JP2017207876A - Dump mask program, dump mask method, and information processing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent information leakage of secret object data in a memory dump.SOLUTION: An information processing deice 100 detects abnormalities of software SW under execution. The software SW is a system and an application of, for example, an OS, middleware, or the like. The information processing device 100 specifies secret object data in a memory dump when an abnormality of the software SW is detected. The information processing device 100 performs mask processing for rewriting the specified secret object data. The mask processing is processing for rewriting the secret object data into different data to make the original information indecipherable. The information processing device 100 outputs a memory dump subjected to the mask processing.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a dump mask program, a dump mask method, and an information processing apparatus.

  Conventionally, when a trouble occurs during system operation, data developed on a memory is sometimes collected for the purpose of investigating the trouble in order to grasp the state of the system at the time of occurrence of the trouble. Examples of collected data include a memory dump, trace information, and a log.

  As a prior art, for example, when diagnosing a memory dump related to a failure occurring in a customer computer system from a computer system of a maintenance center, information on an area in which confidential information is stored or a predetermined area in the entire space is stored. Some of them send only the other memory dump information to the center computer system.

JP-A-3-34036

  However, it is difficult for the prior art to prevent leakage of confidential information (such as customer personal information) included in the memory dump. For example, if an area that contains confidential information is a non-collection area, the entire area that contains confidential information will be uncollected, and information that is not confidential information will not be collected. There is.

  In one aspect, an object of the present invention is to prevent information leakage of confidential data in a memory dump.

  According to an aspect of the present invention, when software abnormality is detected, the confidential data in the memory dump is identified, mask processing for rewriting the identified confidential data is performed, and the memory dump subjected to the mask processing is stored. An output dump mask program, dump mask method, and information processing apparatus are proposed.

  According to one aspect of the present invention, information leakage of confidential data in a memory dump can be prevented.

FIG. 1 is an explanatory diagram of an example of the dump mask method according to the first embodiment. FIG. 2 is an explanatory diagram illustrating a system configuration example of the system 200. FIG. 3 is a block diagram illustrating a hardware configuration example of the information processing apparatus 100. FIG. 4 is an explanatory diagram showing an example of a procedure for creating the software SW. FIG. 5 is an explanatory diagram showing a specific example of a source program. FIG. 6 is a block diagram of a functional configuration example of the information processing apparatus 100 according to the second embodiment. FIG. 7 is an explanatory diagram showing an image of data arrangement. FIG. 8 is an explanatory diagram (part 1) of a display example of a memory dump. FIG. 9 is a flowchart illustrating an example of a dump mask processing procedure of the information processing apparatus 100 according to the second embodiment. FIG. 10 is a block diagram of a functional configuration example of the information processing apparatus 100 according to the third embodiment. FIG. 11 is an explanatory diagram showing a specific example of the correspondence table 1100. FIG. 12 is an explanatory diagram (part 2) of a display example of a memory dump. FIG. 13 is a flowchart of an example of a dump mask processing procedure of the information processing apparatus 100 according to the third embodiment.

  Exemplary embodiments of a dump mask program, a dump mask method, and an information processing apparatus according to the present invention will be described below in detail with reference to the drawings.

(Embodiment 1)
FIG. 1 is an explanatory diagram of an example of the dump mask method according to the first embodiment. In FIG. 1, the information processing apparatus 100 is a computer that performs a mask process on confidential data in a memory dump.

  Here, the memory dump is binary information that records the contents of part or all of the memory at the time of the trouble in order to investigate and verify the cause of the trouble when trouble occurs during system operation. . The system is software such as an OS (Operating System) and middleware, for example.

  The memory dump includes, for example, an instruction code and data. The instruction code is the code of the program body loaded on the memory for execution. The data is data placed on a memory for use in an instruction code, or data loaded (expanded) on a memory for processing a DB (Database) or a file. The data used in the instruction code includes, for example, parameters specified for functions, return values, variables defined in the program, data exchange contents with other systems, and the like.

  On the other hand, the memory dump may include important information (confidential information). Examples of important information include personal information such as a customer's name, address, IP (Internet Protocol) address, and my number. However, the security measures that are implemented in the file or DB are not performed on the data on the memory. For this reason, even if the data developed on the memory is important information, it is collected as dump data in a lump, and the following actions are possible and the important information may be leaked.

  For example, even if the data is locked on the DB or file, the data can be accessed on the memory, so that all the collected data can be referred to by a third party (for example, a trouble investigator). Specifically, for example, the customer's personal information is often text data, and can be displayed and read easily using a binary editor.

  Further, using a recording medium such as a USB (Universal Serial Bus) memory, there is a possibility that important information is taken out from a customer by a third party and misused. Therefore, it is desirable to make important information invisible even for trouble investigators.

  Therefore, in this embodiment, a mask process is performed on the data to be concealed in the memory dump so that the original information cannot be decrypted, thereby preventing information leakage of the data to be concealed in the memory dump. A masking method will be described. Hereinafter, a processing example of the information processing apparatus 100 will be described.

  (1) The information processing apparatus 100 detects an abnormality of the software SW being executed. Here, the software SW is, for example, a system or an application such as an OS or middleware. The abnormality to be detected is, for example, an abnormality in which dump collection may be performed in trouble investigation such as abnormal termination.

  (2) When the information processing apparatus 100 detects an abnormality in the software SW, the information processing apparatus 100 specifies data to be concealed in the memory dump. Here, the data to be concealed is important information that is desirably prevented from being seen by a third party, and is, for example, personal information such as a customer's name, address, my number, and IP address.

  Specifically, for example, the information processing apparatus 100 sequentially reads necessary data from a memory (for example, a memory 302 shown in FIG. 3 described later) and stores important information in the data 110 before storing the data in the file 110. The data to be concealed is specified by determining whether or not to be protected. In the example of FIG. 1, it is assumed that the confidential data D1 to D4 are specified.

  The information processing apparatus 100, for example, once acquires a memory dump and stores it in a temporary file, and then sequentially reads data (dump data) in the temporary file to determine whether the data includes important information. By determining, the data to be concealed may be specified.

  (3) The information processing apparatus 100 performs a mask process for rewriting the specified confidential object data. Here, the mask process is a process for rewriting the data to be concealed with different data (for example, different characters, numbers, symbols) so that the original information cannot be decoded.

  In the example of FIG. 1, the concealment target data D <b> 1 to D <b> 4 are rewritten into black codes D <b> 1 ′ to D <b> 4 ′ and stored in the file 110. The black coating codes D1 'to D4' are codes for blackening the confidential data D1 to D4 when they are displayed in black, that is, as characters.

  (4) The information processing apparatus 100 outputs a memory dump subjected to mask processing. Specifically, for example, the information processing apparatus 100 outputs the file 110 including the black coating codes D1 ′ to D4 ′ to a trouble investigator computer or a server accessible by the trouble researcher computer. .

  As described above, according to the information processing apparatus 100 according to the first embodiment, when the abnormality of the software SW is detected, the data to be concealed in the memory dump can be specified. Then, according to the information processing apparatus 100, it is possible to perform a mask process for rewriting the specified confidential data and output a memory dump subjected to the mask process.

  Thereby, information leakage of the data to be concealed in the memory dump can be prevented. For example, by making the customer's important information in the memory dump black and making the original information undecipherable, even if it is a trouble investigator, the contents of the important information can not be referred to even when investigating the trouble , Customer name, address, etc. can be prevented from being leaked and misused.

(Embodiment 2)
Next, the information processing apparatus 100 according to the second embodiment will be described. In the second embodiment, it is assumed that the memory map of the software SW is known, that is, how the memory is used. In addition, about the location similar to the location demonstrated in Embodiment 1, the same code | symbol is attached | subjected and description is abbreviate | omitted.

  First, a system configuration example of the system 200 according to the second embodiment will be described.

  FIG. 2 is an explanatory diagram illustrating a system configuration example of the system 200. In FIG. 2, the system 200 includes an information processing apparatus 100 and a survey terminal 201. In the system 200, the information processing apparatus 100 and the investigation terminal 201 are connected via a wired or wireless network 210. The network 210 is, for example, a local area network (LAN), a wide area network (WAN), or the Internet.

  The information processing apparatus 100 is a computer that executes software SW. When an abnormality occurs in the software SW being executed, the information processing apparatus 100 performs a mask process on the data to be concealed in the memory dump and performs the mask process. Output a dump. The information processing apparatus 100 is a server, for example.

  The investigation terminal 201 is a computer used by a trouble investigator, and is, for example, a PC (Personal Computer), a notebook PC, or a tablet PC. The trouble investigator is a person who investigates and verifies the cause of the abnormality in the software SW.

(Hardware configuration example of information processing apparatus 100)
FIG. 3 is a block diagram illustrating a hardware configuration example of the information processing apparatus 100. In FIG. 3, the information processing apparatus 100 includes a CPU (Central Processing Unit) 301, a memory 302, an I / F (Interface) 303, a disk drive 304, and a disk 305. Each component is connected by a bus 300.

  Here, the CPU 301 governs overall control of the information processing apparatus 100. The memory 302 includes, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), and a flash ROM. Specifically, for example, a flash ROM or ROM stores various programs, and a RAM is used as a work area for the CPU 301. The program stored in the memory 302 is loaded into the CPU 301 to cause the CPU 301 to execute the coded process.

  The I / F 303 is connected to the network 210 via a communication line, and is connected to another computer (for example, the investigation terminal 201 shown in FIG. 2) via the network 210. The I / F 303 controls an interface between the network 210 and the apparatus, and controls input / output of data from other computers. For example, a modem or a LAN adapter may be employed as the I / F 303.

  The disk drive 304 controls reading / writing of data with respect to the disk 305 according to the control of the CPU 301. The disk 305 stores data written under the control of the disk drive 304. Examples of the disk 305 include a magnetic disk and an optical disk.

  Note that the information processing apparatus 100 may include, for example, an SSD (Solid State Drive), a keyboard, a mouse, and a display in addition to the above-described components. Also, the investigation terminal 201 shown in FIG. 2 can be realized by the same hardware configuration as the information processing apparatus 100. However, the investigation terminal 201 includes a keyboard, a mouse, a display, and the like in addition to the components described above.

(Procedure for creating software SW)
Next, a procedure for creating software SW including the dump mask program will be described with reference to FIGS.

  FIG. 4 is an explanatory diagram showing an example of a procedure for creating the software SW. In FIG. 4, (i) when the creator defines data by creating the source program of the software SW, as shown in FIG. 5, the creator designates confidential as “important information”. ".

  FIG. 5 is an explanatory diagram showing a specific example of a source program. In FIG. 5, a source program 500 is an excerpt of a part of the source program for software SW. name [20], zip [9], address [50], and age are data items indicating the name, zip code, address, and age, respectively. The numbers in [] indicate the data length (number of bytes).

  In the example of FIG. 5, data of each data item is specified in the order of name (name [20]), postal code (zip [9]), address (address [50]), and age (age). In addition, data items of name (name [20]), zip code (zip [9]), and address (address [50]) are designated as important information, that is, data items to be concealed.

  Returning to the description of FIG. 4, (ii) the information processing apparatus 100 generates the abnormality monitoring function F1 and the mask function F2 of the dump mask program by the preprocessor and incorporates them in the software SW. The preprocessor is a program that performs preprocessing before compilation.

  The abnormality monitoring function F1 is a function for detecting an abnormality of the software SW being executed. The mask function F2 is a function for performing mask processing on the data to be concealed in the memory dump when a software SW abnormality occurs. Thereby, software SW incorporating the abnormality monitoring function F1 and the mask function F2 of the dump mask program is created.

  (Iii) The information processing apparatus 100 compiles the source program of the software SW using a compiler. Thereby, the software SW can be converted into a computer-executable format.

(Functional configuration example of information processing apparatus 100)
FIG. 6 is a block diagram of a functional configuration example of the information processing apparatus 100 according to the second embodiment. In FIG. 6, the information processing apparatus 100 includes a detection unit 601, a specification unit 602, a rewrite unit 603, and an output unit 604. Each of the function units 601 to 604 is a function as a control unit. Specifically, for example, by causing the CPU 301 to execute a program stored in a storage device such as the memory 302 and the disk 305 illustrated in FIG. The function is realized by the I / F 303. The processing result of each functional unit is stored in a storage device such as the memory 302 and the disk 305, for example.

  The detection unit 601 detects an abnormality in the software SW. Here, the abnormality to be detected is an abnormality that may cause dump collection for trouble investigation when it occurs, and can be arbitrarily set. Note that the abnormality monitoring function F1 illustrated in FIG. 4 is realized by, for example, the detection unit 601.

  The identifying unit 602 identifies the data to be concealed in the memory dump. Specifically, for example, when the abnormality of the software SW is detected, the specifying unit 602 acquires the top address of the data area in the memory 302 allocated to the software SW. Then, the specifying unit 602 refers to the data structure defined in the software SW based on the acquired start address of the data area, and stores the data in the memory 302 corresponding to the data item designated as the confidential target. Identify as data.

  Here, specific processing contents of the specifying unit 602 will be described with reference to FIG.

  FIG. 7 is an explanatory diagram showing an image of data arrangement. FIG. 7 shows an arrangement image of data arranged on the memory 302 according to the data structure defined by the source program 500 (see FIG. 5). Specifically, data of each data item is arranged in the order of name (name [20]), postal code (zip [9]), address (address [50]), and age (age).

  In this case, for example, 20 bytes of data from the start address of the data area in the memory 302 is data of a name (name [20]) specified as a data item to be concealed. For this reason, the specifying unit 602 specifies 20 bytes of data (data item: name) from the start address of the data area as the confidential data.

  The next 9 bytes of data are data of a zip code (zip [9]) designated as a data item to be concealed. For this reason, the specifying unit 602 specifies the next 9 bytes of data (data item: zip) as confidential data. Thereafter, the confidential data can be specified in the same manner.

  Returning to the description of FIG. 6, the rewrite unit 603 performs a mask process for rewriting the identified confidential data. Specifically, for example, the rewrite unit 603 may rewrite the specified concealment target data with a predetermined code (black coating code) for blackening. Thereby, the original information (for example, name, zip code, and address) can be masked indecipherably.

  Note that the rewriting unit 603 maintains the length of the original information by combining the data lengths before and after the rewriting. Further, the predetermined code may be defined in the software SW, or may be read from a storage device such as the memory 302 and the disk 305.

  In addition, the rewriting unit 603 may rewrite the identified confidential data into character string data indicating the type of the confidential data, for example. Here, the type of data to be concealed is for determining what kind of characteristics and properties the data to be concealed is, for example, a data item of data to be concealed.

  For example, it is assumed that data with a name (name [20]) is specified as confidential data. In this case, the rewriting unit 603 may rewrite the confidential data to character string data indicating the data item “name” of the confidential data. As a result, it is possible to present the type of original information to the trouble investigator, and to determine what information is present at the masked portion.

  Note that the mask function F2 illustrated in FIG. 4 is realized by the specifying unit 602 and the rewriting unit 603, for example.

  The output unit 604 outputs a memory dump obtained by performing mask processing on the confidential data. As an output format of the output unit 604, for example, storage in a storage device such as the memory 302 and the disk 305, transmission to an external device (for example, the investigation terminal 201 shown in FIG. 2) by the I / F 303, unillustrated There are display on a display, print output to a printer (not shown), and the like.

  Specifically, for example, the output unit 604 may transmit a dump file storing a memory dump obtained by performing mask processing on the concealment target data to the investigation terminal 201. Thereby, the investigation terminal 201 can display the memory dump in a state where the confidential data is masked so as not to be decrypted.

(Output example of memory dump)
Next, a memory dump output example will be described. Here, a display example of a memory dump displayed on the display (not shown) of the investigation terminal 201 will be described as an example. In addition, it is assumed that the contents of the memory dump are displayed as characters using a binary editor or the like.

  FIG. 8 is an explanatory diagram (part 1) of a display example of a memory dump. In FIG. 8, a memory dump 810 indicates a memory dump before the mask process is performed. A memory dump 820 indicates a memory dump after masking (blacking) is performed on the concealment target data 811, 812, and 813 in the memory dump 810.

  The investigation terminal 201 displays a memory dump 820 in which the confidential data 811, 812, 813 is displayed in black. As a result, even when a trouble investigator investigates the trouble, the contents of the confidential data 811, 812, 813 cannot be referred to, and important information such as the customer's name, zip code, and address is prevented from leaking. be able to.

(Dump mask processing procedure of information processing apparatus 100)
Next, the dump mask processing procedure of the information processing apparatus 100 will be described.

  FIG. 9 is a flowchart illustrating an example of a dump mask processing procedure of the information processing apparatus 100 according to the second embodiment. In the flowchart of FIG. 9, first, the information processing apparatus 100 determines whether or not an abnormality of the software SW has been detected (step S901).

  Here, the information processing apparatus 100 waits for detection of an abnormality in the software SW (step S901: No). When the information processing apparatus 100 detects an abnormality in the software SW (step S901: Yes), the information processing apparatus 100 acquires the top address of the data area in the memory 302 allocated to the software SW (step S902).

  Next, the information processing apparatus 100 reads data from the memory 302 with reference to the data structure defined in the software SW (step S903). Then, the information processing apparatus 100 determines whether or not the read data is data designated as confidential (step S904).

  Here, in the case of the data designated as confidential (step S904: Yes), the information processing apparatus 100 performs a mask process for rewriting the read data (step S905). Then, the information processing apparatus 100 stores the masked data in a dump file on the disk 305 (see FIG. 3) (step S906), and proceeds to step S907.

  If the data is not designated as confidential in step S904 (step S904: No), the information processing apparatus 100 stores the read data in a dump file on the disk 305 (step S906). Next, the information processing apparatus 100 determines whether or not reading of data from the memory 302 is completed (step S907).

  If the data reading has not been completed (step S907: NO), the information processing apparatus 100 returns to step S903. On the other hand, when the reading of data is finished (step S907: Yes), the information processing apparatus 100 outputs a dump file (step S908), and the series of processes according to this flowchart is finished.

  As a result, it is possible to output a memory dump (dump file) after masking confidential data such as a customer's name, postal code, and address so that they cannot be decrypted.

  As described above, according to the information processing apparatus 100 according to the second embodiment, with reference to the data structure defined in the software SW, the data in the memory 302 corresponding to the data item designated as the confidential target is stored. It can be specified as confidential data. Then, according to the information processing apparatus 100, it is possible to perform a mask process for rewriting the specified confidential data and output a memory dump subjected to the mask process.

  As a result, when the memory map of the software SW is known, the data item to be concealed is designated in advance in the source program when the software SW is created, so that the concealment target data in the memory dump can be accurately determined. Can be identified well. Also, since confidential data such as important customer information can be masked in a pinpoint manner, it is possible to prevent a portion that is not important information from being masked, thereby avoiding a shortage of information during a trouble investigation.

  Further, according to the information processing apparatus 100 according to the second embodiment, it is possible to rewrite the specified data to be concealed into a predetermined code for making a black state. Thereby, the original information (for example, name, zip code, and address) can be masked indecipherably.

  Further, according to the information processing apparatus 100 according to the second embodiment, the specified confidential data can be rewritten to character string data indicating the type of the confidential data. Thereby, it is possible to present the type of the original information to the trouble investigator and to determine what information is in the masked portion.

(Embodiment 3)
Next, the information processing apparatus 100 according to the third embodiment will be described. In the third embodiment, it is assumed that the memory map of the software SW is not known, that is, the usage of the memory is not known. In addition, about the location similar to the location demonstrated in Embodiment 1, 2, the same code | symbol is attached | subjected and description is abbreviate | omitted.

  First, a functional configuration example of the information processing apparatus 100 according to the third embodiment will be described.

  FIG. 10 is a block diagram of a functional configuration example of the information processing apparatus 100 according to the third embodiment. In FIG. 10, the information processing apparatus 100 includes a detection unit 601, a second specifying unit 1001, a second rewriting unit 1002, and an output unit 604. Each of the function units 601, 604, 1001, and 1002 is a function serving as a control unit. Specifically, for example, the CPU 301 executes a program stored in a storage device such as the memory 302 and the disk 305 illustrated in FIG. Or the I / F 303 realizes the function. The processing result of each functional unit is stored in a storage device such as the memory 302 and the disk 305, for example.

  Hereinafter, functional units different from the information processing apparatus 100 according to the second embodiment will be described. Note that the information processing apparatus 100 according to the third embodiment may have the same functional unit as the specifying unit 602 included in the information processing apparatus 100 according to the second embodiment.

  The second specifying unit 1001 specifies the data to be concealed in the memory dump. Specifically, for example, when the abnormality of the software SW is detected, the second specifying unit 1001 collects necessary data loaded (expanded) on the memory 302 and stores it in a temporary file. Get a memory dump.

  Next, the second specifying unit 1001 extracts a text portion (text data) in the acquired memory dump. Here, important information (customer personal information and the like) is generally expressed in text, and the text is expanded in the memory 302 in binary that can be processed by a computer. For this reason, in order to identify confidential data that is important information, first, the second identifying unit 1001 extracts a text portion.

  Then, the second specifying unit 1001 refers to the structure pattern DB 1010 and compares the extracted text portion with a predetermined pattern. More specifically, for example, the second specifying unit 1001 includes a character string (word, sentence, etc.) obtained by natural language processing (morphological analysis, syntax analysis, semantic analysis, etc.) on the extracted text portion, and a predetermined Compare with the pattern. Then, the second specifying unit 1001 specifies a text portion that matches a predetermined pattern as confidential data.

  Here, the structure pattern DB 1010 stores a predetermined pattern representing the structure of information (important information) that can be a secret object. The structure pattern DB 1010 is realized by a storage device such as the memory 302 and the disk 305, for example. The important information is, for example, a zip code, an address, an IP address, a computer name, a name, and a my number. For example, the predetermined pattern is a regular expression of at least one of a zip code, an address, and an IP address. The predetermined pattern may be an existing zip code, address (city level), or a character string representing a computer name.

  Hereinafter, a specific processing example of the second specifying unit 1001 will be described by taking a zip code, an address, an IP address, and a name as examples of information that can be confidential data.

Postal code The second specifying unit 1001 refers to the structure pattern DB 1010, compares the text part with the existing postal code, and specifies the text part that matches the existing postal code as confidential data. Also, the second specifying unit 1001 refers to the structure pattern DB 1010, compares the text part with the regular expression of the zip code, and specifies the text part that matches the regular expression of the zip code as confidential data.

  As the regular expression of the postal code, for example, “〒 \ d {3}-\ d {4}” can be used. This regular expression represents 〒 (symbol), 3 digits,-(hyphen), and 4 digits. However, the postal code may be stored without the postal code symbol. Therefore, “¥ d {3} ¥ − ¥ d {4}” may also be used as the regular expression of the zip code. This regular expression represents 3 digits,-(hyphen), and 4 digits.

  Thereby, the data indicating the zip code in the memory dump can be specified as the confidential data.

Address The second specifying unit 1001 refers to the structure pattern DB 1010, compares the text part with the existing address, and specifies the text part that matches the existing address as confidential data. Further, the second specifying unit 1001 refers to the structure pattern DB 1010, compares the text part with the regular expression of the address, and specifies the text part that matches the regular expression of the address as the confidential data.

  As a regular expression of an address, for example, “^ ((Hokkaido | Tokyo | (Osaka | Kyoto) Fu | (Kanagawa | Wakayama | Kagoshima) ken | [^ ¥ s ¥ w ¥ d] {2} prefecture) [^ \ S \ w \ d] {1,4} [city / town / town / village] [^ \ s \ w \ d] {1,15}) ". Here, Hokkaido | Tokyo → (Osaka | Kyoto) fu | (Kanagawa | Wakayama | Kagoshima) prefecture indicates Hokkaido, prefecture, or three-letter prefecture.

  [^ ¥ s ¥ w ¥ d] {2} prefecture indicates a 2-character prefecture pattern. ¥ s is a control character such as return or tab. \ W is an alphabet / Arabic numeral / underbar, that is, "[a-zA-Z_0-9]. \ D is a numeral, that is, [0-9]. [^ \ S \ w \ d ] {1, 4} [city / town / town / town / town / town / town / town / town / town / town / town / town / town / town / town / town / village name] [^ \ s / w / d] {1, 15}) Indicates the detailed place name that follows (length may be greater than 15).

  Thereby, the data indicating the address in the memory dump can be specified as confidential data. Note that the second specifying unit 1001 may have, for example, a postal code and address relation DB and check whether or not the extracted postal code matches the address.

IP address The second specifying unit 1001 refers to the structure pattern DB 1010, compares the text part with the regular expression of the IP address, and specifies the text part that matches the regular expression of the IP address as confidential data. .

  As a regular expression of the IP address (IPv4), for example, “/^(¥d|[01]?¥d¥d|2[0-4]¥d|25[0-5])¥.(¥d | [01]? \ D \ d | 2 [0-4] \ d | 25 [0-5]) \. (\ D | [01]? \ D \ d | 2 [0-4] \ d | 25 [0-5]) \. (\ D | [01]? \ D \ d | 2 [0-4] \ d | 25 [0-5]) $ / "can be used.

  The first “/ ^” indicates matching from the beginning of the IP address. The last “$ /” indicates that matching is performed up to the end of the IP address. “¥.” Indicates “.” That delimits numerical values in the IP address expression format 255.255.255. “¥ d” indicates one-digit numbers 0-9. “?” Indicates that the immediately preceding expression is 0 or 1. "|" Indicates or (or).

  That is, “¥ d | [01]? ¥ d ¥ d | 2 [0-4] ¥ d | 25 [0-5]” is [0-9] or [01]? [0-9] [0-9] or 2 [0-4] [0-9] or 25 [0-5] are indicated. [0-9] represents 0 to 9, and [01]? [0-9] [0-9] represents 00 to 199, 2 [0-4] [0-9] represents 200 to 249, and 25 [0-5] represents 250 to 255. .

  Further, as a regular expression indicating the format of the IP address (IPv4), for example, “(¥ d {1,3}) ¥. (¥ d {1,3}) ¥. (¥ d {1,3}) ¥. (¥ d {1,3}) ”can be used. {} Indicates the specified number of times for the preceding character. \ D {1,3} indicates that the numerical value is matched (1, 12, 234) with a repetition of 1 to 3 times. ab {2} indicates matching with abb. ab {2,} indicates that a match is repeated (abb, abbbb, abbbbbbbb, etc.). ab {2, 4} indicates that a match (abb, abbb, abbbb) is performed two to four times.

  Thereby, the data indicating the IP address in the memory dump can be specified as the confidential data. Here, the IPv4 IP address has been described as an example, but the IPv6 IP address can be specified in the same manner.

Name The second specifying unit 1001 adds a title (for example, san, sama, san) to the end of a word obtained by natural language processing (morphological analysis, syntax analysis, semantic analysis, etc.) of the extracted text part. Judge whether or not. Here, when the title is added, the second specifying unit 1001 may specify the word part before the title as the confidential data indicating the name.

  Further, an existing name may be registered in the structure pattern DB 1010 as a name dictionary. In this case, for example, if a word to which a title is added is registered in the name dictionary, the second specifying unit 1001 may conceal the word part before the title (may include the title part) indicating the name. You may decide to specify as object data. In addition, the second specifying unit 1001 compares each word obtained by natural language processing of the text part with the name in the name dictionary, and uses the word that matches the name in the name dictionary as confidential data indicating the name. You may decide to specify.

  Thereby, the data indicating the name (name) in the memory dump can be specified as confidential data.

  Note that the information of the specified confidential data is stored, for example, in a correspondence table 1100 as shown in FIG. Here, a specific example of the correspondence table 1100 will be described.

  FIG. 11 is an explanatory diagram showing a specific example of the correspondence table 1100. In FIG. 11, the correspondence table 1100 has fields of distance, type, and serial number. By setting information in each field, correspondence information (for example, correspondence information 1100-1 to 1100-6) of each concealment target data. Is stored as a record.

  The distance is information indicating the position of the concealment target data in the memory dump, and indicates the distance (relative address) from the top of the memory dump. The type is the type of confidential data. The serial number is a continuous number assigned to the data to be concealed in order from the top of the memory dump. However, the same number is assigned to data to be concealed having the same data content.

  For example, the correspondence information 1100-1 indicates that confidential data of type “IP address” and serial number “001” exists at a distance d1 from the beginning of the memory dump. Correspondence information 1100-4 indicates that there is concealment target data of type “IP address” and serial number “001” at a distance d4 from the beginning of the memory dump. That is, it can be seen that there is confidential data of the same type “IP address” at the distances d1 and d4.

  Returning to the description of FIG. 10, the second rewriting unit 1002 performs a mask process for rewriting the identified confidential data. Specifically, for example, the second rewriting unit 1002 rewrites the specified data to be concealed into a predetermined code (black coating code) that makes the specified confidential data black, similarly to the rewriting unit 603 shown in FIG. You may decide. Further, for example, the second rewriting unit 1002 may rewrite the specified confidential data into character string data indicating the type of the confidential data.

  Further, the second rewriting unit 1002 may rewrite the identified confidential data into character string data indicating the type and serial number of the confidential data. Here, as described above, the serial number is a continuous number assigned to the data to be concealed in order from the beginning of the memory dump, and the data to be concealed having the same data content has the same number.

  Specifically, for example, the second rewriting unit 1002 refers to the correspondence table 1100 shown in FIG. 11 and converts the confidential data in the memory dump into character string data indicating the type and serial number of the confidential data. (For example, IP001). However, the length of the original information is maintained by combining the data length before and after rewriting.

  As a result, the type of the original information can be determined, and when the data to be concealed exists in the memory dump, the mask location where the original information has the same content can be determined. .

  In the above description, the case where the masking process is performed by specifying the concealment target data for the memory dump is described, but the present invention is not limited to this. For example, masking processing may be performed by specifying confidential data for a log / trace file output when a software SW abnormality occurs.

(Output example of memory dump)
Next, a memory dump output example will be described. Here, a display example of a memory dump displayed on the display (not shown) of the investigation terminal 201 (see FIG. 2) will be described as an example. In addition, it is assumed that the contents of the memory dump are displayed as characters using a binary editor or the like.

  FIG. 12 is an explanatory diagram (part 2) of a display example of a memory dump. In FIG. 12, a memory dump 1210 indicates a memory dump before mask processing is performed. The memory dump 1220 indicates a memory dump after masking is performed on the concealment target data 1211, 1212, 1213, 1215, 1216, and 1217 in the text portions 1211 to 1218 in the memory dump 1210. The “...” Portion in FIG. 12 is a portion that is not character data.

  Specifically, the concealment target data 1211 is rewritten to character string data 1221 indicating the type “IP address” and the serial number “001” of the concealment target data 1211. The confidential data 1212 is rewritten to character string data 1222 indicating the type “zip code” and serial number “001” of the confidential data 1212. The concealment target data 1213 is rewritten to character string data 1223 indicating the type “address” and the serial number “001” of the concealment target data 1213. The confidential data 1215 is rewritten to character string data 1224 indicating the type “IP address” and serial number “001” of the confidential data 1215. The confidential data 1216 is rewritten to character string data 1225 indicating the type “IP address” and the serial number “002” of the confidential data 1216. The concealment target data 1217 is rewritten to character string data 1226 indicating the type “name” and the serial number “001” of the concealment target data 1217.

  A memory dump 1220 is displayed on the investigation terminal 201. As a result, the contents of the confidential data 1211, 1212, 1213, 1215, 1216, and 1217 cannot be referred to even if the trouble investigator is in trouble investigation, and the customer's name, zip code, address, IP address, etc. It is possible to prevent leakage of important information.

  In addition, since the type of the original information is presented, the trouble investigator can determine what information is in the masked portion. Further, since the same serial number is assigned to the confidential data having the same content, the trouble investigator can determine the mask location where the original information has the same content. In the example of FIG. 12, the trouble investigator knows that the character string data 1221 and 1224 originally have the same IP address, and can use it for investigation and verification of the cause of the trouble.

(Dump mask processing procedure of information processing apparatus 100)
Next, the dump mask processing procedure of the information processing apparatus 100 will be described.

  FIG. 13 is a flowchart of an example of a dump mask processing procedure of the information processing apparatus 100 according to the third embodiment. In the flowchart of FIG. 13, first, the information processing apparatus 100 determines whether an abnormality of the software SW has been detected (step S1301).

  Here, the information processing apparatus 100 waits for detection of an abnormality in the software SW (step S1301: No). When the information processing apparatus 100 detects an abnormality in the software SW (step S1301: Yes), the information processing apparatus 100 collects data on the memory 302 and stores it in a temporary file, thereby acquiring a memory dump (step S1302).

  Next, the information processing apparatus 100 reads the data in the acquired memory dump from the top (step S1303). The information processing apparatus 100 determines whether the read data is a text part (step S1304). Here, when it is not a text part (step S1304: No), the information processing apparatus 100 transfers to step S1308.

  On the other hand, in the case of a text portion (step S1304: Yes), the information processing apparatus 100 refers to the structure pattern DB 1010 and compares the read data with a predetermined pattern, so that the data is confidential data. It is determined whether or not there is (step S1305).

  Here, in the case of confidential data (step S1305: Yes), the information processing apparatus 100 performs a mask process for rewriting the read data (text portion) (step S1306). Then, the information processing apparatus 100 stores the masked data in a dump file on the disk 305 (see FIG. 3) (step S1307), and proceeds to step S1308.

  In step S1305, if the data is not confidential data (step S1305: No), the information processing apparatus 100 stores the read data in a dump file on the disk 305 (step S1307). Then, the information processing apparatus 100 determines whether reading of data in the memory dump has been completed (step S1308).

  If the data reading has not been completed (step S1308: No), the information processing apparatus 100 returns to step S1303. On the other hand, when the reading of data is finished (step S1308: Yes), the information processing apparatus 100 outputs a dump file (step S1309), and the series of processes according to this flowchart is finished.

  As a result, it is possible to output a memory dump (dump file) after masking confidential data such as the customer's name, postal code, address, and IP address in an indecipherable manner.

  As described above, according to the information processing apparatus 100 according to the third embodiment, the text portion in the memory dump can be extracted. Further, according to the information processing apparatus 100, the extracted text portion is compared with the predetermined pattern with reference to the structure pattern DB 1010, and the text portion that matches the predetermined pattern can be specified as confidential data. . The predetermined pattern is, for example, an existing zip code, address, name, or regular expression of the zip code, address, and IP address. Then, according to the information processing apparatus 100, it is possible to perform a mask process for rewriting the specified confidential data and output a memory dump subjected to the mask process.

  Thereby, when the memory map of the software SW is not known, the data to be concealed in the memory dump can be specified by pattern matching between the text portion in the memory dump and the pattern in the structure pattern DB 1010. For example, even if the software SW does not know the memory map that includes the program portion created by the OS or others, it masks the data to be concealed, such as the zip code, address, name, and IP address in the memory dump. Processing can be performed.

  Further, according to the information processing apparatus 100 according to the third embodiment, in order from the top of the memory dump, serial numbers are assigned to the identified confidential data so that the confidential data with the same data contents have the same number. Can do. According to the information processing apparatus 100, the confidential data can be rewritten into character string data indicating the type and serial number of the confidential data.

  This makes it possible to determine the type of original information when investigating a problem, and when there is confidential data with the same content in a memory dump, it is possible to determine the mask location where the original information has the same content It is possible to support the investigation and verification of the cause of the trouble.

  Note that the dump mask method described in the present embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This dump mask program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO (Magneto-Optical disk), a DVD (Digital Versatile Disk), a USB memory, and the like. It is executed by being read. The dump mask program may be distributed via a network such as the Internet.

  The following additional notes are disclosed with respect to the embodiment described above.

(Supplementary note 1)
When software abnormality is detected, the data to be concealed in the memory dump is identified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
A dump mask program characterized by causing processing to be executed.

(Supplementary note 2)
The dump mask program according to appendix 1, wherein data in a memory corresponding to a data item designated as a concealment target is specified as concealment target data with reference to a data structure defined in the software.

(Supplementary note 3)
Extracting the text portion in the memory dump, referring to a storage unit that stores a predetermined pattern representing the structure of information that can be concealed, comparing the extracted text portion with the predetermined pattern, and The dump mask program according to appendix 1 or 2, wherein a text portion that matches the pattern is specified as concealment target data.

(Additional remark 4) The process which performs the said mask process is as follows.
4. The dump mask program according to any one of appendices 1 to 3, wherein the specified data to be concealed is rewritten with a predetermined code for blackening.

(Additional remark 5) The process which performs the said mask process is as follows.
4. The dump mask program according to any one of appendices 1 to 3, wherein the identified concealment target data is rewritten to character string data indicating a type of the concealment target data.

(Supplementary note 6) The dump mask program according to supplementary note 3, wherein the predetermined pattern is a regular expression of at least one of a zip code, an address, and an IP (Internet Protocol) address.

(Additional remark 7) The process which performs the said mask process is as follows.
In order from the top of the memory dump, concealment target data having the same data contents are assigned the same number so that the specified data is the same,
The dump mask program according to appendix 3, wherein the concealment target data is rewritten to character string data indicating the type and serial number of the concealment target data.

(Appendix 8) The computer
When software abnormality is detected, the data to be concealed in the memory dump is identified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
A dump mask method characterized by executing processing.

(Appendix 9) When software abnormality is detected, the confidential data in the memory dump is specified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
An information processing apparatus having a control unit.

DESCRIPTION OF SYMBOLS 100 Information processing apparatus 200 System 201 Investigation terminal 210 Network 300 Bus 301 CPU
302 Memory 303 I / F
304 disk drive 305 disk 500 source program 601 detection unit 602 identification unit 603 rewriting unit 604 output unit 810, 820, 1210, 1220 memory dump 1001 second identification unit 1002 second rewriting unit 1010 structural pattern DB
1100 correspondence table

Claims (7)

On the computer,
When software abnormality is detected, the data to be concealed in the memory dump is identified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
A dump mask program characterized by causing processing to be executed. The process to specify is
2. The dump mask program according to claim 1, wherein data in a memory corresponding to a data item designated as a concealment target is specified as concealment target data with reference to a data structure defined in the software. . The process to specify is
Extracting the text portion in the memory dump, referring to a storage unit that stores a predetermined pattern representing the structure of information that can be concealed, comparing the extracted text portion with the predetermined pattern, and The dump mask program according to claim 1, wherein a text portion that matches the pattern is specified as data to be concealed. The process of applying the mask process is as follows:
The dump mask program according to any one of claims 1 to 3, wherein the identified data to be concealed is rewritten with a predetermined code for blackening. The process of applying the mask process is as follows:
The dump mask program according to any one of claims 1 to 3, wherein the identified concealment target data is rewritten to character string data indicating a type of the concealment target data. Computer
When software abnormality is detected, the data to be concealed in the memory dump is identified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
A dump mask method characterized by executing processing. When software abnormality is detected, the data to be concealed in the memory dump is identified,
Apply mask processing to rewrite the identified data to be concealed,
Outputting the memory dump subjected to the mask processing;
An information processing apparatus having a control unit.

Images