JPWO2019093059A1 - Threat analyzers, threat analysis methods, and threat analysis programs - Google Patents

Abstract

We provide threat analysis equipment, threat analysis methods, and threat analysis programs that can perform threat analysis on target systems in the conceptual design stage. For the functional application included in the target system, the first acquisition unit 150 that acquires the functional application model information 500 to 900 modeled using the system specification information for defining the system specifications, and the vulnerability included in the case system. Threat of the target system based on the second acquisition unit 160 that acquires the vulnerability model information 1100 to 1300 modeled using the system specification information, the functional application model information 500 to 900, and the vulnerability model information 1100 to 1300. An execution unit 180 for performing analysis is provided.

Description

The present invention relates to a threat analyzer, a threat analysis method, and a threat analysis program.

Conventionally, as a threat analysis method, a threat analysis tool "Microsoft Threat Modeling Tool" (hereinafter referred to as "MS threat analysis tool") announced by Microsoft Corporation in the United States is known (see, for example, Non-Patent Document 1). .. The MS threat analysis tool divides the data flow contained in the system to be analyzed by the interface between organizations, and then extracts the characteristic information of the interaction of the elements at both ends of the data flow. Then, by comparing the threat classification table compiled in advance with the STRIDE classification axis and the extracted characteristic information, it is possible to present the threats that may occur in the system to be analyzed. Here, the STRIDE classification axis is "spoofing" (Spoofing), "tampering" (Tampering), "denial" (Repudiation), "information disclosure" (Information disclosure), "DoS attack" (Denial of service), It is a classification axis composed of each threat of "Elevation of privilege".

"Microsoft Threat Modeling Tool 2016 User Guide" (Microsoft Threat Modeling Tool 2016 User Guide), [online], Microsoft (Microsoft), [Search on October 26, 2017], Internet <URL: https: // www. microsoft.com/en-us/download/details.aspx?id=49168&751be11f-ede8-5a0c-058c-2ee190a24fa6=True&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True&fa43d42b-25b5-4a42-fe9b-1634f450f5

The MS threat analysis tool described above performs threat analysis using the data flow diagram of the system to be analyzed. However, since data flow diagrams are often used in the detailed design stage of system design, it has been difficult for MS threat analysis tools to perform threat analysis on systems in the conceptual design stage.

In addition, as vulnerability case information, most of the vulnerability case information database called CWE (Common Weakness Enumeration) collected and accumulated by MITER Corporation in the United States is open to the public. However, since CWE describes vulnerabilities found in existing systems that are actually in operation, it was difficult to apply CWE to systems in the conceptual design stage for threat analysis.

Therefore, an object of the present invention is to provide a threat analysis device, a threat analysis method, and a threat analysis program capable of performing threat analysis on a target system in the conceptual design stage.

The threat analyzer according to one aspect of the present invention includes a first acquisition unit that acquires functional application model information modeled using system specification information for defining system specifications for a functional application included in a target system. , A threat analysis of the target system is performed based on the second acquisition unit that acquires the vulnerability model information modeled using the system specification information for the vulnerabilities contained in the case system, and the functional application model information and the vulnerability model information. It has an execution unit to perform.

According to this aspect, the functional application model information modeled by using the system specification information is acquired for the functional application included in the target system, and the vulnerability included in the case system is modeled by using the system specification information. Vulnerability model information is acquired. Then, threat analysis of the target system is performed based on the functional application model information and the vulnerability model information. Here, the abstract specification information included in the system specification information can also be obtained in the system at the conceptual design stage. Therefore, by acquiring the functional application model information and the vulnerability model information using the same system specification information, the functional application model information of the target system and the vulnerability model information of the case system can be easily compared. It is possible to perform threat analysis for vulnerabilities that may exist in the system. Therefore, threat analysis can be performed on the target system at the conceptual design stage.

In the above-described embodiment, the vulnerability model information includes information on the attack establishment condition and the attack result, the second acquisition unit acquires a plurality of vulnerability model information, and the functional application model information is a plurality of vulnerability model information. When at least one of the attack conditions is satisfied, an update unit is further provided to update a part of the functional application model information based on the attack establishment condition and the attack result information of the vulnerability model information, and the execution unit is updated. The threat analysis of the target system may be performed based on the function application model information and the plurality of vulnerability model information.

According to this aspect, when the functional application model information satisfies at least one attack condition of the plurality of vulnerability model information, the functional application model information is based on the attack establishment condition and the attack result of the vulnerability model information. Is partly updated. This makes it possible to analyze threats to functional applications that can be connected to the functional application, and to perform threat analysis of the target system against attacks that combine multiple vulnerabilities.

In the above-described embodiment, the target system includes the first functional application and the second functional application capable of communicating with the first functional application, and the first acquisition unit includes the functional application model information of the first functional application and the first. The functional application model information of the two functional applications is acquired, and the execution unit obtains the functional application model information of the first functional application, the functional application model information of the second functional application, and the vulnerability model information of the target system. Threat analysis may be performed.

According to this aspect, the target system is based on the functional application model information of the first functional application, the functional application model information of the second functional application capable of communicating with the first functional application, and the vulnerability model information. Functional analysis is performed. This makes it possible to analyze the possibility of an attack on a combination of two functional applications that can be connected by communication.

In the above-described embodiment, the usage fee calculation unit for calculating the usage fee for the target system for which the threat analysis has been performed may be further provided.

According to this aspect, the usage fee is calculated for the target system for which the threat analysis has been performed. As a result, by charging the service user for the usage fee, a part of the usage fee can be returned (feedback) as a reward to a person other than the service user, for example, an information registrant.

In the above-described embodiment, when the target system includes a vulnerability as a result of threat analysis, a reward calculation unit may be further provided to calculate the reward for the vulnerability model information corresponding to the vulnerability based on the usage fee.

According to this aspect, when the target system contains a vulnerability as a result of threat analysis, the reward for the vulnerability model information corresponding to the vulnerability is calculated based on the usage fee of the target system. As a result, an incentive for registration can be given to the information registrant of the vulnerability model information. Therefore, the cycle of registration and use can be rotated well, and the threat analysis service business can be established as a continuous business.

The threat analysis method according to another aspect of the present invention is the first acquisition step of acquiring the functional application model information modeled by using the system specification information for defining the system specifications for the functional application included in the target system. And, threat analysis of the target system based on the second acquisition step to acquire the vulnerability model information modeled using the system specification information about the vulnerability included in the case system, and the functional application model information and the vulnerability model information. Includes execution steps and.

According to this aspect, the functional application model information modeled by using the system specification information is acquired for the functional application included in the target system, and the vulnerability included in the case system is modeled by using the system specification information. Vulnerability model information is acquired. Then, threat analysis of the target system is performed based on the functional application model information and the vulnerability model information. Here, the abstract specification information included in the system specification information can also be obtained in the system at the conceptual design stage. Therefore, by acquiring the functional application model information and the vulnerability model information using the same system specification information, the functional application model information of the target system and the vulnerability model information of the case system can be easily compared. It is possible to perform threat analysis for vulnerabilities that may exist in the system. Therefore, threat analysis can be performed on the target system at the conceptual design stage.

In the above-described embodiment, the vulnerability model information includes information on the attack establishment condition and the attack result, the second acquisition step acquires a plurality of vulnerability model information, and the functional application model information is a plurality of vulnerability model information. When at least one of the attack conditions is satisfied, the execution step further includes an update step of updating a part of the functional application model information based on the attack establishment condition and the attack result information of the vulnerability model information. It may include performing threat analysis of the target system based on the function application model information and a plurality of vulnerability model information.

According to this aspect, when the functional application model information satisfies at least one attack condition of the plurality of vulnerability model information, the functional application model information is based on the attack establishment condition and the attack result of the vulnerability model information. Is partly updated. This makes it possible to analyze threats to functional applications that can be connected to the functional application, and to perform threat analysis of the target system against attacks that combine multiple vulnerabilities.

In the above aspect, the target system includes the first functional application and the second functional application capable of communicating with the first functional application, and the first acquisition step includes the functional application model information of the first functional application and the first. The functional application model information of the two functional applications is acquired, and the execution step is based on the functional application model information of the first functional application, the functional application model information of the second functional application, and the vulnerability model information of the target system. It may include performing a threat analysis.

According to this aspect, the target system is based on the functional application model information of the first functional application, the functional application model information of the second functional application capable of communicating with the first functional application, and the vulnerability model information. Functional analysis is performed. This makes it possible to analyze the possibility of an attack on a combination of two functional applications that can be connected by communication.

In the above aspect, the usage fee calculation step of calculating the usage fee for the target system for which the threat analysis has been performed may be further included.

According to this aspect, the usage fee is calculated for the target system for which the threat analysis has been performed. As a result, by charging the service user for the usage fee, a part of the usage fee can be returned (feedback) as a reward to a person other than the service user, for example, an information registrant.

In the above aspect, when the target system includes a vulnerability as a result of threat analysis, a reward calculation step of calculating the reward for the vulnerability model information corresponding to the vulnerability based on the usage fee may be further included.

According to this aspect, when the target system contains a vulnerability as a result of threat analysis, the reward for the vulnerability model information corresponding to the vulnerability is calculated based on the usage fee of the target system. As a result, an incentive for registration can be given to the information registrant of the vulnerability model information. Therefore, the cycle of registration and use can be rotated well, and the threat analysis service business can be established as a continuous business.

The threat analysis program according to another aspect of the present invention is a threat analysis program to be executed by a computer, and the functional application included in the target system is modeled by using the system specification information for defining the system specifications. The first acquisition step to acquire the functional application model information, the second acquisition step to acquire the vulnerability model information modeled using the system specification information about the vulnerabilities contained in the case system, and the functional application model information and vulnerabilities. Includes execution steps to perform threat analysis of the target system based on model information.

According to this aspect, the functional application model information modeled by using the system specification information is acquired for the functional application included in the target system, and the vulnerability included in the case system is modeled by using the system specification information. Vulnerability model information is acquired. Then, threat analysis of the target system is performed based on the functional application model information and the vulnerability model information. Here, the abstract specification information included in the system specification information can also be obtained in the system at the conceptual design stage. Therefore, by acquiring the functional application model information and the vulnerability model information using the same system specification information, the functional application model information of the target system and the vulnerability model information of the case system can be easily compared. It is possible to perform threat analysis for vulnerabilities that may exist in the system. Therefore, threat analysis can be performed on the target system at the conceptual design stage.

According to the present invention, it is possible to provide a threat analysis device, a threat analysis method, and a threat analysis program capable of performing threat analysis on a target system in the conceptual design stage.

FIG. 1 is a block diagram showing a physical configuration of the threat analyzer according to the first embodiment of the present invention. FIG. 2 is a block diagram showing a functional configuration of the threat analyzer according to the first embodiment of the present invention. FIG. 3 is a diagram showing system specification information of the connected car system. FIG. 4 is a diagram showing functional block definition information of the connected car system. FIG. 5 is a diagram showing functional application model information of the vehicle electronic control function application. FIG. 6 is a diagram showing functional application model information of the vehicle communication control function application. FIG. 7 is a diagram showing functional application model information of the vehicle information display function application. FIG. 8 is a diagram showing functional application model information of the Web information display function application. FIG. 9 is a diagram showing functional application model information of the Web information server functional application. FIG. 10 is a diagram showing system component relationship information of the connected car system. FIG. 11 is a diagram showing vulnerability model information of [Web server impersonation]. FIG. 12 is a diagram showing vulnerability model information 1200 of [execution of arbitrary shellcode in a Web browser]. FIG. 13 is a diagram showing vulnerability model information 1300 of [authority promotion of Web browser application execution process]. FIG. 14 is a flowchart of the threat analysis process. FIG. 15 is a flowchart of the vulnerable application search process. FIG. 16 is a diagram showing a matching result of vulnerability model information with respect to the functional application model information of the Web information display function application. FIG. 17 is a diagram showing a matching result of vulnerability model information with respect to the functional application model information of the Web information server function application. FIG. 18 is a diagram showing the relationship between the attribute values of the functional application after the vulnerability attack. FIG. 19 is a diagram showing an attack route tree. FIG. 20 is a block diagram showing a physical configuration of the threat analyzer according to the second embodiment of the present invention. FIG. 21 is a block diagram showing a functional configuration of the threat analyzer according to the second embodiment of the present invention. FIG. 22 is a diagram showing a target system management table. FIG. 23 is a diagram showing a vulnerability case information management table. FIG. 24 is a flowchart of the vulnerability case information registration process. FIG. 25 is a flowchart of the threat analysis service management process. FIG. 26 is a flowchart of the billing information management process.

An embodiment of the present invention will be described below. In the description of the drawings below, the same or similar components are represented by the same or similar reference numerals. The drawings are examples, and the dimensions and shapes of each part are schematic, and the technical scope of the present invention should not be limited to the embodiment.

[First Embodiment]
The threat analysis apparatus, the threat analysis method, and the threat analysis program according to the first embodiment of the present invention will be described with reference to FIGS. 1 to 19.

First, the configuration of the threat analyzer 100 will be described with reference to FIGS. 1 and 2. Here, FIG. 1 is a block diagram showing a physical configuration of the threat analyzer 100 according to the first embodiment of the present invention. FIG. 2 is a block diagram showing a functional configuration of the threat analyzer 100 according to the first embodiment of the present invention.

As shown in FIG. 1, the threat analyzer 100 includes a bus 101, a central information processing unit (hereinafter referred to as “CPU”) 102 connected to the bus 101, and an input / output processor (hereinafter referred to as “IOP”) 103. And a main storage device 107. The threat analyzer 100 is, for example, a normal computer used interactively by the user U.

The IOP 103 is connected to a display device 104 and an input device 105 that input / output data exchanged between the user U and the threat analysis device 100. Further, the IOP 103 is connected to the large-capacity secondary storage device 106. Further, the IOP 103 loads and saves data and programs to and from the main storage device 107 as needed.

The main memory 107 includes a threat analysis process S1400, a vulnerability application search process S1500, system design information subject to threat analysis (hereinafter referred to as “target system design information 120”), vulnerability case information 130, and information. The system specification information 140, the threat analysis result information 1900, and the attack route tree 1950 are stored and stored.

The target system design information 120 includes functional block definition information 400, functional application model information 500, 600, 700, 800, 900 (hereinafter referred to as “500 to 900”), and system component relationship information 1000. Consists of.

The function block definition information 400 is for indicating the configuration of the target system and the allocation of functions. Specifically, the functional block definition information 400 describes the hardware and software constituting the target system, such as the hardware hard block of the hardware, the software of the system, for example, an operating system (hereinafter referred to as “OS”), a Web browser, and the like. Information that defines the mutual relationship with applications, etc. The functional block definition information 400 is, for example, information corresponding to a block definition diagram of the system description language Systems Modeling Language (SysML) formulated by OMG (Object Management Group).

The functional application model information 500 to 900 is information modeled by using the system specification information 140 for the functional application included in the target system. The functional application model information 500 to 900 includes various attribute information included in the functional application, such as an execution environment and input / output attributes.

The system component relationship information 1000 is information including the inclusion relationship and the connection relationship between the hard block and the function module described in the function block definition information 400. The system component relationship information 1000 represents the above-mentioned inclusion relationship and connection relationship in, for example, a table format.

The vulnerability case information 130 includes vulnerability model information 1100, 1200, 1300 (hereinafter referred to as “1100 to 1300”).

Vulnerability model information 1100 to 1300 refers to system specification information 140 regarding vulnerabilities contained in an existing system that has a case of being attacked by a vulnerability (hereinafter referred to as "case system"). Information modeled using. Vulnerability model information 1100 to 1300 includes various attribute information included in each vulnerability, such as attack establishment conditions and attack results.

The system specification information 140 is for creating functional application model information 500 to 900 and vulnerability model information 1100 to 1300. The system specification information 140 is abstract information for defining the system specifications.

The threat analysis process S1400 and the vulnerable application search process S1500 are processes for performing threat analysis of a target system (hereinafter, referred to as “target system”). The threat analysis process S1400 and the vulnerability application search process S1500 use the target system design information 120 and the vulnerability case information 130 to output the threat analysis result information 1900 and the attack route tree as processing results.

As shown in FIG. 2, the threat analysis device 100 includes a first acquisition unit 150, a second acquisition unit 160, an update unit 170, and an execution unit 180 as its functional configuration.

The first acquisition unit 150 is configured to acquire the functional application model information 500 to 900 for the functional application included in the target system. When the target system includes a plurality of functional applications, the first acquisition unit 150 acquires the functional application model information 500 to 900 corresponding to each functional application. Further, the first acquisition unit 150 may be configured to acquire all of the target system design information 120 including the functional application model information 500 to 900.

The first acquisition unit 150 can be composed of, for example, the bus 101, the CPU 102, the IOP 103, the input device 105, the secondary storage device 106, and the main storage device 107 shown in FIG.

The second acquisition unit 160 is configured to acquire vulnerability model information 1100 to 1300 for the vulnerability included in the case system. The second acquisition unit 160 acquires vulnerability model information 1100 to 1300 corresponding to each vulnerability when there are a plurality of case systems, the case system includes a plurality of vulnerabilities, or both. Further, the second acquisition unit 160 may be configured to acquire all of the vulnerability case information 130 including the vulnerability model information 1100 to 1300.

The second acquisition unit 160 can be composed of, for example, the bus 101, the CPU 102, the IOP 103, the input device 105, the secondary storage device 106, and the main storage device 107 shown in FIG.

The update unit 170 is for updating the functional application model information 500 to 900. Specifically, the update unit 170 sets the attack establishment condition of the vulnerability model information when one of the functional application model information 500 to 900 satisfies the attack establishment condition included in one of the vulnerability model information 1100-1300. And, based on the attack result, a part of the relevant functional application model information that satisfies the attack establishment condition is updated.

The update unit 170 can be composed of, for example, the bus 101, the CPU 102, and the main storage device 107 shown in FIG.

The execution unit 180 is for performing threat analysis of the target system. Specifically, the execution unit 180 is configured to perform threat analysis of the target system based on the functional application model information 500 to 900 and the vulnerability model information 1100 to 1300. Further, the execution unit 180 is configured to perform all the processing executed by the threat analysis device 100.

When the update unit 170 updates a part of the functional application model information satisfying the attack establishment condition, the execution unit 180 updates the target system based on the updated functional application model information and vulnerability model information 1100 to 1300. It is configured to perform threat analysis of.

Further, the execution unit 180 is one when the plurality of functional application model information 500 to 900 includes one functional application model information and other functional application model information that can be communicated with the one functional application model information. It is configured to perform threat analysis of the target system based on the functional application model information, other functional application model information, and the vulnerability model information 1100 to 1300. One functional application model information corresponds to an example of the "first functional application model information" of the present invention, and the other functional application model information corresponds to an example of the "second functional application model information" of the present invention.

The execution unit 180 can be composed of, for example, the bus 101, the CPU 102, the display device 104, and the main storage device 107 shown in FIG.

In the following description, the target system is a so-called connected car system (hereinafter referred to as "connected car system"), which is typified by an electric vehicle manufactured by Tesla Motors of the United States and is capable of connecting to the Internet and frequently using electronic control. ”) As an example.

Next, the system specification information 140 used in the threat analyzer 100 will be described with reference to FIG. FIG. 3 is a diagram showing system specification information 140 of the connected car system.

As shown in FIG. 3, the system specification information 140 includes the "functional application name" of the item number "1", the "functional application type" of the item number "2", the "mounting unit name" of the item number "3", and the item. "Execution condition" of number "4", "number of inputs n" of item number "5" (n is a positive integer), "first input to nth input" of item number "6", item number "7" "Number of outputs m" (m is a positive integer), "1st output to mth output" of item number "8", "operation order" of item number "9", and "function" of item number "10" , ”, Is roughly divided into each main attribute. The "execution condition" of the item number "4", the "first input to the nth input" of the item number "6", and the "first output to the mth output" of the item number "8" each have a plurality of sub-attributes. Includes.

The names of the respective attributes and the contents of the attribute values are as shown in FIG. Here, only the attributes that play an important role in the threat analysis process S1400 and the vulnerable application search process S1500, which will be described later, will be described, and the description of the other attributes will be omitted.

The “execution condition” in item number “4” indicates the software environment required to execute the functional application. Even functional applications with the same functions may have different vulnerabilities and types of vulnerabilities that are affected if the OS required for execution is different. Therefore, information on the software environment is important information for determining vulnerabilities in functional applications.

The "1st input to nth input" of the item number "6" and the "1st output to the mth output" of the item number "8" are channels for the functional application to exchange information with the outside, and are attacked. On the contrary, it can be a route to attack, so it is important information in determining vulnerability. The "first input to nth input" of item number "6" and the "first output to mth output" of item number "8" are authority checks indicating the communication path, communication protocol, and the presence or absence of access control, respectively. , Communication content, etc. are described as attribute values.

As described above, the system specification information 140 is abstract information for defining the system specifications. Using this system specification information 140, the functional application included in the target system is modeled and the functional application model information 500 to 900 is created.

Here, when the target system is in the conceptual design stage, it is assumed that the specifications of the target system can be defined only abstractly. On the other hand, the abstract specification information included in the system specification information 140 can also be obtained by the system at the conceptual design stage. Therefore, even if the target system is in the conceptual design stage, it is possible to acquire the functional application model information 500 to 900 modeled by using the system specification information 140 for the functional application included in the target system.

Similarly, for the vulnerability included in the case system, the modeled vulnerability model information 1100 to 1300 is acquired by using the system specification information 140. In this way, by acquiring the functional application model information 500 to 900 and the vulnerability model information 1100 to 1300 using the same system specification information 140, the functional application model information 500 to 900 of the target system and the vulnerability model of the case system are acquired. Information 1100 to 1300 can be easily compared, and threat analysis for vulnerabilities that may exist in the target system can be performed. Therefore, threat analysis can be performed on the target system at the conceptual design stage.

Next, the target system design information 120 used in the threat analyzer 100 will be described with reference to FIGS. 4 to 10. FIG. 4 is a diagram showing functional block definition information 400 of the connected car system. FIG. 5 is a diagram showing functional application model information 500 of the vehicle electronic control function application 417. FIG. 6 is a diagram showing functional application model information 600 of the vehicle communication control function application 428. FIG. 7 is a diagram showing the functional application model information 700 of the vehicle information display function application 439a. FIG. 8 is a diagram showing the functional application model information 800 of the Web information display function application 439b. FIG. 9 is a diagram showing the functional application model information 900 of the Web information server functional application 449. FIG. 10 is a diagram showing system component relationship information 1000 of the connected car system.

As shown in FIG. 4, the functional block definition information 400 of the connected car system is a hardware block, that is, a vehicle electronic control unit (ECU) 410, a vehicle communication gateway (GW) 420, a console display (CD) 430, and A Web server (WS) 440 and functional applications such as a vehicle electronic control function application 417, a vehicle communication control function application 428, a vehicle information display function application 439a, a Web information display function application 439b, and a Web information server function application 449. including. Here, the functional application is an application program that is stored in the main memory of the hardware block, executed by the CPU, and realizes the functional role required by the hardware block.

Further, the functional block definition information 400 further includes an OS (RTOS) 427, an OS (Linux (registered trademark)) 437, 347, a Web browser (Webkit) 438, and a Web server (httpd) 448.

Among the hardware blocks, the vehicle electronic control unit (ECU) 410, the vehicle communication gateway (GW) 420, and the console display (CD) 430 are mounted inside the vehicle. On the other hand, the Web server (WS) 440 on the Internet is installed outside the vehicle. The web server (WS) 440 is connected to the vehicle console display (CD) 430 via the Internet.

Each hardware block is an independent computer system. For example, the vehicle electronic control unit (ECU) 410 includes a CPU 412, an IOP 413, and a main storage device 414 connected to the bus 411. The IOP 413 is connected to the harness (communication adapter) 415 and the CANBus communication adapter 416 to control data communication inside and outside the block. The vehicle electronic control unit (ECU) 410 is connected to the vehicle communication gateway (GW) 420 via CANBus 450, which is a communication path. The other hardware blocks, the vehicle communication gateway (GW) 420, the console display (CD) 430, and the Web server (WS) 440, have the same internal configuration as the vehicle electronic control unit (ECU) 410. Is omitted. The vehicle communication gateway (GW) 420 is connected to the console display (CD) 430 via Ethernet (registered trademark) 451 which is a communication path. The console display (CD) 430 is connected to the Web server (WS) 440 via Wifi 452, which is a communication path.

The functional roles of the hardware block of the connected car system are roughly divided into two (first function) vehicle electronic control function and (second function) Web information display function. Both of the two functions are executed starting from the vehicle information display function application 439a and the Web information display function application 439b of the console display (CD) 430 that controls the interface with the vehicle driver.

(First Function) The vehicle electronic control function console display (CD) 430 executes the vehicle information display function application 439a. The vehicle information display function application 439a is created by creating a corresponding vehicle control command, for example, a command for monitoring the operating state of an engine, a command for opening a door or a rear gate, etc., according to an input vehicle driver's designation. The vehicle control command is transmitted to the vehicle communication gateway (GW) 420 via Ethernet 451. The vehicle communication control function application 428 of the vehicle communication gateway (GW) 420 converts the received vehicle control command into an ECU command, and transmits the converted ECU command to the vehicle electronic control unit (ECU) 410 via CANBus450. .. The vehicle electronic control function application 417 of the vehicle electronic control unit (ECU) 410 generates a unit internal command according to the received ECU command, and executes vehicle control specified by the vehicle driver.

(Second function) Web information display function The console display (CD) 430 executes the Web information display function application 439b. The Web information display function application 439b creates a corresponding Web page request command, for example, a get command of the http protocol, etc. according to the input vehicle driver's specification, and sends the created Web page request command to the Web server via Wifi452. (WS) Send to 440. The Web information server function application 449 of the Web server (WS) 440 searches for the corresponding Web page according to the received Web page request command, and searches for the page content that is the search result, for example, HTML content or Javascript (registered trademark) code. , Reply to the console display (CD) 430 as a Web page response command.

As shown in FIG. 5, in the functional application model information 500 of the vehicle electronic control function application 417, "vehicle electronic control", which is the name of the vehicle electronic control function application 417, is described in the attribute value of the item number "1". .. In the attribute value of the item number "2", "application" which is a software type of the vehicle electronic control function application 417 is described. In the attribute value of the item number "3", the "vehicle electronic control unit (ECU)" which is the mounting unit of the vehicle electronic control function application 417 is described. The vehicle electronic control function application 417 does not require an OS, a Web browser, and a Web server at the time of execution. Therefore, "-(none)" is described in each of the attribute values of the item numbers "4-1", "4-2", and "4-3". On the other hand, in the attribute value of the item number "4-4", the "user" which is the process mode at the time of executing the application is described.

The vehicle electronic control function application 417 includes one system of inputs. The source of the first input is the vehicle communication control function application 428 executed by the vehicle communication gateway (GW) 420. The data of the first input is input via CANBus450, the communication protocol is CAN, and the authority check is not performed. The communication content is an application command and includes an ECU control command. Therefore, the attribute value of the item number "5" is "1", the attribute value of the item number "6-1" is "vehicle communication control", and the attribute value of the item number "6-2" is "application". However, the attribute value of item number "6-3" is "Vehicle Communication Gateway (GW)", the attribute value of item number "6-4" is "CANBus", and the attribute value of item number "6-5" is. "CAN" is used for the attribute value, "-(none)" is used for the attribute value of item number "6-6", and "app command (ECU control command)" is used for the attribute value of item number "6-7". However, each is described.

The vehicle electronic control function application 417 includes one system of outputs. The destination of the first output is a vehicle equipment handler (not shown) of the unit internal module executed by the same vehicle electronic control unit (ECU) 410. The data of the first output is output via a harness (not shown), the communication protocol is unique to the inside of the unit, and the authority check is not performed. The communication content is a command inside the unit and includes an ECU control command. Therefore, the attribute value of item number "7" is "1", the attribute value of item number "8-1" is "vehicle equipment handler", and the attribute value of item number "8-2" is "unit". "Internal module", "Vehicle electronic control unit (ECU)" for the attribute value of item number "8-3", "harness" for the attribute value of item number "8-4", item number "8-" The attribute value of "5" is "unique inside the unit", the attribute value of item number "8-6" is "-(none)", and the attribute value of item number "8-7" is "unique inside the unit". Commands (ECU control commands) ”are described respectively.

In the attribute value of the item number "9", "the first input is input and then the first output is output", which is the operation order of the vehicle electronic control function application 417, is described. An ECU control command is input to the first input, which is a function content of the vehicle electronic control function application 417, and a unit command is output from the first output to control the vehicle equipment in the attribute value of the item number “10”. Is described.

As shown in FIG. 6, in the functional application model information 600 of the vehicle communication control function application 428, "vehicle communication control" which is the name of the vehicle communication control function application 428 is described in the attribute value of the item number "1". .. In the attribute value of the item number "2", "application" which is a software type of the vehicle communication control function application 428 is described. In the attribute value of the item number "3", the "vehicle communication gateway (GW)" which is the mounting unit of the vehicle communication control function application 428 is described. The vehicle communication control function application 428 requires an RTOS as an OS at the time of execution, but does not require a Web browser and a Web server. Therefore, "RTOS" is described in the attribute value of the item number "4-1", and "-(none)" is described in the attribute value of the item numbers "4-2" and "4-3". On the other hand, in the attribute value of the item number "4-4", the "user" which is the process mode at the time of executing the application is described.

The vehicle communication control function application 428 comprises one system of inputs. The source of the first input is the vehicle information display function application 439a of the Web browser application executed on the console display (CD) 430. The data of the first input is input via Ethernet451, the communication protocol is UDP / IP (Port3500), and the authority check is not performed. In addition, the communication content is an application command and includes an ECU control command (request). Therefore, the attribute value of the item number "5" is "1", the attribute value of the item number "6-1" is "vehicle information display", and the attribute value of the item number "6-2" is "Web". "Browser application" has "console display (CD)" for the attribute value of item number "6-3", "Ethernet" for the attribute value of item number "6-4", and item number "6-5". "UDP / IP (Port3500)" is the attribute value of, "-(none)" is the attribute value of item number "6-6", and "app command" is the attribute value of item number "6-7". (ECU control command (request)) ”is described respectively.

The vehicle communication control function application 428 includes one system of outputs. The destination of the first output is the vehicle electronic control function application 417 executed by the vehicle electronic control unit (ECU) 410. The data of the first output is output via CANBus450, the communication protocol is CAN, and the authority check is not performed. In addition, the communication content is an application command and includes an ECU control command (request). Therefore, the attribute value of the item number "7" is "1", the attribute value of the item number "8-1" is "vehicle electronic control", and the attribute value of the item number "8-2" is "application". However, the attribute value of item number "8-3" is "Vehicle electronic control unit (ECU)", and the attribute value of item number "8-4" is "CAN Bus", item number "8-5". "CAN" is used for the attribute value of, "-(none)" is used for the attribute value of item number "8-6", and "app command (ECU control command (ECU control command)" is used for the attribute value of item number "8-7". Requests)) ”are described respectively.

In the attribute value of the item number "9", "the first input is input, then the first output is output", which is the operation order of the vehicle communication control function application 428, is described. In the attribute value of the item number "10", "the ECU control command is input to the first input, the protocol is converted, and the output is output from the first output", which is the function content of the vehicle communication control application 428, is described.

As shown in FIG. 7, in the functional application model information 700 of the vehicle information display function application 439a, "vehicle information display" which is the name of the vehicle information display function application 439a is described in the attribute value of the item number "1". .. In the attribute value of the item number "2", the "Web browser application" which is the software type of the vehicle information display function application 439a is described. In the attribute value of the item number "3", the "console display (CD)" which is the mounting unit of the vehicle information display function application 439a is described. The vehicle information display function application 439a requires Linux as an OS and Webkit as a Web browser at the time of execution, but does not require a Web server. Therefore, "Linux" is set as the attribute value of item number "4-1", "Webkit" is set as the attribute value of item number "4-2", and "-(none)" is set as the attribute value of "4-3". , Each is described. On the other hand, in the attribute value of the item number "4-4", "privilege" which is a process mode at the time of application execution is described.

The vehicle information display function application 439a includes two inputs. The source of the first input is a user I / F handler (not shown) of the unit internal module executed on the same console display (CD) 430. The data of the first input is input via the unit internal bus (not shown), the communication protocol is unique to the unit internal, and the authority check is not performed. The communication content is a command inside the unit and includes a user input command. Therefore, "2" is used for the attribute value of item number "5", "user I / F handler" is used for the attribute value of item number "6-11", and "user I / F handler" is used for the attribute value of item number "6-12". "Unit internal module", "Console display (CD)" for the attribute value of item number "6-13", "Unit internal bus" for the attribute value of item number "6-14", item number " The attribute value of "6-15" is "unique inside the unit", the attribute value of item number "6-16" is "-(none)", and the attribute value of item number "6-17" is "unit". Internal commands (user input commands) ”are described respectively.

As a result of outputting the ECU control command (request) from the first output described later, the ECU control command (response) transmitted from the vehicle communication gateway (GW) 420 is input to the second input. The details of the ECU control command (response) will be omitted.

The vehicle information display function application 439a includes one system of outputs. The destination of the first output is the vehicle communication control function application 428 executed by the vehicle communication gateway (GW) 420. The data of the first output is output via Ethernet 451 and the communication protocol is UDP / IP (Port3500), and the authority check is not performed. In addition, the communication content is an application command and includes an ECU control command (request). Therefore, the attribute value of the item number "7" is "1", the attribute value of the item number "8-1" is "vehicle communication control", and the attribute value of the item number "8-2" is "application". However, the attribute value of item number "8-3" is "Vehicle Communication Gateway (GW)", the attribute value of item number "8-4" is "Ethernet", and the attribute value of item number "8-5" is. "UDP / IP (Port3500)" is the attribute value, "-(none)" is the attribute value of item number "8-6", and "app command (app command) is the attribute value of item number" 8-7 ". ECU control command (request) ”is described respectively.

In the attribute value of item number "9", the operation order of the vehicle information display function application 439a, "the first input is input, then the first output is output, and then the second input is input." It has been described. In the attribute value of item number "10", the function content of the vehicle information display function application 439a is "The operation instruction of the vehicle equipment is input to the first input, and the ECU control command (request) is created and output from the first output. Then, an ECU control command (response) is input to the second input, and vehicle information is displayed. "

As shown in FIG. 8, in the functional application model information 800 of the Web information display function application 439b, "Web information display" which is the name of the Web information display function application 439b is described in the attribute value of the item number "1". .. In the attribute value of the item number "2", the "Web browser application" which is the software type of the Web information display function application 439b is described. In the attribute value of item number "3", "console display (CD)" which is an implementation unit of the Web information display function application 439b is described. The vehicle information display function application 439a requires Linux as an OS and Webkit as a Web browser at the time of execution, but does not require a Web server. Therefore, "Linux" is set as the attribute value of item number "4-1", "Webkit" is set as the attribute value of item number "4-2", and "-(none)" is set as the attribute value of "4-3". , Each is described. On the other hand, in the attribute value of the item number "4-4", the "user" which is the process mode at the time of executing the application is described.

The Web information display function application 439b includes two inputs. The source of the first input is a user I / F handler (not shown) of the unit internal module executed on the same console display (CD) 430. The data of the first input is input via the unit internal bus (not shown), the communication protocol is unique to the unit internal, and the authority check is not performed. The communication content is a command inside the unit and includes a user input command. Therefore, "2" is used for the attribute value of item number "5", "user I / F handler" is used for the attribute value of item number "6-11", and "user I / F handler" is used for the attribute value of item number "6-12". "Unit internal module", "Console display (CD)" for the attribute value of item number "6-13", "Unit internal bus" for the attribute value of item number "6-14", item number " The attribute value of "6-15" is "unique inside the unit", the attribute value of item number "6-16" is "-(none)", and the attribute value of item number "6-17" is "unit". Internal commands (user input commands) ”are described respectively.

As a result of the http request command being output from the first output described later, the http response command (response) transmitted from the Web server (WS) 440 is input to the second input. The source of the second input is the Web information server function application 449 of the Web server application executed by the Web server (WS) 440. The second input data is input via Wifi452, the communication protocol is TCP / IP, and the authority check is performed by TLS communication based on the page address and password. In addition, the communication content is an http response command, which includes HTML data which is page content and Javascript code. Therefore, the attribute value of the item number "6-21" is "Web information server", the attribute value of the item number "6-22" is "Web server application", and the attribute value of the item number "6-23" is. "Web server (WS)", "Wifi" for the attribute value of item number "6-24", "TCP / IP" for the attribute value of item number "6-25", and item number " "TLS communication based on page address and password" is described in the attribute value of "6-26", and "http response command (HTML, Javascript)" is described in the attribute value of item number "6-27". ..

The Web information display function application 439b has one output system. The destination of the first output is the Web information server function application 449 of the Web server application executed by the Web server (WS) 440. The data of the first output is input via Wifi452, the communication protocol is TCP / IP, and the authority check is performed by TLS communication based on the page address and password. The communication content is an http request command, which includes a page address and a password. Therefore, the attribute value of the item number "7" is "1", the attribute value of the item number "8-1" is "Web information server", and the attribute value of the item number "8-2" is "Web". "Server application" has "Web server (WS)" for the attribute value of item number "8-3", "Wifi" for the attribute value of item number "8-4", and item number "8-5". The attribute value of item number is "TCP / IP", the attribute value of item number "8-6" is "TLS communication based on page address and password", and the attribute value of item number "8-7" is "http". Request commands (page address, password) "are described respectively.

In the attribute value of item number "9", the operation order of the Web information display function application 439b, "the first input is input, then the first output is output, and then the second input is input." It has been described. In the attribute value of item number "10", the function content of the Web information display function application 439b is "A Web page acquisition request is input to the first input, an http request command is created and output from the first output, and the second The http response command (response) is input and the Web information is displayed. "

As shown in FIG. 9, in the functional application model information 900 of the Web information server function application 449, "Web information server" which is the name of the Web information server function application 449 is described in the attribute value of the item number "1". .. In the attribute value of the item number "2", "Web server application" which is a software type of the Web information server function application 449 is described. In the attribute value of the item number "3", "Web server (WS)" which is an implementation unit of the Web information server function application 449 is described. The Web information server function application 449 requires Linux as the OS and httpd as the Web server at the time of execution, but does not require a Web browser. Therefore, "Linux" is set as the attribute value of item number "4-1", "-(none)" is set as the attribute value of item number "4-2", and "httpd" is set as the attribute value of "4-3". , Each is described. On the other hand, in the attribute value of the item number "4-4", the "user" which is the process mode at the time of executing the application is described.

The Web information server function application 449 includes one input system. The source of the first input is the Web information display function application 429b of the Web browser function application executed on the console display (CD) 430. The data of the first input is input via Wifi452, the communication protocol is TCP / IP, and the authority check is performed by TLS communication based on the page address and password. The communication content is an http request command, which includes a page address and a password. Therefore, the attribute value of the item number "5" is "1", the attribute value of the item number "6-1" is "Web information display", and the attribute value of the item number "6-2" is "Web". "Server application" has "Console display (CD)" for the attribute value of item number "6-3", "Wifi" for the attribute value of item number "6-4", and item number "6-5". The attribute value of item number "TCP / IP" is "TCP / IP", the attribute value of item number "6-6" is "TLS communication based on page address and password", and the attribute value of item number "6-7" is "http". Request commands (page address, password) "are described respectively.

The Web information server function application 449 has one output system. The destination of the first output is the Web information display function application 439b of the Web browser application executed on the console display (CD) 430. The data of the first output is input via Wifi452, the communication protocol is TCP / IP, and the authority check is performed by TLS communication based on the page address and password. In addition, the communication content is an http response command, which includes HTML data which is page content and Javascript code. Therefore, the attribute value of the item number "7" is "1", the attribute value of the item number "8-1" is "Web information display", and the attribute value of the item number "8-2" is "Web". "Browser application" has "Console display (CD)" for the attribute value of item number "8-3", "Wifi" for the attribute value of item number "8-4", and item number "8-5". "TCP / IP" is used for the attribute value of, "TLS communication based on page address and password" is used for the attribute value of item number "8-6", and "http" is used for the attribute value of item number "8-7". Response commands (HTML, Javascript) "are described respectively.

In the attribute value of the item number "9", "the first input is input and then the first output is output", which is the operation order of the Web information server function application 449, is described. In the attribute value of item number "10", the function content of the Web information server function application 449, "A Web page acquisition request is input in the first input, the http page content is searched, and the http response command (response) is issued. Output from 1 output. ”Is described.

As shown in FIG. 10, the system component relationship information 1000 of the connected car system is information summarizing the relationship information regarding the execution environment and the functional cooperation for any application of the connected car system. By referring to this information, information of type D can be obtained from the following types A.

Type A: Software environment (OS, web server, web browser) required to execute the application
For example, item number "4" means that the "application" named "vehicle communication control" of the first component requires the "OS" named "RTOS" of the second component as the execution environment. Is shown.

Type B: Hardware environment in which the application exists (hardware block)
For example, in the item number "1", the "application" named "vehicle electronic control" of the first component is implemented in the hardware block named "vehicle electronic control unit (ECU)" of the second component. , Indicates that it will be executed.

Type C: Calling relationship of function module For example, in the item number "2", the "application" named "vehicle electronic control" of the first component is the "application" named "vehicle communication control" of the second component. ", Indicates that there is a functional calling relationship.

Type D: Connection relationship of hardware block For example, in item number "3", the "hardware block" named "vehicle electronic control" of the first component is the "vehicle communication gateway (GW)" of the second component. It indicates that there is a network connection relationship with the "hardware block" named "".

The system component relationship information 1000 is information created based on the functional block definition information 400 and the functional application model information 500 to 900. Therefore, the system component-related information 1000 does not provide new information beyond that indicated by the functional block definition information 400 and the functional application model information 500 to 900. However, it is presented as an example of implementing a connected car system.

In the present embodiment, an example of the functional block definition information 400 represented by a graphic is shown in FIG. 4, but the present invention is not limited to this. The actual information storage format in the computer for the functional block definition information does not have to be a graphic, for example, a tabular format as shown in FIG. 10, linked record data, or XML (eXtensive Markup Language). It may be expressed by such text data.

In addition, for convenience of explanation, those using figures can be implemented in any data format when actually implementing the system. For example, the connection relationship and the inclusion relationship can be stored in the relational database as tabular data as shown in FIG.

Next, the vulnerability case information 130 used in the threat analyzer 100 will be described with reference to FIGS. 11 to 13. FIG. 11 is a diagram showing vulnerability model information 1100 of [Web server impersonation]. FIG. 12 is a diagram showing vulnerability model information 1200 of [execution of arbitrary shellcode in a Web browser]. FIG. 13 is a diagram showing vulnerability model information 1300 of [authority promotion of Web browser application execution process].

Vulnerability case information 130 includes vulnerability model information 1100 of [Web server impersonation], vulnerability model information 1200 of [Execution of arbitrary shellcode in Web browser], and [Elegation of authority of Web browser application execution process]. Vulnerability model information 1300 and is included.

As shown in FIG. 11, in the vulnerability model information 1100 of [Web server impersonation], the vulnerability model name "Web server impersonation" is described in the attribute value of the item number "1". In the attribute value of item number "10", the vulnerability content "Since the address and password of the Web server are disclosed, it is possible to impersonate the Web server" is described.

Here, the attribute values of the item numbers "2" to the item numbers "8" include two types of attribute values, "attack establishment condition" and "attack result". The attack establishment condition is a condition for establishing an attack that exploits the vulnerability. That is, when an arbitrary functional application is given, if the attribute value of the application matches a plurality of attack establishment conditions of certain vulnerability model information, the functional module has the vulnerability and is attacked. It can be determined that there is a possibility. The attack result, which is another attribute value, shows the result of a specific attribute value of a functional application being changed when a functional application is vulnerable to an attack.

In the attribute value of the attack establishment condition of item number "2", "Web server application" which is a type of functional application having the vulnerability is described. The execution conditions for the vulnerability to be established are that the OS is Linux (Version), the Web server is httpd (Version), and the process mode is user mode. Therefore, "Linux (Version)" is the attribute value of the attack establishment condition of item number "4-1", and "httpd (Version)" is the attribute value of the attack establishment condition of item number "4-2". "User" is described in the attribute value of the attack establishment condition of "4-4".

For the input of the vulnerability, the communication protocol is TCP / IP, the authority check is performed by the page address and password (public), and the communication content is the http request command (page) for one or more inputs. Address). Therefore, "n> 1" (n is the number of inputs and is a positive integer) is set as the attribute value of the attack establishment condition of the item number "5", and "n> 1" is set as the attribute value of the attack establishment condition of the item number "6-5". "TCP / IP" has "page address, password (public)" in the attribute value of the attack establishment condition of item number "6-6", and "http request" in the attribute value of the attack establishment condition of item number "6-7". "Command (page address)" is described respectively.

Here, the attack establishment condition that the password of the item number "6-6" is disclosed represents the vulnerability itself. As a result, as shown in the item number "10", the result that "the Web server can be impersonated and installed" is caused.

As for the output of the vulnerability, for one of the outputs of one or more systems, the communication protocol is TCP / IP, the authority check is performed by the page address and password (public), and the communication content is the http response command (HTML, Javascript). Therefore, "m> 1" (m is the number of outputs and is a positive integer) is set as the attribute value of the attack establishment condition of item number "7", and "m> 1" is set as the attribute value of the attack establishment condition of item number "8-5". "TCP / IP" is the attribute value of the attack establishment condition of item number "8-6", and "page address, password (public)" is the attribute value of the attack establishment condition of item number "8-7". Commands (HTML, Javascript) "are described respectively.

If the above attack conditions are met, there is a possibility of an attack against the vulnerability. In the case of this vulnerability, the result of the attack is "It is possible to impersonate a Web server" as described above, and in addition to HTML and Javascript as http response commands, Shell code (arbitrary content), which is the system code of the operating system, is used. It becomes possible to output. Therefore, "http response command (HTML, Javascript, Shell code (arbitrary content))" is described in the attribute value of the attack result of the item number "8-7".

Here, if you use a normal Web browser, even if you access the fake server and enter the http response command that includes the Shell code, it will not be executed on the browser, so the damage caused by the fake server access is limited. .. However, there is a problem that the damage spreads when the Web browser has other vulnerabilities and the attack is executed in combination with the vulnerabilities. As will be described later, the threat analysis device 100 has a characteristic advantage that threat analysis can be performed on an attack in which a plurality of vulnerabilities are combined.

As shown in FIG. 12, in the vulnerability model information 1200 of [Execution of arbitrary shellcode in a Web browser], the vulnerability model name "Execution of arbitrary shellcode in a Web browser" is described in the attribute value of item number "1". Has been done. The attribute value of item number "10" is the vulnerability content "Any shellcode can be executed in a Web browser due to an address leak and a Use After Free vulnerability (CVE2011-3928 and CVE2011-0154)". Is described. Here, CVE is the numbering of the vulnerability case information database registered and published by MITER Corporation in the United States, and indicates that the vulnerability is a vulnerability case that actually occurred.

In the attribute value of the attack establishment condition of item number "2", "Web browser application" which is a type of functional application having the vulnerability is described. The execution conditions for the vulnerability to be established are that the OS is Linux (Version), the Web browser is Webkit (Version), and the process mode is user mode. Therefore, "Linux (Version)" is the attribute value of the attack establishment condition of item number "4-1", and "Webkit (Version)" is the attribute value of the attack establishment condition of item number "4-2". "User" is described in the attribute value of the attack establishment condition of "4-4".

For the input of the vulnerability, the communication protocol is TCP / IP and the communication content is an http response command (HTML, Javascript, Shell code (arbitrary content)) for one of the inputs of one or more systems. Therefore, "n> = 1" (n is the number of inputs and is a positive integer) in the attribute value of the attack establishment condition of the item number "5" becomes the attribute value of the attack establishment condition of the item number "6-5". In "TCP / IP", "[<] http response command (HTML, Javascript, Shell code (arbitrary content))" is described in the attribute value of the attack establishment condition of item number "6-7".

Here, [<] added to the beginning of the attack establishment condition of item number "6-7" is a part of the condition for determining whether or not the vulnerability model information can be applied to the functional application. Indicates that. A detailed description will be described later.

The output of the vulnerability is that the communication protocol is TCP / IP and the communication content is the http request command (page address) for one of the outputs of one or more systems. Therefore, "m> = 1" (m is the number of outputs and is a positive integer) in the attribute value of the attack establishment condition of the item number "7" becomes the attribute value of the attack establishment condition of the item number "8-5". "TCP / IP" and "http request command (page address)" are described in the attribute value of the attack establishment condition of item number "8-7".

If the above attack conditions are met, there is a possibility of an attack against the vulnerability. In the case of this vulnerability, the result of the attack is "Any shellcode can be entered and executed with a Web browser" as described above, and in addition, as a new output, the communication path is Ethernet and the communication protocol is UDP /. With IP (Port 3500), it is possible to output application commands (arbitrary content) for communication content. Therefore, "m + 1" is the attribute value of the attack result of item number "7", "Ethernet" is the attribute value of the attack result of item number "11-4", and the attribute of the attack result of item number "11-5". "UDP / IP (Port 3500)" is described in the value, and "App command (arbitrary content)" is described in the attribute value of the attack result of the item number "11-7".

In this embodiment, the "app command (ECU control command (request))" is used at the time of a specific attack. However, since the attack result of item number "11-7" is "app command (arbitrary content)", it is clear that this is included.

As shown in FIG. 13, the vulnerability model information 1300 of [Web browser application execution process authority elevation] has the attribute value of item number "1" as the vulnerability model name "Web browser application execution process authority promotion". Is described. In the attribute value of item number "10", the vulnerability content "In Linux, a vulnerability in the kernel API makes it possible to elevate the execution authority of a process (CVE2013-6282)" is described.

The execution conditions for this vulnerability to hold are that the OS is Linux (Version) and the process mode is user mode. Therefore, "Linux (Version)" is described in the attribute value of the attack establishment condition of the item number "4-1", and "user" is described in the attribute value of the attack establishment condition of the item number "4-4". ..

For the input of the vulnerability, the communication protocol is TCP / IP and the communication content is an http response command (HTML, Javascript, Shell code (arbitrary content)) for one of the inputs of one or more systems. Therefore, "n> = 1" (n is the number of inputs and is a positive integer) in the attribute value of the attack establishment condition of the item number "5" becomes the attribute value of the attack establishment condition of the item number "6-5". In "TCP / IP", "[<] http response command (HTML, Javascript, Shell code (arbitrary content))" is described in the attribute value of the attack establishment condition of item number "6-7".

If the above attack conditions are met, there is a possibility of an attack against the vulnerability. For this vulnerability, the result of the attack is that the process mode changes from user mode to privileged mode. Therefore, "privilege" is described in the attribute value of the attack result of the item number "4-4".

Next, the threat analysis process S1400 and the vulnerable application search process S1500 executed by the threat analysis device 100 will be described with reference to FIGS. 14 to 19. FIG. 14 is a flowchart of the threat analysis process S1400. FIG. 15 is a flowchart of the vulnerable application search process S1500. FIG. 16 is a diagram showing matching results of vulnerability model information 1100 and 1200 with respect to the functional application model information 800 of the Web information display function application 439b. FIG. 17 is a diagram showing a matching result of vulnerability model information 1100 with respect to the functional application model information 900 of the Web information server functional application 449. FIG. 18 is a diagram showing the relationship between the attribute values of the functional application after the vulnerability attack. FIG. 19 is a diagram showing an attack vector tree 1950.

Before the execution unit 180 executes the threat analysis process S1400, the first acquisition unit 150 acquires the functional application model information 500 to 900, and the second acquisition unit 160 acquires the vulnerability model information 1100 to 1300. deep. In addition, the target system design information 120 other than the functional application model information 500 to 900 shall be acquired in advance.

When the threat analysis process S1400 is activated by the user U, the execution unit 180 first displays the functional block definition information 400 (S1401), as shown in FIG.

Next, the execution unit 180 acquires the corresponding functional application model information 500 to 900 for the functional application designated as the attack target by the user U, and sets it in the user-specified functional application UA (S1402).

In the following, a case where the vehicle electronic control function application 417 is designated as an attack target by the user U and set in the user-designated function application UA will be described as a specific example.

Next, the execution unit 180 sets empty (NULL) in the vulnerable application list VL for outputting the analysis result (S1403).

Next, the execution unit 180 determines whether or not there is a vulnerability model information VI that satisfies the attack establishment condition for the user-specified function application UA (S1404). Specifically, the execution unit 180 determines whether or not there is a vulnerability model information VI including an attack establishment condition that matches the attribute values of the functional application model information 500 to 900 of the user-specified functional application UA.

As a result of the determination, if there is a vulnerability model information VI that satisfies the attack establishment condition for the user-specified function application UA, it is considered that the user-specified function application UA has a vulnerability of the vulnerability model information VI. Therefore, the update unit 170 updates a part of the functional application model information 500 to 900 of the user-specified functional application UA based on the attack establishment condition and the attack result of the vulnerability model information VI that satisfies the attack establishment condition (S1405). .. Specifically, the update unit 170 sets some attribute values of the functional application model information 500 to 900 of the user-specified function application UA to the attack establishment condition and attack result attribute of the vulnerability model information VI that satisfies the attack establishment condition. Rewrite to value.

Next, the execution unit 180 sets the user-specified function application UA and the vulnerability model information VI that satisfies the attack establishment condition, and adds them to the head of the vulnerability application list VL (S1406).

On the other hand, if there is no vulnerability model information VI that satisfies the attack establishment condition for the user-specified function application UA, it is considered that the user-specified function application UA does not have a vulnerability. Therefore, the execution unit 180 adds the user-specified function application UA and the empty string (NULL) indicating that there is no vulnerability satisfying the attack establishment condition to the head of the vulnerable application list VL (S1407).

In the case of the above-mentioned specific example, none of the attack establishment conditions of the vulnerability model information 1100 to 1300 match the attribute value of the functional application model information 500 of the vehicle electronic control function application 417. Therefore, the execution unit 180 adds the name of the vehicle electronic control function application 417 and the empty string (NULL) to the head of the vulnerable application list VL in step S1407. As a result, the vulnerable application list VL becomes the following data (1).
Vulnerable application list VL =
((Vehicle electronic control function application 417, NULL)) ... (1)

Data (1) indicates that the vehicle electronic control function application 417 was set as an attack target, but no vulnerability was found.

Next, the execution unit 180 calls the vulnerable application search process S1500 shown in FIG. 15 with a predetermined argument (S1408). The predetermined arguments are, for example, the first argument is the user-specified function application UA, and the second argument is the vulnerable application list VL. As a result of the vulnerable application search process S1500, the vulnerable application search process result list FRV is returned as a return value.

In the case of the above-mentioned specific example, the user-specified function application UA of the first argument is the vehicle electronic control function application 417. On the other hand, the vulnerable application list VL of the second argument is the above-mentioned data (1). Hereinafter, the call of the vulnerable application search process S1500 using these arguments is referred to as <first call>.

Vulnerability application search process S1500 sets the functional application specified by the first argument as an attack target, and when an attack attempt on a related functional application spreads, what vulnerability of which functional application is attacked. In other words, it is a process to search the range where the vulnerability attack spreads. In the vulnerability application search process S1500, the first argument is treated as an analysis starting point application SP that defines the target point of the attack, that is, the starting point of the vulnerability spread search, and the second argument is executed by the time of the processing call. It is treated as an analysis route list APL that lists the history list of the search routes.

A detailed description of the vulnerable application search process S1500 will be described later together with the process content of <first call>.

In the case of the above-mentioned specific example, the vulnerable application search processing result list FRV, which is the return value of <first call>, becomes the following data (2).
Vulnerable application search processing result list FRV =
(((Vehicle electronic control function application 417, NULL)),
(Vehicle communication control function application 428, NULL),
(Vehicle information display function application 439a, NULL)),
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL),
(Web information display function application 1961, vulnerability model information 1200, 1300),
(Web information server function application 1962, vulnerability model information 1100))) ... (2)

Next, the execution unit 180 stores and registers the threat analysis result information 1900 created by merging the vulnerable application search processing result list FRV and the vulnerable application list VL into a single list in the main storage device 107 (step 1409). ).

In the case of the above-mentioned specific example, the vulnerable application search processing result list FRV is the above-mentioned data (2). On the other hand, since the vulnerable application list VL is empty (NULL), the value of the threat analysis result information 1900 is the above-mentioned data (2).

Next, the execution unit 180 creates the attack route tree 1950 shown in FIG. 19 from the threat analysis result information 1900 and displays it on the display device 104 (S1410). Although detailed description will be described later, the configuration of the attack route tree 1950 shown in FIG. 19 reflects the list structure of the above-mentioned data (2).

After step S1411, the CPU 102 terminates the threat analysis process S1400.

As shown in the above processing flow, in the threat analysis process S1400 of the present application, threat analysis is performed while matching the functional application model information 500 to 900 of the functional application which is a component of the target system with the vulnerability model information 1100 to 1300. As a result, it has the feature of realizing highly accurate threat analysis without omissions or omissions.

Here, the attack vector tree 1950 created in step S1410 described above will be described.

As shown in FIG. 19, the attack route tree 1950 is a chart that visually displays the contents of the threat analysis result information 1900. The attack vector tree 1950 contains four hardware blocks 410, 420, 430, 440 and five functional applications 417,428,439a, 439b, 449, among the already described design information for the connected car system. It is included. In each functional application 417, 428, 439a, 439b, 449, names, functions, inputs, and outputs extracted from the functional application model information 500 to 900 shown in FIGS. 5 to 9 are described. Further, the attack route tree 1950 is connected to each functional application 417, 428, 439a, 439b, 449 via a network, and the vehicle information display function application 439a and the Web information display function application 439b are realized. It is shown visually. In the lower right part of FIG. 19, the functional application surrounded by the broken line frame shows the change of the attribute value of the functional application model information after the vulnerability attack described later and the attack route.

Next, the vulnerable application search process S1500 will be described.

When the vulnerable application search process S1500 is started, as shown in FIG. 15, the execution unit 180 first sets the search result list RT for result output to empty (NULL) (S1501). Specifically, the CPU 102 sets the search result list RT to empty (NULL).

Next, the execution unit 180 searches the system component relationship information 1000, identifies the hardware block including the analysis starting application SP of the first argument, and determines the presence or absence of the adjacent hardware block connected to the hardware block. Judgment (S1502).

If there is an adjacent hardware block as a result of the determination in step S1502, the execution unit 180 searches the system component relationship information 1000 again and registers all the functional applications in the adjacent hardware block in the analysis target application list AL. (S1503).

In the case of the above-mentioned specific example, that is, in the case of <first call>, in step S1502, as a hardware block including the vehicle electronic control function application 417 which is the user-specified function application UA set in the first argument, The "vehicle electronic control unit (ECU)" described in the second component of the item number "1" of the system component relationship information 1000 shown in FIG. 10 is specified. Then, as described in item number “3” of the system component relationship information 1000 shown in FIG. 10, the vehicle communication gateway (GW) 420, which is an adjacent hardware block connected to the vehicle electronic control unit (ECU) 410, is used. There is. Therefore, in step S1503, the vehicle communication control function application 428, which is the “vehicle communication control” described in the second component of the item number “5” of the system component relationship information 1000 shown in FIG. 10, is the analysis target application list. Registered in AL.

Next, the execution unit 180 determines whether or not there is a functional application in the analysis target application list AL (S1504).

As a result of the determination in step S1504, if there is a functional application, the execution unit 180 takes out the first (first) functional application in the analysis target application list AL and sets it in the analysis target application OA. (S1505). At this time, the execution unit 180 removes the extracted functional application from the analysis target application list AL. As a result, when there are a plurality of functional applications in the analysis target application list AL, the second functional application becomes the first (first) functional application in the analysis target application list AL. On the other hand, when there is only one functional application in the analysis target application list AL, there is no functional application in the analysis target application list AL.

Next, the execution unit 180 determines whether or not there is vulnerability model information VI that satisfies the attack establishment condition for the application OA to be analyzed (S1506). Specifically, the execution unit 180 determines whether or not there is a vulnerability model information VI including an attack establishment condition that matches the attribute values of the functional application model information 500 to 900 of the application OA to be analyzed.

As a result of the determination in step S1506, if the analysis target application OA has a vulnerability model information VI that satisfies the attack establishment condition, the analysis target application OA is considered to have the vulnerability. Therefore, the update unit 170 updates a part of the functional application model information 500 to 900 of the application OA to be analyzed based on the attack establishment condition and the attack result of the vulnerability model information VI that satisfies the attack establishment condition (S1507). Specifically, the update unit 170 sets some attribute values of the functional application model information 500 to 900 of the application OA to be analyzed as the attribute values of the attack establishment condition and the attack result of the vulnerability model information VI that satisfies the attack establishment condition. Rewrite to.

On the other hand, as a result of the determination in step S1506, if there is no vulnerability model information 1100 to 1300 including an attack establishment condition that matches the attribute values of the functional application model information 500 to 900 of the application model information to be analyzed, the application OA to be analyzed is concerned. Since the attack establishment conditions of the vulnerability model information 1100 to 1300 are not satisfied, it is considered that the vulnerability is not possessed. Therefore, the execution unit 180 sets “NULL” in the vulnerability model information VI that satisfies the attack establishment condition (S1508).

In the case of the above-mentioned specific example, since the vehicle communication control function application 428 is included in the analysis target application list AL, the vehicle communication control function application 428 is set as the analysis target application OA in step S1505. However, since there is no vulnerability model information 1100 to 1300 including an attack establishment condition that matches the attribute value of the functional application model information 600 of the vehicle communication control function application 428, "NULL" is set in the vulnerability model information VI in step S1508. Will be done.

Next, the execution unit 180 communicates with the analysis starting application OA by the analysis target application OA based on the functional application model information 500 to 900 of the analysis target application OA and the functional application model information 500 to 900 of the analysis starting application SP. It is determined whether or not it is possible (S1509). In the determination, for example, each attribute value of the output communication path, communication protocol, authority check, and communication content in the functional application model information 500 to 900 of the analysis target application OA is the functional application model information 500 to 900 of the analysis starting application SP. It is based on whether or not it matches each attribute value of the input in.

In the case of the above-mentioned specific example, the attribute values of the item numbers “7” and the item numbers “8-4” to “8-7” in the function application model information 600 of the vehicle communication control function application 428 are the vehicle electronic control function application 417. The attribute values of the item numbers "5" and the item numbers "6-4" to "7-7" in the function application model information 500 of the above are matched. Therefore, in step S1509, it is determined that the vehicle communication control function application 428 and the vehicle electronic control function application 417 can be connected by communication.

As a result of the determination in S1509, when the analysis target application OA can communicate with the analysis starting application SP, the execution unit 180 sets the analysis target application OA and the vulnerability model information VI, and sets the set as a vulnerable application search process. What is added to the final element of the analysis route list APL, which is the second argument of S1500, is set in the next analysis route list APLNX. (S1510).

In the case of the above-mentioned specific example, in step S1508, the execution unit 180 sets “NULL” in the vulnerability model information VI. Therefore, in step S1510, the vehicle communication control function application 428 and “NULL”, which are the analysis target application OA, are displayed. Is added to the final element of the analysis route list APL and set in the next analysis route list APLNX. As a result, the next analysis route list APLNX becomes the following data (3).
Next analysis route list APLNX =
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL))… (3)

In the data (3), the vehicle electronic control function application 417 and the vehicle communication control function application 428 are expressed as list format data as the next analysis route list APLNX. In this, these two function applications are connected in series. That is, it means that a two-layer tree is formed. As described above, it is a feature of the vulnerable application search process S1500 that the attack route tree is sequentially formed by calling the vulnerable application search process S1500.

On the other hand, as a result of the determination in S1509, if the analysis target application OA cannot communicate with the analysis start application SP, the execution unit 180 returns to step S1504 and again determines whether or not there is a functional application in the analysis target application list AL. judge.

After step S1510, the CPU 102 recursively calls the vulnerable application search process S1500 with a predetermined argument (S1511). The predetermined arguments are, for example, the first argument is the application OA to be analyzed, and the second argument is the next analysis route list APLNX. As a result of the processing of the vulnerable application search processing S1500, the vulnerable application search processing result list FRV is returned as a return value.

In the case of the above-mentioned specific example, the analysis target application OA of the first argument is the vehicle communication control function application 428. On the other hand, the next analysis route list APLNX of the second argument is the above-mentioned data (3). Hereinafter, the recursive call of the vulnerable application search process S1500 using these arguments will be referred to as <second call>, and the details of the process will be described later.

Next, the execution unit 180 adds the vulnerable application search processing result list FRV, which is the return value of the recursively called vulnerable application search processing S1500, to the search result list RT and updates the search result list RT (S1512).

In the case of the above-mentioned specific example, the vulnerable application search processing result list FRV, which is the return value of <second call>, becomes the above-mentioned data (2). On the other hand, the search result list RT is set to empty (NULL) in step S1501. Therefore, the search result list RT updated in step S1512 is the above-mentioned data (2).

After step S1512, the execution unit 180 repeats the processes of steps S1504 to S1512 until there are no functional applications in the analysis target application list AL.

If there is no adjacent hardware block as a result of the determination in step S1502, or if there is no functional application in the analysis target application list AL as a result of the determination in step S1504, the execution unit 180 determines that the search result list RT is empty (NULL). Whether or not it is determined (S1513).

If the search result list RT is empty (NULL) as a result of the determination in step S1513, the execution unit 180 adds the analysis route list APL, which is the second argument of the vulnerable application search process S1500, to the search result list RT (S1514). ).

As a result of the determination in step S1513, if the search result list RT is not empty (NULL), or after step S1514, the CPU 102 terminates the vulnerable application search process S1500.

In the case of the above-mentioned specific example, since only the vehicle communication control function application 428 registered in the analysis target application list AL in step S1503, there is no unanalyzed functional application. Therefore, the process proceeds to step S1513. Further, in step 1512, the search result list RT is updated to the above-mentioned data (2), so step S1514 is not performed. In this way, the vulnerable application search process S1500 by the <first call> ends.

The processing content of the vulnerable application search processing S1500 by <second call> will be described below. The description of the same parts as those described above will be omitted as appropriate.

In step S1502, the analysis target application OA set in the first argument is the second item “5” of the system component relationship information 1000 shown in FIG. 10 as a hardware block including the vehicle communication control function application 428. The "vehicle communication gateway (GW)" described in the component is specified. Then, as described in item number "9" of the system component relationship information 1000 shown in FIG. 10, there is a console display (CD) 430 which is an adjacent hardware block connected to the vehicle communication gateway (GW) 420. Therefore, in step S1503, the system component relationship with the vehicle information display function application 439a, which is the "vehicle information display" described in the second component of the item number "11" of the system component relationship information 1000 shown in FIG. The Web information display function application 439b, which is the “Web information display” described in the second component of the item number “14” of the information 1000, is registered in the analysis target application list AL.

In this way, the vulnerable application search process S1500 sequentially determines the connectivity and the applicability of the vulnerability model information to the functional application that has the possibility of connecting to the calling functional application. As a result, it is possible to determine the presence or absence of vulnerabilities in a plurality of functional applications inherent in the target system and analyze the possibility of an attack on the combination of the entire target system.

That is, based on the functional application model information 500 to 900 of one functional application, the functional application model information 500 to 900 of the functional application capable of communicating with the one functional application, and the vulnerability model information 1100 to 1300. By performing a functional analysis of the target system, it is possible to analyze the possibility of an attack on a combination of two functional applications that can be connected by communication.

Next, since the vehicle information display function application 439a and the Web information display function application 439b are registered in the analysis target application list AL, the vehicle information display function application 439a is set as the analysis target application OA in step S1505. However, since there is no vulnerability model information 1100 to 1300 including an attack establishment condition that matches the attribute value of the function application model information 700 of the vehicle information display function application 439a, the vulnerability model information VI that satisfies the attack establishment condition is set in step S1508. "NULL" is set.

Next, the vehicle communication control function application in which the attribute values of the item numbers "7" and the item numbers "8-4" to "8-7" in the functional application model information 700 of the vehicle information display function application 439a are the first arguments. It matches the attribute values of the item numbers “5” and the item numbers “6-4” to “7-7” in the functional application model information 600 of 428. Therefore, in step S1509, it is determined that the vehicle information display function application 439a and the vehicle communication control function application 428 can be connected by communication.

Next, since "NULL" is set in the vulnerability model information VI that satisfies the attack establishment condition in step S1508, the execution unit 180 sets the analysis target application OA, the vehicle information display function application 439a, and NULL in step S1510. The pair is added to the final element of the analysis route list APL and set in the next analysis route list APLNX. As a result, the next analysis route list APLNX becomes the following data (4).
Next analysis route list APLNX =
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL),
(Vehicle information display function application 439a, NULL))… (4)

Next, in step 1511, the vulnerable application search process S1500 recursively uses the vehicle information display function application 439a, which is the analysis target application OA, as the first argument, and the above-mentioned data (4), which is the next analysis route list APLNX, as the second argument. Called to. The recursive call of the vulnerable application search process S1500 using these arguments is called <third call>.

Here, the processing content of the <third call> of the vulnerable application search processing S1500 will be briefly described. The hardware block adjacent to the console display (CD) 430 is the web server (WS) 440. However, even if the vulnerability is applied to the Web information server function application 449, which is a functional application inherent in the Web server (WS) 440, the communication connection with the Web information display function application 439b cannot be established. The <third call> of the vulnerable application search process S1500 ends by returning the above-mentioned data (4) as a return value.

Returning to the description of the processing content of the <second call> of the vulnerable application search process S1500, in step 1512, the above-mentioned data (4) of the vulnerable application search process result list FRV which is the return value of the <third call>. Is added to the search result list RT set to empty (NULL) in step S1501, and the search result list RT is updated. Therefore, the updated search result list RT is the above-mentioned data (4).

Next, returning to step S1504, since the Web information display function application 439b remains in the analysis target application list AL, the process proceeds to step 1505, and the Web information display function application 439b is set in the analysis target application OA.

Next, in step 1506, it is determined whether or not there is vulnerability model information 1100 to 1300 including an attack establishment condition that matches the attribute value of the functional application model information 900 of the Web information display function application 439b.

As shown in FIG. 16, the attribute value 1601 of the functional application model information 800 of the Web information display function application 439b is the attack establishment condition 1602 of the vulnerability model information 1200, 1300 except for the communication content of the item number “6-7”. Is consistent with. On the other hand, the attribute value 1601 of the functional application model information 800 is the input content "http response command (Shell code (arbitrary content))" which is the vulnerability establishment condition of the item numbers "6 to 7" of the vulnerability model information 1200 and 1300. Does not meet.

However, the communication content of the attack establishment condition 1602 of the vulnerability model information 1200 and 1300 includes "[<]" indicating that it is a part of the attack establishment condition. In this case, it is considered that the attribute value 1601 of the functional application model information 800 satisfies the attack establishment condition 1602 of the vulnerability model information 1200 and 1300. Therefore, in step S1507, the attribute value 1601 of the functional application model information 800 of the Web information display function application 439b is updated to become the attribute value 1603.

By including such a satisfaction condition "[<]" in the attack establishment condition 1602 of the vulnerability model information 1200 and 1300, the possibility of establishing an attack on the Web information display function application 439b can be reserved. In other words, if this input condition is satisfied, an attack on the vulnerability of the Web information display function application 439b will be established.

As will be described later, the Web information server function application 449 connected to the Web information display function application 439b has the vulnerability model information 1100 of [Web server impersonation], and after the attack of the vulnerability, the information server function application 449 "Http response command (Shell code (arbitrary content))" will be output.

As described above, when the vulnerability application search process S1500 has a vulnerability that satisfies the attack establishment condition for any functional application, the functional application is based on the attack establishment condition and the attack result of the vulnerability model information. By updating some attribute values of the functional application model information of, it is possible to analyze the threat to the functional application in the future while retaining the possibility of attack. If other vulnerability model information is applied to other functional applications in subsequent analysis, it can be confirmed that the reserved attack is actually established, and an attack that combines multiple vulnerabilities throughout the target system. Threat analysis is realized.

Web information display function Function of application 439b The attribute value 1603 after the update of application model information 800 has the process mode of item number "4-4" changed to "privileged mode", and a new output, that is, the (m + 1) th (m + 1) ) As output, "Ethernet" for the communication path of item number "11-4", "UDP / IP (Port3500)" for the protocol of item number "11-5", and the communication content of item number "11-7". "App command (ECU control command (request))" has been added.

As shown in FIG. 19, the Web information display function application 439b before the attack is updated to the Web information display function application 1961 after the attack on the vulnerability, and the functional attributes are changed. The attacked Web information display function application 1961 can input and execute an arbitrary shell code and output a new second output. Specifically, a fake ECU control command can be sent to the vehicle communication control function application 428 via the logical communication path 1963. This attack results in unpredictable hazards, such as vehicle doors opening or fuel control malfunctioning while driving.

In this way, by updating a part of the functional application model information 800 of the Web information display function application 439b based on the attack establishment conditions and the attack results of the vulnerability model information 1200 and 1300 that satisfy the attack establishment conditions, the function is concerned. Functions that can be connected to applications Threat analysis for applications is possible, and threat analysis of target systems against attacks that combine multiple vulnerabilities can be performed.

Returning to the explanation of the processing content of the <second call> of the vulnerable application search process S1500, in step S1509, the Web information display function application 1961, which is the analysis target application OA after the attack on the vulnerability, and the analysis starting application SP It is determined whether or not communication connection with the vehicle communication control function application 428 is possible.

As shown in FIG. 18, each attribute value of the output in the attribute value 1802 of the Web information display function application 1961 and each attribute value of the input in the attribute value 1801 of the function application model information 600 of the vehicle communication control function application 428 match. To do.

Therefore, in step S1509, it is determined that the Web information display function application 1961 and the vehicle communication control function application 428 can be connected to each other, and the process proceeds to step S1510.

In step S1510, a pair of the Web information display function application 1961, which is the analysis target application OA, and the vulnerability model information 1200, 1300, which is the vulnerability model information VI, is added to the final element of the analysis route list APL, and the next analysis route is added. Set to list APLNX. As a result, the next analysis route list APLNX becomes the following data (5).
Next analysis route list APLNX =
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL),
(Web information display function application 1961, vulnerability model information 1200, 1300)) ... (5)

In step S1511, the vulnerable application search process S1500 is recursively called with the Web information display function application 1961, which is the analysis target application OA, as the first argument, and the above-mentioned data (5), which is the next analysis route list APLNX, as the second argument. .. Hereinafter, the recursive call of the vulnerable application search process S1500 using these arguments will be referred to as <fourth call>.

Here, the processing content of the <fourth call> of the vulnerable application search processing S1500 will be described.

In step S1502, (CD) 430 is specified as a hardware block including the Web information display function application 1961 specified in the first argument, and a Web server (WS) 440 is specified as an adjacent hardware block connected to the (CD) 430. The search is performed and the process proceeds to step S1503.

In step S1503, the Web information server function application 449 is selected as the function application in the Web server (WS) 440 and registered in the analysis target application list AL. In step S1504, since the Web information server function application 449 is in the analysis target application list AL, the process proceeds to step S1505.

In step S1505, the Web information server function application 449 is set as the analysis target application OA, and in step S1506 it is determined whether or not the Web information server function application 449 has vulnerability information having an attack establishment condition. Here, the vulnerability model information 1100 that satisfies the attack establishment condition exists for the Web information server function application 449.

As shown in FIG. 17, the attribute value 1701 of the functional application model information 900 of the Web information server functional application 449 and the attack establishment condition 1702 of the vulnerability model information 1100 match. As the updated attribute value 1703 of the Web information server function application 449, "http response command (Shell code (arbitrary content))" is added to the communication content of the item number "8-7".

As shown in FIG. 19, the Web information server function application 449 before the attack is changed to the Web information server function application 1962 after the attack, and the functional attributes are changed. The attacked Web information server function application 1962 can output an arbitrary shell code. Specifically, it is possible to send a Shell code for generating a fake ECU control command to the Web information display function application 1961 via a logical communication path 1964.

As described above, the change in the application function due to the attack on the vulnerability of the Web information display application 439b, that is, in response to the Web information display function application 1961 after the attack, the application function is changed by the attack on the vulnerability of the Web information server function application 449. A change, that is, a post-attack Web information server function application 1962 occurs. As described above, the threat analysis of the present invention makes it possible to complete the sequence of attacks from the outside of the vehicle in which the Web information display function application 1961 and the Web information server function application 1962 are combined.

Returning to the explanation of the <fourth call> of the vulnerable application search process S1500, in step S1509, the Web information server function application 1962, which is the application to be analyzed after the attack on the vulnerability, and the Web, which is the analysis starting application SP. It is determined whether or not the information display function application 1961 is capable of communication connection.

As shown in FIG. 18, each attribute value of the output in the attribute value 1803 of the Web information server function application 1962 and each attribute value of the input in the attribute value 1802 of the Web information display function application 1961 match.

Therefore, in step S1509, it is determined that the Web information server function application 1962 and the Web information display function application 1961 can be connected to each other, and the process proceeds to step S1510.

In step 1510, a pair of the Web information server function application 1962, which is the analysis target application OA, and the vulnerability model information 1100, which is the vulnerability model information VI, is added to the final element of the analysis route list APL, and the next analysis route list APLNX Is set to. As a result, the next analysis route list APLNX becomes the following data (6).
Next analysis route list APLNX =
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL),
(Web information display function application 1961, vulnerability model information 1100, 1200))
(Web information server function application 1962, vulnerability model information 1100))… (6)

In step S1511, the vulnerable application search process S1500 is recursively called with the Web information server function application 1962, which is the application to be analyzed, as the first argument, and the above-mentioned data (6), which is the next analysis route list APLNX, as the second argument. Is done. Hereinafter, the recursive call of the vulnerable application search process S1500 using these arguments is referred to as <fifth call>.

Here, the processing content of the <fifth call> of the vulnerable application search processing S1500 will be briefly described. In step S1502, since there is no adjacent hardware unit in the Web server (WS) 440, the process proceeds to step S1513. Then, the <fifth call> of the vulnerable application search process S1500 returns the above-mentioned data (6) as a return value and ends.

Returning to the explanation of the <fourth call> of the vulnerable application search process S1500, in step 1512, the above-mentioned data (6) of the vulnerable application search process result list FRV, which is the return value of the <fifth call>, is the step. It is added to the search result list RT set to empty (NULL) in S1501, and the search result list RT is updated. Therefore, the updated search result list RT is the above-mentioned data (6).

Next, the process returns to step S1504, and since there is no analysis target in the analysis target application list AL, the process proceeds to step S1513.

In the determination of step S1513, since the search result list RT is the above-mentioned data (6) and is not empty (NULL), the <fourth call> of the vulnerable application search process S1500 ends without doing anything as it is. As a return value, the search result list RT of the above-mentioned data (6) is returned.

Returning to the description of the <second call> of the vulnerable application search process S1500, in step 1512, the above-mentioned data (6) of the vulnerable application search process result list FRV, which is the return value of the <fourth call>, is searched. It is added to the data (4) which is the result list RT, and the search result list RT is updated. Therefore, the updated search result list RT becomes the following data (7).
Search result list RT =
(((Vehicle electronic control function application 417, NULL)),
(Vehicle communication control function application 428, NULL),
(Vehicle information display function application 439a, NULL)),
((Vehicle electronic control function application 417, NULL),
(Vehicle communication control function application 428, NULL),
(Web information display function application 1961, vulnerability model information 1200, 1300),
(Web information server function application 1962, vulnerability model information 1100))) ... (7)

As described above, the search result list RT shows a set of the functional application and the vulnerability model information applicable to the functional application as a list. Further, the data (7) is the same as the above-mentioned data (2).

As shown in FIG. 19, when the vehicle electronic control function application 417 is specified as the user-specified function application UA, the above-mentioned search result list RT has two vulnerability request attack paths to the vehicle electronic control function application 417. It shows that the sequential call relationship of the functional application was obtained as a result of the vulnerable application search process S1500.

The first call relationship is an execution path of a normal call relationship starting from the vehicle information display function application 439a, as shown in the first element of the above-mentioned data (7). The second call relationship is the execution path of the vulnerability attack starting from the Web information server function application 1962, as shown in the second element of the above-mentioned data (7).

Returning to the explanation of <second call> of the vulnerable application search process S1500, in the next step S1504, since there is no analysis target in the analysis target application list AL, the process proceeds to step S1513.

In the determination of step S1513, since the search result list RT is the above-mentioned data (7) and is not empty (NULL), the <second call> of the vulnerable application search process S1500 ends without doing anything as it is. As a return value, the search result list RT of the above-mentioned data (7) is returned.

As described above, the processing result of the <second call> of the vulnerable application search process S1500 is returned to the <first call> of the vulnerable application search process S1500 by the threat analysis process S1400. Further, the processing result of the threat analysis processing S1400 is returned to the threat analysis main processing (not shown) to obtain the threat analysis result information 1900 which is the final analysis result.

In the present embodiment, an example of a connected car system is shown as a target system, but the present invention is not limited to this. Threat analysis may be performed on systems other than the connected car system.

As described above, according to the threat analyzer 100, the threat analysis method, and the threat analysis program of the present embodiment, the functional application model information 500 to modeled using the system specification information 140 for the functional application included in the target system. 900 is acquired, and vulnerability model information 1100 to 1300 modeled using the system specification information 140 is acquired for the vulnerability included in the case system. Then, a threat analysis of the target system is performed based on the functional application model information 500 to 900 and the vulnerability model information 1100 to 1300. Here, the abstract specification information included in the system specification information 140 can also be obtained in the system at the conceptual design stage. Therefore, by acquiring the functional application model information 500 to 900 and the vulnerability model information 1100 to 1300 using the same system specification information 140, the functional application model information 500 to 900 of the target system and the vulnerability model information 1100 of the case system are obtained. It can be easily compared with ~ 1300, and threat analysis for vulnerabilities that may exist in the target system can be performed. Therefore, threat analysis can be performed on the target system at the conceptual design stage.

[Second Embodiment]
Next, the threat analysis device, the threat analysis method, and the threat analysis program according to the second embodiment of the present invention will be described with reference to FIGS. 20 to 26. In the second embodiment, the description of the matters common to the first embodiment will be omitted, and only the differences will be described. In particular, the same action and effect due to the same configuration will not be mentioned sequentially for each embodiment.

FIG. 20 is a block diagram showing a physical configuration of the threat analyzer 200 according to the second embodiment of the present invention. FIG. 21 is a block diagram showing a functional configuration of the threat analyzer 200 according to the second embodiment of the present invention. FIG. 22 is a diagram showing a target system management table 2200. FIG. 23 is a diagram showing a vulnerability case information management table 2300. FIG. 24 is a flowchart of the vulnerability case information registration process S2400. FIG. 25 is a flowchart of the threat analysis service management process S2500. FIG. 26 is a flowchart of the billing information management process S2600.

As shown in FIG. 20, the target system management table 2200, the vulnerability case information management table 2300, the vulnerability case information registration process S2400, and the threat analysis service management process S2500 are stored in the main memory 107 of the threat analysis device 200. , Billing information management process S2600, and are further stored and stored.

The target system management table 2200 is table data for managing the target system. The target system management table 2200 is used by the threat analysis service management process S2500.

The vulnerability case information management table 2300 is table data for managing the vulnerability model information, and includes attribute information for management such as what kind of vulnerability model information is registered and who is the registrant. .. The vulnerability case information management table 2300 is used by the vulnerability case information registration process S2400.

The vulnerability case information registration process S2400 is a program that manages the registration of vulnerability model information 1100 to 1300 by the information registrant IR.

The threat analysis service management process S2500 uses the threat analysis process S1400 and the vulnerable application search process S1500 described in the first embodiment for the service user SU, and provides a service by the threat analysis device 200 (hereinafter referred to as “threat analysis service”). Is a program that provides. The service user SU is a person who uses the threat analysis service to perform threat analysis of the information system he / she designs.

The billing information management process S2600 is a program for calculating a reward (incentive) that is an incentive for registration of the information registrant IR of vulnerability model information 1100 to 1300. The information registrant IR is a person who registers vulnerability model information 1100 to 1300.

As shown in FIG. 21, the threat analysis device 200 further includes a usage fee calculation unit 210 and a reward calculation unit 220 as its functional configuration.

The usage fee calculation unit 210 is configured to calculate the usage fee for the target system for which the threat analysis has been performed.

The reward calculation unit 220 is configured to calculate the reward for the vulnerability model information 1100 to 1300 based on the usage fee calculated by the usage fee calculation unit 210. As a result of the threat analysis of the target system, this reward is calculated for the vulnerability model information 1100 to 1300 corresponding to the vulnerability when the target system contains a vulnerability.

Vulnerability model information 1100 to 1300 is created by modeling it based on vulnerability information registered from the general public, such as CVE (Common Vulnerabilities and Exposures) of MITER Corporation in the United States. The progress of information technology and the complexity of information systems are increasing year by year. Along with this, the fields in which vulnerabilities are discovered are expanding year by year, and new cases are discovered every day. Therefore, it is difficult for a threat analysis service provider to prepare vulnerability model information by independently collecting and modeling vulnerability information using only its own resources. In other words, it is necessary to have other general businesses report vulnerability case information, model it if possible, and update the content of the vulnerability model information daily.

However, at present, general businesses do not have incentives such as money to report vulnerability case information and pay the effort to register it, so it is difficult to maintain good quality without missing vulnerability model information. It was.

The threat analysis device 200 according to the present embodiment includes a mechanism for feeding back a part of the usage fee to the people who registered the vulnerability model information 1100 to 1300 used in the threat analysis service as a reward for information registration. It is characterized by that. As a result, the registrants of vulnerability model information 1100 to 1300 are given an incentive for registration, the cycle of registration and use is rotated well, and the threat analysis service business can be established as a continuous business.

Next, the target system management table 2200 used in the threat analyzer 200 will be described with reference to FIG. 22. FIG. 22 is a diagram showing a target system management table 2200.

As shown in FIG. 22, the target system management table 2200 stores information on what kind of vulnerabilities are detected as a result of threat analysis and the relationship between the target system and the vulnerabilities for each target system. Specifically, in the "first target system", the service user SU "Yamamoto" receives the threat analysis service, and the service usage fee is "1000 yen". As a result of the threat analysis, the "first target system" The "system" is shown to include a "first vulnerability" and a "third vulnerability".

The configuration of the target system management table 2200 is not limited to the example shown in FIG. As long as the following correspondence is managed, the vulnerability case information management table may be in another information format, or may be managed by being divided into a plurality of tables.
1st management information: Analysis of target system identification information and service user UR, usage date and time, service usage fee, etc. 2nd management information: Target system identification information and threat analysis results Information related to the identification information of the vulnerability model information of the vulnerability inherent in the target system and the reference information (link information) to the storage destination of the vulnerability model information.

As will be described later, it is possible to calculate the reward to be paid to the information registrant IR of the vulnerability model information 1100 to 1300 by using the information of the target system management table 2200.

Next, the vulnerability case information management table 2300 used in the threat analyzer 200 will be described with reference to FIG. 23. FIG. 23 is a diagram showing a vulnerability case information management table 2300.

As shown in FIG. 23, the vulnerability case information management table 2300 manages the vulnerability model information 1100 to 1300 used for threat analysis in association with the case system name in which the vulnerability was found. Specifically, the vulnerabilities of the system whose case system name is "first case system" are registered by the registrant "Tanaka" and include "second vulnerability" and "third vulnerability". The "second vulnerability" is used in the two threat analyzes of the "second case system" and the "third case system" managed in the target system management table 2200, and as a result, the usage fee is "100 yen". Is stored. Similarly, the "third vulnerability" is used in the two threat analyzes of the "first target system" and the "third target system", and "150 yen" is stored as a usage fee.

The configuration of the vulnerability case information management table 2300 is not limited to the example shown in FIG. 23. The vulnerability case information management table may be in another information format as long as the following correspondence is managed, or may be managed by being divided into a plurality of tables.
1st management information: Case system identification information and attribute information related to registration service management work such as registration date and time and registrants 2nd management information: Case system identification information and vulnerabilities inherent in the case system Information related to the identification information of the sex model information and the reference information (link information) to the storage destination of the vulnerability model information. Third management information: The identification information of the case system and the vulnerability model of the vulnerability inherent in the case system. For each information associated with the information, usage history information (usage fee, number of times of use, etc.) in which the information was used for threat analysis

Next, the vulnerability case information registration process S2400 executed by the threat analyzer 200 will be described with reference to FIG. 24. FIG. 24 is a flowchart of the vulnerability case information registration process S2400.

When the vulnerability case information registration process S2400 is started, as shown in FIG. 24, the execution unit 180 accepts the registration request of the vulnerability case information 130 by the information registrant IR (S2401). In step S2401, the execution unit 180 waits until a registration request comes.

Next, the second acquisition unit 160 registers the vulnerability case information 130 input by the information registrant IR (S2402).

Next, the execution unit 180 adds and registers the vulnerability case information input by the information registrant IR to the vulnerability case information management table 2300 shown in FIG. 23 (S2403).

After step S2403, the execution unit 180 ends the vulnerability case information registration process S2400.

In the present embodiment, an example in which the vulnerability case information registration process S2400 is terminated when one registration request is received is shown, but the present invention is not limited to this. The vulnerability case information registration process may have, for example, a loop process structure so as to wait for the next registration request.

Next, the threat analysis service management process S2500 executed by the threat analysis device 200 will be described with reference to FIG. 25. FIG. 25 is a flowchart of the threat analysis service management process S2500.

When the threat analysis service management process S2500 is started, as shown in FIG. 25, the execution unit 180 receives a request for use of threat analysis by the service user SU (S2501). In step S2501, the execution unit 180 waits until a usage request comes.

Next, the first acquisition unit 150 registers the target system design information 120 input by the service user SU (S2502).

Next, the execution unit 180 calls the threat analysis process S1400 (S2503). As a result, threat analysis is performed on the target system.

Next, the execution unit 180 updates the target system management table 2200 shown in FIG. 22 using the threat analysis result information 1900 (S2504).

Next, the usage fee calculation unit 210 calculates the usage fee for the target system for which the threat analysis was performed in step S2503 (S2504). Specifically, the usage fee calculation unit 210 calculates the usage fee according to a predetermined usage fee calculation formula by using the system resource usage amount such as the CPU processing time required for the threat analysis.

Next, the usage fee calculation unit 210 adds the usage fee calculated in step S2504 to the usage fee of the target system management table 2200 and registers it (S2505). For example, "1000 yen" is registered as a usage fee in the "first target system" of the target system management table 2200.

A threat analysis is performed for each request by the service user SU, and the result of the threat analysis and the usage fee are registered in the target system management table 2200.

After step S2505, the execution unit 180 ends the threat analysis service management process S2500.

In this way, by calculating the usage fee for the target system for which the threat analysis was performed, the usage fee is charged to the service user UR, and a part of the usage fee is paid to a person other than the service user UR. For example, it can be returned (feedback) to the information registrant IR as a reward.

In the present embodiment, an example is shown in which the threat analysis service management process S2500 is terminated when one usage request is received, but the present embodiment is not limited to this. The threat analysis service management process may have a loop process structure so as to wait for the next usage request.

Next, the billing information management process S2600 executed by the threat analyzer 200 will be described with reference to FIG. 26. FIG. 26 is a flowchart of the billing information management process S2600.

When the billing information management process S2600 is started, as shown in FIG. 26, the execution unit 180 determines whether or not there is a result record in which the usage fee is not charged in the target system management table 2200 (S2601).

As a result of the determination, when there is a result record for which the usage fee has not been charged in the target system management table 2200, the execution unit 180 extracts the first result record among the unbilled result records and charges the service user SU the usage fee. Request (S2602). For example, the service user "Yamamoto" is charged the usage fee "1000 yen" for the "first target system" shown in FIG.

Next, the reward calculation unit 220 calculates the reward for the vulnerability model information 1100 to 1300 corresponding to the vulnerability for each vulnerability included in the target system of the result record based on the usage fee of the target system (S2603). ). Specifically, the reward calculation unit 220 applies a predetermined vulnerability usage fee calculation formula to the usage fee of the target system, and calculates the reward for the vulnerability model information.

For example, the "first target system" shown in FIG. 22 has a service usage fee of "1000 yen" and includes two "first vulnerability" and "third vulnerability". Here, it is assumed that there is a contract condition in which 10% of the usage fee is paid as a reward for the vulnerability model information 1100 to 1300 used for threat analysis. In this case, the reward for the vulnerability model information by the threat analysis of the "first analysis target system" is 1000 yen x 10% = 100 yen. In addition, when the target system for which threat analysis is performed contains multiple vulnerabilities, if the calculated vulnerability model information reward is proportionally divided by the number of vulnerability information contained in the target system, "1st vulnerability" 50 yen will be calculated as a reward for the vulnerability model information of "sexuality", and 50 yen will be calculated as a reward for the vulnerability model information of "third vulnerability".

In this way, when the target system contains vulnerabilities as a result of threat analysis, the vulnerabilities are calculated by calculating the reward for the vulnerability model information 1100 to 1300 corresponding to the vulnerabilities based on the usage fee of the target system. It is possible to give an incentive for registration to the information registrant IR of sex model information 1100 to 1300. Therefore, the cycle of registration and use can be rotated well, and the threat analysis service business can be established as a continuous business.

Next, the reward calculation unit 220 searches all the vulnerability case records including the vulnerability for which the reward was calculated in step S2603 in the vulnerability case information management table 2300 shown in FIG. 23. (S2604).

For example, when the vulnerability case information management table 2300 shown in FIG. 23 is searched, the names of the case systems including the "first vulnerability" are "second case system" and "third case system". Moreover, the name of the case system including the "third vulnerability" is only one case of the "first case system".

Next, the reward calculation unit 220 adds the reward calculated in step S2603 to the reward of the corresponding vulnerability in the vulnerability case record and updates it (S2605). When there are a plurality of vulnerability case records, the reward calculation unit 220 prorates the calculated reward by the number of vulnerability case records searched in step S2604, and prorates the prorated reward to the corresponding vulnerability in the vulnerability case record. It will be updated in addition to the reward of.

For example, the reward of 50 yen for the vulnerability model information of the "first vulnerability" calculated in step S2603 is the name of the case system searched in step S2604, "second case system" and "third case system". , And add 50 yen / 2 = 25 yen to the "Reward" column of "1st vulnerability" in each record of "2nd case system" and "3rd case system". To do. In addition, the reward of 50 yen for the vulnerability model information of "3rd vulnerability" is "3rd vulnerability" in the record of "1st case system" which is the name of the case system in which "3rd vulnerability" is registered. Add to the "Reward" column of.

Since the target system management table 2200 and the vulnerability case information management table 2300 are linked by the vulnerability identification information of "first vulnerability", "second vulnerability", and "third vulnerability", the target system management A part of the usage fee managed in Table 2200 can be allocated as a reward for the vulnerability model information managed in the Vulnerability Case Information Management Table 2300.

The method of allocating the incentive to the information registrant IR of the vulnerability case information is not limited to the above-mentioned example. As another method, for example, for each vulnerability information in the vulnerability case information management table 2300, a method of setting and storing the usage unit price of the vulnerability in advance can be considered. In this case, when calculating the service usage fee of the target system management table 2200, the usage unit price of the vulnerability corresponding to the vulnerability identification information included in the target system is calculated from the vulnerability case information management table 2300. By searching and accumulating the usage unit price, the vulnerability data usage fee will be reflected in the analysis service usage fee.

After step S2605, the execution unit 180 repeats each step of steps S2601 to S2605 until there are no records as a result of not charging the usage fee in the target system management table 2200.

When there are no records in the target system management table 2200 as a result of not charging the usage fee, the execution unit 180 describes all the vulnerabilities included in the case system for each case system registered in the vulnerability case information management table 2300. The total amount is calculated by totaling the rewards of the above, and the calculated total reward amount is paid to each information registrant IR (S2606).
After step S2606, the execution unit 180 ends the billing information management process S2600.

As described above, according to the threat analysis device 200, the threat analysis method, and the threat analysis program of the present embodiment, the usage fee is calculated for the target system for which the threat analysis is performed. As a result, by charging the service user for the usage fee, a part of the usage fee can be returned (feedback) as a reward to a person other than the service user, for example, an information registrant.

Further, according to the threat analyzer 200, the threat analysis method, and the threat analysis program of the present embodiment, when the target system contains a vulnerability as a result of the threat analysis, the vulnerability model information 1100 to correspond to the vulnerability is found. The reward for 1300 is calculated based on the usage fee of the target system. As a result, it is possible to give an incentive for registration to the information registrant IR of vulnerability model information 1100 to 1300. Therefore, the cycle of registration and use can be rotated well, and the threat analysis service business can be established as a continuous business.

The embodiments described above are for facilitating the understanding of the present invention, and are not for limiting and interpreting the present invention. Each element included in each embodiment and its arrangement, material, condition, shape, size, etc. are not limited to those exemplified, and can be changed as appropriate. In addition, the configurations shown in different embodiments can be partially replaced or combined.

100 ... Threat analyzer, 101 ... Bus, 102 ... Central information processing device (CPU), 103 ... Input / output processor (IOP), 104 ... Display device, 105 ... Input device, 106 ... Secondary storage device, 107 ... Main storage Device, 120 ... Target system design information, 130 ... Vulnerability case information, 140 ... System specification information, 150 ... 1st acquisition department, 160 ... 2nd acquisition department, 170 ... Update department, 180 ... Execution department, 200 ... Threat analysis Device, 210 ... Usage fee calculation unit, 220 ... Reward calculation unit, 400 ... Functional block definition information, 410 ... Vehicle electronic control unit (ECU), 411 ... Bus, 414 ... Main storage device, 415 ... Harness (communication adapter), 416 ... CANBus communication adapter, 417 ... Vehicle electronic control function application, 420 ... Vehicle communication gateway (GW), 428 ... Vehicle communication control function application, 229b ... Information display function application, 430 ... Console display (CD), 438 ... Browser ( Webkit), 439a ... Vehicle information display function application, 439b ... Web information display function application, 440 ... Web server (WS), 448 ... Web server (http), 449 ... Web information server function application, 450 ... CANBus, 451 ... Ethernet , 500-900 ... Functional application model information, 1000 ... System component related information, 1100-1300 ... Vulnerability model information, S1400 ... Threat analysis processing, S1500 ... Vulnerable application search processing, 1900 ... Threat analysis result information, 1950 ... Attack Route tree, 1961 ... Web information display function application, 1962 ... Web information server function application, 1963 ... Communication route, 1964 ... Communication route, 2200 ... Target system management table, 2300 ... Vulnerability case information management table, S2400 ... Vulnerability case Information registration process, S2500 ... Threat analysis service management process, S2600 ... Billing information management process, IR ... Information registrant, SU ... Service user, U ... User.

Claims (11)

For the functional application included in the target system, the first acquisition unit that acquires the functional application model information modeled using the system specification information for defining the system specifications, and
A second acquisition unit that acquires vulnerability model information modeled using the system specification information for vulnerabilities included in the case system,
It includes an execution unit that performs threat analysis of the target system based on the functional application model information and the vulnerability model information.
Threat analyzer. The vulnerability model information includes information on attack establishment conditions and attack results.
The second acquisition unit acquires a plurality of the vulnerability model information.
When the functional application model information satisfies at least one of the attack conditions of the plurality of vulnerability model information, the functional application model is based on the attack establishment condition and the attack result information of the vulnerability model information. It also has an update section that updates part of the information.
The execution unit performs threat analysis of the target system based on the updated functional application model information and the plurality of vulnerability model information.
The threat analyzer according to claim 1. The target system includes a first function application and a second function application capable of communicating with the first function application.
The first acquisition unit acquires the functional application model information of the first functional application and the functional application model information of the second functional application.
The execution unit performs threat analysis of the target system based on the functional application model information of the first functional application, the functional application model information of the second functional application, and the vulnerability model information.
The threat analyzer according to claim 1 or 2. A usage fee calculation unit for calculating a usage fee for the target system for which the threat analysis has been performed is further provided.
The threat analyzer according to any one of claims 1 to 3. As a result of the threat analysis, when the target system includes a vulnerability, it further includes a reward calculation unit that calculates a reward for the vulnerability model information corresponding to the vulnerability based on the usage fee.
The threat analyzer according to claim 4. For the functional application included in the target system, the first acquisition step to acquire the functional application model information modeled using the system specification information for defining the system specifications, and
The second acquisition step to acquire the vulnerability model information modeled using the system specification information for the vulnerability included in the case system, and
Including an execution step of performing a threat analysis of the target system based on the functional application model information and the vulnerability model information.
Threat analysis method. The vulnerability model information includes information on attack establishment conditions and attack results, and the second acquisition step acquires a plurality of the vulnerability model information.
When the functional application model information satisfies at least one of the attack conditions of the plurality of vulnerability model information, the functional application model is based on the attack establishment condition and the attack result information of the vulnerability model information. Includes additional update steps to update some of the information
The execution step includes performing a threat analysis of the target system based on the updated functional application model information and the plurality of vulnerability model information.
The threat analysis method according to claim 6. The target system includes a first function application and a second function application capable of communicating with the first function application.
The first acquisition step acquires the functional application model information of the first functional application and the functional application model information of the second functional application.
The execution step includes performing threat analysis of the target system based on the functional application model information of the first functional application, the functional application model information of the second functional application, and the vulnerability model information. ,
The threat analysis method according to claim 6 or 7. A usage fee calculation step for calculating a usage fee for the target system for which the threat analysis has been performed is further included.
The threat analysis method according to any one of claims 6 to 8. As a result of the threat analysis, when the target system contains a vulnerability, the reward calculation step of calculating the reward for the vulnerability model information corresponding to the vulnerability based on the usage fee is further included.
The threat analysis method according to claim 9. A threat analysis program that runs on a computer
For the functional application included in the target system, the first acquisition step to acquire the functional application model information modeled using the system specification information for defining the system specifications, and
The second acquisition step to acquire the vulnerability model information modeled using the system specification information for the vulnerability included in the case system, and
Including an execution step of performing a threat analysis of the target system based on the functional application model information and the vulnerability model information.
Threat analysis program.

Images