JP2012048357A - Communication device with communication control function, method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve a problem that it has been difficult to specify all communication destinations to which each application may communicate in advance according to a method restricting communication of Web applications.SOLUTION: A communication device comprises: a communication unit accessing to a resource; a communication control policy acquisition unit acquiring a communication control policy associated with the resource from a server of an access destination when the communication unit accesses to the resource; and a communication control unit restricting the resource accessed by the communication unit based on the communication control policy.

Description

  The present invention relates to a communication device, method, and program for preventing leakage of user information due to a vulnerability of a Web application.

  In recent years, a plurality of services on the Internet and services that mash-up user information have been widely used. Mashup is to form a new service by combining multiple different information, services, and contents provided on the Web. These services are provided as Web applications, and users use those Web applications using a Web browser. Here, the Web application includes a server-side program that operates on the Web server and a client-side program that operates on the user's browser.

  Client-side programs are mainly implemented in HTML (Hypertext Markup Language) and JavaScript. The server-side program is implemented by Java (registered trademark), PHP (Hypertext Preprocessor), or the like.

  As an example of the mashup service, there is an application that maps restaurant information on a map around the user and presents the information to the user. This application mashups a service that provides restaurant information, a service that provides map information from coordinates, and a user's current location information.

  Such a mashup service transmits and receives various information between a client-side program (hereinafter referred to as a client-side application) and a server-side program (hereinafter referred to as a server-side application). In the above example, first, the client site application on the user's browser acquires restaurant information from the server-side application that provides restaurant information. At the same time, the user's current location information is acquired from the server-side application of the user's communication terminal (local server). Finally, the client application sends the acquired two pieces of information to a server-side application that provides map information, and acquires map information from the server-side application.

  At this time, the information executed between the application executed on the user's communication terminal and the service on the Internet may include important information that the user does not want to leak, especially personal information. . In the above example, the user's communication terminal may have personal information. In addition, a service on the Internet may have personal information.

  When such personal information is used in a mashup service, the personal information must be provided only to trusted applications. In the above example, the server-side application of the communication terminal, when requested by the client-side application, must pass personal information only when the client-side application is a reliable application.

  For this reason, a server-side application that receives a request for personal information generally authenticates a client-side application that requests personal information.

  As an example of a method for the server side application to authenticate the client side application, a method of confirming a Referer included in a request message received from the client side application by the server side application can be considered. Referer is the link source page when clicking a link on one Web page and moving to another page. Referer describes the server identifier of the client-side application download source. If this server identifier points to a trusted server, the server side supplement trusts this client side app. That is, when the distribution source server of the client side application can be trusted, the client side application is also trusted.

  As described above, the server-side application that manages personal information authenticates the client-side application, thereby preventing personal information managed by the server-side application from leaking to an unreliable application.

  However, if a malicious script intended by the attacker is embedded in a reliable client-side application, there is a risk that the attacker may take personal information. Such a situation can be caused by an attack on a server-side application such as a cross site scripting (XSS) attack. An XSS attack is when an attacker runs malicious scripts across vulnerable applications by mixing malicious scripts across sites. A specific example in which personal information is taken by an attacker will be described below.

  A certain server side application performs operation | movement of producing | generating a client side application dynamically according to the request | requirement from a user's communication terminal, and returning to a communication terminal. Specifically, when the server-side application receives some character string, such as a user name, from the user's communication terminal, the server-side application includes the user name in the client-side application and returns it to the user's communication terminal. Furthermore, this server side application is assumed to be trusted by the server side application on the local server in the user's communication terminal. That is, the client side application generated by the server side application is also trusted.

  Here, if this server-side application does not confirm that the character string received from the user is not an invalid character string, this server-side application becomes vulnerable to XSS attacks. This is because an attacker can exploit a server-side application that is vulnerable to this XSS attack and cause the user's communication terminal to load a client-side application containing a malicious script. The attack is carried out as follows. The attacker prepares a link on the site he has prepared.

  This link is a URL (Uniform Resource Locator) of a server-side application vulnerable to the above-mentioned XSS attack, and this URL also includes a malicious script as a parameter. When the user clicks on the above link, a malicious script is sent to the server-side application. As a result, the server-side application generates a client-side application including a malicious script received from the user and returns it to the user's communication terminal.

  At this time, the script included in the client-side application received by the communication terminal performs two operations. One is a script (script 1) for acquiring personal information from the server-side application of the communication terminal and a script (script 2) for transmitting the information to the attacker site.

  The script is executed simultaneously with being loaded into the browser on the communication terminal. First, according to script 1, the communication terminal requests personal information from the server-side application on the local server. Since the client side application is originally an application trusted by the server side application, the server side application on the local server returns personal information to the communication terminal. Next, the script 2 causes the communication terminal to transmit the personal information acquired by the script 1 to the attacker site. In this way, the attacker succeeds in taking the user's personal information.

  It is necessary to prevent the leakage of personal information caused by the vulnerability of the server-side application as described above. As a related technique for dealing with this problem, it is conceivable that the communication terminal performs communication control of the client side application. For example, there is a method in which the communication terminal grasps a list of correct communication destinations of the client-side application, and when the application tries to communicate with other than the list, the communication is stopped. As a result, even if a malicious client-side application includes a malicious script and the communication terminal tries to send personal information to the attacker site by this script, the communication can be stopped. This is because the communication terminal can determine that the communication is an unauthorized communication because the communication to the attacker site is not described in the communication destination list.

  There is Non-Patent Document 1 as a document in which the related technique is described. Non-Patent Document 1 states that an application manager in a communication terminal can limit communication of an application by referring to the attribute file of the Java application. Specifically, the attribute file contains a list of communication destinations of the Java application, and describes the technology by which the application manager can stop the communication if the application tries to communicate with a communication destination not listed in the list. ing.

  Further, as a related technique, Patent Document 1 below describes the following technique. That is, it is a technique for preventing an application operating on a portable terminal connected to another network via a local network from leaking confidential information from the local network. In this related technology, a communication terminal records communication history information indicating a history of a network connected in communication between an application and communication monitoring means for monitoring communication executed by the application. And a communication control means for determining whether or not the application can connect to the network according to the communication history information.

Further, as a related technique, Patent Document 2 below describes the following technique. That is,
A communication apparatus capable of reflecting a communication transfer policy based on a request of each communication apparatus on a communication control apparatus is provided.

JSR 118 Expert Group, Java Community Process "Mobile Information Device Profile for Java. 2 Micro Edition" (P431-P452) [online]. (Retrieved on 2010-03-16) Retrieved from the Internet: <URL: http: // www.nada.kth.se/projects/proj03/minime/other/midp-2_0-fr-spec.pdf>.

JP 2008-191862 A Japanese Patent Laid-Open No. 2005-217828

    However, it is difficult to apply the technique of Non-Patent Document 1 as communication control of a client-side Web application. This is because a client-side application often has links to an unspecified number of sites, and it is not practical to specify in advance all communication destinations with which a Web application can communicate as in Prior Art 1. . Examples of links to an unspecified number of sites include links to related sites and links through advertisements. The total number of these links is large, and preparing an attribute file designating all links for each application places a burden on the application developer.

  The reason for restricting communication to client-side apps is to protect information that users do not want to leak. Therefore, if the client-side application is before acquiring the above information, it is not necessary to place communication restrictions on the application. In other words, it is desirable not to place communication restrictions on client-side applications that do not have information that you do not want to be leaked, but to place communication restrictions when the above information is acquired. However, prior art 1 cannot realize such communication control.

  Further, in Patent Document 1, since it is necessary to store a policy for performing communication control in the communication history DB, there is a possibility of causing a problem of compressing resources of the communication device.

  In Patent Document 2, a policy is applied to a corresponding communication device when a certain communication device is activated or when a communication device activates a specific service, regardless of the type of resource to be accessed, etc. There is a risk of wasteful application of the policy.

  The present invention can be used for communication control of a client-side application, and provides a communication device that can prevent personal information from leaking without the above-described problems when the application acquires important information such as personal information. The purpose is that.

The communication device of the present invention includes a communication unit that accesses a resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy.

Further, the communication control method of the present invention includes a communication step of accessing a resource,
A communication control policy acquisition step of acquiring a communication control policy associated with the resource from an access destination server when the communication step accesses the resource;
A communication control step of limiting the resources accessed by the communication step based on the communication control policy.

The program of the present invention includes a communication step for accessing a resource,
A communication control policy acquisition step of acquiring a communication control policy associated with the resource from an access destination server when the communication step accesses the resource;
Causing the computer to execute a communication control step of limiting the resources accessed by the communication step based on the communication control policy.

The communication system of the present invention is a communication system including a server and a communication device for transmitting and receiving data,
The communication device includes a communication unit that accesses a resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy,
The server responds to a request from the communication device and a response generation unit that returns a communication control policy related to the resource and the resource to the communication device;
Have

  The present invention provides a communication device, method, and program capable of preventing leakage of important information such as personal information without preparing an attribute file that specifies all links for each application in advance. I can do it.

It is a block diagram which shows the communication apparatus in the 1st Embodiment of this invention. It is an example of the policy which the communication control part in the 1st Embodiment of this invention is linked | related with the tab of a request origin, and is memorize | stored. It is an example of the policy which the policy preservation | save part in the 1st Embodiment of this invention preserve | saves. It is an operation | movement sequence which shows the process in which the communication apparatus in the 1st Embodiment of this invention loads a client side application to a browser. It is an operation | movement sequence which shows the process in which the client side application in the 1st Embodiment of this invention accesses a resource. It is an operation | movement sequence which shows the process which the malicious script embedded in the client side application in the 1st Embodiment of this invention communicates with an attacker server. It is a state transition diagram in the first embodiment of the present invention. It is an example of the policy which the policy preservation | save part in the 2nd Embodiment of this invention preserve | saves. It is an example of the policy which the communication control part in the 2nd Embodiment of this invention is linked | related with the tab of a request origin, and is memorize | stored. It is an example of the policy which the communication control part in the 2nd Embodiment of this invention is linked | related with the tab of a request origin, and is memorize | stored. It is an operation | movement sequence which shows the process which operates a policy when the client side application in the 2nd Embodiment of this invention changes a page. It is a block diagram of the communication system in the 3rd Embodiment of this invention. It is an example of the policy which the communication control part in the 3rd Embodiment of this invention has linked | related and stored with the tab of a request origin. It is an example of the policy which the server in the 3rd Embodiment of this invention preserve | saves. It is an operation | movement sequence which shows the process in which the client side application on the communication apparatus in the 3rd Embodiment of this invention acquires a resource. It is an example of the response header in the 3rd Embodiment of this invention. It is an example of the response message body in the 3rd Embodiment of this invention. It is a block diagram of the communication apparatus in the 5th Embodiment of this invention.

(First embodiment)
Next, a first embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a configuration diagram of a communication apparatus according to the first embodiment of the present invention. The communication apparatus 1 has a browser 101, and the browser 101 includes a client side application 102, a communication unit 103, a communication control unit 104, and a policy storage unit 105.

  The communication device 1 corresponds to a communication terminal having means for communicating with a server such as a notebook PC, a mobile phone, or a PDA. The browser 101 executes a Web application downloaded from the server by the communication device and has a user interface. Examples include Firefox (registered trademark), Internet Explorer (registered trademark), Safari (registered trademark), and the like. The client side application 102 is an application described in a language such as HTML or JavaScript (registered trademark).

  The communication unit 103 is a means for communicating with resources. Here, the resource indicates a server, a server-side application, information managed by the server, and the like. The communication control unit 104 hooks a request transmitted by the browser. Further, the communication control policy stored in itself is checked, and if the request is not permitted, the communication is stopped.

  An example of this policy will be described with reference to FIG. Referring to FIG. 2, resources that are allowed to communicate in association with the tab A of the browser are stored in the communication control unit 104. This indicates that the request from the tab A is permitted to communicate with the server 3 and the server 4. This tab is used to distinguish each application when a plurality of applications are loaded in one window of the browser 101. “Server 3 and server 4” are resource identifiers, such as host names and URLs. For example, “server1, localhost ...” as the host name, and “http://server1.com, http: //localhost.local, http://server1.com/server1.cgi, http: // server1.com/server1.cgi?parama=123, http: //server1.com/* ".

  Further, each time the communication device accesses a resource, the policy related to the resource is extracted from the policy storage unit 105, linked to the tab of the browser, and stored in association with it. At this time, if there is a policy stored in the past, a policy obtained by merging the stored policy and the communication control policy related to the resource accessed last is stored as the latest policy.

  As an example of merging, a method of taking the common part of two policies can be considered. For example, the resources that are permitted to communicate according to the policy already stored in the communication control unit 104 are the server 3, the server 4, and the server 5, and further, communication is permitted according to the policy that the communication control unit 104 has extracted from the policy storage unit. Assume that the resources to be processed are the server 3 and the server 4. At this time, the resources permitted to communicate by the common part of the two policies are the server 3 and the server 4.

  Note that the communication control unit 104 does not have a policy stored in association with a tab newly created by the user. Therefore, communication control is not applied to a tab newly created by the user. The policy storage unit 105 stores policies stored in association with the above-described resources.

  This policy will be described with reference to FIG. Referring to FIG. 3, resources that are associated with the resources and are allowed to communicate are stored. Specifically, resources “server 3, server 4” associated with the resource “server 4” and permitted to communicate are stored. This policy means that when communication with the server 4 is performed, only the server 3 or the server 4 can be communicated thereafter.

Next, the overall operation of the present exemplary embodiment will be described in detail with reference to an operation sequence diagram.
The overall operation of this embodiment is as follows:
1) Processing for communication device to load client-side app into browser 2) Processing for client-side app to acquire resources 3) Processing for malicious script embedded in client-side app to communicate with attacker server
4) It consists of four tab state transitions on the browser.
Details of each process will be described below.

  First, “1) processing in which the communication device loads the client-side application into the browser” will be described with reference to FIG. Hereinafter, only the difference from FIG. 1 will be described in the configuration of FIG. The network 2 is a transmission path for data transmitted and received between the communication device 1 and the server 3, and is composed of network devices such as a wireless LAN, a base station, and a router. The server 3 is a server that distributes the client-side application 102 to the communication device that has received the request. The server side application 301 is a Web application arranged on the server 3 and is an application that generates the client side application 102 when receiving a request from a user.

  The user activates the browser 101 (a tab is newly created) and requests the client-side application 102 from the server 3 (step S101). The communication unit 103 transmits a request for acquiring the client-side application 102 to the communication control unit 104 (step S102). When the communication control unit 104 receives the request, the communication control unit 104 identifies the tab of the request source browser. Here, the tab of the request source is “tab A” (step S103).

  Furthermore, the communication control unit 104 confirms whether or not it stores a policy related to the tab A (step S104). At this time, if the policy is not stored, the request is transmitted to the server 3 via the network 2. If the policy is stored, the process branches, but the description will be given later.

  In the present embodiment, since the user has newly created a tab, there is no policy related to this tab A in step S104. Therefore, a request is transmitted to the server 3 (step S105). Upon receiving the request, the server 3 generates the client side application 102 using the server side application 301 and returns it to the communication device 1 via the network 2 (step S106).

  Upon receiving the response from the server 3, the communication control unit 104 loads the received client application 102 on the browser. At the same time, the communication control unit 104 requests the policy storage unit 105 for a policy related to the request transmission destination (the server 3 or the Web application 102 of the server 3) in step S105 (step S107).

  If there is a policy related to the server 3, the policy storage unit 105 returns it. If there is no policy related to the server 3, it is notified that there is no related policy. In this sequence, since there is no policy related to the server 3, it is notified that there is no policy (step S108).

  When the communication control unit 104 receives the policy, the communication control unit 104 stores the resource permitted for communication described in the policy in association with the request source tab specified in step S103. At this time, if there is already a policy to be associated with the request source tab, the common part between the policy and the policy received in step S108 is stored as a new policy in association with the request source tab.

  For example, the resources that are permitted to communicate by the policy already associated with the request source tab are the server 3, the server 4, and the server 5, and further, the resource that is permitted to communicate by the policy received in step S108 is the server 3 Consider the case of the server 4. At this time, the resources stored in association with the request source tab are the server 3 and the server 4. Also, if a notification without policy is received in step S108, nothing is done. In this sequence, a notification with no policy is received, so nothing is processed here (step S109).

  Further, the communication control unit 104 passes the client side application 102 to the communication unit 103 (step S110).

  Next, “2) processing in which the client-side application acquires resources” will be described with reference to FIG. Hereinafter, only the difference from FIG. 4 will be described in the configuration of FIG. The client side application 102 is a client side web application loaded from the server 3 in 1). The server 4 is a server that distributes personal information to the communication device that has received the request. The server-side application 401 is a Web application that generates personal information when receiving a request.

  The user requests personal information from the server 4 using the client side application 102 (step S201). The communication unit 103 transmits the received request to the communication control unit 104 (step S202).

  Upon receiving the request, the communication control unit 104 specifies the tab “tab A” of the browser that is the request source (step S203). Further, it is confirmed whether or not the policy relating to the tab is stored (step S204).

  In this sequence, since no policy is stored in step S109, the tab A is allowed to communicate without limitation at this point. Therefore, the communication control unit 104 transmits a request to the server 4 (step S205).

  When the server 4 receives the request, it generates personal information using the server-side application 401 and returns it to the communication device 1 (step S206). Upon receiving the personal information, the communication control unit 104 requests the policy storage unit 105 for a policy related to the communication destination resource (the server 4 or the personal information provided by the server 4) in step S205 (step S207).

  If there is a requested policy, the policy storage unit 105 returns the policy (step S208). In this sequence, as illustrated in FIG. 3, the policy storage unit 105 holds the server 3 as a policy related to the server 4 and a policy that allows access to the server 4.

  Upon receiving the policy, the communication control unit 104 stores the policy in association with the tab “tab A” of the request source browser identified in step S203 (step S209). The policy that the communication control unit 104 stores at this time is as shown in FIG. Referring to FIG. 2, resources “server 3, server 4” are stored in association with tab A. This policy means that the communication control is applied to the tab A at this point, and the permitted communication destinations are limited to the server 3 and the server 4.

  Further, the communication control unit 104 passes the personal information to the communication unit 103 (step S210). The communication unit 103 passes the personal information to the client side application 102 (step S211).

  Next, “3) processing in which a malicious script embedded in a client-side application communicates with an attacker server” will be described with reference to FIG. Hereinafter, only the difference from FIG. 4 will be described in the configuration of FIG. This assumes that the server-side application 301 in FIG. 4 that generates the client-side application 102 is vulnerable to an XSS attack, and as a result, a malicious script is embedded in the client-side application 102 in FIG. It is.

  Further, this script operates to send the personal information acquired in 2) to the attacker server 6. The attacker server 6 is a server prepared by an attacker to receive personal information from the client-side application 102.

  The client-side application 102 requests the attacker server 6 to transmit the personal information acquired in step S211 using a malicious script (step S301). The communication unit 103 transmits the received request to the communication control unit 104 (step S302).

  Upon receiving the request, the communication control unit 104 identifies the tab “tab A” of the browser that is the request source (step S303). Further, it is confirmed whether or not the policy relating to the tab is stored (step S304).

  In this sequence, the policy is stored in step S209. Further, it is confirmed whether the request received in step S302 is communication permitted by the stored policy (step S305). In this sequence, as shown in FIG. 2, the server 3 and the server 4 are stored in the tab A. For this reason, it is determined that communication with the attacker server 6 is not permitted, and the request is canceled (step S306).

  As described above, even when a malicious script is embedded in the client-side application 102, since the acquired personal information is stopped from being transmitted to the attacker server, it is possible to prevent the personal information from being leaked unintentionally.

  Next, “4) Tab state transition on the browser” will be described with reference to FIG. This state transition diagram is created based on the policy of FIG.

  First, when the user creates a new tab on the browser, the initial state is entered. There is no policy in the initial state. Here, it communicates with the server 3 from the initial state (acquires the client-side application 102). At this time, since there is no policy associated with the server 3, the initial state is maintained. That is, when the browser loads the client-side application 102, communication control is not applied to the request source tab.

  Next, consider the case of communicating (acquiring personal information) with the server 4 from the initial state. Here, since there is a policy related to the server 4, communication control is applied to the request source tab, and the state transitions to state 1. This state 1 is a state in which resources that the request source tab can communicate with are limited to the server 3 and the server 4.

  Also, consider the case of communicating with the server 5 from the initial state. At this time, since there is a policy related to the server 5, communication control is applied to the request source tab, and the state transitions to state 2. This state 2 is a state in which resources that the request source tab can communicate with are limited to the server 3, the server 4, and the server 5. Further, consider a case where the server 4 is accessed from the state 2 state. Here, since there is a policy related to the server 4, communication control is applied to the tab of the request source. At this time, the common part of the policy in the state 2 and the policy related to the server 4 becomes a new policy. At this time, the server 3 and the server 4 can communicate with the request source tab. That is, the state 1 is changed.

  In this way, communication control related to the resource is applied only after accessing the resource. Thereafter, each time a different resource is accessed, a policy related to that resource is added.

  As described above, in this embodiment, without preparing an attribute file in which all links are specified for each application in advance, information leakage is prevented when a client-side application acquires information that the user does not want to leak. It has the effect of being able to. This is because, when the information is accessed, communication control corresponding to the policy related to the information is applied to the request source tab.

  In the present embodiment, when the client-side application on a certain request source tab changes a page, the communication control unit 104 may delete the policy stored in association with the tab.

  Furthermore, in the present embodiment, the communication control unit 104 stores the policy related to the communicated resource in association with the request source tab, but associates this with the request source window or the URL of the client side application 102. You may remember.

  Furthermore, in the present embodiment, when the communication control unit 104 compares the communication destination and the policy stored by itself, it is assumed that the request to the communication destination is permitted when they completely match. If there is a partial match, the communication destination request may be permitted.

  Furthermore, in the present embodiment, the communication control unit 104 may store a predetermined policy as a policy stored in association with a tab newly created by the user. At this time, communication control is applied to the tab based on a predetermined policy.

  Furthermore, in the present embodiment, the browser 101 may have only a function of executing a client side application.

Furthermore, in the present embodiment, the communication control unit 104 and the policy storage unit 105 are built in the browser 101, but their configuration may be outside the browser 101.
(Second Embodiment)
Next, a second embodiment of the present invention will be described.
Here, only differences from the configuration and operation described in the first embodiment of the present invention will be described.

  The configuration diagram of the communication apparatus in the second embodiment for carrying out the present invention is the same as that of FIG. Here, when the communication control unit 104 accesses a resource described in the policy associated with the resource that matches the policy deletion condition, the communication control unit 104 discards the stored policy. Further, the policy storage unit 105 has a policy as shown in FIG. Referring to FIG. 8, a communication destination resource is stored as a condition for deleting a policy in association with the communicated resource.

Next, the operation of the second exemplary embodiment of the present invention will be described.
The overall operation of the present embodiment is as follows: 1) a process in which the communication device loads the client-side application into the browser 2) a process in which the client-side application acquires resources 3) a process in which the policy is operated when the client-side application makes a page transition Composed. The details of the above processing will be described below.

  1) Processing for loading a client-side application into a browser by the communication apparatus will be described with reference to FIG. Steps S108 to S109 are different from the processing of FIG. 4 in the first embodiment.

  When the policy is requested, the policy storage unit 105 returns a policy related to the server 3. An example of the policy at this time will be described with reference to FIG. Referring to FIG. 8, the policy associated with the server 3 does not describe a resource that is permitted to communicate. This means that communication is permitted without limitation.

Further, “server 7” is described as a condition for keeping the policy at the time of page transition. On the other hand, “*” is described as a condition for deleting a policy at the time of page transition.
The description of the former “server 7” is stored at the time of page transition, that is, when the resource of the communication destination is the server 7 when the client side application 102 changes to a different client side application 102, and is associated with the tab of the request source. It means to keep the policy.

  An example of transitioning between pages is when a user clicks on a link that is attached with an a tag on a client-side application. Also, as a situation where the policy is not deleted, for example, when a page from a client-side application before transition to a different client-side application is passed, information that is not leaked to the user acquired by the application before transition is passed to the page after transition Time can be considered. At this time, since the application after the transition has information that the user does not want to leak, it is desirable to apply the communication control of the application before the transition as it is in order to prevent the information leakage.

  On the other hand, the description of the latter “*” means a so-called wild card, that is, a special character that matches an arbitrary character string. Therefore, in this case, it means that the policy stored in association with the request source tab is deleted in all cases where the communication destination resource is other than “server 7”. This means that when the server 7 is subsequently accessed, the communication control unit 104 deletes the policy stored in association with the request source tab (step S108).

  As a situation where the policy is not deleted, for example, there is a case where a client side application moves (transitions) to a page of a different client side application. When the information acquired by the client-side application before transition is not passed to the client-side application after transition, the client-side application after transition does not have information that the user does not want to leak to the user. In such a case, the communication control applied to the client side application before the transition may be canceled.

  The communication control unit 104 stores the passed policy in association with the tab specified in step S103. The policy stored at this time is as shown in FIG. Referring to FIG. 9, the resource that is associated with tab A and that is allowed to communicate is blank, and thus communication is permitted without limitation. Further, the server 7 is described as a condition for deleting the policy, and the policy stored in the communication control unit 104 at the time of communicating with the server 7 is deleted.

  Next, 2) a process in which the client-side application acquires resources will be described with reference to FIG. Step S209 is different from the processing of FIG. 5 in the first embodiment.

  Upon receiving the policy, the communication control unit 104 stores the common part of the policy that has received the already stored policy as a new policy. The policy stored at this time is as shown in FIG. Here, the resources that are permitted to communicate are “server 3, server 4, and server 7”, and the communication destination resource that is a condition for deleting the policy is “server 7”.

  Next, 3) a process for manipulating a policy when the client-side application changes pages will be described with reference to FIG. Only the differences from FIG. 4 will be described in the configuration of FIG. The server 7 is a server that distributes a client-side application in response to a request from a communication device.

  The server side application 701 is a Web application linked by an a tag or the like on the client side application 102, and generates a client side application different from the client side application 102.

  The user clicks the a tag of the client side application 102, and transmits a request for page transition to the server 7 (step S401). Steps S402 to S404 in FIG. 11 are the same as steps S102 to S104 in FIG. The communication control unit 104 confirms whether the request is an access permitted by the stored policy (step S405). At this time, the stored policy is as shown in FIG. 10, and access to the server 7 is permitted, so the process proceeds to step S406.

  Furthermore, when this request is a request at the time of page transition, the communication control unit 104 confirms whether or not it matches a policy operating condition (step S406). At this time, the policy of FIG. 10 is referred again.

  At this time, since “communication with the server 7” matches the condition “server 7: Keep” for holding the stored policy, the stored policy is held (step S407). The subsequent steps S408 to S413 in FIG. 11 are the same processes as steps S105 to S110 in FIG.

  In the present embodiment, when a request for page transition is transmitted to a server different from the server 7 in step S401, the stored policy is deleted. This is because it matches the condition “*: Delete” for deleting the stored policy in step S407.

Thus, in the second embodiment of the present invention, when a certain client-side application transitions to a different client-side application, whether or not to continue to hold the communication control policy applied to the request source tab, It becomes possible to control according to the communication destination at the time of transition.
(Third embodiment)
Next, a third embodiment for carrying out the present invention will be described.
Here, only differences from the configuration and operation described in the first embodiment will be described.

  FIG. 12 is a configuration diagram of a communication system according to the third embodiment of the present invention. The communication system in the third embodiment includes a communication device 8, a server 9, and a network 2. The configuration of 801 to 803 in the communication device 8 is the same as the configuration of 101 to 103 in FIG. The communication device 8 includes a communication control unit 804.

  In addition to the communication control unit 104 in FIG. 1, the communication control unit 804 acquires a policy from the HTTP response received from the server 9, and stores the policy in association with the tab. An example of a policy stored in association with a tab will be described with reference to FIG.

  Referring to FIG. 13, the server 9 is stored as a resource that is associated with the tab A and is allowed to communicate.

  The server 9 includes a communication unit 901, a response generation unit 902, a personal information storage unit 903, and a policy storage unit 904. The communication unit 901 is a communication unit that transmits and receives data to and from the communication device 8.

  The personal information storage unit 903 is user information (personal information) managed by the server 9. The policy storage unit 904 is a communication control policy recorded in association with personal information. This policy will be described with reference to FIG.

  FIG. 14 shows a list of resources that are allowed to communicate in association with personal information stored in the personal information storage unit 903. Here, the server 9 is a resource to which access is permitted.

  Next, details of a process in which the communication device acquires personal information will be described for the operation of the third exemplary embodiment of the present invention.

  A process in which the client-side application 802 acquires personal information from the server 9 will be described with reference to FIG.

  Steps S501 to S505 in FIG. 15 are the same as steps S201 to S205 in FIG. Upon receiving the request, the communication unit 901 passes the request to the response generation unit 902 (step S506). The response generation unit 902 acquires and stores personal information to be stored in the personal information storage unit 903 (step S507).

Furthermore, the response generation unit 902 requests the policy storage unit 904 for a policy related to the personal information stored in the personal information storage unit 903 (step S508). If there is a related policy, the policy storage unit 904 returns the policy (step S509).
Referring to FIG. 14, at this time, the policy storage unit 904 returns “server 9” as a list of resources permitted to be accessed. The response generation unit 902 generates a response based on the personal information acquired in step S507 and stored in the personal information storage unit 903 and the policy acquired in step S509 (step S510). As a method for describing the policy in the response message, for example, there is a method for describing it in the HTTP response header.

  Specifically, this will be described with reference to FIG. Referring to FIG. 16, “Access-Permit” is added to the HTTP response header as an extension header describing the access permission list. Further, the contents described in the extension header describe “server 9”, which is a list of resources permitted to be accessed described in the policy acquired in step S509.

  This “server 9” is the URL of the server 9, and “http://server9.com” is described. As another method, for example, there is a method described in the body of the HTTP response. Specifically, this will be described with reference to FIG. Referring to FIG. 17, the access permission list is described at the top of the body of the HTTP response. In addition, the description at that time describes “server 9”, which is a list of resources permitted to access described in the policy acquired in step S509. This “server 9” is the URL of the server 9, and “http://server9.com” is described.

  Furthermore, the response generation unit 902 passes the response message to the communication unit 301 (step S511). The communication unit 901 returns a response message to the communication device 8 (step S512).

  When the policy is described in the response message, the communication control unit 804 extracts the policy from the message and stores the policy in association with the request source tab. At this time, if there is a policy that has already been stored, the common part between the policy that has already been stored and the policy extracted from the message is stored as a new policy in association with the tab “tab A” of the request source.

  In this operation sequence, since the communication control unit 804 does not store the policy, it stores the acquired policy as a new policy (step S513). Here, it is assumed that the communication control unit 804 knows a method for the server 9 to describe the policy in the response message in order to extract the policy from the response message.

  The policy stored in the communication control unit 804 at this time will be described with reference to FIG. As illustrated in FIG. 13, it can be seen that the communication control unit 804 stores “server 9” as a list of resources permitted to be accessed in association with the tab A. Further, the communication control unit 804 passes the response message after extracting the policy to the communication unit 803 (step S514).

  As described above, in this embodiment, the communication apparatus can realize communication control according to the resource to be accessed without storing the policy for each resource to be communicated.

  In the present embodiment, when the response generation unit 902 acquires the client side application (HTML) in step S507, the communication control policy may be originally described in the HTML, for example, in the header. At this time, the policy storage unit 904 is not required as a configuration of the server 9, and steps S508 and S509 are also unnecessary.

  In the present embodiment, the communication control policy originally determined by the response generation unit 902 in step S510 may be described in the HTTP response header.

  At this time, the policy storage unit 904 is not required as a configuration of the server 9, and steps S508 and S509 are also unnecessary.

In the present embodiment, a method is described in which a server distributes a policy associated with a resource, but a method in which a proxy server distributes a policy associated with a resource to a communication apparatus may be used. Specifically, when the proxy server receives a response from the server, it may be returned to the communication device including a policy related to the response.
(Fourth embodiment)
Next, a fourth embodiment for carrying out the present invention will be described.

  Here, only differences from the configuration and operation of the first embodiment of the present invention will be described.

  The configuration of the communication device in this embodiment will be described with reference to FIG. In addition to the function in the first embodiment of the present invention, the communication control unit 104 in FIG. 1 sends a warning message to the user via the browser when determining that the request for accessing the resource violates the policy. Display. Alternatively, a warning message is transmitted to the external resource. Here, although the management company of this communication apparatus corresponds as an external resource, it is not limited to this.

  The operation sequence will be described with reference to FIG. In step S305 in FIG. 6, the communication control unit 104 determines that the request from the client-side application 102 violates the policy, and cancels this request. At this time, the communication control unit 104 further displays a warning message on the browser 101. Alternatively, a message indicating that there is a policy violation in an external resource is transmitted. At this time, as an external resource, the server 3 serving as the distribution server of the client-side application 102, the management company of the communication device 1, and the like can be considered.

In this way, when communication that violates the policy occurs, it is possible to notify the user or the management company of this communication device.
(Fifth embodiment)
Next, a fifth embodiment for carrying out the present invention will be described.

  FIG. 18 is a configuration diagram of a communication apparatus according to the fifth embodiment of this invention.

  The communication device 1801 includes a communication unit 1802 that accesses a resource, and a communication control policy acquisition unit 1803 that acquires a communication control policy from an access destination server. Further, the communication device 1801 includes a communication control unit 1804 that restricts resources accessed by the communication unit based on the communication control policy. When the communication unit 1802 accesses a resource, the communication control policy acquisition unit 1803 acquires a communication control policy associated with the resource, and the communication control unit 1804 restricts resources accessed by the communication unit based on the communication control policy. .

  Thus, when the client-side application acquires information that the user does not want to leak, communication control is applied to the application. Therefore, it is possible to prevent leakage of important information such as personal information without preparing an attribute file in which all links are designated for each application in advance.

  In each of the embodiments described so far, the communication device and the server are assumed to be dedicated devices, but may be as follows. That is, for example, a personal computer device that performs various types of data processing is loaded with a board or card that performs processing corresponding to this example, and each processing is executed on the computer device side. In this way, a configuration may be adopted in which software for executing the processing is installed in a personal computer device and executed.

  The program installed in the data processing device such as the personal computer device may be distributed via various recording (storage) media such as an optical disk and a memory card, or distributed via communication means such as the Internet. Also good.

Some or all of the embodiments described above can be described as in the following supplementary notes, but are not limited thereto.
(Appendix 1)
A communication unit that accesses the resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy;
A communication apparatus comprising:
(Appendix 2)
The communication apparatus further includes a policy storage unit that stores the communication control policy, and the communication control unit acquires the communication control policy from the communication control policy storage unit.
The communication device according to supplementary note 1, characterized by the above.
(Appendix 3)
The communication control unit merges the communication control policy acquired when the communication unit communicated in the past with the communication control policy acquired this time, and uses the merged communication control policy to access the communication unit The communication apparatus according to appendix 2, characterized in that:
(Appendix 4)
The merge is a common part between the communication control policy acquired when the communication unit communicated in the past and the communication control policy acquired this time.
The communication apparatus according to appendix 3, wherein:
(Appendix 5)
5. The communication apparatus according to any one of appendices 1 to 4, wherein the acquired communication control policy is discarded or held according to the acquired communication control policy.
(Appendix 6)
The communication according to any one of appendices 1 to 5, wherein a warning message is displayed or transmitted to a user or an external server when it is determined that the communication of the communication unit is a communication control policy violation. apparatus.
(Appendix 7)
A communication process for accessing the resource;
A communication control policy acquisition step of acquiring a communication control policy associated with the resource from an access destination server when the communication step accesses the resource;
A communication control step for limiting the resources accessed by the communication step based on the communication control policy;
A communication control method characterized by comprising:
(Appendix 8)
The communication control method further includes a policy storage step for storing the communication control policy, and acquires the communication control policy from the policy storage step.
The communication control method according to appendix 7, which is characterized by the above.
(Appendix 9)
The communication control process merges the communication control policy acquired when the communication process communicated in the past with the communication control policy acquired this time, and uses the merged communication control policy to determine the resources to be accessed by the communication process. The communication control method according to appendix 8, wherein the communication control method is limited.
(Appendix 10)
The merge is a common part between the communication control policy acquired when the communication process communicated in the past and the communication control policy acquired this time.
The communication control method according to appendix 9, wherein
(Appendix 11)
Discard or hold the acquired communication control policy according to the communication control policy;
The communication control method according to any one of appendices 7 to 10, wherein the communication control method is described above.
(Appendix 12)
The communication according to any one of appendices 7 to 11, wherein a warning message is displayed or transmitted to a user or an external server when it is determined that the communication in the communication step is a communication control policy violation. Control method.
(Appendix 13)
A communication step for accessing the resource;
A communication control policy acquisition step of acquiring a communication control policy associated with the resource from an access destination server when the communication step accesses the resource;
A communication control step for limiting the resources accessed by the communication step based on the communication control policy;
A program that causes a computer to execute.
(Appendix 14)
The communication control step merges the communication control policy acquired when the communication step communicated in the past with the communication control policy acquired this time, and uses the merged communication control policy to determine the resource to be accessed by the communication step. The program according to appendix 13, which is limited.
(Appendix 15)
The merge is a common part between the communication control policy acquired when the communication step communicated in the past and the communication control policy acquired this time.
The program according to supplementary note 14, characterized in that:
(Appendix 16)
A communication system comprising a server and a communication device for transmitting and receiving data,
The communication device includes a communication unit that accesses a resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy,
The server responds to a request from the communication device and a response generation unit that returns a communication control policy related to the resource and the resource to the communication device;
A communication system comprising:

DESCRIPTION OF SYMBOLS 1 Communication apparatus 101 Browser 102 Client side application 103 Communication part 104 Communication control part 105 Policy preservation | save part 2 Network 3 Server 301 Server side application 4 Server 401 Server side application 5 Server 6 Attacker server 7 Server 701 Server side application 8 Communication apparatus 801 Browser 802 Web application 803 Communication unit 804 Communication control unit 9 Server 901 Communication unit 902 Response generation unit 903 Personal information storage unit 904 Policy storage unit

Claims (10)

A communication unit that accesses the resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy;
A communication apparatus comprising: The communication apparatus further includes a policy storage unit that stores the communication control policy, and the communication control unit acquires the communication control policy from the communication control policy storage unit.
The communication apparatus according to claim 1. The communication control unit merges the communication control policy acquired when the communication unit communicated in the past with the communication control policy acquired this time, and uses the merged communication control policy to access the communication unit The communication device according to claim 2, wherein the communication device is limited. The merge is a common part between the communication control policy acquired when the communication unit communicated in the past and the communication control policy acquired this time.
The communication apparatus according to claim 3, wherein:   The communication apparatus according to any one of claims 1 to 4, wherein the acquired communication control policy is discarded or held in accordance with the acquired communication control policy.   The warning message is displayed or transmitted to a user or an external server when it is determined that communication of the communication unit is a communication control policy violation, according to any one of claims 1 to 5, Communication device. A communication process for accessing the resource;
A communication control policy acquisition step of acquiring a communication control policy associated with the resource from an access destination server when the communication step accesses the resource;
A communication control step for limiting the resources accessed by the communication step based on the communication control policy;
A communication control method characterized by comprising: The communication control method further includes a policy storage step for storing the communication control policy, and acquires the communication control policy from the policy storage step.
The communication control method according to claim 7. The communication control process merges the communication control policy acquired when the communication process communicated in the past with the communication control policy acquired this time, and uses the merged communication control policy to determine the resources to be accessed by the communication process. The communication control method according to claim 8, wherein the communication control method is limited. A communication system comprising a server and a communication device for transmitting and receiving data,
The communication device includes a communication unit that accesses a resource;
A communication control policy acquisition unit that acquires a communication control policy associated with the resource from an access destination server when the communication unit accesses the resource;
A communication control unit that limits the resource accessed by the communication unit based on the communication control policy,
The server responds to a request from the communication device and a response generation unit that returns a communication control policy related to the resource and the resource to the communication device;
A communication system comprising:

Images