JP4765812B2 - Information processing system, client device, program, and file access control method - Google Patents

Description

  The present invention relates to an information processing system, a client device, a program, and a file access control method, and in particular, prevents leakage of confidential documents spread from a management server to the client device by using a security virtual machine that is dynamically distributed. The present invention relates to an information processing system, a client device, a program, and a file access control method.

  Currently, most companies have an information processing infrastructure called an intranet for the purpose of sharing information within the company. An intranet is a collection of any number of servers and clients, both of which are computer systems. Each company stores confidential document files useful for corporate activities on a server, and edits and browses a single file from a single client or a plurality of clients.

  When a person in a company edits a file using a client device, the file is often copied independently and stored in a storage device in the client device in order to save the trouble of accessing the server. In this way, the confidential document file spreads from the server and gradually becomes unevenly distributed in the intranet, which causes information leakage. In addition, due to the Personal Information Protection Law enforced in April 2005, attention is focused on measures for leakage of personal information.

  As a technique for solving such a problem of preventing leakage of confidential information in a client device, a user computer monitors a system call from a program or data flowing through a communication path, and accesses an access command (call) of data to be monitored. ) Is performed, and a data monitoring method is disclosed in which access and transmission are prohibited when the process ID and transmission source address of the command source are not registered as status information (see Patent Document 1).

  Further, as another technique for solving the above-described problem, a document input from the document client device and stored in the database of the document management server is stored in the document management client device according to the confidential level designated by the creator of the document, Alternatively, a technique for encryption and decryption by a document management server is disclosed (see Patent Document 2).

  In this technology, when the input means obtains a document to be registered in the document management client device, the document creator and the confidential level are acquired, and an encryption key corresponding to the acquired confidential level is registered in the key management table for each user. If so, the document is encrypted and transmitted to the document management server. If the encryption key is not registered in the key management table, it is transmitted to the document management server without being encrypted. If the encryption flag is OFF after the document management server receives the document, it is encrypted and stored in the database.

JP 2005-275669 A JP 2002-288161 A

  However, the technique disclosed in Patent Document 1 has a first problem that a client device needs to have a program necessary for monitoring in advance. Further, since there is no mechanism for confirming whether or not the program is being monitored on the display device, there is a second problem that it is difficult for the user (operator) of the client device to grasp the processing contents performed by the device.

  Further, in the technique of Patent Document 2, when a document at a confidential level is transmitted to the document management server, it is not encrypted unconditionally and there is a possibility that secret information is leaked on the communication path. There is a third problem.

  In addition, in order to prevent leakage of confidential information in the client device, a program dedicated to browsing / editing confidential documents dedicated to the leakage prevention environment or a program written in a specific language that can be interpreted and executed by a browser interpreter In this case, the existing program for viewing and editing documents cannot be used, but another problem arises in that a dedicated viewing and editing program must be prepared separately.

  An object of the present invention is to provide an information processing system, a client device, a program, and a file access control method that solve the above-described problems and avoid the above-described another problem.

  The first information processing system of the present invention is an information processing system in which a client device and a web server device are connected via a communication network, and the web server device secures a system call content related to file access performed by a program to secure content. A security virtual machine module to be modified and a module for expanding the security virtual module are stored in the storage unit as a security module, and the security module is distributed upon request, and the client device loads the security module. And means for interpreting the module to be deployed, installing a security virtual machine module in its own device to generate a security virtual machine, and starting the security virtual machine, the security virtual machine Means for interposing itself between the program and the operating system when a program for accessing a file through a communication network is started, and for interposing itself for any program started by the intervening program; Means for modifying the contents of a system call relating to file access issued by the program to secure contents and passing them to the operating system.

  The second information processing system of the present invention is the first information processing system, wherein the security virtual machine operates on the security virtual machine the contents of the system call displayed by the program. Means for changing the system call to a display to which a symbol indicating that the program is added is added.

  A third information processing system according to the present invention is the second information processing system, wherein the security module includes one or more sets of encryption and decryption modules, and these modules are also targeted for deployment, and the client The device deployment means installs and activates the security virtual machine module and the encryption / decryption module in its own device, and sends a system call issued when accessing information on the communication network to the information as a communication path. Means for changing to a system call that is handled by being encrypted and decrypted by the encryption and decryption module at the time of input / output.

  The fourth information processing system of the present invention is the third information processing system, wherein when the security virtual machine issues a system call instructing the storage of a file in a storage device, the system call Means for encrypting the contents of the stored file into a system call that encrypts the stored file information using one of the one or more encryption and decryption modules and stores it as a temporary file.

  A fifth information processing system according to the present invention is the third or fourth information processing system, wherein the information processing system is connected to the client device via the communication network and stores a confidential file. And the server device decrypts the encryption / decryption module corresponding to or corresponding to the encryption / decryption module and the access request designation information from the client device, and the request designation information is secret. If a file is to be acquired, the secret file is encrypted by the encryption / decryption module and sent back.

  A sixth information processing system according to the present invention is the fifth information processing system, wherein the information processing system is connected to the client device via the communication network and has a policy for handling the secret file. A server device that stores one or more defined policy definition information, wherein the server device is the same as or corresponding to the encryption and decryption module, and an access request from the client device Means for decrypting the designation information, and if the request designation information is policy definition file acquisition, the means for encrypting and returning the policy definition information with the encryption and decryption module; Policy in a secure manner, i.e. by communication using the encryption and decryption modules. It means for instructing the definition information acquired in accordance with the content of the acquired policy definition information comprises means for performing modifications of the system call.

  The seventh information processing system of the present invention is the sixth information processing system, wherein the information processing system is connected to the client device via the communication network, and identifies each user for the user of the secret file. Including a server device that stores an authentication database including identification information of the policy definition information applied to the information, password, and the user, and the client device specifies a request designation when accessing the confidential file or policy definition information. A server apparatus having a means for transmitting a user identification and a password, and storing the authentication database together with the user identification and password when the server apparatus storing the confidential file receives access from the client apparatus Means for requesting authentication and means for processing the request according to the authentication result. When the server device storing the policy definition information receives access from the client device, the server device storing the authentication database is requested to authenticate the server device with the user identification and password, and specified if authenticated. The server apparatus for reading the policy definition information, encrypting it and sending it back, and storing the authentication database, receives the authentication request and checks whether the received user identification and password combination is registered in the authentication database. If it is an inquiry from a server device that confirms and returns an authentication result and stores the policy definition information, it also has means for returning policy definition information designation information upon authentication.

  The first client device of the present invention accesses a web server device connected via a communication network, and installs a security module in which a security virtual machine module that associates a system call content related to file access into secure content and an expansion module are associated with each other. Loading means; interpreting the deployment module; installing a security virtual machine module on the apparatus; generating a security virtual machine; and launching the security virtual machine, the security virtual machine comprising a communication network Means for interposing itself between the program and the operating system when a program for accessing a file through the system is started, and for any program started by the intervening program, Grams has a means for passing the contents of the system call for file access modified operating system in a secure content to be issued.

  The second client device according to the present invention is the first client device, wherein the security virtual machine operates on the security virtual machine the contents of the displayed system call issued by the program. Means for changing to a system call of display to which a symbol indicating a program is added is provided.

  The third client device of the present invention is the second client device, wherein the security module includes one or more encryption and decryption modules, and the expansion means includes the security virtual machine module and the encryption And the decryption module is installed and activated on its own device, and the security virtual machine encrypts the system call issued when accessing the file through the communication network when inputting / outputting information to / from the communication path. And a means for modifying the system call to be handled after being encrypted and decrypted by the decryption module.

  The fourth client device of the present invention is the third client device, and when the security virtual machine issues a system call instructing the program to store a file in a storage device, the contents of the system call Is encrypted using one of the one or more encryption and decryption modules, and is converted into a system call for storing as a temporary file.

  A fifth client device according to the present invention is the third or fourth client device, wherein when the security virtual machine is started, communication using the encryption and decryption module is performed with respect to an operating system. Accordingly, there is provided means for instructing acquisition of policy definition information that defines handling of a file accessed through a communication network, and means for controlling modification of the system call according to the content of the acquired policy definition information.

  The first program of the present invention interposes itself between the program and the operating system when a program that accesses a file through a communication network is started, and also for any program that starts the interposed program, Similarly, a procedure for interposing itself and a procedure for changing the contents of a display system call issued by the program to a display system call to which a symbol indicating that the program is operating on the security virtual machine is added And a procedure for changing the contents of the system call related to file access issued by the program to secure contents and passing them to the operating system.

  A second program of the present invention is the first program, wherein a system call issued when accessing a file through a communication network is stored as information as a procedure for modifying the system call related to the file access. Causes the computer to execute a procedure for changing to a system call handled by encryption and decryption when input / output to / from the communication path.

  The third program according to the present invention is the second program, wherein as a procedure for modifying the system call related to the file access, a system call for instructing storage of the file in the storage device is further transferred to the file information. The computer is caused to execute a procedure for encryption and modification to a system call stored as a temporary file.

  A fourth program of the present invention is the second or third program, and when activated, a server device connected via a communication network uses encrypted communication to access a file accessed through the communication network. A computer is caused to execute a procedure for instructing acquisition of policy definition information for which handling is defined, and a procedure for controlling modification of a system call relating to the file access according to the contents of the acquired policy definition information.

  A first file access control method of the present invention is a method for controlling file access of a client device, which accesses a web server device connected via a communication network and modifies the content of a system call related to file access to secure content. To load a security module in which a security virtual machine module and a deployment module are associated with each other, interpret the deployment module, install the security virtual machine module on its own device, generate a security virtual machine, and install the security virtual machine When a program for accessing a file through a communication network is started by the deployment procedure to be started and the control of the security virtual machine, the security virtual machine is interposed between the program and the operating system, Similarly, for any program that is started by an intervening program, the procedure that intervenes the security virtual machine and the contents of the display system call issued by the program must be a program operating on the security virtual machine. And a procedure for modifying the system call related to file access issued by the program to a secure content and passing it to the operating system.

  The second file access control method of the present invention is the first file access control method, wherein the security module includes one or more sets of encryption and decryption modules, and the deployment procedure is a security virtual machine module. And installing the encryption / decryption module in its own device, and as a procedure for modifying the system call relating to the file access, the system call issued when accessing the file through the communication network, And a procedure for changing to a system call handled by encryption and decryption when input / output to / from.

  A third file access control method according to the present invention is the second file access control method, wherein the system further instructs to store the file in a storage device as a procedure for modifying the system call related to the file access. It has a procedure for changing a call into a system call that encrypts file information and stores it as a temporary file.

  A fourth file access control method according to the present invention is the second or third file access control method, wherein encrypted communication is used from a device connected through a communication network under the control of the security virtual machine. A procedure for instructing to acquire policy definition information, and a procedure for controlling modification of a system call related to the file access according to the content of the acquired policy definition information.

  According to the present invention, a security virtual machine that improves security when a client device accesses a file through a communication network or stores a file in a storage device is distributed through the communication network. A program that accesses a file through the network is operated on itself, a program that the program calls is also operated on itself, and a system call issued by these programs is used for file access through the communication network and subsequent storage devices. In order to support normal storage, the contents are modified, so there is no need for the client device to have its own security improvement program or tool, and without limiting the program that handles files, Has the effect of preventing file leakage and spread That.

  Next, the best mode for carrying out the present invention will be described in detail with reference to the drawings. FIG. 1 is a block diagram showing the overall configuration of the information processing system of the present invention. Referring to FIG. 1, the information processing system according to the present invention includes a client device 101, a confidential document server 301, a policy distribution server 401, a VM distribution server 501, an authentication server 601, and a communication network 201 that connects and communicates with each other. Has been.

  The configuration is not limited to the number of client devices 101 but may include a plurality of the servers. The communication network 201 is a communication network such as the Internet or an intranet.

  The client device 101 is a device that operates under program control, such as a workstation or a personal computer, and includes a storage device 106 such as a hard disk, a CPU (not shown), and a main memory.

  In the memory, an operating system 110, a program 102 running on the operating system 110, and a WWW browser 109 (World Wide Web browser) are expanded.

  An input device 112 such as a keyboard and a display device 111 such as a display are connected to the client device 101 through signal lines, and data can be input and output through the operating system 110. The communication network 201 is also connected through an Ethernet (registered trademark) card (not shown) standardized by IEEE 802.3.

  The program 102 is a program capable of creating and editing a document, and includes an existing program having these functions. An arbitrary number of temporary files 107 and normal files 108 exist in the storage device 106.

  Whether or not the file on the storage device 106 can be accessed is determined according to FIG. 4 based on whether or not it is a program operating on the VM 104 (security virtual machine). When the program running on the VM 104 writes data as a normal file 108, the encryption / decryption means (A) 103 encrypts the written content and writes it as a temporary file 107. When the program reads the temporary file, the read / decryption means (A) 103 decrypts the read contents.

  When the program running on the VM 104 performs communication via the communication network 201, the content is encrypted / decrypted by the encryption / decryption means (B) 105, such as IPSec (Security Architecture for Internet Protocol) or SSL (Security Socket Layer). Encrypt and decrypt based on the standard of

  Next, the confidential document server 301, policy distribution server 401, VM distribution server 501, and authentication server 601 will be described. These servers are information processing apparatuses that include a CPU and a main memory (not shown) and operate under program control.

  In the confidential document server 301, an arbitrary number of confidential document files 304 including confidential information are stored in a storage device 303 such as a hard disk. Examples of the confidential document file 304 include a word processor document and a spreadsheet document.

  The policy distribution server 401 stores one or more policy definition files 404 in a storage device 403 such as a hard disk. These are files in which security policies are defined for handling the confidential document file 304, and different files are used for each user who operates the client apparatus 101. The name (designation information) of the policy definition file used by each user is prepared in advance in a table in the authentication DB 603 (authentication database).

  Both the confidential document server 301 and the policy distribution server 401 are provided with an Ethernet (registered trademark) card of the same standard as that of the client apparatus 101, and can communicate via the communication network 201. In communication, similar to the client device 101, the encryption / decryption means (C) 302 and the encryption / decryption means (D) 402 encrypt the transmission information and decrypt the reception information.

  The VM distribution server 501 is constructed by a WWW server or the like, and includes a VM file 503 in a storage device 502 such as a hard disk. This server can be accessed via the WWW browser 109 at any time, and the VM file 503 can be downloaded.

  The VM file 503 is obtained by consolidating the VM 104, the encryption / decryption unit (A) 103, the encryption / decryption unit (B) 105, and a program having a function of developing them into the client apparatus 101 as a single package. is there.

  The program is configured as a program that closely cooperates with a WWW browser such as ActiveX (registered trademark of Microsoft Corporation).

  The VM 104 deployed on the client apparatus 101 can operate the program 102 on itself, but has a function of modifying a system call issued by the program 102 to the operating system 110 according to the contents of the policy definition file 404. .

  The authentication server 601 is constructed by a relational database server or the like, and includes an authentication DB 603. FIG. 5 is a diagram showing an example of the contents of the authentication DB 603. The authentication DB 603 has a single table, and the table includes an arbitrary number of rows corresponding to the number of users. The contents of the line include the user ID, password, and name of the policy definition file used by the user.

  The authentication server 601 always accepts access from the confidential document server 301 and the policy distribution server 401. When both servers use a query described in SQL (Structured Query Language) and ask whether the authentication DB 603 contains specific contents, the search result is returned.

  Further, the administrator of the information processing system can modify any row in the authentication DB 603 using the WWW browser 109.

  Next, the operation of each component will be described. Upon receiving a user operation instruction, the WWW browser 109 accesses the VM distribution server 501 and downloads the VM file 503 through the communication network 201. When the VM file 503 is downloaded, the WWW browser 109 interprets the program having the function to be expanded and sends the encryption / decryption means (A) 103, the encryption / decryption means (B) 105, and the VM 104 to the client apparatus 101. Deploy (install). Further, the VM 104 is activated.

  Next, the initialization function in the VM 104 runs on the operating system 110, accesses the policy distribution server 401, and acquires the policy definition file 404. In the communication path used for acquisition, the encryption / decryption means (B) 105 and the encryption / decryption means (D) 402 use the authentication information (for example, the ID and password of the user who operates the client) as a key. Encrypt / decrypt the acquisition request information and the policy definition file 404 that responds.

  The policy distribution server 401 uses the authentication server 601 to confirm that the operation is an acquisition operation from a client operated by a legitimate user. Upon receiving the confirmation query, the authentication server 601 determines whether the authentication information stored in the authentication DB 603 (authentication database) matches the transmitted user ID (identification) and password combination. return.

  The VM 104 requests the operating system 110 to start a WWW browser when the acquisition of the policy definition file 404 is completed. Alternatively, a message is displayed to prompt the user to start. Here, the WWW browser is a typical example of a program for accessing a file through a communication network.

  If the WWW browser 109 has already been activated, the operating system 110 prepares a WWW browser (# 2), that is, a WWW browser instance # 2, and a system call program that is locally used exclusively by the WWW browser 109.

  The VM 104 changes the call destination of the system call program to the VM 104. Alternatively, the operating system 110 is requested to change the call destination. Further, system call parameters may also be relayed.

  As a result, the program 102 (WWW browser (# 2)) issues a system call to the VM 104. Thereafter, when starting (calling) the program 102 ′ from the program 102, since the VM 104 relays the activation request system call, the call destination of the dedicated system call program corresponding to the program 102 ′ is also changed to the VM 104. . Therefore, the VM 104 also interposes itself between the program 102 ′ and the operating system 110.

  Therefore, as shown in FIG. 2, not only the program 102 started after the VM 104 is started, but also other programs started from the program 102 operating on the VM 104 (operating on the VM 104). Similarly, the program 102 ′ also includes the VM 104 (operates on the VM 104). Thereafter, the VM 104 is interposed between these programs and the operating system 110 for all programs started from the program 102 ′ and its descendants.

  The VM 104 once inspects the system call sent by the program 102 and sends it to the operating system 110 without modification unless it is a system call for file access or program screen display.

  If it is a system call related to file access, the content of the system call is changed to a secure (safe) content according to the policy definition file 404 and then transmitted to the operating system 110.

  A related system call that does not correspond to the application condition of the policy definition file 404 is transmitted to the operating system 110 as it is.

  The program 102 (WWW browser (# 2)) and the program 102 ′ cannot send a system call to the operating system 110 without passing through the VM 104.

  The system call includes input / output to / from the storage device 106 and the display device 111. The modification method will be described for each system call issued by the program operating on the VM 104.

  If the system call is input / output to / from the storage device 106, as shown in FIG. 4, access control to the file is performed depending on whether the program 102 is operating on the VM 104 or not. A system call that performs input / output to an area that the program 102 cannot access unconditionally fails. At the same time, in the case of input / output to / from the storage device intended for a temporary file, encryption / decryption means (A) 103 performs encryption / decryption processing.

  If the system call is an output to the display device 111, in addition to the output to the original display device, an output of a symbol that allows the user to visually determine that it is operating on the VM 104 using the display device is also possible. Do it at the same time. For example, as shown in FIG. 3, a display 701 of a program operating on the VM 104 is added with a symbol 703 compared to a display 702 of a program not operating on the VM 104.

  If the system call is input / output to / from the communication network 201, access control is performed based on the policy definition file 404 when the program 102 is operating on the VM 104. I / O to servers other than those permitted in the policy definition file fails. Further, even in the case of communication to the permitted server, the communication contents are encrypted by the encryption / decryption means (B) 105 in order to prevent eavesdropping on the communication path. Authentication information is used as a key at this time.

  In addition, since input / output to / from the printing apparatus and other programs corresponds to the system call, it is appropriately controlled.

  Next, the explanation of the confidential document server 301 will be supplemented. When the server accepts communication from the program 102 operating on the VM 104, the encryption / decryption means (C) 302 decrypts the communication contents. Each time there is a communication request from each client apparatus 101, the confidential document server 301 inquires a key, that is, authentication information, from the authentication server 601 and decrypts subsequent communication contents. Only when the decryption is successful, the access to the confidential document file 304 is permitted. If decryption fails, access is denied.

  Next, the description of the policy distribution server 401 will be supplemented. The communication path is decrypted using the encryption / decryption means (D) 402 by the same procedure as the confidential document server 301. The policy definition file that can be accessed differs for each user ID, and which file is used is preset in the authentication DB 603 in the authentication server 601.

  Next, the operation of the best mode for carrying out the present invention will be described with reference to the drawings. As a first operation example, a case where the spreadsheet software is operated on the VM 104 and the confidential document file 304 is browsed / edited will be described with reference to the sequence charts of FIGS.

  A client device 101 receives a user instruction at an arbitrary time, and the WWW browser 109 issues a download request to the VM distribution server 501 (step S1). The VM distribution server 501 returns the VM file 503 (step S2).

  The WWW browser 109 expands the downloaded encryption / decryption means (A) 103, VM 104, and encryption / decryption means (B) 105 on the client device 101 (step S3).

  The VM 104 is activated, and this acquires the policy definition file 404 from the policy distribution server 401. Prior to the acquisition, the user is asked for authentication information using the display device 111, inputs an ID and a password, and is transmitted together with a policy definition file request (step S4).

  The policy distribution server 401 that has received the authentication information asks the authentication server 601 whether or not it is authentic (step S5). The authentication server 601 checks the authentication DB 603 and returns whether or not there is a row in which both the ID and password input by the user match in any row of the table stored in the authentication DB 603. Only when there is a matching line, it is considered that the authentication has succeeded, and the policy definition file name described in the line is also returned (step S6).

  If the authentication is successful, the received information is decrypted by the encryption / decryption means (D) 402 using the authentication information as a key (step S7), and in response to the policy definition file request, the policy definition file with the received file name is read out. Is encrypted by the encryption / decryption means (D) 402 and returned (step S8). If the authentication is not successful, the policy definition file 404 cannot be acquired, and the subsequent processing cannot be continued. The received policy definition file is decrypted by the encryption / decryption means (B) 105 (step S9).

  Next, the VM 104 activates the program 102 (WWW browser (# 2)) as a program operating on the VM 104 (step S10). It is assumed that the respective WWW browsers are sparse from each other and the information to be held is not mixed.

  Further, a symbol 703 (for example, icon, text, flag, watermark, etc.) shown in FIG. 3 is added and displayed on the program 102 running on the VM 104 by modifying the system call by the VM 104 (step S11). ). Thereby, the user can confirm that the program 102 (WWW browser (# 2)) is operating in the secure mode.

  Upon receiving an instruction from the user, the program 102 requests acquisition of the confidential document file 304 of the confidential document server 301 (step S12). At this time, the VM 104 modifies the system call and encrypts the request contents to be sent to the communication path until reaching the confidential document server 301 by the encryption / decryption means (B) 105 using the authentication information (step S13). ). The confidential document server 301 asks the authentication server 601 whether the received authentication information is registered (step S14), receives the result (step S15), and decrypts the request information if the authentication is successful (step S16).

  The requested confidential document file 304 is similarly encrypted using the authentication information and transmitted (step S17). The information returned from the client device 101 is decrypted by the encryption / decryption means (B) 105 (step S18).

  The program 102 stores the acquired confidential document file 304 in the storage device 106 as a temporary file 107. At this time, the VM 104 encrypts the temporary file 107 by the encryption / decryption means (A) 103 by modifying the system call parameters according to FIG. 4 (step S19).

  At the same time, the program 102 activates a browsing / editing program corresponding to the confidential document file 304. As shown in FIG. 2, the browsing / editing program started from the program 102 also operates on the VM 104 (step S20).

  The user handles the confidential document file 304 using the activated browsing / editing program. Even if the user attempts to save the file as a normal file 108, the browsing / editing program is running on the VM 104, so that the user encrypts it according to FIG. In other words, file writing when operating on the VM 104 is defined (permitted) only as “encrypt and write as a temporary file” (step S21).

  When the content of the confidential document file 304 is sent to the server permitted by the policy definition file 404 through the communication network 201, the content is encrypted by the encryption / decryption means (B) 105 (step S22). Accordingly, the content transmitted cannot be decrypted by a device other than the confidential document server 301 or the policy distribution server 401 that has the encryption / decryption means (C) 302 or the encryption / decryption means (D) 402 corresponding to this. Further, the temporary file 107 is deleted when all the programs operating on the VM 104 are not finished. In this way, leakage of confidential documents is prevented.

  As a second operation example, an example in which a confidential document file 304 cannot be acquired even when a program not operating on the VM 104 accesses the confidential document server 301 will be described.

  Since the program not running on the VM 104 cannot use the encryption / decryption means (B) 105, the data flowing in the communication path is plain text. When plaintext is decrypted by the encryption / decryption means (C) 302 on the confidential document server 301, the data cannot be interpreted by the server. As a result, the program cannot request the confidential document file 304 because the request that cannot be interpreted cannot be processed. In this way, leakage of secret documents is prevented also in the second operation example.

  As described above, in the description of the embodiment of the present invention, the information processing system includes an example in which each of the VM distribution server 501, the confidential document server 301, the policy distribution server 401, and the authentication server 601 is configured by a dedicated server device. However, the configuration may be such that one or two server devices are provided with the four servers (service processing functions).

  Further, the mode in which the policy distribution server 401 is connected to the client apparatus 101 by communication has been described. However, when a policy is not determined for each user of the confidential document server 301, by including a common definition in the VM file 503, etc. The policy distribution server 401 may not be included in the information processing system.

  Further, the contents of the authentication DB 603 may be a user ID and a password, and the confidential document server 301 may have the contents, and the authentication server 601 may not be included in the information processing system.

  As described above, according to the present invention, when a program operating on the VM 104 performs remote file access, it is changed to a system call that performs encryption of information sent to the communication path and decryption of received information. Leakage on the road is suppressed.

  Further, when a program operating on the VM 104 stores file information in a storage device, the file information is encrypted and stored as a temporary file, not as a normal file. Is suppressed.

  Further, since a symbol indicating that the program is operating on the VM 104 is additionally displayed, the user (operator) can grasp the processing content (security level).

1 is a block diagram showing an overall configuration of an information processing system of the present invention. In this invention, it is the figure which showed a mode that the program (program intervened in VM104) which operate | moves on VM104 derives. In the present invention, (1) is a diagram showing a display of a program not running on the VM 104, and (2) is a diagram showing a display example of a program running on the VM 104. It is the figure which showed the kind and form of file access operation according to program operation environment of this invention. It is the figure which showed the example of the content of authentication DB603 of this invention. It is the sequence chart which showed the 1st operation example of the information processing system of this invention. It is the sequence chart which showed the 1st operation example of the information processing system of this invention.

Explanation of symbols

101 Client device 102, 102 'Program 103 Encryption / decryption means (A)
104 VM
105 Encryption / Decryption Means (B)
106 Storage Device 107 Temporary File 108 Normal File 109 WWW Browser 110 Operating System 111 Display Device 112 Input Device 201 Communication Network 301 Confidential Document Server 302 Encryption / Decryption Means (C)
303 Storage Device 304 Confidential Document File 401 Policy Distribution Server 402 Encryption / Decryption Means (D)
403 Storage device 404 Policy definition file 501 VM distribution server 502 Storage device 503 VM file 601 Authentication server 603 Authentication DB

Claims (18)

An information processing system in which a client device and a web server device are connected via a communication network,
The web server device associates a security virtual machine module that modifies system call content related to file access performed by a program into secure content and a module that expands the security virtual machine module in a storage unit, and stores the security module in the storage unit. With means to deliver on demand,
Means for the client device to load the security module;
Interpreting the module to be deployed, generating a security virtual machine by installing a security virtual machine module in its own device, and having a deployment means for starting the security virtual machine;
When the security virtual machine starts a program that accesses a file through a communication network, the security virtual machine interposes itself between the program and the operating system. Means to intervene;
Means for changing the contents of a system call relating to file access issued by the program to secure contents and passing them to the operating system;
Means for changing the content of the display system call issued by the program to a display system call to which a symbol indicating that the program is operating on the security virtual machine is added;
An information processing system comprising: The security module includes one or more encryption / decryption modules, and these modules are also targeted for deployment, and the deployment unit of the client device installs the security virtual machine module and the encryption / decryption module in its own device. To start,
Means for changing a system call issued when accessing information on the communication network into a system call that is encrypted and decrypted by the encryption and decryption module when the information is input / output to / from the communication path The information processing system according to claim 1 . When the security virtual machine issues a system call instructing the program to store a file in a storage device, the contents of the system call are stored in the storage file information in the one or more encryption / decryption modules. 3. The information processing system according to claim 2 , further comprising means for changing to a system call that is encrypted using one module and stored as a temporary file. The information processing system includes a server device connected to the client device via the communication network and storing a confidential file,
The server device decrypts the request specification information for access from the client device and the encryption and decryption module corresponding to or corresponding to the encryption and decryption module, and the request specification information is obtained by acquiring a secret file. if, the information processing system according to claim 2 or 3, characterized in that it comprises means for returning to encrypt the private files in the encryption and decryption modules. The information processing system includes a server device that is connected to the client device via the communication network and stores one or more policy definition information that defines a policy for handling the secret file,
The server device decrypts the encryption / decryption module that is the same as or corresponding to the encryption / decryption module and the access request designation information from the client device, and the request designation information is obtained by obtaining a policy definition file. If there is, means for encrypting and returning policy definition information by the encryption and decryption module,
The security virtual machine is configured to instruct the operating system to acquire policy definition information by a secure method, that is, by communication using the encryption and decryption module, and according to the content of the acquired policy definition information. 5. The information processing system according to claim 4 , further comprising means for modifying a system call. The information processing system includes an authentication database connected to the client device via the communication network and including identification information of each user and a password and identification information of the policy definition information applied to the user of the secret file. Including a server device to store,
The client device has means for transmitting a user identification and a password in addition to request designation when accessing the confidential file and policy definition information,
When the server device storing the confidential file receives access from the client device, the server device storing the authentication database is requested to authenticate with the user identification and password, and a request is made according to the authentication result. Means for processing,
When the server device storing the policy definition information receives an access from the client device, the server device storing the authentication database is requested to authenticate with the user identification and the password, and designated if authenticated. Read out the policy definition information that has been encrypted, and has a means to reply
The server device that stores the authentication database receives the authentication request, checks whether the received combination of user identification and password is registered in the authentication database, returns an authentication result, and stores the policy definition information 6. The information processing system according to claim 5 , further comprising means for returning policy definition information designation information when authentication is made from an apparatus. Means for accessing a web server device connected via a communication network and loading a security module in which a security virtual machine module and a deployment module are associated with each other to change the contents of a system call related to file access to secure contents;
Interpreting the deployment module, installing a security virtual machine module in its own device to generate a security virtual machine, and comprising deployment means for starting the security virtual machine,
When the security virtual machine starts a program that accesses a file through a communication network, the security virtual machine interposes itself between the program and the operating system. Means to intervene;
Means for changing the contents of a system call relating to file access issued by the program to secure contents and passing them to the operating system;
Means for changing the content of the display system call issued by the program to a display system call to which a symbol indicating that the program is operating on the security virtual machine is added;
A client device comprising: The security module includes one or more encryption / decryption modules, and the deployment unit installs and activates the security virtual machine module and the encryption / decryption module in its own device,
A system call issued when the security virtual machine accesses a file through a communication network is handled as a system call that is encrypted and decrypted by the encryption and decryption module when information is input / output to / from a communication path. The client apparatus according to claim 7 , further comprising a modification unit. When the security virtual machine issues a system call instructing the storage of the file to the storage device, the security virtual machine displays the contents of the system call, the file information, and one of the one or more encryption and decryption modules. 9. The client apparatus according to claim 8 , further comprising means for changing to a system call that is encrypted using one module and stored as a temporary file. Means for instructing the operating system to obtain policy definition information defining the handling of a file accessed through a communication network by communication using the encryption and decryption module when the security virtual machine is activated; in accordance with the contents of the acquired policy definition information, the client device according to claim 8 or 9, characterized in that it comprises means for controlling the modification of the system call. When a program that accesses a file through a communication network is started, intervene itself between the program and the operating system, and for any program started by the intervening program, a procedure for interposing itself in the same manner;
A procedure for changing the content of the display system call issued by the program to a display system call to which a symbol indicating that the program is operating on the security virtual machine is added;
A program for causing a computer to execute a procedure of changing a content of a system call related to file access issued by the program to a secure content and passing it to an operating system. The program according to claim 11 , wherein
As a procedure for modifying the system call related to the file access, the system call issued when accessing the file through the communication network is converted into a system call that handles encryption and decryption when inputting / outputting information to / from the communication path. A program for causing a computer to execute a modification procedure. A program according to claim 12 , wherein
As a procedure for modifying the system call related to the file access, the computer further executes a procedure for modifying the system call for instructing storage of the file to the storage device into a system call for encrypting file information and storing it as a temporary file. Program to let you. The program according to claim 12 or 13 ,
When activated, a procedure for instructing to acquire policy definition information that defines the handling of files accessed through the communication network using encrypted communication from a server device connected via the communication network, and the policy definition information acquired A program for causing a computer to execute a procedure for controlling modification of a system call related to file access according to contents. A method for controlling file access of a client device, wherein a security virtual machine module that accesses a web server device connected via a communication network and modifies a system call content related to file access to a secure content is associated with a deployment module The steps to load the security module;
A deployment procedure for interpreting the deployment module, installing a security virtual machine module on its own device to generate a security virtual machine, and starting the security virtual machine;
When a program that accesses a file through a communication network is started under the control of the security virtual machine, a security virtual machine is interposed between the program and an operating system. As well as procedures to intervene security virtual machines,
A procedure for changing the content of the display system call issued by the program to a display system call to which a symbol indicating that the program is operating on the security virtual machine is added;
A file access control method comprising a step of changing contents of a system call relating to file access issued by the program to secure contents and transferring the contents to an operating system. The security module includes one or more encryption / decryption modules, and the deployment procedure installs the security virtual machine module and the encryption / decryption module in its own device,
As a procedure for modifying the system call related to the file access, the system call issued when accessing the file through the communication network is converted into a system call that handles encryption and decryption when inputting / outputting information to / from the communication path. 16. The file access control method according to claim 15 , further comprising a modification procedure. As a procedure for modifying the system call related to the file access, the system call for instructing storage of the file in the storage device further includes a procedure for modifying the system call to encrypt the file information and store it as a temporary file. The file access control method according to claim 16 , wherein: According to the control of the security virtual machine, a procedure for instructing to acquire policy definition information using encrypted communication from a device connected via a communication network, and a system call related to the file access according to the contents of the acquired policy definition information. file access control method according to claim 16 or 17, characterized by having a procedure for controlling the modification.

Images