JP2014112304A - Information processor, and method of installing file - Google Patents

Abstract

PROBLEM TO BE SOLVED: To maintain high security by preventing a management file which is stored in a hard disk and monitors malware from being seen by the malware.SOLUTION: A terminal 1 has a HD 11, a MBR 110 and a management file. The HD 11 is divided into at least one or more partitions successively from a head sector, and has the management file stored in a rear region behind a finish sector of the last partition. The MBR 110 stores a partition table PT111 in which information on a head sector and a finish sector of each partition is written, and an exclusive loader for reading the management file into a RAM 12 first at the time of startup of the terminal 1. The management file includes a processing program which, when an order for readout of all LBA stored in a memory chip 11A is generated after the startup of the terminal 1, rewrites the information read out in accordance with the order into information of the finish sector of the last partition.

Description

  The present invention relates to a technique for executing various types of information processing by a CPU.

  In recent years, various viruses and the like have entered or hidden in servers, terminals (personal computers), mobile terminals and other information processing apparatuses connected to networks such as the Internet, thereby eavesdropping, stealing and falsifying data. Damages such as leaks and attacks have occurred. In order to prevent such virus damage as much as possible, measures such as improving or developing software to detect or remove viruses and setting line restrictions (address restrictions) are taken. It has been. However, considering the time delay from the discovery of a new virus species to the development of removal software, it is difficult to reliably prevent the virus from entering.

  Patent Document 1 describes a method for executing a startup program. More specifically, in response to an initial read request from the personal computer to the hard disk, a temporary startup sector storing an arbitrary program such as security is read prior to the startup sector of the storage medium storing the startup program, and the arbitrary program is executed. It has an activation preprocessing step. Then, after execution of an arbitrary program such as security, the original boot program is executed to start the OS. As a result, it is possible to execute an arbitrary program such as security prior to OS startup without changing the BOIS of the personal computer or the startup sector (LBA0) of the storage medium.

  Patent Document 2 describes a computer device in which an operating system privilege mode is set in an operating system, a user privilege mode is set in a user application, and anti-virus measures are taken using the virtual machine and the privilege mode. The computer device further includes a virtual machine monitor (VMM) in which the virtual machine monitor privilege mode is set and a protection agent (VM) in which the protection agent privilege mode is set. The strength of access right is set in the order of privilege mode, protection agent privilege mode, operating system privilege mode, and user privilege mode. Therefore, even if the malware created by the Service-to-Self and sent to the operating system accesses a protection agent whose privilege mode is higher, it does not accept such access and prevents the contents of the protection agent from being altered. ing. When the malware detects a change in resources in the operating system (SSDT, GDT, IDT, etc.) or a change in the protection agent resource, the system is shut down and rebooted to reset the change. .

JP 2006-236193 A Special table 2010-517164 WO 2011/141997 A1 WO 2011/145199 A1

  In Patent Document 1, even when the arbitrary program in the temporary startup sector in the hard disk is a virus check program, an illegal program having, for example, the form of Rootkit is started before the program is executed. Since it is possible to conceal itself (malware), there is a certain limit to the reliability against virus checking. Further, Patent Document 1 does not describe any specific method for monitoring a virus before starting the OS.

  Patent Document 2 uses a virtual machine monitor and a protection agent that sequentially set different privilege levels to prevent unauthorized access of malware entering from an operating system. However, Patent Document 2 only describes access prevention using a difference between a virtual machine and a privilege level, and does not describe anything about a memory map of a computer device memory, and can detect modification of contents. It is not disclosed to the mechanism to do. Further, there is no description about the installation method of the virtual machine monitor and the protection agent, and it is unclear whether the security of these itself is ensured. Furthermore, even if the internal resource can be shut down and rebooted, it does not completely improve the deficiencies. Patent Documents 3 and 4 describe a technique capable of booting an information processing apparatus having a CPU in a secure state, but relates to a boot technique using an external device.

  An object of the present invention is to provide an information processing technique capable of maintaining high security by making a management file stored in a hard disk, which monitors malware, hidden from the malware.

  An information processing apparatus according to the present invention includes a hard disk in which MBR is stored in a head sector and at least an OS is stored on the rear side thereof, a memory member that is associated with the hard disk and stores at least total capacity information of the hard disk, In an information processing apparatus including a CPU and a main memory from which the stored contents of the hard disk are read out after the activation of the MBR by the CPU, the hard disk is sequentially divided into at least one or more partitions after the first sector. The management file is stored in the rear area of the end sector of the partition, and the MBR stores the partition table in which information about the first sector and the end sector of each partition is written, and the management file when the information processing apparatus is started up. First, the main menu The management file corresponds to the command when a read command for the total capacity information stored in the memory member is generated after the information processing apparatus is started. And a processing program for rewriting the information read out to the information of the end sector of the final partition.

  According to the present invention, the end sector of the last partition of the hard disk is shifted to the head side, so that an empty area is formed on the rear side, and the management file is installed in this empty area. In addition, since the end sector of the final partition of the partition table is set excluding the empty area, even if the malware can refer to the partition table, the empty area cannot be detected. On the other hand, since the total capacity information of the hard disk is stored in the memory member, when malware refers to this memory member, it will know the existence of a free area, and as a result, the management file will be destroyed, removed, etc. There is a risk. Therefore, when a processing program is provided in the management file, and a read command for the total capacity information of the memory member (or information including the total capacity information of the memory member) is generated from the OS and AP in addition to the malware, Information read in response to the command is rewritten to information of the end sector of the final partition excluding the free space. As a result, the total capacity information of the hard disk cannot be obtained from the memory member, whether it is regular or malicious, that is, access to the free area is prevented, and the management file is not destroyed, deleted, altered, or the like. .

  A second aspect of the present invention is the information processing apparatus according to the first aspect, wherein the management file is set to a privilege level higher than the OS on the main memory. According to this configuration, an illegal access to the management file is hooked as an exception and invalidated after being expanded on the main memory using the difference in privilege level.

  According to a third aspect of the present invention, in the information processing apparatus according to the first or second aspect, the dedicated loader is obtained by rewriting a bootstrap loader previously stored in the MBR. . According to this configuration, when the BIOS is activated and then the MBR dedicated loader is activated, the management file is first read into the main memory, and the control of the CPU is transferred to the management file.

  According to a fourth aspect of the present invention, in the information processing apparatus according to the third aspect, the bootstrap loader previously stored in the MBR is a region behind the end sector of the final partition before the dedicated loader is written. It is characterized by being evacuated. According to this configuration, it is possible to start the information processing apparatus without a management file by returning the saved bootstrap loader to the MBR.

  According to a fifth aspect of the present invention, in the information processing apparatus according to any one of the first to fourth aspects, the end sector of the last partition is narrowed from the original sector to the head side when storing the management file. It is characterized by being. According to this configuration, the end sector of the final partition is narrowed from the sector on the rear side of the hard disk.

  A sixth aspect of the present invention is the information processing apparatus according to any one of the first to fifth aspects, wherein the management file storage area is the entire area behind the end sector of the final partition. And According to this configuration, the information of the first sector position is sufficient for specifying the management file storage area.

  According to a seventh aspect of the present invention, in the information processing apparatus according to any one of the first to sixth aspects, the management file is obtained by subtracting the entire area on the rear side of the end sector of the final partition from the total capacity information. The end sector of the final partition is calculated. According to this configuration, the management file executes a subtraction operation to form a free area.

  The invention according to claim 8 is the information processing apparatus according to any one of claims 1 to 7, wherein the management file receives an instruction to read the total capacity information stored in the memory member. By executing this, the information is rewritten. According to this configuration, the total capacity information read command is hooked to shift to the interrupt process, and the total capacity information is rewritten by this interrupt process.

  According to a ninth aspect of the present invention, in the information processing apparatus according to the eighth aspect, the interrupt is performed by receiving an access by the CPU to a data register corresponding to the memory member of the I / O port. It is characterized by. According to this configuration, the access to the data register in the I / O port is hooked to shift to the interrupt process.

  According to a tenth aspect of the present invention, in the information processing apparatus according to the eighth aspect, the interrupt causes an access by the CPU corresponding to the memory member of the memory mapped I / O to be a debug exception, a page fault. And receiving one of the hardware interrupts. According to this configuration, one of a debug exception, a page fault, and a hardware interrupt is hooked to shift to an interrupt process.

  According to the eleventh aspect of the present invention, there is provided a file installation method that uses an installer to install a file on a hard disk partitioned into partitions in which MBR is stored in the first sector and at least one OS is stored after the first sector. The file is associated with the hard disk, and a read command for the total capacity information from a memory member in which the total capacity information of the hard disk is stored is sent from an information processing apparatus equipped with the hard disk. A management file having a processing program that rewrites information read in response to the command to information of an end sector of the final partition when it occurs after startup, and sets the end sector of the final partition to at least the capacity of the file Capacity corresponding to A step of setting the new end sector by moving only to the head side, a step of storing the file from the new end sector toward the last side, and an end sector of the last partition written in the MBR. A step of rewriting to a new last sector, and a step of writing in the MBR a dedicated loader that first reads the file into the main memory of the information processing device when the information processing device is activated. . According to the present invention, it is impossible to know the free area where the management file is stored.

  According to a twelfth aspect of the present invention, in the information processing apparatus according to the eleventh aspect, the dedicated loader is obtained by rewriting a bootstrap loader previously stored in the MBR. According to this configuration, when the BIOS is activated and then the MBR dedicated loader is activated, the management file is first read into the main memory, and the control of the CPU is transferred to the management file.

  According to the present invention, it is possible to maintain high security by making the management file stored in the hard disk for monitoring the malware invisible to the malware.

It is a block diagram for demonstrating the function requested | required at the time of installation of the terminal 1 and the installer (2B) to which the information processing apparatus which concerns on this invention is applied. FIG. 2A is a diagram for explaining an installation procedure mainly using installers (2A) and (2B) on a hard disk. FIG. 2A is a memory map in a state where a terminal is assembled (or a state at the time of shipment), and FIG. B) is a memory map after installation by the installer (2A), and FIG. 2C is a memory map after installation by the installer (2B). It is a flowchart which shows the procedure of the installation process of a management file which CPU performs according to the program of an installer (2B). This is the “initial setting” subroutine of FIG. This is a subroutine of “execution execution” in FIG. It is a block diagram explaining the function in operation | movement from starting of the terminal performed by CPU. It is a memory map of RAM and a chipset. It is a memory map of RAM and a chipset. It is a memory map of RAM and a chipset. It is a flowchart explaining the procedure of the starting process performed by CPU of a terminal. An overall outline of GDT indicating a storage location of information is shown. The memory map of PTE is shown. A conversion method for converting a linear address to a physical address is shown in the figure. It shows an example of the relationship between the linear address and the physical address in the protect mode. It is a flowchart which shows the process of the management file after OS boot performed by CPU. It is a functional block diagram for demonstrating embodiment in the case of passing through an I / O port among hook functions. It is a flowchart explaining the flow of the hook process I. The flowchart explaining the flow of the interruption process I is shown. It is a functional block diagram for demonstrating embodiment in the case of going through MMIO. It is a flowchart explaining the flow of the hook process II. The flowchart explaining the flow of the interruption process II is shown. It is a flowchart explaining the flow of the hook process III. It is a flowchart explaining the flow of the hook process IV. (A) (B) is a figure for demonstrating loading to RAM of a specific application. It is a figure for demonstrating the execution method of the specific application under a management file environment. It is a flowchart explaining the execution procedure of the specific application performed by CPU.

  FIG. 1 is a block diagram for explaining functions required when installing a terminal 1 and an installer (2B) to which an information processing apparatus according to the present invention is applied. FIG. 2 is a diagram for explaining an installation procedure mainly using installers (2A) and (2B) on a hard disk, and FIG. 2 (A) is a memory map in a state where a terminal is assembled (or a state at the time of shipment). 2B is a memory map after installation by the installer (2A), and FIG. 2C is a memory map after installation by the installer (2B). 2A to 2C show the contents of the memory chip 11A and the MBR (Master Boot Record) 110.

  In FIG. 1, the terminal 1 has a CPU (Central Processing Unit) 10 as control means. The CPU 10 is connected to an HD (Hard Disc) 11 and a main memory RAM (Random Access Memory) 12. The HD 11 has a predetermined storage capacity, for example, several hundred GB, and data is written in units of sectors (Sector: 512 Byte / track). The terminal 1 writes at least an OS (Operating System) and an AP (application program) file to the HD 11 by setup or the like, and an example thereof is shown in a memory map of FIG. The RAM 12 temporarily stores files read from the HD 11 and information in the middle of processing, and has a predetermined storage capacity, for example, 4 GB.

  The memory chip 11A is provided in association with the HD 11, and information related to the HD 11 is written therein. As shown in FIG. 2, the information related to HD11 written in the memory chip 11A includes at least the model number of HD11 and the total capacity (total LBA: Logical Block Addressing) that is the storage capacity of HD11. Accordingly, quality data and input / output characteristic data are included, and log data for accessing the HD 11 is also included. The memory chip 11A may be a ROM (Read Only Memory), and a writable ROM is adopted in a mode in which log data and the like are written in an update manner.

  Connected to the CPU 10 are an operation unit 13 including a keyboard and a mouse having a numeric keypad for inputting necessary commands and information by an operator, and a display unit 14 for displaying input information and displaying communication contents. Has been.

  The installer (2B) is for installing a predetermined file in the terminal 1 that has undergone the setup process for setting it to a usable state or in conjunction with the setup process, and is a file storage medium such as a CDROM. It is. The installer (2B) is attached (connected) to the external device connection port 10P of the information processing unit 1 and performs a process of writing a file as stored data to the terminal 1.

  The installer (2B) has at least a startup program memory 21, an installation program memory 22, a dedicated loader memory 23, and a management file memory 24. The activation program memory 21 is a memory that stores an activation program for activating the connected terminal 1. The installation program memory 22 is a memory that stores an installation program that causes the activated terminal 1 to execute a file installation operation.

  The dedicated loader memory 23 and the management file memory 24 are memories in which files to be written to the HD 11 by the installation program are stored. The dedicated loader is expanded in a boot memory area 120 (to be described later) of the RAM 12. The dedicated loader is preferably written once after resetting the entire start memory area 120, and is supplemented to create a program part that functions as a loader and 1 MB of transfer data corresponding to the start memory area 120. Including dummy data. Alternatively, the dedicated loader may be configured to reset the entire area of the RAM 12 with dummy data except for the program part developed in the activation memory area 120 of the RAM 12 and the development area of the program part. By this reset process, the BIOS read in the RAM 12 first is deleted. Therefore, even if malware is hidden in the BIOS, it can be removed. The dedicated loader memory 23 is a memory that stores a program for performing processing such as installing the management file from the HD 11 to the RAM 12 with priority over other files in the HD 11 when the terminal 1 is activated. As will be described later, the management file memory 24 is a memory storing a program for monitoring or the like that executes processing corresponding to a specific access.

  The CPU 10 loads the startup program and the installation program from the startup program memory 21 and the installation program memory 22 of the connected installer (2B) into the RAM 12 and executes them, thereby executing the startup processing unit 1001, the installation processing unit 1002, and the operation receiving unit. It functions as 1003. When the activation switch (not shown) is turned on with the installer (2B) connected to the connection port 10P, the activation processing unit 1001 preferentially selects the installer (2B) that is an external device (or manually sets the priority order). In this case, the activation program is fetched from the activation program memory 21. The installation processing unit 1002 fetches an installation program from the installation program memory 22 following the startup process, and executes the installation program. The operation receiving unit 1003 receives an instruction from the operator input via the operation unit 13.

  In FIG. 2, the storage capacity of the HD 11 is represented by the number of sectors. Here, for convenience of explanation, it is assumed that the total number of sectors is 100,000 (that is, total LBA 100,000). In the memory map at the time of shipment shown in FIG. 2A, a pair of HD11 attributes (HD model number, total LBA, etc.) are written in the memory chip 11A.

  In the memory map after installation (or setup) by the installer (2A) shown in FIG. 2 (B), the installer (2A) sets the sector area at the head of the HD 11 to LBA0 in the example of FIG. 2 (B). An MBR 110 (Master Boot Record) writing area is set, and an area behind the MBR 110 is divided into a plurality of partitions, and a predetermined file is written therein. The partition can be divided into a predetermined number, for example, up to four. Here, the first OS is installed in the partition (1), the second OS is installed in the partition (2), and data necessary for the partition (3) is installed. Each application program file (AP) operating in the environment of the first OS and the second OS is also written in the corresponding partition. Further, for convenience of explanation, the partition is divided such that the area of partition (1) is LBA1 to LBA49,999, the area of partition (2) is LBA50,000 to LBA69,999, and the area of partition (3) is Let LBA be 70,000 to LBA 100,000.

  Further, the MBR 110 has a program code (BSL: Boot Strap Loader) for searching and starting an active partition when the terminal 1 is booted, and further has a partition table (PT) 111. The partition table PT111 stores the start LBA, end LBA, and other data for each of the partitions (1) to (3) divided as shown in FIG. In addition, the tables of the partitions (1) to (3) of the partition table PT111 include data of presence / absence of active flag, partition type, and partition size in addition to the start LBA and end LBA. By the way, there is a CSH method as a method of expressing the start position and end position of a partition by a sector number, but it is the same as the LBA method in that it is described by the sector number of the start position and end position. Normally, the active flag is set in a table corresponding to the partition (1). Therefore, when the terminal 1 is booted, the first OS of the partition (1) or the second OS of the partition (2) is set. The OS is selectively expanded in the RAM 12, and then expanded in the RAM 12 in the order of the data of the partition (3) as necessary.

  The installation process by the installer (2B) shown in FIG. 2C installs a management file or the like. Compared to FIG. 2B, the management file is installed behind the partition (3), and the bootstrap loader (BSL) in the MBR 110 is rewritten to a dedicated loader. The area for installing the management file is LBA 90,000 to LBA 100,000 in the example of FIG. Therefore, the area of the partition (3) is LBA70,000 to LBA100,000 in FIG. 2B, whereas it is LBA70,000 to LBA89,999 in FIG. In accordance with this change, the end LBA of the table contents of the partition (3) in the partition table PT111 is rewritten as LBA89,999. The area prepared for installing the management file is referred to as “free area” here. As shown in FIG. 2C, the “empty area” stores the bootstrap loader BSL in the MBR 110 shown in FIG. 2B. By this storage process, the bootstrap loader BSL can be returned to the MBR 110 instead of the dedicated loader (that is, it is possible to return to the environment in which the terminal is used in the setup state of FIG. 2B).

  FIG. 3 is a flowchart showing a management file installation process executed by the CPU 10 in accordance with the installer (2B) program.

  First, when the installer (2B) is connected to the terminal 1 and the activation switch is turned on (or automatically activated), it is then determined whether or not the installer (2B) has been activated (step S1). Subsequent to the activation of the installer (2B), initial setting for installation is executed (step S3), and then installation is executed (step S5). In step S1, it is possible to monitor until the installer (2B) is activated, or if the activation is not confirmed after a predetermined time has elapsed, this flow may be exited.

  FIG. 4 is an “initial setting” subroutine, and FIG. 5 is an “installation execution” subroutine. In FIG. 4, first, the installation processing unit 1002 acquires the total LBA from the memory chip 11A, and the end LBA of the final partition (corresponding to the partition (3) in FIG. 2) from the partition table PT111 in the MBR 110 (step S11). Next, the installation processing unit 1002 creates “free space” by a predetermined LBA from the end LBA of the last partition to the head side (step S13). The “free area” has a storage capacity in which the bootstrap loader BSL in which the management file is installed and saved as necessary is stored. Here, as illustrated in FIG. 2C, sizes of LBA 90,000 to LBA 100,000 are set.

  In addition, since the size of each partition is divided with a margin in advance, the rear portion thereof is generally free of data and is largely free. Therefore, it is possible to forcibly form an empty area in a part on the rear side of the final partition. If there is data in the target area forming the “free area” (or evenly without detecting whether the data exists in the target area), a known defragmentation process is performed by 1 It is possible to secure an “empty area” by repeating the number of times or as many times as necessary. The defragmentation process is a process performed by executing a program file for defragmentation, and means a process for relocating a file in a partition from the head side and eliminating a fragmentary gap area. If file writing and reading are repeated in the HD 11, the file arrangement becomes discontinuous within the partition, and fragmented gap spaces may be scattered. If the gap space is further subdivided, a continuous free area cannot be secured. If this state is left as it is, a new file is divided and stored in two or more gap spaces. Such a situation may occur. This degrades information processing quality, such as a decrease in read / write speed. The defragmentation process solves such a problem, and this makes it possible to collect the gap space as an empty area behind the partition.

  In FIG. 5, first, the bootstrap loader BSL in the MBR 110 is written at a predetermined position after the first LBA of the “free area”, and a save process is performed (step S21). Next, the end LBA of the last partition is subtracted by the empty area, and this subtraction value is updated as a new end LBA to the corresponding table in the partition table PT111 in the MBR 110 (step S23). With this processing, in the example of FIGS. 2B and 2C, the last partition of the partition (3) is described as LBA89,999, and as a result, the first and second OSs for the data in the partition (3) Access from is restricted within the area of LBA70,000 to LBA89,999 by referring to the partition table PT111.

  Subsequently, the management file is read from the management file memory 24 of the installer (2B), and is installed from a predetermined sector of “free area”, for example, from the head LBA (step S25). Next, the dedicated loader is read from the dedicated loader memory 23 of the installer (2B) and written in place of the bootstrap loader BSL in the MBR 110 (step S27).

  The dedicated loader gives an instruction to preferentially read the management file installed in a predetermined sector in the HD 11 to the RAM 12 when the terminal 1 is booted. Although the contents of the management file will be described later, when reading of the management file to the RAM 12 is completed, the first OS, the second OS, and necessary data are sequentially read to the RAM 12 by the loader program included in the management file. It is. When the reading process to the RAM 12 is completed, the management file starts the original management process. In the mode in which the first OS or the second OS and necessary data are read to the RAM 12 by the management file, control is transferred from the dedicated loader to the management file after the management file is read to the RAM 12. Just do it.

  FIG. 6 is a block diagram for explaining functions during operation from the startup of the terminal 1 executed by the CPU 10. In FIG. 6, the CPU 10 executes a program read from the HD 11 to the RAM 12, thereby accepting an operation content that is input via the activation processing unit 101 that controls the activation of the terminal 1 and the operation unit 13. Executed by the processing unit 102, the information processing unit 103 that executes information processing according to the operation content from the operation unit 13 and the information processing program, the display processing unit 104 that creates an image to be displayed on the display unit 14, and the management file And a communication processing unit 106 that communicates with a terminal that is another information processing apparatus via an external network (typically the Internet) via a management processing unit 105 and a NIC (Network Interface Card) 15.

  Although FIG. 1 shows a configuration necessary for installation, the terminal 1 further has a BIOS memory 11B in which a BIOS (Basic Input / Output System) is written, as shown in FIG. The BIOS memory 11B is composed of a ROM or a flash ROM, and a program (BIOS) for booting the terminal 1 is written therein. The BIOS is set to preferentially designate a dedicated loader in the MBR 110 and boot.

  The activation processing unit 101 includes a dedicated loader processing unit 1011, a management file operation environment setting unit 1012, and an OS loader processing unit 1013. After the start switch of the terminal 1 is turned on (powered on), the dedicated loader processing unit 1011 starts the BIOS, reads the dedicated loader in the MBR 110, and then passes control to the dedicated loader, thereby processing by the dedicated loader. Is to execute. The management file operation environment setting unit 1012 sets a high privilege level (described later) in a specific area in the RAM 12 by a program of a part of the dedicated loader or a part of the management file after the management file is expanded in the RAM 12. Is. The OS loader processing unit 1013 reads out the first OS, the second OS, and necessary data in a state where the operating environment of the management file is set, that is, under monitoring described later by the management file. Is.

  The information processing unit 103 uses the various application programs executed in the operating environments of the first and second OSs, receives operation contents from the operation unit 13 and executes desired information processing. . As information processing, for example, creation, processing, and storage of information using document or graphic creation software, and transmission / reception of information performed via the NIC 15 and a network (typically the Internet) are assumed. Is done. The display processing unit 104 performs display control on the display unit 14 of information created and processed and information related to transmission and reception. The management unit 105 performs monitoring of various accesses by the management file and hook processing corresponding to access to the memory chip 11A related to the present invention, and details will be described later. The communication processing unit 106 transmits / receives information to / from other terminals connected to the network via the NIC 15, a data server storing various information, and the like.

  7 to 9 are diagrams showing the transition of the memory map of the RAM 12 from the BIOS loading to the OS operation monitoring. As shown in FIG. 7, in this embodiment, the RAM 12 has a capacity of 4 GB, and files read from the HD 11 are divided into a startup memory area 120 of 0 MB to 1 MB, an area of 1 MB to 100 MB, and an area of 100 MB or more. I try to write. The area division is not limited to the above position and size, and an appropriate division mode can be adopted.

  FIG. 7 shows the RAM 12 and the chip set. The chip set is a main part constituting a mother board (not shown), and controls data exchange between all parts connected to the mother board such as the CPU 10 and various register groups. The RAM 12 is divided into a plurality of areas, and a BIOS 121, a dedicated loader 122, and a temporary GDT (Global Descriptor Table) 123 are expanded in a startup memory area 120 of 0 MB to 1 MB. When the terminal 1 is activated, the BIOS 121 is expanded from the BIOS memory 11B to the activation memory area 120 of 0 to 1 MB in the RAM 12, and then the dedicated loader 122 is read from the HD 11. As described above, the dedicated loader 122 can rewrite the entire activation memory area 120. In this case, so-called reset (clear) processing is performed, and at the same time, the BIOS 121 is erased. Note that the entire RAM 12 may be reset. As a result, all the files before clearing in the RAM 12 are erased.

  The temporary GDT 123 is created by the dedicated loader 122 and is used for addressing for loading the management file 124 in the Unreal mood from 1 MB to 100 MB by the dedicated loader 122. Unreal mode means that data access is only 1MB or more, that is, access to the outside of the startup memory area 120 is enabled by changing the access limit of the data segment register (not shown) in the chipset to 4 GB in the real mode environment. Refers to a special condition.

  A management file 124, a management GDT 125, and a management IDT 126 are expanded in the 1 MB to 100 MB area of the RAM 12. The dedicated loader processing unit 1011 performs a process for reading a management file in the HD 11 into a predetermined position of 1 MB to 100 MB in the RAM 12 and a process related thereto. More specifically, the dedicated loader processing unit 1011 first performs processing for enabling access to 1 MB to 100 MB of the RAM 12, for example, creation of a temporary GDT 123 and setting for various registers in the chipset. In this case, the management file operation environment setting unit 1012 causes the temporary GDT 123 to set DPL (Description Privilege Level) which is a privilege level for all of the programs and management tables (segment descriptors) constituting the management file 124. By setting “0” (so-called ring “0”), the management file 124 can be loaded at the highest privilege level at a predetermined position of 1 MB to 100 MB, and all the information set in this area can be loaded. Load with DPL "0" is realized. As is well known, DPL describes the privilege level of the memory space, and there are four ranks from DPL “0” to DPL “3”. The smaller the DPL value, the higher the privilege level. For example, a program that operates in a space described as a relatively large value of the DPL value cannot access the space side described as a value having a smaller DPL value. That is, in this case, a general protection exception (#GP) or page fault (#PF) described later is issued as a privilege level violation, and access is invalidated. On the other hand, a program operating in a space described as a relatively small value of the DPL value can access or browse the space side where the DPL value is described as a larger value. This makes it possible to determine in advance whether or not the access is inappropriate.

  The dedicated loader processing unit 1011 sets a flag for the register CR0 of the management registers to access the 1 MB to 100 MB area in the protected mode, and separately in the real mode, the temporary GDT 123 The segment limit is set to 1M or more, here 4G, thereby enabling operation in the unreal mode. In this unreal mode, the management file 124 is loaded, then the management GDT 125 is loaded, and the management IDT (management interrupt vector table) 126 is loaded. Each segment descriptor of the management GDT 125 and the management IDT 126 is created in advance up to the table portion required at that time, and is loaded by the dedicated loader processing unit 1011. The dedicated loader processing unit 1011 passes the control of the CPU 10 to the management file 124 (jumps) after loading the necessary information.

  FIG. 8 is a memory map in a state in which a TSS 127, a PTE (Page Table Entry) 128, and a management interrupt handler 129 are created in an area of 1 MB to 100 MB. Although not shown in the figure, an LDT (Local Descriptor Table) for each task is created as necessary. The management file operation environment setting unit 1012 also creates a TSS 127, a PTE (Page Table Entry) 128, a management interrupt handler 129, and a necessary LDT according to the program of the management file 124. As will be described later, the TSS 127 and the PTE 128 operate in a management (protect) mode table for monitoring tasks (mainly, loading of the OS from the HD 11) operating at 101 MB or more, and operating from 100 MB to 101 MB. And a table for VM8086 mode for monitoring the task to be performed. By appropriately switching the mode with a task switch (not shown), it is possible to load each program constituting the OS and add a segment descriptor of each program of the OS to the management GDT 125 and IDT 126, respectively.

  The TSS 127 is created in association with each management program (task) in the management file 124. In other words, the TSS 127 can return to the current state by transferring the execution state to a necessary program by a task switch and contexting the processing contents of the immediately preceding program to the corresponding TSS in order to run the program according to the operation state. I have to. The PTE 128 is for converting the linear address created by the GDT 125 into a physical address, and is provided corresponding to each piece of information (each program code, each data, each stack, and presence flag P).

  Here, the relationship between the GDT 125 and the PTE 128 and the conversion from the linear address to the physical address will be described with reference to FIGS. First, in the real mode that operates with a 16-bit program that is a mode when the terminal 1 is activated, the address is determined using the segment value and the offset value, and, as is well known, a value obtained by shifting the segment value by 4 bits By adding the offset value to (multiplied by 16), a maximum address (linear address) up to (1 MB + 64 KB) can be immediately calculated as a physical address. On the other hand, the protect mode is adopted for addresses higher than that, and for example, in the mode of operation with a 32-bit program, it is possible to specify addresses up to 4 GB. Since a virtual address space can be set by setting a different address for each piece of information (task), the information (task) can be stored separately for each required data amount.

  FIG. 11 corresponds to such an information storage mode, and shows an overall outline of the GDT 125 indicating information storage locations. The GDT 125 is a list of segment descriptors for managing the storage location of each information in units of 8 bytes, for example. Each segment descriptor has four attributes. The attributes are “type” of information (program code, data, stack), “base address”, “limit”, and “DPL”. The “base address” indicates a storage reference (start) address of information in the RAM 12. “Limit” indicates an access range of information. DPL indicates the privilege level described above. The segment descriptor adopted in the addressing is selected via the information of the segment selector used for conversion from the linear address. Whether or not task access is permitted depends on the CPL (Current Privilege Level) and RPL in the register (for example, one of the registers CS, DS, and SS) written in the chipset when the access is requested. It is determined by comparing (Requested Privilege Level) with the corresponding segment descriptor of GDT125. If this technology is used to limit the memory area that can be accessed (used) by a specific task (program), interference with other tasks (programs) can be prevented, and the terminal 1 can be made safe and stable. Can be operated.

  FIG. 12 shows a PTE memory map. Each page data is divided into a predetermined amount of data, for example, every 4 KB, and each page data is set with a physical address and an access attribute. Each page data includes the type of program code, data, stack, and presence flag P. The physical address is for moving the linear address to a predetermined position in the RAM 12. The access attribute corresponds to a privilege level, and has “supervisor” and “user”. “Supervisor” corresponds to privilege level DPL “0” to DPL “2”, and “user” corresponds to privilege level DPL “3”. Further, NX-Bit (None Execute Bit) is held in the page corresponding to the data, and the instruction code cannot be issued to the CPU 10 from the page. If the access from the CPU 10 violates the privilege level, an exception interrupt general protection exception (#GP) is issued. On the other hand, if the access attribute violates, a page fault (#PF) is issued. Is done. In either case, processing for invalidating access is executed via the interrupt handler 129. The invalidation of access includes a mode of shutting down access itself and a mode of rewriting a modified privilege level value to a correct value. The presence flag P determines whether or not data exists at the converted address based on whether or not the presence flag P is “0”. If the presence flag P is “0”, information on this address is stored. The evacuation process is performed once. A page fault (#PF) is issued when the converted address corresponds to the address. By using this function, that is, a page fault occurs in the memory area where a specific task (program) operates, and the management file is hooked to execute this specific task (program). If it is performed under the management of the management file, access from other tasks (programs) can be prevented, and only specific tasks (programs) can be isolated on the memory and protected.

  FIG. 13 is a diagram illustrating a conversion method for converting a linear address into a physical address. A linear address for accessing certain information created by the CPU 10 is converted into a physical address using the segment selector and base address of the GDT 125 and the physical address of the PTE 128. FIG. 14 shows an example of the relationship between the linear address and the physical address in the protect mode. First, in the real mode, linear addresses 0 MB to 1 MB correspond to physical addresses 0 MB to 1 MB. This range is a 16-bit specification, and they are the same. By the way, as described later, the PTE 128 is prepared for management (area of 100 MB or less) and for VM8086 (area of 100 MB to 101 MB). Here, the management addressing in the protect mode will be described. That is, the linear addresses 0 MB to 1 MB correspond to the physical addresses 100 MB to 101 MB. As described above, a predetermined value of 100 MB (or 101 MB) or more of the physical address is set in the physical address of each task in the management side table in the PTE 128. With this physical address setting, all the tasks of PTE128 (typically OS loading or OS execution) are loaded or expanded at a setting address of 100 MB (or 101 MB) or more. In other words, as a result of paging to a certain address of 100 MB (or 101 MB) or more by the PTE 128, the management file 124 and the GDT 125, IDT 126, TSS 127, PTE 128, and the interrupt handler 129 are accessed 100 MB or less. Therefore, the contents in the GDT 125 and other tables cannot be altered, and this is equivalent to the fact that 100 MB or less is not visible (does not exist) in the first place.

  FIG. 14 shows a state in which an exclusive loader of 0 MB to 1 MB is copied to an area of 100 MB to 101 MB, and an OS loader 130 for loading an OS or the like is created in a predetermined position of the same area. This is a memory map in a state in which each file of DATA 134 read in response to the data and AP 135 read out as needed is loaded in an area of 101 MB or more. The OS 133 includes files of both the first OS and the second OS or one selected OS. The process of writing information to 100 MB to 101 MB is performed in the VM8086 mode. Note that the VM8086 mode means that if the process for switching to the real mode is performed during the execution of the protect mode, the efficiency will be reduced if the complexity of management is taken into consideration. Therefore, the VM bit of the EFLAGS register is switched to perform the address calculation in the real mode. This makes it possible to execute a 16-bit program. During this period, access to information of 0 MB to 100 MB from the area is invalidated by paging.

  The OS loader processing unit 1013 performs a process of loading the 0 MB to 1 MB dedicated loader 122 read to the terminal 1 side into the 100 MB to 101 MB of the RAM 12 and a process of loading the OS loader 130. The OS loader 130 is a program read from the management file 124 or read from the MBR 110.

  In FIG. 9, OS GDT 131 and OS IDT 132 indicated by broken lines are tables in which the OS 133 describes its own behavior.

  The OS loader processing unit 1013 first sets the physical address in the control register CR3 in the state set in the VM8086 mode (that is, CPL “3”), starts the OS loader 130, and configures each program that configures the OS 133 from the HD 11 Are sequentially loaded into an area of 101 MB or more in the RAM 12. The OS 133 loaded from the HD 11 issues an LGDT request to rewrite the contents of the chip set register GDTR in order to create an OS GDT describing its own motion. On the other hand, since the access (rewrite request) to the register GDTR of the chipset is permitted only with CPL “0”, the management unit 105 makes a general protection exception (#GP) as an exception to this access. ). Then, the general protection exception is transferred to the interrupt handler 129 of the management file 124 via the IDT 126. The management unit 105 refers to the register EIP indicating the storage location of the instruction (program) to be executed next by the CPU 10 using the program counter via the interrupt handler 129, and makes a program making an unauthorized access request. And the rewriting of the register GDTR is prohibited, and interrupt handler processing such as rewriting the modified privilege level to the original value is executed for the unauthorized program. In addition, the management view unit 105 adds the illegal program as a new segment descriptor to the GDT 125, sets DPL “2” in the privilege level item, and adds it as a new paging table to the management table of the PTE 128. Then, a predetermined address value of at least 101M (or 100M) or more is set as the physical address. As a result, the access right of the GDT 125 is set to DPL “2”, so that access from 0 MB to 100 MB from the OS side is invalidated as an unauthorized access, and a physical address of 100 M or less from the OS by the PTE128. Conversion is impossible.

  The information processing unit 103 reads and executes a desired AP from the partition (1) of the HD 11 in the first OS environment, or reads and executes a desired AP from the partition (2) of the HD 11 in the second OS environment. Is.

  FIG. 10 is a flowchart for explaining a procedure of boot processing executed by the CPU 10 of the terminal 1. First, after the terminal 1 is powered on, the BIOS 121 is read into the RAM 12 and the BIOS process is started (step S31). That is, the BIOS 121 is activated, and then the POST process is executed. Then, the MBR 110 of the head sector of the HD 11 is selected by the POST process, and the dedicated loader 122 is read (step S33). Next, the control of the CPU 10 is transferred to the dedicated loader 122, the dedicated loader 122 is activated, and the management file 124 is read (step S35). Next, a management file operation environment setting process is executed, and for example, a privilege level is set in the area of the RAM 12 (step S37). Finally, each OS 133, various types of DATA 134, and each AP 135 are loaded (step S39).

  FIG. 15 is a flowchart showing the processing of the management file 124 after the OS is booted, which is executed by the CPU 10. First, it is determined whether or not the management GDT 125 is accessed from the OS (or AP) program from 0 MB to 100 MB (step S51). If there is no access to the management GDT 125, it is assumed that it is a normal OS (or AP) process, and this flow is exited without management. On the other hand, if there is an access to the management GDT 125, a general protection example is issued by collating the privilege level of the accessed OS with the privilege level of the register GDTR (step S53). Then, a jump from the management IDT 126 to the interrupt handler 129 corresponding to the general protection exception is executed (step S55). As a result, the processing of the interrupt handler 129 is executed (step S57). The processing of the interrupt handler 129 here may be processing to rewrite the normal contents on the assumption that access to the management GDT 125 is denied or accessed. By such processing, unauthorized access to the management file 124 from the OS side such as falsification purposes can be rejected, and the management file 124 is maintained in a secure state.

  Subsequently, a management process using the management file 124, more specifically, a management process for extracting information from the memory chip 11A will be described with reference to FIG.

  The memory chip 11A includes information on the total LBA as described above. On the other hand, as shown in the memory map of FIG. 2 (C) and the installation execution process flowchart of FIG. 5, the end LBA of the last partition of HD 11 (partition (3) in the example of FIG. 2) is shifted to the top by a predetermined value, As a result, the “free area” is set in this portion and the management file is stored. In other words, the storage capacity of the HD 11 is set so that the end LBA of the last partition (3) is reduced by the “free area”. In the example of FIGS. 2B and 2C, the LBA is originally 100,000, but is set to LBA 90,000 on the partition table PT111. Therefore, even if the OS refers to the end LBA of the partition table PT111, the existence of the management file cannot be known as it is.

  As described above, the management file is used to monitor processing by the terminal 1. Therefore, it is necessary to prevent the function from being damaged due to an unauthorized access, typically, a program in the management file being altered or damaged by an attack by malware such as a virus. Therefore, the storage capacity of the HD 11 is rewritten, that is, the value of the end LBA of the last partition of the partition table PT111 is rewritten, which is equivalent to the absence of the management file in the HD 11 on the partition table PT111.

  By the way, after the terminal 1 is activated, as described above, the privilege level DPL0 is set by the management file 124 in the RAM 12, and the management file 124 can counter an attack from unauthorized malware. On the other hand, in order to counter the malware attack on the HD 11 side that is the original storage medium in which the management file is stored, a countermeasure against the memory chip 11A is required in addition to the countermeasure against the partition table PT111.

  After the terminal 1 is activated, when the malware is activated separately from the execution of the OS or AP file and the value of the total LBA in the memory chip 11A is referred to, the end LBA of the last partition in the partition table PT111 is referred to. Is detected, and it is known that the “free area” exists in the HD 11. Then, it is conceivable that a resultant file processed or created by the malware is written in this “free area”. As a result, the resultant file resulting from the execution of this malware may be overwritten on the management file of “free space”, and the management file may be deleted, destroyed, or altered from the HD 11. Once the management file stored in the “free area” in the HD 11 is deleted or destroyed, the management file 124 is not expanded on the RAM 12 at the next startup of the terminal 1, and the function of the management file is impaired. It can be. Alternatively, if the management file on the HD 11 is altered, the management file may be executed with a fake management file with different contents, that is, behaved by malware, after the next startup on the terminal 1.

  As modes in which the memory chip 11A is accessed from the outside (OS 133, AP 135, malware, etc.), the case is via the I / O port 10A (see FIG. 16) and the case via the memory mapped I / O (MMIO) There is. Therefore, as a method for countering these accesses, a protection function in which the total LBA is not read from the memory chip 11A is provided in the management file in this embodiment. More specifically, the management file hooks access to the memory chip 11A from the outside (OS, AP, malware, etc.), and reads information read based on the access to the outside (OS, AP, malware). Etc.), the read content (total LBA) is rewritten using the hook operation.

  FIG. 16 is a functional configuration diagram for explaining an embodiment of the hook function via the I / O port 10A. In FIG. 16, an I / O port 10A is provided corresponding to the CPU 10, and is used when accessing the HD 11 (or the memory chip 11A). Hereinafter, access to the HD 11 or the memory chip 11A is referred to as access to the HD 11 or the like. Each port of the I / O port 10 </ b> A corresponds to an address such as HD 11 as viewed from the CPU 10. The read processing of the total LBA of the memory chip 11A is performed using the data register (address 0x01f0), status register, and command register (all addresses 0x01f7) in the I / O port 10A. The status register indicates that the HD 11 side is reading / writing (Busy) or that there is a data transfer request. The command register is for setting a device information acquisition parameter “Oxec: IDENTIFY DEVICE” which is a command for reading data of the memory chip 11A. The data register is a register to which data read by a read command is read. The amount of information to be read is 512B (for one sector), while the data size of the total LBA is 2B of that. In addition, since the capacity of the data register in the I / O port 10A is 16 bits, when reading 512B, the data register is repeatedly processed a plurality of times, so that one general-purpose register in the register group is stored. Will be written.

  The TSS 127 is created in association with each program (task) and has an I / O permission bitmap. Therefore, by setting flag 1 in the I / O permission bitmap of the task corresponding to the access to the data register (address 0x01f0), the management unit 105 executes processing for hooking this access simultaneously with the access. . In the TR register in the register group, the segment of the current task of the TSS 127 is set. By referring to this, the contents of the flag of the I / O permission bitmap can be detected. When detecting the hook, the management unit 105 generates an exception interrupt, shifts to the interrupt handler 129 via the management file 124, and executes a predetermined interrupt processing program. The interrupt processing program is a process of taking out the data written in the general-purpose register, subtracting a predetermined value set in advance from the total LBA data, and writing a new value in the original general-purpose register. The predetermined value to be subtracted is a value obtained by subtracting the “empty area”, and in the examples of FIGS. 2B and 2C, the number of sectors is 10,000. After this process, the interrupt handler 129 returns control to the CPU 10. Therefore, the outside (OS, AP, malware, etc.) accessing the data register (address 0x01f0) acquires the total LBA after rewriting. As a result, the existence of the “free area” is not detected, and the management file in the HD 11 is not deleted.

  FIG. 17 is a flowchart for explaining the flow of the hook process I. First, the contents of the status register of the I / O port 10A are read from the outside (OS, AP, malware, etc.), for example, the OS 133 (step S61) [(1) in FIG. 16]. At this time, if the I / O port 10A is busy or there is a data transfer request, that is, if it is in at least one state (No in step S63), it waits until this state ends. On the other hand, if it is not in any state (Yes in step S63) [(2) in FIG. 16], a data read request command is sent to the command register of the I / O port 10A (step S65) [FIG. Inside (3)]. Next, the data register of the I / O port 10A is accessed (step S67), read from the memory chip 11A [(4) in FIG. 16], and this data is viewed (read). To do. On the other hand, an exception occurs at the time of this access (step S69) [(3) in FIG. 16], and then interrupt processing I is executed based on this exception (step S71) [(in FIG. 5)].

  FIG. 18 is a flowchart for explaining the flow of the interrupt process I. First, the management file 124 accesses a general-purpose register in which data read from the command register of the I / O port 10A is written, and a data read request is made (step S81). Since the management file 124 is at the privilege level DPL0, no exception occurs during this access.

  Next, the number of sectors corresponding to “empty area” is subtracted from the data at the position corresponding to the total LBA in the accessed data in the general-purpose register (step S83). Then, the value obtained by subtraction is written into the original general-purpose register (step S85), that is, the value is rewritten, and then the interrupt is completed. Next, the OS 133 goes to browse data in the general-purpose register [(6) in FIG. 16]. As a result, the OS 133 acquires the rewritten total LBA, not the original total LBA stored in the memory chip 11A.

  Note that the interrupt process is not a method of reading and subtracting data once written to the general-purpose register, but fetching data read into the data register in the I / O port 10A and applying the subtraction process to the register. A method of writing to a predetermined general-purpose register in the group may be used.

  FIG. 19 is a functional configuration diagram for explaining an embodiment in the case of passing through the MMIO. In FIG. 19, the RAM 12 is represented as a system memory map indicating an address space viewed from the CPU 10 for convenience of explanation. The RAM 12 includes a system register area related to access in the chipset, a bus master type PCI (Peripheral Component Interconnect) address space in which MMIO is expanded, a secure area in which the management file 124 is stored, an OS 133, and the like. It is divided into areas to be expanded.

  MMIO is a method in which the CPU 10 can handle an instruction for accessing each I / O device (including the HD 11) in the same address space as an instruction for accessing the RAM 12. MMIO is composed of I / O registers corresponding to device drivers for I / O devices. The CPU 10 controls the corresponding I / O device by reading and writing information such as operation permission in the I / O register. In the MMIO expansion area, an I / O register area corresponding to HD11 is provided as indicated by “HD I / O device”. The HD 11 side can be accessed via an I / O register corresponding to the HD 11.

  The AHCI (Advanced Host Controller Interface) 16 is a controller that is interposed between the RAM 12 and the HD 11 side and performs data transfer between the RAM 12 and the HD 11 side. More specifically, the AHCI 16 has a device conforming to the communication protocol of ATA or SATA below it, and data having a structure called FIS (Frame Information Structure) is a bus master type from the RAM 12 side to the HD 11 side, Data is transferred from the HD 11 side to the RAM 12 side. Data transferred from the RAM 12 side to the HD 11 side is performed by a REGHDFIS 161 structure, and data returned from the HD 11 side to the RAM 12 side is performed by a REGDHFIS 162 structure.

  The address of the “HD I / O device” in the MMIO of the RAM 12 is written in the debug register DR7 in the chipset. That is, when the CPU 10 accesses the address of the “HD I / O device” as data read, the access is hooked by the management file 124 as a debug exception. Based on this hook, the management file 124 causes the interrupt handler 129 to execute a predetermined interrupt process. The interrupt process is a process of reading the contents of the REGDHFIS 162 from the “HD I / O device”, subtracting the number of sectors corresponding to the “empty area”, and restoring it. Since the privilege level is DPL0, the management unit 105 constantly monitors the address of the “HD I / O device” in the MMIO corresponding to HD11, and writes the address to the debug register DR7 at the time of a read task. By doing so, a debug exception is generated, and acquisition of the total LBA in the memory chip 11A by the outside (OS, AP, malware, etc.) is prevented.

  FIG. 20 is a flowchart for explaining the flow of the hook process II. First, request information for reading the total LBA in the memory chip 11A from the outside (OS, AP, malware, etc.) is set in REGHDFIS 161 (step S91) [(1) in FIG. 19]. More specifically, the number information on the HD 11 side (specifically, the memory chip 11A) is set in the REGHDFIS 161, the device information acquisition parameter (0xec: IDENTIFY DEVICE) is set in the command, and transferred to the HD 11 side via the AHCI 16 [FIG. 19 (1)], the processing is performed on the HD 11 side, the device status is returned, and the data including the total LBA which is Identify Data is set in the REGDHFIS 162 and returned [in FIG. (2)].

  Next, the REGDHFIS 162 is written to the address of “HD I / O device” in the MMIO for the HD 11 side (step S 93). Subsequently, when there is an access from outside (OS, AP, malware, or the like) to read the total LBA of the memory chip 11A to the address written in the REGDHFIS 162 (step S95) [(3) in FIG. A debug exception occurs immediately (step S97) [(4) in FIG. 19]. Next, interrupt processing II is executed based on this debug exception (step S99) [(5) in FIG. 19].

  FIG. 21 is a flowchart for explaining the flow of the interrupt process II. First, the “HD I / O device” in which the total LBA of the HD 11 in the REGHFIS 162 is written is accessed by the management file 124 (step S111). Since the management file 124 is at the privilege level DPL0, no exception occurs during this access.

  Next, the number of sectors corresponding to the empty area is subtracted from the total LBA of the HD 11 in the accessed REGDHFIS 162 (step S113), and the subtracted value is returned to the original position of the REGDHFIS 162, that is, rewritten (step S115). After this, the interrupt ends. Next, the OS 133 accesses the “HD I / O device” to view data. As a result, the OS 133 acquires the rewritten total LBA, not the original total LBA stored in the memory chip 11A.

  FIG. 22 is a flowchart for explaining the flow of the hook process III. The hook process III has the following configuration with respect to the functional configuration diagram of FIG. In the RAM 12, the PTE 128 of FIG. 9 is formed. The PTE 128 has the presence flag P as described above, and the task of accessing the address of the “HD I / O device” in the MMIO is set as the flag 0 in the page table register CR3 in the chipset. To do. In this way, when the address of “HD I / O device” is accessed from the outside (OS, AP, malware, etc.), a page fault occurs immediately.

  In FIG. 22, first, an HD total LBA read request is set in REGHDFIS 161 (step S121). More specifically, the number information on the HD 11 side (specifically, the memory chip 11A) is set in the REGHDFIS 161, the device information acquisition parameter (0xec: IDENTIFY DEVICE) is set in the command, and is transferred to the HD 11 side via the AHCI 16 and transferred to the HD 11 The device status is returned, the device status is returned, and data including the total LBA as Identify Data is set in the REGDHFIS 162 and returned.

  Next, the REGDHFIS 162 is written to the address of “HD I / O device” in the MMIO for the HD 11 side (step S123). Subsequently, it is determined whether or not the presence flag P of the page table register CR3 is the flag 0 with respect to the address of the MMIO written in the REGDHFIS 162 (step S125). If the presence flag P of the page table register CR3 is not the flag 0, the present flow is exited. On the other hand, if the presence flag P of the page table register CR3 is the flag 0, a page fault exception is immediately generated (step S127), and then the interrupt process III is executed (step S129). The interrupt process III is the same as the interrupt process II shown in FIG.

  FIG. 23 is a flowchart for explaining the flow of the hook process IV. The hook process IV has the following configuration with respect to the functional configuration diagram of FIG. The AHCI 16 shown in FIG. 19 issues a hardware interrupt (IRQ) when the REGDHFIS 162 created in response to the access to the HD 11 by the REGHDFIS 161 is returned. In response to this hardware interrupt (IRQ), access from the outside (OS, AP, malware, etc.) for reading to the address of the “HD I / O device” in the MMIO to the HD 11 side is performed. It has come to be. On the other hand, the management file 124 detects (hooks) this hardware interrupt (IRQ), and from the interrupt descriptor table IDT 126 created in the secure area of the RAM 12, the interrupt handler 129 performs a predetermined interrupt process. Executed. The interrupt process IV is the same as the interrupt process II shown in FIG.

  As described above, since the storage location of the management file in the HD 11 is not known to the malware, it is possible to prevent the management file from being destroyed, deleted, modified, etc. by the malware. Monitored by a secure management file. If an OS or AP that can operate under the management file environment is loaded within the same privilege level as that of the management file 124 on the RAM 12, the processing of the AP can be executed with high security. .

  Next, FIG. 24 to FIG. 26 are diagrams for explaining another embodiment in which a specific application is executed securely under the management file environment. 24A and 24B are diagrams for explaining the loading of the specific application to the RAM, FIG. 25 is a diagram for explaining the execution method of the specific application under the management file environment, and FIG. FIG. 11 is a flowchart for explaining an execution procedure of a specific application executed by the CPU 10.

  The terminal 1 is also applied to a personal computer, a mobile and the like. In such a case, the terminal 1 is provided with various general-purpose applications (AP) that can be used in the OS environment, but it is desired that a specific application be used in a high security environment. This is a case where the terminal 1 is also applied as means (specific AP) such as electronic commerce, electronic payment, acquisition of information related to personal information, and the like. Therefore, the terminal 1 that is securely controlled by the management file 124 described above can be used in a high security environment even if a specific AP is arranged in the area of various general-purpose APs operating on the OS 133. This will be described below.

  As shown in FIG. 24A, a dummy AP 1351 of a predetermined size is installed in advance at any one of the partitions (1) to (3) of the ROM 11, here the partition (1). In addition, the specific AP 1352 is included in the management file installed in the “free area” described above. The specific AP 1352 is equal to or corresponds to the data size of the dummy AP 1351.

  When loading into the RAM 12, the dummy AP 1351 is loaded as a dummy AP 1351 by the OS 133 at a predetermined location in the same area as the general-purpose AP 135. Subsequently, the specific AP 1352 is loaded by being superposed (including partly superposed) on the dummy AP 1351 on the RAM 12 by the management file 124.

  24A and 24B, when an execution instruction for a specific AP is input from the operation unit 13, the OS 133 receives this instruction and loads the dummy AP 1351. Subsequently, the management file 124 of the privilege level DPL0 overwrites and loads the specific AP. The processing performed by the management file 124 of the privilege level DPL0 cannot be involved from an OS having a relatively low privilege level. Therefore, even if malware exists in the OS 133 or the load area of the OS 133, it cannot be known that the dummy AP 1351 has been updated to the specific AP 1352.

  Further, the management file 124 sets the base address and limit of the GDT or LDT table in the system table corresponding to the specific AP 1352 including the load position of the specific AP 1352. The operation of the specific AP 1352 is limited in the area 1352a (see FIG. 25) described by the base address and limit, and does not affect other APs. The management file 124 is set to generate a page fault for access to this address. When a page fault occurs, the management file 124 hooks it and permits execution of the specific AP via the interrupt handler 129 (see FIG. 25).

  In FIG. 25, the driver group 136 includes various drivers such as a sysplay driver and a network driver. The Agent 137 has an authority to access the specific AP 1352 by the management file 124 during the operation of the specific AP 1352, logs an event that has occurred, and relays the management file 124 and the AP on the OS side (role of IF) It plays the role of a management screen when viewed from the user's perspective. Further, since the OS driver is used during communication, it also plays a role of transmitting data created by the specific AP 1352 to a server on the network. In this case, the encoding process 138 performs an encoding process that encrypts and processes the generated data to make it obfuscated so that even if data leaks through the driver 136, the encoding process 138 can cope with it. Tampering is ensured.

  In FIG. 26, first, it is determined whether or not there is a processing instruction for the specific AP 1352 from the operation unit 13. The process instruction for the specific AP 1352 is, for example, a process associated with the specific AP on the screen of the terminal 1, for example, when an electronic payment icon (or button or key) is selected. This instruction is also associated with a dummy AP in relation to the OS 133 (therefore, the OS 135 loads the dummy AP 1351 into the RAM 12 when this instruction is generated). If there is no instruction, this flow is exited (step S151). In the case of an instruction of another process (general-purpose AP or the like), a process associated with the instruction is executed.

  On the other hand, if there is an instruction in step S151, loading of the dummy AP 1351 by the OS 133 is executed (step S153). The management file 124 monitors the loading of the dummy AP 1351 by the OS 133, acquires the loading position, and performs the process of loading the specific AP at the same position following the loading process (step S155). Next, the management file 124 sets a page fault for the access to the address (that is, for the access to the specific AP 1352), and writes the base address and limit of the GDT at the position in this embodiment. Instead, the page fault area 1352a is set to restrict the operation area of the specific AP 1352 (step S157).

  At the stage where such processing is completed, the management file 124 returns the CPU 10 to the OS 135. The OS 135 accesses this location with the intention of executing the loaded dummy AP 1351. As a result, the OS 133 causes a page fault to occur (step S159). This page fault is hooked by the management file 124 (step S161), and execution of the specific AP 1352 is permitted from the management file 124 via the interrupt handler 129 (step S163). Since the process is based on a page fault, even if malware exists, the page fault area 1352a cannot be involved during that period. Then, when the process of the specific AP is finished, this flow is finished.

  The process in FIG. 26 is performed every time an instruction for a specific AP process is received from the operation unit 13 as shown in the flowchart, so that the specific AP 1352 is reliably loaded every time and executed in a high security environment.

  The present invention can employ the following modes.

(1) In the memory map of the RAM 12, the OS 133, DATA 134, and AP 135 may be arranged on the 0 MB side, and a secure area such as the management file 124 may be arranged on the state side. According to this, by setting the address to a small value, read / write processing of the OS and AP that are repeatedly read and written can be performed easily and at high speed.

(2) Although the embodiments I to IV have been described as the hook processing by the management unit 105, in short, in relation to the processing of reading the total LBA value written in the memory chip 11A, as a result, the total LBA value is Any process may be used as long as it is not obtained from external access.

(3) In the present embodiment, the management file 124 on the RAM 12 can be countered against access from the OS or the like using a privilege level. However, if the management file 12 loaded from the HD 11 is normal, it is exceptional. A protection function is not provided, or other protection functions may be used.

(4) Note that the method of executing the specific AP 1352 due to the page fault is not limited to the mode in which the management file is loaded from the HD 11, and the patent documents 3 and 4, PCT / JP2010 / 68346, Japan by the present applicant. The external boot technique described in Patent Application 2011-235386 may be adopted.

(5) In the above-described embodiment, the example using the BIOS has been described. However, the present invention is also applicable to the case where a next-generation UEFI (Unified Extensible Firmware Interface) is used.

  In UEFI, the current MBR and PT are not used, and a new configuration called GPT (GUID partition table) is used instead of PT. In GPT, sectors LBA1 to LBA33 are used. LBA1 stores the first GPT header and defines the range of HD11 that can be used by the user. In LBA1, the number and size of GPT entries (having definition information for each partition) are defined. Also, the position and size of the second GPT (always set to the last sector of the HD 11) to be replaced when an abnormality occurs in the first GPT are also held. Further, the checksum value of the GPT itself is also held in the GPT header so that the contents of the GPT are not falsified. The GPT entry describes the definition of each partition.

  When the management file according to the present invention is installed in a terminal using GPT, the installation timing is before the second GPT and after the final partition. In this case, the end sector position of the last partition of the first GPT may be rewritten, and at the same time, the checksum value may be recalculated and the value of the first GPT header may be rewritten to maintain consistency. At the same time, the value of the second GPT (or the first GPT) may be backed up in the management file area according to the present invention, and the second GPT may be rewritten in the same manner as the first GPT.

  The subsequent operation can be handled by hooking and rewriting the value such as REGHDFIS of HD11 when referring to the GPT.

(6) Further, in the present embodiment, protection of a management file as an example of specific file information is taken as an example, but the protection target is not limited to that as described later. Usually, data in a partition can be accessed from an OS or an application. Security data such as creation data, e-mail, anti-virus software and firewall, as well as key information used for encryption and encryption logic are also stored in the HD partition. On the other hand, being accessible from the OS means that it can also be accessed from viruses such as malware. On the other hand, the isolation protection area outside the partition created by the present technology cannot be accessed from the OS or application. This means that the area cannot be accessed from viruses. This protects specific file information such as IDs, passwords, encryption key information, encryption logic, security software, Firewall, confidential information and emails from viruses (under high security) It is possible to memorize. In addition, the present invention is not limited to a personal computer, and can be similarly applied to an information processing apparatus such as a copier, a smartphone, or a tablet having a configuration of CPU and HD (including SSD).

1 terminal (information processing equipment)
10 CPU
1002 Installation processing unit 11 HD (hard disk)
110 MBR
111 Partition table 11A Memory chip (memory member)
12 RAM (main memory)
1011 Dedicated loader processing unit 1012 Management file operation environment setting unit 1013 OS loader processing unit 2B Installer 22 Installation program memory 24 Management file memory 122 Dedicated loader 124 Management file

Claims (12)

MBR in the first sector, at least the OS stored on the rear side thereof, a memory member that is associated with the hard disk and stores at least the total capacity information of the hard disk, a CPU, and the MBR of the MBR by the CPU In an information processing apparatus including a main memory from which the storage contents of the hard disk are read out after being activated,
The hard disk is sequentially divided into at least one partition after the first sector, and a management file is stored in the rear area of the end sector of the last partition,
The MBR stores a partition table in which information on the first sector and the end sector of each partition is written, and a dedicated loader that first reads the management file into the main memory when the information processing apparatus is activated,
When the read command for the total capacity information stored in the memory member is generated after the information processing apparatus is activated, the management file stores the information read corresponding to the command in the final partition. An information processing apparatus comprising a processing program for rewriting information of an end sector. The information processing apparatus according to claim 1, wherein the management file is set to a privilege level relatively lower than that of the OS on the main memory. 3. The information processing apparatus according to claim 1, wherein the dedicated loader is obtained by rewriting a bootstrap loader previously stored in the MBR. 4. 4. The information processing apparatus according to claim 3, wherein the bootstrap loader previously stored in the MBR is saved in a region behind the end sector of the final partition before the dedicated loader is written. . 5. The information processing apparatus according to claim 1, wherein an end sector of the final partition is narrowed from an original sector to a head side when the management file is stored. 6. The information processing apparatus according to claim 1, wherein the management file storage area is an entire area on the rear side of an end sector of the final partition. 7. The management file according to claim 1, wherein the management file calculates an end sector of the final partition by subtracting the entire area behind the end sector of the final partition from the total capacity information. The information processing apparatus according to any one of the above. The management file is a file for rewriting the information by executing an interrupt in response to a read command for the total capacity information stored in the memory member. The information processing apparatus according to any one of 7. 9. The information processing apparatus according to claim 8, wherein the interrupt is performed in response to an access by the CPU to a data register corresponding to the memory member in an I / O port. The interrupt is performed by the CPU corresponding to the memory member of the memory mapped I / O by receiving one of a debug exception, a page fault, and a hardware interrupt. The information processing apparatus according to claim 8. A method of installing a file by using an installer on a hard disk partitioned into partitions in which MBR is stored in a head sector and at least one OS is stored after the head sector,
The file is associated with the hard disk, and when a read command for the total capacity information from a memory member in which the total capacity information of the hard disk is stored is generated after the information processing apparatus on which the hard disk is mounted, A management file having a processing program for rewriting information read in response to the command to information on the end sector of the final partition;
Moving the end sector of the last partition to the start side by a capacity corresponding to at least the capacity of the file, and setting a new end sector;
Storing the file from the new end sector toward the end;
Rewriting the end sector of the last partition written in the MBR to a new last sector;
And a step of writing a dedicated loader that first reads the file into the main memory of the information processing apparatus when the information processing apparatus is activated. 12. The file installation method according to claim 11, wherein the dedicated loader is obtained by rewriting a bootstrap loader previously stored in the MBR.

Images