JP4376587B2 - Access history recording device and access control device - Google Patents

Description

  The present invention relates to an access history recording device and an access control device in a computer system.

Conventionally, there is a technique for setting an access control policy in order to protect a file managed by a computer. For example, Patent Literature 1 discloses a method for setting this access control policy. According to the present invention, when a process is started, a process ID and the like are acquired, and when a file is accessed, an access history such as an access date / time, an access file name, and an access execution file name is recorded, and access management is performed using this log. Execute.
Patent Document 2 discloses a log analysis technique for analyzing a log output when a program is executed by a computer. According to this invention, the log information output at the time of execution of the program is acquired and read, the user specified condition indicating the extracted log information is accepted, the information is extracted from the log information based on the accepted user specified condition, Analyze the cause of errors during execution by determining whether the prerequisites for each operation during program execution are satisfied.
JP 2003-6027 A JP 2002-207612 A

By the way, basic software (so-called OS) such as Linux and Windows (registered trademark) has a function to save a record (log) of information such as the date and time of the execution of the command and the activated user. In Linux, a service is realized by managing a state with a data structure called “process” corresponding to an executed command and starting another command from the command. However, as described in Patent Document 1 described above, the log function of the basic software has a problem that only “which command is executed” is recorded.
Therefore, it is difficult to track cracker behavior (attack procedures) when a computer system receives unauthorized access, and even if it tries to restrict the execution of commands that are particularly important for security, it distinguishes between unauthorized access procedures and others. There was a problem that it could not be done because it was not possible.

  In addition, as described above, there are many methods and implementations that improve the security of basic software by specifying detailed access conditions for access (reading, writing, execution, etc.) to files etc. and denying access other than following them. Existing. In such a system, it is necessary to specify access definition information (policy information) so that only the minimum necessary access is permitted. However, if the access control mechanism supports fine-grained control, the correct policy is required. It is difficult to define all information, and as a result, unnecessary access is not denied, resulting in security vulnerabilities (security holes), or conversely, applications and services that you want to use by restricting necessary access There was a problem that there was a situation that could not be used.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide an access history recording apparatus and an access control apparatus capable of improving the security of a computer system.

The present invention has been made to solve the above problems, the present invention includes a process information management means for obtaining a transition history consisting of a sequence of a program name of the program name and child of the parent process, and the obtained It is a file access log indicating the file access executed by the child process for the child process of the transition history called from the parent process of the transition history and called last, and the acquired transition history is and characterized by comprising a file input and output management means for obtaining a file access log, an access history recording means for recording the transition history of the previous SL files access log acquired as identification information for identifying the access policy, the comprising To do.

In addition, the present invention provides a process information management means for obtaining a transition history including an arrangement of a program name of a parent process and a program name of a child process , the transition history, and the transition called from the parent process of the transition history. For a file access executed by a child process of the history and the last called child process, an access policy indicating the access restriction information is stored in advance, and is called from the parent process of the acquired transition history. the file access child process was last called the a child process executed file access to perform restricted file access according to the access policy corresponding to the transition history of the acquired an access policy for the storage characterized by comprising a control unit, the

Further, according to the present invention, the storage unit stores in advance the transition history in which an access policy indicating that file access is permitted is stored, and the file access control unit stores the acquired transition history in the storage When the transition history matches, the file access executed by the parent process and the child process indicated by the sequence of program names in the transition history is permitted .

As described above, according to the present invention, “transition history of process parent-child relationship consisting of identification information of parent process and identification information of child process” and a file access log of each process are acquired, and each process is obtained. Each file access log is recorded in a form including “process parent-child relationship transition history” as identification information.
Therefore, it is possible to record the access history for improving the security of the computer system by identifying the process in each context by the “process parent-child relationship transition history” for the same process that cannot be identified. The effect that can be obtained.

In addition, according to the present invention, the file access log of each process is stored in advance by using “process parent-child relationship transition history including parent process identification information and child process identification information” as the identification information of each process. , "Process parent-child relationship transition history" is used as process identification information, and an access policy is set based on the stored file access log.
Then, file access from a process that does not match the set access policy and that uses “process parent-child relationship transition history as identification information” is restricted.
Therefore, for processes that are the same but cannot be identified, set the access policy in the form of identifying the process in each context by the "process parent-child relationship transition history", and "process parent-child relationship transitions that do not match this" Since the file access from the process using the history as identification information is restricted, the effect of improving the security of the computer system can be obtained.

Further, according to the present invention, an access policy for permitting file access is set based on a file access log having a known valid “process parent-child relationship transition history” as process identification information.
Therefore, even if the legitimate “process parent-child relationship transition history” is known, even if the file access is finely restricted, the file access can be surely permitted to the process in the legitimate context. The effect which can be improved is acquired.

Hereinafter, the best mode for carrying out the present invention will be described.
First, the basic concept of the present invention will be described in comparison with the above-described prior art.
In the invention described in Patent Document 1, an access history such as file access executed by one program is recorded, and access control is executed based on this log.
However, in this way of thinking, permission must be given for the maximum range that it accesses for each program, and the existence and work of an administrator who knows in detail the operation of the program are preconditions.
On the other hand, in the present invention, a history of starting programs (context) is recorded. As a result, even when the same program is executed, a range that is considered to be valid is set separately according to the history of starting the program, and access permission is given.

  That is, by storing the actual call relationship of commands as information, it is possible to distinguish in what context the same command is about to be executed. By realizing such a distinction, the access range permitted to the program can be minimized according to the history of program activation. In addition, when an unauthorized access is received by a cracker, the intrusion pattern can be checked from the stored log and necessary measures can be taken. For example, by passing the history of a series of commands as a caller at the time of command execution as a parameter, the combination of commands that seems to be invalid when trying to take over the basic software using the web service or ftp service as a stepping stone If it matches, stop processing or leave a log.

To set a combination of command history that seems to be illegal (or a combination of command history that seems to be legitimate), execute a service or application on the basic software, and use the functions related to the access function of the basic software program Save the call history as a file. Thus, information necessary for policy definition is acquired. Then, the acquired information is converted into a policy information format.
Access control based on policy information is more difficult to operate correctly as the unit of control is finer, and a mechanism for improving security inherently may have the opposite result. By applying the method of the present invention, it is possible to define correct policy information without deep knowledge about basic software, which is effective in improving the security of a computer system.

Hereinafter, an embodiment of an access history recording apparatus and an access control apparatus according to the present invention will be described with reference to the drawings. FIG. 1 is a configuration diagram of an access history recording apparatus 1 of the present embodiment.
As shown in FIG. 1, the access history recording apparatus 1 according to the present embodiment implements an access history recording process with a kernel program executed in the OS kernel space 10 and a user program executed in the user space 11.
Specifically, in the OS kernel space 10, a process information management unit 10A, a process replication unit 10B, a process transition unit 10C, a file input / output processing unit 10D, and a process end unit 10E are executed as programs. In the present embodiment, the program includes the functions of a newly added transition history holding unit 100A, transition history duplicating unit 100B, transition history updating unit 100C, access log holding unit 100D, and transition history discarding unit 100E. Yes.
10 A of process information management parts perform the process which manages the process information of all the programs (for example, process 11A-C) performed in the user space 11. FIG. Here, the process information is information for the OS to manage the process, and is information that the OS has as a standard. As shown in FIG. 1, each process is assigned a unique number for identifying the process. The process 11A is assigned 1 as an ID, and the processes 11B and 11C are assigned 2 as an ID. Since the process 11B is replaced with the process 11C by the process transition unit 10C described later, the processes 11B and 11C have the same ID, but this does not mean that both 11B and 11C can exist at the same time.

In the example shown in FIG. 4, the parent process of the program name (/ sbin / init) calls the child process of the program name (/etc/rc.d/rc), and this program name (/ etc / rc. d / rc) as the parent process, the child process of the program name (/etc/rc3.d/S80sendmail) is called, and the process with this program name (/etc/rc3.d/S80sendmail) as the parent process Indicates that the program name (/ bin / chown) child process has been called. The recursive parent-child relationship described above is defined as command execution history (process transition history) in this specification.
The concept of the command execution history referred to in this specification is shown in the right half of FIG. In other words, the command execution history is not the execution order in which the programs called in order from the reference position are arranged in time series, but the situation (or genealogy) of the transition results of each program. If the situation (or genealogy) is different, even if the finally executed program is the same, it is distinguished as a different command execution history.
The transition history holding unit 100A in the process information management unit 10A holds a command execution history related to each process in the form of a program name with transition information as shown in FIG.

The process duplication unit 10B receives a process duplication (copy) request executed in the user space 11, and executes a process of creating a copy. Specifically, the process duplicating unit 10B creates a copy A ′ of the process A. A and A ′ differ only in the ID, and the others have the same contents. That is, as shown in FIG. 2, in a state where the process 11A is being executed (state 2), a copy of the process A itself (state 2 ′) is generated.
All processes hold their own management information (including the process transition history 100A) in the memory area in the process information management unit 10A, and are replicated when creating their own copies.

  The process transition unit 10C receives a process overwrite (replacement) request executed in the user space 11, and executes a process of overwriting with a new program. For example, when the process 11B requests the process transition unit 10C to replace its image with a new program, the process transition unit 10C overwrites the process 11B with the new program. At this time, at the same time as the process information of the process 11B managed by the process information management unit 10A is updated, the transition history update unit 100C adds the information of the new program to the program execution history of the process 11B in the transition history holding unit 100A. to add. When the process in the process transition unit 10C is completed, the process 11B (state 2 ') starts operation as the process 11C (state 3).

The file input / output processing unit 10D executes a process of receiving a file access request of a process executed in the user space 11, determining whether access is possible, and returning a result. When the access request is permitted by the file input / output processing unit 10D, the access log holding unit 100D displays “transition history of the access request source process stored in the designated path name, access mode, and transition history holding unit 100A”. Get as file access log.
The process end unit 10E receives a request to end the process executed in the user space 11, discards the process information of the end request source process stored in the process information management unit 10A, and notifies the parent process of the process end. At the same time as the process information is discarded in the process end unit 10E, the command execution history of the termination request source process held in the transition history holding unit 100A is also discarded by the transition history discard unit 100E.

In the user space 11, processes (user programs) 11A to 11C and an access log recording unit 11Z are executed.
Processes 11A to 11C are identified by command execution history (program names with transition information: A, A → B, A → C, A → C → D, A → C → D → B, etc.) as shown in FIG. A predetermined process is executed under access control by the kernel.
The access log recording unit 11Z acquires a process file access log (access target file, access mode) from the access log holding unit 100D using the command execution history managed by the transition history management unit 100A as process identification information. In the access log table T1 shown in FIG.

Next, the operation of the access history recording apparatus 1 of the present embodiment will be described with reference to the drawings.
(Process creation and transition processing)
FIG. 5 is a flowchart showing the process creation and transition process in the access history recording apparatus 1 of the present embodiment.
When the process 11A operating in the user space 11 creates a copy of itself for executing a new program, it sends a copy request to the process duplicating unit 10B (step S1 in FIG. 5).
In response to a request from the process 11A, the process replication unit 10B creates a process 11B that is a copy of the process 11A. That is, the process duplicating unit 10B creates a copy of the process 11A including the process information of the process 11A and the command execution history included in the process information (step S2). Thereby, a parent-child relationship between processes in which the process 11A is a parent process and the process 11B is a child process is defined.

Next, the created process 11B sends a request to the process transition unit 10C so as to replace its own image with a new program (step S3).
In response to the image replacement request from the process 11B, the process transition unit 10C overwrites the process 11B with a new program (step S4). At this time, the transition history update unit 100C in the process transition unit 10C updates the command execution history of the process 11B stored in the transition history holding unit 100A managed by the process information management unit 10A. Thereby, the transition of the command execution history is defined. Then, the image replacement request source process 11B starts operation as the process 11C after the processing in the process transition unit 10C is completed (step S5).

(File access processing)
FIG. 6 shows the process of file access processing in the access history recording apparatus 1 of this embodiment. As illustrated in FIG. 6, when the process 11C specifies a path name and requests access to the file input / output processing unit 10D (step S11), the file input / output processing unit 10D receives the path name and permits file access. It is determined whether or not to perform (step S12).
When the file input / output processing unit 10D permits the file access, the access log holding unit 100D displays “the command execution history (transition history information) of the process 11C recorded in the path name, access mode, and transition history holding unit 100A”. "Is recorded as a log (step S13). Then, the application can use the requested file (step S14).

(Process termination processing)
FIG. 7 shows a process end process in the access history recording apparatus 1 of the present embodiment. As shown in FIG. 7, when the process 11C sends a process end request to the process end unit 10E (step S21), the process end unit 10E discards the process information of the process 11C held in the process information management unit 10A. At the same time (step S22), the command execution history of the process 11C recorded in the transition history holding unit 100A is also discarded (step S23).
Then, the process end unit 10E notifies the parent process 11A that the child process 11C has ended (step S24).

(Access log read processing)
FIG. 8 shows a process of access log read processing in the access history recording apparatus 1 of the present embodiment. As shown in FIG. 8, when the log read process 11Z executed by the access log recording unit 11Z requests the file input / output processing unit 10D for the access log stored in the access log holding unit 100D (step S31). The file input / output processing unit 10D reads the access log held by the access log holding unit 100D and returns the result to the process 11Z (step S32).
The process 11Z requests the kernel to store the received access log as “access log 1” in the file (step S33), and the kernel stores the access log in the file (step S34).

(Access log verification process)
The access log stored in the above “access log 1” is verified by the access history recording device 1. That is, the access history recording device 1 reads the access log stored in “access log 1” and checks whether the file requested to be accessed actually exists. Then, the access history recording apparatus 1 takes out only the actual file and stores it in the file as “access log 2”.

(Access log split processing)
Next, the access history recording device 1 separates the information related to the process transition history and the information related to the file access request from the “access log 2” and sets the former as “transition pattern 1” and the latter as “request log 1”. Save to. Regarding the “transition pattern 1” and “request log 1”, the access history recording apparatus 1 further rearranges them in alphabetical order, and then removes the duplicated records to obtain “transition pattern 2” and “request log 2”, respectively. Save to file. Since the information unique to the access history recording device is not required after this division processing, it can be performed using a device other than the access history recording device 1.

(Division processing by transition pattern)
After the access log dividing process, the access history recording apparatus 1 divides the request log for each process transition history while referring to “transition pattern 2” for “request log 2”, and stores it in a file as “request log 3”. “Request logs 3” are created as many as the number of transition patterns.

(Conversion to policy)
After dividing the access log according to the transition pattern, the access history recording apparatus 1 converts it into a policy for each access control implementation based on the “request log 3” and stores it in a file as an “access permission list 1”. “Access permission list 1” is created as many as the number of transition patterns.
As described above, the access history recording apparatus 1 sets the access policy. That is, as shown in FIG. 9, all access logs of programs executed in the user space 11 are recorded in the OS kernel, and an access record read program, an access record analysis program, and a policy output program are executed for necessary access logs. As a result, the above-described processing is realized and the policy is set.

As described above, in the access history recording apparatus 1 according to the present embodiment, for example, as shown in FIG. 3, the program A calls the program B and the program C therein, and the program C further calls the program D, When the program D further calls the program B, first, the program A becomes a parent, and B and C are activated. Next, program C becomes the parent and D is activated. Then, program D becomes the parent and B is activated. At this time, if only the program that is finally executed is viewed, B on the left side of FIG.
On the other hand, as shown in FIG. 10, as a result of being unable to identify only the program that is finally executed, the conventional method must permit access to both the files 1 and 2 for the program B.
However, it is possible to distinguish between A → B and A → C → D → B by maintaining the history of process transitions, so the former can only access file 1 and 2, and the latter only file 2. It ’s fine. Therefore, by realizing such a distinction, the access range permitted to the program can be minimized according to the history of program activation.
In addition, when an unauthorized access is received by a cracker, the intrusion pattern can be checked from the stored log and necessary measures can be taken. For example, by passing the history of a series of commands as a caller at the time of command execution as a parameter, the combination of commands that seems to be invalid when trying to take over the basic software using the web service or ftp service as a stepping stone If it matches, stop processing or leave a log.
By leaving such a log, for example, in the normal processing flow, it is possible to detect a context that seems to be an unauthorized access, such as the program D is not called from other than the program C.

Hereinafter, a flow of executing access control based on the access policy set by the access control apparatus 2 of the present embodiment will be described.
As described above, when it is not set as an access policy that the program D is not called from other than the program C, when the cracker takes over the program A by unauthorized access and starts the program D, the kernel It cannot be recognized that the program C is not routed, and the program D is executed.

On the other hand, a storage unit for storing a file access log of each process is provided in the access control device 2 using the transition history of the process parent-child relationship consisting of the identification information of the parent process and the identification information of the child process as identification information of each process. In addition, the access policy setting unit sets the access policy based on the file access log stored in the storage unit using the process parent / child relationship transition history as process identification information, so that the file access control unit sets the access policy setting unit. It is possible to restrict file access from a process that does not conform to the access policy that uses the process parent-child relationship transition history as identification information.
Specifically, when the cracker takes over the program A by unauthorized access and tries to start the program D, the kernel has an access policy for executing the program D without going through the program C from the command execution history of the current program A. Knowing that it does not exist, it is possible to output a warning message to the administrator without executing the process.

  In the access control apparatus 2 of the present embodiment, the detailed setting method of the access policy is not particularly limited. Specifically, for example, a known valid “process parent-child relationship transition history” is stored. It is conceivable to set an access policy permitting file access based on a file access log included as process identification information.

The access history recording device and the access control device described above have a computer system inside.
A series of processes relating to the access history recording process and the access control process described above are stored in a computer-readable recording medium in the form of a program, and the program is read out and executed by the computer. Is done.
That is, each processing means and processing unit in the access history recording device and the access control device is such that a central processing unit such as a CPU reads the above program into a main storage device such as a ROM or RAM, and processes and processes information. It is realized by executing.
Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

1 is a configuration diagram of an access history recording device 1. FIG. Explanatory drawing of process duplication and transition. Explanatory drawing of command execution history. The block diagram of access log table T1. The flowchart of process creation and transition processing. The flowchart of a file access process. The flowchart of a process end process. The flowchart of an access log read process. Explanatory drawing of access policy setting. Explanatory drawing of access permission range setting.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Access history recording apparatus 2 ... Access control apparatus 10 ... OS kernel space 10A ... Process information management part 10B ... Process replication part 10C ... Process transition part 10D ... File input / output processing part 10E ... Process end part 11 ... User space 11A- 11C ... User process 11Z ... Access log recording unit 100A ... Transition history holding unit 100B ... Transition history duplicating unit 100C ... Transition history updating unit 100D ... Access log holding unit 100E ... Transition history discarding unit

Claims (3)

A process information management means for acquiring a transition history consisting of a sequence of a parent process program name and a child process program name;
For the transition history of the child process is a and finally called child called from the parent process of the transition history of the acquired, a file access log indicating the file access the child process is executed, and the acquired A file input / output management means for acquiring a file access log including a transition history;
Access history recording means for recording the transition history of the acquired file access log as identification information for specifying an access policy ;
An access history recording apparatus comprising: A process information management means for acquiring a transition history consisting of a sequence of a parent process program name and a child process program name;
Said transition history, the file access the transition history of the child process is a by child processes called last called from the parent process of the transition history is executed, the access policy that indicates the limitation information of the access, the Storage means for storing in advance;
An access corresponding to the acquired transition history in the stored access policy for a file access executed by a child process that is called from the parent process of the acquired transition history and is called last. A file access control means for restricting file access according to a policy ;
An access control apparatus comprising: The storage means stores in advance the transition history in which an access policy indicating that file access is permitted is set,
The file access control means permits the file access executed by the parent process and the child process indicated by the program name sequence of the transition history when the acquired transition history matches the stored transition history. The access control apparatus according to claim 2.

Images