JP2008234248A - Program execution device and program execution method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve security at the time of calling a function of a DLL (dynamic link library). <P>SOLUTION: A DDL isolation load determination part 205 of a DDL using program execution part 251 instructs load of an encrypted library 105 to a DDL isolation load program execution part 253. The DDL isolation load execution part 253 loads the encrypted library 105 to an isolation area according to the instruction. A DDL calling part 107 of the DLL using program execution part 251 instructs the DLL isolation load program execution part 253 to call a function mounted on a code in the encrypted library 105 loaded to the isolation area. The DLL isolation load program execution part 253 executes the code mounted on the encrypted library 105 in the isolation area according to the instruction, and reports the execution result to the DLL using program execution part 251. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a program execution device and a program execution method. The present invention particularly relates to an execution code security improvement method.

  Operating system developers and embedded device developers thoroughly test preinstalled software and ship it in a reliable state (system). Allowing a tested and trusted system to add or execute software, especially software written in C / C ++ language, etc. and executed directly on hardware such as a CPU (Central Processing Unit) The addition of some software or the addition of software that is not malicious but vulnerable can reduce system security.

  For such a problem, for example, the software is thoroughly tested, an electronic signature by a specific signer is given to what is deemed to be reliable, and only software having an electronic signature by the specific signer is allowed to be downloaded and executed. There is a method to solve by operation.

  Alternatively, for example, when permitting an Internet browser to download and execute software, as in the invention described in Patent Document 1, an unreliable executable code, that is, a downloaded executable code is executed in another boundary region. There is a way to prevent the deterioration of security.

  Alternatively, only software in an intermediate language that is not directly executed by hardware such as Java (registered trademark) or software in a script language such as Perl is permitted to be downloaded and executed, and can be accessed in such a language. There are ways to limit the scope of security issues.

Alternatively, as in the Symbian (registered trademark) OS (see, for example, Non-Patent Document 1), the authority is set in units of processes, and when calling the function of the operating system, the process does not have specific authority for each function. For example, there is a method of preventing the deterioration of security by limiting the use of the function or limiting the scope of influence when a security problem occurs (within the scope of authority).
JP-T-2001-514411 Craig Heath, “Symbian OS Platform Security: Software Development Usage the Symbian OS Security Architecture”, Wiley, April 2006.

  A function commonly used in many software may be provided as a dynamic link library (DLL). The DLL is loaded into the memory area of the program body, operates as a whole, and is completed as one piece of software as a whole. For example, database software may use a cryptographic library that meets the requirements of a database application for the encryption of data in the database.

  Or, for programs written in a language not directly executed by hardware, such as Java (registered trademark) or Perl, some functions are improved in performance, or existing software written in C / C ++, etc. In order to utilize the assets, it is described in a language of a type that is directly executed by hardware such as C / C ++, and this part is dynamically converted as necessary from a Java (registered trademark) or Perl program body as a DLL. May load and execute.

  In this way, when the software is composed of a plurality of modules and the DLL, which is a subordinate module rather than the main module, is not necessarily reliable software, even if the main program body can be trusted, the software as a whole cannot be trusted. It becomes a security problem. The program body may be tampered with because of malicious or vulnerable DLL.

  In the case of a DLL that can be used by a lot of software, as in the case of a cryptographic library, it is loaded from a program (for example, a company's confidential information management program) that becomes a very serious problem when a security problem occurs. May have a significant impact.

  When additional download and execution of DLLs loaded for function expansion etc. from these programs is permitted for programs in languages such as Java (registered trademark) and Perl, Java (registered trademark) Perl's execution engine security is reduced. The execution engines of Java (registered trademark) and Perl have many functions or have many authorities so that various programs written in the respective languages can be executed. Yes, a single DLL security issue can have a major impact.

  An object of the present invention is, for example, to improve security when calling a DLL function.

A program execution device according to an aspect of the present invention includes:
A DLL use program execution unit that executes a DLL use program that uses a DLL (dynamic link library) including a code that implements a specific function by a processing device;
An access restriction unit that restricts access by a processing device other than the DLL use program execution unit to a storage area of a storage device that the DLL use program execution unit accesses during execution of the DLL use program;
A program execution device comprising: a DLL isolation load program execution unit for executing a DLL isolation load program for loading the DLL into an isolation region which is a storage region different from the storage region where the access restriction unit restricts access by a processing device There,
The DLL use program execution unit and the DLL isolation load program execution unit have an isolation DLL communication unit that communicates with each other,
The DLL utilization program execution unit instructs the DLL isolation load program execution unit to load the DLL via the isolation DLL communication unit,
The DLL isolation load program execution unit loads the DLL into the isolation area according to an instruction from the DLL use program execution unit,
The DLL utilization program execution unit instructs the DLL isolation load program execution unit to call a function implemented by a code in the DLL loaded into the isolation region via the isolation DLL communication unit,
The DLL isolation load program execution unit executes the code in the DLL loaded into the isolation area in accordance with an instruction from the DLL usage program execution unit, and the execution result is transmitted to the DLL usage program via the isolation DLL communication unit. The execution unit is notified.

  According to one aspect of the present invention, in the program execution device, the DLL use program execution unit instructs the DLL isolation load program execution unit to load the DLL via the isolation DLL communication unit, and the DLL isolation load program execution unit. Loads the DLL into the isolation area according to the instruction from the DLL usage program execution unit, and the DLL usage program execution unit calls the function implemented by the code in the DLL loaded into the isolation region via the isolation DLL communication unit. To the DLL isolation load program execution unit, and the DLL isolation load program execution unit executes the code in the DLL loaded into the isolation region according to the instruction by the DLL usage program execution unit, and through the isolation DLL communication unit, By notifying the DLL execution program execution unit of the execution result, the DLL function Security is improved when you call the.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
This embodiment will be described by taking the Java (registered trademark) language as an example. First, a general example will be briefly described. Generally, the DLL function provided by the OS (Operating System) has a program body (provided as a “.exe” file in the case of Windows (registered trademark)) and a DLL program (Windows (registered trademark)) as necessary. In this case, the function in the DLL program can be called from the program main body by loading the function name and order (index).

  In the case of the Java (registered trademark) language, the basic function uses the DLL function provided by the OS, but further defines an interface between the program main body and the DLL program according to the Java (registered trademark). . This is called JNI (Java (registered trademark) / Native / Interface). For example, in the Java (registered trademark) language, data is managed in units of objects, and objects have fields and methods therein. Access to a field of an object can be performed by using GetMethodID of JNI API (Application Programming Programming Interface). Further, for example, an execution code that returns a double type return value described in the Java (registered trademark) language can be called from a DLL program described in C / C ++ by CallDoubleMethod API.

  FIG. 10 shows a configuration when using DLL in Java (registered trademark). The DLL use program 101 which is a Java (registered trademark) program is a program provided in a format called a class file described in the Java (registered trademark) language and compiled into an intermediate language. The Java (registered trademark) execution engine 102 (hereinafter simply referred to as “execution engine”) is software that executes the DLL usage program 101, and in a typical implementation, includes an interpreter that processes an intermediate language. ) And so on. exe is provided as an executable file. The cryptographic library 105 is DLL. Assume that it is provided as a DLL file called dll. java. exe, angou. Each dll has a program body, that is, an execution engine 102, and a DLL program, that is, a code for JNI in the cryptographic library 105, and is called a host side JNI 103 and a DLL side JNI 104, respectively. When a certain function is called by the DLL use program 101 and is provided by the cryptographic library 105, the execution engine 102 calls the DLL side JNI 104 by the DLL calling unit 107 of the host side JNI 103, and the DLL side JNI 104 Call a function (encryption function or the like) in the cryptographic library 105 and return the result. The execution engine 102 is Java. exe is the encryption library 105 angou. dll is loaded into the DLL process 106 that is a Java (registered trademark) process and used.

  FIG. 1 is a block diagram showing a configuration of a program execution device 100 according to the present embodiment.

  The program execution device 100 includes a storage device 151 such as a memory and a processing device 152 such as a CPU as hardware. As the other hardware, the program execution device 100 may include an input device for downloading a program or inputting data, an output device for displaying a program execution result on a screen, or outputting data. Good.

  The program execution device 100 also includes a DLL use program execution unit 251, an access restriction unit 252, and a DLL isolation load program execution unit 253. The DLL use program execution unit 251, the access restriction unit 252, and the DLL isolation load program execution unit 253 are implemented in, for example, the OS.

  The DLL use program execution unit 251 executes the DLL use program 101 described above as the DLL use process 106 by the processing device 152. The DLL use program 101 is a program that uses the encryption library 105 described above. The cryptographic library 105 is an example of a DLL including a code that implements a specific function, and includes, for example, a code that implements a data encryption function. The DLL usage program execution unit 251 includes a DLL isolation load determination unit 205 and an isolation DLL communication unit 204 in addition to the above-described DLL calling unit 107 in the host-side JNI 103 included in the execution engine 102 in the DLL usage process 106.

  The access restriction unit 252 accesses the storage area of the storage device 151 (also referred to as “memory area”) accessed by the DLL use process 106 during execution of the DLL use program 101 by a process other than the DLL use process 106. Limited by. Therefore, the access restriction unit 252 can use a memory protection function such as an OS.

  The DLL isolation load program execution unit 253 executes the DLL isolation load program 201 as the DLL isolation process 203 by the processing device 152. The DLL isolation load program 201 is a program that loads the DLL such as the cryptographic library 105 to an isolation area that is a storage area different from the storage area in which the access restriction unit 200 restricts access by processes other than the DLL use process 106. For example, kakuri. It is implemented in an executable file called exe. The DLL isolation load program execution unit 253 includes an isolation DLL communication unit 202 in the DLL isolation load program 201. The isolation DLL communication unit 202 and the isolation DLL communication unit 204 of the host side JNI 103 communicate with each other.

  In general, a process may refer only to an execution instance of a program, but refers to an execution instance of a program and resources allocated for execution of the program. In the following, a storage area that the DLL use process 106 accesses during execution of the DLL use program 101, that is, a storage area that the access restriction unit 200 restricts access by a process other than the DLL use process 106 is simply referred to as a DLL use process 106. There is. Similarly, the isolation region may simply be referred to as a DLL isolation process 203. For example, when the cryptographic library 105 is used, angou. Although dll will be loaded into the isolation region, it can be said that it is included in the DLL isolation process 203.

  FIG. 2 is a diagram illustrating an example of the appearance of the program execution device 100.

  2, a program execution device 100 includes a system unit 910, a display device 901 having a display screen of a CRT (Cathode / Ray / Tube) or LCD (Liquid Crystal Display), a keyboard 902 (K / B), a mouse 903, and an FDD 904 ( Hardware resources such as a flexible disk drive, a CDD 905 (compact disc drive), and a printer device 906 are provided, and these are connected by cables and signal lines. The system unit 910 is a computer and is connected to the Internet 940 via a LAN 942 (local area network) and a gateway 941.

  FIG. 3 is a diagram illustrating an example of hardware resources of the program execution device 100.

  In FIG. 3, the program execution device 100 includes a CPU 911 (also referred to as “arithmetic device”, “microprocessor”, “microcomputer”, or “processor”) that executes a program. The CPU 911 is an example of the processing device 152. The CPU 911 includes a ROM 913 (Read / Only / Memory), a RAM 914 (Random / Access / Memory), a communication board 915, a display device 901, a keyboard 902, a mouse 903, an FDD904, a CDD905, a printer device 906, and a magnetic disk. It is connected to the device 920 and controls these hardware devices. Instead of the magnetic disk device 920, a storage medium such as an optical disk device or a memory card reader / writer may be used.

  The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device 151. A communication board 915, a keyboard 902, a mouse 903, an FDD 904, a CDD 905, and the like are examples of input devices. The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

  The communication board 915 is not limited to the LAN 942, but includes the Internet 940, or a WAN (wide area network) such as an IP-VPN (Internet, Protocol, Virtual, Private, Network), a wide area LAN, and an ATM (Asynchronous, Transfer, Mode) network. It may be connected to the When connected to the Internet 940 or WAN, the gateway 941 is not necessary.

  The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922. The program group 923 stores programs for executing functions described as “˜unit” and “˜means” in the description of the present embodiment. The program is read and executed by the CPU 911. The file group 924 includes data and information described as “˜data”, “˜information”, “˜ID (identifier)”, “˜flag”, and “˜result” in the description of this embodiment. Signal values, variable values, and parameters are stored as items of “˜file”, “˜database”, and “˜table”. The “˜file”, “˜database”, and “˜table” are stored in a storage medium such as a disk or a memory. Data, information, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for processing (operation) of the CPU 911 such as calculation / control / output / printing / display. Data, information, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during processing of the CPU 911 such as extraction, search, reference, comparison, calculation, control, output, printing, and display. Is remembered.

  In the block diagrams and flowcharts described in the description of this embodiment, the arrows indicate mainly input and output of data and signals. Data and signals are stored in a memory such as a RAM 914, a flexible disk (FD) of the FDD 904, and a CDD 905. Recording is performed on a recording medium such as a compact disk (CD), a magnetic disk of the magnetic disk device 920, other optical disks, a mini disk (MD), and a DVD (Digital Versatile Disc). Data and signals are transmitted by a bus 912, a signal line, a cable, and other transmission media.

  In the description of the present embodiment, what is described as “to part” and “to means” may be “to circuit”, “to device”, and “to device”, and “to step”. , “˜step”, “˜procedure”, and “˜treatment”. That is, what is described as “˜unit” and “˜means” may be realized by firmware stored in the ROM 913. Alternatively, it may be realized only by software, or only by hardware such as an element, a device, a board, and wiring, or a combination of software and hardware, and further by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, flexible disk, optical disk, compact disk, minidisk, or DVD. This program is read by the CPU 911 and executed by the CPU 911. In other words, the program causes the computer to function as “to part” and “to means” described in the description of the present embodiment. Alternatively, the procedure or method of “˜unit” and “˜means” described in the description of the present embodiment is executed by a computer.

  Hereinafter, the program execution method according to the present embodiment, that is, the operation of the program execution device 100 will be described.

  When the DLL usage program execution unit 251 uses the cryptographic library 105 on the recording medium or the network, first, the DLL isolation load determination unit 205 of the DLL usage program execution unit 251 performs at least one of the DLL usage program 101 and the cryptographic library 105. Depending on the attribute, the DLL isolated load program execution unit 253 is instructed to load the cryptographic library 105, or the storage area in which the access restriction unit 252 restricts access by processes other than the DLL use process 106 (that is, use) It is determined whether to load the cryptographic library 105 into the process 106). When the former determination is made, the DLL isolation load determination unit 205 of the DLL use program execution unit 251 instructs the DLL isolation load program execution unit 253 to load the cryptographic library 105 via the isolation DLL communication unit 204. The DLL quarantine load program execution unit 253 loads the cryptographic library 105 from the recording medium or network to the quarantine area (that is, the DLL quarantine process 203) in accordance with an instruction from the DLL use program execution unit 251. Next, a function (for example, a data encryption function) implemented by the code in the cryptographic library 105 loaded into the quarantine area by the DLL calling unit 107 of the DLL use program execution unit 251 via the quarantine DLL communication unit 204 Is called to the DLL isolation load program execution unit 253. The DLL isolation load program execution unit 253 executes the code implemented by the cryptographic library 105 loaded into the isolation area in accordance with the instruction from the DLL usage program execution unit 251 and uses the execution result via the isolation DLL communication unit 202 as a DLL. The program execution unit 251 is notified. The DLL use program execution unit 251 performs a predetermined process based on the notified execution result and outputs the execution result from the output device.

  FIG. 4 shows a processing flow when the cryptographic library 105 is loaded and a function in the cryptographic library 105 is called. When the DLL use program 101 instructs the execution engine 102 to call the encryption library 105 to use the encryption function, the execution engine 102 instructs the host-side JNI 103 to execute the angou. Instruct to load dll (same as the general example described above). The host-side JNI 103 causes the DLL isolation load determination unit 205 to determine whether the DLL should be isolated and loaded or not (step S301). Here, it is assumed that the DLL distributed with the electronic signature is reliable software (the DLL has an attribute that the electronic signature is attached or not attached). And). If the electronic signature is applied, it should be loaded as it is, and the host side JNI 103 uses the DLL function of the OS by the DLL calling unit 107 and the like. dll is loaded into the DLL use process 106 (step S302). The host-side JNI 103 is an angou. The fact that dll has been loaded from the DLL calling unit 107 is recorded in the DLL use process 106 to prepare for later use (step S303). Next, when the DLL usage program 101 instructs to call the function of the cryptographic library 105 loaded, the execution engine 102 instructs the host-side JNI 103 to call the function (step S306), and the host-side JNI 103 executes the DLL in step S303. Based on the contents recorded in the usage process 106, it is confirmed whether or not the cryptographic library 105 is loaded by the DLL calling unit 107 (step S307). When loaded from the DLL calling unit 107, the DLL calling unit 107 directly calls the function of the target DLL within the DLL using process 106 (step S308), and returns the calling result to the execution engine 102 and further to the DLL using program 101 (step S310). ).

  The encryption library 105 angou. A case where dll is not distributed with an electronic signature will be described. Since the electronic signature has not been given (step S301), the host-side JNI 103 passes through the isolated DLL communication unit 204 and the target DLL, “angou. dll is loaded (step S304). At this time, the host-side JNI 103 passes through the isolation DLL communication unit 204 and the angou. The DLL isolation load program execution unit 253 is instructed to load dll, and the DLL isolation load program 201 is activated (step S311). The activated DLL isolation load program 201 constitutes the DLL isolation process 203 and is the specified DLL, angou. dll is loaded into its own process (step S312), and the isolation DLL communication unit 204 in the host side JNI 103 is notified of the completion of the load via the isolation DLL communication unit 202 (step S313). The host-side JNI 103 records that the DLL has been loaded into the DLL use process 106 via the isolated DLL communication unit 204 (step S305). In response to the call of the DLL function (step S307), since the DLL is loaded into the DLL isolation process 203 (step S307), the function of the target DLL is called via the isolation DLL communication unit 204 (step S309). That is, the isolated DLL communication unit 204 of the host side JNI 103 instructs the isolated DLL communication unit 202 of the DLL isolated load program 201 to call a function by inter-process communication. The quarantine DLL communication unit 202 of the DLL quarantine load program 201 that has received it (step S314) receives the angou. The DLL function designated via the JNI function in the dll is called (step S315), and the call result is also returned to the DLL using process 106 by inter-process communication or the like (step S316).

  As described above, by separating the unreliable DLL execution code into the DLL isolation process 203 having a memory area different from that of the program body, it is loaded in the DLL isolation process 203 by the memory protection function of the process provided by the OS. Even if the DLL reaches actions such as memory destruction and execution code rewriting, the damage is confined in the DLL isolation process 203 and does not reach the DLL use process 106. Further, in order to convert DLL function calls between the DLL isolation load program 201 and the host-side JNI 103, the DLL “angou. The dll may be the same whether it is loaded as is or isolated.

  In this embodiment, the selection of DLL loading is determined based on the presence or absence of an electronic signature (an example of an attribute of a DLL), but there is also a method of determining based on the signer of the electronic signature (an example of an attribute of a DLL). For example, when the OS manufacturer or the device manufacturer in use is a signer, it is loaded as it is without being isolated as being reliable. Alternatively, the determination is made by the creator of the DLL (an example of the attribute of the DLL) that can be identified from the information stored together with the DLL on the recording medium or the network.

  The selection of DLL loading may be determined by the function and authority of the program main body (an example of the attribute of the DLL use program 101). For example, since a program for accessing the security chip requires high security, the DLL is loaded in isolation. In addition, in a program having a certain level of authority, the DLL is loaded in isolation. Alternatively, it may be determined based on the magnitude relationship (inclusion) between the program body and the DLL authority. For example, if the program body has all the authority necessary for DLL execution, the DLL is loaded without isolation. Alternatively, when high security is not required, it may be possible to load a DLL requiring a high speed call as it is without being isolated load.

As described above, the program execution device 100 according to the present embodiment is
Apart from the program body (DLL utilization program 101) that loads and executes the software module (DLL) that is linked and loaded when the program is executed, a separate program for DLL loading (DLL isolation load program 201) is provided,
In response to a DLL load instruction from the DLL usage program 101, a memory area (isolation area) different from the DLL usage program 101 for loading the DLL is allocated,
The DLL isolation load program 201 is executed in the isolation area, and the DLL isolation load program 201 loads the target DLL in the isolation area,
The DLL use program 101 and the DLL isolation load program 201 are provided with isolation DLL communication units 202 and 204,
By these isolated DLL communication units 202 and 204, calls between the DLL usage program 101 and the DLL execution code, calls between the DLL usage program 101 and the DLL isolation load program 201, and the DLL isolation load program 201 and the DLL Execute as an alternative to calls between executable code.

  This improves the security when calling the DLL function.

In addition, the program execution device 100
Depending on attributes such as the DLL usage program 101 and DLL functions, authority, creator, etc., the DLL is isolated and loaded and executed as described above, or loaded into the memory area of the DLL usage program 101 as usual. It has a DLL isolation load determination unit 205 that selects whether to execute.

  As a result, the execution time when calling a reliable DLL function can be shortened.

Embodiment 2. FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 5 is a block diagram showing the configuration of the program execution device 100 according to the present embodiment.

  In the present embodiment, the program execution apparatus 100 includes a DLL isolation load program authority setting unit 254 in addition to the one shown in FIG. The DLL isolation load program authority setting unit 254 is implemented in the OS, for example.

  The DLL isolation load program authority setting unit 254 has an authority of a level necessary for executing the code in the DLL such as the cryptographic library 105 (for example, preset for each DLL and stored together with the DLL on the recording medium or network). Is set in the DLL isolation load program execution unit 253 by the processing device 152. That is, the authority of the DLL isolation process 203 is set. The DLL isolation load program authority setting unit 254 stores the set authority in the storage device 151. The authority stored in the storage device 151 is referred to when the DLL isolation process 203 calls a specific function of the OS or accesses a specific storage area of the storage device 151.

  For example, when using an OS that provides a function for granting authority to a process, by giving only the authority necessary for the DLL to be loaded to the DLL isolation process 203, the authority higher than that required for the DLL is granted. If the program main body (DLL utilization program 101) that loads the program has an influence range of security degradation can be narrowed. The necessary authority may be stored in the DLL file, or a separate file may be prepared and stored in the file, and the DLL file and the file storing the authority may be distributed as a set. When storing in the DLL file, both the authority when directly loading from the DLL use program 101 and the authority when being isolatedly loaded may be stored.

As described above, the program execution device 100 according to the present embodiment is
In an environment where authority is given to the execution of the program and the function provided by the OS or the like can be used only within an authorized range, a DLL that sets only the authority necessary for executing the target DLL for the DLL isolation load program 201 An isolation load program authority setting unit 254 is included.

  This further improves the security when calling the DLL function.

Embodiment 3 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 6 is a block diagram showing a configuration of the program execution device 100 according to the present embodiment.

  In the present embodiment, in the program execution device 100, the DLL using program execution unit 251 includes a security violation recording / notification unit 401 in the host-side JNI 103 in addition to the one shown in FIG. In addition to the one shown in FIG. 1 in the first embodiment, the DLL isolation load program execution unit 253 includes a security violation recording / notification unit 402 in the DLL isolation load program 201.

  The security violation recording / notifying unit 402 of the DLL isolation load program execution unit 253, when accessing a storage area different from the isolation area while executing code in the DLL such as the cryptographic library 105 in the isolation area, the isolation DLL communication unit The DLL utilization program execution unit 251 is notified of the access via the 202. Based on the notification, the security violation recording / notification unit 401 of the DLL using program execution unit 251 stores the access corresponding to the security violation in the storage area or outputs it from the output device.

  In the first embodiment, the cryptographic library 105 is isolated by the DLL isolation process 203 and can be accessed only within the DLL isolation process 203 by a memory protection function such as an OS. If an attempt is made to access a memory that violates the memory protection function of the OS, that is, access is not permitted, the process is notified by a method determined by the OS.

  Therefore, as described above, the security violation recording / notifying unit 402 is provided in the DLL isolation load program 201. When the DLL use process 106 receives a notification of memory protection violation by the OS, it calls the security violation recording / notification unit 402. The security violation recording / notification unit 402 notifies the isolation DLL communication unit 204 on the DLL use process 106 side via the isolation DLL communication unit 202, and the security violation recording / notification unit 401 in the host side JNI 103 Record the effect in a file or notify the user or system administrator.

  From the record or notification by the security breach recording / notification unit 401, it can be seen that the cryptographic library 105 has a defect or is trying to perform an illegal operation. Thereafter, the cryptographic library 105 is not used (simply used by the user). Alternatively, the program execution apparatus 100 may automatically set to prohibit the use of the cryptographic library 105), and a reduction in security can be avoided. The security violation recording / notification units 401 and 402 can prevent potential security damage by forcibly terminating the DLL isolation process 203 and the DLL use process 106. Alternatively, the DLL isolation load determination unit 205 can refer to the record of the security violation recording / notification unit 401 and reject the DLL load regardless of whether it is performed directly or isolated.

Embodiment 4 FIG.
The difference between the present embodiment and the third embodiment will be mainly described.

  The configuration of the program execution device 100 according to the present embodiment is the same as that shown in FIG. 6 in the third embodiment.

  In the present embodiment, the access restriction unit 252 restricts a specific operation to a part of the storage area of the storage device 151. For example, the access restriction unit 252 restricts operations such as writing data to the page and reading data from the page for each of the plurality of pages. The security violation recording / notifying unit 402 of the DLL quarantine load program execution unit 253 performs the operation to the storage area where the access restriction unit 252 restricts a specific operation while executing code in the DLL such as the cryptographic library 105 in the quarantine area. When the operation is performed, the DLL use program execution unit 251 is notified of the operation through the isolation DLL communication unit 202. For example, when the DLL isolation process 203 writes data to a page that is restricted by the access restriction unit 252, the fact is notified to the DLL use process 106. Based on the notification, the security violation recording / notification unit 401 of the DLL using program execution unit 251 stores the operation corresponding to the security violation in the storage area or outputs it from the output device.

  In many cases, the memory protection function by the OS is realized by a memory protection function of a CPU or MMU (Memory / Management / Unit) on which the OS operates. In many CPUs and MMUs, for example, a memory can be secured in units called pages every 4 KB, and attributes can be attached to the pages. For example, it is assumed that one page is set from addresses 0x1000 to 0x2000 for reading only for the execution code, and three pages are set from 0xC000 to 0xF000 for reading and writing for data and stack. At this time, if a process in which a certain program operates performs a write access to a page that can only be read, a page protection violation is detected and a CPU exception or the like occurs. This CPU exception is notified to the OS, and the OS notifies the memory protection violation as described in the third embodiment. The DLL using process 106 calls the security violation recording / notifying unit 402 when receiving the notification by the OS. The security violation recording / notification unit 402 notifies the isolation DLL communication unit 204 on the DLL use process side via the isolation DLL communication unit 202, and the security violation recording / notification unit 401 in the host side JNI 103 Record this in a file or notify the user or system administrator.

As described above, the program execution device 100 according to Embodiment 3
Security violation recording / notification units 401 and 402 are provided for detecting access to a memory outside the isolation area of a DLL execution code executed in the isolation area, and recording / notifying the access as a security warning.

Further, the program execution device 100 according to the fourth embodiment includes:
A security violation record that restricts the interface between the program body (DLL usage program 101) and the DLL execution code, detects memory access that is impossible within the scope of the restriction, and records / notifies the access as a security warning Notification units 401 and 402 are included.

  Thereby, when the DLL used in the past is used again, the reliability of the DLL can be confirmed.

  The JNI function includes, for example, an API called GetStringChars that reads the contents of a specified character string in the execution engine 102, and an API called ReleaseStringChars that notifies the execution engine 102 that the use of the character string has ended. In response to an API call for GetStringChars from the DLL, the DLL JNI 104 provides the content of the character string designated by the execution engine 102 to the cryptographic library 105 via the isolated DLL communication units 202 and 204 and the host JNI 103. Here, the DLL-side JNI 104 does not provide the contents of the character string as they are, but assigns them to independent pages using the OS function or the like. In addition, the DLL JNI 104 deletes the page assignment in response to the API call to ReleaseStringChars. When an erased page is accessed later, a memory protection violation occurs, and it can be seen that the DLL program has a defect or an illegal process.

  Alternatively, the DLL obtains an array object from the execution engine 102. In a typical implementation of the execution engine 102, the array object contains the contents of the array following management information such as type information of the contents of the array and length information of the array. In Java (registered trademark) language, the length of the array cannot be changed, but it is conceivable that the length of the array is rewritten in the DLL. In such a case, the DLL-side JNI 104 sets the array management information and the array contents information as separate pages. During execution of the DLL execution code, the management information portion is only read by the memory protection function. The content can be a readable / writable page. In this case, when the management information is rewritten, it is found that a memory protection violation occurs and the DLL program has a defect or an illegal process.

  Alternatively, in the above example of the array, access to the contents of the array is permitted only when calling an API dedicated to accessing the contents of the array, such as GetObjectArrayElement and SetObjectArrayElement provided by JNI, and in other cases, the memory protection function You may monitor and detect security violations. In this way, security can be improved.

  As a modification of the third and fourth embodiments, instead of using the memory protection function, the DLL execution code is not directly executed by the CPU, but is executed by an interpreter that interprets and executes the instructions of the CPU. The processing content may be confirmed. In this case, there is a possibility that the performance is deteriorated. However, in Embodiment 5 described later, the performance is deteriorated only during the test, so that this is not a problem.

  Here, another modification will be described. In this example, the program execution device 100 designates data in the program main body (DLL utilization program 101) that requires higher security, monitors access to the same data or data referred to by the same data, and is considered unnecessary. Security violation recording / notification units 401 and 402 for recording / notifying the determined access as a security warning are provided.

  For example, assume that the program body (DLL usage program 101) accesses the security chip. Such a program requires high security. Therefore, data that requires high security for the access is distinguished. FIG. 7 shows an implementation example in a Java (registered trademark) object 403 (hereinafter simply referred to as “object”). In a typical execution engine 102 implementation, an object 403 contains data common to each object 403 and different data for each object 403. Examples of common data include the type (type) information and size of the object 403. In this example, a security flag is added as common data. When the DLL side JNI 104 detects an access to the object 403 with this security flag, it is determined that it is a security violation, so that a security accident due to information leakage from high security data that should not be accessed originally is considered. Can be prevented.

  This security flag is set by referring to data with a security flag that is automatically set for data generated by a specific Java (registered trademark) API, in addition to a method using the Java (registered trademark) API. It is possible to use a method such as automatically setting for existing data.

Embodiment 5. FIG.
The difference between the present embodiment and the third embodiment will be mainly described.

  In the present embodiment, the DLL isolation load program execution unit 253 executes the code implemented by the cryptographic library 105 in the isolation area as a test. The security violation recording / notification unit 402 of the DLL isolation load program execution unit 253 stores in the storage device 151 whether or not a storage area other than the isolation area has been accessed during the execution. Then, the content stored in the storage device 151, that is, whether or not the access has been made is notified to the DLL use program execution unit 251 via the isolation DLL communication unit 202. Based on the notification, the security violation recording / notification unit 401 of the DLL using program execution unit 251 stores whether the access corresponding to the security violation has occurred in the storage area or outputs it from the output device. When the DLL usage program execution unit 251 uses the cryptographic library 105, the DLL isolation load determination unit 205 of the DLL usage program execution unit 251 may have accessed a storage area different from the isolation area during the test. If it is stored in the storage device, it is determined to instruct the DLL isolation load program execution unit 253 to load the cryptographic library 105. On the other hand, if it is stored in the storage device that there was no access to a storage area different from the quarantine area during the test, it is determined to load the cryptographic library 105 directly into the DLL use process 106.

Embodiment 6 FIG.
In the present embodiment, differences from the fourth embodiment will be mainly described.

  In the present embodiment, the DLL isolation load program execution unit 253 executes, as a test, the code implemented by the cryptographic library 105 in the isolation area, as in the fifth embodiment. The security violation recording / notification unit 402 of the DLL quarantine load program execution unit 253 stores in the storage device 151 whether or not the access restriction unit 252 has performed the operation on the storage area that restricts the specific operation during the execution. To do. Then, the content stored in the storage device 151, that is, whether or not the operation has been performed is notified to the DLL use program execution unit 251 via the isolation DLL communication unit 202. Based on the notification, the security violation recording / notification unit 401 of the DLL using program execution unit 251 stores whether or not there is an operation corresponding to the security violation in the storage area or outputs it from the output device. When the DLL use program execution unit 251 uses the cryptographic library 105, the DLL isolation load determination unit 205 of the DLL use program execution unit 251 determines that the access restriction unit 252 restricts a specific operation during the test. When it is stored in the storage device that the operation has been performed, it is determined to instruct the DLL isolation load program execution unit 253 to load the cryptographic library 105. On the other hand, if it is stored in the storage device that the access restriction unit 252 did not perform the operation on the storage area for restricting the specific operation during the test, the cryptographic library 105 is loaded directly into the DLL usage process 106. Judging what to do.

  In the first embodiment, the function call in the DLL is not a general function call in the same process but a call using inter-process communication. This increases the time for the call itself, and also requires a data communication time when processing a large amount of data, which causes a reduction in speed performance. Therefore, in the fifth and sixth embodiments, the DLL isolation load determination unit 205 adds information indicating whether or not a DLL test is in progress to the determination criteria. During the test, the DLL is isolated and the security violation recording / notification units 401 and 402 are operated. Here, it is confirmed that a security violation is not recorded / notified, and if other tests (such as the function realized by the DLL itself) pass, the DLL is not isolated and loaded into the DLL use process 106. In this way, it is possible to suppress degradation of performance while maintaining security.

  Whether the test has passed can be determined, for example, by giving an electronic signature by a specific signer when the test passes, but by giving an electronic signature by a different signer otherwise. Also, in the device configured for testing, the DLL use program execution unit 251 loads and isolates the DLL, and in the device configured for the product, the DLL use program execution unit 251 loads the DLL as it is. Also good.

As described above, the program execution device 100 according to the fifth and sixth embodiments is
At the time of a DLL test, the same security violation recording / notification units 401 and 402 as in the third and fourth embodiments are used to check for the presence of a security violation. If there is no security violation and the test passes, the DLL is loaded without isolation. It has a DLL isolation load determination unit 205 that permits execution.

  As a result, the execution time when calling the DLL function whose reliability has been confirmed can be shortened.

Embodiment 7 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 8 is a block diagram showing the configuration of the program execution device 100 according to the present embodiment.

  In the present embodiment, the isolated DLL communication units 202 and 204 included in the DLL use program execution unit 251 and the DLL isolated load program execution unit 253 use the specific storage area of the storage device 151 as the shared memory 502 (shared memory area). The shared memory 502 is used when sharing and communicating with each other. The DLL use program execution unit 251 includes a shared memory management unit 501 that manages the shared memory 502 in the host-side JNI 103.

  As described above, performance may be degraded by DLL isolation. As a method for improving performance degradation, in this embodiment, a shared memory 502 is provided between the DLL use process 106 and the DLL isolation process 203.

  It is not known which data of the execution engine 102 the DLL accesses. Therefore, all (data) memory areas in the execution engine 102 are potential target areas of the shared memory 502. However, if the target of the shared memory 502 is expanded in this way, the security is lowered. Therefore, it is necessary to limit the sharing target by concentrating such memory areas as much as possible.

  In JNI, data that has been passed from the execution engine 102 to the DLL or data that has been passed from the DLL to the execution engine 102 is concentrated as much as possible as data that may be shared in the future. In addition to setting the shared memory 502, the shared memory management unit 501 collects data access information. In the case of the Java (registered trademark) language, once the data is secured, the location does not move, but the data position is moved by garbage collection compaction. The shared memory management unit 501 provides hint information to the garbage collector (memory management mechanism) of the execution engine 102 so that the data desired to be collected is collected at the time of compaction execution (see FIG. 9). Alternatively, the data generated on the DLL side may be arranged in the shared memory 502 from the beginning. In this way, for example, when a memory is shared in order to access a large amount of data during a call to a function of a DLL and another memory is accessed during a call to the function of the DLL, the data is stored in the same page. If it exists, it has already been shared, and the possibility of protecting data that should not be accessed by the DLL increases.

  In the above description, data on the same page cannot be protected. However, as described above, it is conceivable to check outside the range accessible by JNI using the characteristics and restrictions of JNI. That is, a certain page is set to be shared and a copy thereof is taken. After the DLL call is finished, sharing is canceled, and compared with the copy, it is checked whether the area outside the range accessible by JNI has been rewritten. By concentrating and limiting the shared range, it is possible to narrow the check range and suppress performance degradation. In addition, it is possible to predict data to be concentrated in advance for sharing, not at the time of execution, by static analysis of program source code and execution code, execution log acquisition analysis at the time of testing, and the like.

As described above, the program execution device 100 according to the present embodiment is
Set the shared memory 502 between the program body (DLL usage program 101) and the DLL in the isolation area,
The shared memory management unit 501 notifies the memory management mechanism of the DLL using program 101 of data created by the DLL execution code, data accessed by the DLL execution code, and data accessed in the same function of the DLL execution code.

  This can shorten the execution time when calling the isolated DLL function.

  As mentioned above, although embodiment of this invention was described, you may implement combining 2 or more embodiment among these. Alternatively, one of these embodiments may be partially implemented. Or you may implement combining two or more embodiment among these partially.

1 is a block diagram illustrating a configuration of a program execution device according to Embodiment 1. FIG. 1 is a diagram illustrating an example of an appearance of a program execution device according to Embodiment 1. FIG. 3 is a diagram illustrating an example of hardware resources of the program execution device according to Embodiment 1. FIG. 3 is a flowchart showing a program execution method according to the first embodiment. FIG. 6 is a block diagram illustrating a configuration of a program execution device according to a second embodiment. 5 is a block diagram showing a configuration of a program execution device according to Embodiments 3 and 4. FIG. FIG. 10 is a block diagram showing a configuration of an object in a modification of the third and fourth embodiments. FIG. 20 is a block diagram illustrating a configuration of a program execution device according to a seventh embodiment. FIG. 19 is a conceptual diagram illustrating an example of memory concentration in the seventh embodiment. It is a figure which shows the usage example of a general DLL.

Explanation of symbols

  100 program execution device, 101 DLL use program, 102 execution engine, 103 host side JNI, 104 DLL side JNI, 105 cryptographic library, 106 DLL use process, 107 DLL calling unit, 151 storage device, 152 processing device, 201 DLL isolated load Program, 202 isolation DLL communication unit, 203 DLL isolation process, 204 isolation DLL communication unit, 205 DLL isolation load determination unit, 251 DLL use program execution unit, 252 access restriction unit, 253 DLL isolation load program execution unit, 254 DLL isolation load Program authority setting unit 401 Security violation recording / notification unit 402 Security violation recording / notification unit 403 object 501 shared memory management unit 502 shared memory 90 Display device, 902 keyboard, 903 mouse, 904 FDD, 905 CDD, 906 printer device, 910 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk device, 921 operating system, 922 window System, 923 programs, 924 files, 940 Internet, 941 gateway, 942 LAN.

Claims (9)

A DLL use program execution unit that executes a DLL use program that uses a DLL (dynamic link library) including a code that implements a specific function by a processing device;
An access restriction unit that restricts access by a processing device other than the DLL use program execution unit to a storage area of a storage device that the DLL use program execution unit accesses during execution of the DLL use program;
A program execution device comprising: a DLL isolation load program execution unit for executing a DLL isolation load program for loading the DLL into an isolation region which is a storage region different from the storage region where the access restriction unit restricts access by a processing device There,
The DLL use program execution unit and the DLL isolation load program execution unit have an isolation DLL communication unit that communicates with each other,
The DLL utilization program execution unit instructs the DLL isolation load program execution unit to load the DLL via the isolation DLL communication unit,
The DLL isolation load program execution unit loads the DLL into the isolation area according to an instruction from the DLL use program execution unit,
The DLL utilization program execution unit instructs the DLL isolation load program execution unit to call a function implemented by a code in the DLL loaded into the isolation region via the isolation DLL communication unit,
The DLL isolation load program execution unit executes the code in the DLL loaded into the isolation area in accordance with an instruction from the DLL usage program execution unit, and the execution result is transmitted to the DLL usage program via the isolation DLL communication unit. A program execution apparatus that notifies an execution unit.   The DLL usage program execution unit instructs the DLL isolation load program execution unit to load the DLL according to at least one attribute of the DLL usage program and the DLL, or the access restriction unit The program execution device according to claim 1, wherein it is determined whether to load the DLL into a storage area where access is restricted. The program execution device further includes:
2. The program execution apparatus according to claim 1, further comprising a DLL isolation load program authority setting unit that sets authority of a level necessary for executing the code in the DLL in the DLL isolation load program execution unit.   When the DLL isolation load program execution unit accesses a storage area different from the isolation area while executing the code in the DLL loaded to the isolation area, the DLL isolation load program execution part has the access via the isolation DLL communication section. The program execution apparatus according to claim 1, wherein the DLL usage program execution unit is notified of the fact. The access restriction unit restricts a specific operation to a partial storage area of the storage device,
The DLL isolation load program execution unit executes the operation to a storage area where the access restriction unit restricts a specific operation while executing the code in the DLL loaded to the isolation region. The program execution apparatus according to claim 1, wherein the DLL use program execution unit is notified of the operation. The DLL isolation load program execution unit executes the code in the DLL loaded into the isolation area as a test, and stores in the storage device whether or not a storage area other than the isolation area has been accessed during the execution. ,
When the DLL use program execution unit stores in the storage device that there was no access to a storage area different from the isolation area during the test, the DLL isolation program execution part executes the DLL load. 2. The program execution apparatus according to claim 1, wherein the access restriction unit loads the DLL into a storage area for restricting access instead of instructing the access to the storage area. The access restriction unit restricts a specific operation to a partial storage area of the storage device,
Whether the DLL isolation load program execution unit executes the code in the DLL loaded into the isolation area as a test, and whether the access restriction unit restricted a specific operation during the execution. Memorize in the storage device,
When the DLL use program execution unit stores in the storage device that the access restriction unit has not performed the operation to the storage area that restricts the specific operation during the test, the DLL use program execution unit loads the DLL. 2. The program execution device according to claim 1, wherein instead of instructing the DLL isolation load program execution unit, the access restriction unit loads the DLL into a storage area where access is restricted.   The isolated DLL communication unit included in the DLL using program execution unit and the DLL isolated load program execution unit shares a specific storage area of the storage device as a shared memory area, and uses the shared memory area when communicating with each other. The program execution device according to claim 1. A DLL use program execution unit that executes a DLL use program that uses a DLL (dynamic link library) including a code that implements a specific function by a processing device;
An access restriction unit for restricting access by a processing device other than the DLL use program execution unit to a storage area of a storage device accessed by the DLL use program execution unit during execution of the DLL use program;
A computer comprising a DLL isolation load program execution unit for executing a DLL isolation load program for loading the DLL into an isolation area which is a storage area different from the storage area where the access restriction unit restricts access is executed by a processing device. A program execution method,
The DLL use program execution unit and the DLL isolation load program execution unit have an isolation DLL communication unit that communicates with each other,
The program execution method includes:
The DLL using program execution unit directing the DLL isolation load program execution unit to load the DLL via the isolation DLL communication unit;
The DLL isolation load program execution unit loading the DLL into the isolation region according to an instruction from the DLL use program execution unit;
The DLL using program execution unit instructs the DLL isolation load program execution unit to call a function implemented by a code in the DLL loaded into the isolation region via the isolation DLL communication unit;
The DLL isolation load program execution unit executes the code in the DLL loaded into the isolation region in accordance with an instruction from the DLL usage program execution unit, and the execution result is transmitted to the DLL usage program via the isolation DLL communication unit. And a step of notifying the execution unit.

Images