JP2019008732A - Access control device, access control method and access control program - Google Patents

Abstract

To prevent integrity of an access destination file from being lost by an access source process.SOLUTION: An access detection and control part 14 of an access control device 10 detects access to a file by a process. A file data integrity determination part 16 determines, based upon file data, whether the file is altered. An access source process integrity determination part 17 determines whether identification information on an access source process is included in identification information of a permitted process permitted to access the file. An access control determination part 19 determines that access by the access source process is safe when it is determined that the file that the access source process is to access is not altered and when it is determined that the identification information of the access source process is included in the identification information of the permitted process, and determines that the access by the access source process is risky when not.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an access control device, an access control method, and an access control program.

  Conventionally, there is an application control technique in which applications and application components (such as library files and setting files) that are allowed to exist and operate on a computer are registered in advance in a white list. This application control technology allows the operation if the application and application components are whitelisted and the integrity of these files has been verified and is not whitelisted, or When the integrity of these files is lost, the operation is not permitted (see, for example, Non-Patent Document 1). File integrity means, for example, that the file has not been tampered with.

  From the viewpoint of controlling access to a file, an application and an application component are access destination files, and an application process that refers to a library or a setting file can be regarded as an access source process. The above-described conventional technique permits the intended file access by the access source process only when the integrity of the access destination file can be confirmed.

Adam Sedgewick et al., “Guide to Application Whitelisting”, [online], NIST Special Publication 800-167, National Institute of Standards and Technology, [Search June 12, 2017], Internet <URL: http: // nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf>

  However, although the above-described conventional technology can confirm the integrity of the access destination file in file access, it cannot confirm the integrity of the access source process accessing the file. The loss of the integrity of the access source process includes, for example, that the access source process is an inappropriate process such as malware. Therefore, there is a problem that it is impossible to prevent the integrity of the access destination file from being lost as a result of the file access by the access source process.

  When the access destination file is an execution file, library, setting file, input / output file, or the like of the application process, if the access destination file has been tampered with, the application process may operate illegally. On the other hand, if the access source process is illegal such as falsified, the access destination file may be illegally altered by accessing the process. Furthermore, there is a possibility that the access destination file altered in such a manner may lead to an unauthorized operation of another application process. That is, in order to confirm the safety of file access, it is necessary to confirm both the integrity of the access destination file and the integrity of the access source process.

  In the above-described prior art, if it is possible to create an exhaustive and accurate application white list, it is possible to prevent execution of an application process lacking in integrity on a computer system. There is no need to check the completeness of the access source process. However, creating and maintaining an exhaustive and accurate application whitelist in a general environment is costly and difficult.

  An example of an embodiment disclosed in the present application has been made in view of the above, and an object thereof is to prevent loss of integrity of an access destination file by an access source process.

  In one example of an embodiment of the present application, an access control device includes a storage unit that stores identification information of a permitted process permitted to access a file for each file, and a detection unit that detects access of an access source process to the file. A file determination unit that determines whether the file has been tampered with based on the file data of the file, and identification information of the access source process in which access to the file is detected by the detection unit is the identification of the permitted process A process determination unit that determines whether or not the information is included in the information, and the file determination unit determines that the file that the access source process is trying to access has not been tampered with, and the identification information of the access source process Is included in the identification information of the authorization process. In this case, it is determined that access of the access source process to the file is safe and it is determined that the file has been tampered with, or the identification information of the access source process is included in the identification information of the permitted process. And an access control determination unit that determines that the access source process accesses the file as dangerous.

  According to an example of the embodiment of the present application, for example, it is possible to prevent the integrity of the access destination file from being lost as a result of the file access by the access source process.

FIG. 1 is a diagram illustrating an example of a relationship among a file, a dependent process, and an access source process. FIG. 2 is a diagram illustrating an example of the relationship between the control flag, file data integrity, and access source process integrity. FIG. 3 is a diagram illustrating an example of recursive integrity confirmation of files and processes. FIG. 4 is a diagram illustrating an example of the configuration of the access control apparatus according to the first embodiment. FIG. 5 is a diagram illustrating an example of an access target file list, a process ACL, a dependent process list, and an incomplete process list according to the first embodiment. FIG. 6 is a diagram illustrating an example of a determination result list according to the first embodiment. FIG. 7 is a flowchart illustrating an example of the initial setting process according to the first embodiment. FIG. 8 is a flowchart illustrating an example of the file access control process according to the first embodiment. FIG. 9 is a diagram illustrating an example of the configuration of the access control apparatus according to the second embodiment. FIG. 10 is a diagram illustrating an example of an access target file list and a process ACL according to the second embodiment. FIG. 11 is a flowchart illustrating an example of a file access control process according to the second embodiment. FIG. 12 is a diagram illustrating an example of a computer in which an access control apparatus is realized by executing a program.

  Hereinafter, an embodiment of an access control device, an access control method, and an access control program as an example of an embodiment of the present application will be described. In addition, the following embodiment shows only an example and does not limit this application. In each of the following embodiments, the description of the same configuration and the same processing as described above will be omitted. Moreover, each embodiment shown below can be combined suitably in the range which is not contradictory.

[Embodiment 1]
(Relationship between files, dependent processes, and access source processes)
Prior to the description of the first embodiment, file access control will be described. FIG. 1 is a diagram illustrating an example of a relationship among a file, a dependent process, and an access source process. In FIG. 1, it is assumed that the access source process, the file F, and the dependent process are managed by the operating system. Note that FIG. 1 is merely an example, and the number of access source processes, files F, and dependent processes, file access relationships, and dependency relationships are not limited to those illustrated.

  The file F illustrated in FIG. 1 is a data file, a setting file, a program file, a script file, or the like. The program file is an execution file, a library file, or the like. Here, the fact that the file F has “file data integrity V1” means that the digest value (for example, hash value) of the file data of the file F matches the reference digest value of the file F that is defined in advance.

  In addition, the dependency process illustrated in FIG. 1 has the correctness of the operation of the dependency process (hereinafter referred to as “dependence process integrity”) as “file data integrity V1” of the file F in which the dependency process is dependent. It is a dependent process. The dependent process is an application process, an operating system, an interpreter process, or the like.

  For example, the dependent process is an application process whose dependent process integrity depends on the “file data integrity V1” of the file F that is an execution file of the application process. Further, for example, the dependent process is an application process whose dependency process integrity depends on “file data integrity V1” of the file F that is a library file of the application process.

  Further, for example, the dependent process is an application process whose dependent process integrity depends on “file data integrity V1” of the file F that is a data file of input data to the application process. Further, for example, the dependent process is an application process whose dependency process integrity depends on “file data integrity V1” of the file F that is a setting file of the application process. The dependent process is identified by the execution file path of the dependent process through the operating system.

  The access source process illustrated in FIG. 1 is a process for accessing the file F. The access source process is an application process, an operating system, an interpreter process, etc. as well as a dependent process.

  For example, the access source process is an application process that references or updates a file F that is a data file. For example, the access source process is an application process that refers to the file F that is a setting file. Further, for example, the access source process is an operating system that executes a file F that is a program file. For example, the access source process is an interpreter process that executes a file F that is a script file.

  Here, the access source process having “access source process integrity V2” means that the access source process is registered in the process ACL (Access Control List) as a process in which file access to the file F is permitted. In addition, a file on which the access source process is dependent has “file data integrity V1”. The access source process is identified by the execution file path or the like of the access source process via the operating system. In FIG. 1, the file with which the access source process is dependent is a file (not shown).

  Here, when the access source process does not have “access source process integrity V2”, the file F may not have “file data integrity V1” as a result of the file access to the file F by the access source process. Arise. Further, if the file F does not have “file data integrity V1”, the dependent process may not have “access source process integrity V2” when acting as the access source process. Thus, “file data integrity V1” and “access source process integrity V2” propagate recursively.

(Access control judgment)
Therefore, in the first embodiment, when the access source process starts file access to the file F and when it is detected that the reference or update of the file F is not performed, the file access of the access source process is performed. It is temporarily stopped and “access control V4” is determined. The access source process has started file access to the file F, for example, that the access source process has instructed the operating system to open the file F, or that the operating system has detected the start event of the file F. Say. The determination of “access control V4” includes determination of “file data integrity V1”, “access source process integrity V2”, and “access integrity V3”.

  In the determination of the “file data integrity V1” of the file F, the digest value of the file data of the file F is calculated, and whether the calculated digest value matches the predefined reference digest value of the file data. Determine whether or not. As a result of comparing the digest value of the file F with the reference digest value, if both match, the determination result of the “file data integrity V1” of the file F is determined to be OK, and if both do not match, the file F The determination result of “file data integrity V1” is determined as NG.

  The determination of “file data integrity V1” is executed when the file F is a “data fixed file” such as a program file and the file data is not updated and is fixed, and the file data such as a log file is updated. If it is a “data fluctuation file”, it is not executed.

  In the determination of “access source process integrity V2”, the access source process is registered in the process ACL as a process in which file access is permitted for the file F, and the access source process has a dependency relationship. It is determined whether or not the determination result of “file data integrity V1” is OK. If the access source process is registered in the process ACL and the determination result of “file data integrity V1” of the file having the dependency on the access source process is OK, the “access source process complete” of the access source process The determination result of “character V2” is determined to be OK. On the other hand, if the access source process is not registered in the process ACL or the determination result of “file data integrity V1” of the file having the dependency on the access source process is NG, the “access source of the access source process” The determination result of “process integrity V2 determination” is determined to be NG.

  In the determination of “access integrity V3”, if the determination results of “file data integrity V1” and “access source process integrity V2” are not NG, “access integrity V3” of the file access to the file F by the access source process. "Is determined to be OK (safe). On the other hand, if either of the determination results of “file data integrity V1 determination” or “access source process integrity V2 determination” is NG, the determination result of “access integrity V3” of file access to the file F by the access source process Is judged as NG (dangerous).

  In the first embodiment, “access control V4” is performed according to the “control flag”. The “control flag” designates an operation mode when either of the determination results of “file data integrity V1” or “access source process integrity V2” set for each file F is NG. The operation modes specified by the “control flag” include “recording mode” and “cut-off mode”.

  In the “recording mode”, each determination result of “file data integrity V1” and “access source process integrity V2” is recorded, and file access to the file F by the access source process is permitted. In the “blocking mode”, file access to the file F of the access source process is blocked. By setting the “blocking mode” or “recording mode” for each file F, flexible file access control and management becomes possible.

  The “blocking mode” is more secure than the “recording mode”, but since there are many cases where risk analysis is performed afterwards, file access to the file F of the access source process is possible even in the “blocking mode”. Each determination result of “file data integrity V1” and “access source process integrity V2” may be recorded.

  In the determination of “access control V4”, based on the determination result of “access integrity V3” and the “control flag”, “permitted” or “blocked” file access to the file F of the access source process that has been suspended is determined. judge. In the determination of “access control V4”, when the determination result of “access integrity V3” is OK or the “control flag” is “recording mode”, the access to the file F by the access source process is determined to be “permitted”. To do. In “access control V4”, if the determination result of “access integrity V3” is NG and the “control flag” is “blocking mode”, the file access to the file F by the access source process is determined to be “blocking”. To do.

(Relationship between control flags and file data integrity and access source process integrity)
FIG. 2 is a diagram illustrating an example of the relationship between the control flag, file data integrity, and access source process integrity. When the file F is a “data fixed file”, since the data such as a program file is not updated, the digest value is a fixed value, and “file data integrity V1” can be determined. On the other hand, when the file F is a “data fluctuation file”, since the data such as the log file is updated, the digest value is not a fixed value and “file data integrity V1” cannot be determined.

  As shown in FIG. 2A, in the case of “control flag” “recording mode” and the determination result of “file data integrity V1” is NG, the classification of file F is “data fixed file”. If there is, there is a “risk in the integrity of dependent processes”. The existence of “risk in the integrity of the dependent process” means that the incompleteness risk of the file F may be propagated to the dependent process.

  Further, in the case of “control flag” “recording mode” and the determination result of “access source process integrity V2” is NG, if the classification of the file F is “data fixed file”, There is a “risk” in integrity. The presence of “risk in the integrity of file F” means that the incompleteness risk of the access source process may be propagated to file F.

  Further, as shown in FIG. 2A, in the case of “control flag” “recording mode” and the file F classification is “data fluctuation file”, the completeness V1 of the file data cannot be determined. There is no case where the integrity of the file data V1 is NG. Further, in the case of “control flag” “recording mode” and the determination result of “access source process integrity V2” is NG, if the classification of the file F is “data fluctuation file”, “Risk in completeness” and “risk in dependent process integrity”.

  In FIG. 2A, even when the “control flag” is “recording mode” and the determination result of “access source process integrity V2” for the file F which is “data fixed file” is NG. Until the next access to the file F is detected, there is no process for accessing the file F, and therefore there is no “risk in the integrity of dependent processes” of the file F. If the determination result of the “file data integrity V1 determination” of the file F is determined to be NG during subsequent access to the file F, “risk in dependency process integrity” occurs. Further, in FIG. 2A, when the determination result of “access source process integrity V2” for the file F which is a “data fluctuation file” is NG, the “dependence process integrity of the file F at that time is determined. "Risk" occurs.

  Further, as shown in FIG. 2B, in the case of “control flag” “blocking mode” and the determination result of “file data integrity V1” is NG, the classification of file F is “data fixed”. If it is a "file", it "protects the integrity of dependent processes". In the case of “control flag” “blocking mode” and the determination result of “access source process integrity V2” is NG, if the classification of file F is “data fixed file”, “file F Protects the integrity of

  Further, as shown in FIG. 2B, when the control flag is “blocking mode” and the classification of the file F is “data fluctuation file”, the completeness V1 of the file data cannot be determined. There is no case where the integrity of the file data V1 is NG. In the case of “control flag” “blocking mode” and the confirmation result of “access source process integrity V2” is NG, if the classification of file F is “data fluctuation file”, “file F Protects the integrity of the dependent processes ”and“ protects the integrity of dependent processes ”.

(Recursive integrity check of files and processes)
FIG. 3 is a diagram illustrating an example of recursive integrity confirmation of files and processes. In the example of FIG. 3, for “monitoring target file” and “file 6”, there are “process that makes the monitoring target file a dependency target” and “monitoring target file permission process”. “Processes whose monitoring target file is a dependency target” are “process (AP4)” and “process (AP5)”. AP is an abbreviation for Application. The “monitored file permission process” is “process (AP2)” and “process (AP3)”.

  In addition, there is a “dependency target file of the monitoring target file permission process” for the “monitoring target file permission process”. “Dependent files of the monitoring target file permission process” include “file 2” to “file 5”.

  In addition, there is a “permission process of the dependency target file for the monitoring target file permission process” as opposed to the “dependency target file of the monitoring target file permission process”. “Process (AP1)” is the “permission process of the dependency target file of the monitoring target file permission process”.

  In addition, there is a “dependency target file for the dependency target file for the monitoring target file permission process” as opposed to a “permission process for the dependency target file for the monitoring target file permission process”. The “dependency target file of the permitted process of the permitted process file of the permitted process of the monitoring target file” is “file 1”.

  “File 1” is an execution file (AP1 execution file) of AP1 on which “process (AP1)” depends. For “file 1”, each determination of “file data integrity V1”, “access source process integrity V2”, and “access integrity V3” is executed during file access.

  “Process (AP1)” is a process that operates when “file 1” is executed. That is, “process (AP1)” is dependent on “file 1”. The “process (AP1)” accesses the “file 3” and the “file 4” during execution.

  “File 2” is an execution file of “Process (AP2)”. “File 3” is a library file of “Process (AP2)”. “File 4” is an input data file of “process (AP2)” and an output data file of “process (AP1)”. That is, the output data of “process (AP1)” is the input data of “process (AP2)”. “File 5” is an execution file of “process (AP3)”. Since these “file 2” to “file 3” and “file 5” are “data fixed files”, at the time of file access, “file data integrity V1”, “access source process integrity V2”, “access completeness”. Each determination of “characteristic V3” is executed. Further, since “file 4” is a “data variation file”, the determination of “file data integrity V1” is not executed at the time of file access, and “access source process integrity V2” and “access integrity V3” are performed. Each determination is performed.

  “Process (AP2)” is a process that operates by executing “file 2” and “file 3” and setting “file 4” as a file of input data. That is, “process (AP2)” is dependent on “file 2” to “file 4”. At the time of execution, “process (AP2)” accesses file “file 6” and outputs the output data of process (AP1) to “file 6”. The process (AP3) ”is a process that operates when“ file 5 ”is executed, that is,“ process (AP3) ”is dependent on“ file 5 ”. "Accesses the file" file 6 "at the time of execution.

  “File 6” is output data of “process (AP1)”. Since “file 6” is a “data fluctuation file”, the determination of “file data integrity V1” is not executed at the time of file access, and each of “access source process integrity V2” and “access integrity V3” is determined. Judgment is performed. “Process (AP4)” and “Process (AP5)” are processes having a dependency relationship with “File 6”.

  Thus, the presence or absence of “file data integrity V1” of “file 1” propagates from “process (AP1)” to “file 3” and “file 4”, but when “file 1” is tampered with In the case of “blocking mode”, “file 3” and “file 4”, and subsequent “process AP2” and “file 6” lose “file data integrity V1” of “file 1” due to tampering. It is cut off from the influence of. On the other hand, in the “record mode” of “file 1”, it is recorded that the loss of “file data integrity V1” is propagated in a chain from “file 1” to “process (AP2)”. The Based on this record, “access control V4” of “file 6” can be executed.

(Access Control Device of Embodiment 1)
FIG. 4 is a diagram illustrating an example of the configuration of the access control apparatus according to the first embodiment. The access control apparatus 10 according to the first embodiment is connected to a file management system 20. In the file management system 20, the access source process P1 operates on the operating system to access the access target file F1.

  The access control device 10 includes a storage unit 11, a control unit 12, an input / output unit 13, an access detection / control unit 14, a data acquisition unit 15, a file data integrity determination unit 16, an access source process integrity determination unit 17, an incomplete A process list management unit 18 and an access control determination unit 19 are included.

(Information stored in the storage unit)
FIG. 5 is a diagram illustrating an example of an access target file list, a process ACL, a dependent process list, and an incomplete process list according to the first embodiment. FIG. 6 is a diagram illustrating an example of a determination result list according to the first embodiment. The storage unit 11 is a storage device such as a magnetic storage device or a semiconductor storage device.

  As shown in FIG. 5, the storage unit 11 stores, as data to be initialized, an access target file list L1, a list group L2 for each record of the access target file list L1, and an incomplete process list generated from the list group L2. L3 is stored. Each list group L2 includes a file path L2-1, a process ACL_L2-2, and a dependent process list L2-3. The storage unit 11 stores a determination result list L4. The access target file list L1, the list group L2, the incomplete process list L3, and the determination result list L4 are recorded in a file, a DBMS (Data Base Management System), or a memory area of a program, and are referred to and updated.

  The access target file list L1 includes items of “file path”, “reference digest value”, “access source process integrity determination flag”, and “control flag”. “File path” is the file path of the access target file F1 of the access source process P1 in the file management system 20.

  The “reference digest value” is a reference digest value of the access target file F1 for determining “file data integrity V1” of the access target file F1, and the file function of the access target file F1 is a hash function such as SHA-256. It is the value converted by. When the access target file F1 is a file in which data such as a log file is changed or updated, the “reference digest value” is not defined.

  The “access source process integrity determination flag” is set to “YES” when determining “access source process integrity V2” of the access target file F1 in the file management system 20, and “NO” when not determining. If the access target file F1 is a file in which data such as a log file for which the “reference digest value” is not defined is changed or updated, “access source process integrity determination flag” “YES” is set. It is essential.

  “Control flag” “blocking mode” is a control for blocking file access to the access target file F1 if the determination result of either “file data integrity V1” or “access source process integrity V2” is NG. This is the operation mode to be performed. The “control flag” and “recording mode” block the file access to the access target file F1 even if the determination result of either “file data integrity V1” or “access source process integrity V2” is NG. This is an operation mode in which control is performed without permission and recording determination results of “file data integrity V1” and “access source process integrity V2”.

  For example, in the access target file list L1, the access target file F1 having the “file path” “d1 / d2 / f1” has the “reference digest value” as “h1 hash value” and the “access source process integrity determination flag” "Is" YES ", and" control flag "is" blocking mode ".

  The “access target file F1” in the access target file list L1 is not all the files on the file management system 20, but is the access destination file that is the protection target among the files on the file management system 20, and the access to these files. This is the dependency target file of the original process.

  The list group L2 corresponding to the record of “file path” “d1 / d2 / f1” in the access target file list L1 includes a file path L2-1 storing “d1 / d2 / f1”, a process ACL_L2-2, A dependency process list L2-3 is included. The process ACL_L2-2 is a list for each access target file F1, and stores an execution file of the access source process P1 that permits access to the access target file F1 of the “file path” “d1 / d2 / f1”. A list of file paths. The dependency process list L2-3 is a list for each access target file F1, and is a list of file paths in which execution files of the dependency processes that depend on the legitimacy of the operation for the access target file F1 are stored.

  For example, in the process ACL_L2-2, the “executable file path of the permitted process” for which the file access to the access target file F1 of the “file path” “d1 / d2 / f1” is permitted is “d1 / d2 / f1”. “D1 / d4 / f5”, “d1 / d5 / f7”, and so on. In the dependency process list L2-3, the “execution file path of the dependency process” that depends on the correctness of the operation with respect to the access target file F1 of the “file path” “d1 / d2 / f1” is “d1 / d2”. / f1 ”“ d1 / d4 / f5 ”...

  The incomplete process list L3 is generated and updated by the incomplete process list management unit 18 as a list shared by all the list groups L2. The incomplete process list L3 is a list that records an execution file path of a process that has a risk of impairing the integrity of the dependent process among the dependent processes whose file paths are registered in the dependent process list L2-3. “The integrity of the dependent process is impaired” means that “file data integrity V1” of the dependency target file on which the dependent process depends is impaired. The incomplete process list L3 is referred to together with the process ACL_L2-2 when determining “access source process integrity V2”.

  That is, when the file path of the execution file of the access source process P1 that accesses the access target file F1 is registered in the process ACL_L2-2 and not registered in the incomplete process list L3, “access source process completeness” The determination result of “V2” is determined to be OK. On the other hand, if the file path of the execution file of the access source process P1 that accesses the access target file F1 is not registered in the process ACL_L2-2 or registered in the incomplete process list L3, “access source process” The determination result of “completeness V2” is determined to be NG.

  The incomplete process list L3 depends on the determination result of “file data integrity V1” of the access target file F1 being NG and the “control flag” “recording mode” of the access target file F1. The execution file path of the dependent process registered in the process list L2-3 is added.

  The determination result list L4 is automatically generated and updated in order to record temporary storage data of determination result records for the suspended file access. In the determination result list L4, the determination result of “file data integrity V1” and the determination result of “access source process integrity V2” of the access target file F1 are recorded. If the determination results of “file data integrity V1” and “access source process integrity V2” are not NG, the determination result OK of “access integrity V3” is recorded in the determination result list L4, and “file When the determination result of at least one of “data integrity V1” and “access source process integrity V2” is NG, the determination result NG of “access integrity V3” is recorded.

  The determination result list L4 records the determination result of “access control V4” and “permitted” when the determination result of “access integrity V3” is OK or the “control flag” is “recording mode”. . On the other hand, in the determination result list L4, when the determination result of “access integrity V3” is NG and the “control flag” is “blocking mode”, the determination result of “access control V4” and “blocking” is recorded. .

  Returning to the description of FIG. The control unit 12 is a processing device such as a CPU (Central Processing Unit) and performs overall control of the access control device 10. The control unit 12 includes a storage unit 11, an input / output unit 13, an access detection / control unit 14, a data acquisition unit 15, a file data integrity determination unit 16, an access source process integrity determination unit 17, and an incomplete process list management unit 18. The access control determination unit 19 is controlled.

  The input / output unit 13 includes an access target file list L1, a file path L2-1 corresponding to all “file paths” registered in the access target file list L1, a process ACL_L2-2, and a dependent process list L2-3. An interface for registering the list group L2 is provided. Specifically, the input / output unit 13 inputs data that describes data of the list group L2 including the access target file list L1, the file path L2-1, the process ACL_L2-2, and the dependent process list L2-3. Is realized by a user interface for an operator to input. The input / output unit 13 is realized by a user interface that outputs output data as a log file or displays output data.

  On the file management system 20, the access detection / control unit 14 detects, for example, a state in which the access source process P1 opens the access target file F1 and the access to the file data of the access target file F1 is not performed. Suspend the file access. Then, the access detection / control unit 14 transmits the access source process ID and the access target file path to the control unit 12.

  Then, when the “access control V4” is “permitted”, the access detection / control unit 14 permits the file access that has been suspended by the file access detection and releases the suspension. In addition, when the “access control V4” is “blocked”, the access detection / control unit 14 blocks the file access that has been temporarily stopped by the file access detection. The access detection / control unit 14 can perform access detection and control for file access on the Linux file system using, for example, fanotify which is an API (Application Programming Interface) of Linux (registered trademark, the same applies hereinafter). . As another example, in order for the operating system to execute a program, an opportunity to access a program file can be detected and controlled.

  The data acquisition unit 15 receives the access source process ID from the control unit 12, and inputs the execution file path of the access source process P1 to the control unit 12. Then, the data acquisition unit 15 acquires the file data of the access target file F1 and inputs it to the control unit 12. The function of the data acquisition unit 15 can be realized by using the function of the operating system.

  When the reference digest value corresponding to the file path of the access target file F1 is defined in the access target file list L1 of the storage unit 11, the file data integrity determination unit 16 determines that the access target file F1 is “data fixed file”. If "," the digest value of the file data of the access target file F1 is calculated, and the calculated digest value is compared with the reference digest value. The file data integrity determination unit 16 determines that the determination result of “file data integrity V1” is OK when the comparison results match, and determines the determination result of “file data integrity V1” when they do not match. Is determined to be NG. Note that when the access target file F1 is a “data variation file”, the file data integrity determination unit 16 does not define a reference digest value corresponding to the file path of the access target file F1, and “file data integrity Since the determination of “V1” is not performed, there is no determination result, and the determination result is “NA”.

  The access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1, and the incomplete process list L3 includes the execution file of the access source process P1. Judgment of authenticity of “no pass description”. The access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1, and the incomplete process list L3 includes the execution file of the access source process P1. If “no path description” is true, the determination result of “access source process integrity V2” is OK.

  On the other hand, the access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1, and the incomplete process list L3 includes the access source process P1. If “execution file path is not described” is false, the determination result of “access source process integrity V2” is determined to be NG.

  When the “file data integrity V1” of the access target file F1 is the determination result NG and the “control flag” of the access target file F1 is “recording mode”, the incomplete process list management unit 18 The execution file path described in the dependent process list L2-3 of the access target file F1 is added to the incomplete process list L3.

  The access control determination unit 19 includes both the determination result of “file data integrity V1” by the file data integrity determination unit 16 and the determination result of “access source process integrity V2” by the access source process integrity determination unit 17. If it is not NG, the determination result of “access integrity V3” is determined to be OK. The access control determination unit 19 also determines the result of “file data integrity V1” by the file data integrity determination unit 16 and the result of determination of “access source process integrity V2” by the access source process integrity determination unit 17. When any of the above is NG, the determination result of “access integrity V3” is determined to be NG.

  Then, the access control determination unit 19 determines that “access control V4” is “permitted” when the determination result of “access integrity V3” is OK or the “control flag” is “recording mode”. The access control determination unit 19 determines that “access control V4” is “blocking” when the determination result NG of “access integrity V3” is “NG” and the “control flag” is “blocking mode”.

(Initial setting process of Embodiment 1)
FIG. 7 is a flowchart illustrating an example of the initial setting process according to the first embodiment. The initial setting process of the first embodiment is executed by the control unit 12 of the access control apparatus 10 when operated by the operator. In step S11, the control unit 12 receives files corresponding to all “file paths” described in the access target file list L1 and the access target file list L1 via the input / output unit 13 in accordance with an instruction from the operator. The initial setting registration of the list group L2 including the path L2-1, the process ACL_L2-2, and the dependent process list L2-3 is accepted and stored in the storage unit 11. When step S11 ends, the control unit 12 ends the initial setting process of the first embodiment.

(File access control processing of Embodiment 1)
FIG. 8 is a flowchart illustrating an example of the file access control process according to the first embodiment. The initial setting process of the first embodiment is executed by the access control device 10 as needed. First, in step S21, the access detection / control unit 14 is in a state in which the access source process P1 opens the access target file F1 and the access to the file data of the access target file F1 is not performed on the file management system 20. Is detected and access is temporarily stopped. Then, the access detection / control unit 14 transmits the access source process ID and the access target file path to the control unit 12 (step S21).

  Next, in step S22, the data acquisition unit 15 receives the access source process ID from the control unit 12, inputs the execution file path of the access source process P1 to the control unit 12, and sets the file path of the access target file F1. File data is acquired and input to the control unit 12.

  Next, in step S23, the file data integrity determination unit 16 determines that the reference digest value corresponding to the access target file path is defined in the access target file list L1 of the storage unit 11, that is, “data fixed file”. If there is, the digest value of the file data of the access target file F1 is calculated, and the calculated digest value is compared with the reference digest value. Then, the file data integrity determination unit 16 determines that the determination result of “file data integrity V1” of the access target file F1 is OK if the calculated digest value and the reference digest value match, and if they do not match. For example, the determination result of “file data integrity V1” of the access target file F1 is determined to be NG. In step S23, when the access target file F1 is the “data variation file”, the file data integrity determination unit 16 does not define a reference digest value corresponding to the file path of the access target file F1, and “ Since the determination of “file data integrity V1” is not performed, there is no determination result, and the determination result is “NA” (step S23).

  Next, in step S24, the access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 has a description of the execution file path of the access source process P1 and the incomplete process list L3. Whether the execution file path of the access source process P1 is not described "is determined. The access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1, and the incomplete process list L3 includes the execution file of the access source process P1. If “no path description” is true, the determination result of “access source process integrity V2” is OK. On the other hand, the access source process integrity determination unit 17 states that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1, and the incomplete process list L3 includes the access source process P1. If “no execution file path is described” is false, the determination result of “access source process integrity V2” is NG (step S24).

  Next, in step S25, the incomplete process list management unit 18 determines that “the determination result NG of“ file data integrity V1 ”of the access target file F1 is NG” and the “control flag” of the access target file F1 is “recorded” When it is “mode”, the execution file path of the dependent process described in the dependent process list L2-3 of the access target file F1 is added to the incomplete process list L3.

  Next, in step S26, the access control determination unit 19 determines that “access integrity V3” when both “file data integrity V1” in step S23 and “access source process integrity V2” in step S24 are not NG. Is determined to be OK. The access control determination unit 19 determines “access integrity V3” when the determination result of “file data integrity V1” in step S23 and “access source process integrity V2” in step S24 is NG. The result is determined as NG. Then, the access control determination unit 19 determines that “access control V4” is “permitted” when “access integrity V3” is “OK” or “control flag” is “recording mode”. Further, the access control determination unit 19 determines that “access control V4” is “blocking” when “access integrity V3” is the determination result NG and “control flag” is “blocking mode” (steps above). S26).

  Next, in step S27, when the “access control V4” is “permitted”, the access detection / control unit 14 permits the file access that has been temporarily stopped by the file access detection in step S21. Further, when the “access control V4” is “blocked”, the access detection / control unit 14 blocks the file access that has been temporarily stopped by the file access detection in step S21 (step S27). When step S27 ends, the access control apparatus 10 ends the file access control process of the first embodiment.

  According to the first embodiment described above, it is determined whether or not the access from the program process to the file on the file system is appropriate. It is determined that access to a file that lacks integrity, access to a file from a program process that is not permitted to access, and access to a file from a program process that depends on a file that lacks integrity, is inappropriate. Block access or leave a record of improper access.

  For example, in file access, by determining the integrity of the access source process, if the access source process is an inappropriate process such as malware, the file access by the access source process is blocked, and the access destination file is complete Can be prevented from being lost. Furthermore, by defining whether the access mode is the recording mode or the blocking mode for each access destination file and using the incomplete process list, even if the access source process is an incomplete process, the access source process is allowed to access the file. Record file access log in recording mode. Therefore, it is possible to perform flexible file access control by following a record of a chain of integrity loss propagating from file → process → file.

(Modification of Embodiment 1)
In the modification of the first embodiment, instead of the incomplete process list L3, among the dependent processes whose file paths are registered in the dependent process list L2-3, a list of complete processes that have not lost the integrity of the dependent processes May be used. Alternatively, instead of the incomplete process list L3, a list in which information indicating either complete or incomplete is associated with all the processes of the dependent processes whose file paths are registered in the dependent process list L2-3 is used. May be.

[Embodiment 2]
In the first embodiment, the access control device 10 generates, in the storage unit 11, a list group L2 including an access target file list L1, a file path L2-1, a process ACL_L2-2, a dependent process list L2-3, and a list group L2. Stored incomplete process list L3. However, it may be implemented in a form in which the “control flag” is excluded from the access target file list L1, and the dependent process list L2-3 and the incomplete process list L3 are omitted from the list group L2. Hereinafter, the second embodiment will be described.

(Information stored in the file access control device and the storage unit of the second embodiment)
FIG. 9 is a diagram illustrating an example of the configuration of the access control apparatus according to the second embodiment. FIG. 10 is a diagram illustrating an example of an access target file list and a process ACL according to the second embodiment. Compared to the access control device 10 of the first embodiment, the access control device 10A of the second embodiment replaces the storage unit 11 with the storage unit 11A and the access source process integrity determination unit 17 with the access source process integrity determination. Instead of the unit 17A and the access control determination unit 19, an access control determination unit 19A is provided. Further, in the access control device 10A of the second embodiment, the incomplete process list management unit 18 is omitted as compared to the access control device 10 of the first embodiment.

  The access target file list L1A stored in the storage unit 11A of the access control apparatus 10A of the second embodiment omits the item “control flag” as compared to the access target file list L1 of the second embodiment. . The list group L2A stored in the storage unit 11A of the access control apparatus 10A according to the second embodiment omits the dependency process list L2-3 as compared with the list group L2 according to the first embodiment. In the second embodiment, the incomplete process list L3 is omitted in the storage unit 11A of the access control apparatus 10A. In other respects, the access control apparatus 10A of the second embodiment is the same as the access control apparatus 10 of the first embodiment.

  The access source process integrity determination unit 17A confirms the authenticity of “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1”. Then, the access source process completeness determination unit 17A determines that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1” is true. The determination result of “V2” is determined to be OK.

  On the other hand, if the access source process integrity determination unit 17A indicates that “the process ACL_L2-2 of the access target file F1 includes the execution file path of the access source process P1” is false, The determination result of “V2” is determined to be NG.

  In other words, in the second embodiment, when “access source process integrity V2” is determined, “the execution file path of the access source process P1 is not described in the incomplete process list L3” is not included in the determination condition. This is because the incomplete process list L3 referred to in the determination of “access source process integrity V2” in the first embodiment executes a file that does not have “file data integrity V1”. This is because the risk is present in the list, and in the second embodiment, this risk is not considered recursively propagating. In the second embodiment, by describing the dependency target file of the access source process in the access target file list L1, it is possible to block or record that the access source process having a risk of integrity is executed. In other words, in the file access where the dependency target file of the permitted process is the access destination file, it is determined whether the dependency target file has been tampered with, and depending on the result of the determination, this file access is blocked or recorded. It is possible to block or record the influence of falsification of the dependent file in the file access in which the process is the access source process. The file access in which the dependency process dependent file is the access destination file includes, for example, an operating system access to the execution file of the permission process and an access of the permission process itself to the setting file of the permission process.

  The access control determination unit 19A has both the determination result of “file data integrity V1” by the file data integrity determination unit 16 and the determination result of “access source process integrity V2” by the access source process integrity determination unit 17A. If it is not NG, the determination result of “access integrity V3” is determined to be OK. The access control determination unit 19A also determines the determination result of “file data integrity V1” by the file data integrity determination unit 16 and the determination result of “access source process integrity V2” by the access source process integrity determination unit 17A. When any of the above is NG, the determination result of “access integrity V3” is determined to be NG.

  Then, the access control determination unit 19A determines that “access control V4” is “permitted” when the determination result of “access integrity V3” is OK. Further, the access control determination unit 19A determines that “access control V4” is “blocked” when the determination result of “access integrity V3” is NG.

(File access control process of the second embodiment)
FIG. 11 is a flowchart illustrating an example of a file access control process according to the second embodiment. In FIG. 11, step S21 to step S23 are the same as those in the first embodiment. In step S24 ′ following step S23, the access source process integrity determination unit 17A determines whether the access file process ACL_L2-2 has a description of the execution file path of the access source process P1. To do. If “the process ACL_L2-2 of the access target file includes the description of the execution file path of the access source process P1” is true, the access source process integrity determination unit 17A sets “access source process integrity V2”. The determination result is determined to be OK. On the other hand, if the access source process integrity determination unit 17A indicates that the process ACL_L2-2 of the access target file includes the execution file path of the access source process P1, the access source process integrity determination unit 17A sets “access source process integrity V2”. Is determined to be NG (step S24 ′).

  Next, in step S26 ′, the access control determination unit 19A determines that “file data integrity V1” of the access target file F1 in step S23 and “access source process integrity V2” in step S24 ′ are not NG. At this time, the determination result of “access integrity V3” is determined to be OK. Further, the access control determination unit 19A sets “access integrity V3” when the determination result of “file data integrity V1” in step S23 and “access source process integrity V2” in step S24 ′ is NG. The determination result is determined as NG. Then, the access control determination unit 19A determines that “access control V4” is “permitted” when the determination result of “access integrity V3” is OK. Further, when the determination result of “access integrity V3” is NG, the access control determination unit 19A determines that “access control V4” is “blocking” (step S26 ′).

  Next, in step S27 ', the access detection / control unit 14 permits the file access that has been temporarily stopped by the file access detection when "access control V4" is "permitted". On the other hand, when the “access control V4” is “blocked”, the access detection / control unit 14 blocks the file access that has been temporarily stopped by the file access detection (step S27 ′). When step S27 'ends, the access control apparatus 10A ends the file access control process of the second embodiment.

  According to the second embodiment described above, access to a file lacking completeness and access from a program process that is not permitted to access without using the dependent process list L2-3 and the incomplete process list L3 Access from the program process to files on the file system is appropriate with a simple configuration and processing by judging that the access is inappropriate and blocking the access or leaving a record of execution of inappropriate access. It can be determined whether or not.

(Modification of Embodiment 2)
The access control apparatus 10A according to the second embodiment does not introduce the “control flag” and always operates in the “blocking mode” when the determination result of “access integrity V3” is NG. It may be operated in the “recording mode”.

(Device configuration of access control device)
Each component of the access control apparatuses 10 and 10A shown in FIGS. 4 and 9 is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution and integration of the functions of the access control devices 10 and 10A is not limited to that shown in the figure, and all or a part of them can be functionally functioned in arbitrary units according to various loads or usage conditions. It can be physically distributed or integrated. For example, the access detection / control unit 14 may be distributed between an access detection unit and an access control unit.

  In addition, among the processes described in the first and second embodiments, all or a part of the processes described as being automatically performed can be manually performed. Alternatively, all or part of the processes described as being manually performed among the processes described in the first and second embodiments can be automatically performed by a known method. In addition, the above-described and illustrated processing procedures, control procedures, specific names, and information including various data and parameters can be changed as appropriate unless otherwise specified.

(About the program)
FIG. 12 is a diagram illustrating an example of a computer in which an access control apparatus is realized by executing a program. The computer 1000 includes a memory 1010 and a CPU 1020, for example. The computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. In the computer 1000, these units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. The serial port interface 1050 is connected to a mouse 1051 and a keyboard 1052, for example. The video adapter 1060 is connected to the display 1061, for example.

  The hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, a program that defines each process of the access control apparatus 10 is stored in, for example, the hard disk drive 1031 as a program module 1093 in which a command to be executed by the computer 1000 is described. For example, a program module 1093 for executing information processing similar to the functional configuration in the access control apparatus 10 is stored in the hard disk drive 1031.

  The setting data used in the processing in the first and second embodiments is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1031 to the RAM 1012 as necessary, and executes them.

  Note that the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1031, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1041 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may be read by the CPU 1020 via the network interface 1070.

  Embodiments 1 and 2 described above are included in the invention disclosed in the claims and equivalents thereof, as long as they are included in the technology disclosed in the present application.

F file F1 access target file P1 access source process L1, L1A access target file list L2, L2A list group L2-1 file path L2-2 process ACL
L2-3 Dependent process list L3 Incomplete process list 10, 10A Access control device 11, 11A Storage unit 12 Control unit 13 Input / output unit 14 Access detection / control unit 15 Data acquisition unit 16 File data integrity determination unit 17, 17A Access Original process integrity determination unit 18 Incomplete process list management unit 19, 19A Access control determination unit 20 File management system 1000 Computer 1010 Memory 1030 Hard disk drive interface 1031 Hard disk drive 1040 Disk drive interface 1041 Disk drive 1050 Serial port interface 1051 Mouse 1052 Keyboard 1060 Video adapter 1061 Display 1070 Network interface 1080 Bus 1092 Application program 1093 program module 1094 program data

Claims (8)

A storage unit that stores identification information of an authorized process permitted to access a file for each file;
A detection unit for detecting access of the access source process to the file;
A file determination unit that determines whether the file has been tampered with based on the file data of the file;
A process determination unit that determines whether or not the identification information of the permitted process includes the identification information of the access source process in which access to the file is detected by the detection unit;
The file determination unit determines that the file to be accessed by the access source process has not been tampered with, and determines that the identification information of the access source process is included in the identification information of the permitted process In this case, it is determined that access of the access source process to the file is safe and it is determined that the file has been tampered with, or the identification information of the access source process is included in the identification information of the permitted process. An access control apparatus comprising: an access control determination unit that determines that the access by the access source process to the file is dangerous when it is determined that the file is not present. further,
The storage unit stores identification information of a dependency target file on which the access source process depends,
The access control apparatus according to claim 1, wherein the file determination unit determines whether or not a dependency target file on which the access source process depends has been falsified. further,
The storage unit stores identification information of a dependent process dependent on a file for each file, and identification information of an incomplete process in which the file determination unit determines that the file has been tampered with among the dependent processes Remember
The process determination unit determines whether the identification information of the access source process is included in the identification information of the incomplete process,
The access control determination unit determines that the file to be accessed by the access source process has not been tampered with by the file determination unit, and the identification information of the access source process is included in the identification information of the permitted process If it is determined that the access source process identification information is not included in the incomplete process identification information, the access source process access to the file is determined to be safe. Then, it is determined that the file has been tampered with, or it is determined that the identification information of the access source process is not included in the identification information of the permitted process, or the identification information of the access source process is If it is determined that it is included in the identification information of the incomplete process, the file Access control device according to claim 1 or 2, wherein the determining a risk of access of the access source process. further,
The detection unit temporarily stops access of an access source process that has detected access to an access destination file,
The access control determination unit cancels the access suspension of the access source process regarded as safe and blocks the access without releasing the access suspension of the access source process regarded as dangerous. The access control apparatus according to claim 1, further comprising a control unit. further,
The storage unit stores a control flag indicating one of a blocking mode and a recording mode in association with each identification information of the file,
The detection unit temporarily stops access of an access source process that has detected access to an access destination file,
When the access control determination unit determines that access of the access source process to the access destination file is the danger, the control flag corresponding to the identification information of the access destination file indicates the blocking mode. An access control unit that blocks the access without releasing the pause and releases the pause when the control flag indicates the recording mode. The access control apparatus according to item 1. further,
The access control device according to any one of claims 1 to 4, wherein a determination result by the file determination unit and the process determination unit is recorded. An access control method executed by an access control device,
A detection step for detecting access of the access source process to the file;
A file determination step for determining whether the file has been falsified based on the file data of the file;
The identification information of the access source process in which the access to the file is detected by the detection step is stored in the storage unit that stores the identification information of the permitted process permitted to access the file for each file. A process determination step for determining whether or not the identification information is included;
In the file determination step, it is determined that the file that the access source process is trying to access has not been falsified, and it is determined that the identification information of the access source process is included in the identification information of the permitted process In this case, it is determined that access of the access source process to the file is safe and it is determined that the file has been tampered with, or the identification information of the access source process is included in the identification information of the permitted process. An access control determination step for determining that the access by the access source process to the file is dangerous when it is determined that the file is not present.   The access control program for functioning a computer as an access control apparatus of any one of Claims 1-6.

Images