JP2014026580A - Bug determination device, and bug determination method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a bug determination device in which a cause of an exception processing occurring after release of a program is identified.SOLUTION: An information processing device stores identification information for identifying a program module having generated exception processing and an occurrence frequency of exception processing generated by the program module in association with each other. Then, the information processing device specifies, when exception processing occurs in the executed program, a program module to be executed by the program having generated the exception processing. Also, the information processing device determines whether or not an occurrence frequency of the exception processing stored in association with the identification information of the specified program module is equal to or smaller than a prescribed value.

Description

  The present invention relates to a bug determination device and a bug determination method.

  When a bug, which is a defect in the program, becomes apparent during program execution, the program may cause an unintended operation and terminate abnormally. A malicious user exploits this bug to cause the program to execute an arbitrary operation. Conventionally, such bugs in a program are automatically detected by a testing process, and found bugs are corrected before the program is released.

  For example, in the program testing process, a technique for finding bugs in advance by performing instruction coverage, branch coverage, condition coverage, etc. as a white box test is used. Also known is a technique for finding a bug as a black box by fuzzing for finding a bug by generating random input data and inputting it into a program.

Barton Miller, “Fuzz Testing of Application Reliability”, [searched July 3, 2012], Internet <URL: http://pages.cs.wisc.edu/~bart/fuzz/>

  However, the above technique has a problem that the cause of exception handling that occurs after the release of the program cannot be specified. Specifically, it cannot be determined whether the exception handling that occurred in the stage of actually using the program is a bug, a vulnerability, or an attack such as malware.

  For example, an attacker tries to infect malware by attacking the vulnerability of the target web browser. The attacker places the web content that attacks the vulnerability on the website prepared by the attacker, and guides the target user to the web browser by using a hyperlink or mail link of another site. On the other hand, even a general Web site may induce a bug in the Web browser due to an incorrect description of the Web content. In this way, it is not possible to determine whether or not a site attacks the vulnerability of a Web browser only by the occurrence of an exception.

  In particular, since the web browser performs various web content reading processes as input, various processing modules are installed. For this reason, even if various runtime exceptions occur in the Web browser, it is difficult to inspect in advance whether or not bugs of each module are mixed as a vulnerability in the case of an exception operation that returns to normal operation. . Because of this, many potentially vulnerable bugs were discovered after the program was released and then fixed by patches. Since bugs in Web browsers are exploited to infect malicious programs such as computer viruses, it is highly important to find bugs that lead to vulnerabilities at an early stage.

  The disclosed technology has been made in view of the above, and an object of the present invention is to provide a bug determination device and a bug determination method that can identify the cause of exception processing that has occurred after the release of a program.

  In one aspect, the bug determination apparatus and the bug determination method disclosed in the present application associate identification information for identifying a program module that has caused exception processing with the number of occurrences of exception processing that has been generated by the program module. The number of times to be stored, the identification unit that identifies the program module that is executed by the program that generated the exception processing when exception processing occurs in the executed program, and the identification of the program module that is identified by the identification unit A determination unit configured to determine whether or not the number of occurrences of the exception process stored in the number storage unit in association with information is equal to or less than a predetermined value;

  According to one aspect of the bug determination apparatus and bug determination method disclosed in the present application, there is an effect that it is possible to specify the cause of the exception processing that has occurred after the release of the program.

FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. FIG. 2 is a functional block diagram illustrating a functional configuration of the information processing apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the module read information DB. FIG. 4 is a diagram illustrating an example of information stored in the exception pattern DB. FIG. 5 is a diagram for explaining the relationship between the module name and the offset. FIG. 6 is a diagram illustrating an example of determining a malicious bug. FIG. 7 is a flowchart showing a flow of exception pattern collection processing according to the first embodiment. FIG. 8 is a flowchart showing a flow of exception identification cause identification processing according to the first embodiment. FIG. 9 is a diagram illustrating a computer that executes a bug determination program.

  Embodiments of the bug determination apparatus and bug determination method disclosed in the present application will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

[First Embodiment]
[overall structure]
FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. As shown in FIG. 1, this system is configured by connecting a Web server 1, a Web server 2, a Web server 3, and an information processing apparatus 10 so that they can communicate with each other. The number of servers and the like is merely an example, and is not limited to this.

  The Web server 1 and the Web server 2 are servers that provide a user with a Web site including Web content, and safety is guaranteed. The web server 3 is a server that provides a user with a website including web content, and safety is not guaranteed. Security is guaranteed to be certified by a third party, for example, as having high security, past virus detection count or fault count is below a predetermined value, or can be certified by any method .

  The information processing apparatus 10 is a Web client that accesses each Web server, such as a personal computer or a server. The information processing apparatus 10 stores the identification information for identifying the program module that caused the exception processing and the number of occurrences of the exception processing generated by the program module in association with each other. Then, when an exception process occurs in the executed program, the information processing apparatus 10 specifies a program module to be executed by the program that generated the exception process. Subsequently, the information processing apparatus 10 determines whether or not the number of occurrences of exception processing stored in association with the identification information of the specified program module is equal to or less than a predetermined value.

  That is, the information processing apparatus 10 determines that an exception process with the highest number of occurrences is a mere bug based on the occurrence on a general Web site. On the other hand, the information processing apparatus 10 detects an exception process with a lower occurrence count as a malicious bug on the basis that the occurrence count is low on a general Web site.

  As described above, the information processing apparatus 10 can determine that the bug has a high possibility of being abused when the number of occurrences of exception processing occurring in the accessed Web content is small. As a result, the cause of the exception information generated after the program is released can be identified.

[Configuration of information processing device]
Next, the configuration of the information processing apparatus will be described. Since each Web server has the same configuration as a general Web server, detailed description is omitted. FIG. 2 is a functional block diagram illustrating a functional configuration of the information processing apparatus according to the first embodiment.

  As illustrated in FIG. 2, the information processing apparatus 10 includes a communication unit 11, a storage unit 13, and a control unit 14. Note that the control unit and the like shown here are merely examples, and may include an input unit such as a mouse, a display unit such as a display, and the like.

  The communication unit 11 is a processing unit that performs communication with other devices. For example, the communication unit 11 establishes a connection with each Web server and controls communication using a Web browser or the like.

  The storage unit 13 is a storage device that holds a monitoring target program 13a, a program module 13b, a module read information DB (DataBase) 13c, an exception pattern DB 13d, and a malicious site DB 13e. For example, the storage unit 13 may be a storage device such as a semiconductor element or an HDD (Hard Disk Drive).

  The monitoring target program 13a is a program to be monitored for occurrence of exception processing. For example, in the first embodiment, the monitoring target program 13a is a program that executes a Web browser. Although a Web browser is illustrated here as an example of the content viewer, other viewers such as a system-dedicated viewer can also be used.

  The program module 13b is a program module executed by the monitoring target program 13a. For example, it is a processing module that is executed when a Web browser reads a Web site or Web content on the Web site.

  The module read information DB 13c stores information on the program module 13b loaded in the memory. The information stored here is updated by a module reading monitoring unit 17 or the like which will be described later. FIG. 3 is a diagram illustrating an example of information stored in the module read information DB. As illustrated in FIG. 3, the module read information DB 13c stores “module name, start address, end address” in association with each other.

  The “module name” stored here is the name of the module loaded into the memory, that is, the name of the executed program module. “Start address” is the start address to be loaded, that is, the start address of the memory to which the program module is loaded. The “end address” is the end address to be loaded, that is, the end address of the memory into which the program module is loaded. In the case of FIG. 3, the program module, which is the name of module A, is loaded from the address “100000” on the memory to the address “110000”.

  The exception pattern DB 13d stores information on program modules in which exception processing has occurred. The information stored here is updated by the exception monitoring unit 18 or the like described later. FIG. 4 is a diagram illustrating an example of information stored in the exception pattern DB. As illustrated in FIG. 4, the exception pattern DB 13 d stores “module name, offset, exception type, number of appearances” in association with each other.

  The “module name” stored here is the name of the program module that caused the exception processing. “Offset” is the distance (number of bytes) from the head address at which the program module is loaded to the address where the exception processing occurred. “Exception type” indicates the type of exception handling that has occurred. “Number of occurrences” is the number of times exception processing has occurred at the offset of the module name. In the case of FIG. 4, in module A, the exception process “exception A” occurs 1000 times at an address “1000” offset from the start address.

  The malicious site DB 13e stores the URL (Uniform Resource Locator) of the Web site where the malicious bug is generated. That is, the malicious site DB 13e is a black list of Web sites. Information stored in the malicious site DB 13e is updated by the bug detection unit 20 described later. Information that can uniquely identify a website, such as an IP (Internet Protocol) address and a host name, may be used instead of the URL of the website that caused the malicious bug.

  The control unit 14 includes a collection unit 15 and a bug detection unit 20, and is a processing unit that detects a potentially vulnerable bug. The control unit 14 is, for example, a processor, and each processing unit included in the control unit 14 is a processing unit executed by the processor.

  The collection unit 15 includes a Web access unit 16, a module reading monitoring unit 17, and an exception monitoring unit 18, which monitors the occurrence of exception processing and collects exception processing information. The web access unit 16 is a processing unit that executes the monitoring target program 13a stored in the storage unit 13 and accesses the web server using a web browser. The web access unit 16 loads the monitoring target program into the memory and executes it. The Web access unit 16 executes a necessary program module 13b according to the accessed Web site and Web content. The Web site accessed by the Web access unit 16 may be designated in advance by an administrator or the like, or may be executed at random, regardless of whether the security is not guaranteed.

  The module reading monitoring unit 17 is a processing unit that monitors the program module loaded by the Web access unit 16. Specifically, when the module reading monitoring unit 17 detects that the Web access unit 16 has loaded the program module into the memory, the module reading monitoring unit 17 detects the name of the loaded program module, the loaded start address, and the loaded end address. To do. Then, the module reading monitoring unit 17 stores the acquired program module name, the start address, and the end address in association with each other in the module reading information DB 13c.

  For example, when the module A is loaded from the address “100000” in the memory to “110000”, the module read monitoring unit 17 detects the module A, the start address “100000”, and the end address “110000”, Store in the module read information DB 13c. As described above, the module reading monitoring unit 17 monitors the event that the program module is loaded, and when the event occurs, the program module name (for example, kernel32.dll) and the program module are loaded. The start address and end address are acquired and stored in the module read information DB 13c.

  The exception monitoring unit 18 includes a specifying unit 18a and a counting unit 18b, and is a processing unit that monitors the occurrence of exception processing. The specifying unit 18a is a processing unit that specifies a program module and a memory address to be executed by the Web browser that has generated the exception processing when an exception processing has occurred in the Web browser executed by the Web access unit 16. Specifically, the specifying unit 18a obtains the name of the program module loaded at the address of the memory where the exception processing has occurred, the type of exception that has occurred, and the offset from the start address of the program module to the exception occurrence address. Stored in the exception pattern DB 13d. The program module name includes a DLL (Dynamic Load Library) name.

  Here, the reason why the offset from the head of the program module is used instead of the absolute address of the memory is that the load destination address of the program module may be different every time the program is executed. Therefore, when a bug that exists at a specific location in a certain program module develops, the exception occurrence address changes depending on the load address of the program module. On the other hand, when an exception occurs at a specific location of a program module, the program module name and its offset do not change even if the address at which the program module is loaded changes.

  FIG. 5 is a diagram for explaining the relationship between the module name and the offset. As shown in the left diagram of FIG. 5, when accessing the web site A where the web access unit 16 is located, the module A is loaded starting from the memory address “5000” and offset from the top address “1000”, that is, the address Exception processing occurred at "6000". On the other hand, as shown in the right diagram of FIG. 5, when accessing the web site B where the web access unit 16 is located, the module A is loaded starting from the memory address “15000” and offset from the top address “ 1000 ”, that is, exception handling occurred at address“ 16000 ”.

  As shown in FIG. 5, program modules may be loaded into memory at the beginning of program execution, or may be dynamically loaded into memory during program execution. In these cases, the head address to be loaded changes, but the offset does not change. Therefore, by specifying the offset, the occurrence position of the exception processing can be specified accurately.

  In order to identify the program module loaded at the address where the exception has occurred, the identifying unit 18a sets the address where the exception has occurred between the start address and the end address for each program module recorded in the module read information DB 13c. Search for included content and get program module name. At this time, the specifying unit 18a specifies the type of exception according to the exception processing that has occurred. Next, the specifying unit 18a obtains an offset from the program module by subtracting the exception occurrence address from the start address of the program module for the acquired program module name. By this procedure, when an exception occurs, the specifying unit 18a acquires an “exception pattern” including a combination of a program module name, an offset, and an exception type. Then, the specifying unit 18a stores these in the exception pattern DB 13d.

  Note that the program module name may not be acquired. For example, the program module is not loaded at the exception occurrence address. Depending on the type of bug, the instruction pointer may indicate an address at which no program module is loaded, causing an exception and abnormal termination. In this case, it is not possible to identify retrospective information immediately before the cause of the exception. In this case, the specifying unit 18a stores the module name as null (meaning empty) and the offset as the address where the exception occurred in the exception pattern DB 13d.

  The counting unit 18b is a processing unit that counts the number of occurrences of the exception pattern specified by the specifying unit 18a. For example, when an exception process occurs, the counting unit 18b acquires an exception pattern “module name, offset, exception type” from the specifying unit 18a. Then, when the acquired exception pattern is stored in the exception pattern DB 13d, the counting unit 18b increments the number of appearances corresponding to the exception pattern. On the other hand, when the acquired exception pattern is not stored in the exception pattern DB 13d, the counting unit 18b generates a record of the exception pattern and sets the appearance count to 1.

  The bug detection unit 20 includes a Web access unit 20a, a determination unit 20b, and a detection unit 20c. The bug detection unit 20 is a processing unit that identifies the cause of exception processing that has occurred on a Web site accessed after release.

  The web access unit 20a is a processing unit that executes web access by a user operation after the program is released. Specifically, the web access unit 20a executes the web browser program stored in the storage unit 13 when information storage in the exception pattern DB 13d is completed and a user operation indicating access to the web site is accepted. Then, the web access unit 20a accesses the URL specified by the user. The URL of the access destination may be specified not only by the user but also by an administrator or the like in advance.

  When an exception process occurs in the Web browser executed by the Web access unit 20a, the determination unit 20b specifies a program module that is executed by the program that generated the exception process, and is associated with the identification information of the specified program module. The processing unit determines whether or not the number of occurrences of exception processing stored in the exception pattern DB 13d is equal to or less than a predetermined value.

  For example, when an exception process occurs in the Web browser executed by the Web access unit 20a, the determination unit 20b specifies the module name, offset, and exception type that caused the exception. In addition, the method similar to the module reading monitoring part 17 etc. can be used for the method of specifying each content. Then, the determination unit 20b specifies the number of appearances corresponding to the combination of the specified module name, offset, and exception type from the exception pattern DB 13d. Thereafter, the determination unit 20b determines whether the specified number of appearances is, for example, 500 times or less.

  The detection unit 20c identifies the cause of exception processing that has occurred after the release of the program depending on whether the number of appearances is equal to or less than a predetermined value by the determination unit 20b. Specifically, when the number of appearances is greater than a predetermined value, the detection unit 20c determines that the bug is a simple bug, and when the number of appearances is equal to or less than the predetermined value, the detection unit 20c detects the bug as a malicious bug. When the detection unit 20c determines that the exception processing is a malicious bug, the detection unit 20c extracts the URL of the corresponding Web site and stores it in the malicious site DB 13e. That is, the detection unit 20c stores, as a black list, URLs of websites that have executed modules that have caused malicious bugs.

  Here, an example of detecting a malicious bug will be described. FIG. 6 is a diagram illustrating an example of determining a malicious bug. As shown in FIG. 6, the web access unit 20a accesses a suspicious website that is not secured and is unreliable after the program is released. Then, the determination unit 20b detects that the exception A has occurred at the offset “1000” when the module A is executed to read the Web content that is the Web site. In this case, the determination unit 20b determines that the “appearance count” corresponding to “module A, 1000, exception A” is “500”, which is greater than the predetermined number “300”. As a result, the detection unit 20c determines that “module A, 1000, exception A”, which is the exception content, is merely a bug, that is, a general bug and can be repaired by a patch.

  Furthermore, the determination unit 20b detects that an exception Y has occurred at the offset “1000” when the module Y is executed to read the Web content that is the Web site. In this case, the determination unit 20b determines that the “number of appearances” corresponding to “module Y, 1000, exception Y” is “1” and is equal to or less than the predetermined number “300”. As a result, the detection unit 20c determines that “module Y, 1000, exception Y”, which is the exception content, is a malicious bug.

  Furthermore, the determination unit 20b detects that an exception Z has occurred at the offset “2000” when the module Z is executed to read the Web content that is the Web site. In this case, the determination unit 20b does not have an “appearance count” corresponding to “module Z, 2000, exception Z” in the exception pattern DB 13d. As a result, the detection unit 20c determines that “module Z, 2000, exception Z”, which is the exception content, is a malicious bug.

  As described above, the higher rank of the total results stored in the exception pattern DB 13d is included in many general sites, and the lower rank of the total results is included only in a specific site. Using the exception information tabulation result, it is possible to determine that the one included in the higher rank of the tabulation result is a bug based on a simple description mistake that often occurs in many general sites.

  In other words, high-order bugs are likely to be exceptions that have not been created so that Web content etc. exploits vulnerabilities, and such exceptions may be considered during development so that they do not have vulnerabilities Is expensive. On the other hand, it is considered that the low-order bugs are likely to be vulnerable to Web contents, and such exceptions are difficult to consider at the development stage and are likely to be abused. Therefore, the bug detection unit 20 detects an exception that causes exception processing but has a small number of appearances as a malicious bug. Note that the threshold value for determining the upper or lower order of the aggregation result can be arbitrarily set.

[Flow of exception pattern collection processing]
FIG. 7 is a flowchart showing a flow of exception pattern collection processing according to the first embodiment. As shown in FIG. 7, the Web access unit 16 of the information processing apparatus 10 loads the monitoring target program 13a into the memory and activates the Web browser (S101).

  Then, the web access unit 16 accesses a predetermined website (S102). At this time, in order to read various Web contents on the Web site, the Web access unit 16 appropriately loads the program module 13b into the memory and executes the corresponding module. On the other hand, the module reading monitoring unit 17 monitors the event execution of the program module, acquires the top address, end address, and module name on the memory loaded with the program module, and stores them in the module reading information DB 13c.

  Thereafter, when exception processing occurs (S103: Yes), the specifying unit 18a of the exception monitoring unit 18 acquires address information where the exception processing has occurred (S104), and the module that caused the exception processing is loaded into the memory. It is determined whether or not there is (S105). In addition, when browsing of a Web site is completed without generating exception processing (S103: No), S113 is executed.

  If the specifying unit 18a determines that the module that caused the exception processing is loaded in the memory (S105: Yes), the module 18a acquires the module name, specifies the type of exception (S106), and calculates the offset. (S107). On the other hand, when determining that the module that caused the exception processing is not loaded in the memory (S105: No), the specifying unit 18a determines the module name to be null and specifies the type of exception (S108), and the offset. Is determined as the exception occurrence address which is the address where the exception occurred (S109). The type of exception can be specified from the contents of exception processing or the like, and may be specified in S104.

  Subsequently, the counting unit 18b of the exception monitoring unit 18 determines whether or not the combination of the acquired module name, offset, and exception type is stored in the exception pattern DB 13d (S110).

  When the counting unit 18b determines that the combination of the module name, the offset, and the type of exception is stored in the exception pattern DB 13d (S110: Yes), the counting unit 18b increments the corresponding number of appearances (S111). On the other hand, when the counting unit 18b determines that the combination of the module name, the offset, and the type of exception is not stored in the exception pattern DB 13d (S110: No), the counting unit 18b selects a corresponding record in which the number of appearances is set to 1. Generate (S112).

  Thereafter, when there are other target sites designated for exception pattern collection (S113: Yes), the Web access unit 16 repeats the processing from S102 onward. On the other hand, when there is no other target site designated for exception pattern collection (S113: No), the process is terminated.

[Flow of cause identification processing of exception processing]
FIG. 8 is a flowchart showing a flow of exception identification cause identification processing according to the first embodiment. As shown in FIG. 8, the Web access unit 20a of the information processing apparatus 10 loads the monitoring target program 13a into the memory and starts a Web browser (S201).

  Then, the Web access unit 20a accesses a predetermined Web site whose safety is not guaranteed (S202). At this time, in order to read various Web contents on the Web site, the Web access unit 20a appropriately loads the program module 13b into the memory and executes the module.

  Thereafter, when exception processing occurs (S203: Yes), the determination unit 20b acquires address information where the exception processing has occurred (S204), and determines whether the module that caused the exception processing is loaded in the memory. (S205). Note that if browsing of the Web site is terminated without exception processing (S203: No), the processing is terminated.

  If the determination unit 20b determines that the module that caused the exception processing is loaded in the memory (S205: Yes), the module 20b acquires the module name, specifies the type of exception (S206), and calculates the offset. (S207). On the other hand, if the determination unit 20b determines that the module that caused the exception processing is not loaded in the memory (S205: No), the module name is determined to be null and the type of exception is specified (S208), and the offset is determined. Is determined as the exception occurrence address which is the address where the exception occurred (S209).

  Subsequently, the determination unit 20b determines whether or not the combination of the acquired module name, offset, and exception type is stored in the exception pattern DB 13d (S210).

  If the determination unit 20b determines that the combination of the module name, the offset, and the type of exception is stored in the exception pattern DB 13d (S210: Yes), it determines whether the corresponding number of appearances is equal to or greater than a predetermined value. Determination is made (S211).

  Subsequently, when the detection unit 20c determines that the number of appearances corresponding to the exception process “combination of module name, offset, and exception type” is greater than or equal to a predetermined value (S211: Yes), the exception process is performed as a normal process. It is determined as a bug (S212).

  On the other hand, if the detection unit 20c determines that the number of appearances corresponding to the exception process “combination of module name, offset, and exception type” is less than a predetermined value (S211: No), the exception process is a malicious bug. (S213). Then, the detection unit 20c acquires the URL of the website being accessed that caused the exception processing (S214), and registers the acquired URL in the malicious site DB 13e (S215). Even when the determination unit 20b determines that the combination of the module name, the offset, and the type of exception is not stored in the exception pattern DB 13d (S210: No), S213 and subsequent steps are executed.

[effect]
As described above, in the first embodiment, a general Web site is accessed by a Web browser, and information when an exception occurs is collected. It means that the higher rank of the tabulation result is included in many general sites, and the lower rank of the tabulation result is included only in a specific site. Using the exception information tabulation result, it is possible to determine that the one included in the higher rank of the tabulation result is a bug based on a simple description mistake that often occurs at many general sites. Note that the threshold value for determining the upper or lower order of the aggregation result can be arbitrarily set.

  After the program is released, a Web browser is accessed to a suspicious Web site whose safety is not guaranteed, and information on the occurrence of an exception is collected. If the exception information generated at this time is not included in the total site exception information summary result or is not included in the top level even if it is included in the summary result, it is an exception that leads to an attack that exploits the vulnerability. It can be judged. As a result, it is possible to efficiently find bugs that lead to attacks such as malware infection on the Web browser.

  Also, it is not necessary to create a huge amount of test data and test it by inputting it to the Web browser. After the program is released, loading the contents of a general site will cause a bug due to an exception caused by content that actually exists. Can be found. In addition, if the exception that occurred on a suspicious website that cannot be relied on based on the result of the aggregation does not occur on the aforementioned general site, or if it occurs, the exception is a bug that leads to an attack. Can be judged efficiently.

  Therefore, when the Web site is accessed by a Web browser and the exception information generated at that time is compared with the exception occurrence information that has been aggregated in advance, and it can be determined that the vulnerability is exploited by an attack, the Web browser is reading The URL of the content can be found as a malicious site. This allows real-time detection at the moment of attack. Therefore, it is possible to cope with the batch interval earlier than the case where the batch processing is aggregated at intervals of several hours or days.

  Further, since URLs accessed by the Web browser when it is determined that the vulnerability is linked to an attack, malicious Web contents are distributed, so these URLs can be listed as a black list. This black list can be used for file tallying for protecting a Web client from a malicious site, alerting the operator of the Web site, or the like.

  In addition, since it can be said that the memory address where the exception occurred is in the vicinity of the program causing the bug, specifying this location can be used as information for quickly correcting the bug. For example, if the program module name is mshtml.dll and the offset is 1000 bytes, it can be inferred that the cause of the bug exists around 1000 bytes from the beginning of mshtml.dll.

[Second Embodiment]
The embodiments of the present invention have been described above, but the present invention may be implemented in various different forms other than the first embodiment described above. Therefore, different embodiments will be described below.

(Target program)
In the first embodiment, the Web browser has been described as an example of the monitoring target program, but the present invention is not limited to this. For example, various programs executed by the processor, such as a program for reading and processing a module, can be similarly processed.

(Exception pattern collection destination)
For example, in order to collect exception pattern information stored in the exception pattern DB 13d, it is also possible to access and collect a secure website. In this way, it is possible to collect normal bugs that occur on a website where safety is guaranteed. In addition, in order to collect exception pattern information stored in the exception pattern DB 13d, it is also possible to access and collect both websites that are secured and websites that are not secured.

  In addition, the information processing apparatus 10 accesses a website where safety is guaranteed and aggregates exception patterns. Similarly, the information processing apparatus 10 accesses websites where safety is not guaranteed and totals exception patterns. Match the counting results. Then, the information processing apparatus 10 determines that the exception pattern generated in a website whose safety is not guaranteed is higher than the result of counting using the website whose safety is guaranteed. Is detected as a mere bug. On the other hand, the information processing apparatus 10 is configured so that an exception pattern generated in a website whose safety is not guaranteed is positioned in a lower position in the result of aggregation using the website where safety is guaranteed, or safety Can be detected as a vicious bug if it is not included in the result of aggregation using a Web site that is guaranteed.

(Exception pattern items)
The exception pattern items described in the first embodiment are merely examples, and can be arbitrarily changed. For example, an absolute memory address may be used instead of an offset. Also, by excluding exception types from exception pattern items, exception patterns can be collected from a macro perspective. Also, by increasing the number of exception pattern items, exception patterns can be collected from a micro perspective.

  There are cases where the module name cannot be acquired when an exception occurs, that is, the exception occurrence location is not the address where the module is read, or the module name of the exception pattern is null. In these cases, depending on the type of bug, the instruction pointer may indicate an address at which the program module is not loaded, thereby causing an exception and abnormal termination. At this time, the indicated address may change every time, and even if it is a bug of the same cause, it may be different every time as an exception pattern, so that it appears statistically at a lower level. Therefore, exception patterns caused by such bugs having the same cause but having different exception occurrence addresses may be excluded from the aggregation on condition that the module name is null.

(Applicable system)
Use the method described in the first embodiment in a host-type intrusion detection system for protecting a host system from an attack, a honeypot that operates as a decoy host system, particularly a Web client honeypot that operates as a Web browser. Can detect attacks.

  On the host-type intrusion detection system equipped with the method described in the first embodiment, since the user actually accesses various websites using a web browser, exception information is stored in the host-type intrusion detection system. Accumulated. Similarly, in the Web client honeypot equipped with the method described in the first embodiment, exception information about the Web site to be inspected is accumulated. At this time, if an attack code targeting the Web browser is included in the Web browser, the attack information depends on whether or not the exception information is included in the exception information that has been collected so far. It can be judged that there is a high possibility.

  In particular, in attacks using unknown vulnerabilities such as zero-day attacks, it can be assumed that the exception information that has occurred is not included in the exception information that has been accumulated so far. If new exception information appears, it can be identified as a possible zero-day attack.

(System configuration etc.)
Each component of each illustrated device is functionally conceptual, and does not necessarily need to be the same as the physically illustrated component. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  In addition, among the processes described in the embodiment, all or a part of the processes described as being automatically performed can be manually performed. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(program)
It is also possible to create a bug determination program in which processing executed by the information processing apparatus according to the embodiment is described in a language that can be executed by a computer. In this case, when the computer executes the bug determination program, the same effect as in the above embodiment can be obtained. Further, the same processing as in the above embodiment may be realized by recording such a bug determination program on a computer-readable recording medium, and causing the computer to read and execute the bug detection program recorded on the recording medium. Good. An example of a computer that executes a bug determination program that realizes the same function as the information processing apparatus shown in FIG. 2 will be described below.

  FIG. 9 is a diagram illustrating a computer that executes a bug determination program. As illustrated in FIG. 9, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 9, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each DB described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.

  Further, the bug determination program is stored in, for example, the hard disk drive 1090 as a program module 1093 in which an instruction to be executed by the computer 1000 is described. Specifically, a Web access procedure for executing information processing similar to that of the Web access unit 16 described in the above embodiment, a module reading monitoring procedure for executing information processing similar to that of the module reading monitoring unit 17, and an exception monitoring unit The hard disk drive 1090 stores a program module 1093 in which an exception monitoring procedure for executing the same information processing as in FIG. 18 and a bug detection procedure for executing the same information processing as in the bug detection unit 20 are described.

  Also, data used for information processing by the bug detection program is stored as program data 1094 in, for example, the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the bug detection program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be issued. Alternatively, the program module 1093 and the program data 1094 related to the bug detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. May be read by the CPU 1020.

1, 2, 3 Web server 10 Information processing device 11 Communication unit 13 Storage unit 13a Monitored program 13b Program module 13c Module read information DB
13d Exception pattern DB
13e Malicious Site DB
DESCRIPTION OF SYMBOLS 14 Control part 15 Collection part 16 Web access part 17 Module reading monitoring part 18 Exception monitoring part 18a Identification part 18b Counting part 20 Bug detection part 20a Web access part 20b Determination part 20c Detection part 1000 Computer 1010 Memory 1011 ROM
1012 RAM
1020 CPU
1030 Hard disk drive interface 1040 Disk drive interface 1050 Serial port interface 1060 Video adapter 1070 Network interface 1080 Bus 1090 Hard disk drive 1091 OS
1092 Application Program 1093 Program Module 1094 Program Data 1100 Disk Drive 1110 Mouse 1120 Keyboard 1130 Display

In one aspect, the bug determination apparatus and the bug determination method disclosed in the present application associate identification information for identifying a program module that has caused exception processing with the number of occurrences of exception processing that has been generated by the program module. The number of times to be stored, the identification unit that identifies the program module that is executed by the program that generated the exception processing when exception processing occurs in the executed program, and the identification of the program module that is identified by the identification unit A determination unit that determines whether or not the number of occurrences of the exception process stored in the number storage unit in association with information is equal to or less than a predetermined value , and the number storage unit is secured for safety Identification information for identifying the program module that caused the exception processing when accessing the Web site, and the number of occurrences of the exception processing A program stored by the content viewer that is executed by the content viewer that has generated the exception processing when the exception processing has occurred in a Web site that is accessed by using the content viewer and is not guaranteed to be safe The module is identified, and the determination unit associates the Web when the number of occurrences of the exception process stored in the number storage unit in association with the identification information of the program module identified by the identification unit is equal to or less than a predetermined value. It is characterized by detecting a site as a malicious site .

Claims (5)

A number-of-times storage unit that stores identification information for identifying a program module that has caused exception processing and the number of occurrences of exception processing that has been generated by the program module in association with each other;
A specific unit that identifies a program module that is executed by the program that generated the exception handling when an exception handling occurs in the executed program;
A determination unit that determines whether or not the number of occurrences of the exception processing stored in the number storage unit in association with the identification information of the program module specified by the specification unit is equal to or less than a predetermined value. Bug determination device. The number-of-times storage unit stores identification information for identifying a program module that has caused an exception process when accessing a secure website and the number of occurrences of the exception process in association with each other.
The specifying unit specifies a program module to be executed by the content viewer that has generated the exception process when an exception process occurs in a website that is accessed using the content viewer and the security is not guaranteed.
The determination unit determines that the Web site is a malicious site when the number of occurrences of the exception process stored in the number-of-times storage unit in association with the identification information of the program module specified by the specifying unit is equal to or less than a predetermined value. The bug determination apparatus according to claim 1, wherein the bug determination apparatus detects the bug.   The bug determination apparatus according to claim 2, wherein the determination unit collects URLs of Web sites detected as the malicious sites and generates a blacklist from the collected URLs. The number-of-times storage unit further associates and stores an offset from a start address at which the program module is loaded to an address at which exception processing has occurred;
The specifying unit further specifies the offset of the program module that caused the exception processing when the exception processing occurs;
The determination unit determines whether the number of occurrences of the exception processing stored in the number-of-times storage unit is associated with a combination of the identification information of the program module specified by the specifying unit and the offset is equal to or less than a predetermined value. The bug determination device according to any one of claims 1 to 3, wherein A bug determination method executed by an information processing apparatus,
A specific step of identifying a program module to be executed by a program that has generated an exception process when an exception process occurs in the executed program;
The program module identified by the specific process with reference to the number storage unit that stores the identification information for identifying the program module that generated the exception process and the number of occurrences of the exception process generated by the program module in association with each other And a determination step of determining whether or not the number of occurrences of the exception processing associated with the identification information is a predetermined value or less.

Images