JP4363214B2 - Access policy generation system, access policy generation method, and access policy generation program - Google Patents

Description

  The present invention relates to an access policy generation system that generates an access policy used for policy enforcement, and in particular, an access policy generation system that collects operations based on a program that is a policy enforcement target and generates an access policy from the collected operations, The present invention relates to an access policy generation method and an access policy generation program.

  Conventionally, various policy enforcement systems called secure OS, access control middleware, sandbox, unauthorized intrusion detection system, unauthorized intrusion prevention system have been used to prevent unauthorized use of resources in processing based on control programs. Yes.

  A conventional policy enforcement system uses a specific resource (for example, a file) in a process based on a control program subject to policy enforcement in accordance with a given resource usage requirement (hereinafter referred to as “access policy” or simply “policy”). A function of restricting operation (hereinafter referred to as “access”) of a system, a communication device, and the like.

  FIG. 20 is a block diagram showing a general configuration of the policy enforcement system. This policy enforcement system 500 is configured by a computer (specifically, for example, a central processing unit, a processor, and a data processing unit) that operates under program control, and includes an access auditing unit 502, a resource 503, and a policy storage unit 504. Including.

  The access auditing unit 502 monitors the access to the resource 503 of the computer system 500 that operates according to the program 501 that is subject to policy enforcement, and accesses the resource 503 according to the contents of the policy stored in the policy storage unit 504. Judgment is made.

  Then, the access auditing means 502 allows the access to the resource 503 as it is when the access is permitted, and interrupts the access to the resource 503 when the access is not permitted.

  There are two types of access policies, “permitted policy” and “prohibited policy”. There are three access policy designation methods: a method of designating only “permitted policy”, a method of designating only “prohibited policy”, and a method of designating both.

  In the method of specifying only the permission policy, only the access permitted by the user is described. In this case, access that matches the permission policy is permitted, and other access is prohibited.

  In the method of designating only the prohibited policy, only the prohibited access is described by the user. In this case, access that matches the prohibited policy is prohibited, and other access is permitted.

  In the method of designating both the permitted policy and the prohibited policy, a “meta-policy” that defines processing when the permitted policy and the prohibited policy conflict with each other is separately described by the user.

  In the policy enforcement system 500 as described above, by setting the access policy correctly, damages such as unauthorized access, cracking, virus, and worm are suppressed.

  Specifically, if the prohibition policy “WWW (World Wide Web) server cannot rewrite WWW content” is set, even if an arbitrary code is executed by attacking the vulnerability of WWW server, WWW content Web falsification due to rewriting can be prevented.

  Similarly, for example, if a permission policy that “the WWW server writes only temporary files” is set, even if an arbitrary code is executed by attacking the vulnerability of the WWW server, Web tampering based on writing WWW content Can be prevented.

  However, in the policy enforcement system 500 as described above, it is necessary to manually describe the access policy. The description of the access policy by the user is not only troublesome and time consuming but also prone to errors.

  Therefore, conventionally, a method for automatically generating a permission policy by observing an actual operation of a program has been proposed (for example, see Patent Document 1).

  FIG. 21 is a block diagram showing an example of a conventional access policy generation system 600 described in Patent Document 1. In FIG.

  Access to the resource 503 in the process based on the target program 501 is monitored by the access auditing unit 502. At the time of this monitoring, the contents of access are sent to the policy generation means 505. The policy generation unit 505 adds the access contents to the access policy stored in the policy storage unit 504 as a permitted policy. In this way, an access policy is automatically generated. Such a technique is referred to as “conventional technique 1”.

  Further, not only file input / output but also an access policy generation system that generates resource access via an OS (Operating System), that is, a system call policy has been proposed (for example, see Non-Patent Document 1).

This access policy generation system has a function of not only adding the access destination to the policy as it is, but also manually editing it after adding the access destination. Such a technique is referred to as “conventional technique 2”.

Japanese Patent Laying-Open No. 2003-6027 (FIG. 1) Niels Provos, "CITI Technical Report 02-3 Improving Host Security with System Call Policies", [online], [Search February 13, 2004], Internet <URL: http: // citeseer. nj.nec.com/provos02improving.html>

  The conventional access policy generation technology described above cannot collect all accesses to resources based on the program, so the generated policy is lost, and as a result, despite the normal operation of the program. There is a problem that it may be determined as an illegal operation.

  The reason is that the program access observed during a certain period is used as a policy as it is. In general, since the operations of a program are diverse, it is difficult to enumerate all the operations that can be accessed by the program only by the access observed during a certain period.

  For example, in many server programs, a temporary file (temporary file) is created and information is temporarily stored. The temporary file name is a fixed file name with a random number added. Is often used.

  Therefore, the creation operation of the temporary file is observed for a certain period, access to each file "/ tmp / tmp03123", "/ tmp / tmp04145", "/ tmp / tmp04231" is observed, and this is set as a permission policy in the policy. Even if it is added, for example, since the operation for creating the file “/ tmp / tmp05134” is not included as a permission policy, it is detected as a policy violation operation.

  In the prior art 2 described above, a post-processing step by the user is provided in order to cope with this problem. Specifically, in the post-processing step, the creation of the file “/ tmp / tmp *” (“*” represents an arbitrary character string) is added as a permission policy to solve the above problem. .

  In other words, not only the three files “/ tmp / tmp03123”, “/ tmp / tmp04145”, “/ tmp / tmp04231”, but also the creation of all files starting with “tmp” under the directory “/ tmp” Generalization of the rules (generalizing the rules so as to cover a wider range) makes it possible to deal with the missing access collection based on the program. However, since the user has to perform post-processing to generalize the rules, there is a new problem that the user is forced to perform troublesome post-processing that consumes time and labor.

  An object of the present invention is to solve the above-described problems and generate an access policy by automatically generalizing access collected by operating a program without performing cumbersome post-processing. And

The access policy generation system according to the present invention generates an access policy for enforcing policy based on a permission policy indicating a permission rule for access to resources (for example, access policy generation systems 100, 100a, 200). The access detection unit (for example, the access audit unit 102 and the system call inspection unit 202) and the access detection unit detect the access to the resource based on the target program to be audited when the policy is enforced. Access information acquisition means (for example, access audit means 102, system call inspection means 202) for acquiring access information indicating the content of access (for example, access information shown in FIG. 3), and execution of the target program when access occurs The target pro A state observing means (for example, the state observing means 108, stack checking means 208) for observing the internal state of the ram processing and adding the observation result of the internal state to the access information (for example, step S105), and the added observation result A correlation value indicating a correlation between a plurality of accesses is calculated on the basis, and when the calculated correlation value is higher than a predetermined reference value, a non-common part in the plurality of access information acquired by the access information acquisition unit Generalization means (for example, generalization means 107 and 207) for generating access information generalized in part or all and generalized to a general-purpose format, and access information generalized by the generalization means And a policy generation means (for example, policy generation means 205) for generating an access policy.

  As described above, the access information indicating the content of the detected access is generalized, and the access policy is generated based on the generalized access information. Therefore, the access policy is automatically generated without performing troublesome processing. be able to.

  As described above, the access information indicating the content of the detected access is generalized in consideration of the processing state when the access occurs, so that it is possible to generate an access policy with high accuracy with few omissions. .

  The state observing means includes, for example, a stack checking means (for example, a stack checking means 208) that acquires call stack information including a procedure that has started access by checking a call stack in which a procedure call history is stored. The stack checking means adds the call stack information to the access information indicating the contents of the corresponding access as an observation result (for example, as shown in FIG. 12), and the generalizing means adds the call stack A plurality of pieces of access information whose correlation values calculated based on the information are higher than a reference value are generalized to generate generalized access information.

  The generalization unit includes, for example, a correlation value calculation unit that calculates a correlation value indicating a correlation between a plurality of pieces of access information, a categorization unit that classifies access information based on the correlation value calculated by the correlation value calculation unit, and a categorization unit And a common means for generalizing a plurality of pieces of access information classified by the means into common access information.

  The access information includes, for example, the type of access detected by the access detection unit and the access target, and the generalization unit generalizes the access target in a plurality of pieces of access information having the same access type. The access information is generated.

The access policy generation method of the present invention is an access policy generation method for generating an access policy for policy enforcement based on a permission policy indicating a permission rule for access to a resource, wherein the access detection means includes a policy. When access is made, the access to the resource based on the target program to be audited is detected (for example, step S101), and the access information acquisition unit acquires the access information indicating the content of the detected access (for example, step S101). When access occurs, the state observing means observes the internal state of the processing of the target program that occurs upon execution of the target program (for example, step S105), and the state observing means adds the observation result of the internal state to the access information. (For example, step S105), the generalization means also adds to the added observation result. Calculating a correlation value indicating the correlation between a plurality of access Zui, generalization means is higher than the calculated reference value correlation value predetermined with a plurality of access information acquired by the access information acquiring means Generalize a part or all of the non-common part in to generate access information generalized into a general-purpose format (for example, step S103), and the policy generation means accesses based on the generalized access information A policy is generated (for example, step S104).

  As described above, the access information indicating the content of the detected access is generalized, and the access policy is generated based on the generalized access information. Therefore, the access policy is automatically generated without performing troublesome processing. be able to.

  As described above, the access information indicating the content of the detected access is generalized in consideration of the processing state when the access occurs, so that it is possible to generate an access policy with high accuracy with few omissions. .

Furthermore, an access policy generation program of the present invention is an access policy generation program for generating an access policy for enforcing policy based on a permission policy indicating a permission rule for access to a resource. For example, in the access policy generation system 100, 100a, 200), a step (for example, step S101) of detecting access to a resource based on a target program to be audited when policy is enforced, and an access indicating the content of the detected access A step of acquiring information (for example, step S101), a step of observing the internal state of the processing of the target program that occurs when the target program is executed (for example, step S105), and an access to the observation result of the internal state Append to information Steps (e.g., step S105), when calculating a correlation value indicating the correlation between a plurality of access based on the added observations, the calculated correlation value is higher than the predetermined reference value, obtaining Generalizing part or all of the non-common parts in the plurality of access information generated to generate access information generalized into a general-purpose format (for example, step S103), and generalized access information A step of generating an access policy on the basis (for example, step S104) is executed.

  As described above, the computer is configured to generalize the access information indicating the content of the detected access and execute the process of generating the access policy based on the generalized access information. Thus, an access policy can be generated.

  As described above, the computer is configured to execute the process of generalizing the access information indicating the content of the detected access in consideration of the processing state when the access occurs, so there is little missing and high-precision access A policy can be generated.

  According to the present invention, since the access information indicating the content of the detected access is generalized and the access policy is generated based on the generalized access information, the access policy can be automatically updated without performing troublesome processing. Can be generated.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
Embodiment 1 FIG.
FIG. 1 is a block diagram illustrating an example of a configuration of an access policy generation system 100 according to the first embodiment of this invention.

  The access policy generation system 100 is configured by a computer (central processing unit, processor, data processing unit) that operates under program control. The access policy generation system 100 is connected to an input device 110 for inputting various information. Note that the input device 110 may be included in the system 100.

  As shown in FIG. 1, the access policy generation system 100 includes a target program 101, an access audit unit 102, a resource 103, a policy storage unit 104, a policy generation unit 105, an access storage unit 106, and a generalization unit. 107.

  The target program 101 is a program operating on the system 100 and means a program to be subjected to access audit.

  The access auditing unit 102 operates in one of the “audit mode” and “rule generation mode”. The setting of either “audit mode” or “rule generation mode” is performed by user input from the input device 110.

  In the “audit mode”, the access audit unit 102 monitors access to the resource 103 based on the target program 101 and enforces policy based on the access policy stored in the policy storage unit 104.

  “Policy enforcement” means a process of determining whether to permit or prohibit access based on a set access policy, accepting access determined to be permitted, and rejecting access determined to be prohibited.

  In the “rule generation mode”, the access audit unit 102 monitors the access to the resource 103 based on the target program 101, but does not enforce policy, and stores the content of the detected access in the access storage unit 106. Do.

  The resource 103 means a system resource managed on a base program (for example, an operating system) on which the target program 101 operates. Specifically, file systems and communication devices are applicable.

  Note that “access” is an instruction to the base program based on the target program 101 and means an operation instruction for operating the system resource 103. Further, “access” may be used to mean operation of the system resource 103.

  For example, when the base program is an OS, a system call for performing file reading, file writing, data transmission to the communication network, data reception from the communication network, and the like is “access”.

  It should be noted that “access” may include other system calls for executing processes and securing heap memory.

  Also, for example, when the base program is a Java (registered trademark) VM (Java Virtual Machine), API (Application Programming Interface) calls for Java VM such as object creation and method call of other objects are “access”. .

  The policy storage unit 104 is a storage device that stores the permitted policy generated by the policy generation unit 105.

  The access storage unit 106 is a storage device that temporarily stores access information based on the access detected by the access audit unit 102. The access information is information including an access type and an access target.

  Policy storage unit 104 and access storage unit 106 may be an external storage device such as a hard disk or a main memory mounted in system 100.

  The generalization unit 107 performs a process of generalizing the access information temporarily stored in the access storage unit 106. The generalization process is performed, for example, by generalizing a parameter (access target) included in the access information.

  The policy generation unit 105 converts the parameter generalized by the generalization unit 107 into an access policy and stores it in the policy storage unit 104.

  When the system 100 is operating in the “audit mode”, no policy generation operation is performed, and no access information is output from the access auditing unit 102 to the access storage unit 106. For this reason, in the “audit mode”, the generalization unit 107 and the policy generation unit 105 perform no operation.

Next, the operation of the access policy generation system 100 of this example will be described.
Here, the operation of the access policy generation system 100 when the rule generation mode is set will be described in detail.

  FIG. 2 is a flowchart showing an example of access policy generation processing executed by the access policy generation system 100 when the rule generation mode is set.

  In the access policy generation process, the access audit unit 102 monitors the presence / absence of access based on the target program, and accesses and stores the access information including the access type and the access target every time the access based on the target program 101 occurs. The data is stored in the unit 106 (step S101).

  Access monitoring is continuously executed until a monitoring end condition described later is satisfied. When an access occurs during monitoring, the process of step S101 is executed.

  The monitoring end condition includes, for example, that the processing based on the target program 101 has ended, that the end of the rule generation mode has been designated by the input device 110, that a predetermined period has passed, and that a predetermined number of access information is stored in the access storage unit 106. It is assumed that it is stored in advance, or any combination thereof.

  FIG. 3 is an explanatory diagram illustrating an example of access information stored in the access storage unit 106. In this example, as shown in FIG. 3, the access information including the access type and the access target is stored in a table format.

  The “access type (access name)” is information indicating the contents of access to the resource 103 based on the target program 101 such as file creation (“create”) and file read (“read”).

  “Access target” is information indicating a resource 103 such as a file that is an operation target by access based on the target program 101.

  Specifically, the access information shown in the first line of FIG. 3 means that a file named “/ tmp / tmp03123” has been created. The access information shown in the second line of FIG. 3 means that a file named “/ etc / hosts” has been read.

  When the monitoring termination condition is satisfied (Y in step S102), the access monitoring by the access auditing unit 102 is terminated, and the process proceeds to the generalization process (step S103).

  In the generalization process (step S103), the generalization unit 107 refers to the table (see FIG. 3) stored in the access storage unit 106, and determines each access information from the access name and access target of each access information. A pattern common to each access target corresponding to the same access name is extracted, and the access target is generalized.

  Note that “generalization” refers to conversion of certain data so that it can be used for general purposes. In this example, “generalization” is performed by generalizing non-common parts of data having common parts.

  Various methods can be considered as a generalization method by the generalization process (step S103). Hereinafter, an example of the generalization method will be described by taking the access information shown in FIG. 3 in which the access target is specified by the file name as an example.

  For example, in the generalization process, among the files that are the access targets of the access information shown in FIG. 3, generalization may be performed by generalizing non-common parts of files included in the same directory.

In this case, as shown in FIG. 4, four files included in the same directory “tmp” among the access targets corresponding to the same access name “create” are generalized as “/ tmp / ^* ”. Two files included in the same directory “etc” among the access targets corresponding to the same access name “read” are assumed to be generalized file names “/ etc / ^* ”. It is generalized.

Note that “*” represents an arbitrary character string. That is, the file “/ tmp / ^* ” means an arbitrary file stored in the directory “tmp”.

  When the generalization process is performed as described above, the six pieces of access information (see FIG. 3) are represented by two generalized access information as shown in FIG.

  In addition, in the generalization process, for each file that is the access target of the access information shown in FIG. 3, the part of the file name of the file included in the same directory is treated as a common part, and other non-common You may make it generalize by generalizing a part.

In this case, as shown in FIG. 5, the matching part “tmp” among the file names of the four files included in the same directory “tmp” is also handled as a common part, and these four files are “/ tmp / Generalized to “tmp ^* ”. Since there is no matching part between the file names of the two files included in the same directory “etc”, it is generalized to “/ etc / ^* ” as in the case shown in FIG.

  When generalization processing is performed as described above, the six pieces of access information (see FIG. 3) are represented by two generalized two pieces of access information as shown in FIG.

  Further, in the generalization process, with respect to the file that is the access target of the access information shown in FIG. 3, the part that matches the character type appearing in the file name of the file included in the same directory is treated as a common part, and the character type May be generalized by generalizing as being common.

In this case, as shown in FIG. 6, in addition to the part “tmp” in which the file names of the four files included in the same directory “tmp” match, the part in which the character type matches is also a common part. Handling, these four files are generalized to "/ tmp / tmp [0-9] ^* ".

Here, “[0-9] ^* ” means a character string composed of only one of the numbers from 0 to 9. That is, the file “/ tmp / tmp [0-9] ^* ” is an arbitrary file having a file name in which an arbitrary number is added after “tmp” among files stored in the directory “tmp”. means.

  When generalization processing is performed as described above, the six pieces of access information (see FIG. 3) are represented by two generalized two pieces of access information as shown in FIG.

  When the generalization process ends, the policy generation unit 105 stores the access information generalized by the generalization unit 107 in the policy storage unit 104 as a permitted policy (step S104: policy generation process).

In the policy generation process, when the access information is generalized as shown in FIG. 6 in step S103, “create” for “/ tmp / tmp [0-9] ^* ” and “/ etc / ^* ”. Are stored in the policy storage unit 104 as permission policies, and two permission policies are added.

  As explained above, generalized access information that has been generalized into a form that can be used for general purposes by generalizing part or all of the non-common part of the access information indicating the content of the detected access. Since the access policy is generated based on the above, it is possible to automatically generate a highly accurate access policy with few omissions without performing troublesome processing.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described.
FIG. 7 is a block diagram showing an example of the configuration of the access policy generation system 100a according to the second embodiment of the present invention. In FIG. 7, the same reference numerals are given to portions having the same configuration as that of the access policy generation system 100 described above, and detailed description thereof is omitted.

  As shown in FIG. 7, the access policy generation system 100 a includes a configuration included in the access policy generation system 100 described above and a state observation unit 108. That is, the access policy generation system 100 a is configured by adding the state observation means 108 to the configuration of the access policy generation system 100.

  The state observing means 108 checks the internal state of the control means (for example, a computer) that performs processing based on the target program 101 (for example, the contents of the stack, the contents of the registers, the contents of the heap memory, etc. provided in the control means), and the access audit The internal state is added to the access information detected by the means 102 and stored in the access storage unit 106.

  Here, the internal state stored in the access storage unit 106 is preferably only a part of the internal state of the control means. This is because the amount of data representing the internal state of the control means is generally large, and all the data is stored because there is a possibility that a problem may occur in terms of memory utilization efficiency.

  Accordingly, for example, the contents of the stack and the call stack (particularly, the portion storing the history of procedure calls) in the internal state of the control means may be saved.

Next, the operation of the access policy generation system 100a of this example will be described.
Here, the operation of the access policy generation system 100a when the rule generation mode is set will be described in detail.

  FIG. 8 is a flowchart showing an example of access policy generation processing executed by the access policy generation system 100a when the rule generation mode is set. Note that the operation of the access policy generation system 100a in the audit mode in this embodiment is the same as the operation of the access policy generation system 100 described above in the audit mode.

  In the access policy generation process, the access auditing means 102 monitors access to the resource 103 based on the target program, and each time access based on the target program 101 occurs, access information including the type of access and the access target is obtained. Store in the access storage unit 106 (step S101).

  When the access information is stored, the state observing means 108 is the internal state of the control means that performs processing based on the target program 101, and the internal state at the time when the stored access information is detected by the access auditing means 102. The state (here, part of the internal state) is stored in the access storage unit 106 (step S105).

  By repeatedly performing the processing of step S101 and step S105 until the end condition is satisfied, for example, as shown in FIG. 9, the access information to which the internal state is added is stored in a table format.

  The first line in FIG. 9 is access information indicating that a file named “/ tmp / tmp03123” has been created, and the second line indicates that a file named “/ etc / hosts” has been read. Is access information that represents.

  Unlike the example shown in FIG. 3, in the table of FIG. 9, the internal state is added to the access information. The “internal state” shown in FIG. 9 represents the address of the procedure that started the corresponding access.

  When the end condition is satisfied (Y in step S102), the generalization unit 107 performs generalization processing (step S103), and the policy generation unit 105 performs policy generation processing (step S104).

  In the policy generation process, a process of storing the access information generalized by the generalization unit 107 in the policy storage unit 104 as a permitted policy is performed.

  In the generalization process, the generalization unit 107 refers to the table stored in the access storage unit 106 (see FIG. 9), extracts a pattern from the access name, the access target, and the internal state, and generalizes the access target. .

  In the present embodiment, unlike the first embodiment described above, the internal state can be used for pattern extraction. For example, in the case of the example in FIG. 9, it is conceivable to generalize files that are included in the same directory and are accessed by the same procedure.

  Specifically, as shown in FIG. 10, the common part of the access target included in the same directory and called from the same procedure is generalized and generalized. Note that “*” represents an arbitrary character string.

  In the example shown in FIG. 10, compared with the example shown in FIG. 4 in the first embodiment described above, the read for the file “/ etc / hosts” and the read for the file “/ etc / passwd” are from different procedures. Since they are called, both remain ungeneralized.

  In general, accesses called from the same place (same procedure) in the program have the same meaning, and accesses called from different places (different procedures) have different meanings. It is not preferable to include an access having a different meaning in the processing (for example, an access called from a different place) in the permission policy by generalization.

  This is because, generally, the process of creating a temporary file, the process of reading out a password, and the process of reading out a host file are performed at different points in the program.

  For this reason, different handling is performed depending on the process. Generally, the process of creating a temporary file is called from the same place even if the created file name is different, but the process of reading out the password and the process of reading out the host file are different. Called from the place.

  By using such a property of the program, in this embodiment, access information (first, third, fourth, and sixth lines in FIG. 9) indicating creation of a temporary file is generalized and a password is read out. The access information indicating the process (line 5 in FIG. 9) and the access information indicating the process of reading the host file (line 2 in FIG. 9) are not generalized.

  As described above, the configuration is generalized in consideration of not only the access name and the access target but also the processing state (internal state) of the control means when the access is detected, thereby preventing excessive generalization. It is possible to prevent the generated access policy from becoming too loose. That is, it is possible to prevent an access policy from being lost and generate an access policy with high accuracy.

  That is, it is difficult to perform generalization by post-processing with high accuracy only from access names and access targets that can be collected by the access auditing means 102.

  Many server programs refer to OS configuration files during operation. For example, it is assumed that the setting file read operation is observed for a certain period and access to the files “/ etc / passwd”, “/ etc / hosts”, and “/ etc / services” is observed.

  Here, as in the first embodiment described above, it is not always correct to generalize so that “reading of the file“ / etc / * ”” is the permission policy.

  In other words, unlike the case of temporary files, reading of the file “/ etc / passwd”, the file “/ etc / hosts”, and the file “/ etc / services” by the server program is generally a process with different meanings. This is because even if these files are read, reading of the file “/ etc / shadow” may not necessarily be permitted.

  However, it is not possible to determine in what background each access was called based only on the information “what access occurred with respect to what” specified by the access name and the access target.

  On the other hand, in the second embodiment described above, not only the access name and the access target but also the contents of the processing based on the target program (internal information of the control means) are collected. In consideration of information indicating what kind of background is called, generalization processing can be performed, and a highly accurate access policy with few missing points can be generated.

  In the second embodiment described above, the common part of the access target called from the same procedure is generalized and generalized. In other words, a plurality of pieces of access information having the same processing contents (internal information of the control means) based on the target program are generalized, but internal information including a plurality of data (for example, call stack information shown in FIG. 12 described later) ) Is not limited to the case where the internal information is the same, and a plurality of access information that approximates the internal information may be targeted for generalization.

  In this case, for example, in the generalization process in step S103, the generalization unit 107 calculates a correlation value indicating a correlation between a plurality of accesses based on the internal information, and the calculated correlation value is a predetermined reference value. Generalized access information may be generated by generalizing a plurality of higher access information. Specifically, for a plurality of pieces of access information to be compared, a ratio of matching data occupying among a plurality of pieces of data included in internal information added to each is calculated as a correlation value. If the calculated correlation value is higher than a predetermined value (for example, 60%, 80%, etc.) as a reference value, it may be decided to generalize a plurality of corresponding access information. . With this configuration, for example, when the observation range for collecting internal information is widened (for example, when all the stack areas are observed in the embodiments described later), the requirements for generalization are strict. Thus, it is possible to prevent a situation in which the access information to be generalized becomes extremely small.

  Although not specifically mentioned in each of the above-described embodiments, the present invention is naturally applicable to a server device in which software for causing a computer to execute each of the above-described processes is installed. Further, a part of the above-described access policy generation system may be connected via a communication network such as the Internet or a dedicated line, and can be applied to a device connected to such a communication network.

  Further, although not particularly mentioned in each of the above-described embodiments, each process in each of the above-described embodiments is performed based on a control program (access policy generation program) provided in the system.

The access policy generation program is a control program for causing a computer (system 100, 100a) to generate an access policy for performing policy enforcement based on a permission policy indicating a permission rule for access to a resource. Specifically, the access policy generation program detects, for example, a step of detecting access to a resource based on a target program to be audited when a policy is enforced on a computer, and access information indicating the content of the detected access. , A step of observing the internal state of the processing of the target program that occurs when the target program is executed, a step of adding the observation result of the internal state to the access information, and an attached observation A step of calculating a correlation value indicating a correlation between a plurality of accesses based on the result, and one of the non-common parts in the acquired plurality of access information when the calculated correlation value is higher than a predetermined reference value. Generalized part or all, generates access information generalized to a general-purpose format A step that is a control program for executing the steps of generating an access policy based on the generalized access information.

Next, specific examples of the present invention will be described.
FIG. 11 is a block diagram showing an access policy generation system 200 in the present embodiment. The access policy generation system 200 is configured by a system including a personal computer that performs various data processing.

  As shown in FIG. 11, the access policy generation system 200 includes a WWW server 201, a system call inspection unit 202, a Linux OS 203, a policy storage unit 204, a policy generation unit 205, an access storage unit 206, and a generalization. Means 207 and stack inspection means 208 are included.

  A WWW server 201 illustrated in FIG. 11 is a specific example of a control unit that operates according to the target program 101.

  The system call inspection unit 202 is a specific example of the access audit unit 102. The Linux OS 203 is an operating system that manages system resources such as files that are specific examples of the resource 103.

  The system call inspection unit 202 uses the ptrace system call of the Linux OS 203 so that a system call name (an example of an access name) and an argument (an example of an access target) are generated by a software interrupt each time a system call based on the target program occurs. ) Is performed to confirm the contents.

  The confirmation result by the system call inspection unit 202 is stored in the access storage unit 208 as access information. The system call inspection unit 202 performs processing for notifying the stack inspection unit 208 that a system call based on the target program has occurred.

  Note that checking a system call name and the contents of an argument using a method called a ptrace system call is a known process realized by a program called an strace program.

The policy storage unit 204 is a specific example of the policy storage unit 104, and the policy generation unit 205 is a specific example of the policy generation unit 104. The policy generation unit 205 performs processing for generating an access policy based on the generalized access information generated by the generalization unit 207.

  The generalization unit 207 is a specific example of the generalization unit 107, and performs a generalization process for generating a rule that generalizes the data stored in the access storage unit 206.

  The stack inspection unit 208 is a specific example of the state observation unit 108. The stack checking unit 208 checks the call stack of the WWW server 201 at the time when the system call is called.

  The stack checking means 208 checks the call stack to check what procedure in the program the system call was called up by going back up the procedure call hierarchy, and shows the result of the call stack described later. Process to get information.

  Note that checking the call stack and examining the hierarchy of procedure calls at that point in time is a known process implemented by a debugger program such as a gdb (GNU debugger) program.

  The access storage unit 206 is a main memory of the system 200 and is a specific example of the access storage unit 106. The access storage unit 206 stores access information indicating the system call invocation detected by the system call inspecting unit 202 and call stack information at the time of invoking the system call inspected by the stack inspecting unit 208.

  FIG. 12 is an explanatory diagram illustrating an example of access information stored in the access storage unit 206. Here, “system call name” stores the name of the system call, and “argument value” stores the value of the argument of the system call. There may be multiple arguments. The “call stack information” stores information indicating a history of procedure calls at the time of calling a system call.

  Here, the numerical value indicating “call stack information” such as “0x40002340” represents the memory address of the procedure.

  Thus, for example, in the first line (line number 1) in FIG. 12, the read system call is called with an argument "/ etc / passwd", the memory address of the calling procedure is "0x40002340", and The memory address of the procedure that called the procedure is “0x80003128”, the memory address of the procedure that called the procedure is “0x80003320”, and the procedure is the entry point of the process of the target program. .

  Unlike the method exemplified in the second embodiment, by examining all the procedure call hierarchies, for example, even when a system call is called via a shared library, it is possible to accurately distinguish.

  Because, in Linux OS, the address of the procedure that called the system call is generally a procedure in the shared library, not the procedure described in the application program. Generally, the procedure in the shared library that calls the same system call is This is because they are stored at the same address.

  FIG. 13 is a block diagram illustrating an example of a specific configuration of the generalization unit 207. As shown in FIG. 13, the generalization unit 207 includes a correlation value calculation unit 301, a categorization unit 302, and a commoning unit 303.

  Correlation value calculation means 301 is means for calculating correlation values (approximation) between records for each record in the table stored in access storage unit 206 from the system call name and the contents of each call stack. .

  The categorizing unit 302 is a unit that classifies each record based on the correlation value calculated by the correlation value calculating unit 301.

  The commoning unit 303 is a unit that extracts and generalizes a common part from the argument values included in each record classified by the categorizing unit 302.

Next, the operation of the access policy generation system 200 of this embodiment will be described.
Here, the operation of the access policy generation system 200 when the rule generation mode is set will be described in detail.

  FIG. 14 is a flowchart illustrating an example of access policy generation processing performed by the access policy generation system 200 when the rule generation mode is set.

  In this example, when the access generation program installed in the system 200 is started, the access policy generation system 200 starts the WWW server 201 that operates according to the target program (step S201).

  In step S201, instead of newly starting the WWW server 201, processing such as access monitoring from the already started WWW server 201 is started in response to the start of the access policy generation program. May be.

  Such a process is a known process realized by invoking the ptrace system call with the PTRACE_ATTACH option.

  Next, in order to cause the WWW server 201 to execute processing based on the target program, an appropriate request is issued (step S202).

  The request may be issued manually by the user, or may be input mechanically using a WWW server test tool or the like.

  Further, the WWW server 201 may be arranged in an actual operating environment after paying sufficient attention to security so as not to be attacked. In this case, the request is issued in the actual operating environment.

  Requests are repeatedly issued until the number of accesses issued from the WWW server 201 is sufficient and the collection of access information is completed (step S203).

  Here, the determination as to whether or not the collection is complete may be made using not only the number of collected accesses but also the number of requests, or depending on the time the WWW server 201 is operated. May be.

  When the collection is completed, generalization processing is performed by the generalization unit 207 (step S204), and an access policy is generated by the policy generation unit 205 (step S205).

  Next, detailed operations of the correlation value calculating unit 301, the categorizing unit 302, and the commoning unit 303 constituting the generalizing unit 207 will be described.

  FIG. 15 is a flowchart illustrating an example of correlation value calculation processing executed by the correlation value calculation unit 301.

  In the correlation value calculation process, the process shown in FIG. 15 is performed for all two combinations of each record in the table (see FIG. 12) stored in the access storage unit 206.

  In the correlation value calculation process, the correlation value calculation means 301 includes the i-th record Ei (access information of row number i: 1 ≦ i ≦ 6 in the example shown in FIG. 12) and the j-th record Ej (access of row number j). Information: In the example shown in FIG. 12, for 1 ≦ j ≦ 6 and j ≠ i), it is compared whether Ei and Ej are the same system call name (step S301). (Step S302).

  If Ei and Ej are the same system call name, the correlation value calculation means 301 compares the call stack of Ei and the call stack of Ej, and calculates the longest subsequence Cij (step S303).

  Note that a widely known algorithm called an LCS (Longest Common Substring) algorithm may be used as an algorithm for calculating the longest subsequence.

  When the longest subsequence Cij is calculated, the correlation value calculating means 301 calculates (Cij length) / (Ei length) × (Cij length) / (Ej length), and the calculation result is calculated. The correlation value between the record Ei and the record Ej is set (step S304).

  The correlation value calculated in step S304 is 1.0 when Ei and Ej are completely the same, and 0 when they are completely different.

  The correlation value calculating unit 301 performs the above-described processing in steps S301 to S304 for all combinations of i and j.

  FIG. 16 is an explanatory diagram showing correlation values between records in the access information shown in FIG. In this example, as shown in FIG. 16, line number 2 (write system call for "/var/tmp/31240.tmp") and line number 5 (write system call for "/var/tmp/34123.tmp") And between line number 3 (read system call for "/var/html/index.html") and line number 4 (read system call for "/var/html/title.gif") The value is 1.

  Next, an example of classification processing executed by the categorizing unit 302 will be described. The categorizing unit 302 performs processing for classifying access information having a correlation value of 1 calculated by the correlation value calculating unit 301 as the same category.

  FIG. 17 is an explanatory diagram showing a state in which the access information shown in FIG. 12 is categorized. Those classified into the same category are given the same category name in the “category” column.

  In FIG. 17, line number 2 (write system call for “/tmp/31240.tmp”) and line number 5 (write system call for “/tmp/34123.tmp”) belong to the same category A.

  Also, line number 3 (read system call for “/var/html/index.html”) and line number 4 (read system call for “/var/html/title.gif”) belong to the same category B. The other two belong to independent categories.

  Next, an example of the sharing process executed by the sharing unit 303 will be described. The common unit 303 performs a process of extracting and generalizing a common part from the values of system call arguments of access information belonging to the same category.

  Here, when the value of the argument is a character string, the common unit 303 performs processing using the above-described longest partial character string calculation algorithm (LCS algorithm).

  Also, if the character string is a file name, specially treated characters (slash “/” and period “.”) In the file name are treated as tokens once, and LCS is performed on the tokenized token sequence. An algorithm may be used.

  When processing is performed in this way, since the meaning of the file name is taken into account during generalization, it is possible to perform generalization with higher accuracy.

  For example, when generalizing the file “/var/tmp/31240.tmp” of line number 2 and the file “/var/tmp/34123.tmp” of line number 5 shown in FIG. 12, the LCS algorithm is simply applied. The file will be “/var/tmp/3*.tmp”. Note that “*” represents a variable part, and other characters represent a partial character string.

  As a result, writing to the file `` /var/tmp/31240.tmp '' and writing to the file `` /var/tmp/34123.tmp '' are permitted, but for example, the file `` / var / tmp / 41234. Writing to “tmp” is a policy violation.

  However, this writing is highly likely to be a temporary file writing using a file with random numerical values. In that case, writing to the file “/var/tmp/41234.tmp” is proper.

  On the other hand, when generalizing the file “/var/tmp/31240.tmp” of line number 2 and the file “/var/tmp/34123.tmp” of line number 5 shown in FIG. 12, the slash and period are once separated. By tokenizing it as characters, using the LCS algorithm for the token string, and de- tokenizing, the result of the file “/var/tmp/*.tmp” is obtained.

  FIG. 18 is an explanatory diagram showing an example of a common process that combines the tokenization process executed by the common unit 303 and the LCS algorithm.

  In the sharing process, the sharing unit 303 sets the file names of the file “/var/tmp/31240.tmp” of line number 2 and the file “/var/tmp/34123.tmp” of line number 5 to “/ ”And“. ”Are tokenized (steps S401 and S402).

  Next, the sharing unit 303 calculates the longest subsequence for the token (a group of separated characters, represented by a square frame in FIG. 18) (step S403).

  Finally, the sharing unit 303 obtains a result of the file “/var/tmp/*.tmp” by returning the token to the original character string (step S404).

  Compared to the case where the LCS algorithm is simply applied, for example, writing to the file “/var/tmp/41234.tmp” can be included in the permission policy, and the result can be generalized more accurately. It can be said that.

  When the above common processing is executed for each piece of access information classified into the same category, it is finally generalized to access information as shown in FIG.

  The policy generation means 205 generates an access policy from the generalized access information as shown in FIG. 19 according to the description grammar of the access policy, and outputs the generated access policy.

  With such a configuration, an access policy without excess or deficiency can be generated.

  For example, when the access information shown in FIG. 12 is used as the permission policy as it is, in the related art 1, when the writing to the file “/var/tmp/35321.tmp” occurs, the policy is violated.

  However, as described above, this writing is likely to be a temporary file writing using a file with a random numerical value. In that case, writing to the file "/var/tmp/35321.tmp" is inherently valid. Is. However, in the prior art 1, although it is a normal operation of the program, it is determined as an illegal operation.

  On the other hand, in this embodiment, since the permission policy “permit writing to the file“ /var/tmp/*.tmp ”” is generated, writing to the file “/var/tmp/35321.tmp” is also possible. It is recognized as legitimate and does not cause the above problems.

  When the access information shown in FIG. 12 is generalized by the common processing shown in FIG. 15 without using the call stack information, the file “/var/tmp/31240.tmp”, the file “/ var / tmp / 34123.tmp "and the file" /var/log/httpd.log "are classified as the same category, so" Write to file "/ var / *" "is set as the permission policy. End up.

  However, since writing to the file “/var/log/httpd.log” is not writing of a temporary file, but writing of a log file, it is excessive generalization to generalize all three. It can be said.

  For example, writing to the file “/var/log/troyanhorse.pl” may be an infection activity of a Trojan horse or computer virus and should not be included in the authorization policy.

  On the other hand, in the present embodiment, the stack inspection unit 208 is provided to observe the call stack, and the call stack is used in the generalization processing by the generalization unit 207. Can be suppressed.

  The present invention is applicable to security management based on an access policy such as a policy enforcement system, and in particular, setting of file access authority of a general OS, setting of access authority of a secure OS, policy setting of access control middleware, host This is useful for automatically generating an access policy by applying it to a policy setting of a base intrusion detection system, a host-based intrusion prevention system, or a policy setting of a virtual machine having a sandbox model.

It is a block diagram which shows the example of a structure of the access policy production | generation system in the 1st Embodiment of this invention. It is a flowchart which shows the example of the access policy production | generation process in the 1st Embodiment of this invention. It is explanatory drawing which shows the example of the access information in the 1st Embodiment of this invention. It is explanatory drawing which shows the example of the generalized access information in the 1st Embodiment of this invention. It is explanatory drawing which shows the other example of the generalized access information in the 1st Embodiment of this invention. It is explanatory drawing which shows the further another example of the generalized access information in the 1st Embodiment of this invention. It is a block diagram which shows the example of a structure of the access policy production | generation system in the 2nd Embodiment of this invention. It is a flowchart which shows the example of the access policy production | generation process in the 2nd Embodiment of this invention. It is explanatory drawing which shows the example of the access information in the 2nd Embodiment of this invention. It is explanatory drawing which shows the example of the generalized access information in the 2nd Embodiment of this invention. It is a block diagram which shows the specific example of an access policy production | generation system. It is explanatory drawing which shows the specific example of access information. It is a block diagram which shows the example of the specific structure of a generalization means. It is a flowchart which shows the specific example of an access policy production | generation process. It is a flowchart which shows the example of a correlation value calculation process. It is explanatory drawing which shows the calculation result of a correlation value. It is explanatory drawing which shows the categorized access information. It is explanatory drawing which shows the specific example of a sharing process. It is explanatory drawing which shows the specific example of generalized access information. It is a block diagram which shows the example of the general structure of a policy enforcement system. It is a block diagram which shows the example of the conventional access policy production | generation system.

Explanation of symbols

100, 100a, 200 Access policy generation system 101 Target program 102 Access audit means 103 Resource 104, 204 Policy storage section 105, 205 Policy generation means 106, 206 Access storage section 107.207 Generalization means 108 State observation means 110 Input device 201 WWW server 202 System call inspection means 203 Linux OS
208 Stack inspection means

Claims (12)

An access policy generation system for generating an access policy for policy enforcement based on an authorization policy indicating an authorization rule for access to a resource,
Access detection means for detecting access to the resource based on a target program to be audited when the policy is enforced;
Access information acquisition means for acquiring access information indicating the content of access detected by the access detection means;
A state observing means for observing the internal state of the processing of the target program that occurs when the target program is executed and adding the observation result of the internal state to the access information when the access occurs;
A correlation value indicating a correlation between a plurality of accesses is calculated based on the added observation result, and when the calculated correlation value is higher than a predetermined reference value, a plurality of information acquired by the access information acquisition unit Generalization means for generalizing a part or all of the non-common part in the access information and generating access information generalized in a general-purpose format;
An access policy generation system comprising: policy generation means for generating an access policy based on the access information generalized by the generalization means. The state observing means includes stack checking means for acquiring call stack information including a procedure that has started access by inspecting a call stack in which a history of procedure calls is stored.
The stack inspection means adds the call stack information to the access information indicating the content of the corresponding access as an observation result,
Generalization means, the added the generalization of the plurality of access information is higher than the reference value is a correlation value calculated based on the call stack information, generalization to claim 1, wherein the access policy generation system for generating access information . The generalization means includes a correlation value calculation means for calculating a correlation value indicating a correlation between a plurality of access information, a categorization means for classifying access information based on the correlation value calculated by the correlation value calculation means, and the categorization The access policy generation system according to claim 1, further comprising: a common unit that generalizes a plurality of pieces of access information that are classified into the same classification by the unit to obtain common access information. The access information includes the type of access detected by the access detection means and the target of access.
The access policy according to any one of claims 1 to 3 , wherein the generalization unit generates generalized access information by generalizing an access target in a plurality of access information having the same access type. Generation system. An access policy generation method for generating an access policy for policy enforcement based on an authorization policy indicating an authorization rule for access to a resource,
The access detection means detects access to the resource based on a target program to be audited when the policy is enforced,
The access information acquisition means acquires access information indicating the content of the detected access,
When the access occurs, the state observing means observes the internal state of the processing of the target program that occurs in the execution of the target program,
State observation means adds the observation result of the internal state to the access information,
The generalization means calculates a correlation value indicating a correlation between a plurality of accesses based on the added observation result,
Generalization means generalizes a part or all of non-common parts in a plurality of access information acquired by access information acquisition means when the calculated correlation value is higher than a predetermined reference value. Generate access information generalized in the format used for
Policy generation means, the access policy generation method characterized by generating an access policy based on the generalized access information. The stack checking means included in the state observing means obtains call stack information including the procedure that started the access by inspecting the call stack in which the procedure call history is stored.
The stack inspection means adds the call stack information to the access information indicating the contents of the corresponding access as an observation result,
6. The access according to claim 5 , wherein the generalization means generates the generalized access information by generalizing a plurality of pieces of access information whose correlation value calculated based on the added call stack information is higher than a reference value. Policy generation method. Correlation value calculation means included in the generalization means calculates a correlation value indicating a correlation between a plurality of access information,
The categorizing means included in the generalizing means classifies the access information based on the calculated correlation value,
The access policy according to claim 5 or 6 , wherein the sharing means included in the generalization means generates the generalized access information by using a plurality of access information classified as the same classification as the common access information. Generation method. The access information includes the type of access detected by the access detection means and the target of access.
Generalization means, that the kind of access to generalize the access target in the same plurality of the access information, the access policy according to any one of claims 7 claims 5 to generate a generalized access information Generation method. An access policy generation program for generating an access policy for enforcing a policy based on an authorization policy indicating an access permission rule for a resource,
On the computer,
Detecting access to the resource based on a target program to be audited when the policy is enforced;
Obtaining access information indicating the content of the detected access;
Observing an internal state of processing of the target program that occurs when the target program is executed when the access occurs;
Adding the observation result of the internal state to the access information;
Calculating a correlation value indicating a correlation of a plurality of accesses based on the added observation result;
If the calculated correlation value is higher than a predetermined reference value , generalize part or all of the non-common part in the acquired multiple access information and generalize it into a general-purpose format A step of generating
A program for generating an access policy, comprising: generating an access policy based on generalized access information. On the computer,
As an observation of the internal state of the processing of the target program, by inspecting the call stack in which the procedure call history is stored, the step of obtaining the call stack information including the procedure that initiated the access is executed,
As an addition of the observation result, a step of adding the call stack information to the access information indicating the content of the corresponding access is executed,
The access policy according to claim 9, wherein a step of generating generalized access information is executed by generalizing a plurality of pieces of access information having a correlation value calculated based on the added call stack information higher than a reference value. Generation program. On the computer,
A step of calculating a correlation value indicating a correlation between a plurality of pieces of access information;
And classifying the access information based on the calculated correlation value,
The access policy generation program according to claim 9 or 10 , wherein a step of generating generalized access information is executed by using a plurality of pieces of access information classified into the same classification as common access information. The access information includes the type of access detected by the access detection means and the target of access.
On the computer,
The access policy generation according to any one of claims 9 to 11 , wherein a step of generating generalized access information is executed by generalizing an access target in a plurality of access information having the same access type. Program.

Images