JP2021196987A - Information processing system and information processing method - Google Patents

Abstract

To make it possible to maintain a multiple system by quickly restoring a program before alteration without using the Internet when alteration of the program is detected when the operation of the multiple system is performed with a plurality of servers.SOLUTION: Each of servers 100 constituting a multiple system detects alteration of a program held by its own server 100, and when detecting alteration, transmits notification of alteration detection to one or more other servers 200. The altered program is overwritten and restored with a program before alteration, transmitted from another server 200. Furthermore, when receiving notification of alteration detection from another server 200, the server restarts the server 200 that transmitted the notification of alteration detection, and transmits the program before alteration to the restarted server 200.SELECTED DRAWING: Figure 1

Description

The present invention relates to an information processing system and an information processing method.

In recent years, in server operation in the field of control systems, a form of connecting and using the Internet and a control system has become widespread in order to utilize IoT (Internet of Things) and data outside the system.
However, by connecting the Internet to the control system, there is a risk that the server in the control system will be attacked maliciously and the program in the server will be tampered with. In addition, if the server is stopped due to falsification of the program, it becomes difficult to operate the control system, and the range of damage is large especially in the field of social infrastructure.

In the field of social infrastructure, we use a configuration called a multiplex system that can be operated as a control system even if some servers are stopped by operating multiple servers with the same configuration.
However, when the server is stopped, the control system is operated only by the remaining servers unless the stopped server is restarted, which makes it difficult to maintain the multiplex system.
Therefore, when a program is tampered with, it is necessary to promptly detect the tampering and then restore the tampered program to the program before tampering.

In Patent Document 1, as a method for detecting tampering with a program, the validity of the program is verified by extracting a specific value from the author's confidential information including the specific value and the specific value in the server and comparing them. The technology to be used is described.
Further, Patent Document 2 describes, as a method of restoring a program, a technique of detecting alteration of the program and then downloading the unaltered program from the Internet existing outside the server to the server and restoring the program.

Japanese Unexamined Patent Publication No. 2019-186848 Japanese Unexamined Patent Publication No. 2019-215754

Since Patent Document 1 does not disclose a method for restoring the program before falsification, the technique described in Patent Document 1 performs restoration to the program before falsification after detecting the falsified program. Can't.
Furthermore, if there is no way to restore the tampered program, it is necessary to cut off the connection between the server and the Internet and then manually install the tampered program on the server. Therefore, it takes time to restore the program, and it is difficult to quickly restore the control system.

Further, in the technique described in Patent Document 2, since the restoration of the program before the alteration and the alteration of the program performed through the Internet are performed by the same route, it may not be possible to reliably restore to a normal server.

Therefore, an object of the present invention is to provide an information processing system and an information processing method capable of promptly restoring to the program before the alteration and maintaining a multiplex system when the alteration of the program is detected without using the Internet.

In order to solve the above problems, for example, the configuration described in the claims is adopted.
The present application includes a plurality of means for solving the above problems. For example, a plurality of servers having the same program and a network in which a group of servers by a plurality of servers are connected to each other are used. An information processing system that each server has, and each server detects tampering with the program of its own server, and when tampering is detected, sends a notification of tampering detection to one or more other servers. The tampering detection processing unit, the program restoration processing unit that overwrites the tampered program detected by the program tampering detection processing unit with the pre-tampering program sent from another server, and the tampering detection notification from the other server. When this happens, the server that is the source of the tampering detection notification is restarted, and the restarted server is provided with a program transmission processing unit that transmits the program before tampering.

According to the present invention, when a program possessed by a specific server in a group of servers constituting a multiplex system is tampered with, the program before tampering can be restored by using the program before tampering possessed by another server. , It is possible only within the network to which the server group is connected. Therefore, the tampered program can be restored without going through the Internet.
Issues, configurations and effects other than those described above will be clarified by the following description of the embodiments.

It is a block diagram which shows the example of the system configuration by the example of one Embodiment of this invention. It is a figure which shows the data structure of the server state management table by the example of one Embodiment of this invention. It is a figure which shows the example of the data structure of the program information falsified by the example of one Embodiment of this invention. It is a figure which shows the example of the data structure of the communication data at the time of request / response by the example of one Embodiment of this invention. It is a flowchart of the program tampering detection processing by one Embodiment of this invention. It is a flowchart of the reception processing of the program tampering notification by one Embodiment of this invention. It is a flowchart of the program restoration processing by one Embodiment of this invention. It is a flowchart of the program transmission processing by one Embodiment of this invention.

Hereinafter, an example of an embodiment of the information processing system of the present invention (hereinafter referred to as this example) will be described with reference to the accompanying drawings.
The information processing system of this example is applied to a system having a significant social impact due to the shutdown of a server, for example, in the field of social infrastructure.
As an attack on the system, there is a case where a legitimate program file placed on a server in the system is overwritten by an unauthorized program file from outside the system via the Internet or the like.

Here, a legitimate program file is a program file that the system operator assumes to operate by design. An invalid program file is a program file placed on a server in the system from outside the system, which the system operator does not assume to operate by design.
When an attack occurs on the system from outside the system, the availability of the system is maintained by restoring the malicious program file to the legitimate program file only by the server in the system.

[System configuration]
FIG. 1 shows the configuration of the entire system of the information processing system of this example.
As shown in FIG. 1, the information processing system of this example includes a server 100 and a server 200, and a multiplex system is constructed by the plurality of servers 100 and 200. The multiplex system is a system in which system operation can be continued by other servers even if some of the servers having the same configuration cannot operate.

FIG. 1 shows the internal configuration of the server 100, and the internal configuration of the server 200 is omitted. The server 100 and the server 200 have the same configuration. Further, in the server 100 shown in FIG. 1, when a legitimate program file is rewritten into a legitimate program file, only the configuration necessary for restoring the legitimate program file to a legitimate one is shown. ..

The server 100 includes a memory 110, a recording medium 120, network interfaces (hereinafter referred to as network IFs) 130 and 140, and a control unit 150. The program stored (recorded) in the memory 110 or the recording medium 120 is read out and executed under the control of the control unit 150. Since the server 200 has the same configuration as the server 100, the following description of the server 100 also applies to the server 200.

The network IF 130 is for an internal LAN (Local Area Network), and the network IF 140 is for an external LAN.
The memory 110 includes a server state management table 111, and here, it is assumed that the program information 112 managed by the server state management table 111 is a program that has been tampered with for some reason. Further, the memory 110 stores the communication data 113 at the time of request / response.

Further, the memory 110 includes a program tampering detection processing unit 114, a tampering notification reception processing unit 115, a program restoration processing unit 116, and a program transmission processing unit 117 as processing units executed by the operation of the written program. To prepare for.

The recording medium 120 is a large-capacity data storage device composed of an SSD (Solid State Drive), an HDD (Hard Disk Drive), or the like.
A legitimate program file 125, a legitimate signature 126, and a decryption key 121 for carrying out system operation are recorded on the recording medium 120. The signature 126 is a hash value obtained by encrypting the attribute of the program file, which is given to the legitimate program file as an extended attribute.

The decryption key 121 is a file in which data for decrypting the attributes of the program file from a valid signature is stored.
Further, when a legitimate program file in the server 100 is overwritten by an invalid program file due to an attack on the system, a program file 122 having no signature or a program file 123 having an invalid signature 124 is included in the system. Will be placed in.

The server 100 is connected to another server from the network IF 130 by the internal LAN cable 131. Further, the server 100 is connected to the external device 300 from the network IF 140 by the external LAN 141. The external device 300 connects the server 100 to the Internet 400, which is outside the system.

[Example of table and information configuration]
FIG. 2 shows an example of the data structure of the server state management table 111.
The server status management table 111 manages the permission for restarting each server so that the program will not be restarted during the restoration. The server status management table 111 has the IP address 1111 of the server and the restart permission flag 1112 as data items. The IP address of the server in the system is registered in the IP address 1111 of the server. The restart permission flag 1112 is associated with the IP address of the server, and an OFF flag is registered when the server is restarted, and an ON flag is registered after the program is restored.

FIG. 3 shows an example of the data structure of the falsified program information 112.
The falsified program information 112 has data for notifying another server when a falsified program file is detected. The tampered program information 112 has the IP address 1121 of the tampered server, the program name 1122, the path 1123, and the identifier 1124 as data items.

The IP address of the server that detected the falsification of the program file is registered in the IP address 1121 of the falsified server. The file name of the falsified program file is registered in the program name 1122. The absolute path of the falsified program file is registered in the path 1123. An identifier indicating that the program has been tampered with is registered in the identifier 1124.

FIG. 4 shows an example of the data structure of the communication data 113 at the time of request / response.
The communication data 113 at the time of request / response has data for managing the restoration status of the program in which the server has been tampered with.
The communication data 113 at the time of request / response has a source IP address 1131 and an identifier 1132 as data items.
In the source IP address 1131, the IP address of the server that transmits the communication data at the time of request / response is registered.
In the identifier 1132, the restoration request, the response to the restoration request, the transmission request, and the transmission completion are registered as the program restoration status of each server.

[Processing from detection to restoration when program is tampered with]
FIG. 5 is a flowchart showing the flow of the program tampering detection processing performed by the program tampering detection processing unit 114.
First, the program tampering processing unit 114 periodically refers to the signature given to the program file in its own server (step S11). With this reference, the program tampering processing unit 114 confirms whether or not the signature does not exist (step S12).

When it is confirmed in step S12 that the signature exists (NO in step S12), the program tampering processing unit 114 refers to the unique information of the program file (step S13). Then, the program tampering processing unit 114 decrypts the signature with the decryption key 121 and extracts the unique information of the program file (step S14). After that, the program tampering processing unit 114 compares the unique information of the program file with the unique information of the program file extracted from the signature (step S15), and determines whether or not the unique information matches (step S16).
If it is determined in step S16 that the unique information matches (YES in step S16), the program tampering processing unit 114 returns to the reference of the signature given to the program file in step S11.

Further, when it is determined in step S16 that the unique information does not match (NO in step S16), and when it is confirmed in step S12 that the signature does not exist (YES in step S12), the program tampering processing unit 114 Sends the altered program information 112 to another server (step S17).
That is, the program tampering processing unit 114 uses the IP address 1121 of its own server, the tampered program name 1122, the tampered program path 1123, and the identifier 1124 as the tampered program information 112 to another server. Send to.
Then, the program tampering processing unit 114 sends the program information 112 tampered with in step S17 to another server, and then returns to the reference of the signature given to the program file in step S11.

FIG. 6 is a flowchart showing the flow of the program tampering detection processing performed by the program tampering detection processing unit 114.
First, the program tampering notification reception processing unit 115 turns on the restart permission flag 1112 of all the servers in the server status management table 111 at the first startup (step S21). Then, the reception processing unit 115 of the program falsification notification waits for the reception of the program information 112 that has been falsified periodically (step S22). After that, the reception processing unit 115 of the program falsification notification determines whether or not the newly falsified program information 112 has been received (step S23).

If the newly tampered program information 112 is not received in step S23 (NO in step S23), the reception processing unit 115 for the program tampering notification returns to waiting for reception of the tampered program information in step S22.
Further, when the newly tampered program information 112 is received in step S23 (YES in step S23), the program tampering detection processing unit 114 asks whether the identifier 1124 in the tampered program information 112 is the tampered program. It is determined whether or not (step S24).

In step S24, if the identifier 1124 in the falsified program information 112 is not a falsified program (NO in step S24), waiting for reception of the falsified program information by the reception processing unit 115 of the program falsification notification in step S22. Return to.
Further, in step S24, when the identifier 1124 in the tampered program information 112 is a tampered program (YES in step S24), the program tampering notification reception processing unit 115 refers to the restart permission flag 1112 (YES in step S24). Step S25).

In this step S25, the reception processing unit 115 of the program tampering notification has the IP address 1111 of the server in the server status management table 111 that matches the IP address 1121 of the tampered server of the received tampered program information 112. Refer to the restart permission flag 1112.

Next, the tampering notification reception processing unit 115 with reference to the restart permission flag 1112 determines whether or not the restart permission flag 1112 is ON (step S26). If it is determined in step S26 that the restart permission flag 1112 is ON (YES in step S26), the falsification notification reception processing unit 115 corresponds to the IP address of the falsified server of the falsified program information 112. Restart the server (step S27).

Then, the receiving processing unit 115 of the program tampering notification corresponds to the IP address of the tampered server of the tampered program information 112 in the server status management table 111 in order to prevent the server from being restarted again. The restart permission flag 1112 of the server to be restarted is turned off (step S28).
After that, the reception processing unit 115 of the program tampering notification transmits the server status management table 111 to another server in order to share the restart permission flag 1112 of the server (step S29). Then, after transmitting in step S29, the reception processing unit 115 of the program falsification notification returns to the reception waiting of the falsified program information 112 in step S22.

Further, even when the restart permission flag 1112 is OFF in step S26 (NO in step S26), the program tampering notification reception processing unit 115 returns to waiting for reception of the tampered program information 112 in step S22.

FIG. 7 is a flowchart showing the flow of the program restoration process performed by the program restoration processing unit 116.
The program restoration processing unit 116 executes the program restoration processing when the server is started. First, the program restoration processing unit 116 activates the network IF 130 for the internal LAN in order to communicate with another server (step S31). Then, the program restoration processing unit 116 transmits the restoration request of the source IP address 1131 and the identifier 1132 to another server as the communication data 113 at the time of request / response (step S32). After that, the program restoration processing unit 116 confirms the response to the restoration request of the source IP address 1131 and the identifier 1132 in the communication data 113 at the time of request / response from another server (step S33).

Here, the program restoration processing unit 116 determines whether or not there is a response (step S34). If it is determined in step S34 that there is no response (NO in step S34), the program restoration processing unit 116 returns to the confirmation of the response to the restoration request again in step S33.
If it is determined in step S34 that there is a response (YES in step S34), the program restoration processing unit 116 is linked to the response to the restoration request of the identifier 1132 in the communication data 113 at the time of the first received request / response. A transmission request of the source IP address 1131 and the identifier 1132 in the communication data 113 at the time of request / response of the own server is transmitted to the attached source IP address 1131 (step S35).
Then, the program restoration processing unit 116 confirms the completion of transmission of the identifier 1132 in the communication data 113 at the time of request / response in order to wait for the restoration of the legitimate program from another server after the transmission request (step S36).

After that, the program restoration processing unit 116 determines whether or not transmission is completed (step S37). If it is determined in step S37 that the transmission is not completed (NO in step S37), the program restoration processing unit 116 returns to the confirmation of the transmission completion again in step S36. Further, when it is determined in step S37 that the transmission completion has been received (YES in step S37), the program restoration processing unit 116 contains the altered program information 112 in order to confirm whether the received program file is a legitimate program file. Refer to the signature given to the program file overwritten on the path 1123 (step S38).

Further, the program restoration processing unit 116 confirms whether or not the signature does not exist (step S39).
When it is determined in step S39 that the signature exists (NO in step S39), the program restoration processing unit 116 refers to the unique information of the program file (step S40). Then, the program restoration processing unit 116 decodes the signature with the decryption key 121 and extracts the unique information of the program file (step S41). Further, the program restoration processing unit 116 compares the unique information of the program file with the unique information of the program file extracted from the signature (step S42). In the comparison in step S42, the program restoration processing unit 116 determines whether or not the unique information does not match (step S43).

When it is determined in step S43 that the unique information matches (NO in step S43), the program restoration processing unit 116 determines that the unique information matches the IP address 1111 of the local server in the server status management table 111, and the restart permission flag 1112. Is set to ON (step S44). Then, the program restoration processing unit 116 performs a process of restoring the own server to a legitimate program and notifying another server that the restart is possible.

That is, the program restoration processing unit 116 transmits the restart permission flag 1112 that matches the IP address 1111 of the local server in the server status management table 111 to another server (step S45). Further, the program restoration processing unit 116 enables the network IF140 for the external LAN in order to enable communication from outside the system (step S46).

Further, when it is determined in step S39 that the signature does not exist (YES in S39), and when it is determined in step S43 that the unique information of the program file and the unique information of the program file extracted from the signature do not match (in step S43). YES), the program restoration processing unit 116 shuts down its own server (step S47).

FIG. 8 is a flowchart showing the processing flow of the program transmission processing unit 117.
The program transmission processing unit 117 transmits a legitimate program when it receives a program restoration request from another server.

The program transmission processing unit 117 periodically confirms the receipt of the restoration request of the identifier 1132 in the communication data 113 at the time of request / response (step S51), and determines whether or not the restoration request has been received (step S52). .. If it is determined in step S52 that the restoration request has been received (YES in step S52), the program transmission processing unit 117 transmits a response to the restoration request (step S53). At this time, for the source IP address 1131 associated with the restoration request of the identifier 1132 in the received request / response communication data 113, the source IP address 1131 in the communication data 113 at the time of request / response of the own server. And the response to the restore request of identifier 1132.

If it is determined in step S52 that the restoration request is not received (NO in step S52), the program transmission processing unit 117 returns to step S51 and periodically again periodically again periodically requests and responds to the identifier 1132 in the communication data 113. Confirm receipt of the restore request.

After transmitting the response to the restoration request in step S53, the program transmission processing unit 117 confirms the reception of the transmission request of the identifier 1132 in the communication data 113 at the time of request / response (step S54), and receives the transmission request. Whether or not it is determined (step S55).
If it is determined in step S55 that the transmission request is not received (NO in step S55), the program transmission processing unit 117 returns to step S54 and again requests transmission of the identifier 1132 in the communication data 113 at the time of request / response. Confirm receipt of.

If it is determined in step S55 that the transmission request has been received (YES in step S55), the program transmission processing unit 117 has a valid program file of its own server corresponding to the path 1123 in the altered program information 112. Refer to the signature to confirm that it is a program file (step S56).
From the reference result of the signature in step S56, the program transmission processing unit 117 determines whether or not the signature does not exist (step S57).

When it is determined in step S57 that the signature exists (NO in step S57), the program transmission processing unit 117 refers to the unique information of the program file (step S58). Then, the program transmission processing unit 117 decrypts the signature with the decryption key 121 and extracts the unique information of the program file (step S59). Further, the program transmission processing unit 117 compares the unique information of the program file with the unique information of the program file extracted from the signature (step S60), and determines whether or not the unique information does not match (step S61).

When it is determined in step S61 that the unique information matches (NO in step S61), the program transmission processing unit 117 determines that the program corresponding to the path 1123 in the altered program information 117 is valid. It is transmitted to the server of the source IP address 1131 associated with the transmission request of the identifier 1132 in the communication data 113 at the time of request / response (step S62).

Further, in order to share the current server status with the altered server, the program transmission processing unit 117 associates the server status management table 111 with the transmission request of the identifier 1132 in the communication data 113 at the time of request / response. It is transmitted to the server with the IP address 1131 (step S63).
Further, the program transmission processing unit 117 transmits the transmission completion of the source IP address 1131 and the identifier 1132 as the communication data 113 at the time of request / response in association with the transmission request of the identifier 1132 in the communication data 113 at the time of request / response. It is transmitted to the server of the original IP address 1131 (step S64).

Further, when it is determined in step S57 that the signature does not exist (YES in step S57), and when it is determined in step S61 that the unique information of the program file and the unique information of the program file extracted from the signature do not match (step S61). YES), the program transmission processing unit 117 ends the processing.

As described above, according to the information processing system of this example, when the server 100 or the server 200 is attacked and the legitimate program file in each server 100 or 200 is overwritten by the invalid program file, it is automatically performed. It can be restored to a legally legitimate program. In the program restoration process of this example, when the server 100 or the server 200 is attacked by the system, it can be automatically restored without human intervention, and the system availability can be improved.

Further, in the information processing system of this example, the program can be restored only in the system by using the network IF130 for the internal LAN in the state where the network IF140 for the external LAN connected to the external device 300 is invalidated. Therefore, it is possible to prevent the server in the process of being restored from the outside via the Internet from being overwritten with an invalid program file again, and to reliably restore the program.

[Modification example]
The present invention is not limited to the above-described embodiments, but includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations.

For example, in the configuration diagram shown in FIG. 1, the signal lines and control lines show only those considered necessary for explanation, and do not necessarily show all the control lines and information lines in the product. In practice, it can be considered that almost all configurations are interconnected.

Further, in the configuration shown in FIG. 1, a multi-system system including two servers 100 and 200 is used, but a multi-system system including three or more servers may be used. When three or more servers are provided, if the program of any one server is tampered with, one of the other servers may send a legitimate program.

Further, in the server configuration shown in FIG. 1, the program tampering detection processing unit 114, the program tampering notification reception processing unit 115, the program restoration processing unit 116, and the program transmission processing unit 117 each execute a program in the memory 110. Changed to function as the corresponding processing unit. On the other hand, hardware that executes the function as each processing unit may be prepared.

100, 200 ... server, 300 ... external device, 400 ... Internet, 110 ... memory, 111 ... server status management table, 112 ... program information, 113 ... communication data at the time of request / response, 114 ... program tampering detection processing unit, 115 ... Program tampering notification reception processing unit, 116 ... Program restoration processing unit, 117 ... Program transmission processing unit, 120 ... Recording medium, 121 ... Decoding key, 122 ... Unsigned tampered program file, 123 ... Unauthorized signature The given tampered program file, 124 ... Illegal signature, 125 ... Legitimate program file, 126 ... Legitimate signature, 130 ... Internal LAN network interface (network IF), 140 ... External LAN network interface (network IF) , 150 ... Control unit

Claims (10)

An information processing system including a plurality of servers having the same program and a network for interconnecting a group of servers by the plurality of servers.
Each of the above servers
A program tampering detection processing unit that detects tampering with the program of its own server and sends a tampering detection notification to one or more other servers when tampering is detected.
A program restoration processing unit that overwrites the altered program detected by the program alteration detection processing unit with a program before alteration transmitted from another server, and a program restoration processing unit.
When the tampering detection notification is received from another server, the program transmission processing unit that restarts the server that sent the tampering detection notification and sends the program before tampering to the restarted server. Information processing system equipped with. The information processing system according to claim 1, wherein the program tampering detection processing unit detects a tampered program depending on the presence or absence of a signature given to the program. Further, the information according to claim 2, wherein the program restoration processing unit verifies whether or not the program before tampering received from one of the one or more servers has been tampered with by the presence or absence of a signature given to the program. Processing system. The information processing system according to claim 2, wherein the program transmission processing unit verifies the presence or absence of falsification of the program to be transmitted before falsification by the presence or absence of a signature given to the program. In addition, it is equipped with a tampered program storage unit that stores the IP address, program name, path, and communication identifier of the server whose program has been tampered with.
The information processing system according to claim 1, wherein when the program tampering detection processing unit detects a tampered program, the data of the tampered program storage unit is transmitted to one or more other servers. Further, it is provided with a server state storage unit that stores the IP addresses of the server in which the program has been tampered with and the IP addresses of the other one or more servers and the restart permission state.
After restarting the tampered server based on the data stored in the server state storage unit, restart the tampered server again until the program restoration processing unit completes the program restoration. The information processing system according to claim 1 to be prevented. Each of the plurality of the servers includes a communication data storage unit that stores the IP address of each server used for communication in the network and the identifier used for communication.
The information processing system according to claim 1, wherein each server communicates with another server in the network using the data stored in the communication data storage unit. The server in which the program has been tampered with performs a process of transmitting a restoration request for the tampered program to all of the other one or more servers.
The other one or more servers perform a process of transmitting a response to the restore request to the server on which the program has been tampered with in response to the restore request received from the server on which the program has been tampered with.
The server in which the program has been tampered with makes a transmission request to the IP address of the first received response in the response to the restore request.
The information processing system according to claim 1, wherein the server that has received the transmission request reports the completion of transmission after the transmission of the program transmitted based on the transmission request is completed. It has a network interface that connects the server group to an external device, and has a network interface.
The information processing system according to claim 1, wherein the network interface is activated after the program is restored to connect to the Internet. It is an information processing method applied to a network in which a group of servers consisting of multiple servers with the same program are interconnected.
Each server constituting the server group is
It detects tampering with the program of its own server, and when it detects tampering, it performs program tampering detection processing that sends a tampering detection notification to one or more other servers.
When the notification of falsification detection is received, the server that is the source of the notification of falsification detection is restarted, and a program transmission process for transmitting the program before falsification is performed to the restarted server.
An information processing method for performing a program restoration process of overwriting the tampered program detected by the program tampering detection process with a program before tampering transmitted from another server by the program transmission process.

Images