setting file designated by the application unit 3 from the setting file storage unit 45 (STEP 802). .

  Next, the inspection item specifying unit 40 refers to the read setting file and determines whether or not exception processing is set for the parameter name of the passed parameter (STEP 803). If it is determined that exception processing is associated, exception processing is executed for the parameter (STEP 804).

  For example, when “ITEM20” is specified as the parameter name, “[AZ] [3] [_]” is stored in the exception processing column corresponding to “ITEM20”. Even if the character corresponding to “[AZ] [3] [_]” is stored in the value of, it is not processed as dangerous data.

  Next, the inspection item specifying means 40 specifies the inspection item for which execution of inspection is set for the designated parameter name from the inspection items (STEP 805). That is, from the inspection items 1 to N, the inspection items for which “1 (valid)” is set in the execution information are extracted.

  When the parameter name is “ITEM20”, “1 (valid)” is set for inspection item 1, inspection item 3, inspection item 4, and inspection item 5, and these inspection items should be executed. Specify as an inspection item.

  When the inspection item is specified, the inspection item specifying unit 40 refers to the inspection file and inspects whether or not the parameter data includes the risk data of the specified inspection item (STEP 807). For example, when the inspection item 1 (URL inspection item) is inspected, if a NULL character is included in the parameter value, it is determined that danger data is included.

  If it is determined that the dangerous data is included (Yes in STEP 807), the inspection item specifying unit 40 executes a predetermined dangerous process so that the server 1 is not attacked based on the dangerous data (STEP 808). .

  As the dangerous process, a process according to the specification can be adopted. For example, when the sanitizing process (detoxification) is specified in the inspection file, the process is executed. In the danger process, the fact that the danger data has been extracted or the sanitizing process is set in the inspection result.

  The inspection item specifying means 40 determines whether or not the inspection process has been completed for all target inspection items (STEP 809). If all of the inspection items have not been completed, the process returns to STEP 806 to inspect the next inspection item. Is executed (NO in STEP 809). The inspection item specifying unit 40 repeats the processing of STEPs 806 to 808 until the inspection processing is completed for all inspection items.

  On the other hand, when it is determined that the inspection process has been completed for all inspection items to be processed (Yes in STEP 809), the inspection result is notified to the application unit 2 (STEP 810). The application unit 2 executes the above-described processing based on the inspection result obtained as a return value.

  As described above, according to the present embodiment, since the security management block 4 is separated from the application side and configured as a library, it becomes unnecessary to mount security countermeasure logic on the application side, thereby reducing the number of application development steps. Will be able to.

  Further, according to the present embodiment, each application can use one security management block 4, so that the security quality of each application can be kept uniform. Further, according to the present embodiment, it is possible to comprehensively cover all attack methods by collectively defining target attack methods in the setting file.

  Further, according to the present embodiment, the security information can be listed by referring to the setting file, and the security management unit 4 executes the inspection process according to the information of the setting file, and therefore refers to the setting file. This makes it possible to easily verify whether security measures are properly implemented at the program level.

  In addition, according to the present embodiment, the system administrator only needs to specify whether or not the inspection target is executed for each parameter name, so that the accuracy of the security level is kept high regardless of the skills of the individual system designers. It becomes possible.

(Other embodiments)
The present invention is not limited to the above-described embodiments, and can be variously modified and applied. For example, the application means 3 that has acquired a test result indicating that dangerous data is included may be configured not to accept access from the client 2 that has transmitted such dangerous data using a cookie thereafter. .

  For example, if the request accepting unit 3 finds that the risk data is included in the request sent from the client 2 as a result of the inspection by the security managing unit 4, the request accepting unit 3 provides information indicating an attacker together with an error message. Send it back to client 2 as a cookie.

  Receiving this, the client 2 writes the cookie information in a predetermined position on the hard disk and displays the sent error message. Next time, when the client 2 makes an access request to the server 1, the browser 21 of the client 2 refers to the cookie and finds a cookie corresponding to the server 1. To the client 2.

  The server 1 determines whether or not the client 2 is a client 2 that has been certified as an attacker in the past by referring to the cookie sent together with the request. When the information indicating that the attacker is an attacker is included in the cookie, the server 1 determines that the client 2 is the client 2 that has been certified as an attacker in the past. Thereby, it is possible to perform processing so as not to accept the request without executing the inspection by the security management means 4.

  According to this configuration, the server 1 can determine whether or not the access is from an attacker using a cookie, so that access from the client 2 recognized as an attacker is easy. Can be eliminated.

It is a block diagram which shows schematic structure of the security management system which concerns on this embodiment. It is a block diagram which shows the hardware constitutions of the server which concerns on this embodiment. It is a block diagram which shows the function block diagram of the server which concerns on this embodiment. It is a figure which shows the structure of the setting file which concerns on this embodiment. It is a figure which shows the structure of the setting file which concerns on this embodiment. It is a figure which shows an example of a structure of the setting file screen which concerns on this embodiment. It is a flow of processing of application means 3 according to the present embodiment. It is a flowchart which shows the flow of the process by the application means 8 which concerns on this embodiment. It is a figure which shows an example of the setting file displayed on the display.

Explanation of symbols

1 Server 2 Client 3 Application Block 4 Security Management Block 11 Web Server Program 12 Web Page 13 CGI Program 14 Storage Device 15 Security Management Program 16 Printer 21 Browser 100 Security Management System

Claims (9)

Storage means for storing a setting file that defines the correspondence between parameter names and inspection items;
When a parameter to be inspected is specified, a setting file stored in the storage unit is referred to based on the parameter name of the specified parameter, and an inspection item to be executed for the specified parameter is specified. Specific means to
Execution means for executing the inspection process corresponding to the inspection item specified by the specifying means on the parameter;
A security management device comprising: The storage means stores an inspection file that defines risk data held by each inspection item,
The security management apparatus according to claim 1, wherein the execution unit determines whether or not the risk data held by the inspection item specified by the specifying unit is included in the value of the parameter. The said execution means judges whether risk data are contained in the value of the said parameter using the module which bears the inspection process applicable to the inspection item which the said specific means specified. Security management device. The storage means stores a plurality of the setting files,
When the parameter is specified, the specifying unit specifies a setting file that matches a predetermined condition from the setting files stored in the storage unit, and sets the specified setting based on the parameter name of the specified parameter. 4. The security management apparatus according to claim 1, wherein the security management apparatus refers to a file. 5. The apparatus according to claim 1, further comprising a setting unit configured to receive a designation of an inspection item to be executed for each parameter name, and to set a setting file in which the designated inspection item is associated with the parameter name. The security management device according to item. 5. The security according to claim 1, further comprising: an output unit that outputs a correspondence table indicating a correspondence relationship between the parameter name and each inspection item when an output instruction of the setting file is received. Management device. A program for causing a server to realize a predetermined function,
When a parameter is specified, a setting file that defines the association between the parameter name stored in the storage means and the inspection item is referred to based on the parameter name of the specified parameter, and the specified parameter is Specific functions to identify inspection items to be executed
A program for causing a server to realize an execution function for executing processing corresponding to the specified inspection item on the parameter.   The execution function refers to an inspection file that defines the risk data held by each inspection item stored in the storage unit based on the specified inspection item, and stores the risk data held by the specified inspection item. 8. The program according to claim 7, wherein the program is a function for identifying and determining whether or not the identified danger data is included in the value of the parameter. When a parameter is specified, a setting file that defines the association between the parameter name stored in the storage means and the inspection item is referred to based on the parameter name of the specified parameter, and the specified parameter is Identifying the inspection items to be performed
Executing an inspection process corresponding to the inspection item specified by the specifying unit for the parameter;
The security management method characterized by performing.

Images