WO2005029328A1 - Operating system and recording medium containing the same - Google Patents

Operating system and recording medium containing the same Download PDF

Info

Publication number
WO2005029328A1
WO2005029328A1 PCT/JP2004/013643 JP2004013643W WO2005029328A1 WO 2005029328 A1 WO2005029328 A1 WO 2005029328A1 JP 2004013643 W JP2004013643 W JP 2004013643W WO 2005029328 A1 WO2005029328 A1 WO 2005029328A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
address
operating system
api
area
Prior art date
Application number
PCT/JP2004/013643
Other languages
French (fr)
Japanese (ja)
Inventor
Kiyoto Yui
Original Assignee
Denki Hompo Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Denki Hompo Ltd. filed Critical Denki Hompo Ltd.
Priority to JP2005514058A priority Critical patent/JPWO2005029328A1/en
Publication of WO2005029328A1 publication Critical patent/WO2005029328A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • the present invention relates to a highly secure operating system that is not easily infected by a computer virus, and a recording medium that records the operating system.
  • Non-Patent Document 1 "Nodoka-I 'Programming Taizen", UNYUN
  • Non-Patent Document 2 “OPERATING SYSTEM Internals and DesignJ, William Stallings, Ph. D.
  • Non-Patent Document 3 "Intel Architecture Optimization Manual", Disclosure of Intel Corporation of the United States
  • FIG. 1 is a diagram schematically illustrating a configuration of a memory device (also referred to simply as a memory) used when executing an application program (hereinafter simply referred to as a program) on a general computer.
  • a memory device also referred to simply as a memory
  • an application program hereinafter simply referred to as a program
  • a program is stored in an area All. Then, areas A12, A13, and A14 are secured as areas used for program data processing. Area A12 is used to read and write data used in the entire program. The area A13 is used when it is necessary to secure a timely data area in executing the program, and the area in the memory expands and contracts during the execution of the program.
  • the area A14 is a special memory area called a stack memory, which is used to manage the execution of a small, structured program called a subroutine that constitutes a program, and to manage data temporarily used by the subroutine. Area.
  • the subroutine is defined as follows in this document.
  • a subroutine is defined as a program that stores the start address of the next program to be executed after the subroutine has been executed in advance in the stack memory and executes it.
  • the subroutine call indicates that this subroutine is called, that is, executed.
  • FIG. 2 schematically shows the operation of the stack memory in the area A14 together with the sample program.
  • the sample program is described in C language.
  • the sample program is configured to call a subroutine (child program) named test on the 12th line of the program and execute it.
  • a subroutine child program
  • four pieces of data called arguments are passed. That is, its arguments are four, ' ⁇ ', ⁇ ',' S, and 'T. These data are written to the areas # 21, # 22, # 23, and # 24 on the stack memory.
  • the memory area where the variable s exists is deliberately designated as an address, and 100 characters of zero (0) are written from there to the memory. That is, when this is executed, all contents of 100 characters are overwritten with zeros, including the areas A21-A26, and the program flow is destroyed.
  • buffer overrun the phenomenon of illegal writing beyond the originally set memory area is called buffer overrun.
  • CPUs central processing units
  • computer viruses and unauthorized access act on computer systems by utilizing the above-mentioned phenomena.
  • An unauthorized access user exploits the buffer overrun, writes his own unauthorized program on the stack memory, and executes the program to take control of the system.
  • an unauthorized program on the stack memory requests and executes an API (application program interface) or system call from the operating system (OS) for the purpose of performing an illegal act.
  • API application program interface
  • OS operating system
  • the present invention has been made under the circumstances described above, and it is possible to suppress computer viruses and unauthorized access using a no-fuzzy-barran phenomenon, which is said to be a cause of a security hole. It is intended to provide an operating system and a recording medium on which the operating system is recorded.
  • an operating system includes an API (Application Program Interface) or an API requested by a program in an operating system that provides a system call to the program. Or, before execution of a system call, an address acquisition means for reading the storage address of the program on the memory device is provided, and the program requesting the API is set as the primary program. If the primary program is a subroutine, the If it is defined that up to the secondary-n-th order (n is an integer equal to or greater than 2) program that forms the call source forms a call hierarchy in order, the address acquisition means determines the storage address of the primary program, the secondary primary The feature is that the storage addresses up to the nth program are obtained respectively. To.
  • API Application Program Interface
  • an address comparison determining means for determining whether or not the address force obtained by the address obtaining means and indicating a proper position on the memory device by comparing the address with a reference address
  • Reference address detection means for detecting a predetermined address on the memory device as the comparison reference address.
  • the storage address of the program on the memory device is acquired, and whether or not the address indicates the proper position is determined. By comparing and determining, it is possible to determine whether the program is appropriate or incorrect.
  • the program that requested the API is determined to be appropriate, execute the API. If it is determined that the program is invalid, the program can be interrupted. Therefore, according to the operating system of the present invention, when an unauthorized access using the buffer overrun phenomenon occurs, it can be suppressed and the computer system can be protected.
  • an operating system capable of suppressing a computer virus and unauthorized access using a buffer overrun phenomenon which is said to be a cause of a security hole, and a recording medium on which the operating system is recorded. be able to.
  • the operating system (hereinafter, referred to as an OS) according to the present invention can suitably function in a hardware such as a personal computer system having a CPU, a storage device, and the like.
  • the CPU can be applied to all CPUs provided with a stack register (stack memory dedicated register).
  • stack register stack memory dedicated register
  • IA32 Intel 32-bit microprocessor
  • FIG. 3 shows a schematic configuration diagram of the register set 200 included in the IA32.
  • the stack memory is managed by the register device R11 (32-bit ESP register) and operated by the register device R12 (32-bit EBP register) in FIG.
  • EIP is a program counter (indicating the address of the memory of the program that the CPU wants to execute) in 32-bit representation.
  • Each register is a general-purpose register.
  • FIG. 4 shows a schematic configuration of an OS according to the present invention.
  • the OS provides an API (Application Program Interface) for programs represented by application programs.
  • the API provides functions for reading and writing data files and controlling peripheral devices such as a mouse. That is, the application program can use various functions provided by the OS, such as reading and writing files, by executing the API provided by the OS.
  • APIs may not be available in the system Also known as
  • the OSIOO shown in FIG. 4 includes an OS main unit 1 that provides an API for controlling the peripheral device 20, an API entrance 2 serving as an API request window from a program (main routine or subroutine) 10, and a storage device 20. And a file management system 3 for managing data to be recorded in the file.
  • the above configuration is the same as the general OS configuration.
  • the OS 100 further includes an address comparison determination unit 4 between the OS main body 1 and the API entrance 2. Furthermore, there are provided address acquisition means 5 for providing the address for storing the program to the address comparison / judgment means 4 and reference address detection means 6 for providing the address comparison / judgment means 4 with an address to be compared with. .
  • the API entrance 2 is an entrance of an API request generated at the time of execution of a program, and the OS 100 accepts this part. As with a general OS, there are many types of APIs provided by OS 100. When an API execution request is generated from a program 10 (main routine or subroutine), it is accepted collectively at API entrance 2, Passes control to the process corresponding to the requested API.
  • the address acquisition means 5 has a function of acquiring the storage address of the program (main routine or subroutine) that called the API in the memory area.
  • Sequential processing type computers use a method in which the execution of all programs is specified by a memory address.
  • the program of the subroutine requesting the API is the primary program
  • the caller of the primary program is the secondary program
  • the caller of the secondary program is the tertiary program
  • the nth order in this case, (n is an integer greater than or equal to 4) If you define up to the program, the (n-1) next program saves the address of the nth program to be executed after returning to the API after executing the API.
  • the address acquisition means 5 functions to read this address from the memory device.
  • the reference address detection means 6 obtains, as a comparison reference address, an address on the OS for determining an area in which a program is allowed to be stored and an area in which the program is allowed to be stored.
  • FIG. 5 shows an example of a memory configuration used when executing the program 10 in a computer system equipped with the OS 100.
  • FIG. There is a method of acquiring a start address A40 and an end address A41 indicating an area for storing the data. This method is a logically complete embodiment.
  • an area for storing a program in an actual OS is often divided into a plurality of memory areas and stored. In that case, it is necessary to check the start address and the end address for each storage area of the program, which is troublesome.
  • the addresses acquired by the reference address detection means 6 as the comparison reference addresses are not limited to the proper start address and end address of the program storage area. That is, the reference address detection means 6 can set a desired address in the memory area as the comparison reference address.
  • the upper limit of the stack area (the Z end address in the direction of address 0) is an address indicated by reference sign A37, and the lower limit (the start address) is This is the address indicated by reference numeral A38.
  • the reference address detection means 6 acquires the addresses indicated by the reference signs A37 and A38.
  • the address comparison determination means 4 shown in FIG. 4 compares the program storage address acquired by the address acquisition means 5 with the comparison reference address acquired by the reference address acquisition means 6, and issues a program requesting an API. (Main routine or subroutine) is a malicious program. Specifically, it is determined whether or not the address strength of the program storage area acquired by the address acquisition means 5 is between the upper limit A37 and the lower limit A38 of the stack area.
  • the storage area of the malicious program is usually the used area A34 in the stack area in the memory configuration of FIG. Therefore, if the address acquisition means 5 acquires the address strength of the program storage area between the upper limit A37 and the lower limit A38 of the stack area, Is determined to be a malicious program.
  • the address comparison determination means 4 notifies the OS main body 1 that the malicious program has become parasitic.
  • the OS body 1 interrupts the API request, forcibly terminates the program, and notifies the system administrator of a warning by e-mail or the like.
  • the requested API is executed.
  • the address acquisition means 5 acquires the storage address of the program that requested the API in the memory (Step Sl in FIG. 6).
  • the address to be acquired is an address indicating the next position of the part that requested the API in the primary program. In other words, it is the address that indicates the position where the primary program is returned after executing the API and continues. Specifically, for example, the address is acquired from the area A51 in the configuration example of the stack memory in FIG.
  • the reference address detection means 6 checks the memory area allocated to the program 10 by the OS 100, and acquires the address of the area as a comparison reference address if the program must not exist (step S2).
  • the reference address detecting means 6 acquires the upper limit (end address) A37 and the lower limit (start address) A38 of the stack area, and sets the area between them as the area where the program must not exist.
  • step S3 the program storage address acquired by the address acquisition means 5 is compared with the comparison reference address detected by the reference address detection means 6 in the address comparison determination means 4 (step S3). That is, it is determined whether the program storage address obtained by the address obtaining means 5 is an incorrect address.
  • the program storage address acquired by the address acquisition means 5 is referred to as the reference address. If the address is within the address area detected by the software detection means 6, the program 10 is determined to be invalid, and if it is outside the area, the program 10 is determined to be appropriate. Also, since the prerequisite API request may be the OS itself, it is also determined whether the caller's address is within the OS management area. If it is within the OS management area, it is determined that appropriate processing has been performed!
  • step S3 if it is determined that the program requesting the API is illegal, an e-mail is sent to the system administrator to that effect, the API request is interrupted, and the program Is forcibly terminated (step S7).
  • step S3 if it is determined in step S3 that the program requesting the API is normal, the address acquisition means 5 further stores the storage address of the parent program of the program requesting the API (with the address of the caller).
  • the reference address detection means 6 detects the start address and end address of the program area A31 and sets them as comparison reference addresses. Then, the address comparison determination means 4 determines whether or not the storage address of the parent program of the program that has requested the API is in the program area A31 (step S4).
  • This processing is performed because there is a possibility that the API will be executed via the program of the malicious program shared library.
  • step S4 if the caller address is outside the program area A31, it is regarded as the address of the shared library, and the address of the caller's parent program (return address to the parent program) is obtained. (Step S5), and the process returns to step S3.
  • the API execution source program is the primary program
  • the primary program caller is the secondary program
  • the secondary program caller is the tertiary program
  • the tertiary program caller is the quaternary program.
  • Areas A54, A57, and A510 in the stack memory shown in Fig. 7 have secondary and quaternary programs respectively.
  • the return address to the RAM, that is, the program storage address is stored.
  • the address acquisition means 5 sequentially acquires the storage address of the desired program from the areas A54, A57, and A510 for each loop processing.
  • FIG. 8 is a diagram showing a basic configuration of a subroutine program in IA32. First, FIG. 8 will be described. The first and second lines of the subroutine program P1 in FIG. 8 are fixedly present at the beginning of the subroutine, and the fourth and fifth lines are fixedly present at the end of the subroutine.
  • the first line is an instruction to store the contents of the EBP register (value indicating the data start area of the parent program) in the stack.
  • the values of the data start area of the parent program shown in areas A53, A56, and A59 in FIG. 7 are written by this procedure.
  • the second line is an instruction to copy the contents of the ESP register to the EBP register.
  • the ESP register always points to the unused top zero in the stack area.
  • the EBP register is used to refer to the work data area of the program.
  • the areas A52, A55, and A58 corresponding to the programs 13 and 13 indicate the start position of the work data area of the program as the contents of the EBP register at the time of executing each program.
  • the third line is a subroutine body. In FIG. 8, the force shown only in the third row is actually shown in multiple rows.
  • the fourth line is a procedure for ending the subroutine.
  • Lea v e command is IA32 specific CPU instructions in each program 1 one 3, copies the value of the EBP register ESP register, stack memory force also read the value of the area A53, A56, A59 to EBP register. The value of the ESP register is subtracted to open areas A53, A56, and A59.
  • the fifth line is a command to return to the parent program.
  • the subroutine program transfers control to the corresponding return address, shown in areas A51, A54, A57, and A510, respectively.
  • the contents of the ESP register are subtracted to free up the area.
  • the iret instruction may be used instead of the ret instruction. That is, the subroutine The call has a call instruction and an int instruction in IA32. It is promised that the call instruction returns with the ret instruction, and the int instruction returns with the iret instruction.
  • the return address to the API execution source program 1 is at the top of the stack area on the zero side. It can be obtained mechanically according to the contents of the ESP register at that location. In other words, since the ESP register always indicates the unused top of zero, area A51 can be obtained as an area adjacent to the area indicated by the ESP register value.
  • the API usually uses an int instruction among the subroutine call instructions described above.
  • the value shown in area A51 is the return address to program 1 written to the stack area by the int instruction.
  • return information and various types of return information regarding the API execution source program are written according to the specification of the int instruction. That is, only the return address can be mechanically acquired from here.
  • each of the programs 13 is a value of the EBP register of the calling program (parent program) (indicating the data start area of the parent program). Value) are stored in areas A53, A56, and A59.
  • the area A53 indicates the next area on the zero side adjacent to the area A56.
  • the area A56 indicates the next area on the zero side adjacent to the area A59. Therefore, in each of the programs 13, the data area of the parent program can be acquired in a formula based on a potato.
  • the return address to program 2-4 is always adjacent to areas A53, A56, and A59, that is, the upper address side of the address indicating the start of the data area of the parent program.
  • the return address of the program 2-4 can be mechanically calculated based on the address indicating the start of the data area of the parent program.
  • step S4 of FIG. 6 when the caller address is within the program area A31, the requested API is executed (step S6), and the control returns to the caller who has requested the execution of the API. To return.
  • step S4 the address of the caller and the address of the shared library area A39
  • the storage area A39 of the shared library dynamically changes, so that it is difficult to obtain the address.
  • the storage address of the program on the memory device is obtained, and the execution address indicates the proper position.
  • the API is executed, and if it is determined that the program is invalid, the program can be interrupted. Therefore, according to the operating system of the present invention, when an unauthorized access using the buffer overrun phenomenon occurs, it can be suppressed and the computer system can be protected.
  • FIG. 1 is a diagram schematically showing a configuration of a memory device used when a general computer executes a program.
  • FIG. 2 is a diagram schematically showing the functions of a sample program and a stack memory.
  • FIG. 3 is a schematic configuration diagram of a register set of an IA32 CPU of Intel Corporation in the United States.
  • FIG. 4 is an example of a schematic configuration of an operating system according to the present invention.
  • FIG. 5 is an example of a memory configuration used to execute a program in a computer system equipped with the operating system of FIG. 3.
  • FIG. 6 is a flowchart showing an operation of the operating system when an API is requested from a program.
  • FIG. 7 is a diagram schematically showing an example of a data configuration stored in a stack memory.
  • FIG. 8 is a diagram for explaining a basic configuration of a subroutine program.
  • Figure 9 shows the operating system when an API is requested from a program. It is a flowchart which shows the other form of operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

[PROBLEMS] To provide an operating system capable of suppressing a computer virus and an unauthorized access utilizing the buffer overrun phenomenon which is said to be a cause of generation of a security hole, and a recording medium containing the operating system. [MEANS FOR SOLVING THE PROBLEMS] An operating system (100) provides an API (application program interface) or a system call to a program. The operating system (100) includes address acquisition means (5) for reading a storage address of the program in the memory device before executing the API or the system call requested from the program. When the program which has requested the API is defined to be a primary program and secondary to n-degree (n is an integer not smaller than 2) program as a call source of the primary program are defined to successively form call hierarchies if the primary program is a subroutine, the address acquisition means (5) acquires the storage address of the primary program and the storage address of the secondary to n-degree program.

Description

明 細 書  Specification
オペレーティングシステム、及びそれを記録した記録媒体  Operating system and recording medium recording the same
技術分野  Technical field
[0001] 本発明は、コンピュータウィルスに感染しにくい、安全性の高いオペレーティングシ ステム、及びそれを記録した記録媒体に関する。  The present invention relates to a highly secure operating system that is not easily infected by a computer virus, and a recording medium that records the operating system.
背景技術  Background art
[0002] インターネットの普及に従い、企業、個人用途のコンピュータシステムの多く力 ネッ トワークに接続し、相互にデータのやり取りをするに至っている。  [0002] With the widespread use of the Internet, many computer systems for corporate and personal use have been connected to networks and exchanged data with each other.
し力しながら、コンピュータシステムに対し、外部より悪意あるネットワーク利用者が 接続し、システム管理者が気付かないうちに、コンピュータシステムが書き換えられる 問題が頻繁に発生している。また、所謂コンピュータウィルスと呼ばれる悪意ある実 行形式のデータ (プログラム)がシステムに書き込まれるという問題も多ぐこれらは深 刻な社会問題となって ヽる。  However, malicious network users from outside connect to computer systems, and computer systems are frequently rewritten without the knowledge of the system administrator. In addition, there are many problems that malicious execution data (programs) called so-called computer viruses are written to the system, and these are serious social problems.
尚、コンピュータシステムや、悪意あるネットワーク接続者による行為については、 非特許文献 1一 3にそれぞれ記載されて!、る。  The actions of a computer system or a malicious network connection are described in Non-Patent Documents 13 and 13, respectively.
非特許文献 1 :「ノヽッカ一'プログラミング大全」, UNYUN著  Non-Patent Document 1: "Nodoka-I 'Programming Taizen", UNYUN
非特許文献 2:「OPERATING SYSTEM Internals andDesignJ , William S talings, Ph. D.著  Non-Patent Document 2: “OPERATING SYSTEM Internals and DesignJ, William Stallings, Ph. D.
非特許文献 3 :「インテル'ァーキテクイチヤ最適化マニュアル」,米インテル社 発明の開示  Non-Patent Document 3: "Intel Architecture Optimization Manual", Disclosure of Intel Corporation of the United States
発明が解決しょうとする課題  Problems to be solved by the invention
[0003] 前記したような悪意あるネットワーク接続者による行為は、コンピュータシステムに存 在するセキュリティホールを利用して行われる。このセキュリティホールとは、インター ネットを通じた不正アクセス及び、コンピュータゥイノレスによりコンピュータシステムを 破壊改造するための警備の穴である。  [0003] The above-mentioned act by a malicious network connection person is performed using a security hole existing in a computer system. This security hole is a security hole for unauthorized access through the Internet and for the destruction and modification of computer systems by Computer Innores.
現在では、世界中のコンピュータシステムにおいて、多数のセキュリティホールが存 在し、前記したように、これを利用した不正アクセス、コンピュータウィルスが社会問題 となっている。 At present, there are many security holes in computer systems around the world, and as mentioned above, unauthorized access and computer viruses using these holes are a social problem. It has become.
[0004] セキュリティホールの発生原因の一つは、ノ ッファオ一バーラン現象にあると言われ ている。このバッファオーバーラン現象について説明すると、例えば、ある電子メール の送付ソフトにおいて、送付先の入力可能なメールアドレスの最大文字数が 50文字 とする。  [0004] It is said that one of the causes of the generation of the security hole is due to the nofao-barran phenomenon. Explaining the buffer overrun phenomenon, for example, in a software for sending an e-mail, it is assumed that the maximum number of characters of an e-mail address that can be input to a destination is 50 characters.
ここで、送付先のメールアドレスに、 1000文字の長さのメールアドレスを指定すると 、(想定して 、な 、) 50文字を超えた 950文字のデータカ モリ領域を超えて書き込 まれ、これによりコンピュータの制御が破綻を来たす。このような現象がバッファォー バーラン現象と呼ばれて 、る。  Here, if an e-mail address with a length of 1000 characters is specified as the destination e-mail address, the data is written beyond the data storage area of 950 characters exceeding 50 characters (assumed, Computer control has gone bankrupt. Such a phenomenon is called a buffer overrun phenomenon.
[0005] 更に、ノ ッファオ一バーラン現象について、詳細に説明する。図 1は、一般的なコン ピュータにおいて、アプリケーションプログラム(以下、単にプログラムとも呼ぶ)を実 行する際に使用するメモリ装置 (単にメモリとも呼ぶ)の構成を模式的に示した図であ る。 [0005] Further, a detailed description will be given of the phenomenon of no-four-bar-run. FIG. 1 is a diagram schematically illustrating a configuration of a memory device (also referred to simply as a memory) used when executing an application program (hereinafter simply referred to as a program) on a general computer.
[0006] 図 1のメモリ構成のうち、プログラムは領域 Al lに格納される。そして、プログラムの データ処理に使用する領域として、領域 A12、 A13、 A14を確保する。このうち、領 域 A12は、プログラム全体で使用するデータの読み書きに使用する。領域 A13は、 プログラムを実行する上で、適時データ領域を確保したいときに使用し、プログラムの 実行中にメモリ中の領域が伸縮する。また、領域 A14は、スタックメモリと呼称する特 殊なメモリ領域であって、プログラムを構成するサブルーチンと呼ばれる小さ 、構成 のプログラムの実行管理と、サブルーチンが一時的に使用するデータの管理を行う ための領域である。  [0006] In the memory configuration of FIG. 1, a program is stored in an area All. Then, areas A12, A13, and A14 are secured as areas used for program data processing. Area A12 is used to read and write data used in the entire program. The area A13 is used when it is necessary to secure a timely data area in executing the program, and the area in the memory expands and contracts during the execution of the program. The area A14 is a special memory area called a stack memory, which is used to manage the execution of a small, structured program called a subroutine that constitutes a program, and to manage data temporarily used by the subroutine. Area.
尚、サブルーチンとは当文書において次のように定義する。  The subroutine is defined as follows in this document.
サブルーチンとはスタックメモリに事前にサブルーチンを実行し終わったら実行すベ き次のプログラムの開始アドレスを格納して実行するプログラムと規定するものとする 。サブルーチンコールとはこのサブルーチンを呼び出すこと、つまり実行する事を示 すものとする。  A subroutine is defined as a program that stores the start address of the next program to be executed after the subroutine has been executed in advance in the stack memory and executes it. The subroutine call indicates that this subroutine is called, that is, executed.
[0007] 図 2に、サンプルプログラムと共に、領域 A14のスタックメモリの働きを模式的に示 す。尚、サンプルプログラムは C言語により記述されている。 前記サンプルプログラムは、プログラム 12行目で testという名称のサブルーチン( 子プログラム)を呼び出し、それを実行する構成となっている。また、そのサブルーチ ン実行時に、引数と呼ばれるデータを 4つ渡している。即ち、その引数は、 'Τ'、 Έ' 、 'S,、 'T,の 4つである。これらのデータは、スタックメモリ上の領域 Α21、 Α22、 Α2 3、 Α24に書き込まれる。 [0007] FIG. 2 schematically shows the operation of the stack memory in the area A14 together with the sample program. The sample program is described in C language. The sample program is configured to call a subroutine (child program) named test on the 12th line of the program and execute it. At the time of execution of the subroutine, four pieces of data called arguments are passed. That is, its arguments are four, 'Τ', Έ ',' S, and 'T. These data are written to the areas # 21, # 22, # 23, and # 24 on the stack memory.
[0008] このサンプルプログラム実行時にぉ 、て、前記引数がスタックメモリに書き込まれた 後、サブルーチン' test'に制御が移行する。また、このとき、サブルーチン実行終了 後にプログラム 13行目に制御が戻るように、スタックメモリの領域 A25に、プログラム 1 3行目を示すアドレスデータを記憶する。  [0008] At the time of execution of the sample program, after the argument is written to the stack memory, the control shifts to a subroutine "test". At this time, the address data indicating the 13th line of the program is stored in the area A25 of the stack memory so that the control returns to the 13th line after the execution of the subroutine is completed.
[0009] そして、プログラム 14行目から始まるサブルーチン' test'の実行においては、先ず 、プログラム 14行目、 16行目において初期設定が行われる。次いで、 17行目におい て、変数 sに ' A,という値が代入される。この値は、スタックメモリの領域 A26に書き込 まれる。  [0009] Then, in the execution of the subroutine "test" starting from the 14th line of the program, first, initialization is performed on the 14th and 16th lines of the program. Then, on line 17, the value 'A,' is assigned to the variable s. This value is written to area A26 of the stack memory.
[0010] そして、プログラム 18行目においては、故意に、変数 sの存在するメモリ領域をアド レス指定し、そこからゼロ(0)を 100文字、メモリに書き込むよう指示している。すなわ ち、これが実行されると、領域 A21— A26を含め、 100文字分の全ての内容が、ゼロ に上書きされ、その結果プログラムの流れが破壊される。  [0010] Then, on the 18th line of the program, the memory area where the variable s exists is deliberately designated as an address, and 100 characters of zero (0) are written from there to the memory. That is, when this is executed, all contents of 100 characters are overwritten with zeros, including the areas A21-A26, and the program flow is destroyed.
[0011] すなわち、プログラム 19行目において、本来ならば、領域 A25に格納されている、 呼び出し元の 13行目のアドレスに戻り、 13行目力もの処理に続くのである力 実際 には、領域 A25にはゼロが書き込まれており、プログラムはゼロ番地力も実行しようと する。その結果、コンピュータに障害が生じる。  [0011] That is, in the 19th line of the program, the program returns to the address of the 13th line of the caller, which is originally stored in the area A25. Has been written to zero, and the program will also try to run at zero. As a result, a failure occurs in the computer.
[0012] 以上、説明したように、本来設定されたメモリの領域を超えて不正に書き込まれる現 象をバッファオーバーランと呼んでいる。尚、このような脆弱性が現在の CPU (中央 処理装置)には存在しており、コンピュータウィルスや不正アクセスは、前記した現象 を利用してコンピュータシステムに不正を働く。また、実際のコンピュータウィルスや 不正アクセスにあっては、メモリへの上書きにおいて、自身に都合のよいメモリアドレ スを書き込み、ここにプログラムの制御が移行するように仕向け、不正を働くようにし ている。 [0013] 不正アクセス利用者は、前記バッファオーバーランを悪用し、スタックメモリ上に自 分の不正プログラムを書き込み、これを実行させることによりシステムの制御権を乗つ 取る。すなわち、スタックメモリ上の不正プログラム力 不正行為を行う目的で OS (ォ ペレ一ティングシステム)に対して API (アプリケーションプログラムインタフェイス)また はシステムコールを要求し、実行する。 [0012] As described above, the phenomenon of illegal writing beyond the originally set memory area is called buffer overrun. Note that such vulnerabilities exist in current CPUs (central processing units), and computer viruses and unauthorized access act on computer systems by utilizing the above-mentioned phenomena. Also, in the case of actual computer virus or unauthorized access, when overwriting the memory, write a convenient memory address to itself, and encourage the control of the program to be transferred here, so that the illegal operation is performed . [0013] An unauthorized access user exploits the buffer overrun, writes his own unauthorized program on the stack memory, and executes the program to take control of the system. In other words, an unauthorized program on the stack memory requests and executes an API (application program interface) or system call from the operating system (OS) for the purpose of performing an illegal act.
[0014] 本発明は、前記したような事情のもとになされたものであり、セキュリティホールの発 生原因と言われるノ ッファオ一バーラン現象を利用したコンピュータウィルスや不正 アクセスを抑制することのできるオペレーティングシステム、及びそれを記録した記録 媒体を提供することを目的とする。  The present invention has been made under the circumstances described above, and it is possible to suppress computer viruses and unauthorized access using a no-fuzzy-barran phenomenon, which is said to be a cause of a security hole. It is intended to provide an operating system and a recording medium on which the operating system is recorded.
課題を解決するための手段  Means for solving the problem
[0015] 前記した課題を解決するため、本発明に係るオペレーティングシステムは、 API (ァ プリケーシヨンプログラムインタフェイス)またはシステムコールをプログラムに提供す るオペレーティングシステムにお 、て、プログラムから要求された APIまたはシステム コールの実行前に、メモリ装置上における前記プログラムの格納アドレスを読み取る アドレス取得手段を備え、 APIを要求したプログラムを 1次プログラムとし、 1次プログ ラムがサブルーチンである場合、 1次プログラムの呼び出し元となる 2次一 n次(nは 2 以上の整数)プログラムまでが、順に呼び出し階層を形成していると定義すると、前記 アドレス取得手段は、 1次プログラムの格納アドレスと、 2次一 n次プログラムまでの格 納アドレスをそれぞれ取得することに特徴を有する。 [0015] In order to solve the above-mentioned problem, an operating system according to the present invention includes an API (Application Program Interface) or an API requested by a program in an operating system that provides a system call to the program. Or, before execution of a system call, an address acquisition means for reading the storage address of the program on the memory device is provided, and the program requesting the API is set as the primary program. If the primary program is a subroutine, the If it is defined that up to the secondary-n-th order (n is an integer equal to or greater than 2) program that forms the call source forms a call hierarchy in order, the address acquisition means determines the storage address of the primary program, the secondary primary The feature is that the storage addresses up to the nth program are obtained respectively. To.
[0016] また、前記アドレス取得手段が取得したアドレス力 メモリ装置上の適正な位置を示 している力否かを、比較基準となるアドレスと大小比較することにより判定するアドレス 比較判定手段と、メモリ装置上における所定のアドレスを前記比較基準アドレスとして 検出する基準アドレス検出手段とを備えることに特徴を有する。 [0016] Further, an address comparison determining means for determining whether or not the address force obtained by the address obtaining means and indicating a proper position on the memory device by comparing the address with a reference address, Reference address detection means for detecting a predetermined address on the memory device as the comparison reference address.
[0017] このような構成によれば、プログラムから要求された APIを実行する前に、メモリ装 置上におけるプログラムの格納アドレスを取得し、そのアドレスが適正な位置を示して いる力否かを比較判定することにより、プログラムが適正か不正かを判断することがで きる。  According to such a configuration, before executing the API requested by the program, the storage address of the program on the memory device is acquired, and whether or not the address indicates the proper position is determined. By comparing and determining, it is possible to determine whether the program is appropriate or incorrect.
その結果、 APIを要求したプログラムを適正なものと判断した場合は、 APIを実行し 、プログラムを不正なものと判断した場合は、プログラムを中断させることができる。 したがって、本発明に係るオペレーティングシステムによれば、バッファオーバーラン 現象を利用した不正アクセスが発生した場合には、それを抑制し、コンピュータシス テムを保護することができる。 As a result, if the program that requested the API is determined to be appropriate, execute the API. If it is determined that the program is invalid, the program can be interrupted. Therefore, according to the operating system of the present invention, when an unauthorized access using the buffer overrun phenomenon occurs, it can be suppressed and the computer system can be protected.
発明の効果  The invention's effect
[0018] 本発明によれば、セキュリティホールの発生原因と言われるバッファオーバーラン現 象を利用したコンピュータウィルスや不正アクセスを抑制することのできるオペレーテ イングシステム、及びそれを記録した記録媒体を提供することができる。  According to the present invention, there is provided an operating system capable of suppressing a computer virus and unauthorized access using a buffer overrun phenomenon which is said to be a cause of a security hole, and a recording medium on which the operating system is recorded. be able to.
発明を実施するための最良の形態  BEST MODE FOR CARRYING OUT THE INVENTION
[0019] 以下、本発明に係る実施の形態について説明する。本発明に係るオペレーティン グシステム(以下、 OSと呼ぶ)は、例えば、パーソナルコンピュータシステム等に代表 されるような、 CPU,記憶装置等を備えたノヽードウエアにおいて好適に機能させるこ とがでさる。 Hereinafter, embodiments according to the present invention will be described. The operating system (hereinafter, referred to as an OS) according to the present invention can suitably function in a hardware such as a personal computer system having a CPU, a storage device, and the like.
[0020] 前記 CPUとしては、スタックレジスタ(スタックメモリ専用レジスタ)を備えた全ての C PUに適用することができる力 以下の説明においては、 I A32 (Intel社の 32ビットマ イク口プロセッサ)を例に説明する。  [0020] The CPU can be applied to all CPUs provided with a stack register (stack memory dedicated register). In the following description, IA32 (Intel 32-bit microprocessor) is used as an example. Will be described.
図 3に、 IA32が有するレジスタ 'セット 200の概略構成図を示す。以下の説明におけ るスタックメモリは、図 3中のレジスタ装置 R11 (32ビット表現で ESPのレジスタ)により 管理され、レジスタ装置 R12 (32ビット表現で EBPのレジスタ)により操作される。  FIG. 3 shows a schematic configuration diagram of the register set 200 included in the IA32. In the following description, the stack memory is managed by the register device R11 (32-bit ESP register) and operated by the register device R12 (32-bit EBP register) in FIG.
[0021] 尚、図 3中、 32ビット表現で EIPはプログラムカウンタ(CPUがこれから実行したいプ ログラムのメモリのアドレスを示すもの)であり、 EAX、 EBX、 ECX、 EDX、 ESI、 EDI 、 EBPの各レジスタは、汎用レジスタである。  [0021] In Fig. 3, EIP is a program counter (indicating the address of the memory of the program that the CPU wants to execute) in 32-bit representation. Each register is a general-purpose register.
[0022] 図 4は、本発明に係る OSの概略構成を示している。尚、一般に OSは、アプリケー シヨンプログラムを代表とするプログラムに対して、 API (アプリケーションプログラムィ ンタフェイス)を提供する。 APIとは、データファイルの読み書きや、マウス等の周辺装 置を制御するための機能を提供するものである。すなわち、アプリケーションプロダラ ムは、 OSが提供する APIを実行することによって、ファイルの読み書き等、 OSが提 供する様々な機能を利用することができる。また、 APIは、 OSによっては、システムコ ールとも呼ばれる。 FIG. 4 shows a schematic configuration of an OS according to the present invention. Generally, the OS provides an API (Application Program Interface) for programs represented by application programs. The API provides functions for reading and writing data files and controlling peripheral devices such as a mouse. That is, the application program can use various functions provided by the OS, such as reading and writing files, by executing the API provided by the OS. Also, APIs may not be available in the system Also known as
[0023] 図 4に示す OSIOOは、周辺装置 20を制御する API等を提供する OS本体 1と、プロ グラム(メインルーチンまたはサブルーチン) 10からの API要求窓口となる API入り口 2と、記憶装置 20に記録するデータの管理を行うファイル管理システム 3とを備える。 以上の構成は、一般的な OS構成と同一である力 OS100においては、さらに OS 本体 1と API入り口 2との間にアドレス比較判定手段 4を備える。さらには、アドレス比 較判定手段 4に対しプログラムの格納アドレスを提供するアドレス取得手段 5と、アド レス比較判定手段 4に対し比較の基準とするアドレスを提供する基準アドレス検出手 段 6とを備える。  The OSIOO shown in FIG. 4 includes an OS main unit 1 that provides an API for controlling the peripheral device 20, an API entrance 2 serving as an API request window from a program (main routine or subroutine) 10, and a storage device 20. And a file management system 3 for managing data to be recorded in the file. The above configuration is the same as the general OS configuration. The OS 100 further includes an address comparison determination unit 4 between the OS main body 1 and the API entrance 2. Furthermore, there are provided address acquisition means 5 for providing the address for storing the program to the address comparison / judgment means 4 and reference address detection means 6 for providing the address comparison / judgment means 4 with an address to be compared with. .
[0024] API入り口 2は、プログラムの実行の際に発生する API要求の入り口であって、 OS 100は、この部分で受け付けを行う。一般的な OSと同様に、 OS 100が提供する API には多数の種類が存在する力 プログラム 10 (メインルーチンまたはサブルーチン) から API実行の要求が発生すると、 API入り口 2で一括して受け付けし、要求のあつ た APIに応じた処理に制御を渡す。  [0024] The API entrance 2 is an entrance of an API request generated at the time of execution of a program, and the OS 100 accepts this part. As with a general OS, there are many types of APIs provided by OS 100. When an API execution request is generated from a program 10 (main routine or subroutine), it is accepted collectively at API entrance 2, Passes control to the process corresponding to the requested API.
[0025] アドレス取得手段 5は、 APIを呼び出したプログラム (メインルーチンまたはサブル 一チン)のメモリ領域上の格納アドレスを取得する機能を有して 、る。  The address acquisition means 5 has a function of acquiring the storage address of the program (main routine or subroutine) that called the API in the memory area.
逐次処理型のコンピュータは、すべてのプログラムの実行をメモリのアドレスにより 指定する方式をとる。すなわち、 APIを要求するサブルーチンのプログラムを 1次プロ グラムとし、 1次プログラムの呼び出し元を 2次プログラムとし、 2次プログラムの呼び出 し元を 3次プログラムとし、以下、 n次(この場合、 nは 4以上の整数)プログラムまでを 定義すると、(n-1)次プログラムは、 APIを実行後に復帰(リターン)して実行する n次 プログラムのアドレスをメモリに保存している。アドレス取得手段 5は、このアドレスをメ モリ装置から読み取る働きをする。  Sequential processing type computers use a method in which the execution of all programs is specified by a memory address. In other words, the program of the subroutine requesting the API is the primary program, the caller of the primary program is the secondary program, the caller of the secondary program is the tertiary program, and the nth order (in this case, (n is an integer greater than or equal to 4) If you define up to the program, the (n-1) next program saves the address of the nth program to be executed after returning to the API after executing the API. The address acquisition means 5 functions to read this address from the memory device.
[0026] また、基準アドレス検出手段 6は、 OS上において、プログラムの格納が許されてい る領域と許されて 、な 、領域とを判定するためのアドレスを比較基準アドレスとして取 得する。ここで、 OS100を搭載したコンピュータシステムにおいて、プログラム 10を実 行する際に使用するメモリ構成の例を図 5に示す。  [0026] The reference address detection means 6 obtains, as a comparison reference address, an address on the OS for determining an area in which a program is allowed to be stored and an area in which the program is allowed to be stored. Here, FIG. 5 shows an example of a memory configuration used when executing the program 10 in a computer system equipped with the OS 100.
前記比較基準アドレスを取得する具体的な一例としては、図 5において、プログラム を格納する領域を示す開始アドレス A40及び終了アドレス A41を取得する方法があ る。この方法が論理的に完全な実施例である。 As a specific example of obtaining the comparison reference address, FIG. There is a method of acquiring a start address A40 and an end address A41 indicating an area for storing the data. This method is a logically complete embodiment.
[0027] し力しながら、実際の OSにおいてプログラムを格納する領域は、複数のメモリ領域 に分断して格納する場合が多い。その場合、プログラムの格納領域ごとに、その開始 アドレスと終了アドレスとを調べる必要があり煩雑である。 However, in many cases, an area for storing a program in an actual OS is often divided into a plurality of memory areas and stored. In that case, it is necessary to check the start address and the end address for each storage area of the program, which is troublesome.
[0028] なお、基準アドレス検出手段 6が比較基準アドレスとして取得するアドレスは、適正 なプログラム格納領域の開始アドレス及び終了アドレスに限定されるものではない。 すなわち、基準アドレス検出手段 6は、メモリ領域における所望のアドレスを比較基準 アドレスとして設定することができる。 [0028] The addresses acquired by the reference address detection means 6 as the comparison reference addresses are not limited to the proper start address and end address of the program storage area. That is, the reference address detection means 6 can set a desired address in the memory area as the comparison reference address.
そこで本実施の形態においては、本発明の理解を容易にするため、比較基準アド レスとして、スタック領域の上限及び下限(開始アドレス及び終了アドレス)を取得する 方法を簡易例として示す。これは、ノ ッファオ一バーランを利用して、不正アクセスを 行うプログラムは、その性質上、大多数がプログラム本体をスタック領域に保存するた めである。  Therefore, in the present embodiment, a method of obtaining the upper and lower limits (start address and end address) of the stack area as comparison reference addresses will be described as a simple example in order to facilitate understanding of the present invention. This is because the majority of programs that perform unauthorized access using the no-fault balun store the program itself in the stack area due to the nature of the program.
[0029] 図 5のメモリ構成において、 OS100がプログラム 10に割り振るメモリ領域のうち、ス タック領域の上限(0番地方向 Z終了アドレス)は符号 A37で示すアドレスであり、下 限(開始アドレス)は符号 A38に示すアドレスである。  In the memory configuration of FIG. 5, among the memory areas allocated by the OS 100 to the program 10, the upper limit of the stack area (the Z end address in the direction of address 0) is an address indicated by reference sign A37, and the lower limit (the start address) is This is the address indicated by reference numeral A38.
すなわち、基準アドレス検出手段 6は、符号 A37、 A38に示したアドレスを取得する。  That is, the reference address detection means 6 acquires the addresses indicated by the reference signs A37 and A38.
[0030] また、図 4に示すアドレス比較判定手段 4は、アドレス取得手段 5が取得したプログ ラム格納アドレスと、基準アドレス取得手段 6が取得した比較基準アドレスとを比較し 、 APIを要求するプログラム (メインルーチンまたはサブルーチン)が不正プログラム であるか否かを判断する。具体的には、アドレス取得手段 5が取得した、プログラム格 納領域のアドレス力 スタック領域の上限 A37と下限 A38の間にあるか否かを判断す る。 Further, the address comparison determination means 4 shown in FIG. 4 compares the program storage address acquired by the address acquisition means 5 with the comparison reference address acquired by the reference address acquisition means 6, and issues a program requesting an API. (Main routine or subroutine) is a malicious program. Specifically, it is determined whether or not the address strength of the program storage area acquired by the address acquisition means 5 is between the upper limit A37 and the lower limit A38 of the stack area.
[0031] すなわち、ノ ッファオ一バーランを利用して不正プログラムがコンピュータに寄生し た場合、通常、その不正プログラムの格納領域は、図 5のメモリ構成ではスタック領域 中の使用中領域 A34となる。したがって、アドレス取得手段 5が取得した、プログラム 格納領域のアドレス力 スタック領域の上限 A37と下限 A38の間である場合には、そ のプログラムが不正プログラムであると判定される。 That is, when a malicious program is parasitized in a computer by utilizing the over-the-top run, the storage area of the malicious program is usually the used area A34 in the stack area in the memory configuration of FIG. Therefore, if the address acquisition means 5 acquires the address strength of the program storage area between the upper limit A37 and the lower limit A38 of the stack area, Is determined to be a malicious program.
[0032] その場合、アドレス比較判定手段 4は、不正プログラムが寄生して 、る旨を OS本体 1に通知する。 OS本体 1は、 APIの要求を中断し、プログラムを強制終了させるととも に、警告を電子メール等の手段によりシステム管理者に通知する。  In this case, the address comparison determination means 4 notifies the OS main body 1 that the malicious program has become parasitic. The OS body 1 interrupts the API request, forcibly terminates the program, and notifies the system administrator of a warning by e-mail or the like.
尚、アドレス比較判定手段 4による判定の結果、 APIを要求するプログラムが正常な ものであると判断された場合には、要求された APIが実行される。  If it is determined as a result of the determination by the address comparison determining means 4 that the program requesting the API is normal, the requested API is executed.
[0033] 続いて、プログラムから APIの要求があった場合の OS100の動作について、さらに 図 6のフロー図に基づいて説明する。  Next, the operation of the OS 100 when a program requests an API will be described with reference to the flowchart of FIG.
プログラム 10 (メインルーチンまたはサブルーチン)力も APIの要求が発生すると、 アドレス取得手段 5は APIを要求したプログラムのメモリ上の格納アドレスを取得する (図 6のステップ Sl)。  When an API request occurs in the program 10 (main routine or subroutine), the address acquisition means 5 acquires the storage address of the program that requested the API in the memory (Step Sl in FIG. 6).
[0034] APIを要求したプログラムを 1次プログラムとすれば、取得するアドレスは、 1次プロ グラム中の APIを要求した部分の次位置を示すアドレスである。すなわち、 APIを実 行した後に復帰(リターン)し、 1次プログラムを継続する位置を示すアドレスである。 具体的には、例えば、図 7のスタックメモリの構成例における領域 A51からアドレスを 取得する。  Assuming that the program that has requested the API is a primary program, the address to be acquired is an address indicating the next position of the part that requested the API in the primary program. In other words, it is the address that indicates the position where the primary program is returned after executing the API and continues. Specifically, for example, the address is acquired from the area A51 in the configuration example of the stack memory in FIG.
[0035] また、基準アドレス検出手段 6は、 OS 100がプログラム 10に割り振ったメモリ領域を 調べ、プログラムが存在してはならな 、領域のアドレスを比較基準アドレスとして取得 する(ステップ S 2)。  The reference address detection means 6 checks the memory area allocated to the program 10 by the OS 100, and acquires the address of the area as a comparison reference address if the program must not exist (step S2).
前記したように、ノ ッファオ一バーランが発生したときに、不正プログラムが寄生する のはスタック領域である。このため、基準アドレス検出手段 6は、スタック領域の上限( 終了アドレス) A37と下限(開始アドレス) A38を取得し、その間の領域を、プログラム の存在してはならな ヽ領域として設定する。  As described above, when an overrun occurs, it is in the stack area that a malicious program parasitizes. For this reason, the reference address detecting means 6 acquires the upper limit (end address) A37 and the lower limit (start address) A38 of the stack area, and sets the area between them as the area where the program must not exist.
[0036] 次 、で、アドレス比較判定手段 4にお 、て、アドレス取得手段 5が取得したプロダラ ム格納アドレスと、基準アドレス検出手段 6が検出した比較基準アドレスとが比較され る(ステップ S3)。すなわち、アドレス取得手段 5が取得したプログラム格納アドレスが 、不正なアドレスである力否かが判断される。  Next, the program storage address acquired by the address acquisition means 5 is compared with the comparison reference address detected by the reference address detection means 6 in the address comparison determination means 4 (step S3). . That is, it is determined whether the program storage address obtained by the address obtaining means 5 is an incorrect address.
[0037] 具体的には、アドレス取得手段 5が取得したプログラム格納アドレス力 基準アドレ ス検出手段 6が検出したアドレス領域内である場合には、プログラム 10は不正である と判断され、領域外である場合にはプログラム 10は適正なものであると判断される。 また、前提となる APIの要求が OS本体である場合もあるため、呼び出し元のアドレス 力 OSの管理領域内であるか否力も判断される。 OSの管理領域内である場合は、 適正な処理が行なわれて!/、ると判断する。 [0037] Specifically, the program storage address acquired by the address acquisition means 5 is referred to as the reference address. If the address is within the address area detected by the software detection means 6, the program 10 is determined to be invalid, and if it is outside the area, the program 10 is determined to be appropriate. Also, since the prerequisite API request may be the OS itself, it is also determined whether the caller's address is within the OS management area. If it is within the OS management area, it is determined that appropriate processing has been performed!
[0038] ステップ S3にお!/、て、 APIを要求したプログラムが不正であると判断されると、シス テム管理者にその旨を電子メールにて送信し、 APIの要求を中断し、プログラムを強 制終了させる (ステップ S7)。  [0038] In step S3, if it is determined that the program requesting the API is illegal, an e-mail is sent to the system administrator to that effect, the API request is interrupted, and the program Is forcibly terminated (step S7).
[0039] 一方、ステップ S3において、 APIを要求したプログラムが正常であると判断されると 、さらに、アドレス取得手段 5が、 APIを要求したプログラムの親プログラムの格納アド レス(呼び出し元のアドレスと呼ぶ)を取得し、基準アドレス検出手段 6が、プログラム 領域 A31の開始アドレス及び終了アドレスを検出して比較基準アドレスに設定する。 そして、アドレス比較判定手段 4は、 APIを要求したプログラムの親プログラムの格納 アドレスがプログラム領域 A31にある力否かを判断する(ステップ S4)。  [0039] On the other hand, if it is determined in step S3 that the program requesting the API is normal, the address acquisition means 5 further stores the storage address of the parent program of the program requesting the API (with the address of the caller). The reference address detection means 6 detects the start address and end address of the program area A31 and sets them as comparison reference addresses. Then, the address comparison determination means 4 determines whether or not the storage address of the parent program of the program that has requested the API is in the program area A31 (step S4).
尚、この処理は、不正プログラム力 共有ライブラリのプログラムを経由して APIを実 行する可能性があるために行なわれる。  This processing is performed because there is a possibility that the API will be executed via the program of the malicious program shared library.
[0040] ステップ S4において、呼び出し元アドレスが、プログラム領域 A31の外である場合 、共有ライブラリのアドレスであると見なし、呼び出し元のさらに親プログラムのァドレ ス(その親プログラムへのリターンアドレス)を取得し (ステップ S5)、ステップ S3の処 理に戻る。  [0040] In step S4, if the caller address is outside the program area A31, it is regarded as the address of the shared library, and the address of the caller's parent program (return address to the parent program) is obtained. (Step S5), and the process returns to step S3.
このように、ステップ S3— S5のループ処理においては、 APIを要求したプログラム を 1次プログラムとすれば、その呼び出し元 (親プログラム)となる 2次プログラムをはじ め、順に呼び出し階層を形成する n次プログラムまでの格納アドレスが適正力否力判 定される。  In this way, in the loop processing of steps S3 to S5, if the program requesting the API is defined as the primary program, a call hierarchy is sequentially formed starting with the secondary program that is the caller (parent program) of the primary program n The storage address up to the next program is judged to be appropriate.
[0041] ここで、ステップ S 5の処理の具体例を示す。例えば、 APIの実行元プログラムを 1 次プログラム、 1次プログラムの呼び出し元を 2次プログラム、 2次プログラムの呼び出 し元を 3次プログラム、さらに 3次プログラムの呼び出し元を 4次プログラムとする。 図 7に示すスタックメモリの、領域 A54、 A57、 A510には、それぞれ 2次一 4次プログ ラムへのリターンアドレス、すなわち、プログラム格納アドレスが格納されている。 Here, a specific example of the processing in step S5 will be described. For example, the API execution source program is the primary program, the primary program caller is the secondary program, the secondary program caller is the tertiary program, and the tertiary program caller is the quaternary program. Areas A54, A57, and A510 in the stack memory shown in Fig. 7 have secondary and quaternary programs respectively. The return address to the RAM, that is, the program storage address is stored.
よって、アドレス取得手段 5は、領域 A54、 A57、 A510の中から、所望のプログラ ムの格納アドレスをループ処理毎に順に取得する。  Therefore, the address acquisition means 5 sequentially acquires the storage address of the desired program from the areas A54, A57, and A510 for each loop processing.
[0042] ここで、それぞれのリターンアドレスを取得する方法について、図 7及び図 8に基づ いて詳細に説明する。 Here, a method of obtaining each return address will be described in detail with reference to FIGS. 7 and 8.
図 8は、 IA32におけるサブルーチンプログラムの基本構成を示す図である。先ず、 図 8について説明する。図 8のサブルーチンプログラム P1の 1行目及び 2行目は、サ ブルーチンの最初に固定的に存在し、 4行目及び 5行目は、サブルーチンの最後に 固定的に存在する。  FIG. 8 is a diagram showing a basic configuration of a subroutine program in IA32. First, FIG. 8 will be described. The first and second lines of the subroutine program P1 in FIG. 8 are fixedly present at the beginning of the subroutine, and the fourth and fifth lines are fixedly present at the end of the subroutine.
1行目は、 EBPレジスタの内容 (親プログラムのデータ開始領域を示す値)をスタツ クに格納する命令である。図 7中の領域 A53、 A56、 A59に示される親プログラムの データ開始領域の値は、この手順により書き込まれている。  The first line is an instruction to store the contents of the EBP register (value indicating the data start area of the parent program) in the stack. The values of the data start area of the parent program shown in areas A53, A56, and A59 in FIG. 7 are written by this procedure.
[0043] 2行目は、 EBPレジスタへ、 ESPレジスタの内容を複写する命令である。 ESPレジ スタは、常に、スタック領域における未使用のゼロ側最上位を示す。この命令以後は 、そのプログラムの作業用データ領域の参照に、 EBPレジスタを使用する。プロダラ ム 1一 3に対応する領域 A52、 A55、 A58は、それぞれのプログラム実行時における EBPレジスタの内容として、そのプログラムの作業用データ領域開始位置を示してい る。 The second line is an instruction to copy the contents of the ESP register to the EBP register. The ESP register always points to the unused top zero in the stack area. After this instruction, the EBP register is used to refer to the work data area of the program. The areas A52, A55, and A58 corresponding to the programs 13 and 13 indicate the start position of the work data area of the program as the contents of the EBP register at the time of executing each program.
[0044] 3行目は、サブルーチン本体である。図 8においては、 3行目のみに示す力 実際 は複数行で示される。  The third line is a subroutine body. In FIG. 8, the force shown only in the third row is actually shown in multiple rows.
4行目は、サブルーチンの終了を行う手順である。 IA32固有の CPU命令である lea veコマンドは、プログラム 1一 3のそれぞれにおいて、 EBPレジスタの値を ESPレジス タに複写し、スタックメモリ力も領域 A53、 A56、 A59の値を EBPレジスタへ読み取る 。 ESPレジスタの値は、減算して、領域 A53、 A56、 A59を開放する。 The fourth line is a procedure for ending the subroutine. Lea v e command is IA32 specific CPU instructions in each program 1 one 3, copies the value of the EBP register ESP register, stack memory force also read the value of the area A53, A56, A59 to EBP register. The value of the ESP register is subtracted to open areas A53, A56, and A59.
[0045] 5行目は、親プログラムに戻る命令である。これを実行すると、サブルーチンプログ ラムは、領域 A51、 A54、 A57、 A510にそれぞれ示される、対応するリターンァドレ スに制御を移す。同時に ESPレジスタの内容を減算して領域を開放する。  The fifth line is a command to return to the parent program. When this is done, the subroutine program transfers control to the corresponding return address, shown in areas A51, A54, A57, and A510, respectively. At the same time, the contents of the ESP register are subtracted to free up the area.
尚、 ret命令の代わりに iret命令を使用する場合がある。すなわち、サブルーチンの 呼び出しは、 IA32においては、 call命令と int命令が存在する。 call命令に対しては 、 ret命令で復帰し、 int命令に対しては iret命令にて復帰する約束となっている。 The iret instruction may be used instead of the ret instruction. That is, the subroutine The call has a call instruction and an int instruction in IA32. It is promised that the call instruction returns with the ret instruction, and the int instruction returns with the iret instruction.
[0046] 図 8のサブルーチンプログラム P1の基本構成を前提として、各プログラムのリターン アドレスは、次のようにして取得することができる。  Assuming the basic configuration of the subroutine program P1 in FIG. 8, the return address of each program can be obtained as follows.
図 7において、 APIの実行元プログラム 1へのリターンアドレスはスタック領域のゼロ 側の最上位に存在する。その所在位置の ESPレジスタの内容により機械的に取得す ることができる。すなわち、 ESPレジスタは常に、未使用のゼロ側最上位を示すので、 領域 A51は ESPレジスタの示す値の領域と隣接する領域として取得することができる  In FIG. 7, the return address to the API execution source program 1 is at the top of the stack area on the zero side. It can be obtained mechanically according to the contents of the ESP register at that location. In other words, since the ESP register always indicates the unused top of zero, area A51 can be obtained as an area adjacent to the area indicated by the ESP register value.
[0047] APIは通常、前記したサブルーチン呼び出し命令のうち、 int命令を使用する。領 域 A51に示される値は int命令がスタック領域に書き込んだ、プログラム 1へのリタ一 ンアドレスである。領域 A51には int命令の仕様に従い、 APIの実行元プログラムに 関するリターン情報と各種戻り情報が書き込まれている。すなわち、ここから、リターン アドレスのみを機械的に取得することができる。 [0047] The API usually uses an int instruction among the subroutine call instructions described above. The value shown in area A51 is the return address to program 1 written to the stack area by the int instruction. In the area A51, return information and various types of return information regarding the API execution source program are written according to the specification of the int instruction. That is, only the return address can be mechanically acquired from here.
[0048] また、前記したように、図 8の 1行目においてプログラム 1一 3のそれぞれは、呼び出 し元のプログラム (親プログラム)の EBPレジスタの値 (親プログラムのデータ開始領 域を示す値)を領域 A53、 A56、 A59に格納している。領域 A53は、領域 A56と隣 接するゼロ側の次の領域を示す。領域 A56は、領域 A59と隣接するゼロ側の次の領 域を示す。したがって、プログラム 1一 3のそれぞれにおいては、その親プログラムの データ領域を芋づる式に取得することができる。  Further, as described above, in the first line of FIG. 8, each of the programs 13 is a value of the EBP register of the calling program (parent program) (indicating the data start area of the parent program). Value) are stored in areas A53, A56, and A59. The area A53 indicates the next area on the zero side adjacent to the area A56. The area A56 indicates the next area on the zero side adjacent to the area A59. Therefore, in each of the programs 13, the data area of the parent program can be acquired in a formula based on a potato.
[0049] そして、プログラム 2— 4へのリターンアドレスは、領域 A53、 A56、 A59、すなわち 親プログラムのデータ領域開始を示すアドレスの上位アドレス側に常に隣接している [0049] The return address to program 2-4 is always adjacent to areas A53, A56, and A59, that is, the upper address side of the address indicating the start of the data area of the parent program.
。これにより、プログラム 2— 4のリターンアドレスは、親プログラムのデータ領域開始を 示すアドレスに基づ 、て機械的に算出することができる。 . As a result, the return address of the program 2-4 can be mechanically calculated based on the address indicating the start of the data area of the parent program.
[0050] 一方、図 6のステップ S4において、呼び出し元アドレスが、プログラム領域 A31内で ある場合、要求された APIを実行し (ステップ S6)、制御は APIの実行を要求した呼 び出し元にリターンする。  On the other hand, in step S4 of FIG. 6, when the caller address is within the program area A31, the requested API is executed (step S6), and the control returns to the caller who has requested the execution of the API. To return.
尚、ステップ S4において、呼び出し元アドレスと、共有ライブラリ領域 A39のァドレ スとを直接比較しないのは、共有ライブラリの格納領域 A39が動的に変化するため、 そのアドレスの取得が困難であるためである。 In step S4, the address of the caller and the address of the shared library area A39 The reason why the address is not directly compared is that the storage area A39 of the shared library dynamically changes, so that it is difficult to obtain the address.
[0051] 以上のようにして、 OS 100における一連の動作が行なわれる。尚、 APIを直接呼び 出したプログラムの格納アドレスのみを判定する場合には、図 6のフロー図は、図 9に 示すフロー図のように、図 6のステップ S4、 S5が省略され、処理フローは簡素化され る。 As described above, a series of operations in OS 100 are performed. When only the storage address of the program that directly calls the API is determined, the flow chart of FIG. 6 omits steps S4 and S5 of FIG. 6, as shown in the flow chart of FIG. Is simplified.
[0052] 以上、説明した実施の形態によれば、プログラム力 要求された APIを実行する前 に、メモリ装置上におけるプログラムの格納アドレスを取得し、そのアドレスが適正な 位置を示している力否かを比較判定することにより、プログラムが適正か不正かを判 断することができる。  According to the above-described embodiment, before executing the requested API, the storage address of the program on the memory device is obtained, and the execution address indicates the proper position. By comparing and judging whether the program is correct or not, it is possible to judge whether the program is appropriate or not.
その結果、 APIを要求したプログラムを適正なものと判断した場合は、 APIを実行し 、プログラムを不正なものと判断した場合は、プログラムを中断させることができる。 したがって、本発明に係るオペレーティングシステムによれば、バッファオーバーラン 現象を利用した不正アクセスが発生した場合には、それを抑制し、コンピュータシス テムを保護することができる。  As a result, if it is determined that the program requesting the API is appropriate, the API is executed, and if it is determined that the program is invalid, the program can be interrupted. Therefore, according to the operating system of the present invention, when an unauthorized access using the buffer overrun phenomenon occurs, it can be suppressed and the computer system can be protected.
図面の簡単な説明  Brief Description of Drawings
[0053] [図 1]図 1は、一般的なコンピュータにおいて、プログラムを実行する際に使用するメ モリ装置の構成を模式的に示した図である。  [FIG. 1] FIG. 1 is a diagram schematically showing a configuration of a memory device used when a general computer executes a program.
[図 2]図 2は、サンプルプログラム及びスタックメモリの働きを模式的に示す図である。  FIG. 2 is a diagram schematically showing the functions of a sample program and a stack memory.
[図 3]図 3は、米国インテル社の IA32系 CPUのレジスタ.セットの概略構成図である。  [FIG. 3] FIG. 3 is a schematic configuration diagram of a register set of an IA32 CPU of Intel Corporation in the United States.
[図 4]図 4は、本発明に係るオペレーティングシステムの概略構成の一例である。  FIG. 4 is an example of a schematic configuration of an operating system according to the present invention.
[図 5]図 5は、図 3のオペレーティングシステムを搭載したコンピュータシステムにおい て、プログラムを実行する際に使用するメモリ構成の一例である。  FIG. 5 is an example of a memory configuration used to execute a program in a computer system equipped with the operating system of FIG. 3.
[図 6]図 6は、プログラムから APIの要求があった場合のオペレーティングシステムの 動作を示すフロー図である。  FIG. 6 is a flowchart showing an operation of the operating system when an API is requested from a program.
[図 7]図 7は、スタックメモリに記憶されるデータ構成例を模式的に示す図である。  FIG. 7 is a diagram schematically showing an example of a data configuration stored in a stack memory.
[図 8]図 8は、サブルーチンプログラムの基本構成を説明するための図である。  FIG. 8 is a diagram for explaining a basic configuration of a subroutine program.
[図 9]図 9は、プログラムから APIの要求があった場合のオペレーティングシステムの 動作の他の形態を示すフロー図である。 [Figure 9] Figure 9 shows the operating system when an API is requested from a program. It is a flowchart which shows the other form of operation | movement.

Claims

請求の範囲 The scope of the claims
[1] API (アプリケーションプログラムインタフェイス)またはシステムコールをプログラム に提供するオペレーティングシステムにお 、て、  [1] In operating systems that provide APIs (application program interfaces) or system calls to programs,
プログラム力も要求された APIまたはシステムコールの実行前に、メモリ装置上にお ける前記プログラムの格納アドレスを読み取るアドレス取得手段を備え、  An address acquisition unit for reading a storage address of the program on a memory device before executing the API or the system call for which the program capability is also required;
APIを要求したプログラムを 1次プログラムとし、 1次プログラムがサブルーチンである 場合、 1次プログラムの呼び出し元となる 2次一 n次 (nは 2以上の整数)プログラムま でが、順に呼び出し階層を形成していると定義すると、  If the program requesting the API is the primary program, and the primary program is a subroutine, the call hierarchy of the secondary-n-th order (n is an integer of 2 or more) programs that call the primary program will be If we define it as forming,
前記アドレス取得手段は、 1次プログラムの格納アドレスと、 2次一 n次プログラムまで の格納アドレスをそれぞれ取得することを特徴とするオペレーティングシステム。  The operating system according to claim 1, wherein said address acquiring means acquires a storage address of a primary program and a storage address up to a secondary-n-th order program.
[2] 前記アドレス取得手段が取得したアドレス力 メモリ装置上の適正な位置を示して いる力否かを、比較基準となるアドレスと大小比較することにより判定するアドレス比 較判定手段と、 [2] address comparison determining means for determining whether or not the address force obtained by the address obtaining means indicates a proper position on the memory device by comparing the address with a reference address,
メモリ装置上における所定のアドレスを前記比較基準アドレスとして検出する基準ァ ドレス検出手段とを備えることを特徴とする請求項 1に記載されたオペレーティングシ ステム。  2. The operating system according to claim 1, further comprising: a reference address detection unit that detects a predetermined address on a memory device as the comparison reference address.
[3] 前記基準アドレス検出手段は、プログラムに割り振られたメモリ領域を構成する各領 域のアドレスを検出し、各領域のアドレスを、それぞれ前記比較基準アドレスとして設 定する機能を有することを特徴とする請求項 2に記載されたオペレーティングシステ ム。  [3] The reference address detection means has a function of detecting an address of each area constituting a memory area allocated to a program, and setting an address of each area as the comparison reference address. The operating system according to claim 2, wherein
[4] 前記基準アドレス検出手段は、プログラムに割り振られたメモリ領域のうち、プロダラ ム格納用の開始アドレスおよび終了アドレスを検出し、該開始アドレスおよび終了ァ ドレスを前記比較基準アドレスとして設定することを特徴とする請求項 2に記載された オペレーティングシステム。  [4] The reference address detection means detects a start address and an end address for storing a program in a memory area allocated to a program, and sets the start address and the end address as the comparison reference address. 3. The operating system according to claim 2, wherein:
[5] 前記基準アドレス検出手段は、プログラムに割り振られたメモリ領域のうち、スタック メモリ用の開始アドレスおよび終了アドレスを取得し、該開始アドレスおよび終了アド レスを前記比較基準アドレスとして設定することを特徴とする請求項 2に記載されたォ ペレ一ティングシステム。 [5] The reference address detection means acquires a start address and an end address for a stack memory from a memory area allocated to a program, and sets the start address and the end address as the comparison reference address. The operating system according to claim 2, characterized in that:
[6] 前記アドレス比較判定手段の判定結果により、プログラムが要求する APほたはシ ステムコールを実行する力否かが決定されることを特徴とする請求項 2乃至請求項 5 の!、ずれかに記載されたオペレーティングシステム。 [6] The method according to claims 2 to 5, wherein whether or not the AP requested by the program is capable of executing a system call is determined based on the result of the determination by the address comparison determining means. , The operating system listed in the miscellaneous.
[7] 前記アドレス比較判定手段の判定結果により、プログラムが要求する APほたはシ ステムコールの実行の中止を決定した際、  [7] When it is determined that the execution of an AP or a system call requested by the program is to be stopped based on the determination result of the address comparison determination unit,
APIまたはシステムコールの実行を中止すると共に、警報としての電子メールをシス テム管理者に送信することを特徴とする請求項 6に記載されたオペレーティングシス テム。  7. The operating system according to claim 6, wherein the execution of the API or the system call is stopped, and an e-mail as an alert is transmitted to a system administrator.
[8] 請求項 1乃至請求項 7の 、ずれかに記載されたオペレーティングシステムを記録し たコンピュータ読み取り可能な記録媒体。  [8] A computer-readable recording medium recording the operating system according to any one of claims 1 to 7.
PCT/JP2004/013643 2003-09-18 2004-09-17 Operating system and recording medium containing the same WO2005029328A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2005514058A JPWO2005029328A1 (en) 2003-09-18 2004-09-17 Operating system and recording medium recording the same

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2003-326982 2003-09-18
JP2003326982 2003-09-18

Publications (1)

Publication Number Publication Date
WO2005029328A1 true WO2005029328A1 (en) 2005-03-31

Family

ID=34372852

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2004/013643 WO2005029328A1 (en) 2003-09-18 2004-09-17 Operating system and recording medium containing the same

Country Status (2)

Country Link
JP (1) JPWO2005029328A1 (en)
WO (1) WO2005029328A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008114560A1 (en) * 2007-02-21 2008-09-25 Nec Corporation Computer, operation rule application method, and operating system
JP5326063B1 (en) * 2012-09-11 2013-10-30 アンラブ,インコーポレイテッド Malicious shellcode detection apparatus and method using debug events

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03273346A (en) * 1990-03-22 1991-12-04 Nec Corp Dynamic call relation analyzing system by symbolic debugger
JP2003515219A (en) * 1999-11-14 2003-04-22 クリックネット ソフトウエア,インク. Method and system for inhibiting application program interface
JP2004126854A (en) * 2002-10-01 2004-04-22 Mitsubishi Electric Corp Attack countermeasure system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03273346A (en) * 1990-03-22 1991-12-04 Nec Corp Dynamic call relation analyzing system by symbolic debugger
JP2003515219A (en) * 1999-11-14 2003-04-22 クリックネット ソフトウエア,インク. Method and system for inhibiting application program interface
JP2004126854A (en) * 2002-10-01 2004-04-22 Mitsubishi Electric Corp Attack countermeasure system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KITAZAWA, S. ET AL.: "Behavior Blocking Hoshiki ni Motozuku Kumikomi Device no Hogo", JOHO SORI GAKKAI KENKYU HOKOKU (2003-DPS-113), vol. 2003, no. 64, 19 June 2003 (2003-06-19), pages 7 - 12, XP002986255 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008114560A1 (en) * 2007-02-21 2008-09-25 Nec Corporation Computer, operation rule application method, and operating system
JP5131563B2 (en) * 2007-02-21 2013-01-30 日本電気株式会社 Computer, operation rule application method, operating system
JP5326063B1 (en) * 2012-09-11 2013-10-30 アンラブ,インコーポレイテッド Malicious shellcode detection apparatus and method using debug events

Also Published As

Publication number Publication date
JPWO2005029328A1 (en) 2007-11-15

Similar Documents

Publication Publication Date Title
CA2856268C (en) Methods of detection of software exploitation
TW594493B (en) New processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor
JP6185487B2 (en) Keeping secure data isolated from non-secure access when switching between domains
JP6370098B2 (en) Information processing apparatus, information processing monitoring method, program, and recording medium
US9804948B2 (en) System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing
JP2018041438A5 (en)
JP2018041438A (en) System and method for detecting malicious codes in file
JP5398427B2 (en) Hardware-based mandatory access control
US9542557B2 (en) Snoop-based kernel integrity monitoring apparatus and method thereof
JP6984710B2 (en) Computer equipment and memory management method
US20220129343A1 (en) Systems and methods for reducing exception latency
US20050044292A1 (en) Method and apparatus to retain system control when a buffer overflow attack occurs
WO2004075060A1 (en) Computer virus detection device
JP5131563B2 (en) Computer, operation rule application method, operating system
JP2005316599A (en) Interrupt controller
KR20170060815A (en) A Electronic Device And Method For Protecting The Kernel Space of the Memory
WO2005029328A1 (en) Operating system and recording medium containing the same
US20050138263A1 (en) Method and apparatus to retain system control when a buffer overflow attack occurs
US11403231B2 (en) Prevention of hash-based API importing
JP4627266B2 (en) Information leakage prevention system due to unknown malware
Wen et al. Towards thwarting data leakage with memory page access interception
Hu et al. BIFI: Architectural support for information flow integrity measurement
US20240111857A1 (en) Secure execution of a file on a copy device in a virtualized computing environment
US20230013428A1 (en) Function execution in system management modes
US20080189525A1 (en) Implementing a two phase open firmware driver in adapter fcode

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BW BY BZ CA CH CN CO CR CU CZ DK DM DZ EC EE EG ES FI GB GD GE GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MK MN MW MX MZ NA NI NO NZ PG PH PL PT RO RU SC SD SE SG SK SY TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SZ TZ UG ZM ZW AM AZ BY KG MD RU TJ TM AT BE BG CH CY DE DK EE ES FI FR GB GR HU IE IT MC NL PL PT RO SE SI SK TR BF CF CG CI CM GA GN GQ GW ML MR SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2005514058

Country of ref document: JP

122 Ep: pct application non-entry in european phase