JP5244551B2 - Information acquisition mediation program, operating system, information acquisition mediation method - Google Patents

Description

  The present invention relates to a data processing technique, and more particularly to a technique for mediating acquisition of secret information of a user.

  Phishing, which is a type of fraud using the Internet, first transmits a fake mail (hereinafter referred to as “phishing mail” as appropriate) pretending to be a mail from a legitimate organization such as a financial institution to the user. The user is directed to a fake website (hereinafter referred to as a “phishing site” as appropriate) pretending to be a website of a legitimate organization by a hyperlink or the like set in a phishing email, and prepared for the phishing site. Personal information such as ID / password may be entered in the input form. As a result, the user's personal information may be acquired and misused by a malicious third party.

Patent Document 1 proposes a technique for identifying whether a user's received mail is a mail from a truly valid organization, that is, whether it is a phishing mail.
JP 2007-323640 A

  Patent Document 1 makes it easy to prevent a user from being guided to a phishing site, but there is no description about a countermeasure after the user is guided to a website that is a link destination of an email. In other words, a user who has accessed a website that is not known authentically needs to check the contents of the web page by himself / herself and determine whether or not the website is a website of a legitimate organization.

  Web page design technology is evolving day by day, and while it is a phishing site, it can be disguised as if it were a website of a legitimate organization. Therefore, it may be difficult for the user to correctly determine the authenticity of the website. As a result of entering personal information on the assumption that the user is accessing a website of a legitimate organization, the user may be stolen by a malicious third party.

  The present invention has been made in view of these problems, and a main purpose thereof is to provide a technique for preventing the confidential information of a user from being stolen by a malicious third party.

  In order to solve the above-described problem, an information acquisition mediation program according to an aspect of the present invention provides an external application that requires confidential information about a user so that the secret information cannot be directly acquired from the user. A request acceptance function that accepts acquisition requests centrally and whether the external application is registered in advance as a trusted application that may provide confidential information before the confidential information is provided to the external application. The computer implements a determination function for determining whether or not and an information providing function for providing secret information to an external application on the condition that the external application is determined to be a trusted application.

  Another aspect of the present invention is an information acquisition mediation method. In this method, in order to prevent an external application that needs confidential information about the user from directly acquiring the confidential information from the user, a step of centrally receiving an acquisition request of the confidential information from the external application, and at least the confidential information is external Determining whether an external application is pre-registered as a trusted application that may provide confidential information before being provided to the application; and determining that the external application is a trusted application And providing the secret information to an external application on the condition that the computer is executed.

  It should be noted that any combination of the above-described constituent elements and a representation of the present invention converted between an apparatus, a method, a system, a program, a recording medium storing the program, and the like are also effective as an aspect of the present invention.

  It is possible to prevent the confidential information of the user from being stolen by a malicious third party.

The outline of the embodiment of the present invention will be described before the configuration thereof is described.
Currently, a general PC is equipped with an operating system (hereinafter referred to as “OS” as appropriate) that provides basic functions commonly used by many applications and manages the entire computer. Various applications, for example, when displaying information on a display, use functions provided by the OS directly or indirectly in various scenes to exhibit functions implemented in the application on the PC.

  FIG. 1 shows an architecture in which an application uses an OS. FIG. 1 shows a general architecture in which an application existing outside the OS acquires information from a user using the OS. The application shown in the figure calls a drawing IF (Interface interface) provided by the OS when displaying an input form for allowing the user to input personal information (hereinafter referred to as “personal information input form” as appropriate). . As a result, the personal information input form is displayed on the display via the kernel and the device driver for display control. In addition, when acquiring the personal information input by the user in the personal information input form, this application calls the input / output IF provided by the OS and acquires the personal information detected by the input / output device.

  The present inventor considered that the fact that an arbitrary application can use the drawing function of the OS without any limitation is one reason that personal information is stolen by phishing. Even a malicious application created by a malicious third party (hereinafter referred to as “malware” as appropriate) can draw an arbitrary image using the OS drawing function. This is because it can be disguised as if it were.

  Based on this knowledge, the present inventor considered adding an information acquisition mediating function that mediates the acquisition of personal information to the user terminal. An application that needs to acquire the user's personal information is sure to acquire the personal information via the information acquisition mediation function. In other words, the application is prohibited from acquiring personal information directly from the user. This information acquisition mediation function confirms that the application that requested acquisition of personal information is an application that may provide personal information (hereinafter referred to as “trusted application” as appropriate), and is a trusted application. Provide personal information only. In this way, we thought that theft of personal information by phishing could be prevented.

  FIG. 2 shows an improved architecture relative to the architecture of FIG. The OS shown in the figure newly includes an information acquisition mediation IF in its API (Application Programming Interface) layer. This information acquisition intermediation IF displays a personal information input form on the screen in place of the calling application. The information acquisition mediation IF executes a process for acquiring personal information input by the user on behalf of the calling application.

  When an application outside the OS needs the user's personal information, it calls the information acquisition mediation IF. The information acquisition mediation IF provides personal information input by the user to the application on condition that the calling application is a trusted application. As a result, the user's personal information is provided only to the trusted application registered in advance in the information acquisition mediation IF.

  FIG. 3 shows a configuration of the web system 10 according to the embodiment of the present invention. In the web system 10, a web server A 20 a and a web server B 20 b that are collectively referred to as a web server 20 and a user terminal 40 are connected via a communication network 30 that includes known communication means such as LAN, WAN, and the Internet without limitation. Is done. In the following description, it is assumed that the web server A 20a establishes a website of a securities company A, which is a legitimate organization, and this website is a trusted application. On the other hand, it is assumed that the web server B 20b has a phishing site.

  The user terminal 40 is a general PC operated by a user, and is connected to the display 50, the keyboard 60, and the dedicated LED 70. The dedicated LED 70 is a light emitting diode that can be controlled to be turned on / off only from a specific program installed in the user terminal 40, here a predetermined program in the OS, and is directly controlled by an application outside the OS. Can't do it.

  The user terminal 40 includes a browser A 42 a and a browser B 42 b that are collectively referred to as a browser 42, and an OS 44. The browser 42 is a web browser that displays the data of the web page acquired from the web server on the screen. In the following description, it is assumed that the browser A 42a is a web browser that is legally introduced into the user terminal 40 and is a trusted application. On the other hand, it is assumed that the browser B42b is malware introduced into the user terminal 40 without the user's knowledge.

  FIG. 4 is a block diagram showing a functional configuration of the OS 44 in FIG. Each block shown in the block diagram of the present specification can be realized in terms of hardware by an element such as a CPU of a computer or a mechanical device, and in terms of software, it can be realized by a computer program or the like. The functional block realized by those cooperation is drawn. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software.

  The OS 44 includes an interface unit 110, a kernel unit 160, and a device driver unit 170. The kernel unit 160 provides an OS kernel function. The interface unit 110 provides an interface function between an application outside the OS and the kernel unit 160. Typically, an API corresponding to each of a plurality of services provided by the OS for an application is provided. The device driver unit 170 provides a device driver function for controlling hardware, such as rendering screen data on the display 50.

  Note that the hierarchical structure of the OS 44 shown in FIG. 4 is for convenience, and different hierarchies may be made in the OS 44. For example, the device driver function may be provided as part of the kernel function. In this case, the device driver unit 170 may be configured to be included in the kernel unit 160.

  Further, in the following, for simplicity of explanation, it is described that there is a direct calling relationship between the functional block of the interface unit 110 and the functional block of the device driver unit 170, but indirect via the kernel unit 160. Of course, it may be a simple call relationship. In this case, when data is mediated between the interface unit 110 and the device driver unit 170, predetermined processing may be appropriately executed in the kernel unit 160.

  The device driver unit 170 includes a screen device unit 172, a secure device unit 174, and an input device unit 176. The screen device unit 172 controls screen rendering on the display 50. For example, the personal information input form received from the drawing IF unit 140 is displayed on the display 50. The secure device unit 174 controls turning on and off of the dedicated LED 70. The input device unit 176 detects input data on the keyboard 60. For example, the personal information input in the personal information input form is detected.

  The interface unit 110 includes an information acquisition mediation unit 120, a drawing IF unit 140, and an input / output IF unit 150. The drawing IF unit 140 provides an API for controlling display contents to be displayed on the display 50. The drawing IF unit 140 causes the display 50 to display the screen data acquired when the API is called by transmitting the screen data to the screen device unit 172. The input / output IF unit 150 provides an API for acquiring data input from the keyboard 60. When the API is called, the input / output IF unit 150 acquires input data detected by the input device unit 176, for example, personal information, and transmits it to the caller.

  The information acquisition mediating unit 120 provides a function of mediating the acquisition of the user's personal information in an integrated manner. The information acquisition mediation unit 120 includes an ID holding unit 122, a request reception unit 124, a determination unit 126, a display control unit 128, an information providing unit 130, and a notification control unit 132.

  The ID holding unit 122 is a storage area for storing an ID of a trusted application. This ID may be a URI (Uniform Resource Identifier) of a trusted application existing locally or remotely of the user terminal 40. For example, it may be path information indicating the location of a trusted application on the file system, or a URL (Uniform Resource Locator) of a website. Further, the ID holding unit 122 may store the path information of the browser 42 as the trusted application and the URL of the website as the trusted application in association with each other as the website ID displayed on the browser 42.

  The request receiving unit 124 publishes an API that mediates the acquisition of personal information to the application, and receives request data for requesting acquisition of personal information from the application when the API is called. The request receiving unit 124 publishes a plurality of types of APIs corresponding to the type and number of personal information required on the application side, such as for password acquisition, ID and password acquisition. An application that requires the user's personal information selects and calls an API corresponding to the type of personal information that the user needs, and transmits request data for requesting acquisition of personal information to the request reception unit 124. This request data includes the ID of the request data transmission source application (hereinafter, referred to as “request source application” as appropriate).

  The determination unit 126 determines whether or not the request source application is a trusted application. Specifically, the ID of the request source application included in the request data is compared with the ID of the trusted application stored in the ID holding unit 122. If they match, it is determined that the requesting application is a trusted application.

  The display control unit 128 detects that the determination unit 126 has determined that the request source application is a trusted application, and causes the display 50 to display a personal information input form. Specifically, the API of the drawing IF unit 140 is called with the data of the personal information input form as an argument. At the same time, the display control unit 128 notifies the notification control unit 132 of an instruction to turn on the dedicated LED 70.

  The information providing unit 130 detects that the determining unit 126 determines that the request source application is a trusted application, and calls the API of the input / output IF unit 150. Thereby, the personal information of the user input in the personal information input form is acquired from the input / output IF unit 150. The information providing unit 130 transmits the acquired personal information of the user to the request source application. At the same time, the information providing unit 130 notifies the notification control unit 132 of an instruction to turn off the dedicated LED 70.

  When the display control unit 128 receives an instruction to turn on the dedicated LED 70 from the display control unit 128, the notification control unit 132 notifies the secure device unit 174 of an instruction to turn on the dedicated LED 70, thereby turning on the dedicated LED 70. In addition, when an instruction to turn off the dedicated LED 70 is notified from the information providing unit 130, the dedicated LED 70 is turned off by notifying the secure device unit 174 of an instruction to turn off the dedicated LED 70.

The operation of the above configuration will be described below.
In the following example, it is assumed that the path information of the browser A 42 a and the URL of the website provided by the web server A 20 a are stored in advance in the ID holding unit 122 as the trusted application ID.

  The user activates the browser A42a and accesses the web server A20a to display the web page of the securities company A. FIG. 5 is a screen view of the web page 200 of A securities company. Here, when the user selects the “deal” menu 202, the web server A 20a requests the browser A 42a for a password. For example, the web server A20a notifies the browser A42a of the fact by setting data indicating that the password needs to be input in the HTML response header transmitted to the browser A42a, as in the case of the basic authentication. Also good. When the browser A42a detects a password request from the web server A20a, the browser A42a calls a password acquisition API in the information acquisition mediation unit 120. In this call, the path information of the browser A42a and the URL of the website provided by the web server A20a are designated.

  FIG. 6 is a flowchart showing the operation of the information acquisition mediation unit 120 of FIG. The request reception unit 124 detects that the password acquisition API has been called, and acquires request data for requesting acquisition of the password from the browser A 42a (S10). The determination unit 126 determines whether the data specified in the request data, that is, the path information of the browser A42a and the URL of the website provided by the web server A20a are stored in the ID holding unit 122 as the identification information of the trusted application. Determine whether. In this example, since the request source application is a trusted application (Y in S12), the display control unit 128 displays an input form for password input on the display 50 via the drawing IF unit 140 and the screen device unit 172. (S14). At the same time, the notification control unit 132 turns on the dedicated LED 70 (S16).

  FIG. 7 shows a password input form displayed by the information acquisition mediation unit 120. The pop-up window 300 is a pop-up window that is displayed when the “transaction” menu 202 is selected on the web page 200. The common message 302 is text that is displayed in common in the pop-up window 300, and indicates that the pop-up window 300 is displayed by the information acquisition mediation unit 120. The API message 304 is a message for each API disclosed by the request reception unit 124, and displays text corresponding to the API requested by the request source application. In FIG. 7, the text corresponding to the API for acquiring the password is displayed.

  The request source confirmation message 306 is text indicating identification information of the calling source application. In the application ID column, the path information of the browser A42a is displayed. In the additional information column, the URL of the web page provided by the web server A 20a that requested the password to the browser A 42a is displayed. The input field 308 is a data field for inputting a password. The user who has confirmed the request source confirmation message 306 presses the send button 310 when transmitting the password, and presses the cancel button 312 when not transmitting the password. Returning to FIG.

  The information providing unit 130 waits until the input device unit 176 detects that the user inputs a password in the pop-up window 300 of FIG. 7 and presses the send button 310 (N in S18). When the input of the password is detected in the input device unit 176 (Y in S18), the information providing unit 130 acquires the password via the input device unit 176 and the input / output IF unit 150. Then, the password is transmitted to the request source application (S20). At the same time, the notification control unit 132 turns off the dedicated LED 70 (S22).

  When the determination unit 126 determines that the identification information of the request source application is different from the identification information of the trusted application (N in S12), S14 to S22 are skipped. For example, when the path information of the browser B42b in FIG. 3 is specified in the request data, it is determined that the information is different from the identification information of the trusted application. Similarly, when the URL of the website provided by the web server B 20b is specified in the request data, it is determined that the URL is different from the identification information of the trusted application. Therefore, the information acquisition mediation unit 120 does not display the personal information input form in response to a request from an application that is not registered in advance as a trusted application.

  FIG. 8 shows a password input form displayed on the phishing site. The web page 400 and the pop-up window 410 shown in the figure are displayed on the display 50 by the input form data from the web server B 20b. In other words, the pop-up window 410 shown in the figure is directly displayed on the display 50 by the input form data transmitted from the web server B 20b without using the information acquisition mediation unit 120. Unlike the pop-up window 300, the pop-up window 410 does not indicate that the pop-up window 410 is displayed by the OS anti-phishing function. Further, when the pop-up window 410 in FIG. 8 is displayed, the dedicated LED 70 is not lit.

  According to the present embodiment, a mechanism is realized in which an external application that requires confidential information about the user does not directly acquire the confidential information from the user. Specifically, the information acquisition intermediary unit 120 centrally accepts a user's request for acquiring secret information from an external application, and provides the secret information on condition that the request source application is a trusted application. This can prevent personal information from being provided to malware and phishing sites. In other words, the user's personal information can be prevented from being stolen by a malicious third party by phishing.

  Moreover, according to this Embodiment, a user is alert | reported that the personal information input form is displayed on the display 50 via the function of the information acquisition mediation part 120. FIG. Accordingly, the user can distinguish the external application from displaying the personal information input form without using the information acquisition mediation unit 120, and can provide personal information to the trusted application. For this notification, hardware that can be controlled only via the information acquisition mediation unit 120, for example, the dedicated LED 70 is operated as a notification device. Thereby, it is possible to prevent an external application for the purpose of phishing from operating the notification device and impersonating as if the personal information input form was displayed via the information acquisition mediation unit 120.

  When an application that does not follow the mechanism proposed in this embodiment, that is, a mechanism that mediates the acquisition of the user's confidential information in a centralized manner, displays the personal information input form, the above notification to the user is not executed. . When the personal information input form is displayed without the notification, the user can determine that the personal information form is due to malware or a phishing site and can suppress the input of personal information.

  Furthermore, according to the present embodiment, both the browser 42 ID and the website ID are compared with the trusted application ID to determine whether the web page displayed on the browser 42 is reliable. Accordingly, since the personal information input form is displayed on the condition that the local web browser is not malware in the first place and the website to be displayed is not a phishing site, high security can be ensured.

  Furthermore, according to the present embodiment, the information acquisition mediation unit 120 is configured as a program installed in the OS. Thereby, the information acquisition mediation unit 120 can enjoy the protection function that the OS has in advance, and is less susceptible to malicious programs such as tampering with external applications. In addition, the reliability of the information acquisition mediation unit 120 itself can be improved. That is, the information acquisition mediation unit 120 is pre-installed in the OS, so that it is easy to prevent the malware impersonating the information acquisition mediation unit 120 from being erroneously introduced.

  Although the web system has been described in the present embodiment, the problem that the confidential information of the user is stolen by a malicious third party is not limited to the web system. As described above, this problem is caused by the fact that all the applications that draw the screen on the display 50 of the user terminal 40 can provide the user with a disguised screen. Therefore, it is difficult to identify malware from a plurality of applications in the user terminal 40, and a mechanism that excludes the identified malware from the user terminal 40 does not provide a fundamental solution. The technology proposed in the present embodiment realizes a new mechanism for protecting user secret information. This technology is very important at present when a user can install various applications acquired through a network on his / her terminal.

  The present invention has been described based on the embodiments. This embodiment is an exemplification, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are also within the scope of the present invention. is there.

  In the embodiment, when the determination unit 126 determines that the request source application is not a trusted application, the personal information input form is not displayed. In a modification, even if it is determined that the request source application is not a trusted application, the display control unit 128 may display a personal information input form together with a message indicating that the request source application is not a trusted application. In this case, when the user confirms the content of the request source confirmation message 306 or the like in the pop-up window 300 and determines that the application is reliable, the user can transmit personal information to the request source application.

  Further, in the embodiment, the determination unit 126 determines whether or not the request source application is a trusted application before the display control unit 128 displays the personal information input form. In a modification, the determination unit 126 may perform the determination immediately before the user information is provided to the request source application in the information providing unit 130.

  In the embodiment, the notification control unit 132 controls the operation of the dedicated LED 70. The dedicated LED 70 is an example of a dedicated notification device installed for the information acquisition mediation unit 120, and the notification control unit 132 may control other notification devices. For example, the notification control unit 132 may control a dedicated speaker to output a sound for notification.

  Further, in the embodiment, the information acquisition mediation unit 120 is provided as a function of the OS. In the modification, the information acquisition mediation unit 120 may be arranged as an application outside the OS. In this case, an appropriate measure for ensuring the reliability of the information acquisition intermediary unit 120, for example, a digital certificate that proves that the information acquisition intermediary unit 120 is not malware but reliable software is given to the information acquisition intermediary unit 120. It is desirable to implement measures such as attaching.

  It should also be understood by those skilled in the art that the functions to be fulfilled by the constituent elements recited in the claims are realized by the individual constituent elements shown in the embodiments and the modified examples or by their linkage.

  The “secret information about the user” in the claims means information that is not open to the public. This secret information includes an ID, password, fingerprint, voiceprint, other personal information and attribute information held by the user.

  “External application” in the claims means a software program external to the information acquisition mediation program. In addition to a program existing in a computer in which an information acquisition mediation program is introduced, a program existing outside the computer, typically a program existing in an external computer connected via a network is included. It is a concept.

It is a figure which shows the architecture in which an application utilizes OS. FIG. 2 illustrates an improved architecture relative to the architecture of FIG. It is a figure which shows the structure of the web system which is embodiment of this invention. It is a block diagram which shows the function structure of OS of FIG. It is a screen figure of the web page of A securities company. It is a flowchart which shows operation | movement of the information acquisition mediation part of FIG. It is a figure which shows the input form of the password displayed by the information acquisition mediation part. It is a figure which shows the input form of the password displayed in the phishing site.

Explanation of symbols

  10 web system, 20 web server, 30 communication network, 40 user terminal, 42 browser, 44 OS, 50 display, 60 keyboard, 70 dedicated LED, 110 interface unit, 120 information acquisition mediating unit, 122 ID holding unit, 124 request acceptance Unit, 126 determination unit, 128 display control unit, 130 information providing unit, 132 notification control unit, 160 kernel unit, 170 device driver unit.

Claims (4)

An information acquisition mediation program,
A request accepting function that centrally accepts the acquisition request of the secret information from the external application in order to prevent the external application that needs the secret information about the user from directly acquiring the secret information from the user;
A determination function for determining whether or not the external application is pre-registered as a trusted application that may provide the secret information, at least before the secret information is provided to the external application; ,
A display control function for causing a display device to display an input screen for allowing the user to input the secret information in response to the acquisition request;
When the input screen is displayed, a notification control function for notifying the user that the input screen is displayed by the information acquisition mediation program;
An information providing function for providing the secret information to the external application on the condition that the external application is determined to be the trusted application is realized in a computer .
The information providing function provides the external application with the confidential information input on the input screen on the condition that the external application is determined to be the trusted application.
When the notification control function notifies the user that the input screen is displayed by the information acquisition mediation program, a dedicated notification device that can be controlled only via the information acquisition mediation program is provided in a predetermined manner. An information acquisition mediating program characterized by being operated . The request accepting function accepts an acquisition request for the secret information from a web browser that has accessed a website requesting the secret information,
The determination function determines whether the web browser and the website are registered in advance as the trusted application,
The information providing function provides the secret information to the web browser on the condition that the web browser and the website are determined to be the trusted application, whereby the secret information is provided in the web browser. The information acquisition mediation program according to claim 1 , wherein the information acquisition mediation program can be provided to the website. An operating system comprising the information acquisition mediation program according to claim 1 . An information acquisition mediation method,
In order to prevent an external application that needs confidential information about the user from acquiring the secret information directly from the user, the step of receiving the acquisition request of the secret information from the external application in a unified manner;
Determining whether the external application is pre-registered as a trusted application that may provide the secret information, at least before the secret information is provided to the external application;
In response to the acquisition request, displaying on the display device an input screen for allowing the user to input the secret information;
Informing the user that the input screen is displayed by the information acquisition mediation method when the input screen is displayed;
Providing the secret information to the external application on the condition that the external application is determined to be the trusted application ;
The providing step provides the external application with the secret information input on the input screen on the condition that the external application is determined to be the trusted application.
In the notification step, when notifying the user that the input screen is displayed by the information acquisition mediation method, a dedicated notification device that can be controlled only via the information acquisition mediation program is provided in a predetermined manner. An information acquisition mediating method characterized by operating .

Images