WO2020136793A1 - Information processing device, information processing method, and information processing program - Google Patents


Info

Publication number
WO2020136793A1
Authority
WO (WIPO (PCT))
Prior art keywords
variable, information, vulnerability, unit, type
Application number
PCT/JP2018/048085
Other languages
French (fr), Japanese (ja)
Inventors
武 植田, 孝一 清水, 俊 日夏, 雅道 丹治
Original Assignee
三菱電機株式会社
Application filed by 三菱電機株式会社
Priority to PCT/JP2018/048085 (WO2020136793A1) and JP2019520661A (JP6599053B1)
Publication of WO2020136793A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 11/00 Error detection; Error correction; Monitoring
            • G06F 11/36 Preventing errors by testing or debugging software
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
          • G06F 8/00 Arrangements for software engineering
            • G06F 8/70 Software maintenance or management

Definitions

  • The present invention relates to vulnerability analysis.
  • A threat analysis is performed to identify the threats that must not occur in the development target system (for example, threats such as eavesdropping on confidential information flowing through communication channels are identified). Then, based on the result of the threat analysis, the policy of the measures for preventing each threat is examined (for example, it is determined that the communication path must be encrypted).
  • Next, the security function and the operation method suitable for the concrete implementation of the processing that realizes the development target system, and for the program that realizes that processing, are examined, and the results are incorporated into the design and implementation.
  • An analysis is then performed to confirm whether the designed and implemented program is vulnerable.
  • A conventional vulnerability analysis device analyzes the source code of a program using an analysis technique such as taint analysis according to predetermined rules (for example, Patent Document 1).
  • A method has also been proposed in which the specifications of a program are formally described by a model, and a mathematical method such as model checking is used to prove whether the behavior of the program satisfies a property that gives rise to a vulnerability (for example, Patent Document 2).
  • In the former method, the source code of the program is analyzed according to predetermined rules. For this reason, it cannot confirm vulnerabilities caused by omissions or errors in the design and implementation of the security measures that were examined after the threat analysis in the upstream process.
  • In the latter method, verification is possible only after the property to be proved has been defined or selected. To define or select that property correctly, it is necessary to understand in detail what the design and implementation specifications should be.
  • However, the threat analysis is conducted in the upstream development phase, where the design and implementation specifications are still undecided. It is therefore extremely troublesome to associate the threat analysis result with the design and implementation specifications of the program in order to define or select the property to be proved. Further, in the method of statically analyzing the specifications of the program, analyzing the entire program requires a large amount of computer resources such as memory and a long calculation time.
  • It is therefore useful to clarify the relationship between the part of the program (the program executed by the device) that contains the security measures taken after the threat analysis in the upstream process, the information assets used by the device, and the vulnerabilities. From this point of view, the present invention mainly aims to contribute to clarifying the correspondence between the part of the program, the information asset, and the vulnerability.
  • The information processing device according to the present invention includes: a variable discrimination unit that discriminates the type of each of a plurality of variables included in the program executed by the device; and a candidate generation unit that compares the type of each of the plurality of variables discriminated by the variable discrimination unit with the type of each of a plurality of information assets used by the device, and generates one or more candidates for the correspondence relationship between each of the plurality of information assets and each of the plurality of variables.
  • According to the present invention, candidates for the correspondence relationship between the variables included in the program executed by a device and the information assets used by the device are generated. This can contribute to clarifying the correspondence between the part of the program, the information asset, and the vulnerability.
  • FIG. 2 is a flowchart showing an operation example of the vulnerability analysis device according to the first embodiment.
  • FIG. 4 is a diagram showing an example of a program specification according to the first embodiment.
  • FIG. 5 is a diagram showing an example of a correspondence relationship between constituent elements and program specifications according to the first embodiment.
  • FIG. 6 is a diagram showing an example of a threat analysis result according to the first embodiment.
  • FIG. 7 is a flowchart showing an operation example of the variable discrimination unit according to the first embodiment.
  • FIG. 9 is a diagram showing an example of a program variable processing relation according to the first embodiment.
  • FIG. 6 is a diagram showing an example of an operation of extracting a related threat list according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a threat-vulnerability type correspondence DB according to the first embodiment.
  • Embodiment 1. Description of the configuration. The configuration of the vulnerability analysis device 10 according to the first embodiment will be described with reference to FIG.
  • The vulnerability analysis device 10 corresponds to an information processing device.
  • The vulnerability analysis device 10 is a computer.
  • The vulnerability analysis device 10 includes hardware such as a processor 11, a memory 12, a storage 13, and a communication interface 14.
  • The processor 11 is connected to the other hardware via signal lines and controls that other hardware.
  • The processor 11 is an IC (Integrated Circuit) that performs processing.
  • The processor 11 is, as a specific example, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
  • In FIG. 1, only one processor 11 is shown. However, a plurality of processors 11 may be provided, and the plurality of processors 11 may cooperate in executing the programs that implement the respective functions.
  • The memory 12 is a storage device that temporarily stores data for the processing of the processor 11.
  • The memory 12 is, for example, an SRAM (Static Random Access Memory) or a DRAM (Dynamic Random Access Memory).
  • The storage 13 is a storage device that stores data.
  • The storage 13 is, as a specific example, an HDD (Hard Disk Drive). The storage 13 may also be an SSD (Solid State Drive).
  • The storage 13 may also be a portable recording medium such as an SD (Secure Digital, registered trademark) memory card, CF (CompactFlash, registered trademark), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD (Digital Versatile Disk).
  • The communication interface 14 is an interface for communicating with an external device.
  • The communication interface 14 is, as a specific example, an Ethernet (registered trademark), USB (Universal Serial Bus), or HDMI (registered trademark, High-Definition Multimedia Interface) port.
  • The vulnerability analysis device 10 has, as functional components, a first reception unit 21, a variable determination unit 22, a candidate generation unit 23, a second reception unit 24, a related threat extraction unit 25, a vulnerability candidate extraction unit 26, and a vulnerability analysis unit 27.
  • The second reception unit 24 corresponds to the output unit.
  • The function of each functional component of the vulnerability analysis device 10 is realized by a program.
  • The program that realizes the function of each functional component of the vulnerability analysis device 10 is stored in the storage 13. This program is read into the memory 12 by the processor 11 and executed by the processor 11. The function of each functional component of the vulnerability analysis device 10 is thereby realized.
  • Each functional component of the vulnerability analysis device 10 may read the information that determines the analysis operation performed by the program, and the information that determines the determination conditions, from a database or setting file stored in the storage 13. Alternatively, the information that determines the analysis operation and the information that determines the determination conditions may be part of the program. For example, in the present embodiment, the variable discrimination unit 22 reads the processing type DB 31 and changes its analysis operation accordingly, and the vulnerability candidate extraction unit 26 reads the threat-vulnerability correspondence DB 32 and changes its analysis operation accordingly.
  • In FIG. 1, a structure with only one vulnerability analysis device 10 is illustrated.
  • However, a plurality of computers may be connected via a network, and the plurality of computers may cooperate to form a vulnerability analysis system.
  • An input/output device with which the user inputs to and receives output from the vulnerability analysis device 10 is connected via the communication interface 14.
  • Alternatively, the vulnerability analysis device 10 may be provided with an interface for input and output, and the user may operate the vulnerability analysis device 10 directly.
  • The operation of the vulnerability analysis device 10 according to the first embodiment will be described with reference to FIGS. 2 to 15.
  • The operation of the vulnerability analysis device 10 described below corresponds to an information processing method and an information processing program.
  • FIG. 2 is a flowchart showing the overall operation of the vulnerability analysis device 10 according to the first embodiment.
  • The first reception unit 21 receives the input of the various information required for the analysis (step S1).
  • Specifically, the first reception unit 21 accepts the information asset flow 41 (FIG. 3), the program specification 42 (FIG. 4), the correspondence relationship 43 between constituent elements and program specifications (FIG. 5), and the threat analysis result 44 (FIG. 6).
  • The variable discrimination unit 22 extracts the variables included in the program represented by the program specification 42 and discriminates the type of each extracted variable (step S2).
  • The program specification 42 is information that describes the program (source code) to be executed by the development target device, or the characteristics of that program, for example a flowchart, a UML (Unified Modeling Language) or SysML activity diagram, or a sequence diagram.
  • As the type of the extracted variable, the variable determination unit 22 determines whether the extracted variable is an input variable, an output variable, or an internally used variable.
  • The candidate generation unit 23 generates candidates for the correspondence relationship between the information assets and the variables (step S3).
  • Specifically, the candidate generation unit 23 compares the type of each variable determined by the variable determination unit 22 with the type of each information asset used by the device, and generates one or more candidates for the correspondence relationship between the information assets and the variables.
  • An information asset is information that the threat analysis has determined to be used by a component (device).
  • The information assets of the constituent elements (devices) are described in the information asset flow 41 (FIG. 3).
  • The types of information assets are input information assets, which are input to the device; output information assets, which are output from the device to the outside; and internal use information assets, which are used inside the device.
  • The candidate generation unit 23 associates input information assets with input variables, output information assets with output variables, and internal use information assets with internal use variables to generate the candidates for the correspondence relationship.
  • When there are a plurality of correspondence relationship candidates, the second reception unit 24 outputs them and receives the selection of a correspondence relationship by the user of the vulnerability analysis device 10 (step S4). That is, the second reception unit 24 displays the plurality of correspondence relationship candidates on, for example, the input/output device, the user of the vulnerability analysis device 10 selects the applicable correspondence relationship from among the displayed candidates, and the second reception unit 24 receives that selection from the user.
  • The related threat extraction unit 25 extracts the related threats based on the correspondence between the information assets and the variables (step S5). That is, when only one correspondence relationship candidate was generated in step S3, the related threat extraction unit 25 extracts the related threats based on that single candidate. When a plurality of candidates were generated in step S3 and the selection of a correspondence relationship was accepted in step S4, the related threats are extracted based on the correspondence relationship selected in step S4. Specifically, the related threat extraction unit 25 extracts the related threats from the threat analysis result 44 (FIG. 6) received in step S1.
  • The vulnerability candidate extraction unit 26 extracts candidates for the types of vulnerabilities that may be used in attacks leading to the related threats (step S6).
  • The vulnerability analysis unit 27 performs a vulnerability analysis to check whether a candidate type of vulnerability may occur in the description of the program specification 42, and outputs the analysis result (step S7).
  • The first reception unit 21 accepts the information asset flow 41 (FIG. 3), the program specification 42 (FIG. 4), the correspondence relationship 43 between constituent elements and program specifications (FIG. 5), and the threat analysis result 44 (FIG. 6).
  • The user operates the input/output device connected via the communication interface 14 to input the information asset flow 41, the program specification 42, the correspondence relationship 43 between the constituent elements and the program specification, and the threat analysis result 44.
  • The first reception unit 21 receives the information asset flow 41, the program specification 42, the correspondence relationship 43 between the constituent elements and the program specification, and the threat analysis result 44 input via the communication interface 14, and writes each of them in the memory 12.
  • The information asset flow 41 organizes the flow of information assets after the threat analysis has been performed.
  • The information asset flow 41 is generated for each device included in the development target system.
  • The information asset flow 41 includes a component 411, which is a component (device) constituting the development target system; a related element 412, which is a component (device) related to the component 411; the connection relation 413 between them; the information asset name 414; and the information asset type 415.
  • The types of information assets are the input information assets, the output information assets, and the internal use information assets. There may also be types of information assets other than these three.
  • "Input" is a flow of information assets into the constituent element 411 from outside the constituent element 411.
  • "Output" is a flow of information assets from the component 411 to the outside of the component 411.
  • "Internal use" is a flow of information assets used only inside the component 411.
  • The information asset flow 41 can be represented by a diagram obtained by extending the UML communication diagram, as shown in FIG.
  • In the diagram, a rectangle represents the constituent element 411 or the related element 412.
  • The component 411 is the "controller" in the example of FIG.
  • The related elements 412 are the "HMI" and the "device" in the example of FIG.
  • The connection relation 413 is represented by a solid line connecting the constituent element 411 and the related element 412.
  • An arrow is shown near each connection relation 413. These arrows represent the flow of information assets, and the direction of an arrow represents the flow direction of the information asset.
  • A line whose starting point is a circle extends from the controller independently of any connection relation 413. This line also represents a flow of information assets.
  • This line indicates that there is no flow between the component 411 and a related element 412, that is, that the information asset is an internal use information asset.
  • The character string placed near the flow line of an information asset is the name 414 of the information asset handled by that flow.
  • The character string enclosed in << >> is the information asset type 415.
  • For example, the arrow from the HMI to the controller in FIG. 3 means that the information asset "command" flows from the "HMI" to the "controller", and indicates that the type 415 of the information asset is "input" (input information asset) from the standpoint of the "controller".
  • The line with a round starting point extending from the "controller" indicates that the type 415 of the information asset "MAC key" is "internal use" (internal use information asset), that is, that the information asset "MAC key" is used inside the controller.
  • The information asset flow 41 corresponds to the information asset information.
  • The program specification 42 includes a name 421 of the program to be subjected to vulnerability analysis, and the program processing content 422, which expresses the flow of data (data flow) and the flow of processing (control flow).
  • The program specification 42 describes the logic of the whole or a part of the program executed by a device (corresponding to the component 411 of FIG. 3) included in the development target system after the threat analysis is performed.
  • The program specification 42 is described for each device included in the development target system.
  • For devices and programs that are not subject to vulnerability analysis, the program specification 42 need not be input to the vulnerability analysis device 10.
  • The program specification 42 is specifically a source code or a program model.
  • A program model is information that describes the structure and operation of a program in a diagram, such as a flowchart, UML, or SysML.
  • The program model also covers UML or SysML activity diagrams and sequence diagrams, DFDs, block diagrams used in control engineering, and the like.
  • The program model is described and stored in a data format capable of expressing a hierarchical structure, so that the processor 11 (variable discrimination unit 22) can process its contents.
  • FIG. 4 shows an example of the program specification 42 for the communication processing of the component "controller" with the HMI.
  • In this example, part of the operation of the program running on the controller is described in the form of ordinary C language source code.
  • The program name 421 is "PROGRAM_C.C", and the program processing content 422 is the C language description.
  • Here the program name 421 is shown as the file name of the C language source code, but any format can be used as long as the vulnerability analysis device 10 can uniquely identify each program specification 42.
  • The program name 421 is used in the correspondence relationship 43 between constituent elements and program specifications described later.
  • The correspondence relationship 43 between constituent elements and program specifications shows the correspondence between the constituent element 431 to be subjected to the vulnerability analysis and the program specification 432.
  • The correspondence relationship 43 between constituent elements and program specifications can be expressed as a table, for example as shown in FIG. 5.
  • In FIG. 5, there are two program specifications 42 to be inspected for the constituent element "controller", namely "PROGRAM_C.C" and "PROGRAM_D.C".
  • The threat analysis result 44 shows the result of the threat analysis of the development target system.
  • The threat analysis result 44 includes a threat 441, a component 442, related information assets 443, and a threat type 444.
  • The threat 441 shows the content of the threat.
  • The component 442 indicates the component or connection relationship in which the threat occurs.
  • The related information assets 443 indicate the information assets related to the threat.
  • The threat type 444 indicates the type of influence on the information asset when the threat occurs.
  • The threat type 444 indicates, for example, one of C, I, and A, which are generally used to indicate the attributes of information security: C means confidentiality, I means integrity, and A means availability.
  • The threat analysis result 44 can be represented in table format, for example as shown in FIG. 6. In the example of FIG.
  • Step S2 of FIG. 2: program variable processing relation analysis processing
  • The variable discrimination unit 22 discriminates the type of each variable included in the program specification 42 accepted in step S1 based on the process in which the variable is used, and analyzes the propagation relation between the variables and the processing order. More specifically, the variable determination unit 22 determines whether the process in which a variable is used is an input process, an output process, or an internal use process.
  • The input process is a process that inputs a value from outside the device.
  • The output process is a process that outputs a value to the outside of the device.
  • The internal use process is a process that uses a value inside the device.
  • The variable determination unit 22 determines the type of the variable based on the type of the process.
  • The propagation relation between variables is the relation by which values propagate between variables within the program.
  • FIG. 7 is a flowchart illustrating an operation example of the variable discrimination unit 22.
  • The variable discrimination unit 22 reads the various information required for the analysis from the memory 12 (step S21).
  • The variable discrimination unit 22 extracts the variables included in the program specification 42 (step S22).
  • The variable determination unit 22 determines the type of each extracted variable (step S23).
  • The variable discrimination unit 22 analyzes the propagation relation and processing order of each variable whose type has been discriminated (step S24).
  • The variable discrimination unit 22 writes the analysis result in the memory 12 (step S25).
  • In step S21, the variable determination unit 22 reads the process type DB 31 from the storage 13 and writes it in the memory 12.
  • Then, in step S21, the variable discrimination unit 22 reads out the information of the program specification 42 and the processing type DB 31 from the memory 12.
  • The program specification 42 here is the program specification 42 accepted in step S1.
  • The process type DB 31 includes a process name 311 and a process type 312.
  • The process name 311 indicates the name of a process included in the program specification 42.
  • The process type 312 indicates which of the input process, the output process, and the internal use process (security process) the process indicated by the process name 311 corresponds to.
  • The input process is described as Input.
  • The output process is described as Output.
  • The internal use process (security process) is described as Security.
  • The process indicated by the process name 311 is a function, a method, or the like. In the example of FIG. 8, the processing type of the process named receiveMessage is input processing (Input).
  • In step S22, the variable discrimination unit 22 extracts the variables from the program specification 42 read in step S21.
  • The variable extraction process differs depending on the description method of the program specification 42.
  • The variables can be extracted using the lexical analysis and syntax analysis techniques used by compilers.
  • For other description methods, the variable discrimination unit 22 likewise extracts the variables according to the respective description rules.
  • In step S23, the variable determination unit 22 determines the type of each variable extracted in step S22.
  • Specifically, the variable discrimination unit 22 checks whether each extracted variable is used in the processing of the function, method, or the like indicated by the processing name 311 in the processing type DB 31. "Used in the processing" means that the variable is used as an argument of the function or method, or as the return value of the function or method.
  • For a variable that is so used, the variable determination unit 22 determines the variable type from the process type 312 of the target process. In this way, as described above, the variable discrimination unit 22 discriminates the type of the variable based on the type of the process.
  • When the processing type is "Input", the variable determination unit 22 determines variables used as the return value or as an argument passed by address (including arguments passed by reference) to be "input variables". When the processing type is "Output", the variable determination unit 22 determines a variable used as an argument passed by value to be an "output variable", a variable used as an argument passed by address to be both an "input variable" and an "output variable", and a variable used as the return value to be an "input variable".
  • The variable determination unit 22 then considers the variables that have not been determined to be of any type and that are used in a conditional statement whose processing type is "Security"; such a variable, used as an argument or return value of the function, is determined to be an "internal use variable".
  • Each occurrence of a variable is treated separately. For example, when the same variable msg can be determined to be of a different variable type at a location other than the location where msg is determined to be an input variable, the variable determination unit 22 treats each occurrence as a different variable. To allow occurrences with the same variable name to be distinguished, the variable discrimination unit 22 identifies each variable uniquely in the format variable name:line number, such as msg:12.
  • In the above, the variable determination unit 22 determines the variable type from the processing type using the information in the processing type DB 31 in step S23.
  • The processing type may be determined based on rules generated in advance as described above, or by logic set in the variable determination unit 22.
  • Further, in the above, whether a variable is an "input variable" or an "output variable" is determined according to how the variable is handled in the function and the process type assigned to the function in advance, and a variable that satisfies a certain condition is determined to be an "internal use variable". However, other rules may be used for determining the variable type. In the present embodiment, the above determination rules are assumed to be stored inside the variable determination unit 22, but they may instead be stored in a file or a database, and they may be changed.
  • In step S24, the variable determination unit 22 analyzes the propagation relation and processing order of each variable whose type was determined in step S23.
  • The propagation relation is the data flow by which the value of a variable determined to be an "input variable" propagates to other variables.
  • The variable discrimination unit 22 can analyze the propagation relation from the assignment relations between variables, as in existing static code analysis. For example, when the process type DB 31 shown in FIG. 8 is applied to the program specification 42 shown in FIG. 4, the variable discrimination unit 22 obtains the propagation relation 453 shown in FIG.
  • In step S25, the variable discrimination unit 22 writes the results analyzed in steps S21 to S24 in the memory 12 as the program variable processing relation 45 (FIG. 9).
  • The program variable processing relation 45 represents the analysis result of the variable discrimination unit 22 for the variables in the program specification 42.
  • The program variable processing relation 45 includes a variable type 451, a variable name 452, and a propagation relation 453.
  • The variable type 451 shows the variable type obtained by the analysis of the variable discrimination unit 22.
  • The variable name 452 shows the name of the variable.
  • The propagation relation 453 shows the data flow (propagation relation) by which the value of a variable determined to be an "input variable" propagates to other variables.
  • In the example, the variable msg has the variable type "input variable", and its value propagates to the output variables dev and val.
  • Step S3 of FIG. 2 information property-variable correspondence estimation process
  • the candidate generation unit 23 generates a candidate for the correspondence relationship between the information asset and the variable based on the information asset flow 41 input in step S1 and the program variable processing relationship 45 obtained in step S2.
  • the candidate generator 23 reads the information asset flow 41 and the program variable processing relationship 45 from the memory 12. Next, the candidate generation part 23 maps the “input” of the information asset flow 41 and the “input variable” of the program variable processing relation 45. Similarly, the candidate generation unit 23 maps the “output” of the information asset flow 41 and the “output variable” of the program variable processing relation 45. Further, the candidate generation unit 23 maps the “internal use” of the information asset flow 41 and the “internal use variable” of the program variable processing relation 45. In this way, the candidate generator 23 generates all combinations of information assets and variables of the program specifications 42. Then, the candidate generation unit 23 writes the generated correspondence relationship candidates in the memory 12 as the information asset-variable correspondence relationship candidates 46.
  • the information asset-variable correspondence relationship candidate 46 includes a candidate name 461, an input or internal use information asset 462, a variable name 463, a propagation relationship 464, and an output information asset 465.
  • the command which is the input information asset is associated with the variables len and msg.
  • the value that is the input information asset is associated with the variable ans.
  • the MAC key which is an information asset for internal use, is associated with the variable key.
  • the instruction that is the output information asset is associated with the variables dev and val.
  • the response, which is the output information asset is associated with the variable ret.
  • the plurality of candidates shown in the information asset-variable correspondence candidate 46 are different from each other.
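Steps S2 and S3 above (variable typing, propagation analysis and candidate generation) as an added, runnable Python model. This is an example written for this page, not the patent's or Mitsubishi's code. The process type DB, the program specification with its function names (recv, read_sensor, load_key, send, mac, parse_dev, parse_val) and the typing rule are assumptions chosen so that the variables match FIG. 4, FIG. 9 and FIG. 10; the functions work on an arbitrary statement list and asset flow, which goes beyond the single example in the text.

```python
from itertools import product

# Process type DB (analogue of FIG. 8).  Function names are assumed.
PROCESS_TYPE_DB = {
    "recv": "input",         # receives data from the HMI
    "read_sensor": "input",  # reads a value from the device
    "load_key": "internal",  # fetches key material from secure storage
    "send": "output",        # transmits to the HMI or the device
}

# Constructed program specification using the variable names of FIG. 4.
# Statement = (result variable or None, called function or None, argument variables);
# function None means a plain assignment "result = args[0]".
PROGRAM_SPEC = [
    ("len", "recv", ["sock"]),
    ("msg", "recv", ["sock"]),
    ("ans", "read_sensor", []),
    ("key", "load_key", []),
    ("tag", "mac", ["key", "msg"]),      # mac is not in the DB: an intermediate computation
    ("dev", "parse_dev", ["msg"]),
    ("val", "parse_val", ["msg"]),
    (None, "send", ["dev"]),
    (None, "send", ["val"]),
    ("ret", None, ["ans"]),
    (None, "send", ["ret"]),
]

# Information asset flow (analogue of FIG. 3): asset -> input / output / internal.
ASSET_FLOW = {
    "command": "input",
    "value": "input",
    "MAC key": "internal",
    "instruction": "output",
    "response": "output",
}


def classify_variables(spec, process_db):
    """Step S23 analogue.  Assumed rule: the result of an 'input' function is an
    input variable, an argument of an 'output' function is an output variable and
    the result of an 'internal' function is an internal use variable.  Variables
    that match no rule (tag, sock) stay untyped and take part in no candidate."""
    types = {}
    for result, func, args in spec:
        ptype = process_db.get(func)
        if ptype == "input" and result is not None:
            types[result] = "input variable"
        elif ptype == "output":
            for arg in args:
                types[arg] = "output variable"
        elif ptype == "internal" and result is not None:
            types.setdefault(result, "internal use variable")
    return types


def propagation(spec, process_db, types):
    """Step S24 analogue: for each input variable, the output variables its value
    reaches through assignments and computations (transitive closure)."""
    successors = {}
    for result, func, args in spec:
        # Sinks (no result) and fresh inputs carry no data from their arguments.
        if result is None or process_db.get(func) == "input":
            continue
        for arg in args:
            successors.setdefault(arg, set()).add(result)
    flows = {}
    for var, vtype in types.items():
        if vtype != "input variable":
            continue
        reached, stack = set(), [var]
        while stack:
            for nxt in successors.get(stack.pop(), ()):
                if nxt not in reached:
                    reached.add(nxt)
                    stack.append(nxt)
        flows[var] = sorted(v for v in reached if types.get(v) == "output variable")
    return flows


def candidate_correspondences(types, asset_flow):
    """Step S3 analogue: every assignment of each typed variable to an information
    asset of the same type ("all combinations" in the text).  Each candidate is a
    {variable: asset} dict; several variables may share one asset, as len and msg
    share "command" in FIG. 10."""
    kind = {"input variable": "input", "output variable": "output",
            "internal use variable": "internal"}
    variables = sorted(types)
    choices = [[a for a, t in asset_flow.items() if t == kind[types[v]]] for v in variables]
    return [dict(zip(variables, combo)) for combo in product(*choices)]


if __name__ == "__main__":
    types = classify_variables(PROGRAM_SPEC, PROCESS_TYPE_DB)
    flows = propagation(PROGRAM_SPEC, PROCESS_TYPE_DB, types)
    for var in sorted(types):                      # program variable processing relation 45
        print(f"{types[var]:22} {var:4} -> {flows.get(var, [])}")
    candidates = candidate_correspondences(types, ASSET_FLOW)
    print(len(candidates), "candidates; first:", candidates[0])
```

Running the module prints the program variable processing relation 45 (type, name, propagation) and the candidate count. With three input variables against two input assets, three output variables against two output assets and one internal pair, 2^3 * 1 * 2^3 = 64 candidates result, which is why the user selection of step S4 (or a ranking of the candidates) is needed before any threat is mapped onto variables.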
  • Step S4 of FIG. 2: second reception process
  • When the information asset-variable correspondence relationship candidates 46 (FIG. 10) generated in step S3 include a plurality of correspondence relationship candidates, the second reception unit 24 outputs the candidates 46 and then receives the correspondence relationship between information assets and variables selected by the user.
  • the second reception unit 24 reads out the information asset-variable correspondence candidate 46 from the memory 12.
  • the second reception unit 24 sends the information asset-variable correspondence candidates 46 to the input/output device via the communication interface 14, and the input/output device displays them.
  • the user operates the input/output device to select the information asset-variable correspondence 47 from the information asset-variable correspondence candidates 46.
  • the selected information asset-variable correspondence 47 is input to the second reception unit 24 via the communication interface 14.
  • the second receiving unit 24 receives the information asset-variable correspondence 47 input via the communication interface 14. Further, the second accepting unit 24 writes the accepted information asset-variable correspondence 47 in the memory 12.
  • the information asset-variable correspondence relationship 47 is the one of the candidates included in the information asset-variable correspondence relationship candidates 46 that shows the actual correspondence between information assets and variables. As shown in FIG. 10, the candidates 46 also carry the propagation relationship and the processing order, so the user can select the correspondence 47 with those in mind. Here, it is assumed that candidate 1 of FIG. 10 is selected as the information asset-variable correspondence 47. If the candidates 46 contain only one candidate, step S4 is not performed, and that single candidate is hereinafter referred to as the information asset-variable correspondence 47.
  • Step S5 of FIG. 2: related threat extraction process
  • the related threat extraction unit 25 extracts the list of threats related to the program specification 42 as the related threat list 48, based on the information asset-variable correspondence 47. The related threat list 48 is extracted for each program specification 42.
  • the related threat extraction unit 25 reads the threat analysis result 44 (FIG. 6) and the correspondence 43 (FIG. 5) between the constituent elements and the program specifications from the memory 12. Then, for each entry of the correspondence 43 in turn, the related threat extraction unit 25 reads from the memory 12 the information asset flow 41 (FIG. 3) corresponding to the content of the constituent element 431 and the information asset-variable correspondence 47 corresponding to the content of the program specification 432. Using the information asset flow 41 and the information asset-variable correspondence 47, the related threat extraction unit 25 then extracts the threats related to the program specification 42 from the threat analysis result 44 (FIG. 6); the details are described later with reference to FIG. 11.
  • the related threat extraction unit 25 writes the extracted result as the related threat list 48 in the memory 12 in association with the processed program specification 42.
  • the related threat extracting unit 25 performs these operations for all the entries of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications.
  • the related threat extraction unit 25 extracts a related threat by the operation shown in FIG. 11, for example.
  • the related threat extraction unit 25 searches the threat analysis result 44 (FIG. 6) for entries whose constituent element 442 contains the constituent element 431 of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications, and tentatively extracts the content of the threat 441 of each entry found. For example, when threat extraction is performed on PROGRAM_C.C, the component on which PROGRAM_C.C operates is the controller, so the related threat extraction unit 25 searches the threat analysis result 44 (FIG. 6) for entries whose component 442 includes “controller”. In the threat analysis result 44 (FIG. 6), the entries “HMI-controller”, “controller”, and “controller-device” are obtained (procedure (1) in FIG. 11). The related threat extraction unit 25 then tentatively extracts “tampering of unencrypted communication”, “leakage by guess”, “tampering by resending”, and “DoS by resending” described in the threat 441 of these entries (procedure (2) in FIG. 11).
  • Next, the related threat extraction unit 25 determines which of the tentatively extracted entries are actually related to the program specification 42, and formally extracts the content of the threat 441 of those entries.
  • Specifically, for each entry obtained in procedure (1) of FIG. 11 (line numbers 4 to 13), the related threat extraction unit 25 determines whether each of the related information assets 443 (“command”, “response”, “MAC key”, “instruction”, “value”, and “status”) is associated with a variable in the information asset-variable correspondence 47 (FIG. 10). In the information asset-variable correspondence 47 of FIG. 10, all information assets other than “status” are associated with variables.
  • Therefore, the related threat extraction unit 25 formally extracts the content of the threat 441 on lines 4 to 11 of FIG. 11 (procedure (3) in FIG. 11), and writes the extracted content of the threat 441 in the memory 12 as the related threat list 48. An entry whose related information asset (here “status”) corresponds to no variable of the program specification 42 is not carried over, since the program specification cannot be inspected for a threat against data it never handles.
  • the related threat list 48 is a part of the threat analysis result 44 extracted by the extraction processing illustrated in FIG. 11.
  • the related threat list 48 is stored in association with the related program specifications 42 (FIG. 4). Further, the related threat list 48 may be associated with the entry of the correspondence relationship 43 (FIG. 5) between the component and the program specification.
  • Step S6 of FIG. 2: related vulnerability candidate extraction process
  • the vulnerability candidate extraction unit 26 extracts, for the relevant program specification 42 (FIG. 4) and for each related threat, the vulnerability type candidates 49 to be inspected, i.e. the vulnerability types that may be exploited in an attack realizing that threat, based on the related threat list 48 (FIG. 12) extracted in step S5 and the threat-vulnerability type correspondence DB 32 (FIG. 13).
  • the vulnerability candidate extraction unit 26 reads the threat-vulnerability type correspondence DB 32 from the storage 13 and writes the threat-vulnerability type correspondence DB 32 in the memory 12.
  • the vulnerability candidate extraction unit 26 reads the correspondence 43 (FIG. 5) between the constituent elements and the program specifications from the memory 12.
  • the vulnerability candidate extraction unit 26 processes each entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications in turn, and reads the related threat list 48 (FIG. 12) corresponding to the program specification 432 from the memory 12.
  • for each threat described in the related threat list 48, the vulnerability candidate extraction unit 26 refers to the entry of the threat-vulnerability type correspondence DB 32 for that threat and obtains the candidate vulnerability types related to the threat from its vulnerability type list 322.
  • the vulnerability candidate extraction unit 26 writes the acquired vulnerability type candidates as vulnerability type candidates 49 (FIG. 14) in the memory 12 in association with each threat.
  • the vulnerability candidate extraction unit 26 does this for all threats.
  • the vulnerability candidate extraction unit 26 continues the same process for the next entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications, and extracts the vulnerability type candidates 49 for all the entries.
  • the threat-vulnerability type correspondence DB 32 can be represented in a table format as shown in FIG.
  • the threat-vulnerability type correspondence DB 32 includes information on a threat 321 and a vulnerability type list 322 corresponding to the threat.
  • the vulnerability type list 322 lists the vulnerability types corresponding to each threat. If the threat-vulnerability type correspondence DB 32 has no entry for a threat, or has an entry but no corresponding vulnerability type is described in it, the vulnerability candidate extraction unit 26 may include, in the result output of the vulnerability analysis in step S7 described later, an indication that there is no vulnerability candidate corresponding to that threat for the program specification 42. Without such an indication, an empty candidate list would be indistinguishable from “inspected and found clean”, and the threat would silently drop out of the analysis.
  • the vulnerability type candidate 49 is information in which the threat 441, the component 442, the related information assets 443, and the threat type 444 of the related threat list 48 are associated with the vulnerability type list 322 of the threat-vulnerability type correspondence DB 32. Unlike FIG. 14, the vulnerability type candidate 49 may include only the threat 441, the related information assets 443, and the vulnerability type list 322. Further, the vulnerability type candidate 49 may include an element not shown in FIG. 14.
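Steps S5 and S6 (procedures (1) to (3) of FIG. 11 followed by the DB lookup), as one added Python example covering both steps; it is not the patent's code. The threat analysis result, the contents of the threat-vulnerability type correspondence DB and the entry numbering are constructed; the threat names, the components and the unmapped “status” asset follow the text. Two points the text leaves open are decided here and marked as assumptions in the code: components are matched as “-”-separated tokens rather than raw substrings, and an entry is kept only when all of its related assets are mapped to a variable.

```python
# Threat analysis result 44 (analogue of FIG. 6).  Constructed entries: the threat
# names and components follow the example in the text, the numbering, related
# assets and threat types (C/I/A) are assumed.
THREAT_ANALYSIS_RESULT = [
    {"no": 1, "threat": "eavesdropping on operator input", "component": "HMI",
     "assets": ["operation"], "type": "C"},
    {"no": 4, "threat": "tampering of unencrypted communication", "component": "HMI-controller",
     "assets": ["command", "response"], "type": "I"},
    {"no": 6, "threat": "leakage by guess", "component": "controller",
     "assets": ["MAC key"], "type": "C"},
    {"no": 8, "threat": "tampering by resending", "component": "controller-device",
     "assets": ["instruction", "value"], "type": "I"},
    {"no": 9, "threat": "DoS by resending", "component": "controller-device",
     "assets": ["instruction"], "type": "A"},
    {"no": 12, "threat": "falsified status display", "component": "controller-device",
     "assets": ["status"], "type": "I"},
]

# Threat-vulnerability type correspondence DB 32 (analogue of FIG. 13).  Constructed;
# "DoS by resending" is deliberately absent to exercise the no-candidate path.
THREAT_VULN_DB = {
    "tampering of unencrypted communication": ["missing message authentication", "plaintext transport"],
    "leakage by guess": ["low-entropy key generation", "hard-coded secret"],
    "tampering by resending": ["missing replay protection", "missing sequence/nonce check"],
}

# Correspondence 43 (FIG. 5) and, per specification, the information asset-variable
# correspondence 47 chosen as candidate 1 of FIG. 10.
COMPONENT_TO_SPEC = [("controller", "PROGRAM_C.C")]
CORRESPONDENCE_47 = {"PROGRAM_C.C": {
    "len": "command", "msg": "command", "ans": "value", "key": "MAC key",
    "dev": "instruction", "val": "instruction", "ret": "response"}}


def related_threats(component, correspondence47, threat_result):
    """Step S5 (FIG. 11): (1) entries whose component field contains the component,
    (2) tentatively extracted, (3) kept only if every related asset is associated
    with some variable.  Assumed: component fields are '-'-joined endpoints, so the
    match is on those tokens; a raw substring test would also accept 'subcontroller'."""
    mapped = set(correspondence47.values())
    tentative = [e for e in threat_result if component in e["component"].split("-")]
    return [e for e in tentative if all(a in mapped for a in e["assets"])]


def vulnerability_candidates(threats, correspondence47, db):
    """Step S6: attach the DB's vulnerability types and the variables to inspect
    (those mapped to the threat's assets) to each related threat (FIG. 14 analogue).
    An empty 'vulnerability_types' list means the DB has no entry for the threat and
    must be reported as 'no vulnerability candidate', not as 'clean'."""
    by_asset = {}
    for var, asset in correspondence47.items():
        by_asset.setdefault(asset, []).append(var)
    out = []
    for e in threats:
        out.append({
            "threat": e["threat"],
            "component": e["component"],
            "assets": list(e["assets"]),
            "threat_type": e["type"],
            "variables": sorted(v for a in e["assets"] for v in by_asset.get(a, [])),
            "vulnerability_types": list(db.get(e["threat"], [])),
        })
    return out


def extract_all(component_to_spec, correspondence47_by_spec, threat_result, db):
    """Runs S5 and S6 for every entry of correspondence 43; result keyed by specification."""
    return {
        spec: vulnerability_candidates(
            related_threats(component, correspondence47_by_spec[spec], threat_result),
            correspondence47_by_spec[spec], db)
        for component, spec in component_to_spec
    }


if __name__ == "__main__":
    results = extract_all(COMPONENT_TO_SPEC, CORRESPONDENCE_47, THREAT_ANALYSIS_RESULT, THREAT_VULN_DB)
    for spec, cands in results.items():
        for c in cands:
            note = c["vulnerability_types"] or ["(no vulnerability candidate for this threat)"]
            print(spec, "|", c["threat"], "|", c["threat_type"], "|", c["variables"], "|", note)
```

For PROGRAM_C.C on the controller, entries 4, 6, 8 and 9 survive procedure (3); entry 12 is dropped because “status” maps to no variable, and entry 1 never matches the component. Threat #6 yields the variable key and the DB's two vulnerability types, which is the shape of the detection result in FIG. 15.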
  • Step S7 of FIG. 2: vulnerability analysis process
  • the vulnerability analysis unit 27 analyzes whether the vulnerability types shown in the vulnerability type list 322 of the vulnerability type candidates 49 extracted in step S6 exist in the program specifications 42. Then, the vulnerability analysis section 27 outputs the analysis result. Vulnerability analysis is performed using static code analysis or formal verification techniques as described in the background art. The vulnerability analysis unit 27 inspects the vulnerabilities associated with each threat according to the information of the vulnerability type candidates 49.
  • the vulnerability analysis unit 27 reads from the memory 12 the program specification 42 (FIG. 4) to be analyzed, the corresponding related threat list 48 (FIG. 12), and the vulnerability type candidates 49 (FIG. 14) corresponding to each related threat.
  • the vulnerability analysis unit 27 then performs the vulnerability analysis. That is, the vulnerability analysis unit 27 extracts the vulnerability types and the variables related to them based on the related threat list 48 and the vulnerability type candidates 49, and analyzes the program specification 42 for those vulnerability types.
  • the vulnerability analysis unit 27 writes the vulnerability detection result 410 (FIG. 15) in the memory 12; if a vulnerability detection result 410 already exists, the newly detected vulnerabilities are appended to it.
  • the vulnerability analysis unit 27 does this for all program specifications 42 to be inspected.
  • the vulnerability analysis unit 27 sends the vulnerability detection result 410 to the connected input/output device via the communication interface 14.
  • the input/output device that has received the vulnerability detection result 410 displays the vulnerability detection result 410. Further, the vulnerability detection result 410 may be saved in a file.
  • the vulnerability analysis unit 27 also performs the vulnerability analysis in consideration of the variables associated with the information assets.
  • the vulnerability detection result 410 includes a vulnerability type 411, a variable 412, a location 413, a threat 414, a component 415, and an information asset 416.
  • the vulnerability type 411 indicates the vulnerability type detected by the vulnerability analysis unit 27.
  • the variable 412 shows a variable related to the vulnerability type detected by the vulnerability analysis unit 27.
  • a place 413 shows a place in the program specification 42 related to the vulnerability type detected by the vulnerability analysis unit 27.
  • the threat 414 indicates a threat against the vulnerability type detected by the vulnerability analysis unit 27.
  • the information asset 416 shows the information asset in which the vulnerability type detected by the vulnerability analysis unit 27 exists.
  • FIG. 15 shows an example of the vulnerability detection result 410 for threat #6 (“leakage by guess”) of PROGRAM_C.C. In FIG. 15, “vulnerability 1” is shown as the vulnerability type 411, “key” as the variable 412, “first line of PROGRAM_C.C” as the location 413, “leakage by guess” as the threat 414, “controller” as the component 415, and “MAC key” as the information asset 416.
  • the correspondence relationship between the result of the threat analysis and the program specification can be clarified based on the correspondence relationship between the flow of information assets of the threat analysis and the classification of input/output of the variable of the program specification. Therefore, according to the present embodiment, the analysis target can be narrowed down at the time of vulnerability analysis.
  • the correspondence relationship of the vulnerabilities used in the attacks linked to each threat is stored. Therefore, in the vulnerability analysis, it is possible to derive the vulnerability used for the attack by referring to the correspondence relationship from the result of the threat analysis.
  • Embodiment 2. In the first embodiment, the vulnerability analysis apparatus 10 obtains the device configuration of the system subject to vulnerability analysis, the types of the information assets, and the flow of the information assets from the information asset flow 41 (FIG. 3) acquired from the outside.
  • In the present embodiment, the vulnerability analysis device 10 itself determines the device configuration of the system subject to vulnerability analysis, the types of the information assets, and the flow of the information assets.
  • differences from the first embodiment will be mainly described. Note that items not described below are the same as those in the first embodiment.
  • step S1 of FIG. 2 the first reception unit 21 receives the threat analysis input information 51 instead of the information asset flow 41.
  • the input device connected via the communication interface 14 is operated by the user, and the threat analysis input information 51, the program specification 42, the correspondence 43 between the constituent elements and the program specification, and the threat analysis result 44. And are entered. Then, the first accepting unit 21 accepts the threat analysis input information 51, the program specification 42, the correspondence 43 between the constituent elements and the program specification, and the threat analysis result 44 via the communication interface 14. Further, the first reception unit 21 writes the threat analysis input information 51, the program specifications 42, the correspondence relationship 43 between the constituent elements and the program specifications, and the threat analysis result 44 in the memory 12.
  • the threat analysis input information 51 is information used for threat analysis.
  • the threat analysis input information 51 includes a plurality of constituent elements that configure the system that is the target of vulnerability analysis, a connection relationship between the constituent elements, a list of information assets, and information indicating the flow of information assets.
  • the information asset determination unit 28 performs a related information asset flow extraction process.
  • based on the threat analysis input information 51 received in step S1 and the correspondence 43 between the constituent elements and the program specifications, the information asset determination unit 28 extracts, for each component, the information asset flow associated with the program specification 42 that is the target of the vulnerability analysis.
  • the information asset flow has the same format as the information asset flow 41 of FIG. 3 shown in the first embodiment. That is, the information asset discriminating unit 28 discriminates whether each of the information assets used in the system targeted for threat analysis is an input information asset, an output information asset, or an internally used information asset.
  • Embodiment 3. In the first embodiment, the output order of the candidates is not considered when the candidates of the correspondence relationship between the information assets and the variables are output.
  • In the present embodiment, the vulnerability analysis device 10 controls the output order according to the certainty of each candidate when it outputs the candidates of the correspondence relationship between the information assets and the variables. That is, when the second reception unit 24 outputs a plurality of correspondence relationship candidates, a priority order is set among them, and candidates with a higher priority are output first.
  • differences from the first embodiment will be mainly described. Note that items not described below are the same as those in the first embodiment.
  • step S3 of FIG. 2 when the candidate generation unit 23 analyzes the correspondence between the variable in the program specification 42 and the information asset, the candidate generation unit 23 estimates the certainty as a candidate.
  • the candidate generation unit 23 estimates the certainty of the candidate of the correspondence relationship between the variable and the information asset, for example, by a combination of preset keywords or the like. For example, the candidate generation unit 23 infers that the information asset “command” and the variable command and the variable cmd are similar to each other in the notation, and thus is highly likely to be a candidate. Further, the candidate generation unit 23 determines that the certainty is high for the candidate having many combinations of corresponding variables.
  • the candidate generation unit 23 specifies the output order (priority order) of the candidates of the plurality of correspondence relationships according to the certainty. Then, the second reception unit 24 outputs a plurality of candidates for the correspondence relationship in the output order designated by the candidate generation unit 23.
  • the certainty of the correspondence relationship candidate is estimated, the output order of the correspondence relationship candidate is specified based on the certainty, and the plurality of correspondence relationship candidates are specified in the specified output order. Output. Therefore, according to the present embodiment, the user can easily select the correct correspondence relationship even when there are a plurality of correspondence relationship candidates.
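The certainty estimate and priority ordering of this embodiment, as an added Python example (not the patent's code). The keyword table, the three candidates and the scoring formula (keyword similarity per variable-asset pair plus the fraction of assets the candidate covers) are assumptions; CANDIDATES[0] is candidate 1 of FIG. 10.

```python
from difflib import SequenceMatcher

# Information asset flow of FIG. 3 and three constructed candidates in the format of
# FIG. 10 ({variable: asset}).  CANDIDATES[0] is candidate 1 of the text.
ASSET_FLOW = {"command": "input", "value": "input", "MAC key": "internal",
              "instruction": "output", "response": "output"}
CANDIDATES = [
    {"len": "command", "msg": "command", "ans": "value", "key": "MAC key",
     "dev": "instruction", "val": "instruction", "ret": "response"},
    {"len": "value", "msg": "value", "ans": "command", "key": "MAC key",
     "dev": "response", "val": "response", "ret": "instruction"},
    {"len": "command", "msg": "command", "ans": "command", "key": "MAC key",
     "dev": "instruction", "val": "instruction", "ret": "instruction"},
]

# Assumed keyword table: notations a developer might use for each information asset.
KEYWORDS = {
    "command": ["command", "cmd", "msg"],
    "value": ["value", "val"],
    "MAC key": ["key", "mac"],
    "instruction": ["instruction", "instr", "inst"],
    "response": ["response", "resp", "ret"],
}


def pair_certainty(variable, asset, keywords=KEYWORDS):
    """1.0 when the variable name equals, or is a prefix/extension of, one of the
    asset's keywords (cmd ~ command); otherwise the best difflib ratio in [0, 1)."""
    var = variable.lower()
    best = 0.0
    for kw in keywords.get(asset, [asset.lower()]):
        if var == kw or var.startswith(kw) or kw.startswith(var):
            return 1.0
        best = max(best, SequenceMatcher(None, var, kw).ratio())
    return best


def candidate_certainty(candidate, asset_flow):
    """Sum of pair similarities plus the fraction of assets the candidate covers, so a
    candidate that maps every asset outranks one that leaves assets unmapped."""
    similarity = sum(pair_certainty(v, a) for v, a in candidate.items())
    coverage = len(set(candidate.values())) / len(asset_flow)
    return similarity + coverage


def rank_candidates(candidates, asset_flow):
    """Output order for the second reception unit: highest certainty first; ties keep
    the generation order so the ranking is deterministic."""
    scored = sorted(((candidate_certainty(c, asset_flow), i, c) for i, c in enumerate(candidates)),
                    key=lambda t: (-t[0], t[1]))
    return [(round(score, 3), c) for score, _, c in scored]


if __name__ == "__main__":
    for position, (score, candidate) in enumerate(rank_candidates(CANDIDATES, ASSET_FLOW), 1):
        print(position, score, candidate)
```

The heuristic is only a ranking aid: dev and val score zero against “instruction” because nothing in their names suggests it, and candidate 1 comes first because msg, key and ret hit their keywords and every asset is covered. The user's selection in step S4 remains the authority, which is why the ordering only changes what is shown first and never discards a candidate.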
  • Embodiment 4. In the first embodiment, the vulnerability candidate extraction unit 26 uses the threat-vulnerability type correspondence DB 32 to extract the vulnerability type candidates corresponding to each related threat.
  • In the present embodiment, the first reception unit 21 additionally acquires an attack tree.
  • the vulnerability candidate extraction unit 26 uses the attack tree to extract the vulnerability type candidates.
  • the attack tree is information indicating a series of attack procedures for achieving each threat of the threat analysis result 44 (FIG. 6) and the types of vulnerabilities used in the attack procedures.
  • when extracting the candidates of the vulnerability types corresponding to each threat in the related threat list 48 (FIG. 12), the vulnerability candidate extraction unit 26 extracts the vulnerability type information included in the attack tree instead of using the threat-vulnerability type correspondence DB 32.
  • the vulnerability candidate extraction unit 26 extracts the type of vulnerability from the attack tree after confirming that the attack destination is the corresponding component. Items not described in this embodiment are the same as those in the first embodiment.
  • flexible analysis can be performed by using the vulnerability type information included in the attack tree, whereas when the threat-vulnerability type correspondence DB 32 is used, the correspondence between threats and vulnerability types is fixed. According to the present embodiment, flexible analysis is possible, for example, when the type of vulnerability used varies with the system configuration and the attack method.
  • Embodiment 5. In the first embodiment, the program specification 42 is used as it is in the vulnerability analysis.
  • In the present embodiment, the vulnerability analysis unit 27 performs the vulnerability analysis by referring to the association between the information assets and the variables and/or the type of the threat. That is, the vulnerability analysis unit 27 can perform the vulnerability analysis after adding to the program specification 42 the association between the plurality of information assets and the plurality of variables obtained from the information asset-variable correspondence 47 (FIG. 10). Further, the vulnerability analysis unit 27 can perform the vulnerability analysis by referring to the threat type 444 (C, I, A) described in the threat analysis result 44; that is, after adding the threat type 444 (C, I, A) to the program specification 42.
  • the vulnerability analysis unit 27 can also extract from the program specification 42, as a program fragment, the portion that describes the processing related to the vulnerability type candidates extracted by the vulnerability candidate extraction unit 26, and perform the vulnerability analysis on the extracted program fragment.
  • referring to the program specification 42, the vulnerability analysis unit 27 can extract as a program fragment, for example, the processes that refer to or change a variable related to the threat, the processes that use other variables affecting that variable, and the processes that control the execution of those processes, such as branch and determination processes. Items not described in this embodiment are the same as those in the first embodiment.
  • in the present embodiment, the vulnerability check is performed after adding to the inspected program specification, in association with the information assets and the variables, meta information such as the value (C, I, A) of each information asset. Therefore, in the present embodiment, the check formula and/or the model can be generated efficiently. Further, by using the program fragment, the vulnerability analysis can be made more efficient than when the entire program specification is used.
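The program fragment extraction of this embodiment, as an added Python example rather than the patent's own code. The statement table (a C-like PROGRAM_C.C with assumed line numbers, defined variables, used variables and controlling branches) is constructed, and the dependency rule is a flow-insensitive backward slice that over-approximates what a real static analyzer would compute; the meta information header follows the C/I/A annotation described above.

```python
# Constructed PROGRAM_C.C-like specification.  Statement = (line, text, defined
# variable or None, used variables, line of the branch that controls it or None).
STATEMENTS = [
    (1,  "key = load_key();",             "key", [],             None),
    (2,  "len = recv(sock);",             "len", [],             None),
    (3,  "msg = recv(sock);",             "msg", [],             None),
    (4,  "if (len > MAX_LEN) {",          None,  ["len"],        None),
    (5,  "    ret = ERR;",                "ret", [],             4),
    (7,  "    tag = mac(key, msg);",      "tag", ["key", "msg"], 4),
    (8,  "    if (verify(tag, msg)) {",   None,  ["tag", "msg"], 4),
    (9,  "        dev = parse_dev(msg);", "dev", ["msg"],        8),
    (10, "        val = parse_val(msg);", "val", ["msg"],        8),
    (11, "        send(dev); send(val);", None,  ["dev", "val"], 8),
    (14, "ans = read_sensor();",          "ans", [],             None),
    (15, "ret = ans;",                    "ret", ["ans"],        None),
    (16, "send(ret);",                    None,  ["ret"],        None),
]

# Information asset-variable correspondence 47 (candidate 1 of FIG. 10), inverted
# so that an asset names the variables to slice on.
VARIABLES_OF_ASSET = {"command": ["len", "msg"], "value": ["ans"], "MAC key": ["key"],
                      "instruction": ["dev", "val"], "response": ["ret"]}


def program_fragment(statements, target_vars):
    """Lines that refer to or change a target variable, plus (transitively) the
    statements defining the variables they use and the branches controlling them.
    Assumed simplification: a use depends on every earlier definition of that
    variable (flow-insensitive), which over-approximates but never drops a line."""
    by_line = {s[0]: s for s in statements}
    targets = set(target_vars)
    selected = {line for line, _, defined, uses, _ in statements
                if defined in targets or targets & set(uses)}
    work = list(selected)
    while work:
        line = work.pop()
        _, _, _, uses, guard = by_line[line]
        deps = {l for l, _, d, _, _ in statements if d in uses and l < line}
        if guard is not None:
            deps.add(guard)
        for dep in deps - selected:
            selected.add(dep)
            work.append(dep)
    return sorted(selected)


def render_fragment(statements, asset, threat_type, variables_of_asset=VARIABLES_OF_ASSET):
    """The fragment handed to the vulnerability analysis, with the asset, its C/I/A
    threat type and the associated variables added as a leading comment (the meta
    information of this embodiment)."""
    variables = variables_of_asset[asset]
    lines = program_fragment(statements, variables)
    text = {s[0]: s[1] for s in statements}
    header = f"/* asset: {asset}; threat type: {threat_type}; variables: {', '.join(variables)} */"
    return "\n".join([header] + [f"{line:>3}: {text[line]}" for line in lines])


if __name__ == "__main__":
    print(render_fragment(STATEMENTS, "MAC key", "C"))
    print()
    print(render_fragment(STATEMENTS, "instruction", "I"))
```

For the MAC key (threat type C) the fragment is lines 1 to 4 and 7: the key load, the two receives and the length check that guards the MAC computation. The sensor read and the response path (lines 14 to 16) are left out, which is the saving over analyzing the whole specification; for the instruction asset the slice grows to lines 1 to 11 because the send is control-dependent on the MAC verification, and that chain must stay visible to a replay or tampering check.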
  • the storage 13 stores an OS (Operating System). Then, at least part of the OS is loaded into the memory 12 and executed by the processor 11.
  • the processor 11 executes at least a part of the OS while the first acceptance unit 21, the variable determination unit 22, the candidate generation unit 23, the second acceptance unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, A program that implements the functions of the vulnerability analysis unit 27 and the information asset determination unit 28 is executed.
  • when the processor 11 executes the OS, task management, memory management, file management, communication control, and the like are performed. At least one of the information, data, signal values, and variable values indicating the results of the processing of the first reception unit 21, the variable determination unit 22, the candidate generation unit 23, the second reception unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, the vulnerability analysis unit 27, and the information asset determination unit 28 is stored in at least one of the memory 12, the storage 13, a register in the processor 11, and a cache memory.
  • the program that realizes the functions of the first reception unit 21, the variable determination unit 22, the candidate generation unit 23, the second reception unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, the vulnerability analysis unit 27, and the information asset determination unit 28 may be stored in a portable recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD, and such a portable recording medium may be distributed commercially.
  • the “unit” of the first reception unit 21, the variable determination unit 22, the candidate generation unit 23, the second reception unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, the vulnerability analysis unit 27, and the information asset determination unit 28 may be read as “circuit”, “process”, “procedure”, or “processing”.
  • the vulnerability analysis device 10 may be realized by a processing circuit.
  • the processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
  • in this specification, the superordinate concept of the processor and the processing circuit is referred to as “processing circuitry”. That is, each of the processor and the processing circuit is a specific example of “processing circuitry”.
  • 10 vulnerability analysis device 11 processor, 12 memory, 13 storage, 14 communication interface, 21 first reception part, 22 variable discrimination part, 23 candidate generation part, 24 second reception part, 25 related threat extraction part, 26 Vulnerability candidate extraction part, 27 vulnerability analysis part, 28 information asset discrimination part, 31 processing type DB, 32 threat-vulnerability type correspondence DB, 41 information asset flow, 42 program specifications, 43 correspondence between constituent elements and program specifications , 44 threat analysis result, 45 program variable processing relation, 46 information asset-variable correspondence relation candidate, 47 information asset-variable correspondence relation, 48 related threat list, 49 vulnerability type candidate, 410 vulnerability detection result.


Abstract

According to the present invention, a variable discerning unit (22) discerns the respective types of a plurality of variables included in a program executed by an apparatus. A candidate generation unit (23) compares the respective types of the plurality of variables discerned by the variable discerning unit (22) with the respective types of a plurality of information assets used by the apparatus, and generates one or more candidates for the correspondence relationship between each of the plurality of information assets and each of the plurality of variables.

Description

情報処理装置、情報処理方法及び情報処理プログラムInformation processing apparatus, information processing method, and information processing program
 本発明は、脆弱性分析に関する。 The present invention relates to vulnerability analysis.
 セキュリティを考慮した開発プロセスでは、セキュリティ上の問題である脆弱性を作りこまないようにするために、開発上流の段階からセキュリティに関する分析や検討を行う。まず、システム設計等の開発上流フェーズで、開発対象システムで発生してはならない脅威を洗い出すための脅威分析を実施する(例えば、通信路を流れる機密情報が盗聴される等の脅威が洗い出される)。そして、脅威分析の結果に基づき、その脅威に至らないようにするための対策の方針を検討する(例えば、通信路を暗号化する必要がある等)。更に開発フェーズが進み設計及び実装の段階になると、開発対象システムを実現するための処理内容及び処理内容を実現するプログラムの具体的な実現方法に適したセキュリティ機能や運用方法を検討する。そして、検討結果を設計及び実装に盛り込む。設計及び実装の最終段階では、設計及び実装したプログラムに脆弱性がないかを確認するための分析を行う。 In the development process that considers security, in order to prevent the creation of vulnerabilities, which are security problems, analyze and consider security from the upstream stage of development. First, in the upstream development phase of system design, etc., a threat analysis is performed to identify threats that should not occur in the development target system (for example, threats such as eavesdropping on confidential information flowing through communication channels are identified. ). Then, based on the result of the threat analysis, the policy of measures for preventing the threat is examined (for example, it is necessary to encrypt the communication path). When the development phase further progresses to the stage of design and implementation, the security function and operation method suitable for the concrete implementation method of the processing content for realizing the development target system and the program for realizing the processing content are examined. Then, incorporate the examination results into the design and implementation. At the final stage of design and implementation, analysis is performed to confirm whether the designed and implemented program is vulnerable.
One way of realizing a vulnerability analysis device that checks for vulnerabilities is a technique that statically analyzes the specification of the designed and implemented program, or the program itself.
A conventional vulnerability analysis device analyzes the source code of a program using an analysis technique such as taint analysis according to predetermined rules (for example, Patent Document 1).
A method has also been proposed in which the specification of a program is formally described as a model, and a formal method called model checking is used to mathematically prove whether the behavior of the program satisfies a property that gives rise to a vulnerability (for example, Patent Document 2).
Japanese Patent No. 5740702
Japanese Patent Laid-Open No. 2008-262311
In the method of Patent Document 1, the source code of the program is analyzed according to predetermined rules. Consequently, it cannot detect vulnerabilities that stem from omissions or errors in the design and implementation of the security measures that were decided on after the threat analysis performed in the upstream process.
In the method of Patent Document 2, verification is possible once the property to be proved has been defined or selected. To define or select that property correctly, however, one must understand in detail what the design and implementation specification ought to be. Threat analysis, on the other hand, is carried out in the upstream development phase, when the design and implementation specification has not yet been fixed. Mapping the threat analysis result onto the specification to which the program was designed and implemented, in order to define or select the property to be proved, is therefore very laborious. Furthermore, when the program specification is analyzed statically with the entire program as the target, a large amount of computing resources such as memory is needed and the computation time becomes long.
To perform vulnerability analysis efficiently, it is useful to make explicit the relationship between the parts of the program (the program executed by a device) into which the security measures decided on after the upstream threat analysis have been incorporated and the information assets the device uses, and the relationship between the device's information assets and vulnerabilities.
From this point of view, the main object of the present invention is to contribute to clarifying the correspondence between parts of a program, information assets, and vulnerabilities.
The information processing apparatus according to the present invention comprises:
a variable discrimination unit that discriminates the type of each of a plurality of variables included in a program executed by a device; and
a candidate generation unit that compares the type of each of the plurality of variables discriminated by the variable discrimination unit with the type of each of a plurality of information assets used by the device, and generates one or more candidates for the correspondence between each of the plurality of information assets and each of the plurality of variables.
According to the present invention, candidates for the correspondence between the variables included in a program executed by a device and the information assets used by the device are generated, which contributes to clarifying the correspondence between parts of the program, information assets, and vulnerabilities.
FIG. 1 is a diagram showing a configuration example of the vulnerability analysis device according to Embodiment 1.
FIG. 2 is a flowchart showing an operation example of the vulnerability analysis device according to Embodiment 1.
FIG. 3 is a diagram showing an example of the information asset flow for the controller according to Embodiment 1.
FIG. 4 is a diagram showing an example of the program specification according to Embodiment 1.
FIG. 5 is a diagram showing an example of the correspondence between components and program specifications according to Embodiment 1.
FIG. 6 is a diagram showing an example of the threat analysis result according to Embodiment 1.
FIG. 7 is a flowchart showing an operation example of the variable discrimination unit according to Embodiment 1.
FIG. 8 is a diagram showing an example of the processing type DB according to Embodiment 1.
FIG. 9 is a diagram showing an example of the program variable processing relation according to Embodiment 1.
FIG. 10 is a diagram showing an example of information asset-variable correspondence candidates according to Embodiment 1.
FIG. 11 is a diagram showing an example of the operation of extracting the related threat list according to Embodiment 1.
FIG. 12 is a diagram showing an example of the related threat list according to Embodiment 1.
FIG. 13 is a diagram showing an example of the threat-vulnerability type correspondence DB according to Embodiment 1.
FIG. 14 is a diagram showing an example of vulnerability type candidates according to Embodiment 1.
FIG. 15 is a diagram showing an example of the vulnerability detection result according to Embodiment 1.
FIG. 16 is a diagram showing a configuration example of the vulnerability analysis device according to Embodiment 2.
Embodiments of the present invention will now be described with reference to the drawings. In the following description of the embodiments and in the drawings, the same reference numerals denote the same or corresponding parts.
Embodiment 1.
***Description of the configuration***
The configuration of the vulnerability analysis device 10 according to Embodiment 1 will be described with reference to FIG. 1.
The vulnerability analysis device 10 corresponds to an information processing apparatus.
The vulnerability analysis device 10 is a computer. The vulnerability analysis device 10 comprises hardware such as a processor 11, a memory 12, a storage 13, and a communication interface 14. The processor 11 is connected to the other hardware via signal lines and controls that other hardware.
The processor 11 is an IC (Integrated Circuit) that performs processing. Specific examples of the processor 11 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit). Only one processor 11 is shown in FIG. 1. However, there may be a plurality of processors 11, and the plurality of processors 11 may cooperate in executing the programs that realize the respective functions.
The memory 12 is a storage device that temporarily stores data for processing by the processor 11. Specific examples of the memory 12 are SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory).
The storage 13 is a storage device that keeps data. A specific example of the storage 13 is an HDD (Hard Disk Drive). The storage 13 may also be an SSD (Solid State Drive). The storage 13 may also be a portable recording medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash, registered trademark), NAND flash, a flexible disk, an optical disk, a compact disc, a Blu-ray (registered trademark) disc, or a DVD (Digital Versatile Disk).
The communication interface 14 is an interface for communicating with external devices. Specific examples of the communication interface 14 are Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
The vulnerability analysis device 10 comprises, as functional components, a first reception unit 21, a variable discrimination unit 22, a candidate generation unit 23, a second reception unit 24, a related threat extraction unit 25, a vulnerability candidate extraction unit 26, and a vulnerability analysis unit 27. The second reception unit 24 corresponds to an output unit.
The functions of the functional components of the vulnerability analysis device 10 are realized by programs.
The programs that realize the functions of the functional components of the vulnerability analysis device 10 are stored in the storage 13. These programs are read into the memory 12 by the processor 11 and executed by the processor 11. The functions of the functional components of the vulnerability analysis device 10 are thereby realized.
The functional components of the vulnerability analysis device 10 may read the information that determines the analysis operations performed by their programs and the information that determines the decision conditions from a database or configuration file kept in the storage 13. Alternatively, the information that determines the analysis operations and the information that determines the decision conditions may be part of the program. For example, in the present embodiment the variable discrimination unit 22 reads the processing type DB 31 and adapts its analysis accordingly, and the vulnerability candidate extraction unit 26 reads the threat-vulnerability correspondence DB 32 and adapts its analysis accordingly.
FIG. 1 illustrates a configuration with a single vulnerability analysis device 10. Alternatively, a plurality of computers may be connected via a network and cooperate to form a vulnerability analysis system.
Further, in FIG. 1 it is assumed that an input/output device through which the user supplies input to and receives output from the vulnerability analysis device 10 is connected via the communication interface 14. Alternatively, the vulnerability analysis device 10 may be provided with its own input and output interface so that the user operates the vulnerability analysis device 10 directly.
***Description of the operation***
The operation of the vulnerability analysis device 10 according to Embodiment 1 will be described with reference to FIGS. 2 to 15. The operation of the vulnerability analysis device 10 described below corresponds to an information processing method and an information processing program.
FIG. 2 is a flowchart showing the overall operation of the vulnerability analysis device 10 according to Embodiment 1.
First, the first reception unit 21 receives the input of the various information required for the analysis (step S1).
In step S1, the first reception unit 21 receives the information asset flow 41 (FIG. 3), the program specification 42 (FIG. 4), the component-to-program-specification correspondence 43 (FIG. 5), and the threat analysis result 44 (FIG. 6), all described later.
Next, the variable discrimination unit 22 extracts the variables included in the program represented by the program specification 42 and discriminates the type of each extracted variable (step S2).
As described later, the program specification 42 is either the program (source code) executed by the device under development or information describing the program's characteristics (a flowchart, a UML (Unified Modeling Language) or SysML activity diagram or sequence diagram, and the like).
As the type of an extracted variable, the variable discrimination unit 22 determines whether the variable is an input variable, an output variable, or an internal-use variable.
Next, the candidate generation unit 23 generates candidates for the correspondence between information assets and variables (step S3).
The candidate generation unit 23 compares the variable types discriminated by the variable discrimination unit 22 with the types of the information assets used by the device, and generates one or more candidates for the correspondence between information assets and variables.
In this specification, an information asset is information that the threat analysis has determined to be used by a component (device). Specifically, the information assets of a component (device) are described in the information asset flow 41 (FIG. 3).
The types of information assets are input information assets, which are input to the device; output information assets, which are output from the device to its outside; and internal-use information assets, which are used inside the device.
The candidate generation unit 23 generates correspondence candidates by associating input information assets with input variables, output information assets with output variables, and internal-use information assets with internal-use variables.
When there are a plurality of correspondence candidates, the second reception unit 24 outputs the plurality of candidates. The second reception unit 24 then receives the user's selection of a correspondence from among them (step S4).
That is, the second reception unit 24 displays the plurality of correspondence candidates on, for example, the input/output device, and the user of the vulnerability analysis device 10 selects the applicable correspondence from among the displayed candidates. The second reception unit 24 then receives the selection from the user.
Next, the related threat extraction unit 25 extracts the related threats based on the correspondence between information assets and variables (step S5).
That is, when only one correspondence candidate was generated in step S3, the related threat extraction unit 25 extracts the related threats based on that single candidate. When a plurality of candidates were generated in step S3 and the selection of a correspondence was received in step S4, the related threats are extracted based on the correspondence selected in step S4.
Specifically, the related threat extraction unit 25 extracts the related threats from the threat analysis result 44 (FIG. 6) received in step S1.
Next, the vulnerability candidate extraction unit 26 extracts candidates for the types of vulnerability that could be exploited by an attack leading to a related threat (step S6).
Finally, the vulnerability analysis unit 27 performs a vulnerability analysis to check whether the candidate vulnerability types can occur in the description of the program specification 42, and outputs the analysis result (step S7).
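Steps S3 and S5 of this flow, written out as an added example (not code from the patent): candidates are built by pairing each information asset only with variables of the same type, and the threats whose related asset is mapped by the chosen correspondence are pulled out of the threat analysis result. Modelling a candidate as one complete asset-to-variable assignment and matching threats by asset name are assumptions; the asset flow, variable types and threat records are constructed, with only "command", "MAC key" and the "leakage by guessing" record taken from the page's examples.

```python
"""Steps S3 and S5 of the flow in FIG. 2: build information asset/variable
correspondence candidates by matching types, then pull the threats that relate
to the mapped assets out of the threat analysis result.
Added illustration for this page, not code from the patent; all data below
is constructed and the data model is an assumption."""
from itertools import product

# Information asset flow 41 of the component "controller" (cf. FIG. 3): name 414 -> type 415.
# "command" (input) and "MAC key" (internal use) are the page's own examples; the rest is constructed.
INFO_ASSETS = {
    "command": "input",
    "sensor value": "input",
    "MAC key": "internal use",
    "response": "output",
}

# Result of the variable discrimination unit 22 (step S2): variable -> type. Constructed.
VARIABLE_TYPES = {
    "recv_buf": "input",
    "sensor_in": "input",
    "key": "internal use",
    "send_buf": "output",
    "tmp": "internal use",
}

# Threat analysis result 44 (cf. FIG. 6). The first record is the page's own example;
# the other two are constructed.
THREAT_ANALYSIS_RESULT = [
    {"threat": "leakage by guessing", "component": "remote terminal",
     "asset": "password", "type": "C"},
    {"threat": "tampering with a command in transit", "component": "HMI-controller",
     "asset": "command", "type": "I"},
    {"threat": "extraction of the MAC key", "component": "controller",
     "asset": "MAC key", "type": "C"},
]


def variables_by_type(variable_types):
    """Group variables under the type the discrimination unit assigned to them."""
    groups = {}
    for name, vtype in variable_types.items():
        groups.setdefault(vtype, []).append(name)
    return {vtype: sorted(names) for vtype, names in groups.items()}


def generate_candidates(assets, variable_types):
    """Step S3. An asset may only correspond to a variable of the same type
    (input <-> input, output <-> output, internal use <-> internal use).
    A candidate is modelled as one complete assignment asset -> variable, so every
    combination of same-type choices is one candidate; more than one candidate
    means step S4 (user selection) is needed. Assets that have no variable of
    their type are returned separately rather than silently dropped, since a
    declared asset with no variable is itself worth the analyst's attention."""
    groups = variables_by_type(variable_types)
    unmatched = sorted(a for a, t in assets.items() if not groups.get(t))
    matched = [a for a in assets if a not in unmatched]
    choices = [groups[assets[a]] for a in matched]
    candidates = [dict(zip(matched, combo)) for combo in product(*choices)]
    return candidates, unmatched


def extract_related_threats(correspondence, threat_analysis_result):
    """Step S5. A threat is related when its information asset 443 is one of the
    assets the chosen correspondence maps onto a program variable. Each hit is
    annotated with that variable, which is where steps S6/S7 will look."""
    related = []
    for record in threat_analysis_result:
        variable = correspondence.get(record["asset"])
        if variable is not None:
            related.append({**record, "variable": variable})
    return related


if __name__ == "__main__":
    candidates, unmatched = generate_candidates(INFO_ASSETS, VARIABLE_TYPES)
    print(f"{len(candidates)} candidate(s); assets without a variable: {unmatched}")
    chosen = candidates[0]  # with several candidates, step S4 would ask the user to pick
    for hit in extract_related_threats(chosen, THREAT_ANALYSIS_RESULT):
        print(f"[{hit['type']}] {hit['threat']} -> variable {hit['variable']}")
```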
The operation of each step in FIG. 2 is now described in turn.
(Step S1 of FIG. 2: first reception process)
The first reception unit 21 receives the information asset flow 41 (FIG. 3), the program specification 42 (FIG. 4), the component-to-program-specification correspondence 43 (FIG. 5), and the threat analysis result 44 (FIG. 6).
Specifically, the user operates the input/output device connected via the communication interface 14. Through the user's operation, the information asset flow 41, the program specification 42, the component-to-program-specification correspondence 43, and the threat analysis result 44 are input. The first reception unit 21 then receives, via the communication interface 14, the information asset flow 41, the program specification 42, the component-to-program-specification correspondence 43, and the threat analysis result 44 that were input.
The first reception unit 21 further writes each of the information asset flow 41, the program specification 42, the component-to-program-specification correspondence 43, and the threat analysis result 44 into the memory 12.
An example of the information asset flow 41 is described with reference to FIG. 3.
The information asset flow 41 is obtained by organizing the flows of information assets after the threat analysis has been performed. An information asset flow 41 is generated for each device included in the system under development.
The information asset flow 41 contains a component 411, which is a component (device) making up the system under development; related elements 412, which are components (devices) related to the component 411; connection relations 413 between the component 411 and the related elements 412; information asset names 414; and information asset types 415.
As described above, the information asset types are input information asset, output information asset, and internal-use information asset. There may be information asset types other than these three.
"Input" denotes a flow of an information asset into the component 411 from outside the component 411. "Output" denotes a flow of an information asset from the component 411 to outside the component 411. "Internal use" denotes a flow of an information asset that is used only inside the component 411.
Specifically, the information asset flow 41 can be represented by a diagram resembling an extended UML communication diagram, as shown in FIG. 3. In FIG. 3, a rectangle represents a component 411 or a related element 412. In the example of FIG. 3, the component 411 is the "controller", and the related elements 412 are the "HMI" and the "device".
A connection relation 413 is represented by a solid line joining the component 411 and a related element 412.
FIG. 3 further shows arrows near the connection relations 413. These arrows represent flows of information assets, and the direction of an arrow is the direction of the flow.
A line whose starting point is a circle also extends from the controller, independent of any connection relation 413. This line also represents a flow of an information asset. It indicates that there is no flow between the component 411 and a related element 412, that is, that the asset is an internal-use information asset.
The character string placed near a flow line is the name 414 of the information asset handled by that flow, and the character string enclosed in ≪≫ is the information asset type 415. For example, the arrow from the HMI to the controller in FIG. 3 means that the information asset "command" flows from the "HMI" to the "controller", and from the standpoint of the "controller" it indicates that the information asset type 415 is "input" (input information asset). The line with a circular starting point extending from the "controller" indicates that the type 415 of the information asset "MAC key" is "internal use" (internal-use information asset), that is, that the information asset "MAC key" is used inside the controller.
The information asset flow 41 corresponds to information asset information.
Next, an example of the program specification 42 is described with reference to FIG. 4.
The program specification 42 contains the name 421 of the program to be analyzed for vulnerabilities and the program processing content 422, which expresses the flow of variables (data flow) and the flow of processing (control flow).
Specifically, the program specification 42 describes the logic that constitutes all or part of the program executed by a device included in the system under development (corresponding to the component 411 in FIG. 3) after the threat analysis has been performed. A program specification 42 is written for each device included in the system under development.
For devices, and parts of programs, that are not targets of the vulnerability analysis, no program specification 42 need be input to the vulnerability analysis device 10.
Specifically, the program specification 42 is source code or a program model.
A program model is information that can describe the structure and behavior of a program in diagram form, such as a flowchart, UML or SysML. Examples of program models are source code written in a programming language, and a flowchart whose processing and decision steps are written in the notation of a programming language such as C (m=n+1, m=add(n,1), and so on). UML or SysML activity diagrams or sequence diagrams, DFDs, and the block diagrams used in control engineering also qualify as program models. The program model is written and stored in a data format that can express a hierarchical structure, so that the processor 11 (variable discrimination unit 22) can process its contents; for example, a data format such as XML (Extensible Markup Language) or JSON (JavaScript (registered trademark) Object Notation). FIG. 4 shows an example of the program specification 42 for the communication processing between the component "controller" and the HMI. In FIG. 4, part of the behavior of the program running on the controller is written in the form of ordinary C source code.
The program name 421 is "PROGRAM_C.C", and the program processing content 422 is the C description. In the example of FIG. 4 the program name 421 is given as the file name of the C source code, but any form will do as long as it lets the vulnerability analysis device 10 uniquely identify each program specification 42. The program name 421 is used in the component-to-program-specification correspondence 43 described later.
Next, an example of the component-to-program-specification correspondence 43 is described with reference to FIG. 5.
The component-to-program-specification correspondence 43 shows the correspondence between the components 431 that are the targets of the vulnerability analysis and the program specifications 432.
The component-to-program-specification correspondence 43 can be expressed, for example, as a table like that of FIG. 5. In FIG. 5, the component "controller" has two program specifications 42 to be examined, "PROGRAM_C.C" and "PROGRAM_D.C".
Next, an example of the threat analysis result 44 is described with reference to FIG. 6.
The threat analysis result 44 shows the result of the threat analysis of the system under development.
The threat analysis result 44 contains a threat 441, a component 442, a related information asset 443, and a threat type 444.
The threat 441 states the content of the threat.
The component 442 states the component or connection relation at which the threat arises.
The related information asset 443 states the information asset to which the threat relates.
The threat type 444 states the kind of effect on the information asset when the threat materializes. The threat type 444 is, for example, one of C, I, and A, which are commonly used to denote the attributes of information security: C means confidentiality, I integrity, and A availability.
The threat analysis result 44 can be expressed, for example, in table form as in FIG. 6. In the example of FIG. 6, the record in the first row shows "leakage by guessing" as the threat 441, "remote terminal" as the component 442 at which the threat arises, "password" as the related information asset 443 affected by leakage through guessing, and "C" as the threat type 444.
(Step S2 of FIG. 2: program variable processing relation analysis process)
The variable discrimination unit 22 discriminates the type of each variable contained in the program specification 42 received in step S1 based on the processing in which the variable is used, and analyzes the propagation relations between variables and the order of processing.
More specifically, the variable discrimination unit 22 determines whether the processing in which a variable is used is input processing, output processing, or internal-use processing. Input processing is processing that takes in a value from outside the device. Output processing is processing that sends a value out of the device. Internal-use processing is processing that uses a value inside the device. The variable discrimination unit 22 determines the type of the variable from the type of the processing.
The propagation relation between variables is the relation by which values propagate from one variable to another inside the program.
FIG. 7 is a flowchart illustrating an operation example of the variable determination unit 22.
First, the variable determination unit 22 reads the various information required for the analysis from the memory 12 (step S21).
Next, the variable determination unit 22 extracts the variables contained in the program specification 42 (step S22).
Next, the variable determination unit 22 determines the type of each extracted variable (step S23).
Next, the variable determination unit 22 analyzes the propagation relationship and processing order of each variable whose type has been determined (step S24).
Finally, the variable determination unit 22 writes the analysis result to the memory 12 (step S25).
Next, the details of steps S21 to S26 in FIG. 7 will be described.
<Details of Step S21 in FIG. 7>
In step S21, the variable determination unit 22 reads the processing type DB 31 from the storage 13 and writes the processing type DB 31 to the memory 12.
Next, the variable determination unit 22 reads the program specification 42 and the information of the processing type DB 31 from the memory 12.
Here, the program specification 42 is the program specification 42 accepted in step S1.
An example of the processing type DB 31 will be described with reference to FIG. 8.
The processing type DB 31 includes a processing name 311 and a processing type 312.
The processing name 311 indicates the name of a process contained in the program specification 42.
The processing type 312 indicates whether the process indicated by the processing name 311 is input processing, output processing, or internal use processing (security processing). In FIG. 8, input processing is written as Input, output processing is written as Output, and internal use processing (security processing) is written as Security.
The process indicated by the processing name 311 is a function, a method, or the like.
In the example of FIG. 8, for example, the processing type of the processing name receiveMessage is input processing (Input).
<Details of Step S22 in FIG. 7>
In step S22, the variable determination unit 22 extracts variables from the program specification 42 read in step S21. The variable extraction process differs depending on how the program specification 42 is described.
For the program specification 42 (source code) used in the description of this embodiment, variables can be extracted using the lexical analysis and syntax analysis techniques used by compilers. For descriptions other than source code, the variable determination unit 22 likewise extracts variables according to the respective description rules.
<Details of Step S23 in FIG. 7>
In step S23, the variable determination unit 22 determines the type of each variable extracted in step S22.
The variable determination unit 22 checks whether each extracted variable is used in a process (a function, method, or the like) indicated by a processing name 311 of the processing type DB 31. “Used in a process” means that the variable is used as an argument of the function or method, or as the return value of the function or method.
When an extracted variable is used in a process indicated by a processing name 311, the variable determination unit 22 determines the type of the variable from the processing type 312 of that process. As described above, the variable determination unit 22 determines the type of a variable based on the type of the processing.
More specifically, when the program specification 42 is written in the C language, for example, the rules are as follows. If the processing type is “Input”, the variable determination unit 22 determines that a variable used as the return value, or as an argument passed by address (including arguments passed by reference), is an “input variable”. If the processing type is “Output”, the variable determination unit 22 determines that a variable used as an argument passed by value is an “output variable”, determines that a variable used as an argument passed by address is both an “input variable” and an “output variable”, and determines that a variable used as the return value is an “input variable”. Furthermore, among the variables that remain undetermined after the above determination has been applied to all variables, the variable determination unit 22 determines that a variable used in a conditional statement, and a variable used as an argument or return value of a function whose processing type is “Security”, is an “internal use variable”.
For example, when the program specification 42 shown in FIG. 4 is analyzed under the above determination rules using the processing type DB 31 shown in FIG. 8, msg and len become “input variables”, dev, val, and ret become “output variables”, and key and state become “internal use variables”. cmd is not classified into any type.
Although this does not occur in the example of FIG. 4, when two or more occurrences of the same variable can be determined as different types, each occurrence is handled separately. For example, when the same variable msg can be determined as a different variable type at a location other than the location where msg is determined to be an input variable, the variable determination unit 22 handles the occurrences as different variables. The variable determination unit 22 also makes occurrences with the same variable name distinguishable: it identifies each variable uniquely in a format such as variable name:line number, for example msg:12.
In the above, an example was described in which, in step S23, the variable determination unit 22 determines the processing type of a variable using the information of the processing type DB 31. The processing type may be determined based on rules generated in advance in this way, or it may be determined by logic configured in the variable determination unit 22.
In the above, the process of determining the variable type decides “input variable” or “output variable” according to how the variable is handled by a function, or according to the processing type assigned to the function in advance. Furthermore, in the above, a variable that satisfies certain conditions is determined to be an “internal use variable”. However, other rules may be used as the rules for determining the variable type.
In the present embodiment, the above determination rules are assumed to be held inside the variable determination unit 22, but the determination rules may instead be held in a file or a database. The determination rules may also be changed.
<Details of Step S24 in FIG. 7>
In step S24, the variable determination unit 22 analyzes the propagation relationship and processing order of each variable whose type was determined in step S23. The propagation relationship is the data flow by which the value of a variable determined to be an “input variable” propagates to other variables. The variable determination unit 22 can analyze the propagation relationship from the assignment relationships between variables and the like, in the same way as existing static code analysis.
For example, when the processing type DB 31 shown in FIG. 8 is used with the program specification 42 shown in FIG. 4, the variable determination unit 22 obtains the propagation relationship 453 shown in FIG. 9.
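The determination rules of step S23 and the propagation analysis of step S24 are shown below in Python as an added example written for this page; it is not code from the patent or from Mitsubishi Electric. The page does not give the source of FIG. 4, so the program specification is constructed here as a pre-parsed list of calls, assignments and conditionals (the lexer and parser the page relies on are omitted), and every name except receiveMessage/Input is an assumption chosen so that the result matches the classification the page states for FIG. 4 (msg, len input; dev, val, ret output; key, state internal; cmd unclassified).

```python
from collections import defaultdict

# Constructed processing type DB 31 in the style of the page's FIG. 8.
# receiveMessage -> Input is on the page; the other three names are assumptions.
PROCESS_TYPE_DB = {
    "receiveMessage": "Input",
    "setDevice": "Output",
    "sendResponse": "Output",
    "verifyMac": "Security",
}

# Constructed program specification, already reduced to what the classifier
# needs: each call records its line, the callee, its arguments with their
# passing mode ("value" or "address"), and the variable receiving the return value.
CALLS = [
    {"line": 10, "func": "receiveMessage", "args": [("msg", "address")], "ret": "len"},
    {"line": 12, "func": "verifyMac", "args": [("key", "value"), ("msg", "value")], "ret": "state"},
    {"line": 15, "func": "parse", "args": [("msg", "value")], "ret": "cmd"},
    {"line": 17, "func": "setDevice", "args": [("dev", "value"), ("val", "value")], "ret": None},
    {"line": 19, "func": "sendResponse", "args": [("ret", "value")], "ret": None},
]
# (destination, source): the destination receives a value derived from the source.
ASSIGNMENTS = [("cmd", "msg"), ("dev", "cmd"), ("val", "cmd"), ("ret", "state")]
# (variable, line) of variables tested in a conditional statement.
CONDITIONALS = [("state", 14)]


def classify_variables(calls, conditionals, db):
    """Step S23: map each variable name to the set of types it receives.
    A variable absent from the returned dict was not classified (cmd here)."""
    types = defaultdict(set)
    # Pass 1: Input/Output rules driven by the processing type of the callee.
    for call in calls:
        kind = db.get(call["func"])
        if kind == "Input":
            if call["ret"]:
                types[call["ret"]].add("input")
            for name, mode in call["args"]:
                if mode == "address":          # address/reference argument
                    types[name].add("input")
        elif kind == "Output":
            if call["ret"]:
                types[call["ret"]].add("input")
            for name, mode in call["args"]:
                types[name].add("output")      # value argument -> output
                if mode == "address":          # address argument -> both
                    types[name].add("input")
    # Pass 2: still-untyped variables used in a conditional, or used by a
    # Security function, become internal use variables.
    for name, _line in conditionals:
        if name not in types:
            types[name].add("internal")
    for call in calls:
        if db.get(call["func"]) != "Security":
            continue
        used = [name for name, _ in call["args"]]
        if call["ret"]:
            used.append(call["ret"])
        for name in used:
            if name not in types:
                types[name].add("internal")
    return dict(types)


def propagation(types, assignments):
    """Step S24: for every input variable, the set of variables its value reaches
    through the assignment graph (transitive closure over (dst, src) edges)."""
    edges = defaultdict(set)
    for dst, src in assignments:
        edges[src].add(dst)
    result = {}
    for name, kinds in types.items():
        if "input" not in kinds:
            continue
        reached, frontier = set(), [name]
        while frontier:
            cur = frontier.pop()
            for nxt in edges[cur]:
                if nxt not in reached:
                    reached.add(nxt)
                    frontier.append(nxt)
        result[name] = reached
    return result


def output_sinks(types, prop):
    """The propagation relationship 453 of FIG. 9 lists the output variables an
    input reaches; restrict each closure to variables typed as output."""
    return {src: {v for v in reached if "output" in types.get(v, set())}
            for src, reached in prop.items()}


if __name__ == "__main__":
    t = classify_variables(CALLS, CONDITIONALS, PROCESS_TYPE_DB)
    p = propagation(t, ASSIGNMENTS)
    for name in sorted(t):
        print(f"{name:6} {sorted(t[name])}  reaches output: {sorted(output_sinks(t, p).get(name, []))}")
```

The second pass deliberately checks `name not in types` before assigning "internal", which is what keeps msg an input variable even though it is also an argument of the Security function; a variable the first pass has already typed is never re-typed. The closure in `propagation` is also what a reviewer would look at first when an input reaches a sink it should not: with the constructed data, msg reaches dev and val through cmd, which is the flow FIG. 9 reports.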
<Details of Step S25 in FIG. 7>
In step S25, the variable determination unit 22 writes the results analyzed in steps S21 to S24 to the memory 12 as the program variable processing relationship 45 (FIG. 9).
An example of the program variable processing relationship 45 will be described with reference to FIG. 9.
The program variable processing relationship 45 represents the analysis result of the variable determination unit 22 for the variables in the program specification 42.
The program variable processing relationship 45 includes a variable type 451, a variable name 452, and a propagation relationship 453.
The variable type 451 indicates the type of the variable obtained by the analysis of the variable determination unit 22.
The variable name 452 indicates the name of the variable.
As described above, the propagation relationship 453 indicates the data flow (propagation relationship) by which the value of a variable determined to be an “input variable” propagates to other variables.
In the example shown in FIG. 9, the variable type of the variable name msg is “input variable”. Furthermore, the propagation relationship 453 shows that the variable msg propagates to the output variables dev and val.
(Step S3 of FIG. 2: information asset-variable correspondence estimation processing)
The candidate generation unit 23 generates candidates for the correspondence relationship between information assets and variables, based on the information asset flow 41 input in step S1 and the program variable processing relationship 45 obtained in step S2.
Specifically, the candidate generation unit 23 reads the information asset flow 41 and the program variable processing relationship 45 from the memory 12.
Next, the candidate generation unit 23 maps the “input” of the information asset flow 41 to the “input variables” of the program variable processing relationship 45. Similarly, the candidate generation unit 23 maps the “output” of the information asset flow 41 to the “output variables” of the program variable processing relationship 45. Furthermore, the candidate generation unit 23 maps the “internal use” of the information asset flow 41 to the “internal use variables” of the program variable processing relationship 45. In this way, the candidate generation unit 23 generates all combinations of information assets and variables of the program specification 42.
Then, the candidate generation unit 23 writes the generated correspondence relationship candidates to the memory 12 as the information asset-variable correspondence relationship candidates 46.
An example of the information asset-variable correspondence relationship candidates 46 will be described with reference to FIG. 10.
The information asset-variable correspondence relationship candidates 46 consist of a candidate name 461, an input or internal use information asset 462, a variable name 463, a propagation relationship 464, and an output information asset 465.
In the example of FIG. 10, in candidate 1, the command, which is an input information asset, is associated with the variables len and msg. The value, which is an input information asset, is associated with the variable ans. The MAC key, which is an internal use information asset, is associated with the variable key. The instruction, which is an output information asset, is associated with the variables dev and val. The response, which is an output information asset, is associated with the variable ret.
The plurality of candidates shown in the information asset-variable correspondence relationship candidates 46 are each different from one another.
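The candidate generation of step S3 is shown below in Python as an added example written for this page, not code from the patent. The page says the unit pairs assets and variables of the same flow kind and generates "all combinations"; the example takes that to mean that each typed variable is assigned to exactly one asset of its kind, which is one reading of the page, and the asset flow 41 and variable types used are assumptions built from the assets and variable names that appear in FIG. 10 (the page itself lists ans only in FIG. 10, not among the step S23 results).

```python
from itertools import product

# Constructed information asset flow 41 (asset -> flow kind) and constructed
# variable types from the program variable processing relationship 45.
ASSET_FLOW = {
    "command": "input", "value": "input",
    "MAC key": "internal",
    "instruction": "output", "response": "output",
}
VARIABLE_TYPES = {
    "msg": "input", "len": "input", "ans": "input",
    "key": "internal",
    "dev": "output", "val": "output", "ret": "output",
}


def generate_candidates(asset_flow, variable_types):
    """Step S3: enumerate every assignment of each typed variable to one asset of
    the same flow kind. Returns a list of candidates, each a sorted tuple of
    (asset, variable) pairs. A variable whose kind has no asset stays unmapped."""
    assets_by_kind, vars_by_kind = {}, {}
    for asset, kind in asset_flow.items():
        assets_by_kind.setdefault(kind, []).append(asset)
    for var, kind in variable_types.items():
        vars_by_kind.setdefault(kind, []).append(var)
    # One choice slot per variable: the asset (of the matching kind) it maps to.
    slots = []
    for kind, names in vars_by_kind.items():
        assets = assets_by_kind.get(kind, [])
        if not assets:
            continue                      # nothing of this kind to map to
        for var in names:
            slots.append([(asset, var) for asset in assets])
    return [tuple(sorted(choice)) for choice in product(*slots)]


def group_by_asset(candidate):
    """Render one candidate the way a FIG. 10 row does: asset -> [variables]."""
    grouped = {}
    for asset, var in candidate:
        grouped.setdefault(asset, []).append(var)
    return {asset: sorted(vs) for asset, vs in grouped.items()}


if __name__ == "__main__":
    cands = generate_candidates(ASSET_FLOW, VARIABLE_TYPES)
    print(len(cands), "candidates; first:", group_by_asset(cands[0]))
```

The candidate count is the product over kinds of |assets of that kind| raised to the number of variables of that kind, so it grows quickly with the size of the program specification; that growth is the reason the page routes the candidates through a user selection in step S4 rather than analysing all of them.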
(Step S4 of FIG. 2: second reception processing)
When a plurality of correspondence relationship candidates exist in the information asset-variable correspondence relationship candidates 46 (FIG. 10) generated in step S3, the second reception unit 24 outputs the information asset-variable correspondence relationship candidates 46.
Then, the second reception unit 24 accepts the selection of the correspondence relationship between information assets and variables that the user has selected.
Specifically, the second reception unit 24 reads the information asset-variable correspondence relationship candidates 46 from the memory 12. When a plurality of correspondence relationship candidates exist in the information asset-variable correspondence relationship candidates 46, the second reception unit 24 transmits the information asset-variable correspondence relationship candidates 46 to the input/output device connected via the communication interface 14.
The information asset-variable correspondence relationship candidates 46 are then displayed on the input/output device. The user operates the input/output device to select the information asset-variable correspondence relationship 47 from the information asset-variable correspondence relationship candidates 46. The selected information asset-variable correspondence relationship 47 is input to the second reception unit 24 via the communication interface 14. The second reception unit 24 accepts the information asset-variable correspondence relationship 47 input via the communication interface 14, and further writes the accepted information asset-variable correspondence relationship 47 to the memory 12. The information asset-variable correspondence relationship 47 is the one of the correspondence relationship candidates included in the information asset-variable correspondence relationship candidates 46 that shows the actual correspondence between information assets and variables.
As shown in FIG. 10, the information asset-variable correspondence relationship candidates 46 also include the propagation relationship and the processing order. The user can therefore select the information asset-variable correspondence relationship 47 taking the propagation relationship and the processing order into account.
Here, it is assumed that candidate 1 of FIG. 10 is selected as the information asset-variable correspondence relationship 47.
When the information asset-variable correspondence relationship candidates 46 contain only one correspondence relationship candidate, step S4 is not performed, but that correspondence relationship candidate included in the information asset-variable correspondence relationship candidates 46 is also referred to below as the information asset-variable correspondence relationship 47.
(Step S5 of FIG. 2: related threat extraction processing)
The related threat extraction unit 25 extracts a list of the threats related to the program specification 42 as the related threat list 48, based on the information asset-variable correspondence relationship 47. The related threat list 48 is extracted for each program specification 42.
Specifically, the related threat extraction unit 25 reads the threat analysis result 44 (FIG. 6) and the correspondence 43 (FIG. 5) between the constituent elements and the program specifications from the memory 12.
The related threat extraction unit 25 then processes each entry of the correspondence 43 between the constituent elements and the program specifications in turn, and reads from the memory the information asset flow 41 (FIG. 3) corresponding to the content of the constituent element 431 and the information asset-variable correspondence relationship 47 corresponding to the content of the program specification 432.
The related threat extraction unit 25 then uses the information asset flow 41 and the information asset-variable correspondence relationship 47 to extract the threats related to the program specification 42 from the threat analysis result 44 (FIG. 6) (the details are described later using FIG. 11).
The related threat extraction unit 25 then writes the extracted result to the memory 12 as the related threat list 48, associated with the processed program specification 42. The related threat extraction unit 25 performs these operations for every entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications.
The related threat extraction unit 25 extracts related threats by, for example, the operation shown in FIG. 11.
First, the related threat extraction unit 25 searches the threat analysis result 44 (FIG. 6) for entries whose component 442 contains the content written in the constituent element 431 of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications. The related threat extraction unit 25 then tentatively extracts the content written in the threat 441 of the entries obtained by the search.
For example, when threat extraction is being performed for PROGRAM_C.C, the constituent element on which PROGRAM_C.C operates is the controller according to the correspondence 43 (FIG. 5) between the constituent elements and the program specifications. The related threat extraction unit 25 therefore searches the threat analysis result 44 (FIG. 6) for entries whose component 442 contains “controller”. In the threat analysis result 44 (FIG. 6), the entries “HMI-controller”, “controller”, and “controller-device” are obtained (procedure (1) in FIG. 11). The related threat extraction unit 25 then tentatively extracts “tampering of unencrypted communication”, “leakage by guessing”, “tampering by resending”, and “DoS by resending” written in the threat 441 of these entries (procedure (2) in FIG. 11).
Next, when the content written in the related information assets 443 of an entry obtained by the search is associated with a variable in the information asset-variable correspondence relationship 47, the related threat extraction unit 25 formally extracts the content written in the threat 441 of that entry.
The related threat extraction unit 25 determines whether each of “command”, “response”, “MAC key”, “instruction”, “value”, and “status” in the related information assets 443 of the entries (line numbers 4 to 13) obtained in procedure (1) of FIG. 11 is associated with a variable in the information asset-variable correspondence relationship 47 (FIG. 10).
In the information asset-variable correspondence relationship 47 of FIG. 10, the information assets other than “status” are associated with variables.
The related threat extraction unit 25 therefore formally extracts the content written in the threat 441 of lines 4 to 11 of FIG. 11 (procedure (3) in FIG. 11).
The related threat extraction unit 25 then writes the content of the extracted threats 441 to the memory 12 as the related threat list 48.
An example of the related threat list 48 will be described with reference to FIG. 12.
The related threat list 48 is the part of the threat analysis result 44 extracted by the extraction processing illustrated in FIG. 11. The related threat list 48 is stored in association with the related program specification 42 (FIG. 4). The related threat list 48 may also be associated with an entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications.
(Step S6 of FIG. 2: related vulnerability candidate extraction processing)
Based on the related threat list 48 (FIG. 12) extracted in step S5 and the information in the threat-vulnerability type correspondence DB 32 (FIG. 13), the vulnerability candidate extraction unit 26 extracts, for each individual related threat, the vulnerability type candidates 49 to be inspected, that is, the vulnerability types that could be used in an attack realizing a threat related to the program specification 42 (FIG. 4).
Specifically, the vulnerability candidate extraction unit 26 reads the threat-vulnerability type correspondence DB 32 from the storage 13 and writes the threat-vulnerability type correspondence DB 32 to the memory 12.
Next, the vulnerability candidate extraction unit 26 reads the correspondence 43 (FIG. 5) between the constituent elements and the program specifications from the memory 12.
The vulnerability candidate extraction unit 26 then processes each entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications in turn, and reads the related threat list 48 (FIG. 12) corresponding to the program specification 432 from the memory 12.
Next, for each threat written in the related threat list 48, the vulnerability candidate extraction unit 26 refers to the entry of the threat-vulnerability type correspondence DB 32 and obtains the candidate vulnerability types related to the threat from the vulnerability type list 322. The vulnerability candidate extraction unit 26 then writes the obtained candidate vulnerability types to the memory 12 as the vulnerability type candidates 49 (FIG. 14), associated with the individual threat. The vulnerability candidate extraction unit 26 does this for all threats.
The vulnerability candidate extraction unit 26 then continues the same processing for the next entry of the correspondence 43 (FIG. 5) between the constituent elements and the program specifications, and extracts the vulnerability type candidates 49 for all entries.
An example of the threat-vulnerability type correspondence DB 32 will be described with reference to FIG. 13.
The threat-vulnerability type correspondence DB 32 can be represented in table form as shown in FIG. 13.
The threat-vulnerability type correspondence DB 32 contains a threat 321 and the information of the vulnerability type list 322 corresponding to that threat.
The vulnerability type list 322 enumerates the vulnerability types corresponding to the threat. When there is no entry for a threat in the threat-vulnerability type correspondence DB 32, or when an entry for the threat exists but no corresponding vulnerability type is written, there is no vulnerability type for that threat that can be analyzed at the level described by the program specification 42. For example, “fault” in FIG. 13 has no vulnerability type, because a fault is a defect of the device and not a vulnerability originating in the program. When there is no vulnerability in this way, the vulnerability candidate extraction unit 26 may include, in the result output of the vulnerability analysis in step S7 described later, an indication that there is no vulnerability candidate corresponding to the threat.
An example of the vulnerability type candidates 49 will be described with reference to FIG. 14.
The vulnerability type candidates 49 are information that associates the threat 441, the component 442, the related information assets 443, and the threat type 444 of the related threat list 48 with the vulnerability type list 322 of the threat-vulnerability type correspondence DB 32. Unlike FIG. 14, the vulnerability type candidates 49 may consist of only the threat 441, the related information assets 443, and the vulnerability type list 322. The vulnerability type candidates 49 may also include elements not shown in FIG. 14.
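The related threat extraction of step S5 (procedures (1) to (3) of FIG. 11) and the vulnerability candidate extraction of step S6 are shown below in Python as one added example written for this page; it is not code from the patent. The tables are constructed in the style of FIG. 5, FIG. 6, FIG. 10 and FIG. 13: the threat names, the components containing "controller", the "status" asset being unmapped, and "fault" having no vulnerability type are taken from the page, while the exact rows, PROGRAM_D.C's mapping, and the vulnerability type names in the DB are assumptions.

```python
# Correspondence 43: (constituent element 431, program specification 432).
COMPONENT_PROGRAMS = [("controller", "PROGRAM_C.C"), ("controller", "PROGRAM_D.C")]

# Threat analysis result 44: (threat 441, component 442, related asset 443, type 444).
THREAT_ANALYSIS = [
    ("leakage by guessing", "remote terminal", "password", "C"),
    ("tampering of unencrypted communication", "HMI-controller", "command", "I"),
    ("tampering of unencrypted communication", "HMI-controller", "response", "I"),
    ("tampering by resending", "HMI-controller", "command", "I"),
    ("DoS by resending", "HMI-controller", "command", "A"),
    ("leakage by guessing", "controller", "MAC key", "C"),
    ("tampering of unencrypted communication", "controller-device", "instruction", "I"),
    ("tampering of unencrypted communication", "controller-device", "value", "I"),
    ("fault", "controller-device", "value", "A"),
    ("tampering of unencrypted communication", "controller-device", "status", "I"),
]

# Information asset-variable correspondence 47, per program specification.
# PROGRAM_C.C is candidate 1 of FIG. 10; PROGRAM_D.C is a constructed contrast.
ASSET_VARIABLE = {
    "PROGRAM_C.C": {"command": ["len", "msg"], "value": ["ans"], "MAC key": ["key"],
                    "instruction": ["dev", "val"], "response": ["ret"]},
    "PROGRAM_D.C": {"status": ["st"]},
}

# Threat-vulnerability type correspondence DB 32. Type names are constructed;
# "fault" -> empty list is the page's own example.
THREAT_VULN_DB = {
    "tampering of unencrypted communication": ["missing integrity check"],
    "tampering by resending": ["missing replay protection"],
    "DoS by resending": ["missing replay protection", "missing rate limiting"],
    "leakage by guessing": ["weak secret"],
    "fault": [],
}


def related_threats(component, asset_variable, threat_analysis):
    """Step S5. Procedures (1)-(2): tentatively take entries whose component 442
    contains the constituent element. Procedure (3): keep only entries whose
    related asset is mapped to some variable in correspondence 47."""
    tentative = [t for t in threat_analysis if component in t[1]]
    return [t for t in tentative if t[2] in asset_variable]


def vulnerability_candidates(threat_list, db):
    """Step S6: join each related threat with its vulnerability type list 322.
    A threat missing from the DB, or with an empty list, is flagged no_candidate
    so the step S7 output can say so instead of silently dropping the threat."""
    out = []
    for threat, component, asset, ttype in threat_list:
        types = db.get(threat, [])
        out.append({"threat": threat, "component": component, "asset": asset,
                    "type": ttype, "vulnerability_types": list(types),
                    "no_candidate": not types})
    return out


def analyze_all(component_programs, asset_variable, threat_analysis, db):
    """Run steps S5 and S6 over every entry of correspondence 43."""
    results = {}
    for component, program in component_programs:
        threats = related_threats(component, asset_variable.get(program, {}), threat_analysis)
        results[program] = vulnerability_candidates(threats, db)
    return results


if __name__ == "__main__":
    for program, rows in analyze_all(COMPONENT_PROGRAMS, ASSET_VARIABLE,
                                     THREAT_ANALYSIS, THREAT_VULN_DB).items():
        print(program)
        for r in rows:
            print("  ", r["threat"], "|", r["asset"], "|", r["vulnerability_types"] or "NO CANDIDATE")
```

Procedure (1) is a substring match, exactly as the page describes it, so a constituent element whose name is contained in another ("device" in "controller-device") also pulls in that connection's entries. For a defender that errs in the safe direction: over-inclusion only adds checks in step S7, whereas under-inclusion would drop threats from the inspection scope, which is why the page's filter narrows on the asset mapping rather than on the component name.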
(Step S7 of FIG. 2: vulnerability analysis processing)
The vulnerability analysis unit 27 analyzes whether the vulnerability types shown in the vulnerability type list 322 of the vulnerability type candidates 49 extracted in step S6 exist in the program specification 42. The vulnerability analysis unit 27 then outputs the analysis result.
The vulnerability analysis is performed using static code analysis or formal verification techniques such as those described in the background art. The vulnerability analysis unit 27 inspects the vulnerabilities related to each threat according to the information in the vulnerability type candidates 49.
Specifically, the vulnerability analysis unit 27 reads from the memory 12 the program specification 42 (FIG. 4) to be subjected to vulnerability analysis, the corresponding related threat list 48 (FIG. 12), and the vulnerability type candidates 49 (FIG. 14) corresponding to each related threat.
Next, the vulnerability analysis unit 27 performs the vulnerability analysis. That is, the vulnerability analysis unit 27 extracts each vulnerability type and the variables related to it based on the corresponding related threat list 48 and vulnerability type candidates 49, and performs the vulnerability analysis.
When a vulnerability is detected, the vulnerability analysis unit 27 writes the vulnerability detection result 410 (FIG. 15) to the memory 12 (when another vulnerability detection result 410 already exists, the new vulnerability detection result 410 is appended to the existing vulnerability detection result 410).
The vulnerability analysis unit 27 does this for all program specifications 42 to be inspected.
When all vulnerability analyses have been completed for all program specifications 42 to be inspected, the vulnerability analysis unit 27 transmits the vulnerability detection result 410 to the connected input/output device via the communication interface 14.
The input/output device that receives the vulnerability detection result 410 displays the vulnerability detection result 410. The vulnerability detection result 410 may also be saved to a file.
Note that the vulnerability analysis unit 27 performs the vulnerability analysis taking into account the variables associated with the information assets as well.
An example of the vulnerability detection result 410 will be described with reference to FIG. 15.
The vulnerability detection result 410 includes a vulnerability type 411, a variable 412, a location 413, a threat 414, a component 415 and an information asset 416.
The vulnerability type 411 indicates the vulnerability type detected by the vulnerability analysis unit 27.
The variable 412 indicates the variable related to the vulnerability type detected by the vulnerability analysis unit 27.
The location 413 indicates the place in the program specification 42 related to the vulnerability type detected by the vulnerability analysis unit 27.
The threat 414 indicates the threat to which the vulnerability type detected by the vulnerability analysis unit 27 corresponds.
The component 415 indicates the component in which the vulnerability type detected by the vulnerability analysis unit 27 exists.
The information asset 416 indicates the information asset in which the vulnerability type detected by the vulnerability analysis unit 27 exists.
FIG. 15 shows an example of the vulnerability detection result 410 related to threat #6 (a threat by guessing) of PROGRAM_C.C. In the example of FIG. 15, "vulnerability 1" is shown as the vulnerability type 411, "key" as the variable 412, "line 1 of PROGRAM_C.C" as the location 413 and "leakage by guessing" as the threat 414. "Controller" is shown as the component 415 and "MAC key" as the information asset 416.
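The processing of step S7 and the record layout of FIG. 15, as an added worked example that is not part of the patent: the related threat list 48, the information asset-variable correspondence 47 and the vulnerability type candidate 49 are joined, and each vulnerability type is dispatched to a checker run over the program text. The two checkers, the six-line PROGRAM_C.C and all identifiers are constructed for illustration; "vulnerability 1" and "vulnerability 2" are assumed here to mean a hard-coded constant and a write to a log, which the page does not state. A real implementation would put a static analyzer or model checker behind the same dispatch.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# Added example (not the patent's code): the join performed in step S7 between the related
# threat list 48, the asset-variable correspondence 47 and the vulnerability type candidate 49,
# with the per-type checks delegated to pluggable checker functions. Both checkers are assumed
# placeholders for the page's "vulnerability 1"/"vulnerability 2"; the program text is constructed.

@dataclass(frozen=True)
class RelatedThreat:          # one row of the related threat list 48
    threat_id: int
    threat: str               # 441
    component: str            # 442
    asset: str                # 443 related information asset
    threat_type: str          # 444: "C", "I" or "A"

@dataclass(frozen=True)
class Detection:              # one row of the vulnerability detection result 410
    vuln_type: str            # 411
    variable: str             # 412
    location: str             # 413
    threat: str               # 414
    component: str            # 415
    asset: str                # 416

Checker = Callable[[str, Sequence[str]], List[int]]   # (variable, program lines) -> 1-based line numbers

def check_hardcoded_constant(var: str, lines: Sequence[str]) -> List[int]:
    """Assumed checker for 'vulnerability 1': the variable is initialised from a literal."""
    pat = re.compile(r"\b" + re.escape(var) + r"\b[^=;]*=\s*(\{|\"|'|0x[0-9a-fA-F]+|\d)")
    return [n for n, ln in enumerate(lines, start=1) if pat.search(ln)]

def check_written_to_log(var: str, lines: Sequence[str]) -> List[int]:
    """Assumed checker for 'vulnerability 2': the variable is passed to a print/log call."""
    pat = re.compile(r"\b(printf|log\w*)\s*\(.*\b" + re.escape(var) + r"\b")
    return [n for n, ln in enumerate(lines, start=1) if pat.search(ln)]

CHECKERS: Dict[str, Checker] = {
    "vulnerability 1": check_hardcoded_constant,
    "vulnerability 2": check_written_to_log,
}

def analyze(spec_name, lines, threats, asset_vars, vuln_candidates):
    """Step S7 for one program specification 42. Returns (detection results 410, vulnerability
    types that had no checker). Types without a checker are reported rather than silently
    skipped, so a gap in the analysis stays visible to the user."""
    results: List[Detection] = []
    unchecked = set()
    for t in threats:
        for vtype in vuln_candidates.get(t.threat_id, []):      # candidate 49 for this threat
            checker = CHECKERS.get(vtype)
            if checker is None:
                unchecked.add(vtype)
                continue
            for var in asset_vars.get(t.asset, []):             # variables tied to the asset (47)
                for lineno in checker(var, lines):
                    results.append(Detection(vtype, var, f"line {lineno} of {spec_name}",
                                             t.threat, t.component, t.asset))
    return results, unchecked

# Constructed program specification 42 for PROGRAM_C.C (six lines, numbered from 1).
PROGRAM_C_LINES = [
    "static const uint8_t key[16] = {0x00, 0x01, 0x02, 0x03};",
    "void handle_cmd(const uint8_t *cmd, size_t len) {",
    "    uint8_t mac[16];",
    "    compute_mac(key, cmd, len, mac);",
    '    log_debug("k0=%02x", key[0]);',
    "}",
]
RELATED_THREATS = (                                          # related threat list 48 (constructed)
    RelatedThreat(6, "leakage by guessing", "Controller", "MAC key", "C"),
    RelatedThreat(2, "tampering with command", "Controller", "command", "I"),
)
ASSET_VARS = {"MAC key": ["key"], "command": ["cmd"]}        # from correspondence 47 (constructed)
VULN_CANDIDATES = {6: ["vulnerability 1", "vulnerability 2"],  # candidate 49 (constructed)
                   2: ["vulnerability 3"]}                    # no checker registered for this type

def run_example() -> Tuple[List[Detection], set]:
    return analyze("PROGRAM_C.C", PROGRAM_C_LINES, RELATED_THREATS, ASSET_VARS, VULN_CANDIDATES)

if __name__ == "__main__":
    found, missing = run_example()
    for d in found:
        print(d)
    print("no checker for:", sorted(missing))
```

Run as a script, the block prints one record per detection, each carrying the six fields of FIG. 15, plus the vulnerability types for which no checker exists; a type that is in the candidate 49 but cannot be analyzed is a coverage gap the user should see, not a clean result.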
***Explanation of the effects of the embodiment***
As described above, according to the present embodiment, candidates for the correspondence between the variables contained in the program executed by the device and the information assets used by the device are generated, so the correspondence between parts of the program, the information assets and the vulnerabilities can be made explicit.
In the present embodiment, the correspondence between the threat analysis result and the program specification can also be made explicit on the basis of the correspondence between the flow of information assets in the threat analysis and the input/output classification of the variables in the program specification. Therefore, according to the present embodiment, the analysis target can be narrowed down at the time of the vulnerability analysis.
In the present embodiment, the correspondence between the flow of information assets in the threat analysis and the input/output relationships of the variables in the program specification can be analyzed and inferred automatically, so the user of the vulnerability analysis is spared the effort of establishing these correspondences one by one.
Furthermore, the present embodiment stores the correspondence between each threat and the vulnerabilities exploited by the attacks that lead to that threat. Therefore, during the vulnerability analysis, the vulnerabilities exploited by an attack can be derived from the threat analysis result by consulting this correspondence.
Embodiment 2.
In Embodiment 1, the vulnerability analysis device 10 obtains the device configuration of the system subject to vulnerability analysis, the types of the information assets and the flow of the information assets from an information asset flow 41 (FIG. 3) acquired from outside.
In the present embodiment, an example is described in which the vulnerability analysis device 10 itself analyzes the device configuration of the system subject to vulnerability analysis, the types of the information assets and the flow of the information assets.
The present embodiment mainly describes the differences from Embodiment 1.
Matters not described below are the same as in Embodiment 1.
***Explanation of the configuration***
The configuration of the vulnerability analysis device 10 according to the present embodiment will be described with reference to FIG. 16.
Compared with the configuration of FIG. 1, FIG. 16 adds an information asset determination unit 28. The other elements shown in FIG. 16 are the same as those shown in FIG. 1.
***Explanation of the operation***
An operation example of the vulnerability analysis device 10 according to the present embodiment will be described below with reference to FIG. 2.
In the present embodiment, in step S1 of FIG. 2, the first reception unit 21 receives threat analysis input information 51 instead of the information asset flow 41.
Specifically, the user operates the input device connected via the communication interface 14 to enter the threat analysis input information 51, the program specification 42, the correspondence 43 between the components and the program specifications, and the threat analysis result 44.
The first reception unit 21 receives the threat analysis input information 51, the program specification 42, the correspondence 43 between the components and the program specifications, and the threat analysis result 44 via the communication interface 14.
The first reception unit 21 then writes the threat analysis input information 51, the program specification 42, the correspondence 43 between the components and the program specifications, and the threat analysis result 44 to the memory 12.
The threat analysis input information 51 is the information that was used for the threat analysis.
The threat analysis input information 51 includes the plurality of components constituting the system subject to vulnerability analysis, the connection relationships between the components, a list of the information assets, and information indicating the flow of the information assets.
Next, before step S3 is carried out, the information asset determination unit 28 performs a related information asset flow extraction process.
In the related information asset flow extraction process, the information asset determination unit 28 extracts, for each component, the information asset flow related to the program specification 42 subject to vulnerability analysis, on the basis of the threat analysis input information 51 received in step S1 and the correspondence 43 between the components and the program specifications. The extracted information asset flow has the same format as the information asset flow 41 of FIG. 3 described in Embodiment 1.
That is, the information asset determination unit 28 determines whether each information asset used in the system subject to threat analysis is an input information asset, an output information asset or an internally used information asset.
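The related information asset flow extraction process, as an added worked example that is not part of the patent: from the threat analysis input information 51 (components, connections, asset list, asset flows) and the correspondence 43, it derives, for the component that runs a given program specification, whether each asset is input, output or internally used. The field layout of the input is an assumption; in particular the asset list is assumed to name the component that holds each asset, which is what marks an asset as internally used. The HMI/controller/sensor system and PROGRAM_A.C are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Added example (not the patent's code) of the related information asset flow extraction of
# Embodiment 2. The layout of the threat analysis input information 51 is an assumption.

@dataclass(frozen=True)
class ThreatAnalysisInput:                    # threat analysis input information 51
    components: FrozenSet[str]
    connections: FrozenSet[Tuple[str, str]]   # undirected links between components
    assets: Dict[str, str]                    # asset name -> component holding it (assumed field)
    flows: Tuple[Tuple[str, str, str], ...]   # (asset, source component, destination component)

def classify_assets(inp: ThreatAnalysisInput, component: str) -> Dict[str, Set[str]]:
    """Return {asset: {"input" | "output" | "internal", ...}} for one component.

    An asset may be both input and output (received and forwarded). A flow over a link the
    threat model never declared, or to/from an unknown component, is an inconsistency in
    the input and is rejected instead of being classified."""
    links = {frozenset(p) for p in inp.connections}
    result: Dict[str, Set[str]] = {}
    for asset, src, dst in inp.flows:
        if src not in inp.components or dst not in inp.components:
            raise ValueError(f"flow of {asset!r} refers to an unknown component")
        if frozenset((src, dst)) not in links:
            raise ValueError(f"flow of {asset!r} from {src} to {dst} uses an undeclared connection")
        if dst == component:
            result.setdefault(asset, set()).add("input")
        if src == component:
            result.setdefault(asset, set()).add("output")
    for asset, holder in inp.assets.items():
        if holder == component and asset not in result:
            result[asset] = {"internal"}       # held here and never crosses the component boundary
    return result

def asset_flow_for_spec(inp: ThreatAnalysisInput, comp_to_spec: Dict[str, str], spec_name: str):
    """Use correspondence 43 (component -> program specification) to build the information
    asset flow, in the sense of flow 41, for the component that runs spec_name."""
    owners = [c for c, s in comp_to_spec.items() if s == spec_name]
    if len(owners) != 1:
        raise ValueError(f"{spec_name} must map to exactly one component, got {owners}")
    return owners[0], classify_assets(inp, owners[0])

# Constructed threat analysis input for a small HMI / controller / sensor system.
SAMPLE_INPUT = ThreatAnalysisInput(
    components=frozenset({"HMI", "Controller", "Sensor"}),
    connections=frozenset({("HMI", "Controller"), ("Controller", "Sensor")}),
    assets={"command": "HMI", "sensor value": "Sensor", "MAC key": "Controller", "log": "Controller"},
    flows=(("command", "HMI", "Controller"),
           ("sensor value", "Sensor", "Controller"),
           ("log", "Controller", "HMI")),
)
COMP_TO_SPEC = {"Controller": "PROGRAM_C.C", "HMI": "PROGRAM_A.C"}   # correspondence 43 (constructed)

if __name__ == "__main__":
    comp, flow = asset_flow_for_spec(SAMPLE_INPUT, COMP_TO_SPEC, "PROGRAM_C.C")
    for asset, kinds in sorted(flow.items()):
        print(f"{comp}: {asset} -> {sorted(kinds)}")
```

For the controller the MAC key comes out as internal, the command and the sensor value as input and the log as output; the same asset classified for the HMI gives the mirror image, which is exactly why the flow has to be extracted per component rather than once for the system.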
***Explanation of the effects of the embodiment***
As described above, according to the present embodiment, the vulnerability analysis device 10 can generate the information asset flow itself, so there is no need to generate the information asset flow on an external device.
Embodiment 3.
In Embodiments 1 and 2, when candidates for the correspondence between information assets and variables are output, the order in which the candidates are output is not considered.
In the present embodiment, when the vulnerability analysis device 10 outputs candidates for the correspondence between information assets and variables, it controls the output order according to the certainty of each candidate. That is, in the present embodiment, when the second reception unit 24 outputs a plurality of correspondence candidates, it assigns priorities among the plurality of correspondence candidates and outputs the candidates with higher priority first.
The present embodiment mainly describes the differences from Embodiment 1.
Matters not described below are the same as in Embodiment 1.
Specifically, in step S3 of FIG. 2, when the candidate generation unit 23 analyzes the correspondence between the variables in the program specification 42 and the information assets, the candidate generation unit 23 estimates the certainty of each candidate. The candidate generation unit 23 estimates the certainty of a candidate correspondence between a variable and an information asset using, for example, combinations of preset keywords.
For example, the candidate generation unit 23 estimates that the information asset "command" and the variables command and cmd form a candidate of high certainty because their notations are similar. The candidate generation unit 23 also judges that a candidate with many corresponding variable combinations has high certainty. The candidate generation unit 23 specifies the output order (priority) of the plurality of correspondence candidates according to their certainty.
The second reception unit 24 then outputs the plurality of correspondence candidates in the output order specified by the candidate generation unit 23.
As described above, in the present embodiment, the certainty of each correspondence candidate is estimated, the output order of the correspondence candidates is specified on the basis of that certainty, and the plurality of correspondence candidates are output in the specified order. Therefore, according to the present embodiment, the user can easily select the correct correspondence even when there are a plurality of correspondence candidates.
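The certainty estimate of Embodiment 3, as an added worked example that is not part of the patent. The candidate generation of Embodiment 1 has already matched variables to assets by type (input, output, internally used); this block only orders those candidates. The similarity rules (exact word, prefix, abbreviation by subsequence, keyword table) and the bonus per additional matching variable are assumptions chosen to reproduce the page's own example, the asset "command" against the variables command and cmd; the keyword table and the candidate list are constructed.

```python
import re
from typing import Dict, List, Sequence, Set, Tuple

# Added example (not the patent's code) of the certainty estimate of Embodiment 3.
# Similarity rules, keyword table and sample candidates are assumptions/constructed data.

KEYWORDS: Dict[str, Set[str]] = {          # preset keyword combinations (constructed)
    "command": {"cmd", "command", "req", "request"},
    "mac key": {"key", "mac_key", "k", "secret"},
    "sensor value": {"sensor", "val", "value", "meas"},
}

def tokens(name: str) -> List[str]:
    """Split 'MAC key', 'mac_key' or 'macKey' into lower-case words."""
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", name)
    return [t for t in re.split(r"[^a-z0-9]+", spaced.lower()) if t]

def is_abbreviation(short: str, long: str) -> bool:
    """True if `short` is a subsequence of `long` starting at its first letter (cmd <= command)."""
    if not short or short[0] != long[0]:
        return False
    it = iter(long)
    return all(ch in it for ch in short)   # `in` advances the iterator, so letter order is enforced

def token_similarity(asset_tok: str, var_tok: str) -> float:
    if asset_tok == var_tok:
        return 1.0
    if len(var_tok) >= 2 and asset_tok.startswith(var_tok):
        return 0.8
    if len(var_tok) >= 2 and is_abbreviation(var_tok, asset_tok):
        return 0.6
    return 0.0

def variable_score(asset: str, var: str) -> float:
    """Similarity of one variable name to one asset name, in [0, 1]."""
    best = max((token_similarity(a, v) for a in tokens(asset) for v in tokens(var)), default=0.0)
    if var.lower() in KEYWORDS.get(asset.lower(), set()):
        best = max(best, 0.7)
    return best

def candidate_certainty(asset: str, variables: Sequence[str]) -> float:
    """Certainty of one candidate 'asset <-> set of variables': mean similarity over the candidate's
    variables, plus a bonus per additional matching variable (more corresponding variables, more certain)."""
    matched = [s for s in (variable_score(asset, v) for v in variables) if s > 0]
    if not matched:
        return 0.0
    return sum(matched) / len(variables) + 0.1 * (len(matched) - 1)

def rank_candidates(candidates: Sequence[Tuple[str, Tuple[str, ...]]]):
    """Order correspondence candidates 46 for output, most certain first; ties are broken by
    name so that the output order is deterministic across runs."""
    return sorted(candidates, key=lambda c: (-candidate_certainty(*c), c[0], c[1]))

SAMPLE_CANDIDATES = [                                   # constructed candidates 46
    ("command", ("cmd",)),
    ("command", ("command", "cmd")),
    ("command", ("buf",)),
    ("MAC key", ("key",)),
    ("MAC key", ("k",)),
]

if __name__ == "__main__":
    for asset, variables in rank_candidates(SAMPLE_CANDIDATES):
        print(f"{candidate_certainty(asset, variables):.2f}  {asset} <-> {variables}")
```

The single-letter variable k only scores through the keyword table; the abbreviation and prefix rules deliberately require at least two letters, otherwise almost every variable would weakly match almost every asset and the ranking would carry no information.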
Embodiment 4.
In Embodiments 1 to 3, the vulnerability candidate extraction unit 26 uses the threat-vulnerability type correspondence DB 32 to extract the vulnerability type candidates corresponding to the related threats.
In the present embodiment, the first reception unit 21 acquires an attack tree, and the vulnerability candidate extraction unit 26 uses the attack tree to extract the vulnerability type candidates. The attack tree is information indicating, for each threat in the threat analysis result 44 (FIG. 6), the sequence of attack steps needed to realize the threat and the types of vulnerabilities exploited by those steps.
When extracting the vulnerability type candidates corresponding to each threat in the related threat list 48 (FIG. 12), the vulnerability candidate extraction unit 26 extracts the vulnerability type information contained in the attack tree instead of using the threat-vulnerability type correspondence DB 32. The vulnerability candidate extraction unit 26 extracts a vulnerability type from the attack tree only after confirming that the attack target of the step is the corresponding component.
Matters not described in the present embodiment are the same as in Embodiment 1.
As described above, in the present embodiment, using the vulnerability type information contained in the attack tree allows a more flexible analysis (when the threat-vulnerability type correspondence DB 32 is used, the correspondence between threats and vulnerability types is fixed). According to the present embodiment, a flexible analysis is possible, for example, when the types of vulnerabilities exploited change with the system configuration or the manner of attack.
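The extraction of Embodiment 4, as an added worked example that is not part of the patent: the vulnerability type list for a related threat is read from an attack tree, and a step contributes its vulnerability types only if its attack target is the component being analyzed, which is the confirmation the embodiment requires. The tree shape, the fixed-DB entry it is contrasted with and the placeholder names "vulnerability N" are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not the patent's code) of Embodiment 4. Tree, DB entry and type names are constructed.

@dataclass(frozen=True)
class AttackNode:
    step: str                                  # attack step realising (part of) the threat
    target: str                                # component the step is carried out against
    vuln_types: Tuple[str, ...] = ()           # vulnerability types exploited by this step
    children: Tuple["AttackNode", ...] = ()    # refinements / preceding sub-steps

THREAT_VULN_DB: Dict[str, List[str]] = {        # fixed correspondence DB 32 (constructed)
    "leakage by guessing": ["vulnerability 1"],
}

ATTACK_TREES: Dict[int, AttackNode] = {         # threat id -> attack tree root (constructed)
    6: AttackNode("obtain the MAC key by guessing", "Controller", children=(
        AttackNode("collect MAC values from the link", "Network", ("vulnerability 4",)),
        AttackNode("recover the key from weak key material", "Controller", ("vulnerability 1",), children=(
            AttackNode("key derived from a low-entropy seed", "Controller", ("vulnerability 5",)),
        )),
    )),
}

def vuln_types_from_tree(root: AttackNode, component: str) -> List[str]:
    """Pre-order walk collecting the types of every step whose attack target is `component`,
    de-duplicated with the first occurrence kept."""
    found: List[str] = []
    stack = [root]
    while stack:
        node = stack.pop()
        if node.target == component:                 # the confirmation required before extracting
            for v in node.vuln_types:
                if v not in found:
                    found.append(v)
        stack.extend(reversed(node.children))        # reversed so children pop in source order
    return found

def vuln_type_candidates(threat_id: int, threat: str, component: str, use_tree: bool) -> List[str]:
    """Vulnerability type list 322 for one related threat: from the tree (Embodiment 4) or from DB 32."""
    if use_tree:
        root = ATTACK_TREES.get(threat_id)
        return vuln_types_from_tree(root, component) if root else []
    return list(THREAT_VULN_DB.get(threat, []))

if __name__ == "__main__":
    for comp in ("Controller", "Network", "HMI"):
        print(comp, vuln_type_candidates(6, "leakage by guessing", comp, use_tree=True))
    print("DB:", vuln_type_candidates(6, "leakage by guessing", "Controller", use_tree=False))
```

For the controller the tree yields vulnerability 1 and vulnerability 5 while the fixed DB yields only vulnerability 1, and the step aimed at the network is left out of the controller's list: that per-component, per-tree difference is the flexibility the embodiment is after.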
Embodiment 5.
In Embodiments 1 to 4, the program specification 42 is used as-is in the vulnerability analysis.
In the present embodiment, the vulnerability analysis unit 27 performs the vulnerability analysis with reference to the association between information assets and variables and/or the threat types. That is, in the present embodiment, the vulnerability analysis unit 27 can add the associations between the plurality of information assets and the plurality of variables obtained from the information asset-variable correspondence 47 (FIG. 10) to the program specification 42 and then perform the vulnerability analysis. The vulnerability analysis unit 27 can also perform the vulnerability analysis with reference to the threat types 444 (C, I, A) recorded in the threat analysis result 44; that is, it can add the threat types 444 (C, I, A) to the program specification 42 and then perform the vulnerability analysis.
Also in the present embodiment, the vulnerability analysis unit 27 can extract from the program specification 42, as a program fragment, the portion describing the processing related to the vulnerability type candidates extracted by the vulnerability candidate extraction unit 26, and perform the vulnerability analysis using the extracted program fragment. In this case, the vulnerability analysis unit 27 can extract from the program specification 42 as the program fragment, for example, processing that references or modifies a variable related to the threat, processing that uses other variables that affect a variable related to the threat, and the branch processing, decision processing and other processing that controls the execution of the processing described above.
Matters not described in the present embodiment are the same as in Embodiment 1.
As described above, in the present embodiment, the vulnerability inspection is performed after adding meta-information, such as the association between information assets and variables and the value (C, I, A) of the information assets, to the program specification under inspection. Therefore, in the present embodiment, the generation of the check formulas and/or the model can be made more efficient.
Also, in the present embodiment, using a program fragment makes the vulnerability analysis more efficient than using the entire program specification.
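Both parts of Embodiment 5, as one added worked example that is not part of the patent: the extraction of a program fragment around a threat-related variable (statements that reference or modify it, earlier statements defining the variables those statements read, and the branches that control them), followed by annotation of the fragment with the asset-variable association and the CIA threat type. The statement representation (def/use sets and a controlling-branch line per statement) is an assumption standing in for a parser's output, and the program text is constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# Added example (not the patent's code) of Embodiment 5: program fragment extraction plus
# meta-information annotation. Statement representation and program text are constructed.

@dataclass(frozen=True)
class Stmt:
    line: int
    text: str
    defs: FrozenSet[str] = frozenset()    # variables written by the statement
    uses: FrozenSet[str] = frozenset()    # variables read by the statement
    ctrl: Optional[int] = None            # line of the branch/decision controlling this statement

def program_fragment(stmts: Sequence[Stmt], seed_vars: Set[str]) -> List[Stmt]:
    """Backward, statement-level slice from every statement that touches a seed variable.
    Data dependence is over-approximated: every earlier definition of a used variable is
    taken, since no control-flow graph is built here. Forward flow (where the value goes
    afterwards) is deliberately not followed; it is a separate propagation analysis."""
    by_line = {s.line: s for s in stmts}
    worklist = [s.line for s in stmts if (s.defs | s.uses) & seed_vars]   # reference or modify
    fragment: Set[int] = set()
    while worklist:
        ln = worklist.pop()
        if ln in fragment:
            continue
        fragment.add(ln)
        s = by_line[ln]
        for v in s.uses:                                   # other variables affecting this one
            worklist.extend(d.line for d in stmts if d.line < ln and v in d.defs)
        if s.ctrl is not None:                             # branch/decision controlling execution
            worklist.append(s.ctrl)
    return [by_line[n] for n in sorted(fragment)]

def annotate(fragment: Sequence[Stmt], var_assets: Dict[str, Tuple[str, str]]) -> List[str]:
    """Attach 'asset name (C|I|A)' from correspondence 47 and threat type 444 to each fragment line."""
    out = []
    for s in fragment:
        tags = [f"{var_assets[v][0]} ({var_assets[v][1]})" for v in sorted(s.defs | s.uses) if v in var_assets]
        out.append(f"{s.line}: {s.text}" + (f"  /* asset: {', '.join(tags)} */" if tags else ""))
    return out

# Constructed program specification (C-like), with def/use sets as a parser would produce them.
SAMPLE_PROGRAM = (
    Stmt(1, "uint8_t key[16];", defs=frozenset({"key"})),
    Stmt(2, "int mode = read_config();", defs=frozenset({"mode"})),
    Stmt(3, "uint8_t seed = read_seed();", defs=frozenset({"seed"})),
    Stmt(4, "if (mode == DEBUG) {", uses=frozenset({"mode"})),
    Stmt(5, "    derive_key(seed, key);", defs=frozenset({"key"}), uses=frozenset({"seed"}), ctrl=4),
    Stmt(7, "int tmp = counter++;", defs=frozenset({"tmp", "counter"}), uses=frozenset({"counter"})),
    Stmt(8, 'log_debug("%d", tmp);', uses=frozenset({"tmp"})),
    Stmt(9, "compute_mac(key, cmd, len, mac);", defs=frozenset({"mac"}), uses=frozenset({"key", "cmd", "len"})),
    Stmt(10, "send(mac);", uses=frozenset({"mac"})),
)
VAR_ASSETS = {"key": ("MAC key", "C")}      # correspondence 47 plus threat type 444 (constructed)

if __name__ == "__main__":
    for text in annotate(program_fragment(SAMPLE_PROGRAM, {"key"}), VAR_ASSETS):
        print(text)
```

Seeding with key keeps lines 1 to 5 and 9 and drops the unrelated counter/log statements, so a checker or model generator run on the fragment sees the key's origin, the seed it is derived from and the DEBUG branch that decides whether that derivation runs, but none of the code that cannot influence the key.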
The embodiments of the present invention have been described above; two or more of these embodiments may be combined and implemented together.
Alternatively, one of these embodiments may be implemented in part.
Alternatively, two or more of these embodiments may be partially combined and implemented.
The present invention is not limited to these embodiments, and various modifications can be made as necessary.
***Explanation of the hardware configuration***
Finally, a supplementary description of the hardware configuration of the vulnerability analysis device 10 is given.
The storage 13 stores an OS (Operating System).
At least part of the OS is loaded into the memory 12 and executed by the processor 11.
While executing at least part of the OS, the processor 11 executes the programs that implement the functions of the first reception unit 21, the variable determination unit 22, the candidate generation unit 23, the second reception unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, the vulnerability analysis unit 27 and the information asset determination unit 28 (below, units 21 to 28).
By executing the OS, the processor 11 performs task management, memory management, file management, communication control and the like.
At least one of the information, data, signal values and variable values indicating the results of the processing of units 21 to 28 is stored in at least one of the memory 12, the storage 13, and the registers and cache memory in the processor 11.
The programs that implement the functions of units 21 to 28 may be stored on a portable recording medium such as a magnetic disk, a flexible disk, an optical disc, a compact disc, a Blu-ray (registered trademark) disc or a DVD, and a portable recording medium storing the programs that implement the functions of units 21 to 28 may be distributed commercially.
The "unit" in the first reception unit 21, the variable determination unit 22, the candidate generation unit 23, the second reception unit 24, the related threat extraction unit 25, the vulnerability candidate extraction unit 26, the vulnerability analysis unit 27 and the information asset determination unit 28 may be read as "circuit", "step", "procedure" or "process".
The vulnerability analysis device 10 may also be implemented by a processing circuit. The processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array).
In this specification, the generic concept covering both the processor and the processing circuit is referred to as "processing circuitry".
That is, the processor and the processing circuit are each specific examples of "processing circuitry".
10 vulnerability analysis device, 11 processor, 12 memory, 13 storage, 14 communication interface, 21 first reception unit, 22 variable determination unit, 23 candidate generation unit, 24 second reception unit, 25 related threat extraction unit, 26 vulnerability candidate extraction unit, 27 vulnerability analysis unit, 28 information asset determination unit, 31 processing type DB, 32 threat-vulnerability type correspondence DB, 41 information asset flow, 42 program specification, 43 correspondence between components and program specifications, 44 threat analysis result, 45 program variable processing relationship, 46 information asset-variable correspondence candidate, 47 information asset-variable correspondence, 48 related threat list, 49 vulnerability type candidate, 410 vulnerability detection result.

Claims (15)

  1.  An information processing device comprising:
     a variable determination unit that determines the type of each of a plurality of variables contained in a program executed by a device; and
     a candidate generation unit that compares the type of each of the plurality of variables determined by the variable determination unit with the type of each of a plurality of information assets used by the device, and generates one or more candidates for a correspondence between each of the plurality of information assets and each of the plurality of variables.
  2.  The information processing device according to claim 1, further comprising:
     an output unit that, when a plurality of correspondence candidates are generated by the candidate generation unit, outputs the plurality of correspondence candidates.
  3.  The information processing device according to claim 1, wherein
     the variable determination unit determines whether each of the plurality of variables is an input variable, an output variable or an internally used variable, and
     the candidate generation unit generates one or more correspondence candidates by associating an input information asset, which is an information asset input to the device from outside the device, with the input variables, an output information asset, which is an information asset output from the device to the outside of the device, with the output variables, and an internally used information asset, which is an information asset used inside the device, with the internally used variables.
  4.  The information processing device according to claim 3, wherein
     the candidate generation unit acquires information asset information indicating whether each of the plurality of information assets is the input information asset, the output information asset or the internally used information asset, and associates the input information asset indicated by the information asset information with the input variables, the output information asset indicated by the information asset information with the output variables, and the internally used information asset indicated by the information asset information with the internally used variables.
  5.  The information processing device according to claim 3, further comprising:
     an information asset determination unit that determines whether each of the plurality of information assets is the input information asset, the output information asset or the internally used information asset.
  6.  The information processing device according to claim 3, wherein
     the variable determination unit determines whether the processing in which each of the plurality of variables is used is input processing, output processing or internal use processing, and determines the type of each of the plurality of variables on the basis of the determined type of processing.
  7.  The information processing device according to claim 2, wherein
     the variable determination unit analyzes the propagation relationships of variable values among the plurality of variables, and
     the output unit outputs the one or more correspondence candidates generated by the candidate generation unit together with the propagation relationships of variable values obtained by the analysis of the variable determination unit.
  8.  The information processing device according to claim 2, wherein
     the candidate generation unit, when it has generated a plurality of correspondence candidates, assigns priorities among the plurality of correspondence candidates, and
     the output unit outputs the correspondence candidates with higher priority first.
  9.  The information processing device according to claim 8, wherein
     the candidate generation unit estimates, for each of the plurality of correspondence candidates, its certainty as a correspondence candidate, and assigns the priorities among the plurality of correspondence candidates on the basis of the estimation result.
  10.  The information processing device according to claim 1, further comprising:
     a vulnerability candidate extraction unit that extracts candidates for the types of vulnerabilities present in the device on the basis of a correspondence selected from the one or more correspondence candidates; and
     a vulnerability analysis unit that performs a vulnerability analysis of the device on the basis of the vulnerability type candidates extracted by the vulnerability candidate extraction unit.
  11.  The information processing apparatus according to claim 10, wherein
     the vulnerability candidate extraction unit extracts the candidates for the type of vulnerability existing in the device by referring to an attack tree.
  12.  The information processing apparatus according to claim 10, wherein
     the vulnerability analysis unit performs the vulnerability analysis of the device by referring to at least one of the association between the plurality of information assets and the plurality of variables and a threat type.
  13.  The information processing apparatus according to claim 10, wherein
     the vulnerability analysis unit extracts from the program, as a program fragment, a portion in which a process related to the vulnerability type candidates extracted by the vulnerability candidate extraction unit is described, and performs the vulnerability analysis of the device using the extracted program fragment.
  14.  An information processing method comprising:
     determining, by a computer, the type of each of a plurality of variables included in a program executed by a device; and
     comparing, by the computer, the determined type of each of the plurality of variables with the type of each of a plurality of information assets used by the device, and generating one or more candidates for a correspondence relationship between each of the plurality of information assets and each of the plurality of variables.
  15.  An information processing program that causes a computer to execute:
     a variable determination process of determining the type of each of a plurality of variables included in a program executed by a device; and
     a candidate generation process of comparing the type of each of the plurality of variables determined by the variable determination process with the type of each of a plurality of information assets used by the device, and generating one or more candidates for a correspondence relationship between each of the plurality of information assets and each of the plurality of variables.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2018/048085 WO2020136793A1 (en) 2018-12-27 2018-12-27 Information processing device, information processing method, and information processing program
JP2019520661A JP6599053B1 (en) 2018-12-27 2018-12-27 Information processing apparatus, information processing method, and information processing program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/048085 WO2020136793A1 (en) 2018-12-27 2018-12-27 Information processing device, information processing method, and information processing program

Publications (1)

Publication Number Publication Date
WO2020136793A1 true WO2020136793A1 (en) 2020-07-02

Family

ID=68383317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/048085 WO2020136793A1 (en) 2018-12-27 2018-12-27 Information processing device, information processing method, and information processing program

Country Status (2)

Country Link
JP (1) JP6599053B1 (en)
WO (1) WO2020136793A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03161844A (en) * 1989-11-20 1991-07-11 Fujitsu Ltd Spelling correcting system
JP2011519435A (en) * 2007-10-10 2011-07-07 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Apparatus for reconfiguring a technical system based on security analysis, and corresponding technical decision support system and computer program product
JP2011165051A (en) * 2010-02-12 2011-08-25 Keihin Corp Development support device, method and program
JP2011186999A (en) * 2010-03-11 2011-09-22 Cats Kk Device for supporting conversion of floating point representation program to fixed point representation and support program thereof
JP2013171358A (en) * 2012-02-20 2013-09-02 Mitsubishi Electric Corp Control program editor device and control program editor program


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TARUI, SHO ET AL.: "Static Range Analysis for Vulnerability Detection", IEICE TECHNICAL REPORT, vol. 107, no. 175, 26 July 2007 (2007-07-26), pages 95 - 100 *

Also Published As

Publication number Publication date
JPWO2020136793A1 (en) 2021-02-15
JP6599053B1 (en) 2019-10-30

Similar Documents

Publication Publication Date Title
US8776239B2 (en) In-development vulnerability response management
US8635602B2 (en) Verification of information-flow downgraders
US8850405B2 (en) Generating sound and minimal security reports based on static analysis of a program
US8701186B2 (en) Formal analysis of the quality and conformance of information flow downgraders
JP5863973B2 (en) Program execution device and program analysis device
JP7287480B2 (en) Analysis function imparting device, analysis function imparting method and analysis function imparting program
WO2022180702A1 (en) Analysis function addition device, analysis function addition program, and analysis function addition method
JPWO2006087780A1 (en) Vulnerability audit program, vulnerability audit device, vulnerability audit method
US20190361788A1 (en) Interactive analysis of a security specification
US8650546B2 (en) Static analysis based on observed string values during execution of a computer-based software application
JP5077455B2 (en) Vulnerability audit program, vulnerability audit device, vulnerability audit method
US20230141948A1 (en) Analysis and Testing of Embedded Code
JP6632777B2 (en) Security design apparatus, security design method, and security design program
WO2023067665A1 (en) Analysis function addition method, analysis function addition device, and analysis function addition program
WO2020136793A1 (en) Information processing device, information processing method, and information processing program
WO2023067668A1 (en) Analysis function addition method, analysis function addition device, and analysis function addition program
JP6608569B1 (en) Security design apparatus, security design method, and security design program
JP7052870B2 (en) Hypothesis reasoning device, hypothesis reasoning method, and program
WO2023067667A1 (en) Analysis function imparting method, analysis function imparting device, and analysis function imparting program
WO2023067663A1 (en) Analysis function addition method, analysis function addition device, and analysis function addition program
JPWO2020261430A1 (en) Information processing equipment, information processing methods and information processing programs
JPWO2019138540A1 (en) Threat identification device, threat identification method, and threat identification program
JP7292505B1 (en) Attack scenario generation device, attack scenario generation method, and attack scenario generation program
US20190129828A1 (en) Gathering coverage metrics for static program analysis tools

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2019520661

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18945215

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18945215

Country of ref document: EP

Kind code of ref document: A1