JP2021114156A - Information processing apparatus, processing method thereof, and program - Google Patents

Abstract

To notify an external device about alteration of a program when the alteration occurs.SOLUTION: An information processing apparatus includes: first start means which starts a first software module in response to start of a boot program; first verification means which verifies alteration of a program in a second software module when the first software module is started; and notification means which starts a communication module in the second software module when it is determined that at least one program in the second software module has been altered and the communication module in the second software module has not been altered, to notify an external device about the alteration.SELECTED DRAWING: Figure 6

Description

The present invention relates to an information processing device, a processing method and a program of the information processing device.

Attacks that exploit software by tampering with software vulnerabilities and exploiting computers have become a problem. As a countermeasure against such attacks, a method is known in which a program is signed and saved, and the presence or absence of tampering is detected by verifying the signature of the program each time it is started.

Patent Document 1 discloses a method in which a program is modularized so as to be partially exchangeable, and a process for verifying a signature for each module and a method for containing and storing key information necessary for verification are included in each module. Has been done. Patent Document 2 discloses a method of verifying whether the correct answer values of each program match at startup.

JP-A-2019-75000 Japanese Unexamined Patent Publication No. 2019-191698

If tampering is detected at startup, the operation of each program is stopped to prevent malicious operation. An error code or the like is displayed on the operation unit in order to notify the user that the alteration has been performed.

However, in this case, since the program does not operate, the user cannot recover it. Furthermore, since error notification to an external device such as a management server cannot be made, notification to an administrator or a service person cannot be made, and the initial response for recovery is delayed. Therefore, a long downtime occurs in which the user cannot use the information processing device.

An object of the present invention is to be able to notify an external device that the program has been tampered with when the program has been tampered with.

The information processing apparatus of the present invention has a first activation means for activating a first software module in response to activation of a boot program, and tampering with a program in the second software module when the first software module is activated. It is determined that the first verification means for verifying the above and at least one program in the second software module have been tampered with, and the communication module in the second software module has not been tampered with. In that case, it has a notification means for activating the communication module in the second software module and notifying the external device that the tampering has been performed.

According to the present invention, when the program has been tampered with, it is possible to notify the external device that the program has been tampered with.

It is a figure which shows the configuration example of an information processing system. It is a figure which shows the hardware configuration example of a multifunction device. It is a figure which shows the functional configuration example of a multifunction device. It is a figure which shows the correct answer value list. It is a figure which shows the operation at the time of starting a multifunction device. It is a flowchart which shows the processing method of a multifunction device.

Hereinafter, embodiments will be described with reference to the drawings. It should be noted that the following embodiments do not limit the present invention according to the claims, and not all combinations of features described in the present embodiments are essential to the means for solving the present invention. .. Further, as an information processing device according to the embodiment, a multifunction device (digital multifunction device / MFP / Multifunction Peripheral) will be described as an example. However, the scope of application is not limited to the multifunction device, and any information processing device may be used.

FIG. 1 is a diagram showing a configuration example of the information processing system 110 according to the present embodiment. The information processing system 110 includes a multifunction device 100, a computer 101, a management server 102, and a network 118.

The multifunction device 100 is connected to the computer 101 and the management server 102 via the network 118. The computer 101 can transmit print data to the multifunction device 100 and execute a firmware update of the multifunction device 100.

The management server 102 can manage the state of the multifunction device 100 by the notification from the multifunction device 100. The management server 102 manages the number of prints, the remaining amount of toner, and the like, and manages the error status, and when it is necessary to dispatch a serviceman, the management server 102 can send an e-mail notification to the serviceman.

FIG. 2 is a diagram showing a hardware configuration example of the multifunction device 100 according to the present embodiment. The multifunction device 100 is an example of an information processing device. The multifunction device 100 includes a CPU 201, a ROM (Read-Only Memory) 202, a RAM (Random Access Memory) 203, and an HDD (Hard Disk Drive) 204. Further, the multifunction device 100 includes a network I / F control unit 205, a scanner I / F control unit 206, a printer I / F control unit 207, a panel control unit 208, a scanner 211, a printer 212, an embedded controller 213, and a flash memory 214. And LED 217. The embedded controller 213 has a CPU 215 and a RAM 216.

The CPU 201 executes the program of the multifunction device 100 and controls the entire multifunction device 100 in an integrated manner. The ROM 202 is a read-only memory, and stores the BIOS (Basic Input / Output System), fixed parameters, and the like of the multifunction device 100. The RAM 203 is a random access memory, and stores programs and temporary data when the CPU 201 controls the multifunction device 100. The HDD 204 is a hard disk drive and stores some applications and various data. The flash memory 214 stores various software modules such as a loader, a kernel, and an application.

The CPU 215 of the embedded controller 213 executes the program of the embedded controller 213 and performs a part of control in the multifunction device 100. The RAM 216 is a random access memory, and stores programs and temporary data when the CPU 215 controls the multifunction device 100. The multifunction device 100 has a main controller that controls the embedded controller 213 in an integrated manner. The main controller includes at least CPU 201, ROM 202, and RAM 203.

The network I / F control unit 205 controls the transmission / reception of data to the network 118. The scanner I / F control unit 206 controls the scanning of the document by the scanner 211. The printer I / F control unit 207 controls printing processing and the like by the printer 212. The panel control unit 208 controls the touch panel type operation panel 210 to control the display of various information and the input of instructions from the user. The bus 209 connects the CPU 201, ROM 202, RAM 203, HDD 204, network I / F control unit 205, scanner I / F control unit 206, and printer I / F control unit 207 to each other. Further, the bus 209 also connects the panel control unit 208, the embedded controller 213, and the flash memory 214 to each other. A control signal from the CPU 201 and a data signal between each component are transmitted and received via the bus 209. The LED 217 lights up as needed and is used to notify the outside of a program or hardware abnormality.

FIG. 3 is a diagram showing a functional configuration example of the multifunction device 100 according to the present embodiment. The multifunction device 100 includes a boot program 309 in the embedded controller 213 as a software module. Further, the multifunction device 100 includes a BIOS 310, a loader 311, a kernel 312, an Intrud 313, a controller software 314, a UI control unit 303, and a communication management unit 307 as software modules.

The communication management unit 307 controls the network I / F control unit 205 connected to the network 118 to transmit / receive data to / from the outside via the network 118. The UI control unit 303 receives the input to the operation panel 210 via the panel control unit 208, and performs processing according to the input and display on the operation panel 210. The boot program 309 is a program that is executed by the CPU 215 of the embedded controller 213 when the power of the multifunction device 100 is turned on. include.

The BIOS 310 is a program executed by the CPU 201 after the boot program 309 is executed, and includes a loader tampering detection unit 302 that verifies tampering with the loader 311 in addition to executing a process related to booting. The loader 311 is a program executed by the CPU 201 after the processing of the BIOS 310 is completed, and has a kernel tampering detection unit 304 that verifies the tampering of the kernel 312 in addition to executing the processing related to booting.

The kernel 312 is a program executed by the CPU 201 after the processing of the loader 311 is completed, and has an Initial tamdisk detection unit 305 that verifies the tampering of the Initial 313 in addition to executing the processing related to startup. The Intrud 313 reads the controller software 314 from the flash memory 214 and executes a process of starting the controller software 314. The Initial 313 is internally composed of the control software as the Initial and the signature data for the control software. The startup verification unit 306 is included in the Intrud 313, and includes a process of verifying all the program files constituting the controller software 314 at startup, and a public key for the given signature. Here, the private key for all signature data is used only during software development and is not distributed to the general public.

The controller software 314 is a program executed by the CPU 201, and includes a plurality of programs that provide each function of the multifunction device 100. For example, the controller software 314 includes a program for controlling the scanner I / F control unit 206 and the printer I / F control unit 207, a start program, and the like. As one of the programs of the controller software 314, there is a management server communication unit 308 that communicates with the management server 102 that manages the state of the multifunction device 100. The management server communication unit 308 transmits and receives various data to and from the management server 102 via the communication management unit 307. For example, the management server communication unit 308 notifies the serial number of the multifunction device 100, the firmware version of the controller, the error code that has occurred, and the like. Further, the controller software 314 has a correct answer value list 315 for verification at startup, and is used by the verification unit 306 at startup for verification processing.

FIG. 4 is a diagram showing a list of correct answer values 315 for verification at startup. The correct answer value list 315 is a list of combinations of the file name 401 and the hash value 402 for all the program files included in the controller software 314. The program file contains an OS program and / or an application program that provides a function. The correct value list 315 is assumed to include at least a file name, a file location, and a value unique to the file, and the information is listed. For example, the correct answer list 315 uses the hash value 402.

5 (a) to 5 (d) are diagrams showing a procedure for starting the software module of the multifunction device 100. FIG. 5A shows the order in which the multifunction device 100 is started without detecting falsification. The boot program 309 boots the BIOS 310, the BIOS 310 boots the loader 311, the loader 311 boots the kernel 312, and the kernel 312 boots the boot program from within the Intrud 313. The controller software 314 is started in the start program to provide the functions of the multifunction device 100. In this way, startup control of each software module is performed in a predetermined order, and when the startup of the previous software module is completed, the startup process of the next software module is executed.

FIG. 5B shows the order in which the multifunction device 100 is started while detecting falsification. As shown in the figure, the boot program 309 is started while detecting tampering in the order of BIOS310, loader 311, kernel 312, Intrud 313, and controller software 314. The software module that was started immediately before detects tampering with the software module that is started. For example, the boot program 309 detects tampering with the BIOS 310.

FIG. 5B shows a storage location of each program, a digital signature (hereinafter referred to as a signature), and a storage location of a public key (verification information) for verifying the signature. In the following, the boot program 309 and the BIOS 310 are stored in the ROM 202, and the loader 311, the kernel 312, the Intrud 313, and the controller software 314 are stored in the flash memory 214.

The boot program 309 includes a public key 500 for verifying the signature of the BIOS. The BIOS 310 includes a BIOS signature 502 and a public key 503 for loader verification. The loader 311 includes a loader signature 504 and a public key 505 for kernel verification. Kernel 312 includes a kernel signature 506 and a public key 507 for Initial verification. The Initial 313 includes an Initial 509 signature. It is desirable that these public keys and signatures be given to the software module (program) in advance before the multifunction device 100 is shipped from the factory. The BIOS tampering detection unit 301, the loader tampering detection unit 302, the kernel tampering detection unit 304, and the Initial tamdisk detection unit 305 verify the tampering of each software module to be started next, and if there is no problem, start the next software module. do.

FIG. 5C shows a verification procedure of the controller software 314. The startup verification unit 306 of the Intrud 313 verifies the controller software 314. The controller software 314 is composed of a plurality of software, and the management server communication unit 308, which is a communication module for communicating with the management server 102, is one of them.

The startup verification unit 306 calculates the hash value of each software and compares it with the hash value 402 described in the correct answer value list 315 included in the controller software 314. If the comparison results match, the startup verification unit 306 determines that the software has not been tampered with, and verifies the next software. When the verification of all the software is normally completed, the startup verification unit 306 determines that the controller software 314 has not been tampered with, and ends the verification. When the verification is completed, the Intrud 313 starts each software. The startup order of the management server communication unit 308, which is a communication module, is not limited.

FIG. 5D shows a procedure when the verification of the controller software 314 fails. The startup verification unit 306 verifies each software in order, and if tampered software is found, the verification process is interrupted as a verification failure. The startup verification unit 306 starts only the management server communication unit 308, which is a communication module, in order to notify the management server 102. The startup verification unit 306 calculates the hash value of the management server communication unit 308, and confirms whether or not it is equal to the hash value 402 shown in the correct answer value list 315. If the verification is successful, the startup verification unit 306 starts and executes only the management server communication unit 308. Although the communication module has been described as one software, it may be composed of a plurality of software. In that case, the start-up verification unit 306 starts up only when the verification of all the communication modules is successful.

FIG. 6 is a flowchart showing a processing method at the time of starting the multifunction device 100 according to the present embodiment. When the power of the multifunction device 100 is turned on, the boot program 309 is read from the ROM 202 into the RAM 216, and the CPU 215 starts the boot program 309.

In step S601, the BIOS tampering detection unit 301 included in the boot program 309 functions as a verification unit, verifies the signature 502 of the BIOS, and determines whether or not it has succeeded. Specifically, the BIOS tampering detection unit 301 reads the BIOS 310 from the flash memory 214, the public key 503 for loader verification, and the signature 502 of the BIOS into the RAM 216. Further, the BIOS tampering detection unit 301 verifies the signature 502 of the BIOS using the public key 500 for the BIOS verification, and determines whether or not it has succeeded. If the BIOS tampering detection unit 301 fails to verify the signature 502, it determines that the BIOS 310 has been tampered with, and proceeds to step S603. On the other hand, if the BIOS tampering detection unit 301 succeeds in verifying the signature 502, it determines that the BIOS 310 has not been tampered with, energizes the CPU 201, ends the boot program process, and proceeds to step S602.

In step S603, the BIOS tampering detection unit 301 turns on the LED 217 and ends the process of FIG.

In step S602, the CPU 201 functions as an activation unit, reads the BIOS 310 from the flash memory 214 and the public key 503 for loader verification into the RAM 203, and activates the BIOS 310. When the BIOS 310 is started, the CPU 201 proceeds to step S604.

In step S604, the CPU 201 executes various initialization processes by the BIOS 310. The loader tampering detection unit 302 included in the BIOS 310 reads the loader 311 from the flash memory 214, the public key 505 for kernel verification, and the loader signature 504 into the RAM 203. Further, the loader tampering detection unit 302 functions as a verification unit, verifies the loader signature 504 using the loader verification public key 505, and determines whether or not the loader signature 504 is successful. If the loader tampering detection unit 302 fails to verify the loader signature 504, it determines that the loader 311 has been tampered with, and proceeds to step S615. On the other hand, if the loader tampering detection unit 304 succeeds in verifying the loader signature 504, it determines that the loader 311 has not been tampered with, and proceeds to step S605.

In step S615, the loader tampering detection unit 302 controls to display an error message on the operation panel 210, and ends the process of FIG.

In step S605, the CPU 201 functions as a startup unit, and the BIOS 310 starts the loader 311 read into the RAM 203. When the loader 311 is started, the CPU 201 proceeds to step S606.

In step S606, the CPU 201 executes various initialization processes by the loader 311. The kernel tampering detection unit 304 included in the loader 311 reads the kernel 312, the public key 507 for verifying the Native program, and the kernel signature 506 from the flash memory 214 into the RAM 203. The kernel tampering detection unit 304 functions as a verification unit, verifies the kernel signature 506 using the public key 505 for kernel verification, and determines whether or not it has succeeded. If the kernel tampering detection unit 304 fails to verify the kernel signature 506, it determines that the kernel 312 has been tampered with, proceeds to step S615, displays an error message on the operation panel 210, and performs the process of FIG. To finish. On the other hand, if the kernel tampering detection unit 304 succeeds in verifying the kernel signature 506, it determines that the kernel 312 has not been tampered with, and proceeds to step S607.

In step S607, the CPU 201 functions as a boot unit, and the loader 311 boots the kernel 312 loaded in the RAM 203. When the kernel 312 is started, the CPU 201 proceeds to step S608.

In step S608, the CPU 201 executes various initialization processes by the kernel 312. The Initial ramdisk tampering detection unit 305 included in the kernel 312 reads the Initial 313 and the Initial 509 signature 509 from the flash memory 214 into the RAM 203. The Initial tamdisk detection unit 305 functions as a verification unit, verifies the signature 509 of the Initial 313 using the public key 507 for the Initial verification, and determines whether or not it has succeeded. If the Initial tamdisk detection unit 305 fails to verify the signature 509 of the Initial 313, it determines that the Initial 313 has been tampered with, proceeds to step S615, displays an error message on the operation panel 210, and performs the process of FIG. finish. On the other hand, if the Initial tamdisk detection unit 305 succeeds in verifying the signature 509 of the Initial 313, it determines that the Initial 313 has not been tampered with, and proceeds to step S609.

In step S609, the CPU 201 functions as a boot unit, and the kernel 312 boots the Intrud 313. When the startup verification unit 306 included in the Intrud 313 is activated, the startup verification unit 306 proceeds to step S610.

In step S610, the startup verification unit 306 reads the startup verification correct answer value list 315 stored in the flash memory 214, and the hash value 402 of all the programs included in the controller software 314 described in the correct answer value list 315. To get. Then, the startup verification unit 306 calculates the hash values of all the programs in the controller software 314 stored in the flash memory 214. The startup verification unit 306 functions as a verification unit, and verifies the tampering of all the programs in the controller software 314 by comparing the calculated hash value with the hash value 402 in the correct answer value list 315. When the startup verification unit 306 fails to verify at least one program in the controller software 314 as a result of comparison and determines that at least one program in the controller software 314 has been tampered with. , Step S612. On the other hand, when the startup verification unit 306 succeeds in verifying all the programs in the controller software 314 as a result of comparison and determines that all the programs in the controller software 314 have not been tampered with, the process proceeds to step S611. move on.

In step S611, the start-up verification unit 306 functions as a start-up unit because the controller software 314 is divided into a plurality of program files, and sequentially starts the programs in the controller software 314 necessary for starting the multifunction device 100. .. When the startup is completed, the startup verification unit 306 ends the process shown in FIG.

In step S612, the startup verification unit 306 functions as a display control unit, controls the operation panel 210 to display an error message, and proceeds to step S613.

In step S613, the startup verification unit 306 functions as a verification unit to start the management server communication unit 308 in the controller software 314, and verifies the falsification of the management server communication unit (communication module) 308 in the controller software 314. I do. The startup verification unit 306 calculates the hash value of the management server communication unit 308 stored in the flash memory 214, and compares the calculated hash value with the hash value 402 in the correct answer value list 315 for startup verification. .. When the startup verification unit 306 determines that the management server communication unit 308 has not been tampered with as a result of comparison, the process proceeds to step S614 and determines that the management server communication unit 308 has been tampered with. In that case, the process of FIG. 6 is terminated.

In step S614, the startup verification unit 306 activates the management server communication unit 308 and proceeds to step S616. The program of the controller software 314 started in step S614 may be a single program or a plurality of linked programs.

In step S616, the management server communication unit 308 notifies the management server 102 via the network 118 that the program in the controller software 314 has been tampered with, together with the serial number and error code of the multifunction device 100. At this time, the management server communication unit 308 functions as a notification unit. The serial number of the multifunction device 100 may be an identifier of the multifunction device 100. The management server 102 is an external device. The communication destination of the management server 102 may be hard-coded in the management server communication unit 308 of the multifunction device 100 in advance, or it may be used as a mechanism that can be set from the user mode, service mode, etc. of the multifunction device 100. good. After notifying the management server 102, the multifunction device 100 stops while displaying an error message on the operation panel 210 in step S612.

As described above, when the multifunction device 100 is detected to be tampered with at the time of startup, the multifunction device 100 can be restored at an early stage by notifying the management server 102 that the tampering has been performed. Become.

The multifunction device 100 is not limited to the above embodiment, and can be modified in various ways. In the above embodiment, it has been described that some public keys are different, but the same ones may be used. Further, although it has been described that the storage location of each program includes the ROM 202, the flash memory 214, and the HDD 204, the storage location is not limited, and another storage medium may be used. Further, the storage location of the program does not have to be in the location described, and for example, the loader 311 may be stored on the ROM 202.

(Other embodiments)
The present invention supplies a program that realizes one or more functions of the above-described embodiment to a system or device via a network or storage medium, and one or more processors in the computer of the system or device reads and executes the program. It can also be realized by the processing to be performed. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

It should be noted that all of the above embodiments merely show examples of embodiment in carrying out the present invention, and the technical scope of the present invention should not be construed in a limited manner by these. That is, the present invention can be implemented in various forms without departing from the technical idea or its main features.

100 compound machine, 213 embedded controller, 301 BIOS tampering detection unit, 302 loader tampering detection unit, 304 kernel tampering detection unit, 305 Initial tamdisk detection unit, 306 startup verification unit, 308 management server communication unit, 309 boot program, 310 BIOS 311 loader, 312 kernel, 313 Initial, 314 controller software, 315 list of correct values for boot verification

Claims (12)

The first boot means for booting the first software module in response to the boot program boot,
When the first software module is started, the first verification means for verifying the tampering of the program in the second software module and the first verification means.
When it is determined that at least one program in the second software module has been tampered with and the communication module in the second software module has not been tampered with, the second software module An information processing device characterized by having a notification means for activating a communication module inside and notifying an external device that tampering has been performed. When it is determined that the program in the second software module has not been tampered with, the claim is characterized by further having a second starting means for starting the program in the second software module. Item 1. The information processing apparatus according to item 1. When it is determined that at least one program in the second software module has been tampered with, a second verification means for verifying tampering with the communication module in the second software module is provided. The information processing apparatus according to claim 1 or 2, further comprising. The claim is characterized in that it further has a display control means for controlling to display an error message when it is determined that at least one program in the second software module has been tampered with. The information processing apparatus according to any one of 1 to 3. The information processing device according to any one of claims 1 to 4, wherein the notification means notifies the external device that the falsification has been performed together with the identifier of the information processing device. The information according to any one of claims 1 to 5, wherein the notification means notifies the external device that the falsification has been performed together with the identifier and the error code of the information processing device. Processing equipment. A third boot means that boots the third software module in response to the boot program boot,
When the third software module is started, it further has a third verification means for verifying tampering with the first software module.
Any of claims 1 to 6, wherein the first activation means activates the first software module when it is determined that the first software module has not been tampered with. The information processing apparatus according to item 1. The information processing apparatus according to claim 7, wherein the third verification means verifies the signature of the first software module by using the first public key. Claims 1 to 8 are characterized in that the first verification means calculates a hash value of a program in the second software module and compares the calculated hash value with a stored hash value. The information processing apparatus according to any one of the above items. The third verification means is characterized in that the hash value of the communication module in the second software module is calculated and the calculated hash value is compared with the stored hash value. The information processing device described. The first boot step, which boots the first software module in response to the boot program boot,
When the first software module is started, the first verification step of verifying the tampering of the program in the second software module and
When it is determined that at least one program in the second software module has been tampered with and the communication module in the second software module has not been tampered with, the second software module A processing method of an information processing device, which comprises a notification step of activating a communication module in the device and notifying an external device of the fact that tampering has been performed. A program for causing a computer to function as each means of the information processing apparatus according to any one of claims 1 to 10.

Images