JP2008198151A - Majority decision processing method and computer system using dual collation function - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To efficiently operate a policy file and to maintain the integrity of the policy file by solving the following problem: the security of the whole system can not be maintained since the policy file has the possibility of being tampered and, in this case, a computer is hijacked and an unauthorized act such as data leakage is performed. <P>SOLUTION: This computer system composed of many computers transfers the policy file to a different node when updating the policy file. When a certain node accesses the policy file, the certain node reads the policy file from the different node, takes a majority decision in a corresponding item and performs access control of resources. During performing the majority decision processing, a result of the majority decision is stored as history into a buffer. When the majority decision processing is performed, whether the result of the majority decision exists in the buffer or in another computer is checked, and if the respective results coincide, the value is used. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a computer system equipped with a secure OS (Operating System), which is an OS with enhanced security-related functions.

  Conventionally, high-reliability technology has been actively used for fault-tolerant technology, such as how to hide the failure from the user when a hardware failure or software failure occurs. The reliability of computer hardware and software It has been improved by contribution. However, incidents such as unauthorized access and information leakage are gradually increasing, and security improvement is required as one of high reliability. For example, if a policy file that defines which operations are allowed for each operation that is subject to security has been tampered with, then if the server is hijacked, fraudulent acts such as data leakage can occur. High nature.

  On the other hand, virtualization software such as Xen which is open source has appeared. Virtualization software makes it easy to run multiple operating systems on a single machine, and there is an increasing need for majority processing to make one decision from multiple operating systems.

  Patent Document 1 acquires environment information (processor usage status, memory usage status, etc.) in a cluster configuration composed of a large number of nodes, and detects a server failure by a statistical outlier that is unlikely to occur as a majority or data. The technology is described. Patent Document 2 describes a technique for securing security by owning a policy file and resolving rule conflicts in the policy file.

JP 2004-355233 A JP 2004-303243 A

  In the secure OS, when accessing computer resources such as CPU, memory, and main storage, the resource access right is checked by referring to the policy file that owns the resource access right, but this policy file is falsified. Unauthorized access and information leakage may occur. In the prior art, this problem cannot be avoided for falsification of the policy file.

  The policy file is a file for setting which operation is permitted for each resource by a certain server for each operation to be subjected to the security check.

  Further, as a conventional high reliability method, there is a backup in a hot standby method including an active server and a standby server. However, because the active server and standby server have the same configuration, they are easily intruded at the same time. If they are intruded on both servers, the policy file cannot be recovered and resource access control cannot be performed if the policy file is altered. There is.

  One example of performing majority processing is a three-tier cluster system. The three-tier cluster system is a system that executes one transaction divided into three types of servers, that is, an FEP (Front End Processor) server, an AP (Application) server, and a DB (Database) server. The FEP server executes communication processing, the AP server executes traffic body processing, and the DB server executes file input / output processing.

  When executing transaction processing in a three-tier cluster system consisting of an FEP server, AP server, and DB server, since the majority processing is executed several times per transaction, the problem is that this majority processing becomes a performance bottleneck. is there.

  An object of the present invention is to apply the double collation function to reduce the number of majority processes and to ensure the same degree of completeness as to take a majority vote at all points.

  In the present invention, the duplex verification function means a function that determines that the output is normal if the two outputs match, and determines that the output is not normal if the two outputs do not match.

  In order to solve at least one of the above problems, the present invention provides a system including a majority voting storage unit that stores a majority voting result in each server in a computer system including a plurality of computers.

  If the majority process is explained using the access right to the resource, in the computer system, a policy file indicating the access right of the resource is arranged in each node. When the server accesses a certain resource, the majority process is performed from the policy file in each other node to determine the access right. At this time, the result of the majority decision is a resource access right, which is cached in the majority decision storage unit. Similarly, other servers cache the result of the majority decision in the majority decision storage unit.

  When accessing the same resource again, it is necessary to check the access right of the resource. In this case, it is checked whether or not there is an access right corresponding to the cache stored in the storage unit. Also, it is checked whether or not the access right corresponding to the other server has the access right corresponding to the cache stored in the majority memory. If this access right exists and matches, this value (access right) is used. However, if it is not cached, majority processing is executed.

  According to the present invention, the number of majority processes can be reduced while maintaining performance such as security. Further, the overhead for majority decision can be reduced.

  The present invention will be described below with reference to the drawings. In the embodiment, a three-tier cluster system is used as a specific example of the computer system. However, the present invention is not limited to this, and the present invention can be applied to a system that requires majority processing in a plurality of calculation periods. It is. The majority process referred to in the present invention is a method that adopts the value with the most output from among a plurality of outputs. In the following embodiment, the access right to the resource is described. The present invention is not limited to the above, and the present invention can be applied as long as the same effect is required, for example, for arithmetic processing of a plurality of CPUs.

  FIG. 1 is a system configuration diagram according to the present invention. The target system includes nodes (11-1 to 19-1), a network (20), a console (21), and a terminal (22). Each node (11-1 to 19-1) is classified into any one of FEP server (1), AP server (2), and DB server (3). The FEP server (1) that mainly performs communication processing includes a node 1 (11-1), a node 2 (12-1), and a node 3 (13-1). The AP server (2) includes a node 4 (14-1), a node 5 (15-1), and a node 6 (16-1). The DB server (3) includes a node 7 (17-1), a node 8 (18-1), and a node 9 (19-1). Each node (11-1 to 19-1) is connected by a network (20) together with a terminal (22) and a console (21). In the console (21), falsification information of each node is accumulated.

  FIG. 2 is a configuration diagram of the node. In FIG. 2, the hardware configuration and software configuration of the node 1 (11-1) of the FEP server (1) will be described. Hereinafter, a buffer is used as an example of the storage unit.

  The hardware configuration of node 1 (11-1) consists of CPU (Central Processing Unit) (11-2), Memory (11-3), IOP (Input Output Processor) (11-4), NIC (Network Interface Controller) (11-5), a disk controller (11-6), and a disk device (11-7).

  The node 1 (11-1) has the above CPU (11-2) when the virtualization software (11-10) in the disk device (11-7) is expanded on the memory (11-3) and started. ) And memory (11-3) are allocated to three logical nodes: node 1-1 (11-1), node 1-2 (11-2), and node 1-3 (11-3) To divide.

  The software configuration of node 1 (11-1) of the FEP server (1) consists of virtualization software (11-10) and OS (11-11-1, 11-11-) that operate multiple operating systems (OS) simultaneously. 2, 11-11-3), policy file (11-12-1, 11-12-2, 11-12-3), majority processing section (11-13-1, 11-13-2, 11-13) -3), majority vote buffer (11-14-1, 11-14-2, 11-14-3) and user program (UP) (11-15-1, 11-15-2, 11-15-3) Consists of The UP processing (11-15-1, 11-15-2, 11-15-3) of the FEP server (1) is the OS (11-11-1, 11-11-2, 11-11-3) Communication processing 1 (11-15-1), communication processing 2 (11-15-2), and communication processing 3 (11-15-3) correspond to each other.

  The hardware configuration and software configuration of the node 2 (12-1) and the node 3 (12-1) of the FEP server (1) are the same as those of the node (11-1).

  Hardware configuration of node 4 (14-1), node 5 (14-1) and node 6 (14-1) of AP server (2), and node 7 (14-1) and node of DB server (3) The hardware configuration of 8 (15-1) and node 9 (15-1) is the same as that of node 1 (10-1) of the FEP server (1).

  In the present embodiment, as described above, hardware and software are used. However, the present invention is not limited to this, and the same effect can be obtained, for example, as in a dedicated LSI (Large Scale Integration). The present invention can be realized as long as it has a configuration to be provided.

  FIG. 3 is a diagram showing a user program (UP). The UP of the FEP server (1), as shown in FIG. 2, is a communication process (11-15-1 to 11-15-3, 12-15-1 to 12-15-3, 13-15-1 to 13 -15-3) is executed.

  AP server (2) UP executes application processing (14-15-1 to 14-15-3, 15-15-1 to 15-15-3, 16-15-1 to 16-15-3) To do. The UP of DB server (3) is IO input / output processing (17-15-1 to 17-15-3, 18-15-1 to 18-15-3, 19-15-1 to 19-15-3 ) Is executed.

  FIG. 4 is a diagram showing transaction processing.

  Here, the node 1 (11-1) of the FEP server (1) receives the message from the terminal (22) and analyzes it (processing 100). The node 1-1 (11-1-1) checks which AP is executed from the message, and selects the corresponding server 4 (14-1) from the AP server (2) (processing 101). Here, it is assumed that the AP of node 4-1 (14-1-1) is executed. Node 1-1 (11-1-1) refers to the policy file and checks the access rights of Node 4-1 (14-1-1) to the AP server to confirm that it can communicate with this server ( Process 102). When the node 1-1 (11-1-1) can communicate with the node 4-1 (14-1-1), the node 1-1 (11-1-1) transmits a message to the AP server (process 103). If communication is impossible, the transaction process is interrupted (process 104). The message here refers to a message transferred from one node to another node.

  Next, the AP server node 4-1 (14-1-1) receives and analyzes the message from the FEP server node 1-1 (11-1-1) (processing 110). Then, the node 4-1 (14-1-1) executes the corresponding AP (processing 111). Then, an IO request is made to the disk. There are two IO requests: read (process 112) and write (process 113).

  For the IO request, the AP server (2) first selects a node from the DB server, and then checks the access right of the node to the DB server. If the access right is allowed (when OK), send a message to the DB server. If the access right is not permitted (NG), transaction processing is interrupted. When the above processing ends at the AP server (2), the DB server node 7-1 (17-1-1) makes an IO input / output request. The IO input / output request is processed as follows by reading (processing 120-123) and writing (processing 130-133) a file.

  For the IO input / output request, the node 7 (17-1-1) of the DB server (3) first analyzes the message analysis from the node 4 (14-1-1) of the AP server (2) (process 120). 130). Next, the node 7-1 (17-1-1) selects a file to be accessed (processing 121 and 131). Next, the access right of the file is checked. If access to the file is permitted, the file is read. If not permitted, the transaction processing is interrupted (processing 122, 132). Next, the node 7 (17-1-1) of the DB server (3) transmits the IO processing result to the node 4 (14-1-1) of the AP server (2) (processing 123, 133).

  When the above processing ends at the DB server (3), the node 4 (14-1-1) of the AP server (2) receives a message from the node 7 (17-1-1) of the DB server (3), and AP processing completion processing is performed (processing 140). Further, the transaction processing result is transmitted to the node 1 (11-1-1) of the FEP server (1) (processing 141).

  Finally, the node 1 (11-1-1) of the FEP server (1) transmits the transaction processing result to the terminal (22) (processing 150).

  FIG. 5 is a diagram illustrating a process in which majority processing and duplex verification processing are combined in a server node. Each node refers to a policy file in another node and performs majority processing (processing 200). Then, the result is stored in the majority vote buffer (process 201).

  In the duplicated verification process, whether or not the access rights match for the policy file entry stored in the majority buffer is checked, and if they match, resource access control is performed using the access rights (process 210). ).

  6 to 8 are diagrams showing policy files of each server.

  FIG. 6 is a diagram illustrating an example of a policy file for the node 1 of the FEP server. This policy file indicates whether communication with other nodes is possible. In node 1-1 communication processing 1 (11-15-1), node 4-1 (14-1-1), node 5-1 (15-1-1), node 6-1 (16-1- Can communicate with 1), but cannot communicate with other nodes. Communication possible is (00) 16, and communication impossible is (01) 16. Note that 16 in (00) 16 and (01) 16 indicates that the value of the parenthesis is expressed in hexadecimal, but other notations such as binary may be used. The policy files for the communication process 1 (11-15-2) of the node 1-2 and the communication process 1 (11-15-3) of the node 1-3 are the same.

  FIG. 7 is a diagram illustrating an example of a policy file for the node 1 of the AP server. This policy file indicates whether communication with other nodes is possible. In node 4-1, communication process 1 (14-15-1), node 7-1 (17-1-1), node 8-1 (18-1-1), node 9-1 (19-1- Can communicate with 1), but cannot communicate with other nodes. Communication possible is (00) 16, and communication impossible is (01) 16. The same applies to the policy files of the communication process 1 (11-15-2) of the node 4-2 and the communication process 1 (11-15-3) of the node 4-3.

  FIG. 8 is a diagram illustrating an example of a policy file for the node 1 of the DB server. This policy file indicates whether the file can be accessed. RW can read and write the file, R can read the file, and Non indicates that the file cannot be accessed. In the input / output process 1 (14-15-1) of the node 7-1, the file 1 can be read and written, the file 2 cannot be accessed, and the file 3 can only be read. Can communicate with node 7-1 (17-1-1), node 8-1 (18-1-1), and node 9-1 (19-1-1), but cannot communicate with other nodes is there. Communication possible is (00) 16, and communication impossible is (01) 16. The policy files of the communication process 1 (17-15-2) of the node 7-2 and the communication process 1 (17-15-3) of the node 7-3 are the same.

  The detailed processing procedure will be described below with reference to FIG.

  FIG. 9 illustrates a policy file transmission process.

  The node 1-1 (11-1-1) prohibits the majority process from being executed when the policy file is updated or when the policy file expires (process 300). The policy file is transmitted from the node 1-2 (11-1-2) to the node 3-3 (13-1-3) (processing 302). The node 1-2 (11-1-2) to the node 3-3 (13-1-3) receive the policy files from the node 1-1 (11-1-1), respectively (processing 310 and 320). ). Each of the node 1-2 (11-1-2) to the node 3-3 (13-1-3) checks the policy file and writes the policy file (processing 311 and 321). Further, the node 1-2 (11-1) to the node 1-3 (15-1) notify the node 1-1 (11-1-1) of the completion of writing. When the node 1-1 (11-1-1) receives the completion of the writing of the policy file (process 330), the node 1-1 (11-1-1) cancels the majority process prohibition process and starts the majority process. (Process 331).

  FIG. 10 is a diagram illustrating processing from access to resources to majority processing in the server.

  Here, the processing in the FEP server (1) will be described as an example. Nodes 1-1 (11-1-1), 1-2 (11-1-2), and 1-3 (11-1-3) perform majority processing.

  The node 1-1 (11-1-1) requests access to the resource (process 400). The access control of the corresponding resource is referred from the policy file (process 401). Next, when there is access control for the corresponding resource (Case 1) (Process 402), other nodes, here Node 1-2 (11-1-2) and Node 1-3 (11-1-3) Queries the corresponding access control (step 403). Then, the node 1-2 (11-1-2) returns the corresponding access control to the node 1-1 (11-1-1) (processing 410). Similarly, the node 1-3 (11-1-3) returns the corresponding access control to the node 1-1 (11-1-1) (processing 411).

  The node 1-1 (11-1-1) checks whether the corresponding access control values match (processing 420). If they match, resource access control is performed (process 421) (case 1-1). If they do not match (processing 220), the three processes of occurrence of falsification, determination, majority processing, and policy file recovery processing are performed (processing 422) (case 1-2). When there is no access control of the corresponding resource (process 430) (case 2), majority processing is executed (process 431).

  FIG. 11 shows a flowchart of the present invention.

  Here, the node 1-1 (11-1-1) performs resource access. Node 1-1 (11-1-1) performs duplex verification with node 1-2 (11-1-2). The node 1-1 (11-1-1) performs majority processing with other nodes (node 1-3 (11-1-3) to node 3-3 (13-1-3)).

  The node 1-1 (11-1-1) checks whether the node that performs resource access has a majority result in its buffer (process 500). If there is no result of majority voting in the majority voting buffer, a majority voting process is performed (process 505). If there is a majority result in the majority buffer, the node 1-2 (11-1-2) inquires about the result of the majority decision to other nodes (process 501). The node 1-2 (11-1-2) checks whether there is an entry for the corresponding resource (process 510). If there is no entry, majority processing is performed (processing 505).

  The node 1-1 (11-1-1) checks whether the access right values of the entries match (duplex matching function) (process 520). If they do not match, the majority process is performed (process 505).

  The node 1-1 (11-1-1) reads the access right from the entry of the corresponding resource, checks the access right value, and checks whether it is permitted (process 530). If access is permitted, the resource is accessed (process 540). On the other hand, if the access is not permitted, it is notified that the resource cannot be accessed (process 541).

  FIG. 12 is a diagram showing entries in the policy file.

  The policy file entry includes a subject (50), an object (51), and an access right (52). The subject (50) is a subject that performs access, the object (51) is a target to be accessed, and the access right (52) is a value indicating whether or not access is possible.

  FIG. 13 is a diagram showing subject and object values.

  The value of node 1-1 (11-1-1) is (11) 16, the value of node 1-2 (11-1-2) is (12) 16, and so on. The value of (16-1-3) is (63) 16.

  FIG. 14 is a diagram illustrating a processing procedure of case 1-1.

  Node 1-1 (11-1-1) considers the case where the subject (50-10) accesses the object (51-10). This is a case where the node 1-1 (11-1-1) transmits a message to the node 4-1 (14-1-1).

  The access right of the node 1-1 (11-1-1) is (00) 16. Further, referring to the majority buffer of the node 1-2 (11-1-2), this access right is also (00) 16, and the values of the access right match (processing 600). Therefore, the node 1-1 (11-1-1) refers to the value (00) 16 of the access right, and the access right (00) 16 indicates that access is permitted.

  Also, the access right is written as one entry in the majority buffer. At this time, if the majority buffer is full, for example, if writing is not possible, the resource access count and elapsed time are measured, and the access count within the fixed access count is calculated. It is invalidated by clearing the entry in the buffer.

  FIG. 15 is a diagram illustrating a processing procedure of case 1-2. Case 1-2 is when the corresponding entry exists in the policy file but the value is different. Each node has a tampering determination unit, which determines that tampering has occurred. For this reason, it is necessary to invalidate the policy file in the node where the falsification has occurred.

  Node 1-1 (11-1-1) considers the case where the subject (50-10) accesses the object (51-10). This is a case where the node 1-1 (11-1-1) transmits a message to the node 4-1 (14-1-1). The access right of the node 1-1 (11-1-1) is (00) 16. On the other hand, when the node 1-2 (11-1-2) refers to the majority buffer, this access right is also (ff) 16 and the access right does not match. For this reason, it is determined that falsification has occurred in the node 1-1 (11-1-1) or the node 1-2 (11-1-2) (processing 700). The majority process is executed according to the following procedure.

  Node 1-1 (11-1-1) can access the subject and object from the other nodes (Node 1-3 (11-1-3) to Node 3-3 (13-1-3)) Is requested (process 701). The other nodes (node 1-3 (11-1-3) to node 3-3 (13-1-3)) return the access rights of the subject and the object to the node 1-1 (processing 702). The node 1-1 (11-1-1) takes the majority of subject and object access rights (process 703). The node 1-1 (11-1-1) invalidates the policy file altered to the node 1-2 (11-1-2) (process 704).

  FIG. 16 is a diagram illustrating a processing procedure of case 2. Case 2 is a case where there is no corresponding entry in the policy file.

  Node 1-1 (11-1-1) considers the case where the subject (50-10) accesses the object (51-10). This is a case where the node 1-1 (11-1-1) transmits a message to the node 4-1 (14-1-1). The access right of the node 1-1 (11-1-1) is (01) 16. On the other hand, when the node 1-2 (11-1-2) refers to the majority buffer, there is no entry whose subject is (11) 16 and whose object is (41) 16 (process 800).

  The majority process is executed according to the following procedure. Node 1-1 (11-1-1) has access rights to subjects and objects corresponding to other nodes (Node 1-3 (11-1-3) to Node 3-3 (13-1-3)) Is requested (process 801).

  The other nodes (node 1-3 (11-1-3) to node 3-3 (13-1-3)) return the access rights of the subject and the object to the node 1-1 (processing 802). The node 1-1 (11-1-1) takes the majority of subject and object access rights (process 803). Finally, the node 1-1 (11-1-1) stores the result of the majority vote in the majority vote buffer (process 804).

  FIG. 17 is a diagram showing objects and subjects.

  The object is a node 7 that is a DB server. The value of node 7-1 (17-1-1) is (71) 16, the value of node 7-2 (17-1-2) is (72) 16, and the value of node 7-3 (17-1-3) The value is (73) 16.

  The subject of the file 1 (30) is (A1) 16, and in the following order, the value of the file 9 (38) is (A91) 16.

  FIG. 18 is a diagram showing a processing procedure when the majority decision buffer is full.

  The number of entries in the majority buffer is 3. Assume that the current majority buffer is full, that is, all are in use. Here, a case where the majority of policy files is determined and stored in an entry will be described.

  Entry 1 is a case where node 7-1 (17-1-1) accesses file 1. Entry 2 is when node 7-1 (17-1-1) accesses file 3 (32). The entry 3 is a case where the node 7-2 (17-1-2) accesses the file 5 (34).

  In this case, the entry with the lowest access frequency is calculated. Here, the number of accesses per unit time is calculated. In this case, the number of accesses per unit time of entry number 3 is the smallest. For this reason, entry 3 is to be deleted.

  Since the entry to be added is the subject (73) 16, the object (A6) 16, and the access right is (00) 16, this entry is stored in the entry number 3.

  In this way, entries with high access frequency are stored in the majority buffer.

  The secure OS requires the integrity that the policy file has not been tampered with in order to prevent unauthorized access and data leakage. In the present invention, the policy file is distributed to a plurality of nodes and a majority process is performed at the time of access, which is an essential function of the secure OS.

It is a system configuration diagram. It is a block diagram of a node. It is a figure which shows a user program (UP). It is a figure which shows transaction processing. It is a figure which shows the characteristic of this invention. It is a figure which shows the policy file of a FEP server. It is a figure which shows the policy file of AP server. It is a figure which shows the policy file of DB server. It is a figure which shows the transmission process of a policy file. It is a figure which shows the process from the access to a resource to performing a majority process. It is a figure which shows the flowchart of this invention. It is a figure which shows the entry of a policy file. It is a figure which shows the value of a subject and an object. FIG. 10 is a diagram showing a processing procedure for case 1-1. It is a figure which shows the process sequence of case 1-2. FIG. 10 is a diagram showing a processing procedure for case 2; It is a figure which shows the value of a subject and an object. It is a figure which shows the process sequence when a majority decision buffer is full.

Explanation of symbols

11-19 ... node, 20 ... network, 21 ... console, 22 ... terminal

Claims (9)

In a computer system using a duplicated collation function that allows multiple computers to communicate with each other,
The plurality of computers are:
A majority processing section that performs majority processing;
A majority memory storing a majority result of the majority processing unit;
The first calculator is
When performing the majority process, check whether there is a majority result in the majority memory of the first computer,
If there is a majority result in the majority memory of the first computer, check whether there is a majority result in the majority memory of the second computer,
If there is a majority result in the majority memory of the second computer, query the majority result,
A computer system using a duplicated collation function, wherein when a majority result in a majority storage unit of the first computer matches a majority result of the second computer, the majority result is used as a result of majority processing. In the computer system using the double collation function according to claim 1,
The majority processing is a majority processing of a policy file indicating an access right to the computer resource,
A computer system using a duplicated collation function, wherein the match between the majority result in the majority storage unit of the first computer and the majority result of the second computer is a match of the access right values. In the computer system using the double collation function according to claim 2,
The plurality of computers further includes a determination unit that determines whether the computer has been tampered with,
The determination unit of the first computer determines that falsification has occurred when the majority result of the majority storage unit of the first computer and the majority result of the second computer do not match. A computer system that uses a dual verification function. In the computer system using the double collation function according to claim 3,
If the determination unit of the first computer determines that tampering has occurred, the policy file of the computer that has determined that tampering has occurred is read from the plurality of computers, and majority processing is performed.
A computer system using a duplicated collation function, wherein a majority storage section of a computer determined to have undergone tampering is cleared. In the computer system using the double collation function according to claim 2,
The first calculator is:
When the majority result of the majority computer storage unit of the first computer matches the majority computer result of the second computer, the majority result is stored in the majority computer storage unit of the first computer,
A computer using a duplicated collation function, wherein the majority result in the majority storage unit is invalidated in the order of low frequency of access to the resource when it cannot be stored in the majority storage unit of the computer of the first computer system. In the computer system using the double collation function according to claim 5,
A computer system using a duplicated collation function, wherein the frequency of accessing the resource is calculated from the number of accesses and the elapsed time. In a computer system using a duplicated collation function that allows multiple computers to communicate with each other,
The plurality of computers, when performing majority processing,
A first step of checking whether there is a majority result in the majority memory of the computer;
If there is a majority result in the first step, a second step of inquiring whether other computers have the same majority result as the majority result,
When there is a majority result in another computer in the second step, a third step for checking whether the majority result of its own computer matches the majority result inquired in the second step;
And a fourth step of using the majority result as a result of the majority processing when the majority result matches in the third step. A majority processing method using a double collation function, comprising: In the majority processing method using the double collation function according to claim 7,
The majority process is a majority process of a policy file indicating an access right to the computer resource,
The majority processing method using a duplicated collation function, wherein the match of the majority result in the third step is a match of the access right values. In the majority processing method using the double collation function according to claim 8,
5. The majority processing method using a duplicated collation function, further comprising a fifth step of determining that falsification has occurred when the majority results do not match in the third step.

Images