JP2015166952A - Information processor, information processing monitoring method, program and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent an illegal program from entering a kernel even when resources are accessed through execution of the illegal program, by detecting such access.SOLUTION: A virtual machine monitor 32 includes: a hook processing unit 322 that hooks and exits issuance of a Syscall order to a kernel for making a processing request to resources; a correctness evaluation unit 325 that evaluates correctness of the Syscall order hooked by the hook processing unit 322; and a processing unit 326 that issues an order for processing corresponding to an evaluation result.

Description

  The present invention relates to a technique for monitoring an information processing operation executed by a processor.

  In recent years, the security of a computer has been greatly impaired by rewriting a file or changing a system setting by a malicious program (hereinafter referred to as a malicious program) created with the intention of performing an illegal and harmful operation. The behavior of the malicious program is to obtain the privilege level (ring 0) by intruding on the access to the kernel space resource from the user mode accompanying the execution of the application program (AP) after entering the memory in the computer from the outside. Thereafter, the intended fraud can be executed by controlling the resource control. Today, various types of compatible software that monitors the execution of malicious programs and regulates illegal operations have been proposed.

  Japanese Patent Application Laid-Open No. 2004-151867 discloses a step of detecting activation of an application, a step of temporarily suspending a processing request for a resource issued from the activated application, and a case where the activated application is a regular application in order to limit use of the API. An application for preventing information leakage of resources, comprising: a step of authenticating whether or not the application is activated; and a step of permitting processing based on the temporarily suspended processing request only when the authentication result of the activated application is successful The monitoring method is described.

  In Patent Document 2, when an application executed on a computer accesses information stored in a storage device such as a hard disk HDD, the application is hooked using an operating system (OS) hook function in advance. The determination unit determines whether or not the set access permission condition is satisfied, and if it is determined that the virus or the like is unauthorized access, the information leakage of the computer prohibiting the transfer of the information stored in the storage device to the application A prevention system is described.

  In Patent Document 3, a virtual machine monitor (VMM) is executed on a computer, so that a plurality of operation systems (OS) can be independently executed as guest virtual machines (VMs). A technique for monitoring the behavior of guest software is described. That is, when a certain fault event with privilege occurs during VM operation, or when the guest software tries to access a resource with privilege (ring 0), the control of the processor is shifted to the VMM. (Referred to as VM termination). Subsequent to this VM termination, the VMM to which control has been transferred is caused to execute various processes, and thereafter control can be returned to the guest software (VM entry). At this time, the processor privileged the current privilege level of the guest VM to determine whether VM termination should occur based on the privilege level termination criteria stored in the VMCS specified by the VMM. If the level monitoring logic (PLML) evaluates and then PLML determines that the current guest privilege level meets the privilege level exit criteria, the processing logic is responsible for VM termination from the guest software to the VMM.

JP 2003-108253 A JP 2007-140798 A JP 2006-24207 A

  In the application monitoring method for preventing information leakage of resources described in Patent Document 1, since the filter module and the authentication module for hooking are provided in the same process space as the application, the hook operation by these modules is performed. And there is a big problem in both reliability of authentication operation. In addition, since the hash values of the hooked application and the pre-registered application are authenticated by collation, and this authentication is unsuccessful, the application is forcibly terminated or notified to the administrator. There is a problem that the operation of may stop.

  The information leakage prevention system described in Patent Document 2 is intended for functions related to input / output of a file system. As an access permission condition, an operation such as writing of file data input via a computer user interface is performed. By utilizing predetermined check items such as IO type, application name, data file name, execution constraint condition (date, range, etc.) of the execution program, the file system itself has a virus monitoring function according to user settings. The judgment function is retained. Therefore, there is a limit to appropriately monitoring the entire process of accessing kernel space resources from the user space without relating to reading of file data.

  Further, the invention described in Patent Document 3 is based on the current privilege level for determining whether or not to end a VM, and does not suggest a countermeasure against an intrusion process of a malicious program into hardware resources.

  The present invention has been made in view of the above, and detects an access instruction to the kernel for a processing request for a resource, evaluates whether the access instruction is correct, and issues a treatment instruction according to the evaluation result. An information processing apparatus, an information processing monitoring method, a program, and a recording medium are provided.

  An information processing apparatus according to the present invention includes: a detection unit that detects issuance of an access instruction to a kernel for a processing request for a resource; an evaluation unit that evaluates whether the access instruction detected by the detection unit is correct; And a treatment means for issuing a treatment instruction according to the result. In addition, a program and a recording medium for causing a processor to function as each means are used as an information processing monitoring method.

  According to these inventions, when an access instruction to the kernel for a processing request for a resource is issued, this access instruction is detected by the detecting means. The detection includes a violation of privileged instructions and a method using a virtual machine monitor. The access command detected by the detection means is evaluated for correctness by the evaluation means. Evaluation is done in a way that relates to the potential for malware. Then, a treatment instruction according to the evaluation result is issued by the treatment means. The evaluation result assumes both when the evaluation is valid and when it is invalid. In either case, a new instruction is issued by the treatment means, and the original access instruction from the issuer is not used. Yes. Therefore, intrusion of resources through the kernel of the malicious program and further hiding are prevented.

  Further, it is preferable to provide invalidation means for invalidating the access command. Although the method of changing the content of the detected access instruction or rewriting it immediately after being accessed as it is can be considered (the aspect included in claim 1), more preferably, the original access instruction is invalidated by invalidating means. By doing so, the risk of malware infection is further suppressed.

  A virtual machine monitor that monitors the operation of the virtual machine, wherein the detection unit, the evaluation unit, and the treatment unit are provided in the virtual machine monitor, and the detection unit issues the access command from the virtual machine; It is preferable to shift the control to the virtual machine monitor at the time of being performed. According to this configuration, since the access instruction from the virtual machine is monitored by the virtual machine monitor, the kernel of the virtual machine can be loaded and executed as it is without changing the privileged instruction.

  It is preferable that invalid means for invalidating the access command is provided in the virtual machine monitor. According to this configuration, by invalidating the original access instruction, the risk of unauthorized program infection is further suppressed.

  Moreover, it is preferable that the detection means detects the access instruction as an invalid opcode violation. According to this configuration, it is possible to reliably detect a problem access instruction.

  Further, it is preferable that the access instruction is a syscall instruction, and the evaluation unit evaluates whether the access instruction is correct or not based on collation with information related to an API constituting the syscall instruction. According to this configuration, information relating to an API (Application Programming Interface) that configures the syscall, such as attributes, storage location, and source, is detected by paying attention to a syscall instruction that allows the application program to access the resource. Therefore, it is evaluated whether the program is an unauthorized program.

  Further, when the evaluation means determines that the access instruction is valid, the processing means issues the same content as the access instruction to the kernel, and when the evaluation means determines that the access instruction is illegal, Preferably, an instruction that passes through the access instruction is issued to the kernel, or an instruction that skips the access instruction is returned to the issuer of the access instruction. According to this configuration, even if the access command is valid or illegal, a new command is created by the treatment means, so that the risk of unauthorized program infection is suppressed.

  According to the present invention, even when a resource is accessed by executing a malicious program, the access can be detected and the malicious program can be prevented from entering the resource through the kernel.

It is a block diagram which shows one Embodiment of the information processing apparatus which concerns on this invention. FIG. 2 is an example of a functional configuration diagram when the information processing apparatus of FIG. 1 is applied to a virtual machine. It is explanatory drawing which shows the procedure of a monitoring process. It is a functional block diagram which shows an example of the monitoring software which VMM performs. It is a flowchart which shows an example of starting processing. It is a flowchart which shows an example of a Syscall monitoring process. It is a flowchart which shows an example of a MSR monitoring process. It is a flowchart which shows an example of a log process. It is a flowchart which shows an example of an environmental monitoring process.

  FIG. 1 is a configuration diagram showing an embodiment of an information processing apparatus according to the present invention. The information processing apparatus 1 to which the present invention is applied includes a server apparatus incorporating a computer, a general-purpose personal computer, a portable information processing terminal, and various information processing apparatuses having a function of communicating via a network. Including.

  The information processing apparatus 1 is configured by a microcomputer, and includes a hardware unit (HW) 10 as a chip set including a CPU (Central Processing Unit) 11 as a processor. The CPU 10 includes an auxiliary storage device 20 including a flash ROM (Read Only Memory) 21 and a hard disk drive (HDD) 22, a RAM (Random Access Memory) 30, an input unit 40, an output unit 50, and necessary via a bus BA. It is connected to a log storage unit 60 provided accordingly.

  The flash ROM 21 stores a BIOS (Basic Input / Output System). The HDD 22 stores various programs and necessary data. In the present embodiment, an example in which the information processing apparatus 1 is applied to a virtual machine will be described. As shown in FIG. 2, various programs stored in the HDD 22 construct a virtual machine environment including a hardware unit (HW) 10 and software (SW) representing functions read (loaded) into the RAM 30. Each program and data necessary to do this are included. Details will be described with reference to FIG.

  The RAM 30 is loaded with a program or the like stored in the auxiliary storage device 20 when the information processing apparatus 1 is activated, and temporarily stores information being processed. The information processing apparatus 1 functions as various processing execution units as shown in FIG. 4 when a program or the like stored in the auxiliary storage device 20 is loaded into the RAM 30 and executed by the CPU 11.

  The input unit 40 includes a keyboard, a mouse, a touch panel, and the like provided with a numeric keypad and the like, and inputs required information and instructs processing. The output unit 50 is assumed to be a display unit that displays an image. The output unit 50 may be a printer unit, a communication unit that is connected to a network such as the Internet, and exchanges information. As will be described later, the log storage unit 60 has a history (program) of access (Syscall, Sysenter, call gate, etc.) by a privileged instruction that is a processing request for a resource, which occurs during the operation of the information processing apparatus 1, and the instruction. A log of the processing contents related to is recorded over time.

  FIG. 2 shows an example of a functional configuration diagram when the information processing apparatus 1 is applied to a virtual machine. A hardware unit (HW) 10 including a CPU 11 and a software unit (SW) loaded in the RAM 30 are shown. Consists of.

  The hardware unit 10 includes a CPU 11 as a processor, a virtualization support technology 12 (VT), a VMCS (Virtual Machine Control Structure) 13 which is a control mechanism for each virtual machine configured by a RAM (Random Access Memory) and the like. And an EPT (Extended Page Table) 14 comprising a RAM. The hardware unit 10 includes a flag register indicating the current state of the CPU 11, an MSR (Model Specific Register) 1111, a general-purpose register 1112 for storing data, an index register or a special register related to memory addressing, It has a register group 111 including segment registers related to the memory management system. In the register group 111, as described above, the operation state of the CPU 11, flags and data indicating operation instructions are set.

  The software unit (SW) includes a virtual machine VM31 that is one or more guest OSs (guest software) and a virtual machine monitor VMM32 that is a host OS (host software). In FIG. 2, two virtual machines VM and VM-2 are shown, but the following description will be made with the virtual machine VM31 as a representative.

  The VMM 32 that is host software is stored in the HDD 22 in the auxiliary storage device 20, and is loaded from the HDD 22 to a predetermined area (area A, see FIG. 3) from the HDD 22 upon activation of the information processing apparatus 1. The VMM 32 includes monitoring software according to the present invention (see FIG. 3), and is loaded together with the loading of the VMM 32. The guest software of the VM 31 that is a virtual machine is loaded into a predetermined area of the RAM 30 under the management of the loaded VMM 32. When loading the VM 31, a system table including a GDT (Global Descriptor Table) for operating the guest software of the VM 31, an IDT (Interrupt Descriptor Table), and a PTE (Page Table Entry) for converting a linear address from the GDT into a physical address. 31A is created.

  As shown in FIG. 3, the VM 31 is an operating system OS (mainly a kernel) 311 and various application programs that operate under the environment of the kernel 311 as guest software, AP (1) 312 to AP (n). 313 is included. The kernel 311 is stored in the area B of the RAM 30 as shown in FIG. Furthermore, a dynamic link library dll (dynamic link) which is a dynamic list of API (Application Programming Interface) which is a function for executing access from the AP (1) 312 to AP (n) 313 to the OS (kernel) 311. library) (API) 314. AP (1) 312 to AP (n) 313 and dll (API) 314 are stored in the area C of the RAM 30 as shown in FIG. The API structure issued by the dll (API) 314 and issued to the kernel 311 at the privilege level 0 at the time of processing request to the resource is called a Syscall instruction.

  The API is a specification that defines procedures and data formats for calling various functions (software) that can be commonly used by a plurality of programs. dll (API) refers to a shared library in which programs implemented in a modular manner are combined at the time of execution by dynamic linking.

  FIG. 4 is a functional configuration diagram illustrating an example of monitoring software executed by the VMM 32. The VMM 32 executes processing by a program and hardware loaded in the RAM 30, thereby executing a load processing unit 321, a hook processing unit 322, a mode switching unit 323, a hook content analysis unit 324, a correctness evaluation unit 325, a treatment unit 326, It functions as an environment monitoring unit 327 and a log processing unit 328.

  The load processing unit 321 starts up the host software of the VMM 32 loaded into the RAM 30 by the MBR (Master Boot Record) loaded from the HDD 22 into the RAM 30, sets the VMM 32 environment, loads the kernel 311, etc., and loads Monitor inside. In the above, the VMM 32 creates its own system table when it is loaded into the area A of the RAM 30, and sets a high privilege level 0 (ring 0) for GDT and PTE. Further, the VMM 32 loads the kernel 311 at the privilege level 0 (ring 0), and loads the AP (1) 312-AP (n) 313 and dll 314 at the privilege level 3 (ring 3) as usual. Furthermore, the physical address that becomes the work area is also set in each of the areas B and C other than the load area of the VMM 32.

  The VMM 32 includes software and data for executing various functions to be described later, and controls the operation of the VM 31 using the register group 111 and the data area of the VMCS 13. More specifically, the VMM 32 generally (1) sets the transition program (and return program) to the mode in which the guest software is executed as the VM 31, and (2) passes the control of the CPU 11 to the VMM 32 and enters the VMXroot mode. Instruction, conversely, the process of passing the control of the CPU 11 to the VM 31 and setting the Entry instruction in the VMX non-root mode in the VT 12, (3) the problem instruction that affects the virtualization in the various guest software executed by the VM 31 ( (Fault event), other exceptions, instructions to be interrupted, etc. are set in the register group 111 for each hook target. (4) Register group 111 in the chipset (for example, instruction pointer EIP (InstructionPointer ), MSR1111, etc.) The register contents (flags and values indicating the state) during 31 operation and the physical address-physical address conversion table contents during VM 31 operation and the contents written in the EPT 14 are changed every time the VMXroot mode and the VMXnon-root mode are switched. , Saving and loading (corresponding to loading to the register group 111 of the CPU 11) is performed in the corresponding area in the VMCS 13 (note that saving and loading to the MSR 1111 are performed only by the register group 111. ) Program processing, and (5) The VMCS 13 has a function of setting to the VT 12 the monitoring function of whether or not each command set in (3) is issued by the VMCS 13 during the operation of the VM 31.

  The VMCS 13 is a data structure for holding the contents of the register group 111, the EPT 14, and the like at the time of Entry / Exit and controlling the behavior. In the guest-side list 131 in the VMCS 13, the contents set in (3) above, that is, all the matching data corresponding to the exit cause are set. Exit causes include various exceptions, interrupts, invalid opcode violations, and the like. In this embodiment, access in the privileged ring 0 that issues a processing request to the above-described resource, in this case, the Syscall instruction is set as an invalid opcode fault. An invalid opcode violation is, for example, when there is no valid computer instruction or when the processor attempts to execute an instruction that contains an invalid operand. Depending on the type of invalid opcode violation, the violation cannot be recovered, that is, the system Forced to restart or shut down. Since the access means for processing requests to the resource is the Syscall instruction, in consideration of the possibility of unauthorized programs being involved in the Syscall instruction (latency etc.), in this embodiment, the Syscall instruction is uniformly invalid opcode. The target of the hook is a violation.

  More specifically, the hook processing unit 322 sets a disable hook condition for a register related to the Syscall instruction in the MSR 1111 of the register group 111 in addition to (3) to (5) of the functions performed by the VMM 32. I do. During the operation of the VM 31, as shown in FIG. 3, for example, when the AP (1) 312 issues a processing request to a predetermined resource, it accesses the dll (API) 314 (see FIG. 3, step (1)). ), Construct an API and create a Syscall instruction (see FIG. 3, step (2)). Next, the Syscall instruction accesses the kernel 311 at the privilege level 0 (see FIG. 3, step (3)). At this time, when the Syscall instruction is issued, the hook processing unit 322 is hooked as an invalid opcode violation. As a result of the invalid opcode violation being set in the list 131 of the VMCS 13, an Exit instruction is sent to the CPU 11 by collation by the monitoring logic of the VT12. The mode switching unit 323 causes the control of the CPU 11 to transition to the VMXroot mode (see FIG. 3, step (4)). The VT 12 is a virtualization support technology configured by hardware that can execute the VMM 32. The VT 12 saves in the VMCS 13 the state of the VM 31 at the time of receiving the Exit instruction, for example, the content of the invalid opcode violation that caused the Exit.

  By the way, since there is a target other than the Syscall instruction that is an invalid opcode violation, the cause of the Exit and further analysis of the Syscall instruction are performed by the VMM 32 that has transitioned to the VMXroot mode when the VT 12 has generated an Exit. In other words, the Syscall instruction is uniformly invalidated immediately after Exit (for example, discarding the Syscall instruction itself), and the processing unit 326 of the VMM 32 performs the following processing according to the evaluation result of the correctness (validity). (Refer to FIG. 3, steps (51) and (52)). Next, the mode switching unit 323 of the VMM 32 receives the Entry command via the VT 12 and transitions to the VMXnon-root mode.

  When the VMM 32 receives the Exit command, the mode switching unit 323 makes a transition to the VMXroot mode, and the hook content analysis unit 324 analyzes the program command causing the Exit issuance. The hook content analysis unit 324 refers to the EXIT Reason (cause of Exit) saved in the VMCS 13 when an Exit occurs, and recognizes that, for example, an invalid opcode violation has occurred. Further, the hook content analysis unit 324 refers to the data of the instruction pointer EIP saved in the VMCS 13, that is, the execution address of the instruction in which the invalid opcode violation has occurred, and determines whether or not the cause is the Syscall instruction.

  Further, when the cause is a Syscall instruction, the correctness evaluation unit 325 saves, for example, each register of eax, ebx, ecx, edx, etc. in the general-purpose register 1112 saved in the VMCS 13 at that time and the previous processing contents. Whether the call function of the kernel 311 and its parameters are correct or not is determined from the contents of the stored stack (such as the code of the Syscall instruction). Here, correct / invalid relates to the evaluation of the possibility of a Syscall instruction being issued by an unauthorized program. Note that, for example, the correctness evaluation unit 325 of the VMM 32 sets a command that invalidates writing to the physical address that is the execution destination of the Syscall instruction at this time. Alternatively, the invalid command may be set when another processing unit, for example, the hook processing unit 322 determines that the invalid opcode violation is detected or at the time of Exit.

  Whether the call function of the kernel 311 and its parameters are correct or not by the correctness evaluation unit 325 is determined based on the attributes of the reference information 32A in the VMM 32 and the process management information 31B loaded in the load area of the VM 31. For example, the verification is performed by using the information. In the reference information 32A, candidates with high injustice are set in the API codes constituting the Syscall instruction. Examples of API candidates with high injustices include: (a) APIs that are not used or unpublished at present, (b) Reading / writing (tampering and falsification) to files under C: ¥ WINDOWS (registered trademark) and C: ¥ ProgramFiles. (C) control of authority (Token) granted from the kernel (for example, request for promotion from user authority to administrator authority). In addition, the process management information 31B refers to a PCR (Processor Control Region) that describes the relationship between threads and processes for AP (1) 312 to AP (n) 313, and (a) APs that are permitted to operate. (For example, whether or not the AP path (folder) is a folder for which installation is permitted), and (b) whether the data write destination folder is a folder for which writing is permitted. To do. Also, (c) the process (application program) from which the API is issued is distinguished, for example, whether a process without communication issuance has issued a communication API, (d) the process that has issued the communication API Including contents that distinguish whether or not a process generated by a process operated by a person depends on an artificial operation via the input unit 40 or on a program (generally, It is preferable to be able to distinguish whether the program is a malicious program. The correctness evaluation unit 325 determines correctness by referring to at least the information of the reference information 32A in the reference information 32A and the process management information 31B.

  When it is determined that the evaluation result is valid, the treatment unit 326 performs processing on behalf of transferring control to the kernel 311 (see FIG. 3, step (51)). In the proxy process for transferring control to the kernel 311, the instruction pointer EIP of the VMCS 13 is rewritten to the entry point of the kernel 311 and the contents of the stack of the entry point are rewritten to instruct the VT 12 to issue the Entry instruction. The treatment unit 326 issues the same content as the Syscall instruction invalidated as an invalid opcode violation as an instruction for controlling the kernel 311.

  On the other hand, if the treatment unit 326 determines that it is illegal, the control unit 326 shifts the control to the kernel 311 (see FIG. 3, step (52)) or returns the next instruction following the Syscall instruction to the issuing AP ( (See FIG. 3, step (52-2)). The procedure for transferring control to the kernel 311 is performed in the same manner as in the case of justification. Note that the Syscall instruction created by the treatment unit 326 instructs to forcibly terminate the program, that is, returns without performing any processing (through). Also, in the process of returning the next instruction following the Syscall instruction to the issuing AP, the number of bytes of the Syscall instruction is added and the VT 12 is instructed to issue the Entry instruction. By returning to the address added by the number of bytes of the Syscall instruction and performing Entry, control is returned to the subsequent instruction in the same manner as when the Syscall instruction is skipped.

  When the VM 31 is in operation, the environment monitoring unit 327 sets to exit when it receives a write instruction access to a register related to the Syscall instruction in the MSR 1111. That is, the write instruction wrmsr to the register related to the Syscall instruction in the MSR 1111 is included in the list 131 of the VMCS 13 so as to be an Exit target. Since the VMM 32 operates the kernel 311 of the VM 31 as the ring 0, the privileged instruction is not an exception. Therefore, it is necessary to use the Exit function of the VMM 32. When the kernel of the VM 31 issues a wrmsr instruction for writing to a register relating to the Syscall instruction in the MSR 1111, an Exit instruction is issued by the VT 12, and the mode of the CPU 11 is switched to the VMX-root mode. In this mode, the environment monitoring unit 327 refers to the EXIT Reason (exit cause) stored in the VMCS 13 at the time of Exit and determines whether the cause is a wrmsr instruction by the kernel. When the cause of the exit is the wrmsr instruction, the environment monitoring unit 327 writes 0 in the Disable bit of the corresponding register in the MSR 1111. Further, the environment monitoring unit 327 adds the number of bytes of the wrmsr instruction to the EIP of the VMCS 13 and issues an Entry (vmresume instruction) to return control to the VM 31, thereby issuing the next rmsr instruction following the VM 31. Return control to the instruction. As a result, it is possible to prevent the CPU 11 during the operation of the VM 31 from performing an invalid write command to the register related to the Syscall instruction in the MSR 1111 by performing the write instruction invalidation process. As a result, the Syscall instruction It is possible to maintain the MSR 1111 monitorable state for setting an Exit as an invalid opcode violation.

  By the way, since the management of the register group 111 and the like is in the CPU 11 that controls the VM 31 while the VM 31 is in operation, the contents of a specific register or the like in the register group 111 may be rewritten by a malicious program. Therefore, the environment monitoring unit 327 sets the list 131 as an Exit target so that when a write access to a specific register or the like in the register group 111 is issued, an Exit instruction is issued for this access. . As a result, a write access instruction to a specific register or the like is hooked by the list 131 of the VMCS 13 and the Exit instruction is issued by the VT 12. The specific register or the like is a register (and VMCS 13) in which a basic environment setting value required for the operation of the CPU 11 is set. The basic environment setting values include the following. The environment monitoring unit 327 exits access to a specific register or the like in which these environment setting values are set, in particular, write access as a general protection exception or invalid opcode violation, etc. After transitioning to the root mode to prevent access (invalid, prohibited, or restored), the entry is made to return to the VMXnon-root mode.

  Basic environment setting values include (1) OS (kernel) environment setting values indicating process management information (PCR, PRCB, ETHREAD, EPROCESS, etc. of Windows (registered trademark) OS), and (2) control register (CR0 , CR4, CR3), the debug register (DR0 to DR7), the MSR (IA32E_EFER, etc.), and the environment setting value of the CPU 11 for exiting and monitoring the access to the GDTR, IDTR, and LDTR by the setting of the VMCS 13, (3) By setting the VMCS 13, the CPU 31 exits with the threshold value of the clock (Clock) count of the CPU 11, and the CPU clock for switching to the Effective of the VMM 32 (checking the kernel state of the VM 31 or checking the PTE) Environment setting value, (4) VMCS created for each VM is created in the physical memory area in the VMM 32, and is not usable from the VM side . In consideration of forced access to this unusable area, access monitoring is performed by EPT. Also, an environment setting value of the VMCS 13 for exiting an access instruction (vmread, vmwrite) to the VMCS, (5) an environment setting value of an API for monitoring parameters and data immediately before requesting the kernel and immediately after returning from the kernel, ( 6) Standardized computer power control and hardware components, ACPI (Advanced Configuration and Power Interface) environment setting values for obscure the physical memory map configured by the VMM 32 in the VM 31, (7) The VM 31 BIOS jump instruction environment setting value for hooking the real mode interrupt vector for the purpose of preventing tampering and unauthorized use of the BIOS Function used using software interrupts in real mode, (8) “ If you try to change the CPU 11 environment setting value, ignore the command And unloads also include configuration settings of Kernel Driver for inhibiting loading of the driver from the application.

  In addition, the log processing unit 328 stores all the program contents when the cause of Exit set in the list 131 occurs in the log storage unit 60 in the chronological direction. Preferably, it is stored including occurrence time information. When the log storage unit 60 is positioned as a data server device via a network such as the Internet, the log storage unit 60 is transmitted with the transmission source IP address stored therein. In the case of an external data server device, log management for each information processing device can be performed by sorting by IP address. The log information only needs to include at least a Syscall instruction for invalid opcode violation. In addition, the function of the log processing unit 328 is illegal in a mode unrelated to the functional parts of the hook content analysis unit 324 to the treatment unit 326 and the environmental monitoring unit 327, or in a mode unrelated to the functional parts of the environmental monitoring unit 327. A problem solving means for storing a log of accesses with the possibility of program behavior is configured. In this case, the Syscall instruction may be an Exit target other than an invalid opcode violation. Then, the contents saved at the time of Exit may be taken into the log storage unit 60. As described above, all the programs that cause Exit in a specific range are stored for log storage under the management of the VMM 32, so that the storage is performed appropriately. Conventionally, for example, in Japanese Patent Application Laid-Open No. 2012-194814, the VMM memory access monitoring unit 31 stores data for each of a read command and a write command related to a deployment process executed on a virtual memory (not shown) by the monitored process 50. Is described, which makes it possible to increase the efficiency of work related to unpacking by acquiring a memory address from which data is read / written, a value of data read / written, a program counter, and the like as a log. On the other hand, according to the present embodiment, by analyzing the saved contents of the log storage unit 60 later, it is possible to provide a reliable and appropriate post-mortem analysis when there is an abnormal operation or processing. Also, through analysis, it can be used as a lesson for later learning, leading to fraud deterrence effects.

  Note that the log target information in this embodiment includes at least one or all of a process list, a file I / O log, a network transmission / reception log, an environment setting value access log, and monitoring and logging contents. In the process list, the executed program is managed as a process by the OS and stored in the PCR. Since the executed process always interacts with the kernel 311 via Syscall, a list of executed processes can be acquired. The acquired information includes, for example, a program file name and its path, a process ID, and a startup time. By acquiring these, it is possible to determine whether unknown or unnecessary programs are being executed. Further, it can be determined from the acquired information whether the program is abnormal.

  The file I / O log obtains the file I / O request from the API function number (register eax) at the time of Syscall, and uses the parameter value (contents of the general-purpose register 1112 and data in the stack) to determine the file path and its Acquired as an operation (read / write). The acquisition information includes, for example, a file path, an operation method (writing or reading), and a process ID. By acquiring these, it is possible to determine the presence or absence of fraud from the writing of the program file and the operation on the system folder or a user-specified specific folder.

  The network transmission / reception log acquires transmission / reception requests from the API function number (register eax) at the time of Syscall and Sysret, and transmits / receives data and operation (connect, send) from its parameter values (contents of general-purpose register 1112 and data in the stack). , Receive, accept). The acquired information includes, for example, operation methods (connect, send, receive, accept), transmission / reception data, transmission / reception ports, and transmission / reception IP addresses (IPV4 and IPV6). By acquiring these, transmission / reception operations that are the basis of information leakage can be monitored. Further, unauthorized access can be traced based on the transmission destination IP address and the reception source IP address. Furthermore, it enables protection based on analysis of transmitted / received data.

  The environment setting value access log is acquired as monitored content because access to the environment setting value is monitored because an unauthorized operation from the kernel mode does not pass through Syscall. Acquisition information includes, for example, access to MSR1111 and its contents, access to and contents of control registers (CR0, CR2, and CR4), access to and contents of debug registers, execution of cache control instructions, execution of CPUID instructions , Execution of VMM extension instructions (including VMCS access instructions), access to VMM execution memory space (including VMCS13), access to page table PML4, execution of software interrupt instructions, CPU system tables (GDT, IDT, LDT, TSS) access and load instruction, execution EIP and its module name (kernel program or kernel driver), and interrupt to unused interrupt vector and interrupt destination execution code.

  The monitoring and logging contents include access to a physical address of 1 Mbyte or less. Since this is an area that is not used after the OS is started, it can be regarded as unauthorized use. Access to the physical address ACPI management table can be regarded as unauthorized acquisition of terminal information. In the device access (MMIO) physical address setting for all page tables, it can be determined that direct device access from other than the kernel is illegal. The comparison of the kernel program area can check the alteration of the kernel program.

  FIG. 5 is a flowchart illustrating an example of a startup process of the information processing apparatus 1. When the information processing apparatus 1 is powered on, the BIOS is loaded from the flash ROM 21 to a predetermined area of the RAM 30, and then the BIOS is activated (step S1). The BIOS loads the MBR from the HDD 22 to the RAM 30, the active first partition of the HDD 22 is designated by this MBR, and the host software of the VMM 32 stored therein is loaded into the area A of the RAM 30 as described above. Then, a part of the OS loader is started (step S3). The OS (kernel) of each VM is loaded by the OS loader as described above and sequentially activated (step S5), and then the application software AP is loaded for each VM as described above (step S7). This completes the startup process.

  FIG. 6 is a flowchart illustrating an example of the Syscall monitoring process. First, the VMM 32 is in an activated state, and the VMM 32 creates the VMCS 13 to enter the VM to be operated (here, the VM 31) and switches to the VMX non-root mode (step S11). When an access that violates an invalid opcode, such as a Syscall instruction, is issued while the VM 312 is operating, the instruction is hooked (step S13). Since the invalid opcode violation is set as an Exit target in the list 131 of the VMCS 13, Exit is issued, and the CPU 11 transitions to the VMXroot mode (step S15). Next, the hook content analysis unit 324 analyzes the invalid opcode causing the Exit (step S17). As a result of the analysis, if the cause is other than the Syscall instruction (NO in step S19), a corresponding process for other invalid opcodes is performed (step S21).

  On the other hand, if the cause is a Syscall instruction (Yes in step S19), the correctness evaluation unit 325 evaluates the correctness (step S23), and the treatment unit 326 executes a corresponding process according to the evaluation result (step S25). . Next, when the VMM 32 issues a transition instruction to the VMX non-root mode, the VT 12 performs an entry process (step S27), and the control of the CPU 11 returns to the VM 31. Then, it is determined whether or not the operation state of the VM 31 has ended (step S29). If it has not ended, the process returns to step S13, and if it has ended, this flow is exited.

  FIG. 7 is a flowchart illustrating an example of the MSR monitoring process. First, as in step S11, the mode is switched to the VMXnon-root mode (step S41). When an access to be hooked, for example, a wrmsr instruction for writing to a register relating to a Syscall instruction in the MSR 1111 is issued during the operation of the VM 31, the instruction is hooked (step S43). Since this instruction is an access that matches the contents set in the list 131, Exit is issued by the VT 12, and the CPU 11 shifts to the VMXroot mode (step S45). Next, an analysis referring to EXITReason (cause of Exit) is performed (step S47). As a result of the analysis, if the cause is other than the wrmsr instruction by the kernel (NO in step S49), other corresponding processing is performed (step S51).

  On the other hand, when the cause is the wrmsr instruction by the kernel (Yes in step S49), the environment monitoring unit 327 executes the above-described write instruction invalidation process (step S53). Next, when the VMM 32 issues a transition instruction to the VMX non-root mode, the VT 12 performs an entry process (step S55), and the control of the CPU 11 returns to the VM 31. Then, it is determined whether or not the operation state of the VM 31 has ended (step S57). If it has not ended, the process returns to step S43, and if it has ended, this flow is exited.

  FIG. 8 is a flowchart illustrating an example of log processing. First, it is determined whether or not the Syscall instruction is hooked (step S71), and if it is not hooked, this flow is exited. On the other hand, when hooked, the Exit process is executed via the VT 12 as described above (step S73), and the control of the CPU 11 shifts to the VMM 32. The VMM 32 reads and records the cause of the Exit occurrence in the log storage unit 60 with reference to the VMCS 13 (step S75). Next, the Entry process is executed (Step S77), and the same log process is continued until the operation of the VM 31 ends (NO in Step S79). Here, the Syscall instruction is a log target, but the same applies to a case where a specific hook reason, for example, an instruction corresponding to an invalid opcode violation is a log target.

  FIG. 9 is a flowchart illustrating an example of the environment monitoring process. First, similarly to step S11, the mode is switched to the VMXnon-root mode (step S101). During the operation of the VM 31, an access instruction to be hooked, that is, an access instruction to the register group 111 or VMCS 13 (registers matching the list 131 (specific registers, etc.)) in which the fundamental environment setting values are set. Is issued (step S103), the instruction is hooked and exited via the VT 12 (step S105). The CPU 11 transits to the VMXroot mode, and then an analysis referring to EXIT Reason (cause of Exit) is performed (step S107). As a result of the analysis, if the cause is other than a write access command to a specific register or the like (NO in step S109), other corresponding processing is performed (step S111).

  On the other hand, when the cause is a write access instruction to a specific register or the like (Yes in step S109), the environment monitoring unit 327 executes a process for blocking access as described above (step S113). Next, when the VMM 32 issues a transition instruction to the VMX non-root mode, the VT 12 performs an entry process (step S115), and the control of the CPU 11 returns to the VM 31. Then, it is determined whether or not the operation state of the VM 31 has ended (step S117). If it has not ended, the process returns to step S103, and if it has ended, this flow is exited. As a result, even if a processing request for a resource is intended by an unauthorized program during the VM operation, the instruction is blocked or invalidated.

  In the present embodiment, the Syscall instruction is used as an Exit target as an invalid opcode violation. However, the present invention is not limited to an invalid opcode violation, and may be hooked under other conditions as long as it can be hooked as an Exit target.

  In this embodiment, the description is based on the Intel (registered trademark) VMM. However, the present invention is not limited to this, and the VMM and guest kernel of AMD are controlled by the ring 1 or 2 (the guest application is ring 3 or the like). The same applies to the above.

  Further, the function of the environment monitoring unit 327 is that the Syscall instruction is exited as an invalid opcode violation, analyzed, evaluated for correctness, and further associated with a function part that acts on behalf (as in the above embodiment), Regardless of these, it is a problem solving means for the purpose of appropriately maintaining the fundamental environment setting value.

1 Information processing apparatus 11 CPU (processor)
111 registers 12 VT
13 VMCS
131 List 30 RAM
31 VM
32 VMM
322 hook processing unit (detection means)
324 hook content analysis part (detection means)
325 Correctness evaluation unit (evaluation means, invalidation means)
326 Treatment unit (treatment means)
327 Environmental monitoring unit 328 Log processing unit 60 Log storage unit

Claims (10)

Detection means for detecting issuance of an access instruction to the kernel for a processing request for a resource;
Evaluation means for evaluating whether the access command detected by the detection means is correct or not;
An information processing apparatus comprising treatment means for issuing a treatment instruction according to an evaluation result.   The information processing apparatus according to claim 1, further comprising invalidating means for invalidating the access command. Includes a virtual machine monitor that monitors the operation of the virtual machine,
The detection means, the evaluation means, and the treatment means are provided in the virtual machine monitor,
The information processing apparatus according to claim 1, wherein the detection unit shifts the control to the virtual machine monitor when the access command is issued from the virtual machine.   The information processing apparatus according to claim 3, wherein invalid means for invalidating the access command is provided in the virtual machine monitor.   The information processing apparatus according to claim 3, wherein the detection unit detects the access instruction as an invalid opcode violation. The access instruction is a syscall instruction,
The information processing apparatus according to claim 3, wherein the evaluation unit evaluates correctness based on collation with information related to an API constituting the syscall instruction.   When the evaluation means determines that the access instruction is valid, the processing means issues the same content as the access instruction to the kernel, and when the evaluation means determines that the access instruction is invalid, the access instruction The information processing apparatus according to claim 3, wherein an instruction that passes through the access instruction is issued to the kernel, or an instruction that skips the access instruction is returned to the issuer of the access instruction. A detection process for detecting issuance of an access instruction to the kernel for a processing request for a resource;
An evaluation step for evaluating the correctness of the access instruction detected by the detection step;
The information processing monitoring method provided with the treatment process which issues the command of the treatment according to the evaluation result. Detection means for detecting issuance of an access instruction to the kernel for a processing request for a resource;
An evaluation step of evaluating whether the access command detected by the detection means is correct or not;
And a program for causing the processor to function as a treatment process for issuing a treatment instruction according to the evaluation result. Detection means for detecting issuance of an access instruction to the kernel for a processing request for a resource;
An evaluation step of evaluating whether the access command detected by the detection means is correct or not;
And a computer-readable recording medium having recorded thereon a program that causes the processor to function as a treatment process for issuing a treatment instruction according to the evaluation result.

Images