JP2019008503A - Information processing monitoring apparatus, information processing monitoring method, program, recording medium, and information processing apparatus - Google Patents

Abstract

To analyze attacks on CPUs by malicious programs at the preparation stage to prevent them from happening.SOLUTION: An information processing apparatus includes a first analysis unit 1302, a second analysis unit 1304, and a control unit 1305 which are set to a higher privilege level than an operating system. The first analysis unit 1302 and the second analysis unit 1304 analyze whether or not the process is preparation processing. The process includes at least one fetched instruction code other than a basic instruction code. The preparation processing changes the execution of the basic instruction code issued thereafter to an attack. When the first analysis unit 1302 and the second analysis unit 1304 analyze that the process is the preparation processing, the control unit 1305 invalidates the process.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a security technique for monitoring information processing operations executed by a computer program.

  Conventionally, a malicious application program (unauthorized program) has been deprived of control of a computer due to an intrusion or attack on a computer device, and data destruction such as falsification or deletion of data files stored in memory, communication leakage, etc. This has caused a serious loss of computer security. Therefore, various types of compatible software have recently been proposed that monitor the behavior or behavior of application programs and regulate attacks by malicious programs.

  Patent Document 1 describes an information leakage prevention system that determines whether an access to a storage device such as a hard disk HDD by an application is an unauthorized access such as a virus. That is, this information leakage prevention system hooks access to information stored in a storage device such as a hard disk HDD by an application using a hook function of an operating system (OS), and sets a preset access permission condition table. Matching determination is performed by collating with the contents of. If there is no matching, it is determined that the access is illegal, such as a virus, and the delivery of information stored in the storage device to the application is prohibited.

  Patent Document 2 proposes a security technique that monitors the behavior of an application to determine whether it is normal. In other words, this security technology additionally provides real-time malware detection inspection to offline malware detection inspection, and this added detection inspection records its behavior while the application is running, and extracts the behavior pattern from the recorded behavior The extracted behavior pattern is compared with the basic pattern of a normal application or the pattern of the application recorded previously. This allows the mobile device to automatically detect the malicious behavior of this application even if the malicious application is downloaded, installed and actually executed on a real-world mobile device.

  Patent Document 3 describes an operating system capable of suppressing computer viruses and unauthorized access using the buffer overrun phenomenon. In order to suppress computer viruses and unauthorized access, this operating system obtains a program storage address on the memory device before executing an API (Application Program Interface) requested by the program, and the address is appropriate. By determining whether or not the position is indicated, it is determined whether the program that called the API is appropriate or illegal.

  Patent Document 4 describes an information processing apparatus that can detect an unauthorized program that attacks a security hole such as a vulnerability of a computer system from a process behavior without depending on a definition file. This information processing apparatus acquires information generated in the execution of the process A, for example, the type of module, the type of function called, the value of the argument, the read source address, the time stamp, etc. It detects whether or not there are operations such as file access, network access, and activation of other processes, which are behaviors indicating attacks and intrusions, and is regarded as a malicious program. Further, in Patent Document 4, since a non-invalid process is detected as an illegal program when performing an operation such as file access or network access during a period in which an operation by a user cannot be detected, It is described that the information is registered in advance in the specified white list, and the collation is first performed at the time of detection.

JP 2007-140798 A JP 2017-505944 A International Publication No. 2005/029328 Japanese Patent Laying-Open No. 2015-082191

  Patent Document 1 is based on matching between access to information stored in the hard disk HDD by an application and a preset access permission condition table, and Patent Document 2 records a behavior during execution of the application to be inspected. The behavior pattern is extracted from the recorded behavior, while the extracted behavior pattern is compared with the basic pattern of the normal application or the previously recorded pattern of the application. It can be said to be a collation.

  Patent Document 3 is an invention that focuses on the response to a buffer overrun phenomenon in which unauthorized access is executed with the aim of a vulnerability in which the system malfunctions when data exceeding the buffer size is sent, and the storage address of the program is A judgment program for judging whether it is appropriate or illegal is added to the operating system. In Patent Document 4, a process monitor is set for each process, and this process monitor is a type of module, a type of a called function, a value of an argument, a read source address, and time stamp information. Etc. are collected as behavior, and it is determined whether there has been an unauthorized attack or intrusion, and is not regulated in advance. Also, the range that is difficult to distinguish is checked against the white list.

  The present invention has been made in view of the above, and an information processing monitoring apparatus, an information processing monitoring method, and the like that analyze an attack on a CPU (change in the execution environment of a program) by a malicious program in advance and prevent it in advance. To provide a program, a recording medium, and an information processing apparatus.

  It can be said that the present invention has been made in view of the basic structure given to current computers due to the history and history of the development of computer technology.

  Today, a personal computer is connected to a network and various external devices and can process a large amount of data under 64 bits, and because of its convenience and high performance, most industries including basic industries such as important infrastructures. It is expected to be used under high confidentiality for the fourth industrial revolution that is introduced in the field and supports IoT, AI and big data.

  The personal computer appeared in 1971 as an architecture (4-bit microcomputer) equipped with a 4-bit microprocessor. The 4-bit microcomputer is written with a program that realizes the process intended by the user. As a result, the user directly operates the microcomputer to execute the process according to the user's intention in the microprocessor through the execution of the program. I was letting. That is, at that time, no OS had yet appeared, and the microcomputer was based on a design concept that had a unique relationship between a person who directly operated the microcomputer and a microprocessor (CPU). Next year, an 8-bit microcomputer with an OS was introduced for the purpose of spreading functionality. The OS is located between the user and application and hardware, and provides a standard interface for the user and application and at the same time efficiently manages each resource such as hardware. In the bit design philosophy, he is in a position as a third party.

  Later, especially with the development of networks such as the Internet and various peripheral devices, the microcomputer maintains a 4-bit design philosophy in order to realize quantitative and qualitatively higher information processing triggered by the connection with these devices. In other words, the CPU has been evolved as a 16-bit, 32-bit, and 64-bit architecture while retaining execution instruction processing at the time of 4 bits as a basic operation. Through this process, today's 64-bit microcomputers can execute various extended functions other than basic operations for the purpose of realizing new functions according to the evolution of the CPU while retaining the design philosophy at the time of 4 bits. The extension instruction under the rule to make has been added. The extended rule is a technology that enables the CPU to process various functions added according to the evolution of 16 bits, 32 bits, and 64 bits under unconditional or low conditions.

  By introducing such an extended function, more advanced information processing has become possible, but other than the original basic operation executed based on the user's operation, that is, the user does not recognize or intend, Third-party malicious programs (unfair programs) have entered an environment where they can easily enter and execute.

  In view of such circumstances, the information processing monitoring apparatus according to the present invention provides a preparatory process for changing an execution of a basic instruction code issued after a process including at least one instruction code fetched other than the basic instruction code into an attack. And analyzing means set to a privilege level higher than that of the operating system (OS), and when the analyzing means analyzes that the process is the preparatory process, it controls the execution of the process. And a control means for setting the same privilege level as the high privilege level.

  Moreover, this invention is an information processing apparatus provided with the said information processing monitoring apparatus.

  In addition, the present invention provides an operating system for analyzing whether a process including at least one fetched instruction code other than the basic instruction code is a preparatory process for changing execution of the basic instruction code issued thereafter into an attack. An analysis step that is set to a higher privilege level, and if the analysis step is analyzed as the preparatory process, the same privilege level as the higher privilege level that controls the execution of the process is set. And an information processing monitoring method comprising the controlled steps.

  Further, the present invention is a program that causes a computer to function as the information processing monitoring apparatus, and is a computer-readable recording medium that records the program.

  According to these inventions, risks (infection, intrusion, etc.) at the time of starting the operating system are eliminated. Further, a process including at least one fetched instruction code other than the basic instruction code based on the 4-bit design concept is analyzed. In other words, basically all instruction codes other than those in the 4-bit design philosophy era are analyzed. Therefore, it is possible to analyze whether or not it corresponds to the preparation process for the attack, and when it is analyzed that it corresponds to the preparation for the attack, the execution of the process or the program including this process is controlled in the preparation stage, for example, It is invalidated. Therefore, an attack on the CPU of a malicious program is analyzed at the preparation stage, and the attack is prevented in advance. In the above, the preparation for an attack is also a preparation by an external program for changing the execution environment of the program, and the execution of the program from the outside is equivalent to an attack preparation or an attack. Can be considered.

  In addition, the analysis means analyzes whether the fetched instruction code is a basic instruction code, and if the first analysis means analyzes that the fetched instruction code is not a basic instruction code, whether the process is a preparation process Second analysis means for analyzing whether or not. According to this configuration, when it is analyzed that it is a basic instruction code, for example, it is executed as it is. On the other hand, when it is analyzed with an instruction code other than the basic instruction code, it is analyzed whether it falls under preparation It becomes.

  The analyzing means guides the instruction code of the process to the instruction execution unit when the fetched instruction code is analyzed as a basic instruction code and when the process is analyzed as not being the preparation process. . According to this configuration, an appropriate instruction code analyzed as not corresponding to the attack preparation process is guided to the instruction execution unit and executed as usual.

  The present invention further includes an interrupt means for issuing an interrupt each time an instruction code other than the basic instruction code is fetched. According to this configuration, an instruction code that is highly likely to fall under preparation for an attack is analyzed by an interrupt.

  Further, the analyzing means analyzes the process including the extended instruction code. According to this configuration, it is determined whether or not the process includes a plurality of instruction steps including an extended example code in addition to the individual extended instruction codes.

  Further, the analysis means performs analysis on a process including a syscall instruction. According to this configuration, all syscall instructions issued corresponding to the extended instructions are analyzed, and all accesses to resources are analyzed.

  Further, the analyzing means analyzes a process including an instruction code from a process start syscall instruction to a process end syscall instruction. According to this configuration, since the analysis is performed in the range of the syscall instruction before and after the possibility of the preparation processing period, the analysis at the preparation stage is possible. The preparation processing period may be based on a plurality of syscall instructions in addition to the preceding and following syscall instructions.

  Further, the analysis means analyzes whether or not the instruction code rewrites the msr register. According to this configuration, the process is invalidated immediately after it is analyzed that it corresponds to the preparation for an attack that can be executed by switching the operation mode of the CPU.

  In addition, the present invention includes a rule information storage unit that stores rule information for analyzing whether or not the preparation process is performed. By using the contract information section, it is possible to reliably analyze based on the analysis processing method for each attack preparation action.

  The contract information is for the kernel API. According to this configuration, all syscall instructions for accessing resources are made using the API of the kernel, and all attack orders are analyzed in the analysis processing corresponding to the API.

  Further, the control means stops execution of an instruction code issued after being analyzed with the preparation process. According to this configuration, the execution of an instruction code such as a basic instruction code after being analyzed as being ready is reliably invalidated before the attack is executed.

  The present invention further includes a boot processing unit that activates the analysis unit and the control unit prior to the operating system. According to this configuration, since the analysis unit and the control unit can be activated before the OS, each behavior of the OS program and the application program can be monitored at a higher level than the OS. Infections and intrusions are also detected and blocked.

  According to the present invention, an attack to the CPU (changing the program environment) by a malicious program is analyzed and prevented in advance.

It is a block diagram which shows one Embodiment of the information processing apparatus which concerns on this invention. It is a map figure which shows the outline | summary of the linear address space of a main memory. It is a map figure which shows the outline | summary of the physical memory space of CPU and main memory. It is a flowchart which shows an example of the procedure of a starting process. It is a figure which shows an instruction format. It is a flowchart of the monitoring process I performed by the monitoring module. It is a flowchart of the monitoring process II performed by the monitoring module. It is a flowchart of the monitoring process III performed by the monitoring module. It is a flowchart of the monitoring process IV performed by the monitoring module.

  FIG. 1 is a configuration diagram showing an embodiment of an information processing apparatus according to the present invention. The information processing apparatus 100 to which the present invention is applied operates various personal computers, server apparatuses incorporating a computer, financial, ATM and POS systems, and all infrastructure regardless of whether or not there is communication with an external device. It includes an information processing system, and further includes an information processing terminal that is portable and can process information communication, SNS, electronic money settlement, and the like.

  The information processing apparatus 100 includes a microcomputer and includes a CPU 1 as a processor. The CPU 1 includes a hard disk drive (HDD) 2 as an auxiliary storage device, a flash ROM 2A for BIOS storage, a RAM (Random Access Memory) 3 as a main memory, an input unit 41, and an output unit via a bus BA. 42 is connected. In addition, the CPU 1 is connected to a NIC (Network Interface Card) 43 and can exchange various information with external devices via a network 44 such as a local area and the Internet.

  The HDD 2 stores various programs and necessary data. The HDD 2 is divided into a plurality of partitions. Usually, an OS (Operating System) program such as Windows (registered trademark) and various application programs (APP) operating under the OS are used as locations (paths). Stored in the C drive area. In general, data files that can be used (accessed) by various APPs are stored as paths in the D drive area. The HDD 2 also stores program data that is the monitoring module 130 (see FIG. 3) according to the present invention. Details of the monitoring module 130 will be described later.

  When the information processing apparatus 100 is activated, the RAM 3 is loaded with BIOS, programs, and the like stored in the flash ROM 2A and the HDD 2, and temporarily stores information being processed. In the information processing apparatus 100, program files, data files, and the like stored in the HDD 2 are loaded into the RAM 3 and executed by the CPU 1 to execute various information processing functions such as a document and graphic creation function, a browser function, and the like. Various information processing according to the field to which it is applied is executed.

  The input unit 41 includes a keyboard, a mouse, a touch panel, or the like provided with a numeric keypad, etc., and inputs required information and instructions for processing from an operator. The output unit 42 is assumed to be a display unit that displays processing results and the like as images. The output unit 42 can include a printer and a speaker.

  FIG. 2 is a map diagram showing an outline of the linear address space 31 of the RAM 3. Each data (program data, file data, etc.) mapped in the linear address space 31 indicates a function, and is stored in the page table 303 in the physical memory 30 shown in FIG. 3 in detail. In addition, the CPU 1 can read the data by replacing the linear address with the physical address.

  As shown in FIG. 2, in the present embodiment, a kernel mode area 311 having a privilege level (ring R = 0) and a user mode area 312 having a privilege level (ring R = 3) are set in the linear address space 31. Has been. In the kernel mode area 311, an OS (kernel) API (Application Program Interface) 3111, an OS (kernel) 3112 corresponding to the syscall instruction, a system table 3113, and a process list 3114 such as an E process are expanded. In the user mode area 312, various application programs 3121,... And various syscalls 3122 are developed.

  A syscall 3122 in the user mode area 312 is a group of instructions used when the APP 3121,... Request access to a resource (a memory resource representing a register unit 123 described later). The syscall instruction is an extended instruction code for elevating the privilege level from ring R = 3 to ring R = 0, whereby the API corresponding to the argument of the syscall instruction is selected, and the selection information is set in the general-purpose register rax, for example. The

  An API 3111 in the kernel mode area 311 is provided corresponding to an argument of a syscall instruction issued from the syscall 3122, and executes access processing to resources based on management of the OS 3112. The system table 3113 stores the address of each data (program data, file data, etc.) in the linear address space 31. For example, the system table 3113 includes a GDT (Global Descriptor Table). The GDT in the system table 3113 is a list of segment descriptors for managing the storage location of each data in units of 8 bytes, for example. Each segment descriptor has four attributes, ie, “type” (program code, data, stack) of data, “base address”, “limit”, and “DPL” indicating a privilege level. The GDT in the system table 3113 and the page table 303 in the physical memory 30 realize conversion from a linear address to a physical address. The process list 3114 shows a list of processes of the running program managed by the OS 3112, and includes, for example, an E process (EPROCESS).

  FIG. 3 is a map diagram for explaining the functions of the CPU 1 and the RAM 3 in the physical memory 30 and the relationship between the CPU 1 and the functions of the physical memory 30. In the physical memory 30 configured as a part of the RAM 3, the BIOS 301, the boot manager 302, and the page table 303 are expanded, and the monitoring module 130 is expanded. The BIOS 301 is written in an area of 0 to 1 MB. The boot manager 302 and the page table 303 are written in more areas. The BIOS 301, the boot manager 302, and the page table 303 are written with ring R = 0, which is a privilege level. Note that the page table 303 has a plurality of pages, and each page is divided into a predetermined amount of data, for example, 4 KB. Each page data is set with a physical address and an access attribute. Each page data includes any one of program code, data, and stack. The access attribute corresponds to a privilege level, and has “supervisor” and “user”. “Supervisor” refers to processing in the kernel space (kernel mode), and corresponds to ring R = 0 to ring R = 2, and “user” corresponds to ring R = 3.

  The monitoring module 130 can be managed following the activation of the BIOS 301, that is, before the OS, so that the OS can be managed, that is, a privilege level higher than that of the OS can be set. For example, in a mode in which the monitoring module 130 is applied to the virtualization support technology VT-x including the virtual machine VM that is the guest OS and the virtual machine monitor VMM that is the host OS, the monitoring module 130 is read into the virtual machine monitor VMM. It may be. Then, by controlling the Entry / Exit process for the guest OS by the monitoring module 130, a privilege level (R = −1) substantially higher than that of the OS can be secured. Further, by rewriting the OS to the privilege level R = 1 or 2 and setting the monitoring module 130 to the privilege level R = 0, a privilege level higher than that of the OS can be secured.

  The CPU 1 includes a memory controller (MMU) 11, a control unit 12, and an arithmetic unit 13. The memory controller 11 is connected between the page table 303 in the physical memory 30 and the control unit 12, and accesses the fetched linear address by referring to the page table 303 and converting it into a physical address. The access contents are guided to the control unit 12.

  In this embodiment, the monitoring module 130 includes a memory management unit 1301, a first analysis unit 1302, a hardware interrupt processing unit 1303, a second analysis unit 1304, a control unit 1305, and a contract information unit 1306, and an OS. A boot program (boot processing unit) for starting up under predetermined monitoring is provided. Details of these will be described later. The arithmetic unit 13 includes an instruction execution unit 131 that executes an instruction code fetched and output by the monitoring module 130.

  By disposing the monitoring module 130 in the physical memory 30, it is possible to make it appear to the OS as a part of hardware (MMIO (Memory-mapped I / O) space). As a result, the monitoring module 130 can be isolated from the OS and protected from malicious programs. The memory management unit 1301 arranges the first analysis unit 1302, the hardware interrupt processing unit 1303, the second analysis unit 1304, the control unit 1305, and the rule information unit 1306 in the physical memory 130, generates an executable environment, The access to the physical memory 130 by the OS side program is monitored. Thereby, access to the hardware using the MMIO space and access to the page table 303 constituting the linear address space are also monitored.

In the control unit 12, in this embodiment, a fetch unit 121 connected to the memory controller 11 via the memory management unit 1301, a decode unit 122 that converts the fetched instruction format into a machine language and analyzes it, and a register unit 123. It has. FIG. 3 shows an instruction format 128 as an example. Details of the instruction format 128 will be described with reference to FIG. The instruction code 129 is exemplified in assembler language. This illustrated instruction code is
mov rax, 10
It means “copy numeric value 10 to general-purpose register rax”.

  The register unit 123 includes various registers, and includes at least a general-purpose register 124, a control register 125, an instruction execution register 126, and a system register 127. The general-purpose register 124 has rax, rbx, rcx, rdx,... And temporarily writes data and parameters to be processed. The notation of the general register 124 is distinguished from rax for 64 bits, eax for 32 bits, ax for 16 bits, and a or hal for 8 bits. The control register 125 includes registers cr0, cr1, cr2,... And controls the operation mode of the CPU1. The control register 125 is used for control such as receiving an instruction program read from the physical memory 30, executing it, temporarily storing it, and rearranging it. The instruction execution register 126 includes a register RIP (Instraction Pointer) that designates an instruction code to be fetched, and a program counter that instructs an instruction issue order. The system register 127 has various msr registers (Model Specific Registers) in which data currently used is written in the system table 3113 and controls the operation mode. Note that the msr register is used for internal control of the CPU 1 and uses a dedicated rdmsr and wrmsr instruction to read and write. In the msr register, for example, validity / invalidity of the extended function as an operation of the CPU 1 is identified by a flag so that read / write is possible at the privilege level R = 0 in the protect mode, and when it violates, it is hooked. .

  Here, an example of the procedure of the activation process will be described using the flowchart of FIG. First, when the information processing apparatus 100 is powered on, the BIOS program is read (loaded) from the flash ROM 2A to a predetermined area of the RAM 3 and started (step S1). Next, MBR (Master Boot Record) is loaded into the RAM 3 from the head sector of the HDD 2 by the BIOS and activated (step S3).

  Next, a dedicated loader stored in advance in the active partition table of the HDD 2 is loaded into the RAM 3 by the MBR, and a privilege level (ring R = −1 or 0) is given to a predetermined partial area of the physical memory 30 by the dedicated loader. Substantially set, the program of the monitoring module 130 read from outside the file system of the HDD 2 is loaded in this area (step S5). In the above description, the meaning of the ring R = −1 or 0 substantially includes a mode in which the VT-x virtualization support technology is applied and a case of a normal computer, and in any case, a privilege higher than that of the OS 3112. It means that the level is set. When the loading process of the monitoring module 130 is completed, the control of the CPU 1 is transferred to the monitoring module 130, and the boot manager 302 is activated by the boot processing unit of the monitoring module 130 (step S7). Here, ring R = 0 (or 1 or 2) is set as a privilege level in the kernel mode area 311. In this state, the PBR (Partition Boot Record) and IPL created by the boot processing unit of the monitoring module 130 are set. In (Initial Program Loader), the page table 303, the system table 3113 including GDT, and the OS 3112 (including the driver) are loaded into the kernel mode area 311 and activated (step S9). As a result, the monitoring module 130 can see everything in the computer.

  Next, when the booting of the OS 3112 is completed (Yes in step S11), for example, when the first page fault (#PF) is issued, the APP 3121,... Is loaded with the privilege level of ring R = 3 (step S13). The map shown in FIGS. 2 and 3 is completed by this activation process.

  At the time of start-up, the monitoring module 130 validates each setting of the real mode, the protect mode, the IA32e mode (64-bit mode), and the 16-bit SMM (System Management mode) mode, and the page table 303 as the operation mode of the CPU 1. Execute each process of enabling Syscall. The monitoring module 130 also initializes the register unit 123 and initializes environment setting values.

  Returning to FIG. 3, the function of the monitoring module 130 will be described. The memory management unit 1301 of the monitoring module 130 monitors the flow of data between the memory controller 11 and the CPU 1. For example, as a result, the monitoring module 130 manages both the linear address and the physical address and performs linear operation. Addressing the modification of the address and the modification of the physical address, and monitoring for restricting access to changing the environment setting value in the register unit 123 for programs other than the OS (kernel).

  In the present embodiment, the analysis unit of the monitoring module 130 functionally includes a first analysis unit 1302 and a second analysis unit 1304. The first analysis unit 1302 analyzes whether the decoded instruction code is a basic instruction code defined by 4 bits or any other instruction code.

  FIG. 5 shows an instruction format having a predetermined format. As is well known, the instruction format is composed of a part describing an instruction and data and parameter parts. The instruction format consists of 1 byte prefix, 1 or 2 byte opcode (instruction part), 1 byte ModR / M, SIB (Scale Index Base), displacement, and immediate value from the beginning. Has been. The opcode part has a variable length, the basic instruction is described in 4 bits, and the extension instruction is described in 2 bytes.

  The 4-bit basic instruction maintains the 4-bit design philosophy, that is, the basic instruction is execution instruction processing at the time of 4-bit, and mov (transfer, copy), jmp (branch), calculation, An instruction that performs logic, comparison, In / Out, or the like. The basic instruction is composed of 1 byte, and 16 types of instructions (referred to as basic instructions) are defined by the lower 4 bits when the upper 4 bits are “1”.

  On the other hand, extended commands are used for control commands for various operations and multitask processing in addition to operation instructions via the input unit 41 of the information processing apparatus 100 due to the appearance of various peripheral devices, connection to a network, and the like. A control command to a register as a machine switch of mov, jmp for control, and many other control commands are prepared. The extension instruction is composed of 2 bytes, and when the first byte is “0F”, the extension instruction is defined at the second byte. Examples of the extended instructions include various syscall instructions, sysenter instructions prepared for system calls, and a wrmsr instruction that defines the validity / invalidity of the extended instruction function. The extended function enables various control instructions and multitask instructions to be set by combining a prefix, a 2-byte opcode, and a ModR / M part.

  In FIG. 3, the first analysis unit 1302 guides the instruction code to the instruction execution unit 131 if the analysis result is a basic instruction code, and guides the instruction code to the hardware interrupt processing unit 1303 in the case of other instruction codes.

  If the result of analysis by the first analysis unit 1302 is not a basic instruction code (if it is any other instruction code), the hardware interrupt processing unit 1303 executes a hook operation, that is, an interrupt process, Is guided to the second analysis unit 1304. Note that the interrupt process can be restored upon completion of the analysis by the second analysis unit 1304.

  Does the second analysis unit 1304 analyze an instruction other than the basic instruction or a set (process) of the basic instruction and an instruction other than the basic instruction based on the rule of the rule information unit 1306 and corresponds to the preparation for the attack? Decide whether or not. When the analysis target is a process, the second analysis unit 1304 sequentially analyzes whether or not the process falls under preparation every time the instruction code is decoded. The attack itself can be prevented in advance. When the second analysis unit 1304 (or one of the control units 1305 to be described later) determines that the analysis result for the step at a certain time point does not yet correspond to the preparation for the attack, the instruction execution unit of the analyzed instruction code Execution at 131 is permitted. As a result, a process (consisting of a sequence of instructions of a plurality of steps) that was not finally prepared for an attack can be continuously executed more naturally.

  The control unit 1305 outputs a control signal for performing constant control on the execution of the program when the result of analysis by the second analysis unit 1304 is determined immediately or finally as preparation for an attack. This control signal may be a signal that invalidates the program being executed, that is, performs processing such as stopping execution of the program, deleting execution results up to that point, and resetting. The instruction code (including data and parameters) may be monitored by referring to the contents of the decoding unit 122. For example, a part of the E process in the process list 3114 may be used to function as an instruction code logger. Thus, monitoring may be performed.

  An attack on the information processing apparatus 100 means that a basic instruction code based on a 4-bit design philosophy issued in accordance with an operation from the input unit 41 of the information processing apparatus 100 is different from the process intended by the operator. It means that it is executed, regardless of whether there is actual damage or the form of damage. The preparation for the attack refers to a process for guiding the processing so that the processing is different from the processing intended by the operator. The process includes at least one-step instruction code other than the basic instruction or a plurality of steps including the one step.

  Moreover, various aspects are assumed as the timing of preparation for an attack. For example, during execution of a certain program, there is an aspect in which the basic instruction is taken by entering this program. Also, during execution of a plurality of programs (for example, programs A and B) by multitasking, one of the programs B is intruded (attack as the first step), and then the other program A is intervened. There is a mode of taking the basic command (attack as the second step). Further, there is a mode in which, during a period when the program is not being executed, the information processing apparatus 100 (computer) is intruded and prepared, and a basic instruction code issued in the subsequent execution of the program is taken away. Further, there is a mode in which an SMI instruction using an In / Out instruction makes a transition to SMM, which is an operation mode of the CPU, and performs an attack by operating outside the management of the OS. The monitoring module 130 analyzes whether or not all of these are prepared for an attack and prevents the attack in advance.

  When a malicious program attempts to attack using a basic instruction code, a preparatory action that the program itself tries to run without the intention of the operator, such as impersonation, copying, and rewriting, is required. From this point of view, the contract information unit 1306 stores information used when analyzing whether or not all instruction codes fall under preparation for an attack. All instruction codes to be analyzed are, for example, instruction codes of a process called an existing kernel API. For example, the contents of each item of data and parameters that are operands of instruction codes (location (path, token / authority, time, timing, etc.), issuer (data file name, execution file name, etc.), promotion of authority demotion, procedure It contains at least instruction codes other than procedure rules and basic instructions, where the location (path) is, for example, whether it is a file under C: \ ProgramFiles, and the instruction codes other than basic instructions are, for example, currently Whether the API is unused or non-public kernel mode, etc. The token may include authority values of user processes, system processes, service processes, and administrator processes having different authorities. Includes time information related to processing, etc. Includes timing information on the start of processing, etc. When a part of the instruction code data or the like is replaced with an execution file, a software interrupt, an instruction to rewrite the environment setting value of the register unit 123, etc. In addition, in the procedural procedure rule, a process consisting of a plurality of steps cannot be prepared as a preparation process for executing a basic instruction code based on the 4-bit design concept. Contains unnecessary behavior.

  As described above, the rules of the rule information unit 1306 are for maintaining (not changing) the protected program execution environment (program environment) constructed by the OS. For example, an environment that cannot interfere with each other is provided to the activated programs. Specifically, the page address table 303 provided by the CPU 1 is created separately for each program, thereby isolating the linear address space and making it impossible to access other programs. However, this environment can be changed (broken) by using a specific kernel API (syscall). In addition, since the memory area newly required by the program is used as a normal data area, the memory area secured by the kernel is a linear address space where CPU instructions cannot be executed. However, since the memory area secured by using the kernel API (syscall) can be changed to an executable area, this also changes the execution environment in violation of the rules.

  Moreover, the said rule regarding the execution environment of CPU1 becomes a CPU command unit, and it is considered as a violation of a rule when the command used only at the time of starting is used after a specific timing. For instructions used after startup, the program of the issuer is specified from the original analysis result, and the use instructions from other than that are violated the rules.

  FIG. 6 is a flowchart of the monitoring process I executed by the monitoring module 130. When the instruction code is decoded after the execution of the program is started, the first analysis and the second analysis processing are executed (step S21), and whether or not the analysis result corresponds to the preparation for the attack based on the contract information part 1306 (In other words, whether or not the program execution environment is ready to be changed. The same applies hereinafter) is determined (step S23). When it is determined that the analysis result does not correspond to the preparation for the attack, the instruction code is directly guided to the instruction execution unit 131. Then, it is determined whether or not the program has ended (step S25). If the program is being continued, the process returns to step S21 and the same analysis process is continued.

  On the other hand, if it is determined in step S23 that the analysis result corresponds to the preparation for the attack, a control signal is output from the control unit 1305, the program being executed is invalidated (step S27), and this flow ends. .

  FIG. 7 is a flowchart of the monitoring process II executed by the monitoring module 130. When the first syscall instruction (beginning of the process) is decoded at a certain timing during the execution of any program (step S31), the first analysis is performed on each instruction code decoded after the syscall instruction. Then, the second analysis process is executed (step S33), and each time it is determined whether or not the analysis result corresponds to the preparation for the attack (whether it is appropriate) (step S35). If it is determined that the analysis result does not correspond to attack preparation, the instruction code is guided to the instruction execution unit 131. Next, it is determined whether or not a syscall instruction corresponding to the end of the current process has been issued (step S37). If it is determined that the syscall instruction does not correspond to the end of the process, the process returns to step S33. That is, the processing from step S33 to step S37 is repeatedly executed. When it is determined that the analysis result corresponds to the preparation for the attack, a control signal is output from the control unit 1305, the program being executed is invalidated (step S39), and this flow is terminated.

  On the other hand, if it is determined in step S37 that the instruction is a syscall instruction corresponding to the process end, it is determined whether or not the program is ended (step S41). If not, the current syscall instruction is replaced for process start. Then (step S43), the process returns to step S33. Thereby, the presence or absence of an attack preparation within the scope of the process is monitored.

  FIG. 8 is a flowchart of the monitoring process III executed by the monitoring module 130. During the program execution, it is analyzed whether the issued instruction code is a wrmsr instruction (step S51). If the result of the analysis is not the wrmsr instruction, it is then determined whether or not the program has been completed (step S53). If not, the process returns to step S51, and if it has been completed, this flow is terminated. On the other hand, if the analysis result is the wrmsr instruction in step S51, the control unit 1305 outputs a control signal, invalidating the program being executed, and the like (step S55). End the flow.

  FIG. 9 is a flowchart of the monitoring process IV executed by the monitoring module 130. While the basic instruction code is being executed, the SMM is issued by issuing an SMI interrupt, and the extended instruction code is executed. This extended instruction code causes an attack by changing the CPU operation mode, prefix, and other parameters. Done. In the embodiment shown in FIG. 9, first, during execution of the program, it is analyzed whether or not the issued instruction code is a system management interrupt (SMI) instruction (step S61). If the result of the analysis is not an SMI instruction, it is then determined whether or not the program has ended (step S63). If it is not ended, the process returns to step S61. On the other hand, if the analysis result is an SMI command in step S61, the control unit 1305 outputs a control signal, invalidating the program being executed, and the like (step S65). End the flow.

  Note that the monitoring processes shown in FIGS. 6 to 9 may be employed individually, or may employ any two or more types, and it is preferable to employ all the monitoring processes.

  Next, a specific example corresponding to the preparatory operation for the attack (change of the program execution environment) will be described.

(1) Example of access to control register (2 steps)
1) mov eax, 0x8xxxxxxx (Opecode: B8xxxxxxxx)
2) mov cr0, rax (Opecode: 0F2xxx)
For a general-purpose register as an operand to be set in the control register cr0, a process for setting an immediate value in the preceding step 1) (for example, enabling the protection mode and the page table at the same time) Processing) corresponds to the preparation of the attack.

(2) Example of access to msr register (4 steps)
1) mov ecx, 0xCxxxxxxx (Opecode: B9xxxxxxxx)
2) mov edx, 0xFxxxxxxx (Opecode: BAxxxxxxx)
3) mov eax, 0x12xxxxxx ・ (Opecode: B8xxxxxxxx)
4) wrmsr (Opecode: 0Fxx)
This is a process for setting (preparing) a call destination address (Entry Point) of ring R = 0 when a syscall instruction is issued. The fact that the call destination address set in the msr register is divided into upper and lower 4 bits is set in preparation for an attack.

(3) Calling example of kernel API (8 steps)
1) mov rcx, [rsp] (Opecode: 488xxxxxxx)
2) lea rdx, [rsp + 0x10] (Opecode: 488xxxxxxx)
3) lea r8, [rsp + 0x20] ・ (Opecode: 4c8xxxxxxx)
4) mov r9d, 0x01 (Opecode: 41Bxxxxxxx)
5) push byte 0xxx ・ ・ (Opecode: 6xxxx)
6) mov eax, 0xxx ・ (Opecode: B8xxxxxxx)
7) mov r10, rcx (Opecode: 49xxxx)
8) syscall (Opecode: 0Fxx)
The process of erasing a file in the main memory before storing it in the HDD 2 corresponds to preparation for an attack in a broad sense as a trace concealment process.

  The following aspects can be employed in the present invention.

(1) The monitoring module 130 is not limited to the structure of this embodiment, For example, one module may be sufficient. Further, the second analysis unit may execute the function of the control unit 1305. The hardware interrupt processing unit 1303 may be a functional unit that executes a general hook function. The hardware interrupt processing unit 1303 may interrupt all instruction codes.

(2) In the aspect in which the present invention is applied to the virtualization support technology VT, the monitoring module 130 is read out to the virtual machine monitor (VMM) area.

(3) Analysis may be omitted for basic instruction codes, or analysis may be performed within a certain range. For example, the contents of parameters may be checked.

(4) In the above-described embodiment, the configuration and method for restricting the behavior of an invading malicious program have been described. However, a countermeasure for preventing the invasion of a malicious program may be separately taken.

100 Information processing apparatus 1 CPU (computer)
11 Memory Controller 130 Monitoring Module (Information Processing Monitoring Device)
1301 Memory Management Unit 1302 First Analysis Unit 1303 Hardware Interrupt Processing Unit 1304 Second Analysis Unit 1305 Control Unit 1306 Rule Information Unit 2 HDD
3 RAM
3112 OS (kernel)

Claims (16)

Set to a privilege level higher than that of the operating system that analyzes whether a process including at least one fetched instruction code other than the basic instruction code is a preparatory process that changes execution of the basic instruction code that is issued thereafter to an attack. Analyzed means,
An information processing monitoring apparatus comprising: a control means for setting the same privilege level as the high privilege level, which controls the execution of the process when the analysis means analyzes that the process is the preparation process .   A first analyzing unit that analyzes whether the fetched instruction code is a basic instruction code; and if the first analyzing unit analyzes that the fetched instruction code is not a basic instruction code, whether the process is a preparation process or not The information processing monitoring apparatus according to claim 1, further comprising: a second analysis unit that analyzes   The analysis unit guides the instruction code of the process to an instruction execution unit when the fetched instruction code is analyzed as a basic instruction code and when the process is analyzed as not being the preparation process. Information processing monitoring device according to claim 1.   The information processing monitoring apparatus according to claim 1, further comprising an interrupt unit that issues an interrupt each time an instruction code other than the basic instruction code is fetched.   The information processing monitoring apparatus according to claim 1, wherein the analysis unit analyzes a process including an extended instruction code.   The information processing monitoring apparatus according to claim 1, wherein the analysis unit analyzes a process including a syscall instruction.   The information processing monitoring apparatus according to claim 1, wherein the analysis unit performs analysis on a process including an instruction code from a process start syscall instruction to a process end syscall instruction.   The information processing monitoring apparatus according to claim 1, wherein the analysis unit analyzes whether the instruction code rewrites the msr register.   The information processing monitoring apparatus according to claim 1, further comprising a rule information storage unit that stores rule information for analyzing whether the preparation process is performed. The information processing monitoring apparatus according to claim 1, wherein the rule information is for a kernel API.   The information processing monitoring apparatus according to claim 1, wherein the control unit stops execution of an instruction code issued after being analyzed as the preparation process.   The information processing monitoring apparatus according to claim 1, further comprising a boot processing unit that activates the analysis unit and the control unit prior to the operating system.   An information processing apparatus comprising the information processing monitoring apparatus according to claim 1. Set to a privilege level higher than that of the operating system that analyzes whether a process including at least one fetched instruction code other than the basic instruction code is a preparatory process that changes execution of the basic instruction code that is issued thereafter to an attack. Analysis steps performed,
An information processing monitoring method comprising: a control step in which the same privilege level as the high privilege level is set, which controls the execution of the process when the analysis step is analyzed as the preparation process .   A computer-readable recording medium storing a program that causes a computer to function as the information processing monitoring apparatus according to claim 1.   The program which makes a computer function as an information processing monitoring apparatus in any one of Claims 1-12.

Images