JP2009037642A - Data processing method, data processor, computer program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a data processing method, a data processor, a computer program and a recording medium by which the essential structure of an illegal code can be identified and detected. <P>SOLUTION: A branch source address and a branch destination address of a branch instruction (jmp instruction) are stored (S4), it is determined whether or not a call instruction for calling an instruction code group for executing an external command is associated with the branch destination address (S6), when the call instruction is associated with the branch destination address, it is determined whether or not its call destination exists between the branch source address and the branch destination address (S9), and when the call destination by the call instruction exists between the branch source address and the branch destination address, information is generated indicating that the illegal code is detected (S10). <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a data processing method for detecting data for executing illegal processing, a data processing device, a computer program for realizing the data processing device, and a computer on which the computer program is recorded. The present invention relates to a recording medium.

With the spread of the Internet network, various information processing apparatuses become targets of attacks such as computer viruses and cracking, and the possibility of being exposed to these threats is increasing.
For example, in recent years, as represented by computer viruses such as “Nimda” and “Code Red”, self-propagation has been made by exploiting vulnerabilities (security holes) in application programs such as system programs or web browsers. There are cases that have caused damage.

  In attacks such as computer viruses and cracking as described above, attack data including an instruction code (hereinafter referred to as illegal code) for performing illegal processing is transmitted to an information processing apparatus such as a server apparatus or personal computer that is an attack target. The instruction code is executed by the information processing apparatus. There are a variety of such attack methods, and one of them is an attack method based on buffer overflow. In buffer overflow, the buffer reserved in the stack is in a state where data is written to the stack area larger than the reserved buffer. May cause malfunction. An attack caused by buffer overflow intentionally causes a malfunction of the program, for example, acquiring system administrator authority.

In order to cope with attacks such as these computer viruses and cracking, conventionally, the presence or absence of a specific bit pattern found in an illegal code is detected for received data. When such a bit pattern is included in the received data, it is determined that the attack data includes an illegal code, and processing such as refusal of data reception and notification to the user is performed. Yes.
Nanami Fuuta, “Advanced packet worm / virus remediation using the Part3 iptables extension module”, Linux World, Japan, IDG Japan, August 1, 2002, Volume 1, Volume 1 8, pages 142-149

  Therefore, in order to cope with various computer viruses and cracking attacks using conventional methods, it is necessary to prepare a specific bit pattern corresponding to each computer virus and cracking in the database in advance. If a computer virus or cracking technique is discovered, the database must be updated.

  By the way, in the conventional detection method for attack data, a part that is not essential for attack processing such as detecting a known bit pattern as described above or simply repeating a NOP instruction (NOP: non-operation). Has been trying to detect the structure of. Therefore, it is vulnerable to variations in attack data, and whenever unknown attack data appears, it is necessary to update the bit pattern database used for detection, and the time lag until the database is updated has become a problem.

  The present invention has been made in view of such circumstances, and retrieves an instruction code related to a branch instruction from input data and calls an instruction code group for executing a predetermined process at a branch destination address. If the instruction code is associated with a branch destination address, the call destination address of the instruction code is between the branch source address and the branch destination address. With this configuration, it is not necessary to prepare in advance a bit pattern for detecting an instruction code group that performs illegal processing, and detection is also performed for an unknown instruction code group that performs illegal processing. Possible data processing method, data processing apparatus, computer program for realizing the data processing apparatus, and computer in which the computer program is recorded Reading in Yuta and an object thereof is to provide a recording medium capable.

  A data processing method according to the first invention is a data processing for receiving input of data including a plurality of instruction codes and determining whether or not a process executed based on an instruction code included in the received data is an illegal process. In the method, an instruction code related to a branch instruction is retrieved from the data, and a branch source address associated with the retrieved instruction code and a branch destination address associated with a branch destination of the instruction code are stored. Determining whether or not an instruction code for calling an instruction code group for executing predetermined processing is associated with the branch destination address, and determining that the instruction code is associated with the branch destination address The call destination address of the instruction code is stored, and whether the stored call destination address is between the branch source address and the branch destination address is determined. Characterized by disconnection.

  The data processing apparatus according to the second aspect of the present invention comprises means for accepting input of data including a plurality of instruction codes, and is the process executed based on the instruction code included in the data accepted by the means being illegal processing? In the data processing apparatus for determining whether or not, a means for retrieving an instruction code related to a branch instruction from the data, a branch source address associated with the retrieved instruction code, and a branch destination of the instruction code Means for storing a branch destination address that is stored, means for determining whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address, and the branch destination If it is determined that the instruction code is associated with an address, means for storing a call destination address of the instruction code, and a stored call destination address Means for determining whether or not the address is between the branch source address and the branch destination address; and when the call destination address is between the branch source address and the branch destination address, the data is data for executing an illegal process. And means for outputting information indicating that there is.

  According to a third aspect of the present invention, there is provided a computer program having a step of causing a computer to determine whether or not processing executed based on data including a plurality of input instruction codes is illegal processing. A step of retrieving an instruction code related to a branch instruction from the data; and a computer having a branch source address associated with the retrieved instruction code and a branch destination address associated with a branch destination of the instruction code. A step of storing, a step of causing a computer to determine whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address; and If it is determined that the instruction code is associated with And storing the calling destination address of the instruction code, the computer, the stored calling destination address was that characterized by having a step of determining whether there between the branch source address and branch destination address.

  According to a fourth aspect of the present invention, there is provided a computer-readable recording medium having a step of causing a computer to determine whether or not a process executed based on input data including a plurality of instruction codes is an illegal process. In a computer-readable recording medium in which a computer program is recorded, a step of causing a computer to retrieve an instruction code related to a branch instruction from the data, and a correspondence with the retrieved instruction code A step of storing a branch source address and a branch destination address associated with a branch destination of the instruction code; and an instruction code for calling a command code group for executing a predetermined process to the branch destination address in the computer Step to determine whether or not When it is determined that the instruction code is associated with the branch destination address, the step of storing the call destination address of the instruction code, and the call destination address stored in the computer are the branch source address and the branch destination address. A computer program having a step for determining whether or not it is in between is recorded.

  In the first invention, the second invention, the third invention, and the fourth invention, the instruction code related to the branch instruction is searched from the input data, and the branch source address and branch destination address of the searched instruction code are obtained. It is determined whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address, and it is determined that the instruction code is associated with the branch destination address. In this case, the call destination address of the instruction code is stored, and it is determined whether or not the stored call destination address is between the branch source address and the branch destination address. Therefore, because we focus on the universal structure that is not found in normal data (executable code), it is highly possible that it can be detected even when malicious code is transformed, and unknown attack data appears. Even so, as long as the intrinsic processing of the malicious code does not change, the malicious code can be detected. In addition, by sequentially reading the instruction code, it is possible to determine whether it is an illegal code, so the processing speed is fast, for example, it can be determined in real time for data received by communication, etc. The present invention has an excellent effect.

Hereinafter, the present invention will be specifically described with reference to the drawings illustrating embodiments thereof.
Embodiment 1 FIG.
FIG. 1 is a schematic configuration diagram for explaining an intrusion detection system using a data processing apparatus of the present invention. In the figure, reference numeral 10 denotes a relay device that embodies the data processing device of the present invention, for example, a device that relays data communication such as a router, a switch, and a broadband router. The relay device 10 includes a CPU 11, a memory 12, and communication interfaces (hereinafter referred to as communication IFs) 13 and 14, and is connected to an information processing device 20 connected to the communication IF 13 and a data communication network N such as the Internet network. Thus, transmission / reception of various data is relayed to / from another information processing apparatus 30 connected to the communication IF 14. The information processing devices 20 and 30 are devices that can perform data communication such as personal computers, server devices, mobile phones, and PDAs (Personal Digital Assistants).
When the relay device 10 receives the data transmitted from the information processing device 30, the relay device 10 determines whether the received data includes data including an instruction code (hereinafter referred to as an illegal code) for executing an illegal process. If an illegal code is included, processing such as communication interruption and alarm output is performed.

The memory 12 of the relay device 10 includes a routing table 12a, a filtering table 12b, and a branch table 12c.
The routing table 12a stores communication route control information, and the transmission route of data transmitted from the information processing apparatus 20 is determined based on the route control information. The filtering table 12b stores identification information (for example, an IP address or a port number) of a communication partner to be rejected. When data is received from an information processing apparatus corresponding to the identification information, the data Is not transmitted to the information processing apparatus 20.
Further, the computer program of the present invention is stored in the memory 12 in advance, and when the CPU 11 executes the computer program, the relay device 10 operates as an intrusion detection system that detects an unauthorized code. The branch table 12c stores a memory address (hereinafter, simply referred to as an address) related to a specific instruction code acquired during startup of the computer program, and determines whether the data includes illegal code. Used.
The CPU 11 of the relay apparatus 10 performs a writing process or a reading process on these tables as appropriate to perform communication control.

  Hereinafter, the characteristic structure of the malicious code found based on the inventors' knowledge will be described. As a universal feature of illegal code, the inventors have established that a call instruction (hereinafter referred to as a call instruction) is set at a branch destination specified by a branch instruction (hereinafter referred to as a jmp instruction). It is found to be between the jmp instruction and the call instruction. Then, the call instruction acquires the address stored in the stack, that is, the address next to the call instruction in the instruction code group of the call destination, and executes the command to be activated using the acquired address.

2 and 3 are conceptual diagrams for explaining the characteristic structure of an illegal code. As described above, the call instruction is set in correspondence with the branch destination of the jmp instruction for branching the process. That is, the call instruction is associated with the branch destination address (A10) of the jmp instruction.
A call instruction group (A2 to A6) for calling an external command is associated with the call instruction call destination, and the call destination of the call instruction is the branch source address (A1) and the branch destination address (A10). It is set to come in between. In this instruction code group, the address stored in the stack by the call instruction, that is, the address (A11) next to the call instruction is acquired by the pop instruction, and an external command is executed using the acquired address. . Therefore, by making any external command intended by the creator of the illegal code correspond to the next address of the call instruction, the external command is called and executed when these instruction codes are executed. It has become.
Of course, dummy initial data and a work area may be provided between the instruction code group and the call instruction (A7 to A9).

As shown schematically in FIG. 3, the illegal code described above includes (1) the presence of a call instruction at the branch destination of the jmp instruction, and (2) the call destination of the call instruction between the call instruction and the jmp instruction. It is characterized by the existence.
In the relay device 10, an illegal code having such a characteristic structure is detected from the data received by the communication IF 14, and an alarm is output or communication is interrupted.

  Hereinafter, a procedure for detecting a malicious code having the above-described characteristic structure will be described. FIG. 4 is a flowchart for explaining the processing procedure of the intrusion detection system according to the present embodiment, and FIG. 5 is a conceptual diagram showing an example of the branch table 12c used at the time of intrusion detection. First, the CPU 11 of the relay device 10 reads 1 byte of data received by the communication IF 14 (step S1). Then, the CPU 11 determines whether or not the read data is a jmp instruction (step S2). If the read data is a jmp instruction (S2: YES), the CPU 11 determines whether the branch destination address specified by the jmp instruction is larger than the current position address (step S3).

  When it is determined that the branch destination address is larger than the current location address (S3: YES), the current location address (branch source address) and the branch destination address (branch destination address) are associated with each other in the branch table 12c. Store (step S4). In the example of data as shown in FIG. 2, when the data at the address A1 is read, the data is a jmp instruction, and the branch destination address (A10) specified by the jmp instruction is larger than the address A1. A1 as the branch source address and A10 as the branch destination address are stored in the branch table 12c (see FIG. 5).

  When it is determined in step S3 that the branch destination address is smaller than the address of the current position (S3: NO), or when the branch source address and the branch destination address are stored in the branch table 12c in step S4, The CPU 11 determines whether or not the data to be read has been completed (step S5). If the CPU 11 determines that the data to be read still remains (S5: NO), the process returns to step S1 to be read. If it is determined that the data has been completed (S5: YES), this routine is terminated.

  If it is determined in step S2 that it is not the read data jmp instruction (S2: NO), the CPU 11 determines whether or not the address of the current position matches the branch destination address stored in the branch table 12c (step S2). S6). If the address at the current position does not match the branch destination address (S6: NO), a branch destination address smaller than the current position address is deleted from the branch table 12c (step S7). Then, the process of step S5 is performed, and it is determined whether to return the process to step S1 again or to end the process of this routine.

If it is determined that the current position address matches the branch destination address stored in the branch table 12c (S6: YES), the CPU 11 determines whether or not the instruction code associated with the current position address is a call instruction. Judgment is made (step S8). If the CPU 11 determines that the instruction code associated with the address at the current position is a call instruction (S8: YES), the CPU 11 refers to the branch table 12c so that the call destination of the call instruction is branched from the branch source address. It is determined whether it is between the previous addresses (step S9).
If it is determined in step S8 that it is not a call instruction (S8: NO), or if it is determined in step S9 that the call destination is not between the branch source address and the branch destination address (S9: NO) To step S5.

  When it is determined that the call destination by the call instruction is between the branch source address and the branch destination address stored in the branch table 12c (S9: YES), the CPU 11 generates information indicating that an illegal code is detected ( Step S10).

  The information indicating that the above-described fraudulent code has been detected may be displayed by providing a display unit such as a liquid crystal display on the relay device 10 or by providing an alarm unit such as a buzzer or an LED lamp. May be. Furthermore, the information may be transmitted to the information processing apparatus 20 and displayed on a display unit (not shown) included in the information processing apparatus 20. Further, the communication may be cut off in response to the generation of information indicating that the unauthorized code has been detected.

Since the character string of the external command to be executed exists at the address stored in the stack by the call instruction as described above, whether or not the ASCII character string (command name) exists at the next address of the call instruction. By using this as a proof, the detection accuracy of the illegal code can be improved.
Further, it has been known by the inventors that the presence or absence of an illegal code can be detected by making a determination as to whether or not an ASCII character string exists at the address next to the call instruction.

  As described above, according to the present embodiment, it is possible to determine whether or not a malicious code is included by sequentially reading and processing data. Therefore, an algorithm for detecting the presence or absence of a malicious code is simple, and High-speed processing is possible.

Embodiment 2. FIG.
The above-mentioned malicious code is characterized by placing an external command to be executed at the address next to the call instruction. In the first embodiment, the illegal code is found by finding a special structure for calling such an external command. Was detected. However, it is not always necessary to place the external command to be executed next to the call instruction, and it is also possible to place the command by shifting the position by a predetermined address by the author of the illegal code. Such a fraudulent code is referred to herein as a camouflaged fraud code, and the characteristic structure and detection procedure of the camouflaged fraud code will be described below. Note that the configuration of the relay device 10 and the connection configuration with the information processing devices 20 and 30 are the same as those in the first embodiment, and thus description thereof is omitted.

6 and 7 are conceptual diagrams for explaining the characteristic structure of a camouflaged malicious code. Even in the case of a camouflaged illegal code, in the instruction code group called by the call instruction, the address associated with the external command to be activated is acquired in the same manner as described above. Is different from the illegal code described in the first embodiment in that a dummy instruction code having a fixed length is placed between
That is, in the spoofed malicious code having the structure shown in FIG. 6, the address (A2) stored in the stack by the call instruction is acquired by the instruction code group defined in A16 to A20, and from the address A2 The external command associated with the fifth address (A7) is activated.

  Such a camouflaged malicious code cannot be detected by the processing described in the first embodiment, but, as schematically shown in FIG. 7, (1) an instruction code group is called by a call instruction, ( 2) It can be seen that the instruction code group still has a characteristic structure in which the address stored in the stack by the call instruction is acquired by the pop instruction. Therefore, by searching for a pop instruction that is not preceded by a push instruction in an instruction code group called by a call instruction, it is possible to detect a spoofed illegal code.

Hereinafter, a procedure for detecting a camouflaged illegal code will be described.
FIG. 8 is a flowchart for explaining the processing procedure of the intrusion detection system according to the present embodiment. First, the CPU 11 of the relay device 10 searches for a call command from the received data (step S21). As a result of the search, it is determined whether there is a call instruction (step S22). If there is a call instruction (S22: YES), the CPU 11 stores the address of the searched call instruction in the memory 12 (step S22). S23). If there is no call command in the received data (S22: NO), the processing by the intrusion detection system is terminated.

After storing the address of the retrieved call instruction, it is moved to the call destination address specified by the call instruction (step S24), and 1 byte of data is read (step S25).
Next, the CPU 11 determines whether or not the read data is a push instruction for storing an address in the stack (step S26). If it is determined that the instruction is a push instruction (S26: YES), the current address is stored (step S27), and the process returns to step S25.

If it is determined that the read data is not a push command (S26: NO), it is determined whether it is a pop command (step S28). When it is determined that the instruction is not a pop instruction (S28: NO), it is determined whether or not the call destination routine is completed (step S31).
If it is determined that the call destination routine has not ended (S31: NO), the process returns to step S25, and if it is determined that the call destination routine has ended (S31: YES), it is stored in step S23. The address is referenced and moved to the next address of the caller (step S32), and the call instruction is searched again.

  If it is determined that the data read in step S25 is a pop instruction (S28: YES), the CPU 11 refers to the address stored in step S27 to determine whether the push instruction is not a preceding pop instruction. Is determined (step S29). If it is determined that the push instruction is not a preceding pop instruction (S29: NO), the process proceeds to step S31.

  If it is determined that the data read in step S25 is a pop instruction not preceded by a push instruction (S29: YES), the CPU 11 generates information indicating that an illegal code has been detected (step S30).

  As in the first embodiment, the information indicating that the above-described fraudulent code has been detected may be displayed by providing a display unit such as a liquid crystal display on the relay device 10, and an alarm such as a buzzer or an LED lamp. You may make it alert | report by providing a part. Furthermore, the information may be transmitted to the information processing apparatus 20 and displayed on a display unit (not shown) included in the information processing apparatus 20. Further, the communication may be cut off in response to the generation of information indicating that the unauthorized code has been detected.

Embodiment 3 FIG.
In the above-described embodiment, the embodiment in which the present invention is applied to a relay device used for data communication such as a router, a switch, and a broadband router has been described. However, communication functions of a personal computer, a server device, a mobile phone, a PDA, and the like are provided. It is also possible to apply to the information processing apparatus that has it.

  FIG. 9 is a schematic diagram illustrating the configuration of the intrusion detection system according to the present embodiment. In the figure, reference numeral 50 denotes an information processing apparatus such as a personal computer, which is connected to the data communication network N via a relay apparatus 40 such as a router. The information processing device 50 receives data from various communication devices and other information processing devices through the data communication network N and the relay device 40, and transmits data to these communication devices and information processing devices. .

  The relay device 40 includes a CPU 41, a memory 42, and communication IFs 43 and 44. The memory 42 stores a routing table 42a in which communication path control information is stored, and identification information of a communication partner to be rejected. And a filtering table 42b (for example, an IP address or a port number) stored therein. Whether a communication path is set by the routing table 42a when data is transmitted from the information processing apparatus 50 to the outside, and when receiving data from the outside, is a communication partner whose reception should be refused by referring to the filtering table 42b. Is determined.

  The information processing device 50 includes a CPU 51, and is connected to various hardware such as a ROM 53, a RAM 54, a display unit 55, an input unit 56, a communication unit 57, an auxiliary storage device 58, and an internal storage device 59 via a bus 52. It is connected. The CPU 51 controls those hardware according to the control program stored in the ROM 53. The RAM 54 is configured by SRAM, flash memory, or the like, and stores data generated when the control program stored in the ROM 53 is executed.

  The display unit 55 is a display device such as a CRT or a liquid crystal display, and the input unit 56 is an input device such as a keyboard or a mouse. The display unit 55 and the input unit 56 are used, for example, when inputting and displaying data to be transmitted. The communication unit 57 includes a line terminating device such as a modem, and controls transmission / reception of various data via the relay device 40.

The auxiliary storage device 58 includes an FD drive, a CD-ROM drive, and the like that read the computer program and data from a recording medium 60 such as an FD or CD-ROM that records the computer program and data of the present invention. Data is stored in the internal storage device 59. Computer programs and data stored in the internal storage device 59 are read into the RAM 54 and executed by the CPU 51 to operate as the information processing device 50 according to the present embodiment.
Of course, the computer program of the present invention may be provided not only by the recording medium 60 but also through the data communication network N.

  The above-described computer program is preferably a resident program that is automatically read into the RAM 54 when the information processing apparatus 50 is started up. When the communication unit 57 receives data from the outside, it automatically generates an illegal code. Should be detected. The illegal code detection procedure is the same as that described in the first and second embodiments, and a description thereof will be omitted.

In the present embodiment, the information processing apparatus 50 such as a personal computer is used to detect data including an illegal code. However, in addition to a personal computer, a mobile phone, a PDA, a computer game machine, an in-vehicle communication device Of course, it can be applied to various information appliances.
Further, by providing the computer program of the present invention by recording it on a recording medium such as an FD or a CD-ROM, it is also possible to provide it as a package of application software for detecting a computer virus.

It is a typical block diagram explaining the intrusion detection system using the data processor of this invention. It is a conceptual diagram explaining the characteristic structure of a malicious code. It is a conceptual diagram explaining the characteristic structure of a malicious code. It is a flowchart explaining the process sequence of the intrusion detection system which concerns on this Embodiment. It is a conceptual diagram which shows an example of the branch table utilized in the case of intrusion detection. It is a conceptual diagram explaining the characteristic structure of the camouflaged malicious code. It is a conceptual diagram explaining the characteristic structure of the camouflaged malicious code. It is a flowchart explaining the process sequence of the intrusion detection system which concerns on this Embodiment. It is a schematic diagram explaining the structure of the intrusion detection system which concerns on this Embodiment.

Explanation of symbols

10 relay device 11 CPU
12 memory 12a routing table 12b filtering table 12c branching table 13 communication IF
14 Communication IF
DESCRIPTION OF SYMBOLS 20 Information processing apparatus 30 Information processing apparatus 50 Information processing apparatus N Data communication network

Claims (4)

In a data processing method for receiving input of data including a plurality of instruction codes and determining whether or not processing executed based on an instruction code included in the received data is illegal processing,
An instruction code related to a branch instruction is retrieved from the data, a branch source address associated with the retrieved instruction code, and a branch destination address associated with a branch destination of the instruction code are stored, and the branch When it is determined whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the destination address, and when it is determined that the instruction code is associated with the branch destination address, A data processing method comprising: storing a call destination address of the instruction code; and determining whether the stored call destination address is between the branch source address and the branch destination address. In a data processing apparatus comprising means for receiving input of data including a plurality of instruction codes, and determining whether or not processing executed based on an instruction code included in data received by the means is illegal processing,
Means for retrieving an instruction code related to a branch instruction from the data, means for storing a branch source address associated with the retrieved instruction code, and a branch destination address associated with the branch destination of the instruction code Means for determining whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address; and the instruction code is associated with the branch destination address. Means for storing the call destination address of the instruction code, means for determining whether the stored call destination address is between the branch source address and the branch destination address, and the call destination address. Is provided between the branch source address and the branch destination address, and means for outputting information indicating that the data is data for executing an illegal process. The data processing apparatus according to claim Rukoto. In a computer program having a step of causing a computer to determine whether or not processing executed based on data including a plurality of input instruction codes is illegal processing,
A step of causing a computer to retrieve an instruction code related to a branch instruction from the data; and a branch source address associated with the retrieved instruction code and a branch associated with the branch destination of the instruction code Storing a destination address; causing a computer to determine whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address; and When it is determined that the instruction code is associated with the branch destination address, the step of storing the call destination address of the instruction code, and the call destination address stored in the computer are the branch source address and the branch destination address. And having a step of determining whether or not it is in between Program. A computer-readable recording medium on which a computer program having a step for causing a computer to determine whether or not processing executed based on data including a plurality of input instruction codes is illegal processing is recorded In
A step of causing a computer to retrieve an instruction code related to a branch instruction from the data; and a branch source address associated with the retrieved instruction code and a branch associated with the branch destination of the instruction code Storing a destination address; causing a computer to determine whether or not an instruction code for calling an instruction code group for executing a predetermined process is associated with the branch destination address; and When it is determined that the instruction code is associated with the branch destination address, the step of storing the call destination address of the instruction code, and the call destination address stored in the computer are the branch source address and the branch destination address. And a computer program having a step of determining whether or not it is in between. Reading a recording medium capable of a computer, characterized in that it is.

Images