WO2023090297A1 - Storage device and program - Google Patents

Storage device and program

Publication number
WO2023090297A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage device
command
data
predetermined
area
Application number
PCT/JP2022/042268
Other languages
French (fr)
Japanese (ja)
Inventor
貴旨 宮長
秀治 竹島
Original Assignee
Verbatim Japan株式会社
Application filed by Verbatim Japan株式会社

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/08 Digital input from, or digital output to, record carriers, from or to individual record carriers, e.g. punched card, memory card, integrated circuit [IC] card or smart card

Definitions

  • the present invention relates to storage devices.
  • SSD: Solid State Drive
  • USB: Universal Serial Bus
  • storage devices are equipped with memory controllers for controlling data writing to and reading from the memory chips.
  • Rewritable storage media such as SSDs used by general users need countermeasures against snooping on and falsification of data by third parties.
  • One such countermeasure requires the entry of authentication information, such as a password, each time the storage medium is connected to the computer.
  • However, it is troublesome to enter the password, and there is a risk that if the password is forgotten, all data will become inaccessible. That is, convenience is sacrificed for data protection.
  • the purpose of the present invention is to protect data without impairing convenience.
  • A storage device according to the present invention comprises a connection interface for exchanging information with a computer that accepts file operations from a user, a storage area, and the following memory controller.
  • Until it receives a predetermined command from the computer, the memory controller manages the reading and writing of data in the storage area so as to prohibit at least overwriting of the data stored in the storage area.
  • the memory controller prohibits rewriting until receiving the predetermined command, and permits rewriting from receiving the predetermined command until receiving a predetermined second command.
  • When the memory controller does not receive the predetermined command, it prohibits new writing of files to the storage area but permits reading of the files stored there. This allows the storage device to function as a ROM (Read Only Memory) until the predetermined command is received.
  • ROM: Read Only Memory
  • the memory controller permits recording of a new file in the storage area when the predetermined command is not received. Thereby, overwriting (rewriting) of the data stored in the storage area can be prohibited until the predetermined command is received.
  • the storage area includes a data area in which files specified by the user are stored, and a management area for storing access history to the data area. Then, the memory controller stores a log in the management area at least when the rewriting process is executed. This makes it possible to record at least that the rewriting process has been executed.
  • In response to a request from the computer, the memory controller stores in the management area illegal-disconnection information indicating that the connection with the computer was terminated after the predetermined command was received and before the predetermined second command was received. As a result, it is possible to record that the connection with the computer was illegally disconnected before the predetermined second command was received.
  • a pattern data string that is not recorded by the OS is stored in a predetermined area within the management area of the storage device.
  • OS: Operating System
  • By using the MBR (Master Boot Record) or the boot sector as the predetermined area, it is possible to detect a change in the partition assigned to the data area or a reformatting of the data area.
  • The program causes the computer to execute a step of receiving, after outputting the predetermined command, a specification of data to be written from the user, a step of writing the specified data to the storage device, and a step of outputting the predetermined second command to the storage device.
  • the user can turn off the protection of the storage area of the storage device using the predetermined command and then turn the protection on with the predetermined second command.
  • The program causes the computer to further execute: determining whether or not setting information about data rewrite prohibition is recorded in the storage device; if the setting information indicates that rewriting of data is permitted, storing prohibition information to the effect that writing to the storage device is prohibited in the management area of the storage device; and, if the prohibition information is stored in the management area, rejecting a write request from the user to the storage device.
  • When the acquired identification information is registered in advance, the program determines whether or not a data string of a predetermined pattern is stored in a predetermined area in the management area of the storage device, and rejects the user's write request to the storage device if the data string is not stored.
  • When the program, on connection to the storage device, obtains from the storage device information indicating that the connection with the computer was terminated after the predetermined command was received and before the predetermined second command was received, it outputs the predetermined second command to the storage device.
  • FIG. 1 is a diagram showing a configuration example of a computer system 1 including a storage device 10 and a personal computer 20 having a dedicated application program AP installed according to an embodiment of the present invention.
  • FIG. 2 is a flow chart showing the flow of release processing executed by the personal computer 20 according to the dedicated application program AP.
  • FIG. 3 is a flow chart showing the flow of write processing executed by the personal computer 20 according to the dedicated application program AP.
  • FIG. 4 is a diagram for explaining the operation of the storage device 10 and the personal computer 20.
  • "Personal computer" is written as "PC", and the same applies hereinafter in this specification.
  • the storage device 10 is an SSD having a function of protecting stored data, and is detachably attached to the PC 20 .
  • the storage device 10 is shipped with protection enabled. That is, when the user uses the storage device 10 for the first time after purchasing it, the protection is always effective. When the protection is valid, reading data from the storage device 10 is permitted, but writing data to the storage device 10 is prohibited. Writing data to the storage device 10 in general means rewriting data already stored in the storage device 10 , renaming data already stored in the storage device 10 , and writing new data to the storage device 10 . Data can be read from the storage device 10 even when the protection is valid. In other words, the storage device 10 with protection enabled functions as a ROM (Read Only Memory).
  • a dedicated application program AP paired with the storage device 10 is pre-installed in the PC 20 .
  • the dedicated application program AP is sold together with the storage device 10, for example.
  • This dedicated application program AP is a program for allowing the user to control ON (protection enabled)/OFF (protection released) of protection (that is, data writing) of the storage device 10 .
  • Identification information for uniquely identifying the storage device 10 is registered in the dedicated application program AP in advance, and this identification information is also stored in the storage device 10 in advance. Specific examples of this identification information include the device ID and serial number of the storage device 10 .
  • the dedicated application program AP may be executed as a resident application and kept in a running state at all times.
  • a command indicating that it is from the dedicated application program AP may be issued to the storage device 10.
  • a unique command different from the command issued from the OS may be used as the command issued from the dedicated application program AP.
  • FIG. 2 is a flowchart showing the flow of cancellation processing. As shown in FIG. 2, the release process in this embodiment includes a confirmation step SA110 and a protection OFF step SA120.
  • the PC 20 acquires identification information from the storage device 10 connected to itself.
  • PC 20 first determines whether or not the identification information acquired in confirmation step SA110 is registered in advance.
  • If the PC 20 determines that the identification information acquired in the confirmation step SA110 is registered in advance, the PC 20 outputs to the storage device 10 a protect OFF command, which is a command instructing release of the protection.
  • a protect OFF command is an example of a predetermined command in the present invention. If the PC 20 determines that the identification information acquired in the confirmation step SA110 is not pre-registered, it may handle the storage device 10 as a ROM without outputting the protect OFF command. An error message may be output to notify the user of the discrepancy in the identification information.
  • When the protection of the storage device 10 is released by executing the release processing, the PC 20 writes data to the storage device 10 by executing the write processing shown in FIG. 3. As shown in FIG. 3, the write process includes an acceptance step SB110 and a protect ON step SB120.
  • the PC 20 receives from the user the designation of data to be written.
  • The data to be written is specified, for example, via a file manager installed as standard in the OS, or via a file manager constructed independently by the dedicated application program separately from the OS's standard file manager. An example is a file operation such as dragging and dropping a file onto the storage device 10 on the application's user interface screen.
  • PC 20 writes data to storage device 10 in accordance with the specification of the data to be written received in receiving step SB110.
  • When the data writing to the storage device 10 is completed, the PC 20 outputs to the storage device 10 a command for prohibiting data writing to the storage device 10, that is, a protect ON command for enabling the protection of the storage device 10.
  • a protect ON command is an example of a second predetermined command in the present invention.
  • the storage device 10 includes a connection interface (I/F) 110, a memory chip 120, and a memory controller 130.
  • connection I/F 110 is, for example, a USB interface, for detachably attaching the storage device 10 to other electronic equipment such as the PC 20.
  • the connection I/F 110 exchanges various types of information with a connected electronic device.
  • the memory chip 120 serves as a storage area 122 for storing various data such as files.
  • the storage area 122 is divided into a data area 122a and a management area 122b.
  • Various data such as files are stored in the data area 122a.
  • the history (log) of accesses to the data area 122a is stored in the management area 122b.
  • By referring to the log, the user can grasp how the data area 122a was accessed. Note that the log may be recorded only when data already stored in the data area 122a is overwritten or renamed (that is, when the stored data is rewritten).
  • the memory controller 130 receives various commands from the connected electronic device via the connection I/F 110 .
  • Commands received by the memory controller 130 from the connected electronic device via the connection I/F 110 include commands instructing new writing of data to the memory chip 120, overwriting of already stored data, renaming of already stored data, or reading of data, as well as the aforementioned protect OFF command and protect ON command.
  • Until it receives a protect OFF command from the connected electronic device, the memory controller 130 permits reading of the data stored in the storage area 122 but manages the reading and writing of data so as to prohibit writing to the storage area 122 in general. The storage device 10 therefore functions as a ROM until the protect OFF command is received.
  • When the memory controller 130 receives the protect OFF command, it cancels the protection of the storage device 10. As a result, in addition to reading data from the storage area 122, writing to the storage area 122 in general is permitted from the time the protect OFF command is received until the protection is enabled again.
  • the memory controller 130 stores a history in the management area 122b when new data is written to the storage area 122, stored data is rewritten, or stored data is renamed.
  • Upon receipt of the protect ON command, the memory controller 130 activates the protection of the storage device 10 (that is, restores the protect ON state).
  • FIG. 4 is a sequence diagram showing an operation example of the storage device 10 and the PC 20.
  • the storage device 10 is attached to the PC 20 at time t0. At this point, protection is ON.
  • the PC 20 executes the cancellation process described above.
  • the PC 20 acquires the identification information from the storage device 10 by executing the confirmation step SA110 described above (FIG. 4: S001).
  • the PC 20 executes the protect OFF step SA120 described above.
  • the PC 20 determines whether or not the identification information obtained in confirmation step SA110 has been registered.
  • the identification information of the storage device 10 has already been registered in the dedicated application program AP of the PC 20, so the determination result of this determination is "Yes". Therefore, the PC 20 transmits a protect OFF command to the storage device 10 (FIG. 4: S002).
  • the protection of the storage device 10 is canceled.
  • the protect state of the storage device 10 is switched from ON to OFF at time t1.
  • the specification of the file is accepted at the acceptance step SB110 described above, and the file is written to the storage area 122 at the protection ON step SB120 ( FIG. 4 : S003).
  • the writing of this file is completed at time t3 (t2 < t3).
  • the protection ON command is output from the PC 20 to the storage device 10 (FIG. 4: S004).
  • When the memory controller 130 of the storage device 10 receives the protect ON command via the connection I/F 110, the protection of the storage device 10 is returned to ON.
  • S001 to S004 are executed again for subsequent writes. In this case, since the PC 20 has already acquired the identifier of the storage device 10, the process of S001 may be omitted if the PC 20 detects that the connection state of the storage device 10 is maintained.
  • The user can thus control ON/OFF of the protection of the storage device 10 by causing the PC 20 to output the protect OFF command and the protect ON command according to the dedicated application program AP.
  • When the storage device 10 is shipped, protection is ON, and writing to the memory chip 120 is prohibited until a protect OFF command is received. Also, whenever an operation such as writing to or reading from a certain file is completed, the protect ON state is always restored.
  • When the storage device 10 is attached to a computer device in which the dedicated application program AP is not installed, protection is always ON, because a protect OFF command is never received from this computer device.
  • The state in which the protection of the storage device 10 is maintained is thus guaranteed. Therefore, for example, even if ransomware is installed in the PC 20 and the ransomware accesses the memory controller 130 to write or alter data in the memory chip 120, the memory controller 130 is in a state in which it does not accept writing to the memory chip 120, so there is no fear that the data stored in the memory chip 120 will be altered or that virus software or the like will be written to it.
  • When the dedicated application program AP is installed in the PC 20, it is sufficient to perform file operations in the same way as normal file operations using a file manager or the like, and no authentication work is needed each time the storage device 10 is connected, so the user's convenience is not impaired.
  • The dedicated application program AP may check the files recorded in the storage device 10 before writing data to it, and omit the write if the file is already recorded.
  • the dedicated application program may not accept file operations such as drag-and-drop and deletion by file managers other than the file manager independently constructed by the dedicated application program.
  • The PC 20 may further confirm the current protection state of the storage device 10 in the confirmation step SA110. Specifically, when the PC 20 recognizes the storage device 10, the memory controller 130 notifies the PC 20 of the current protection state of the storage device 10: the ON state (the state in which the protect ON command was the last command received from the PC 20) or the OFF state (the state in which the last command received from the PC 20 was a read command or a write command). Information indicating the protection state may be stored as flag information in the memory controller 130 itself, or may be stored in the management area 122b and read by the memory controller 130.
  • The reason for this is that the protection should be ON except while a file is being operated on.
  • an abnormal operation may be performed during communication between the storage device 10 and the PC 20, such as a malicious person pulling out the storage device 10 from the PC 20 during a file operation, or accidentally pulling it out without malice.
  • If the storage device 10 is then not connected to a PC 20 in which the dedicated application program AP is installed, the protect ON command is never supplied to the memory controller 130, so there is a possibility that the state in which the protection is canceled (that is, in which security is not guaranteed) will persist forever.
  • Therefore, when the PC 20 detects that the storage device 10 connected to it is in the protect OFF state, the PC 20 supplies a protect ON command to the memory controller 130 to at least inhibit subsequent data writing, forcibly restoring the storage device 10 to the protect ON state.
  • the PC 20 preferably warns the user by displaying a message to the effect that the protection was turned off at the time of connection and to the effect that subsequent writing is prohibited.
  • When the dedicated application program AP accesses the history information stored in the management area 122b and reads out information indicating that an abnormal operation occurred, it displays, for example, "This storage device is unprotected. The previous connection may have terminated abnormally. Forcibly protected."
  • The PC 20 may instead supply a predetermined command to the memory controller 130 to deny all external access requests, including reading as well as writing in general. In this way, even if an unauthorized program (executable file) such as malware was stored in the storage device 10 while the protection was canceled, such a program cannot be taken out of the storage device 10 by another person, so there is no risk of it spreading to other computers.
  • The memory controller 130 stores information to that effect in the management area 122b.
  • If information indicating that the protection was forcibly returned to the ON state in the past is stored, the dedicated application program AP may choose not to accept any access to the storage device 10 until the user of the PC 20 performs a predetermined operation. The predetermined operation is, for example, inputting an administrator password.
  • When the predetermined operation is performed, the dedicated application program AP deletes the information stored in the management area 122b indicating that the protection was forcibly turned ON. As a result, the same processing as before the abnormal disconnection, including the writing of new data, can be performed on the storage device 10 thereafter.
  • While the protection is OFF, any operation from the user on the PC 20, or at least any operation relating to an access request to the storage device 10, is not accepted.
  • When the dedicated application program AP receives a write request for a certain file and enters the protect OFF state, it minimizes the operation screen (window) until the write processing ends and the protect ON state is restored, or makes the operation screen invisible, or, even if the operation screen remains visible, refuses operations as far as possible or entirely. Refusing as far as possible means, for example, not accepting operations in principle but accepting them only when a predetermined condition is met, or accepting only some of a plurality of operations.
  • the specification of the storage device 10 can be applied to any case.
  • the storage device 10 has a function of forcibly turning the protection ON state when the power supply is interrupted.
  • Specifically, the memory controller of the storage device 10 is provided with a function for detecting whether or not power is being supplied to the storage device 10, and a function for forcibly writing information indicating that the protection is ON in the storage device 10 when an interruption of the power supply is detected.
  • In addition, the protect ON state is checked when the device is connected to the PC 20, so security is doubled.
  • the storage device 10 may be forced into the protection ON state when power is supplied from a state in which no power is supplied.
  • the protect state in the above embodiment is a state in which writing to the storage area 122 is prohibited in general, and the protect OFF command is a command to release the prohibition of writing to the storage area 122 in general.
  • Two types of protect OFF command may be provided: a first command that releases the prohibition on writing new data while maintaining the prohibition on rewriting stored data, and a second command that releases the prohibition on writing to the storage area in general.
  • The memory controller 130 may then determine whether a received protect OFF command is the first command or the second command. In this case, the user can select in the dedicated application program AP which of the first command and the second command to output.
  • When the memory controller 130 receives the second command, it permits writing of data to the storage area 122 in general until it receives the protect ON command, as in the above-described embodiment. When it receives the first command, it permits reading of the data stored in the storage area 122 and writing of new data to the storage area, but prohibits rewriting of the data already stored in the storage area 122 and returns an error to the source of the command.
  • In a mode in which the prohibition of rewriting stored data is maintained even in the protect OFF state, the dedicated application program AP may be caused to output an error message when the user instructs a rewriting process.
  • In the above embodiment, the protected state is a state in which writing to the storage area is prohibited in general, but it may instead be a state in which writing of new data is permitted and rewriting of existing data (changing a file name, modifying data contents, etc.) is prohibited.
  • That is, until the memory controller 130 receives the protect OFF command, it may manage the reading and writing of data in the storage area 122 so as to permit recording of new data in the storage area 122 and reading of the data stored there, but prohibit rewriting. This is because if rewriting of stored data is prohibited, the data stored in the storage device 10 can be prevented from being altered.
  • a write-once medium is a recording medium in which new data can be written but written data cannot be rewritten.
  • The memory controller 130 may store illegal-disconnection information indicating an illegal disconnection in the management area 122b. This is because if the storage device 10 is removed from the connected electronic device before the protect ON command is received, for example during a writing process, the protection of the storage device 10 remains canceled and there is a risk that the data recorded in the storage device 10 will be altered.
  • For example, the memory controller 130 stores status information indicating "accessing" in the management area 122b at the time the protection is canceled.
  • The status information is then rewritten from "accessing" to "normally terminated" when processing such as writing to the target data is completed and the protect ON state is restored.
  • If the status information is never rewritten because the device was disconnected first, information indicating that an abnormal termination occurred therefore remains stored in the management area 122b.
  • Even if an illegal disconnection occurs, the evidence is recorded in the management area 122b of the storage device 10, and if the dedicated application program AP is used, it is possible to check the evidence and take countermeasures such as prohibiting subsequent writing.
  • The dedicated application program AP may further cause the computer device at the installation destination to execute: determining whether or not setting information regarding prohibition of data rewriting is recorded in the storage device 10; if the setting information indicates that rewriting of data is permitted, storing prohibition information for prohibiting writing to the storage device 10 in the management area 122b of the storage device 10; and, if prohibition information is stored in the management area 122b, rejecting a write request to the storage device 10 from the user.
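  The protect ON/OFF sequence (S001 to S004), the ROM behaviour toward a host without the dedicated application program, and the "accessing"/"normally terminated" status used to detect an abnormal disconnection, as an added Python simulation that is not the patent's own code. The command names, the status strings, the log format and the identification string "SN-0001" are assumptions for this example.

```python
# Added illustration (not the patent's own code): a simulation of the protect
# ON/OFF state machine described for memory controller 130 and the dedicated
# application program AP. Command names, status strings, the log format and
# the identification string are assumptions for this example.
from dataclasses import dataclass, field

PROTECT_OFF = "PROTECT_OFF"   # the "predetermined command" (release protection)
PROTECT_ON = "PROTECT_ON"     # the "predetermined second command" (restore protection)


@dataclass
class MemoryController:
    """Models memory controller 130: shipped with protect ON (ROM behaviour)."""
    device_id: str
    data_area: dict = field(default_factory=dict)          # file name -> bytes (data area 122a)
    management_area: dict = field(                          # management area 122b
        default_factory=lambda: {"log": [], "status": "idle"})
    protect_on: bool = True

    def handle(self, command: str, *args):
        """Dispatch one command from the connected host; returns a result or 'ERROR'."""
        if command == "GET_ID":
            return self.device_id
        if command == "GET_STATUS":
            return self.management_area["status"]
        if command == PROTECT_OFF:
            self.protect_on = False
            self.management_area["status"] = "accessing"    # evidence if removed early
            return "OK"
        if command == PROTECT_ON:
            self.protect_on = True
            self.management_area["status"] = "normally terminated"
            return "OK"
        if command == "READ":                               # reading is always permitted
            (name,) = args
            return self.data_area.get(name, "ERROR")
        if command in ("WRITE", "OVERWRITE", "RENAME"):
            if self.protect_on:                             # device behaves as a ROM
                self.management_area["log"].append(("rejected", command, args))
                return "ERROR"
            return self._write(command, args)
        return "ERROR"

    def _write(self, command, args):
        if command == "WRITE":
            name, data = args
            if name in self.data_area:
                return "ERROR"
            self.data_area[name] = data
        elif command == "OVERWRITE":
            name, data = args
            if name not in self.data_area:
                return "ERROR"
            self.data_area[name] = data
        else:  # RENAME
            old, new = args
            if old not in self.data_area:
                return "ERROR"
            self.data_area[new] = self.data_area.pop(old)
        self.management_area["log"].append(("done", command, args))  # access history
        return "OK"

    def power_loss(self):
        """Variant described in the text: force protect ON when power is interrupted."""
        self.protect_on = True


class DedicatedApp:
    """Models dedicated application program AP on PC 20 (release and write processing)."""

    def __init__(self, registered_ids):
        self.registered_ids = set(registered_ids)   # identification registered in advance
        self.warnings = []

    def connect(self, dev: MemoryController) -> bool:
        """Confirmation step SA110 plus the forced restore after an abnormal disconnection."""
        if dev.handle("GET_ID") not in self.registered_ids:
            return False                                # treat the device as a ROM
        if dev.handle("GET_STATUS") == "accessing":     # previous session ended abnormally
            dev.handle(PROTECT_ON)
            self.warnings.append("protection was off at connection; forcibly protected")
        return True

    def write_file(self, dev: MemoryController, name: str, data: bytes) -> str:
        """Release processing (SA120) followed by write processing (SB110/SB120)."""
        if dev.handle("GET_ID") not in self.registered_ids:
            return "ERROR"
        dev.handle(PROTECT_OFF)                         # S002
        try:
            return dev.handle("WRITE", name, data)      # S003
        finally:
            dev.handle(PROTECT_ON)                      # S004: always restore protect ON
```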
  • a pattern data string that is not recorded by the OS may be written in a predetermined area in the management area 122b.
  • a specific example of this specific area is an MBR (Master Boot Record) or a boot sector.
  • the MBR is an area indicated by the top address of the logical addresses in the storage device 10 .
  • a boot sector is the leading sector of a partition provided in the storage area 122 of the storage device 10 .
  • the memory capacity of each of the MBR and boot sector may vary depending on the type of OS, but for example it is 512 bytes.
  • When the storage area 122 in the storage device 10 is formatted by the OS, the stored contents of the MBR or boot sector are updated according to the OS. Therefore, by writing a pattern data string that the OS does not record into the MBR or boot sector when the storage device 10 is shipped, it becomes possible to detect from the stored contents of the MBR or boot sector whether or not the partition has been changed or the area has been reformatted.
  • The dedicated application program AP in this aspect determines, when the identification information acquired in the confirmation step SA110 is registered in advance, whether or not a data string of a predetermined pattern is stored in a predetermined area in the management area of the storage device, and rejects the user's write request to the storage device if the data string is not stored.
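  The MBR check in this aspect, as an added Python example that is not the patent's own code: it builds constructed 512-byte sample MBRs, verifies the factory-written pattern data string, and also compares the partition table against the layout at shipment so that both a reformat and a partition change are detected. The pattern bytes, their offset inside the sector, and the partition values are assumptions.

```python
# Added illustration (not the patent's own code): checking the MBR of storage
# device 10 for the factory-written pattern data string and for a change to the
# partition assigned to the data area. The pattern bytes, their offset and the
# sample sectors below are constructed for this example.
import struct

SECTOR_SIZE = 512
PATTERN = b"VJ-PROTECT-2022"      # assumed pattern the OS never records by itself
PATTERN_OFFSET = 0x1A0             # assumed location inside the bootstrap area
PART_TABLE_OFFSET = 446            # standard MBR partition table position
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(pattern: bytes, partitions) -> bytes:
    """Construct a sample 512-byte MBR with the pattern and the given partitions.

    partitions: list of (type_byte, lba_start, sector_count) tuples (at most four).
    """
    sector = bytearray(SECTOR_SIZE)
    sector[PATTERN_OFFSET:PATTERN_OFFSET + len(pattern)] = pattern
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        entry = struct.pack(ENTRY_FORMAT, 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(sector: bytes):
    """Return (type, lba_start, sector_count) for each used MBR partition entry."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        _status, _chs1, ptype, _chs2, start, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:
            parts.append((ptype, start, count))
    return parts


def check_device(sector: bytes, shipped_partitions) -> dict:
    """Decide whether the dedicated application should accept write requests.

    Returns a dict with 'accept_writes' and a human-readable 'reason'.
    """
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return {"accept_writes": False, "reason": "MBR missing or invalid"}
    if sector[PATTERN_OFFSET:PATTERN_OFFSET + len(PATTERN)] != PATTERN:
        return {"accept_writes": False, "reason": "pattern data string not found (reformatted?)"}
    if parse_partitions(sector) != list(shipped_partitions):
        return {"accept_writes": False, "reason": "partition layout changed"}
    return {"accept_writes": True, "reason": "ok"}
```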
  • In the above embodiment, the dedicated application program AP, which conspicuously characterizes the present invention, was pre-installed in the PC 20.
  • the dedicated application program AP may be distributed by downloading via an electric communication line, or may be distributed in a form written on a computer-readable recording medium.
  • the storage device 10 is shipped with a dedicated application program AP paired with the storage device 10 written in the data area 122a of the storage device 10, and the storage device 10 is first installed in the electronic device after shipment.
  • a step of acquiring identification information of a storage device connected to the computer; a step of outputting a command for releasing the prohibition of
  • the storage device 10 may additionally have functions other than storage.
  • the storage device 10 may be provided with an interface for connecting to a network such as a LAN, and function as a shared storage (NAS (Network Attached Storage)) accessed by a plurality of PCs. That is, the storage device 10 may be provided with a function for realizing the function of a general personal computer.
  • NAS: Network Attached Storage
  • the storage device 10A shown in FIG. Functions may be incorporated in the control unit 140 in advance.
  • the storage device 10A may be housed in the same housing as the hardware for realizing the functions of a general personal computer.
  • Input/output devices such as a keyboard and a display may be connected via, for example, the connection I/F 110, or may be connected via a communication interface for connecting to a network such as a LAN.
  • the operation when the storage device 10A is connected to another PC 20 via the connection I/F 110 is the same as the operation described using FIGS. That is, when there is a request from the other PC 20 to access the data stored in the storage device 10A, the memory controller 130 does not receive at least a write request unless it receives a protect OFF command generated by the dedicated application program AP. refuse. This prevents the data stored in the storage device 10A from being unintentionally rewritten or unintended data from being written.
  • another method of restricting write requests is to have the OS recognize the storage device 10 as a ROM device that cannot normally be written to. Only when the dedicated application program AP performs a write operation does the dedicated application program AP change the OS's recognition of the storage device 10 from a ROM device to a writable recording device, and after the write operation is completed it changes the OS's recognition of the storage device 10 back from a writable device to a ROM device. This makes it possible to reject write requests from anything other than the dedicated application program AP.
  • commands related to writing information may not be transmitted to the memory controller 130 until the protect OFF command is received.
  • the storage device 10B receives the protect OFF command
  • the memory controller 130 will not receive at least write-related commands, so that no information is written to the storage area 122.
  • the protect OFF command for the control unit 140 of the bridge board 150 used here may be the same command as the protect OFF command for the memory controller 130, but from the viewpoint of making it difficult to hack from the outside, it is preferable to use a command different from the protect OFF command for the memory controller 130.
  • until the control unit 140 of the bridge board 150 receives the password, it may transmit no commands at all to the memory controller 130, not only write commands but also read commands.
  • the bridge board 150 has a memory (not shown) in which the password is stored. This prevents the data in the storage device 10B from being rewritten or read by a user who does not know the password.
  • this password may be set in advance when the storage device 10B is shipped from the factory or the like and made known only to the purchaser of the storage device 10B, or it may be set on the storage device 10B after the fact. Also, multiple passwords may be set, one for each type of command (read command, write command, etc.) that the memory controller 130 can recognize, or only one password common to all commands may be set.
  • a log file for managing the write history is stored in advance in the management area 122b, and by referring to this log file it may be checked whether the data stored in the storage device 10 has been tampered with.
  • this log file may be created by the memory controller 130 when writing to the storage device 10 for the first time, may be stored in the management area 122b when the storage device is shipped, or may be created in response to a log file creation command received from the PC 20 when the storage device is first connected.
  • this log file describes, in association with each other, the timing (date and time) of the write, the file name of the written file, and the hash value obtained from the contents of the file using a predetermined hash function. This means that each write adds a new record to the log file.
  • the storage-area (path) information of the file name is omitted in the figure for convenience of explanation, but the file name may include the path information.
  • the hash value may be generated by the memory controller 130, or by the PC 20 on which the dedicated application program AP is installed, or by the control unit 140. In the latter cases, an instruction to update the log file, including the hash value, is supplied to the memory controller 130 together with the instruction to write the target file.
  • the PC 20 determines whether the data stored in the storage device 10 or the like has been tampered with by referring to this log file at a predetermined timing according to instructions from the memory controller 130 or the dedicated application program AP.
  • the execution timing of this determination may be based on a schedule predetermined by the memory controller 130, or may be triggered by receiving a command for executing a predetermined tampering check from the connected PC 20. In the latter case, the user may set the execution timing of the tampering check in the dedicated application program AP.
  • as specific timing settings, for example, every time the storage device 10 or the like is connected, an arbitrary timing designated by the user, or a fixed cycle (every month, etc.) can be considered.
  • the memory controller 130 first generates a hash value for each of all the files currently stored in the data area 122a using a predetermined hash function such as MD5 or SHA256. The generated set of hash values is then compared with the set of hash values described in the log file read from the management area 122b to determine whether they are the same. If they are the same (a perfect match), it is determined that no tampering has occurred. If they are not the same, it is determined that tampering is suspected. In this case, the following processing may subsequently be performed.
  • the PC 20, operating according to commands from the memory controller 130 or the dedicated application program AP, checks the consistency between the file names of all files described in the log file and all file names currently stored in the data area 122a.
  • according to instructions from the memory controller 130 or the dedicated application program AP, the PC 20 writes the result of the above determination (at least information indicating the possibility of tampering) to the management area 122b. Information indicating the determination result is provided to the PC 20 as necessary.
  • when the memory controller 130 receives a command to edit or delete the contents or file name of the log file from anything other than the dedicated application, or a log file update command supplied independently of a general file write command, unauthorized access to the log file is suspected and the command should preferably not be accepted.
  • the log file and/or the information indicating the tampering determination result may always be output to an external device having a file lock function, or, when the log file is protected, may be stored in an external device such as the storage device 10.
  • the log file and/or the tampering determination result are output to the PC 20 only when the memory controller 130 receives a predetermined command generated by the dedicated application program AP described above (that is, when connected to a PC 20 on which the AP is running).
  • the log file and/or the information indicating the tampering determination result may be given an attribute such that the dedicated application program AP can only read them and cannot rewrite them.
  • the log file may be recorded in a recording device having a function of receiving the protect ON/OFF command described above.
  • a storage device has at least a control section that supplies a command received from a computer to the memory controller when a predetermined password is received from the computer.
  • the function of updating the log file at the time of writing and the tampering determination process described above can also be provided by, for example, the dedicated application program AP. That is, the log file update and the tampering determination described above are executed based on commands supplied from the PC 20 that is connected to this general storage device and is executing the dedicated application program AP. Specifically, each time the dedicated application program AP in this aspect writes one file, it also updates, based on the file to be written, the contents of the log file whose file name is predetermined in association with the identification ID of the storage device, and stores the updated log file in a predetermined area in the storage device. Then, at a predetermined timing while this storage device is connected, the tampering determination described above is performed.
  • the hash values described in the log file stored in this storage device and all the file names currently stored in this storage device are read, and hash values are calculated based on the read file names.
  • the tampering determination is performed by comparing the two, and the detailed content of the tampering (file deletion/addition, file name change, etc.) is further identified as necessary. If the user who monitors data tampering and the user who records the data are different, the user who monitors data tampering can save the log file and use that log file to check whether the data has been tampered with.
  • the target files for tampering determination need not be the entire storage device (that is, all files stored in the storage device), but may be a preset partial storage area or folder (aggregate of files).
  • a program causes a computer connected to a storage device to execute: storing, in the storage device, a hash value generated based on the file to be written when the file is written; comparing the hash value stored in the storage device with a hash value calculated based on the file stored in the storage device; and outputting information indicating the possibility of tampering based on the result of the comparison.
  • a file is not dependent on a specific OS, another computer system, or data contents, but refers to the data structure of the minimum unit on which writing, reading, or other user operations are performed.
  • Reference Signs List: 1A, 1B ... computer system; 10, 10A, 10B ... storage device; 20 ... PC; 110 ... connection I/F; 120 ... memory chip; 122 ... storage area; 122a ... data area; 122b ... management area; 130 ... memory controller; AP ... dedicated application program
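The log-file tampering check described in the items above (one record of date/time, file name and hash per write; at check time the hashes of all files in the data area are recomputed and compared with the log, and the difference is broken down into deletions, additions, modifications and renames), written out as an added example. This is not code from the patent or from Verbatim Japan; the function names, the record layout and the sample files are assumptions made here.

```python
"""Log-file based tampering check (added example, not the product's code).
Each write appends (time, file name, hash) to a log; at check time the
hashes of all files currently present are recomputed and compared."""
import hashlib
from datetime import datetime, timezone

HASH_ALGO = "sha256"   # the page names MD5 or SHA256 as the predetermined hash


def file_hash(content: bytes) -> str:
    return hashlib.new(HASH_ALGO, content).hexdigest()


def append_log(log: list, name: str, content: bytes, when: str = None) -> dict:
    """Called alongside every write: add one record to the log file."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {"time": when, "name": name, "hash": file_hash(content)}
    log.append(record)
    return record


def expected_state(log: list) -> dict:
    """The log holds one record per write, so the latest record for each
    file name describes the content that file should have now."""
    state = {}
    for rec in log:
        state[rec["name"]] = rec["hash"]
    return state


def check_tampering(log: list, data_area: dict) -> dict:
    """Compare the hash set derived from the log with the hashes of the files
    present in the data area. A perfect match means no tampering; otherwise
    the difference is classified (deleted / added / modified / renamed)."""
    expected = expected_state(log)
    actual = {name: file_hash(c) for name, c in data_area.items()}
    if expected == actual:
        return {"tampered": False}
    deleted = sorted(set(expected) - set(actual))
    added = sorted(set(actual) - set(expected))
    modified = sorted(n for n in expected.keys() & actual.keys()
                      if expected[n] != actual[n])
    # A rename leaves the hash unchanged under a new name: pair those up.
    renamed = []
    for old in list(deleted):
        for new in list(added):
            if expected[old] == actual[new]:
                renamed.append((old, new))
                deleted.remove(old)
                added.remove(new)
                break
    return {"tampered": True, "deleted": deleted, "added": added,
            "modified": modified, "renamed": renamed}


def demo():
    # Constructed sample: three files written through the dedicated app,
    # each write also appending a log record.
    log = []
    data_area = {}
    for name, content in [("a.txt", b"alpha"), ("b.txt", b"bravo"),
                          ("c.txt", b"charlie")]:
        data_area[name] = content
        append_log(log, name, content, when="2024-01-01T00:00:00+00:00")
    clean = check_tampering(log, data_area)
    # Now change the data area behind the app's back (no log records).
    data_area["a.txt"] = b"ALPHA"                 # modified
    del data_area["b.txt"]                        # deleted
    data_area["d.txt"] = data_area.pop("c.txt")   # renamed
    data_area["e.txt"] = b"echo"                  # added
    return clean, check_tampering(log, data_area)


if __name__ == "__main__":
    print(demo())
```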

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Human Computer Interaction (AREA)
  • Software Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)

Abstract

[Problem] To protect data without impairing convenience. [Solution] Provided is a storage device 10 including a connection interface 110, a memory chip 120, and a memory controller 130. The connection interface 110 gives and receives information to and from an electronic device that accepts file operation from a user. The memory chip 120 has a storage area 122 that stores data. The memory controller 130 manages, when a command received from the electronic device as a connection destination is a command other than a protection OFF command, data reading and writing to the storage area 122 so as to prohibit, for the electronic device as the connection destination, at least overwriting of the data stored in the storage area 122.

Description

Storage device and program
The present invention relates to a storage device.
Conventionally, hard disk drives comprising a magnetic disk and a head have been used as storage devices for storing various kinds of data, but they are increasingly being replaced by storage devices using memory chips composed of a large number of minute semiconductor elements. As prior art relating to storage devices using memory chips, Patent Document 1 can be cited, for example.
Patent Document 1: JP-A-5-73433
Specific examples of storage devices (also called storage media) using memory chips include SSDs (Solid State Drives) and USB (Universal Serial Bus) memories equipped with flash memory. These storage devices carry a memory controller for controlling the writing of data to, and the reading of data from, the memory chip.
In recent years, as the need for information security has grown, countermeasures against snooping on and tampering with data by third parties are demanded even for rewritable storage media used by general users, such as SSDs. Here, one conceivable way to keep data confidential is, for example, to encrypt all of the data stored on the storage medium and to have the user enter authentication information such as a password each time the storage medium is connected to a computer. However, entering the password is troublesome, and there is the risk that, if the password is forgotten, none of the data can be accessed any more. That is, convenience is sacrificed for the protection of data.
An object of the present invention is to protect data without impairing convenience.
A storage device according to a first aspect of the present invention comprises a connection interface for exchanging information with a computer that accepts file operations from a user, and a storage area, and in addition comprises the following memory controller. When the command received from the computer is a command other than a predetermined command, this memory controller manages the reading and writing of data to and from the storage area so that, for that computer, at least overwriting of the data stored in the storage area is prohibited.
Thereby, unless the predetermined command has been received from the computer connected to the connection interface, at least overwriting of the data stored in the storage area is prohibited. Therefore, if a dedicated application program AP is used to issue the predetermined command, then even when the storage device of the first aspect is connected to a computer on which that dedicated application program AP is not installed, there is no risk that the data stored in the storage area of the storage device will be altered (at least overwritten). Also, by installing the dedicated application program AP on the computer he or she uses, the user can control turning protection of the storage area ON and OFF by means of the predetermined command.
In a preferred aspect, the memory controller prohibits rewriting until the predetermined command is received, and permits rewriting from receipt of the predetermined command until a predetermined second command is received.
Thereby, by installing the dedicated application program AP on the computer he or she uses, the user can turn protection of the storage area OFF with the predetermined command and turn that protection ON with the predetermined second command.
In a preferred aspect, when the predetermined command has not been received, the memory controller prohibits new writing of files to the storage area, while permitting reading of the files stored there.
This allows the storage device to function as a ROM (Read Only Memory) until the predetermined command is received.
In a preferred aspect, when the predetermined command has not been received, the memory controller permits the recording of new files in the storage area. Thereby, overwriting (rewriting) of the data stored in the storage area can be prohibited until the predetermined command is received.
In a preferred aspect, the storage area includes a data area in which files designated by the user are stored, and a management area for storing a history of accesses to the data area. The memory controller then stores a log in the management area at least when a rewrite process has been executed. This makes it possible to record at least that a rewrite process was executed.
In a preferred aspect, the memory controller, in response to a request from the computer, stores in the management area illegal-disconnection information indicating that the connection with the computer was released after the predetermined command was received and before the predetermined second command was received. This makes it possible to record that an illegal disconnection, in which the connection with the computer was released before the predetermined second command was received, has occurred.
In a preferred aspect, a data string of a pattern that the OS (Operating System) does not record is stored in a predetermined region within the management area of the storage device. Thereby, by making the MBR (Master Boot Record) or boot sector the predetermined region, it becomes possible to detect a change to the partition assigned to the data area or a reformatting of the data area.
From another viewpoint, the present invention provides a program for causing a computer to execute a step of acquiring identification information of a storage device connected to that computer, and a step of outputting, to that storage device, a predetermined command that releases the prohibition on writing when the acquired identification information is information registered in advance.
According to this program, even if a command instructing reading or writing of the data stored in the storage area is received from the computer connected to the connection interface, at least overwriting of the data stored in the storage area can be prohibited unless the predetermined command has been received prior to that command.
In a preferred aspect, the program further causes the computer to execute a step of accepting from the user, after output of the predetermined command, the designation of data to be written, and a step of outputting to the storage device, when writing of that data is complete, a second predetermined command that prohibits writing. Thereby, the user can turn protection of the storage area of the storage device OFF using the predetermined command and then turn that protection ON with the predetermined second command.
In a preferred aspect, the program further causes the computer to execute a step of determining, when the acquired identification information is information registered in advance, whether setting information concerning the prohibition of data rewriting is recorded in the storage device and, when that setting information indicates that rewriting of data is permitted, storing in the management area of the storage device prohibition information to the effect that writing to the storage device is prohibited; and a step of rejecting a write request from the user to the storage device when the prohibition information is stored in the management area.
In a preferred aspect, the program further causes the computer to execute a step of determining, when the acquired identification information is information registered in advance, whether a data string of a predetermined pattern is stored in a predetermined region in the management area of the storage device, and a step of rejecting the user's write request to the storage device when that data string is not stored.
In a preferred aspect, when the program, upon connection to the storage device, acquires from the storage device information indicating that the connection with the computer was released after the predetermined command was received and before the predetermined second command was received, it outputs the second predetermined command to the storage device.
FIG. 1 is a diagram showing a configuration example of a computer system 1 including a storage device 10 according to an embodiment of the present invention and a personal computer 20 on which a dedicated application program AP has been installed.
FIG. 2 is a flowchart showing the flow of release processing executed by the personal computer 20 according to the dedicated application program AP.
FIG. 3 is a flowchart showing the flow of write processing executed by the personal computer 20 according to the dedicated application program AP.
FIG. 4 is a diagram for explaining the operation in this embodiment.
FIG. 5 is a diagram showing a configuration example of a computer system 1A according to a modification.
FIG. 6 is a diagram showing a configuration example of a computer system 1B according to a modification.
FIG. 7 is a diagram showing a configuration example of a log file according to a modification.
Various technically preferable limitations are attached to each of the embodiments described below. However, embodiments of the present invention are not limited to the forms described below.
A. Embodiment
FIG. 1 is a diagram showing a configuration example of a computer system 1 including a storage device 10 according to an embodiment of the present invention and a personal computer 20 on which a dedicated application program AP has been installed. In FIG. 1, "personal computer" is written as "PC", and the same applies hereinafter in this specification. The storage device 10 is an SSD having a function of protecting stored data, and is detachably attached to the PC 20.
The storage device 10 is shipped with protection set to the enabled state. That is, when the user purchases the storage device 10 and uses it for the first time, protection is always enabled. While protection is enabled, reading data from the storage device 10 is permitted, whereas writing of data to the storage device 10 in general is prohibited. Writing of data to the storage device 10 in general means rewriting data already stored in the storage device 10, renaming data already stored in the storage device 10, and writing new data to the storage device 10. Even while protection is enabled, data can be read from the storage device 10. In other words, the storage device 10 with protection enabled functions as a ROM (Read Only Memory).
A dedicated application program AP paired with the storage device 10 is installed on the PC 20 in advance. The dedicated application program AP is sold, for example, as a set with the storage device 10. The installation is carried out, for example, by the user who purchased the storage device 10, on the PC 20 to which the user wishes to connect and use the storage device 10 (on all of them, if there are several such PCs 20). This dedicated application program AP is a program for letting the user control the ON (protection enabled)/OFF (protection released) state of the protection of the storage device 10 (that is, of data writing). Identification information that uniquely identifies the storage device 10 is registered in the dedicated application program AP in advance, and this identification information is also stored in the storage device 10 in advance. Specific examples of this identification information are the device ID and serial number of the storage device 10. On the PC 20, the dedicated application program AP may be run as a resident application and kept in the running state at all times.
Furthermore, commands from the dedicated application program AP may be distinguished from commands from elsewhere, so that the storage device 10 responds only to commands from a PC 20 on which the dedicated application program AP is running. This makes it possible not to accept commands issued maliciously to the storage device 10 by a cyberattack or the like. To realize this, a command indicating that the following command comes from the dedicated application program AP may be issued to the storage device 10 prior to the command issued from the dedicated application program AP to the storage device 10. Alternatively, unique commands different from the commands issued by the OS may be used as the commands issued from the dedicated application program AP.
The PC 20 running the dedicated application program AP as an application executes release processing, which releases the protection of the storage device 10, triggered by an instruction to write data to the storage device 10.
FIG. 2 is a flowchart showing the flow of the release processing. As shown in FIG. 2, the release processing in this embodiment includes a confirmation step SA110 and a protect OFF step SA120.
In the confirmation step SA110, the PC 20 acquires identification information from the storage device 10 connected to it. In the protect OFF step SA120, the PC 20 first determines whether the identification information acquired in the confirmation step SA110 is information registered in advance.
Next, when the PC 20 determines that the identification information acquired in the confirmation step SA110 is registered in advance, it outputs to the storage device 10 a protect OFF command, which is a command (instruction) instructing release of the protection. The protect OFF command is an example of the predetermined command in the present invention. When the PC 20 determines that the identification information acquired in the confirmation step SA110 is not registered in advance, it may treat the storage device 10 as a ROM without outputting the protect OFF command, and it may also output an error message notifying the user of the mismatch in identification information.
When the protection of the storage device 10 has been released by executing the release processing, the PC 20 writes data to the storage device 10 by executing the write processing shown in FIG. 3. As shown in FIG. 3, the write processing includes an acceptance step SB110 and a protect ON step SB120.
In the acceptance step SB110, the PC 20 accepts from the user the designation of the data to be written. A specific example of designating the data to be written is a file operation such as dragging and dropping a file onto the storage device 10 in the user interface screen of a file management application, such as the file manager that comes standard with the OS or a file manager built independently by the dedicated application program separately from the OS's standard file manager. In the protect ON step SB120, the PC 20 writes data to the storage device 10 in accordance with the designation of the data to be written accepted in the acceptance step SB110. When the writing of data to the storage device 10 is complete, the PC 20 outputs to the storage device 10 a command for prohibiting the writing of data to the storage device 10, that is, a protect ON command that enables the protection of the storage device 10. The protect ON command is an example of the second predetermined command in the present invention.
Next, the configuration of the storage device 10 will be described with reference to FIG. 1.
As shown in FIG. 1, the storage device 10 includes a connection interface (I/F) 110, a memory chip 120, and a memory controller 130.
 接続I/F110は、例えばUSBインタフェースであり、記憶装置10をPC20等の他の電子機器に着脱自在に装着するためのものである。接続I/F110は、接続先の電子機器との間で各種情報の授受を行う。 The connection I/F 110 is, for example, a USB interface, for detachably attaching the storage device 10 to other electronic equipment such as the PC 20. The connection I/F 110 exchanges various types of information with a connected electronic device.
 メモリチップ120は、ファイル等の各種データを記憶するための記憶領域122の役割を果たす。記憶領域122は、データ領域122aと管理領域122bとに区分けされる。データ領域122aには、ファイル等の各種データが記憶される。管理領域122bには、データ領域122aへのアクセスの履歴(ログ)が記憶される。データ領域122aに記憶される履歴を参照することで、データ領域122aに対してどのようなアクセスが為されたかをユーザは把握することができる。なお、ログの記録は、データ領域122aに記憶済のデータの上書き又は名称変更(即ち、記憶済のデータの書き換え処理)が行われた場合にのみ記録されてもよい。 The memory chip 120 serves as a storage area 122 for storing various data such as files. The storage area 122 is divided into a data area 122a and a management area 122b. Various data such as files are stored in the data area 122a. The history (log) of accesses to the data area 122a is stored in the management area 122b. By referring to the history stored in the data area 122a, the user can grasp how the data area 122a was accessed. Note that the log may be recorded only when the data already stored in the data area 122a is overwritten or the name is changed (that is, the process of rewriting the stored data).
The memory controller 130 receives various commands from the connected electronic device via the connection I/F 110. Examples of the commands that the memory controller 130 receives from the connected electronic device via the connection I/F 110 include commands instructing new writing of data to the memory chip 120, overwriting of stored data, renaming of stored data, or reading of data, as well as the protect OFF command and the protect ON command described above.
If a command received from the connected electronic device while the protection of the storage device 10 is enabled is any command other than the protect OFF command, the memory controller 130 manages the reading and writing of data in the storage area 122 so that reading of the data stored in the storage area 122 is permitted while writing to the storage area 122 in general is prohibited. This is so that the storage device 10 functions as a ROM until a protect OFF command is received from the connected electronic device.
When the memory controller 130 receives the protect OFF command, it cancels the protection of the storage device 10. As a result, from the time the protect OFF command is received until the protection is enabled again, writing to the storage area 122 in general is permitted in addition to reading of data from the storage area 122. When new data is written to the storage area 122, stored data is rewritten, or stored data is renamed, the memory controller 130 stores a history entry in the management area 122b. Then, triggered by receipt of the protect ON command, the memory controller 130 enables the protection of the storage device 10 (that is, returns it to the protect ON state).
FIG. 4 is a sequence diagram showing an operation example of the storage device 10 and the PC 20.
At time t0 the storage device 10 is attached to the PC 20. At this point the device is in the protect ON state. Next, when a file is dragged and dropped onto the storage device 10 using a file management application such as a file manager, the PC 20 executes the cancellation process described above. The PC 20 acquires the identification information from the storage device 10 by executing the confirmation step SA110 described above (FIG. 4: S001). The PC 20 then executes the protect OFF step SA120 described above. As described above, the PC 20 determines whether the identification information acquired in confirmation step SA110 has been registered.
In this operation example, the identification information of the storage device 10 has already been registered in the dedicated application program AP of the PC 20, so the result of this determination is "Yes". The PC 20 therefore transmits a protect OFF command to the storage device 10 (FIG. 4: S002).
When the memory controller 130 of the storage device 10 receives the protect OFF command via the connection I/F 110, it cancels the protection of the storage device 10. As shown in FIG. 4, when the memory controller 130 receives the protect OFF command at time t1 (t0 < t1), the protect state of the storage device 10 is switched from ON to OFF at time t1.
Suppose that at time t2 (t1 < t2) the designation of the file is received in receiving step SB110 described above, the file is written to the storage area 122 in protect ON step SB120 described above (FIG. 4: S003), and the writing of this file is completed at time t3 (t2 < t3). Then, at time t3, a protect ON command is output from the PC 20 to the storage device 10 (FIG. 4: S004). When the memory controller 130 of the storage device 10 receives this protect ON command via the connection I/F 110, it returns the protection of the storage device 10 to ON.
After this, when the user performs another file operation on the PC 20, S001 to S004 are executed again. In this case, since the PC 20 has already acquired the identifier of the storage device 10, the processing of S001 may be omitted if the PC 20 has detected that the connection with the storage device 10 has been maintained.
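The following is an added example, not code from the patent or from Verbatim Japan: an executable model of the memory controller 130 policy described above (reads always permitted, all writes rejected while protected, a log entry in the management area 122b for every accepted write) together with the S001 to S004 exchange of FIG. 4 driven by the dedicated application program AP. It goes beyond the base embodiment by also modelling the first/second protect OFF command variant from the "Other Embodiments" section, in which the first command releases only new writes. The command names, the registry of identification information, the in-memory "storage area" and the serial numbers are assumptions of the model.

```python
"""Model of the protect ON/OFF scheme between storage device 10 and PC 20.

Added example, not the patent's code. Command names, the registered-ID set and
the dictionary used as the storage area are assumptions made for this model.
"""
from dataclasses import dataclass, field

# Commands carried over the connection I/F 110 (names are assumptions).
PROTECT_ON = "PROTECT_ON"
PROTECT_OFF_SECOND = "PROTECT_OFF_SECOND"  # base embodiment: releases all writes
PROTECT_OFF_FIRST = "PROTECT_OFF_FIRST"    # variant: new writes only, rewrites stay prohibited
READ, WRITE_NEW, OVERWRITE, RENAME = "READ", "WRITE_NEW", "OVERWRITE", "RENAME"

REWRITE_OPS = {OVERWRITE, RENAME}
WRITE_OPS = {WRITE_NEW} | REWRITE_OPS


@dataclass
class StorageDevice:
    """Memory chip 120 (data area 122a + management area 122b) and controller 130."""
    device_id: str
    data: dict = field(default_factory=dict)      # data area 122a
    history: list = field(default_factory=list)   # management area 122b (access log)
    mode: str = PROTECT_ON                        # shipped with protection ON

    def handle(self, cmd, name=None, payload=None, new_name=None):
        """Memory controller 130: apply the policy of the current mode, return (ok, result)."""
        if cmd in (PROTECT_OFF_FIRST, PROTECT_OFF_SECOND, PROTECT_ON):
            self.mode = cmd
            return True, self.mode
        if cmd == READ:                           # reads are permitted in every mode
            return (name in self.data), self.data.get(name)
        if cmd not in WRITE_OPS:
            return False, "unknown command"
        if self.mode == PROTECT_ON:               # device behaves as a ROM
            return False, "write rejected: protect ON"
        if self.mode == PROTECT_OFF_FIRST and cmd in REWRITE_OPS:
            return False, "rewrite rejected: first command keeps rewrite prohibition"
        if cmd == WRITE_NEW:
            if name in self.data:                 # a new write must not touch stored data
                return False, "exists"
            self.data[name] = payload
        elif cmd == OVERWRITE:
            if name not in self.data:
                return False, "missing"
            self.data[name] = payload
        else:  # RENAME
            if name not in self.data or new_name in self.data:
                return False, "rename failed"
            self.data[new_name] = self.data.pop(name)
        self.history.append((cmd, name))          # log entry for every accepted write
        return True, name


class DedicatedApp:
    """Dedicated application program AP on PC 20 (steps SA110, SA120, SB110, SB120)."""

    def __init__(self, registered_ids):
        self.registered = set(registered_ids)     # identification info registered in AP

    def write_file(self, dev, name, payload, off_cmd=PROTECT_OFF_SECOND):
        """Runs S001..S004 of FIG. 4 for one file; returns (ok, device mode afterwards)."""
        if dev.device_id not in self.registered:  # S001/SA120: unregistered -> no protect OFF
            return False, dev.mode
        dev.handle(off_cmd)                       # S002: protect OFF (t1)
        exists, _ = dev.handle(READ, name)        # check whether the file is already recorded
        op = OVERWRITE if exists else WRITE_NEW
        try:
            ok, _ = dev.handle(op, name, payload)  # S003: write (t2..t3)
        finally:
            dev.handle(PROTECT_ON)                # S004: always return to protect ON (t3)
        return ok, dev.mode


if __name__ == "__main__":
    dev = StorageDevice("SN-0001")                # constructed serial number
    app = DedicatedApp(["SN-0001"])
    print(app.write_file(dev, "a.txt", b"hello"), dev.history)
    print(dev.handle(WRITE_NEW, "b.txt", b"x"))   # rejected: protect ON again
```

Note that `write_file` re-arms protection in a `finally` clause, so the device returns to the protect ON state even when the write itself fails; an AP that lacks the device's identification information never issues the protect OFF command at all, which is the property the passage relies on for computers without the dedicated application program.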
As described above, according to this embodiment, the user can control the ON/OFF of the protection of the storage device 10 by having the PC 20 output the protect OFF command and the protect ON command in accordance with the dedicated application program AP. At the time the storage device 10 is shipped, its protection is in the ON state, and writing to the memory chip 120 is prohibited until a protect OFF command is received. Furthermore, whenever an operation such as writing to or reading from a file is completed, the device always returns to the protect ON state.
Therefore, for example, when the storage device 10 is attached to a computer device on which the dedicated application program AP is not installed, the protection is necessarily in the ON state, and since no protect OFF command is ever received from that computer device, it is guaranteed that the protection of the storage device 10 remains maintained. Likewise, even if, for example, ransomware is installed on the PC 20 and that ransomware accesses the memory controller 130 in order to write to or alter data in the memory chip 120, the memory controller 130 is in a state in which it does not accept writes to the memory chip 120, so there is no risk that the data stored in the memory chip 120 will be altered or that virus software or the like will be written to it.
In addition, once the dedicated application program AP has been installed on the PC 20, the user only needs to perform file operations in the same way as ordinary file operations using a file manager or the like; no authentication work is required each time the storage device 10 is connected, so the user's convenience is not impaired.
As a method of prohibiting the rewriting of data in the storage device 10, the dedicated application program AP may, prior to writing data to the storage device 10, check the files recorded in the storage device 10 and refrain from writing if the file in question has already been recorded.
Furthermore, in order to strengthen the response to cyber-attacks, it is also effective to support only drag-and-drop of files by the file manager built independently by the dedicated application program. To this end, the dedicated application program may be configured not to accept file operations such as drag-and-drop and deletion from any file manager other than the file manager built independently by the dedicated application program.
B. Other Embodiments
In confirmation step SA110, the PC 20 may further confirm the current protect state of the storage device 10. Specifically, when the PC 20 recognizes the storage device 10, it requests the memory controller 130 to return whether the storage device 10 is currently in the ON state (the state in which the last command received from the PC 20 was a protect ON command) or the OFF state (the state in which the last command received from the PC 20 was a read command or a write command). The information indicating the protect state may be held by the memory controller 130 itself as flag information, or may be stored in the management area 122b and read out by the memory controller 130.
Here, as described above, if the device is operating normally it should be in the protect ON state at all times except during a file operation, so it should necessarily be in the protect ON state at the moment the storage device 10 is connected to the PC 20. However, if an abnormal operation occurs during communication between the storage device 10 and the PC 20, for example a malicious person pulling the storage device 10 out of the PC 20 in the middle of a file operation, or someone pulling it out by mistake with no malicious intent, the memory controller 130 will never be supplied with a protect ON signal unless the device is connected to a PC 20 on which the dedicated application program AP is installed, so the state in which the protection is cancelled (that is, a state in which security may not be guaranteed) would persist indefinitely.
Therefore, when the PC 20 detects that the storage device 10 connected to it is in the protect OFF state, the PC 20 supplies, for example, a protect ON command to the memory controller 130 so as to prohibit at least subsequent writing of data, and forcibly returns the storage device 10 to the protect ON state.
In addition, the PC 20 preferably alerts the user by displaying a message to the effect that the device was in the protect OFF state at the time of connection and that subsequent writing is prohibited. Specifically, when the dedicated application program AP accesses the history information stored in the management area 122b and reads out that information indicating the occurrence of an abnormal operation is stored there, it displays a message such as "This storage device is unprotected. The previous connection may have terminated abnormally. Protection has been forcibly applied."
Note that since the data may have been tampered with while the device was unprotected, it can also be considered that the reliability of the data in this storage device 10 is no longer guaranteed. From this point of view, the PC 20 may supply a predetermined command to the memory controller 130 to make it refuse all access requests from outside, including reads in addition to writes in general. In this way, even if an unauthorized program (executable file) such as malware was stored in the storage device 10 while the above protection was cancelled, there is no risk of such a program spreading from the storage device 10 to other computers.
Specifically, when the storage device 10 is forcibly returned to the protect ON state upon connection to the PC 20, the memory controller 130 records that fact in the management area 122b. As long as information indicating that the device was forcibly returned to the protect ON state in the past is stored in this way, the dedicated application program AP may refuse all access to the storage device 10 unless a predetermined operation is performed by the user of the PC 20. The predetermined operation is, for example, entry of an administrator password.
This makes it possible to render a storage device 10 whose data may have been tampered with practically unusable. When the predetermined operation is performed, the dedicated application program AP deletes the information stored in the management area 122b indicating that the device was forcibly set to the protect ON state. Thereafter, the same processing as before the abnormal disconnection, including the writing of new data, can again be performed on the storage device 10.
Apart from the case of an abnormal disconnection as described above, even while reading and writing are proceeding normally, the possibility of unauthorized access to the storage device 10 cannot be completely excluded, since the device is in the protect OFF state during that period. For example, when the file to be written is large, the write takes a long time, and the period during which the device is in the protect OFF state is correspondingly long. During this period, a user with illicit intent could operate the PC 20 to request writing, deletion, or renaming of other files in the storage device 10, with the result that data is tampered with.
Accordingly, while the storage device 10 is in the protect OFF state for reading or writing a file designated by the user, the PC 20 may refuse all operations from the user, or at least operations relating to access requests to the storage device 10. Specifically, when the dedicated application program AP receives a write request for a file and enters the protect OFF state, it may, until the write processing finishes and the protect ON state is restored, minimize its operation screen (window) or otherwise hide it from view, or keep the operation screen visible but accept as few operations as possible, or accept none at all. Accepting as few operations as possible means, for example, refusing operations in principle but accepting them only when a predetermined condition is satisfied, or accepting only some of a plurality of operations. In short, while the storage device 10 is in the protect OFF state for reading or writing a file designated by the user, the restrictions on operations are increased, or the conditions for performing operations are made stricter, compared with the protect ON state.
Note that, depending on their specifications, semiconductor storage devices in general such as SSDs behave differently when the power supply is cut off: some are forcibly set to the protect ON state, while others retain the protect state that was in effect immediately before the power supply was cut off. The above aspect, however, can be applied whichever of these specifications the storage device 10 has.
That said, the storage device 10 preferably has a function of forcibly entering the protect ON state when the power supply is cut off. Specifically, the memory controller of the storage device 10 is provided with a function of detecting whether power is being supplied to the storage device 10, and, upon detecting that power is no longer being supplied after having been supplied, forcibly writes information indicating the protect ON state into the storage device 10. In this case, even if such a function specific to the storage device 10 should fail to operate because of an abnormal operation, the protect ON state is checked when the device is connected to the PC 20, so security is doubly guaranteed. Alternatively, the storage device 10 may be forcibly set to the protect ON state when power is supplied after a state in which no power was supplied.
In the above embodiment, the protect state is a state in which writing to the storage area 122 in general is prohibited, and the protect OFF command is a command that releases the prohibition on writing to the storage area 122 in general. However, two types of protect OFF command may be provided: a first command that releases the prohibition on writing new data while maintaining the prohibition on rewriting stored data, and a second command that releases the prohibition on writing to the storage area in general; the memory controller 130 may then determine whether a received protect OFF command is the first command or the second command. In this case, the dedicated application program AP may let the user select which of the first command and the second command is to be output.
Further, when the memory controller 130 receives the second command, it permits writing of data to the storage area 122 in general until it receives the protect ON command, as in the above embodiment; when it receives the first command, it permits reading of the data stored in the storage area 122 and writing of new data to the storage area, but prohibits rewriting of data already stored in the storage area 122 and returns an error to the issuer of the command. In a mode in which the prohibition on rewriting stored data is maintained even in the protect OFF state, the dedicated application program AP may be made to output an error message when the user instructs a rewrite.
In the above embodiment the protect state is a state in which writing to the storage area in general is prohibited, but it may instead be a state in which writing of new data is permitted and rewriting of existing data (changing a file name, modifying the contents of data, and so on) is prohibited. In this case, as long as it has not received a protect OFF command, the memory controller 130 manages the reading and writing of data in the storage area 122 so that recording new data in the storage area 122 and reading the data stored in the storage area 122 are permitted, while rewriting of stored data is prohibited. This is because, as long as rewriting of stored data is prohibited, alteration of the data stored in the storage device 10 can be prevented.
According to this example, a storage device 10 connected to an electronic device that does not have the dedicated application program AP can be made to function as a write-once medium. A write-once medium is a recording medium to which new data can be written but on which data already written cannot be rewritten.
Furthermore, if the connection with the connected electronic device is broken after the memory controller 130 has received a protect OFF command and before it receives a protect ON command, the memory controller 130 may store in the management area 122b improper-disconnection information indicating that the connection was improperly broken. This is because if the storage device 10 is removed from the connected electronic device before a protect ON command is received, for example in the middle of a write, the protection of the storage device 10 remains cancelled and there is a risk that the data recorded in the storage device 10 will be altered.
Instead of improper-disconnection information that explicitly indicates that the connection was improperly broken, the memory controller 130 may write status information indicating "accessing" to the management area 122b at the time the protection is cancelled, and rewrite that status information from "accessing" to information indicating "normal termination" when the processing on the target data, such as writing, finishes and the protect ON state is restored. In short, it suffices that, when the storage device 10 is reconnected to the PC 20, information indicating that an abnormal termination occurred is stored in the management area 122b.
According to this example, when the storage device 10 is removed from the connected electronic device before a protect ON command is received, evidence of this is recorded in the management area 122b of the storage device 10, so the dedicated application program AP can check that evidence and take countermeasures such as prohibiting subsequent writing.
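As an added example (not the patent's code), the reconnection check described in the passages above on forced protect ON, the administrator-password "predetermined operation", and the "accessing"/"normal termination" status in the management area 122b can be modelled as follows. The field names in the management area, the constructed administrator password, the SHA-256 comparison and the message text are assumptions; the patent only states that a marker is kept and that the predetermined operation clears it.

```python
"""Reconnection check for an abnormal disconnection (added example, not the patent's code).

Assumptions: the management area 122b is a dict, the status values are the two
strings the page names, and the predetermined operation is an administrator
password checked against a constructed SHA-256 digest.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

ACCESSING = "accessing"            # written by controller 130 when protection is cancelled
NORMAL_END = "normal termination"  # written when the protect ON state is restored
FORCED_KEY = "forced_protect_on"   # marker: device was forcibly re-protected on connect

# Constructed administrator credential for the predetermined operation (assumption).
_ADMIN_PW_HASH = hashlib.sha256(b"example-admin-password").hexdigest()

WARNING = ("This storage device is unprotected. The previous connection may have "
           "terminated abnormally. Protection has been forcibly applied.")


@dataclass
class Device:
    protect_on: bool = True                     # shipped in the protect ON state
    mgmt: dict = field(default_factory=dict)    # management area 122b


def begin_access(dev):
    """Protect OFF received: controller 130 records 'accessing' in 122b."""
    dev.protect_on = False
    dev.mgmt["status"] = ACCESSING


def end_access(dev):
    """Protect ON received: controller 130 records normal termination."""
    dev.protect_on = True
    dev.mgmt["status"] = NORMAL_END


def on_connect(dev):
    """Confirmation step SA110 extended with the protect-state check.

    Returns the warning message for the user, or None when the device was left
    in a clean state by the previous connection."""
    abnormal = (not dev.protect_on) or dev.mgmt.get("status") == ACCESSING
    if not abnormal:
        return None
    dev.protect_on = True                # forcibly restore protect ON
    dev.mgmt["status"] = NORMAL_END
    dev.mgmt[FORCED_KEY] = True          # evidence kept until the predetermined operation
    return WARNING


def access_allowed(dev):
    """The AP refuses all access while the forced-protect marker is present."""
    return not dev.mgmt.get(FORCED_KEY, False)


def clear_forced_protect(dev, password):
    """Predetermined operation (administrator password) deletes the marker."""
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, _ADMIN_PW_HASH):
        return False
    dev.mgmt.pop(FORCED_KEY, None)
    return True


if __name__ == "__main__":
    d = Device()
    begin_access(d)                      # write starts, then the device is pulled out
    print(on_connect(d))                 # next connection: warning, protect forced ON
    print(access_allowed(d))             # False until the administrator clears it
```

The status field makes the check independent of how the device reports its protect flag: a device that forcibly re-protects itself on power loss still shows "accessing" on reconnection, so the abnormal termination is not masked.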
The dedicated application program AP in this aspect may further cause the computer device on which it is installed to execute: a step of determining, when the identification information acquired in confirmation step SA110 is one that was registered in advance, whether setting information concerning the prohibition of data rewriting is recorded in the storage device 10, and, when that setting information indicates that rewriting of data is permitted, storing prohibition information indicating that writing to the storage device 10 is prohibited in the management area 122b of the storage device 10; and a step of rejecting a write request from the user to the storage device 10 when prohibition information is stored in the management area 122b.
At the time of shipment of the storage device 10, a data string of a pattern that no OS records may be written into a predetermined area within the management area 122b. Specific examples of this particular area are the MBR (Master Boot Record) and the boot sector. The MBR is the area indicated by the first of the logical addresses in the storage device 10. The boot sector is the first sector of a partition provided in the storage area 122 of the storage device 10. The storage capacity of each of the MBR and the boot sector may differ depending on the type of OS, but is 512 bytes, to give one example. When the partitions in the storage device 10 are changed by an OS, the contents of the MBR are changed according to that OS.
Likewise, when the storage area 122 in the storage device 10 is formatted by an OS, the contents of the boot sector are updated according to that OS. Therefore, by writing into the MBR or boot sector at shipment a data string of a pattern that no OS records, it becomes possible to detect from the contents of the MBR or boot sector whether the partitions have been changed or the device has been reformatted.
The dedicated application program AP in this aspect may further cause the computer to execute a step of determining, when the identification information acquired in confirmation step SA110 is one that was registered in advance, whether a data string of a predetermined pattern is stored in the predetermined area within the management area of the storage device, and a step of rejecting the user's write request to the storage device when that data string is not stored.
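The following is an added example, not code from the patent, of the predetermined-area check just described: the AP reads the 512-byte MBR or boot sector, compares it with the pattern written at shipment, and rejects write requests when the pattern is gone. The pattern itself (a sector filled with 0xA5), the constructed OS-like MBR image used as a negative case, the classification labels and the serial numbers are assumptions; the 0x55 0xAA boot signature at offset 510 is the standard marker an OS places in a sector it has written.

```python
"""Predetermined-area (MBR / boot sector) pattern check (added example, not the patent's code).

Assumptions: the shipped pattern is 0xA5 repeated over a 512-byte sector; the
sample sectors below are constructed for the example.
"""
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # placed at offset 510 by an OS that writes an MBR/boot sector

# Pattern written at shipment: no boot signature, no partition table, no code (assumption).
SHIPPED_PATTERN = bytes([0xA5]) * SECTOR_SIZE


def classify_predetermined_area(sector: bytes) -> str:
    """Classify the sector read from the predetermined area.

    'intact'     - shipped pattern still present, nothing repartitioned or reformatted
    'os-written' - an OS has written a boot signature: partition change or reformat
    'modified'   - pattern gone but no OS signature: some other overwrite
    'bad-size'   - not a full sector (read error or wrong area)
    """
    if len(sector) != SECTOR_SIZE:
        return "bad-size"
    if sector == SHIPPED_PATTERN:
        return "intact"
    if sector[510:512] == BOOT_SIGNATURE:
        return "os-written"
    return "modified"


def write_request_allowed(sector: bytes, device_id: str, registered_ids) -> bool:
    """Gate of the AP: registered identification info AND intact pattern required."""
    if device_id not in registered_ids:       # confirmation step SA110 fails
        return False
    return classify_predetermined_area(sector) == "intact"


def make_os_like_mbr() -> bytes:
    """Constructed MBR image: zeroed bootstrap area, one partition entry, boot signature."""
    mbr = bytearray(SECTOR_SIZE)
    entry = bytes([0x80, 0, 0, 0, 0x0C]) + bytes(11)   # bootable FAT32 (LBA) entry, fields zeroed
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    ids = {"SN-0001"}                                   # constructed registered serial
    print(classify_predetermined_area(SHIPPED_PATTERN))   # intact
    print(classify_predetermined_area(make_os_like_mbr()))  # os-written
    print(write_request_allowed(make_os_like_mbr(), "SN-0001", ids))  # False
```

Comparing against the full shipped pattern, rather than only checking for the absence of the boot signature, also catches overwrites that do not come from an OS, which is why the check returns a separate "modified" class; the AP treats anything other than "intact" as grounds to reject writes.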
In the above embodiment, the dedicated application program AP, which prominently exhibits the features of the present invention, was installed in the PC 20 in advance. However, the dedicated application program AP may be distributed by download over a telecommunication line, or in a form written on a computer-readable recording medium. A specific example of the latter is a mode in which the storage device 10 is shipped with the dedicated application program AP paired with it written in its data area 122a, and when the storage device 10 is first connected to an electronic device after shipment, the dedicated application program AP is output from the storage device 10 to that electronic device and installed there.
In short, in the system of the present invention, it suffices that a step of acquiring the identification information of a storage device connected to the computer, and a step of outputting to that storage device, when the acquired identification information is one that was registered in advance, a command for releasing the prohibition on write processing, are executed.
The storage device 10 may additionally have functions other than storage. For example, the storage device 10 may be provided with an interface for connecting to a network such as a LAN and made to function as shared storage (NAS, Network Attached Storage) accessed from a plurality of PCs. That is, the storage device 10 may be provided with functions for realizing the functions of a general personal computer.
Specifically, like the storage device 10A shown in FIG. 5, it may have a control unit 140 consisting of one or more general-purpose or dedicated processors for realizing the functions of a general personal computer, and the functions of the dedicated application program AP may be built into the control unit 140 in advance. In this case, as shown in FIG. 5, the storage device 10A may be housed in the same enclosure as the hardware for realizing the functions of a general personal computer. Input/output devices such as a keyboard and display (not shown) may be connected, for example, via the connection I/F 110, or via a communication interface for connecting to a network such as a LAN.
The operation when the storage device 10A is connected to another PC 20 via the connection I/F 110 is the same as the operation described with reference to FIGS. 1 to 4. That is, when the other PC 20 requests access to the data stored in the storage device 10A, the memory controller 130 rejects at least write requests unless it receives a protect OFF command generated by the dedicated application program AP. This prevents the data stored in the storage device 10A from being unintentionally rewritten and prevents unintended data from being written.
Another method of restricting write requests is to have the OS normally recognize the storage device 10 as a ROM device that cannot be written to. Only when the dedicated application program AP performs a write operation does the dedicated application program AP change the OS's recognition of the storage device 10 from a ROM device to a writable recordable device, and after the write operation is completed it changes the OS's recognition of the storage device 10 back from a writable device to a ROM device. This makes it possible to reject write requests from anything other than the dedicated application program AP.
As a further method of restricting write requests, in the storage device 10B shown in FIG. 6, which has a bridge board that converts interfaces, the control unit 140 of the bridge board 150 may refrain from transmitting commands related to writing information to the memory controller 130 unless it receives the protect OFF command generated by the dedicated application program AP. That is, unless the storage device 10B receives the protect OFF command, the memory controller 130 never receives at least write-related commands, so no information is written to the storage area 122. This prevents data stored in the storage device 10B from being unintentionally rewritten, and prevents unintended data from being written. The protect OFF command for the control unit 140 of the bridge board 150 used here may be the same command as the protect OFF command for the memory controller 130, but from the viewpoint of making the device harder to hack from outside, it is preferable to use a command different from the protect OFF command for the memory controller 130.
In this case, the control unit 140 of the bridge board 150 may further refrain from transmitting any commands at all, including write commands and read commands, to the memory controller 130 unless it receives a preset password from an external device such as the PC 20, either prior to or together with the protect OFF command. Specifically, the bridge board 150 has a memory (not shown) in which this password is stored. This prevents the data in the storage device 10B from being rewritten or read by a user who does not know the password. The password may be set in advance, for example when the storage device 10B is shipped from the factory, so that only the purchaser of the storage device 10B can know it, or the specific user may set it for the storage device 10B afterwards using the dedicated application program AP. Also, multiple passwords may be set, one for each type of command (read command, write command, etc.) that the memory controller 130 can recognize, or a single password common to all commands may be set.
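The two-layer gating just described (password before anything is forwarded, a bridge-specific protect OFF command before write-related commands are forwarded, and the memory controller's own protect state behind that), as an added simulation that is not the patent's or the applicant's code. The command names, the in-memory stand-in for the storage area and the password value are assumptions.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class MemoryController:
    """Memory controller 130 with its own protect flag; the storage dict stands in
    for storage area 122 (constructed, in-memory)."""
    storage: dict = field(default_factory=dict)
    protected: bool = True  # write-protected until its own protect OFF command

    def handle(self, cmd: str, *args) -> str:
        if cmd == "MC_PROTECT_OFF":
            self.protected = False
            return "OK"
        if cmd == "MC_PROTECT_ON":
            self.protected = True
            return "OK"
        if cmd == "READ":
            return self.storage.get(args[0], "NOFILE")
        if cmd == "WRITE":
            if self.protected:
                return "REFUSED: write-protected"
            self.storage[args[0]] = args[1]
            return "OK"
        return "UNKNOWN"


class BridgeBoard:
    """Control unit 140 of bridge board 150. Nothing is forwarded until the
    preset password has been presented; write-related commands are forwarded
    only after the bridge's own protect OFF command, which is deliberately a
    different command from the memory controller's, as the text recommends."""

    WRITE_RELATED = {"WRITE", "MC_PROTECT_OFF"}

    def __init__(self, controller: MemoryController, password: str):
        self.mc = controller
        self._password = password.encode()  # held in the bridge board's own memory
        self.authenticated = False
        self.write_unlocked = False

    def submit(self, cmd: str, *args) -> str:
        if cmd == "AUTH":
            # constant-time comparison so the check leaks no timing information
            self.authenticated = hmac.compare_digest(args[0].encode(), self._password)
            return "OK" if self.authenticated else "REFUSED: bad password"
        if not self.authenticated:
            return "DROPPED: no password presented"  # never reaches the controller
        if cmd == "BRIDGE_PROTECT_OFF":
            self.write_unlocked = True
            return "OK"
        if cmd == "BRIDGE_PROTECT_ON":
            self.write_unlocked = False
            return "OK"
        if cmd in self.WRITE_RELATED and not self.write_unlocked:
            return "DROPPED: write-related command while protected"
        return self.mc.handle(cmd, *args)


def ap_write_session(bridge: BridgeBoard, password: str, name: str, data: str) -> list:
    """The sequence the dedicated application program AP would issue for one write:
    password, bridge protect OFF, controller protect OFF, the write, then re-protect
    both layers. Returns the response to each command in order."""
    steps = [
        ("AUTH", password),
        ("BRIDGE_PROTECT_OFF",),
        ("MC_PROTECT_OFF",),
        ("WRITE", name, data),
        ("MC_PROTECT_ON",),
        ("BRIDGE_PROTECT_ON",),
    ]
    return [bridge.submit(*step) for step in steps]


if __name__ == "__main__":
    mc = MemoryController()
    bridge = BridgeBoard(mc, "example-password")  # constructed value
    print(bridge.submit("WRITE", "a.txt", "x"))    # dropped: no password yet
    print(ap_write_session(bridge, "example-password", "a.txt", "x"))
    print(bridge.submit("WRITE", "a.txt", "y"))    # dropped: bridge re-protected
    print(bridge.submit("READ", "a.txt"))          # reads are forwarded
```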
In the storage device 10, 10A, or 10B described above (hereinafter referred to as the storage device 10 etc.), a log file for managing the write history may be stored in advance in the management area 122b, and by referring to this log file it may be checked whether the data stored in the storage device 10 has been tampered with. This log file may be created by the memory controller 130 when the storage device 10 is first written to, may be stored in the management area 122b when the storage device is shipped, or may be created in response to a log file creation command received from the PC 20 when the device is first connected to a PC 20 on which the dedicated application program AP is installed.
Each time the PC 20 writes one file (including writing one newly created file and rewriting one existing file) in accordance with instructions from the memory controller 130 or the dedicated application program AP, the contents of the log file are updated. For example, as shown in FIG. 7, this log file records, in association with one another, the timing (date and time) of the write, the file name of the file written, and a hash value generated from the contents of that file using a predetermined hash function. In other words, each write adds one new record to the log file. As for file names, the storage location (path) information is omitted in the figure for convenience of explanation, but the file name may include path information.
The hash value may be generated by the memory controller 130, or by the PC 20 on which the dedicated application program AP is installed, or by the control unit 140. In the latter case, a log file update command including the hash value is supplied to the memory controller 130 together with the write command for the target file.
In accordance with instructions from the memory controller 130 or the dedicated application program AP, the PC 20 refers to this log file at a predetermined timing to determine whether the data stored in the storage device 10 etc. has been tampered with. The timing of this determination may be based on a schedule predetermined by the memory controller 130, or may be triggered by receipt of a command for executing a predetermined tampering check from the connected PC 20. In the latter case, the user may set the timing of the tampering check in the dedicated application program AP. Possible timing settings include, for example, every time the storage device 10 etc. is connected, any timing designated by the user, or a fixed period (once a month, etc.).
The tampering determination process is described concretely below. The memory controller 130 first generates a hash value for each of all files currently stored in the data area 122a, using a predetermined hash function such as MD5 or SHA256. It then compares the set of generated hash values with the set of hash values recorded in the log file read from the management area 122b and determines whether the two are the same. If they are the same (a perfect match), it determines that no tampering has occurred. If they are not the same, it determines that tampering is suspected. In that case, the following processing may subsequently be performed.
Specifically, the PC 20, operating in accordance with instructions from the memory controller 130 or the dedicated application program AP, checks the consistency between the file names of all files recorded in the log file and the names of all files currently stored in the data area 122a.
If, as a result of this check, a file name that is recorded in the log file but does not exist in the data area 122a is detected, it is determined either that the file with that name was illegally deleted, or that the file's contents are still stored but its file name was illegally changed. Conversely, if a file name that is not recorded in the log file but exists in the data area 122a is detected, it is determined either that a file with that name was illegally written, or that the file name was illegally changed.
If, even though some files exist in the data area 122a, the log file with the predetermined name that should exist cannot be found, illegal deletion of the log file is suspected, and it is determined that the storage device 10 may have been tampered with.
In accordance with instructions from the memory controller 130 or the dedicated application program AP, the PC 20 writes the result of the above determination (at least information indicating the possibility of tampering) to the management area 122b. Information indicating the determination result is provided to the PC 20 as necessary.
If the log file itself is tampered with, the above tampering determination result cannot be guaranteed, so it is preferable to prohibit all write requests to the management area 122b. From this viewpoint, it is preferable that the memory controller 130 refuse commands to edit or delete the contents or file name of the log file that are received from anything other than the dedicated application, as well as log file update commands supplied independently of an ordinary file write command, since these indicate suspected unauthorized access to the log file.
The log file and/or the information indicating the tampering determination result may be stored in a device external to the storage device 10 etc. if it is always output to an external device having a file lock function, or if protection of the log file is otherwise guaranteed. For example, the memory controller 130 outputs the log file and/or the tampering determination result to the PC 20 only when it receives a predetermined command generated by the dedicated application program AP described above (that is, when it is connected to a PC 20 on which the AP is running). In addition, it is preferable that the log file and/or the information indicating the tampering determination result be given an attribute in the dedicated application program AP such that it can only be read and cannot be rewritten.
At this time, the log file may be recorded in a recording device having the function of accepting the protect ON/OFF commands described above.
The tampering determination process described above for the storage device 10B shown in FIG. 6 may also be applied to a readable and writable storage device (such as an SSD) with a general memory controller that does not have the function of accepting the protect ON/OFF commands described above.
For example, by connecting the bridge board described above to a storage device that has, in place of the memory controller 130, a general memory controller lacking the function of accepting the protect ON/OFF commands, access to the memory controller 130 (and therefore to the memory chip 120) can be prohibited unless the bridge board receives a predetermined password from the PC 20. That is, in one aspect, the storage device according to the present invention has at least a control unit that supplies commands received from a computer to the memory controller when a predetermined password is received from that computer.
The functions of updating the log file at write time and of tampering determination described above can be given, for example, to the dedicated application program AP. That is, the commands to execute the log file update and the tampering determination described above are issued on the basis of commands supplied from a PC 20 that is connected to this general storage device and on which the dedicated application program AP is executed. Specifically, each time the dedicated application program AP in this aspect writes one file, it also updates, on the basis of the file being written, the contents of a log file whose file name is predetermined in association with the identification ID of the storage device, and stores the updated log file in a predetermined area within the storage device. Then, at a predetermined timing while this storage device is connected, it performs the tampering determination described above. That is, it reads the hash values recorded in the log file stored in this storage device and the names of all files currently stored in this storage device, calculates hash values for the files with the read file names, compares the two to determine whether tampering has occurred, and, as necessary, further identifies the details of the tampering (whether a file was deleted or added, whether a file name was changed, etc.).
If the user who manages whether data has been tampered with is different from the user who records the data, the user who monitors for data tampering may save the log file and use that log file to check whether the data has been tampered with.
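The log file update and the tampering determination described above (both the step-by-step process for the memory controller and its restatement for the dedicated application program AP), as an added example that is not the patent's or the applicant's code. The log record layout (date/time, file name and SHA-256 hex digest separated by tabs), the log file name, the in-memory stand-ins for data area 122a and management area 122b, and the per-file "contents differ" finding are assumptions; comparing name-to-hash pairs rather than bare hash sets goes slightly beyond the text so that a rename is also reported.

```python
import hashlib
from datetime import datetime

LOG_NAME = "writelog.txt"  # assumed predetermined name of the log file in management area 122b


def file_hash(data: bytes) -> str:
    """The predetermined hash function; the text names MD5 or SHA256, SHA-256 is used here."""
    return hashlib.sha256(data).hexdigest()


def record_write(mgmt: dict, name: str, data: bytes, when: datetime) -> None:
    """Append one log record (date/time, file name, hash) for each file written."""
    line = f"{when:%Y-%m-%d %H:%M:%S}\t{name}\t{file_hash(data)}\n"
    mgmt[LOG_NAME] = mgmt.get(LOG_NAME, "") + line


def write_file(data_area: dict, mgmt: dict, name: str, data: bytes, when: datetime) -> None:
    """A write made through the dedicated AP: the file and the log are updated together."""
    data_area[name] = data
    record_write(mgmt, name, data, when)


def expected_hashes(log_text: str) -> dict:
    """Latest logged hash per file name: a rewrite appends a new record, so the last wins."""
    expected = {}
    for line in log_text.splitlines():
        _when, name, digest = line.split("\t")  # assumes file names contain no tabs
        expected[name] = digest
    return expected


def tamper_check(data_area: dict, mgmt: dict) -> dict:
    """Run the determination steps from the text and report what was found."""
    if LOG_NAME not in mgmt:
        # files exist but the log that should exist does not: log deletion suspected
        findings = ["log file missing: unauthorized deletion suspected"] if data_area else []
        return {"tampered": bool(findings), "findings": findings}
    expected = expected_hashes(mgmt[LOG_NAME])
    current = {name: file_hash(data) for name, data in data_area.items()}
    # Step 1: the text compares the set of current hashes with the logged set; comparing
    # name-to-hash pairs instead also catches a rename or swapped contents.
    if current == expected:
        return {"tampered": False, "findings": []}
    # Step 2: file-name consistency between the log and the data area.
    findings = []
    for name in sorted(expected.keys() - current.keys()):
        findings.append(f"{name}: in log but not in data area (deleted or renamed)")
    for name in sorted(current.keys() - expected.keys()):
        findings.append(f"{name}: in data area but not in log (illegally written or renamed)")
    for name in sorted(expected.keys() & current.keys()):
        if expected[name] != current[name]:
            findings.append(f"{name}: contents differ from logged hash (rewritten outside the AP)")
    return {"tampered": True, "findings": findings}


if __name__ == "__main__":
    data, mgmt = {}, {}  # constructed data area 122a and management area 122b
    t = datetime(2022, 11, 14, 10, 0, 0)
    write_file(data, mgmt, "report.pdf", b"v1", t)
    write_file(data, mgmt, "notes.txt", b"hello", t)
    write_file(data, mgmt, "report.pdf", b"v2", t)  # rewrite through the AP
    print(tamper_check(data, mgmt))
    data["secret.txt"] = data.pop("notes.txt")      # rename made outside the AP
    print(tamper_check(data, mgmt))
    del mgmt[LOG_NAME]                              # log file deleted
    print(tamper_check(data, mgmt))
```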
The target files for the tampering determination described above need not be the entire storage device (that is, all files stored in the storage device), but may be a preset partial storage area or folder (a collection of files).
In short, a program according to one aspect of the present invention causes a computer connected to a storage device to execute: a step of, when a file is written, storing in the storage device a hash value generated from the file being written; a step of comparing the hash value stored in the storage device with a hash value calculated from the file stored in the storage device; and a step of outputting information indicating the possibility of tampering based on the result of the comparison. Here, the term "file" does not depend on any particular OS, computer system, or data content, but refers to the smallest unit of data structure on which a user performs operations such as writing or reading.
Reference Signs List: 1, 1A, 1B ... computer system; 10, 10A, 10B ... storage device; 20 ... PC; 110 ... connection I/F; 120 ... memory chip; 122 ... storage area; 122a ... data area; 122b ... management area; 130 ... memory controller; AP ... dedicated application program

Claims (14)

  1.  A storage device comprising:
     a connection interface for exchanging information with a computer that accepts file operations from a user;
     a storage area; and
     a memory controller that manages reading and writing of data to the storage area so that, when a command received from the computer is a command other than a predetermined command, the computer is at least prohibited from rewriting data stored in the storage area.
  2.  The storage device according to claim 1, wherein the memory controller prohibits rewriting until it receives the predetermined command, and permits rewriting from receipt of the predetermined command until it receives a predetermined second command.
  3.  The storage device according to claim 2, wherein, when the predetermined command is not received, the memory controller prohibits new writing of a file stored in the storage area while permitting reading of that file.
  4.  The storage device according to any one of claims 1 to 3, wherein, when the predetermined command is not received, the memory controller permits recording of a new file in the storage area.
  5.  The storage device according to claim 2 or 3, wherein the storage area includes a data area in which files designated by the user are stored and a management area for storing a history of access to the data area, and
     the memory controller stores a log in the management area at least when a rewrite process is executed.
  6.  The storage device according to claim 5, wherein, in response to a request from the computer, the memory controller stores in the management area history information indicating that the connection with the computer was released after the predetermined command was received and before the predetermined second command was received.
  7.  The storage device according to claim 1, wherein a data string of a pattern that the OS does not record is stored in a predetermined area within the management area.
  8.  The storage device according to claim 1, further comprising a control unit that, when a predetermined password is received from the computer, supplies commands received from that computer to the memory controller.
  9.  A program for causing a computer to execute:
     a step of acquiring identification information of a storage device connected to the computer; and
     a step of outputting to the storage device, when the acquired identification information is one that has been registered in advance, a predetermined command that releases the prohibition on writing.
  10.  The program according to claim 9, further causing the computer to execute:
     a step of accepting from a user a designation of data to be written after the predetermined command has been output; and
     a step of outputting to the storage device a second predetermined command that prohibits writing when the write process for that data is completed.
  11.  The program according to claim 10, which prohibits operations by the user for accessing the storage device during the period from the designation of the data to be written until the second predetermined command is output.
  12.  The program according to claim 9, further causing the computer to execute:
     a step of, when the acquired identification information is one that has been registered in advance, determining whether setting information concerning prohibition of data rewriting is recorded in the storage device and, when that setting information indicates that data rewriting is permitted, storing in a management area of the storage device prohibition information indicating that writing to the storage device is prohibited; and
     a step of rejecting a write request from the user to the storage device when the prohibition information is stored in the management area.
  13.  The program according to claim 10, wherein, upon connection to the storage device, when information indicating that the connection with the computer was released after the predetermined command was received and before the predetermined second command was received is acquired from the storage device, the second predetermined command is output to the storage device.
  14.  The program according to any one of claims 9 to 11, further causing the computer to execute:
     a step of, when the acquired identification information is one that has been registered in advance, determining whether a data string of a predetermined pattern is stored in a predetermined area in a management area of the storage device; and
     a step of rejecting a write request from the user to the storage device when that data string is not stored.
PCT/JP2022/042268 2021-11-22 2022-11-14 Storage device and program WO2023090297A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2021189683 2021-11-22
JP2021-189683 2021-11-22
JP2022016543 2022-02-04
JP2022-016543 2022-02-04

Publications (1)

Publication Number Publication Date
WO2023090297A1 true WO2023090297A1 (en) 2023-05-25

Family

ID=86396996

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/042268 WO2023090297A1 (en) 2021-11-22 2022-11-14 Storage device and program

Country Status (1)

Country Link
WO (1) WO2023090297A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116795741A (en) * 2023-08-28 2023-09-22 凡澈科技(武汉)有限公司 Method and system for preventing memory data from being deleted and tampered

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009182670A (en) * 2008-01-30 2009-08-13 Oki Data Corp Image processing apparatus and image processing system
US20090259796A1 (en) * 2008-04-10 2009-10-15 Phison Electronics Corp. Data writing method for non-volatile memory and storage system and controller using the same
JP2013025519A (en) * 2011-07-20 2013-02-04 Nec Biglobe Ltd Storage device sharing system, management device, access control device, and method and program therefor
US20200310926A1 (en) * 2019-03-27 2020-10-01 SK Hynix Inc. Apparatus and method for reducing cell disturb in an open block of a memory system during a receovery procedure


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 22895578
    Country of ref document: EP
    Kind code of ref document: A1
WWE Wipo information: entry into national phase
    Ref document number: 2023561586
    Country of ref document: JP