JP2009043133A - Information processor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processor assumed that secret data do not flow to the outside, not having restriction on operation of an application necessary for writing into a secondary storage device while preventing that the secret data are stored on a local machine in one terminal. <P>SOLUTION: This information processor has: a first means constructing first OS environment for forbidding the writing of data into the secondary storage device, and second OS environment for permitting the writing of the data into the secondary storage device; a second means changing a storage destination to a main storage device in time of storage operation of the data produced-edited in the first OS environment into the secondary storage device; and a third means dividing the data stored in the secondary storage device in time of a shutdown of the information processor when the data produced-edited in the second OS environment are stored into the secondary storage device, and transferring them to another information terminal or a server to make them be distributively stored. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information processing apparatus having an information leakage prevention function.

At present, personal computers (hereinafter referred to as PCs) used in companies generally take some measures to prevent information leakage. For example, as disclosed in Patent Document 1, when data is automatically encrypted when writing to a secondary storage device or a removable device, when a PC or a removable device is lost, Measures are taken to prevent information leakage.
Usually, the security of encrypted data is mathematically proven, and it is difficult for a third party to decrypt the encrypted data. However, this is based on the assumption that there is no user who is malicious and is a legitimate PC user, and even if it is actually encrypted, information leakage cannot be prevented. For example, there may be a case where a legitimate user of a PC who wants to take information outside tells a lie that the PC has been lost even though the PC has not been lost. In this case, since the user remains a legitimate user of the PC, the encrypted data can be decrypted, and the data in the PC can be taken out to the outside without being known.

  In such a case, a thin client system using a terminal that does not have a secondary storage device is known as an effective solution. According to this system, since data is not stored on the terminal, information is not leaked when the terminal is lost. Further, it is possible to prevent a situation in which a malicious user and a legitimate user of the PC intentionally saves data in the terminal and tries to take it outside.

  Further, in Patent Document 2, in a terminal having a secondary storage device, writing to the secondary storage device is redirected onto the main storage device, thereby restricting writing to the secondary storage device, and pseudo secondary It is possible to realize a terminal that does not have memory. Thereby, it is possible to prevent the data on the server from being stored in the terminal and flowing out to the outside.

JP 11-149414 A JP 2007-141180 A

However, in an information processing system using a terminal that does not have a secondary storage device, a high security environment can be realized, but the flexibility of the system is lost due to the limitation that data cannot be stored on the local machine. For example, in a company that develops software, it is necessary to change the system configuration in the short term or install a new development tool. Therefore, it is not desirable to make all terminals of this type.
In addition, since writing to the secondary storage device is restricted, there is a problem that operation may be hindered depending on the type of application.
Further, regarding the saving of application and user setting information and the like, there is also a problem that the setting is refreshed every time the terminal is restarted because writing to the secondary storage device cannot be performed.

  The present invention has been made in view of such circumstances, and is a system on the premise that confidential data does not leak to the outside, and the confidential data is stored on the local machine on one terminal. An object of the present invention is to provide an information processing apparatus capable of preventing the operation of the application that needs to be written to the secondary storage device without being restricted.

In order to achieve the above object, an information processing apparatus according to the present invention includes a first OS environment that prohibits writing of data to a secondary storage device, and a first OS that permits writing of data to the secondary storage device. And a second means for changing the storage destination to the main storage device when the data created and edited in the first OS environment is stored in the secondary storage device. When the data created / edited in the second OS environment is saved in the secondary storage device, the data saved in the secondary storage device is divided when the information processing device is shut down, And a third means for transferring and storing the information to an information terminal or server.
Further, the second means is characterized in that, instead of the main storage device, the storage destination is changed to a server dedicated to confidential data designated by the user.
In addition, the third means transfers the data to be distributed and stored as a distributed storage destination in another information processing apparatus in the same network, and the other information processing apparatus is activated for the distributed storage data. It is characterized by restoring on the condition.

  According to the present invention, on a system such as Patent Document 2, an application that has been restricted so far because it cannot be stored in a secondary storage device is restricted by operating it in the second OS environment. Can be used without. At this time, data stored in the secondary storage device is secretly distributed to other information processing devices or servers at the time of shutdown, so that information leakage can be prevented. Also, the confidential data created or edited in the first OS environment is stored in the main storage device with the storage destination changed, and disappears at the time of shutdown. Alternatively, since the storage destination is changed to the confidential server, the confidential data is not leaked from the secondary storage device to the outside.

Embodiments of the present invention will be described below.
(First embodiment)
FIG. 1 is a system configuration diagram showing a first embodiment of the present invention. FIG. 2 is a diagram illustrating an internal configuration of an information processing terminal (information processing apparatus) used by a user. 3 to 6 are flowcharts relating to the operation.
The system according to this embodiment includes an arbitrary number of information processing terminals 100, a general server 101, and a confidential server 102, which are connected via a local area network 103 (hereinafter referred to as a LAN).
In this system, it is assumed that a Web server, a mail server, and the like exist in the LAN 103 and can communicate with an external network, but are omitted here.
In addition, the host OS and guest OS, which will be described later, are dynamically assigned IP addresses by a DHCP server, and the host OS and guest OS on the virtual machine are constructed in a bridge configuration, and different IP addresses are assigned. Yes. Accordingly, it is assumed that access control based on an access control list (ACL) can be performed for each machine.
Further, each of the information processing terminals 100 includes a secondary storage device including a main storage device and an HDD, but is not illustrated in FIG.

One information processing terminal 100 shown in the present embodiment uses a virtual machine, “an OS environment in which writing to the secondary storage device is prohibited using the disk access control function”, and “to the secondary storage device”. The OS environment that allows the storage of data, but the stored data is secretly distributed when the terminal is shut down and stored in another location in the network ", and a function that allows the user to selectively use two OS environments Prepare.
Further, in the system shown in FIG. 1, the “confidential server” that can be accessed only from “the OS environment in which writing to the secondary storage device is prohibited”, and “allowed to save to the secondary storage device but stored data Includes a “general server” in the network that can be accessed only from an “OS environment that secretly distributes and saves to another location in the network” when the terminal is shut down.
Note that a virtual machine in this system is an environment that emulates specific hardware or a virtual machine environment that is realized by it, and normally operates on some OS. Further, on the virtual machine, it is possible to operate an OS or a program different from the OS. Hereinafter, in the present invention, the OS operating on the physical machine and permitted to be stored in the secondary storage device is referred to as the host OS, and the OS operating on the virtual machine and prohibited from being stored in the secondary storage device. This is called a guest OS.

  This system has a function for prohibiting data transfer between the host OS and the guest OS. For example, data copy and paste using a clipboard provided by a virtual machine, file transfer using RPC, or the like can be considered. In this system, all these transfers are prohibited.

  In this system, the guest OS has a function of controlling writing to a virtual secondary storage device (hereinafter referred to as a virtual HDD) on a virtual machine, and prohibits writing to the virtual HDD. Actually, the I / O to the storage device of the guest OS is monitored, and writing to the virtual HDD is redirected to the main storage device managed by the virtual machine (hereinafter referred to as a virtual main storage device), thereby The data is prohibited from remaining in the virtual machine and the information processing terminal after the shutdown.

In this system, the host OS and the guest OS have a function of controlling access to an external storage device (for example, a USB memory) that can be recognized by the OS.
With these functions, it is possible to prevent data created and edited by the user on the guest OS from being stored in a place other than the confidential server, transmitted as an email attachment, or transmitted to the outside by FTP. .

In this system, data created by any application on the host OS can be stored in the secondary storage device in the same way as a normal information terminal. Here, in the present system, when data is saved on the host OS, the file I / O is monitored, and where and what data is saved, and when the host OS is shut down, A function of forcibly sharing the monitored / stored data and saving it to another terminal or a general server.
With this function, the user can store data in the secondary storage device in the same way as a normal information terminal, and after the terminal shuts down, can realize the same state as when no data is stored locally. .
The secret sharing technique is a technique for distributing one data to two or more data. Hereinafter, distributed data is described as share. A distributed file is described as a shared file. The original information cannot be inferred from individual shares, so data can be stored safely. Further, by arranging the number of shares equal to or greater than a predetermined threshold, it is possible to restore the original data.
Since this secret sharing technique is publicly known in the following documents, a detailed description thereof is omitted here.
JP 2004-213650 A A. S hamir, "H owto Sharea S ecret", C omm. A ssoc. C omput. M ach., V o. 2 1, pp. 6 1 2-6 1 3 (N ov. 1 9 7 9) Ritsuko Nishikawa, "Overview of the Secret Sharing Method", Oki Technical Review No. 206, Vol. 73, no. 1, pp. 70-71 (January 2006)

In this system, when a plurality of information terminals having the same functions as described above are operating on the network, the secret-shared share on the host OS is stored in the secondary storage device in another terminal in the network. It is also possible to provide a function that can be saved.
According to this function, if the terminal to which the share is sent is not activated, the data cannot be restored on the host OS that sent the share, so that the monitoring effect between users is achieved and higher security is realized. It becomes possible to do.
If there is no other terminal activated at the time of saving the share, it is also possible to save the share to a general server other than the server dedicated to confidential data according to the user's instruction.

On the host OS, a function for prohibiting installation of applications other than predetermined applications is provided.
As a result, the user cannot take out data on the host OS using a malicious tool.
It is also possible to disable the creation of confidential data on the host OS by not installing a tool for creating data including confidential data, such as a form application or a document creation application.

In this system, a general server accessible only from the host OS exists in the network. This server cannot be accessed from the guest OS.
Thereby, it becomes possible to make it impossible for the user to save the data in the confidential server to the general server via the guest OS.

In this system, a plurality of information terminals having the above functions may exist in the network, but at this time, the confidential server cannot be accessed from the host OS of each terminal.
Conversely, the general server cannot be accessed from the guest OS of each terminal. Thereby, it is possible to prevent information in the confidential server from leaking outside via the host OS.

FIG. 2 is a diagram illustrating an internal configuration of the information terminal 100 used by the user.
In the information terminal 100, a host OS 200, a virtual machine 201, and a guest OS 202 are operating on the virtual machine 201.
On the host OS 200, an installation monitoring module 203, a write monitoring module 204, a network monitoring module A205, a write control module A206, a virtual machine management module 207, a secret sharing module 208, and a share management module 209 are installed.

  The installation monitoring module 203 is a module for preventing the user from installing software arbitrarily on the host OS 200. The module 203 also includes a function that prevents the OS settings from being freely changed. In practice, it is possible to use a method to prevent application installation by prohibiting registry changes, or an agent program that enumerates and checks installed software to detect unauthorized software and reports it to the administrator. .

  The write monitoring module 204 monitors file I / O to a secondary storage device by an application or service on the host OS 200, stores where data is stored, and stores the secondary data when the information terminal 100 is shut down. This module has a function of notifying the share management module 209 of data stored in the storage device. With this module 204, data does not exist on the host OS 200 after shutdown, so that information leakage can be prevented.

  The network monitoring module A 205 is a module that prohibits access when there is an access request from the host OS 200 to other than the general server 101. This module 205 can be realized by using ACL and prohibiting access to servers other than those registered in advance by the administrator.

  The writing control module A 206 is a module for prohibiting writing of data to an external medium such as a USB memory or a CD.

The virtual machine management module 207 is a module having a function that allows the user to selectively switch between the host OS 200 and the guest OS 202 and a function that synchronizes the activation and shutdown of the host OS 200 and the guest OS 202.
When OS switching is performed, the desktop screen of the switched OS is forcibly displayed in full screen size, and both OSs cannot be operated on the same desktop screen at the same time. In addition, when the user selects shutdown in either the host OS 200 or the guest OS 202, a shutdown signal is notified to an OS that is not the OS selected for shutdown by the user so that the terminal 100 can be shut down.

  The secret sharing module 208 is a module for secretly sharing data created on the host OS 200. This module can receive the secret sharing target file from the share management module 209 and then decrypt the original data using the secret sharing or the secret sharing share.

The share management module 209 is a module that manages files that are secret-shared. The share management module 209 receives a notification from the write monitoring module 204, and outputs a secret sharing / decryption request to the secret sharing module 208, a function for managing storage / reading of a plurality of created shares, It has a function to store information for performing.
It is possible to negotiate with a share management module on another information terminal 100 existing in the network, find a terminal capable of storing the share, and store the data. At this time, if there are candidates for a plurality of information terminals 100, the shares are transferred to the plurality of information terminals and stored. If there is no candidate, the share is stored in the general server 101.

  On the guest OS 202, a write prohibition module 210, a network monitoring module B211, a write control module B212, and a file transfer monitoring module 213 are installed. On the guest OS 202, a predetermined OA environment application such as a mailer, a document editing tool, an Internet browser, and the like is installed.

The write prohibition module 210 has a function of prohibiting writing to the virtual HDD managed by the guest OS 202. Actually, file I / O to the virtual HDD by an application or service running on the guest OS 202 is monitored, and writing to the virtual HDD is performed on the main storage device managed by the virtual machine 201 (hereinafter referred to as virtual main storage device). To the virtual machine 201 and the terminal 100 after the shutdown, while ensuring the operation of the guest OS 202.
With this function, the document and data created by the user on the guest OS 202 cannot be stored other than the confidential server. Therefore, since the data is stored in the confidential server 102, an effect of consolidating confidential data can be obtained.

  The network management module B211 is a module for controlling the guest OS 202 to access other than the confidential server. This module 202 can be realized by using ACL and prohibiting access to other than the confidential server registered in advance by the administrator.

  The write control module B 212 is a module for prohibiting data write to an external medium such as a USB memory or a CD.

The file transfer monitoring module 213 is a module that prohibits file transfer between the host OS 200 and the guest OS 202. For data transfer between the two OSs 200 and 202, data copy and paste using the clipboard provided by the virtual machine 201, file transfer using RPC, and the like can be considered. Data transfer by these functions is prohibited.
As a result, information leakage due to data transfer between the host OS 200 and the guest OS 202 can be prevented.

The general server 101 is a file server for storing a share created when the host OS 200 is shut down.
The general server 101 can be accessed only from the host OS 200 and cannot be accessed from the guest OS 202.
As a result, it becomes possible to prevent the user from saving the data in the confidential server 102 to the general server 101 via the guest OS 202.

The confidential server 102 is a file server for storing confidential files.
The confidential server 102 can be accessed only from the guest OS 202 and cannot be accessed from the host OS 200 of each information terminal 100 existing in the network.
Thereby, it is possible to prevent information in the confidential server 102 from leaking outside via the host OS 200.
Note that the plurality of information terminals existing in the network can access the confidential server 102 from each guest OS 202.

FIG. 3 is a startup flow of this system.
First, when the user turns on the information terminal 100 (s300), after the host OS 200 is activated (s301), the virtual machine 201 and the guest OS 202 are activated (s302).
On the host OS 200, the share management module 209 is activated (s303), and the share management module 209 determines whether there is a share (s304). If no share exists, an arbitrary module on the host OS 200 is activated (s308), and the host OS environment can be used.

When the share exists, the share management module 209 transmits a signal for confirming the activation of the terminal in which the share is stored to the target terminal (s305). If the terminal storing the share is activated, the share is downloaded from the terminal (s306). Thereafter, the share management module 209 requests the secret sharing module 208 to restore the data, and restores the original data (s307).
Thereafter, an arbitrary module on the host OS 200 is activated (s308), the host OS can be used (s309), and data in the same state as before the storage can be handled.
When another terminal holding the share is not activated (s305), the data restoration is canceled. After the cancellation, an arbitrary module on the host OS 200 is activated (s308), and the host OS environment can be used, but the original data cannot be used.

FIG. 4 is a processing flow after starting the host OS 200 in this system.
Note that the user can selectively use the host OS 200 and the guest OS 202. Here, in this system, when the host OS 200 is used by the virtual machine management module 207, the host OS screen can be operated by pressing “F7” of the Function Key, and the guest OS can be operated by pressing “F8” of the Function Key. When the OS is switched, the desktop screens of both OSs are displayed in full screen size, and it is impossible to operate both OSs simultaneously.

After the host OS 200 and the guest OS 202 are activated (s400), when “F7” is pressed by the user (s401), the desktop screen of the host OS 200 is displayed in the full screen mode (s402). Thereafter, the user can operate the host OS 20 until “F8” is pressed or shut down by the user (s403).
The user can perform operations such as editing using an application pre-installed on the host OS 200 in the same manner as a normal PC. At this time, when the user saves data in an arbitrary folder (s404), the write monitoring module 204 monitors file I / O to the secondary storage device and notifies the share management module 209 of the saved data ( s405). Thereafter, when OS shutdown is executed from the host OS 200 or the guest OS 202 (s406), the share management module 209 transmits a signal for confirming whether another terminal 100 on the network is activated (s407). .

  When the storable terminal 100 is confirmed, the share management module 209 on the host OS 200 notifies the secret sharing module 208 of the file to be secret shared. The secret sharing module 208 secret-shares the notified target file (s408), transfers it to the other storable terminal 100 (s409), and shuts down (s410).

When there is no other terminal 100 that can store the share, the user is allowed to select whether to shut down as it is or cancel the shutdown (s411). When the user selects to cancel the shutdown, the terminal returns to the usable state (s403) again.
When the shutdown is selected as it is, the data is deleted without performing secret sharing (s412), and the shutdown is performed (s410).
As a result, data does not remain on the secondary storage device of the information terminal 100.

FIG. 5 is a process flow after the guest OS 202 is activated.
After the host OS 200 and the guest OS 202 are activated (s500), the user can use the guest OS 202 by pressing “F8” (s501) (s502). Thereafter, the user can operate the guest OS 202 until “F7” is pressed or shut down by the user. Thereafter, the user can edit the data on the confidential server 102 on the information terminal 100 in the same manner as a normal PC using an application installed on the guest OS 202 (s503).
Here, when an operation for saving the data edited by the user in the virtual HDD is performed (s504), the writing control module 212 cancels the writing to the virtual HDD and caches it on the main storage device (s505). Thereafter, when the terminal 100 is shut down, the cached data is refreshed (s507).
With this function, the user is forced to save the edited data in the confidential server 102.
(Second Embodiment)

In the first embodiment described above, the storage and reading of the share data secret-distributed on the host OS 200 is performed on the other information terminals 100 in the network. This is because the secret-distributed data is stored in another information terminal 100 in the same network, so that the other information terminal 100 is activated is a necessary condition for data decryption of the own information terminal 100. In this way, it is intended to monitor the use of data with each other and increase the security.
On the other hand, if the terminal for transferring the share cannot be found at the stage of confirming the storage destination of the share data created on the host OS 200 (s407 in FIG. 4), the share is transferred / stored on the general server 101. Thus, it is possible to save data on the host OS 200 even when the other information terminal 100 is not activated.
In addition, share download is performed from the general server 101 in the same manner as storage, so that data on the host OS 200 can be restored even if another information terminal 100 is not activated.

1 is a system configuration diagram showing a first embodiment of an information processing system according to the present invention. It is an internal block diagram of the information terminal in FIG. It is a flowchart which shows the process at the time of starting in embodiment of FIG. It is a flowchart which shows the process after starting of host OS in embodiment of FIG. It is a flowchart which shows the process after starting of guest OS in embodiment of FIG.

Explanation of symbols

100 Information terminal 101 Confidential server 102 General server 103 LAN
200 Host OS
201 Virtual machine 202 Guest OS
203 Installation monitoring module 204 Write monitoring module 205 Network monitoring module A
206 Export control module A
207 Virtual machine management module 208 Secret sharing module 209 Share management module 210 Write prohibition module 211 Network monitoring module B
212 Write control module 213 File transfer monitoring module

Claims (3)

  A first means for constructing a first OS environment for prohibiting data writing to the secondary storage device and a second OS environment for permitting data writing to the secondary storage device; The second means for changing the storage destination to the main storage device when the data created and edited in the secondary OS environment is stored in the secondary storage device, and the data created and edited in the second OS environment are A third means for dividing the data stored in the secondary storage device when the information processing device is shut down, and transferring the data to other information terminals or servers for distributed storage when the information processing device is shut down An information processing apparatus comprising:   The information processing apparatus according to claim 1, wherein the second unit changes a storage destination to a server dedicated to confidential data instructed by a user instead of the main storage device.   The third means transfers the data to be distributed and stored to another information processing apparatus in the same network as the storage destination and stores the data, and the data that has been distributed and stored is activated on the other information processing apparatus. The information processing apparatus according to claim 1, wherein the information processing apparatus is restored as follows.

Images