JP5381670B2 - Execution control method, execution control program, and execution control apparatus - Google Patents

Description

  The present invention relates to an execution control method, an execution control program, and an execution control apparatus.

  In recent years, with the spread of the Internet, damage caused by malicious programs such as computer viruses has increased. Such a malicious program, for example, replaces a normal program with itself, impersonates a normal program, and executes unauthorized processing.

  To find it, store the hash value of the normal program in advance, and compare it with the hash value of the executable file of the program of the same name that requests processing (such as writing or reading) to another program To check if the executable file has been tampered with. If tampering is found, the processing request is rejected.

JP 2007-140798 A

  However, although the above-described conventional technique is effective for detecting tampering, a problem arises when the program is properly updated. This problem will be described in detail. The hash value used in the above conventional technique is calculated using the value of the bit string in the program. For this reason, the hash value of the program before and after the update is different even if a person with a legitimate authority corrects the problem of the program or upgrades the version. For this reason, even if a program created by a person with legitimate authority updates another program for a legitimate purpose, the hash value of the updated program is different, so it can be executed even if it tries to execute the updated program. It will disappear.

  Thus, in order to execute a program updated for a legitimate purpose, it is necessary to register the hash value of the updated program with the administrator. However, it is not practical to register the hash value every time the program is updated, since the trouble of the program is repaired and the version is updated every day.

  The disclosed technique has been made in view of the above, and provides an execution control method, an execution control program, and an execution control apparatus that can prevent unauthorized update of a program while allowing the program to be properly updated The purpose is to do.

  The execution control method disclosed in the present application is an execution control method by an information processing apparatus having a plurality of storage units, and a list reading step for reading a program list that defines either permission or restriction of the operation of a specific program; When a write request for another program is received from a predetermined program, the program list is referred to. When the predetermined program is permitted to operate in the program list, the other specified by the write request If the predetermined program is not permitted to operate in the program list without changing the storage destination of the program, the storage destination of the other program specified in the write request is changed to a predetermined storage unit. Change control step to be performed, and the storage destination of the other program by the change control step A change information recording step of recording the change information in association with the predetermined program that has made the write request, the storage destination before the change, and the storage destination after the change when the change is made, and is added to the program list When the changed program is included in the change information, another program written in the changed storage destination is changed based on the storage destination before the change and the storage destination after the change associated with the added program. And a rewrite control step for controlling to rewrite the storage destination before the change.

  According to one aspect of the execution control method disclosed in the present application, it is possible to prevent unauthorized updating of a program while allowing authorized updating of the program.

FIG. 1 is a block diagram illustrating the configuration of the information processing apparatus according to the first embodiment. FIG. 2 is a diagram illustrating the configuration of the information processing system according to the second embodiment. FIG. 3 is a block diagram illustrating the configuration of the information processing apparatus according to the second embodiment. FIG. 4 is a diagram illustrating an example of an operation command issued by the OS when the program performs a file operation. FIG. 5 is a diagram illustrating an example of a management table in which the OS manages processes. FIG. 6 is a diagram illustrating an example of information necessary for specifying a process that has performed a file operation. FIG. 7 is a diagram illustrating an example of an instruction issued by the file access control unit to the change history management unit when the file path is changed. FIG. 8 is a diagram illustrating an example of a white list. FIG. 9 is a diagram illustrating an example of the introduction history. FIG. 10 is a diagram illustrating an example of the update history. FIG. 11 is a diagram illustrating an example of the change history. FIG. 12 is a flowchart showing the processing procedure of the execution control program. FIG. 13 is a flowchart showing the processing procedure of the introductory program write processing. FIG. 14 is a flowchart showing a processing procedure of non-introduction program writing processing. FIG. 15 is a flowchart illustrating the processing procedure of the operation determination process. FIG. 16 is a flowchart showing a processing procedure of white list update processing. FIG. 17 is a flowchart illustrating an example of a processing procedure of whitelist integration processing. FIG. 18 is a flowchart illustrating an example of the processing procedure of the rewriting process.

  Hereinafter, embodiments of an execution control method, an execution control program, and an execution control apparatus disclosed in the present application will be described in detail with reference to the drawings. Note that this embodiment does not limit the disclosed technology.

  FIG. 1 is a block diagram illustrating the configuration of the information processing apparatus according to the first embodiment. As illustrated in FIG. 1, the information processing apparatus 1 includes an internal storage unit 2, an external storage unit 3, a change control unit 4, a change information recording unit 5, and a rewrite control unit 6.

  The internal storage unit 2 is a storage device built in the information processing apparatus 1 such as a hard disk device. The internal storage unit 2 can be executed by the information processing apparatus 1, a program list 2 a that defines the operation of a specific program, a change history 2 b that indicates the change of the storage destination of the data that has been changed. The program 2c is stored.

  The program list 2a is a list in which a program that allows an operation in the information processing apparatus 1 unconditionally and a program that restricts the operation in the information processing apparatus 1 are defined in advance. Thus, only the program designated by the administrator in the information processing apparatus 1 can be used without being restricted.

  The external storage unit 3 is an external device separate from the information processing device 1 such as a USB (Universal Serial Bus) memory, and the information processing device 1 when a predetermined condition such as a USB connection is satisfied. It is a storage device that can be accessed from. The external storage unit 3 stores a program 3c whose storage destination has been changed by the change control unit 4.

  The change control unit 4 changes the storage destination of the program requested to be written by a program whose operation is not permitted in the program list 2 a from the internal storage unit 2 to the external storage unit 3. Then, the change control unit 4 writes the program to be written into the internal storage unit 2 when the storage destination is changed. On the other hand, the change control unit 4 writes the program to be written into the external storage unit 3 when the storage destination is not changed.

  That is, the change control unit 4 does not prohibit the introduction of the program into the information processing apparatus 1 just because it is an introduction program that is not registered in the program list 2a. The introduction program is a program including a program to be introduced and a setting file and various procedures for installing them. In this way, the introduction program that is not registered in the program list 2a is not uniformly prohibited from introducing the program even if it is not registered in the program list 2a at a certain point in time. This is because there is room for addition. In other words, by prohibiting the introduction of a program until it is added to the program list 2a, there is an opportunity that the information processing apparatus 1 cannot handle data received from another device in which the program is installed. It is for preventing.

  However, the change control unit 4 writes the program introduced by the introduction program that is not registered in the program list 2 a into the external storage unit 3 instead of the internal storage unit 2. Even when the information processing apparatus 1 has a problem due to the newly installed program due to the change of the storage destination, the information processing apparatus 1 stores only the programs registered in the program list 2a by disconnecting the external storage unit 3. It can be returned to a clean state. As described above, by storing the program to be installed in the external storage unit 3, it is possible to reduce a risk that an introduction program that is not registered in the program list 2 a introduces the program into the information processing apparatus 1.

  When the storage destination is changed, the change information recording unit 5 associates the storage destination before the change and the storage destination after the change with the program that has made the write request, and records them in the internal storage unit 2 as the change history 2b. .

  When the program added to the program list 2a is included in the change history 2b, the rewrite control unit 6 controls to rewrite the program written in the storage destination after the change to the storage destination before the change. In this way, by rewriting the program written in the storage destination after the change to the storage destination before the change, the trouble of reintroducing the program to the internal storage unit 2 is eliminated even when the external storage unit 3 is removed. To do.

  That is, in a state where the program is written in the external storage unit 3, if the external storage unit 3 is removed, the program cannot be executed. In this case, the trouble of reintroducing the program that should have been already introduced to the user of the information processing apparatus 1 occurs. In order to eliminate such unnecessary trouble, the rewrite control unit 6 rewrites the program written in the external storage unit 3 to the internal storage unit 2.

  As described above, in the information processing apparatus 1 according to this embodiment, the program list 2a is used and the storage destination of the program introduced by the unregistered introduction program in the program list 2a is transferred from the internal storage unit 2 to the external storage unit. Change to 3. For this reason, it is possible to prevent unauthorized updating of the program while permitting authorized updating of the program. In addition, in the information processing apparatus 1 according to the present embodiment, when the program added to the program list 2a is included in the change history 2b, the program written in the storage destination after the change is transferred to the storage destination before the change. Control to rewrite. For this reason, even when the external storage unit 3 is removed, the trouble of reintroducing the program into the internal storage unit 2 can be eliminated.

  Subsequently, an information processing system according to the second embodiment will be described. FIG. 2 is a diagram illustrating the configuration of the information processing system according to the second embodiment. The information processing system 100 executes control for restricting operations of programs not registered in the white list. The white list is a file in which information related to programs that can be executed as usual is registered. Programs that are not registered here are subject to some restrictions during execution.

  As shown in FIG. 2, the information processing system 100 includes information processing apparatuses 10a to 10c, a server 20, and a network 30 that connects them. The information processing devices 10a to 10c are, for example, personal computers, and are connected to external storage devices 11a to 11c, respectively. The information processing apparatuses 10a to 10c execute information processing requested by users and other apparatuses, and also execute the above-described program execution control method and the like.

  The server 20 centrally manages the white list 21. The white list 21 stored in the server 20 is distributed from the server 20 to the information processing apparatuses 10a to 10c, and is used in the information processing apparatuses 10a to 10c to determine whether the program can be executed normally. . The white list 21 may be updated in the information processing devices 10a to 10c. In this case, the updated white list or the difference is transmitted from the information processing devices 10a to 10c to the server 20.

  The network 30 is connected to the Internet 31. The information processing apparatuses 10 a to 10 c are connected to the update file providing apparatus 22 via the network 30 and the Internet 31. The update file providing device 22 is a device that holds an update file for updating a program.

  Note that the information processing system 100 illustrated in FIG. 2 is an example, and the number of devices included in the information processing system 100 and the connection paths between the devices do not have to be as illustrated in FIG. For example, as long as the white list 21 to be distributed to the information processing apparatuses 10a to 10c is shared, a plurality of servers 20 may be provided from the viewpoint of server load distribution.

  Next, the configuration of the information processing apparatuses 10a to 10c illustrated in FIG. 2 will be described. Note that the information processing apparatuses 10a to 10c all have the same configuration, and therefore, the configuration will be described using the information processing apparatus 10a as an example.

  FIG. 3 is a block diagram illustrating a configuration of the information processing apparatus 10a. As shown in FIG. 3, the information processing apparatus 10 a includes a CPU (Central Processing Unit) 110, an input unit 120, a display unit 130, and a network interface unit (hereinafter referred to as “network I / F unit”) 140. Have. Further, the information processing apparatus 10a includes an input / output interface unit (hereinafter referred to as “input / output I / F unit”) 150, a storage medium reading unit 160, a hard disk device 170, a RAM (Random Access Memory) 180, and each unit. And a bus 190 for connecting the two.

  The CPU 110 is an arithmetic circuit that executes various arithmetic processes. The input unit 120 is a device for a user to input instructions and information, and is, for example, a keyboard or a mouse. The display unit 130 is a device that displays characters and graphics, for example, a liquid crystal display device. The network I / F unit 140 realizes communication with other devices connected via the network 30. The input / output I / F unit 150 realizes data input / output with the external storage device 11a.

  The storage medium reading unit 160 reads / writes data from / to a storage medium such as an optical disk. The hard disk device 170 is a storage device that stores various files. The RAM 180 is a work memory in which programs and data are expanded.

  The hard disk device 170 stores, for example, an OS program 171, an application program 172, an execution control program 173, a white list 174, an introduction history 175, an update history 176, and a change history 177.

  The OS program 171 is a program that implements various functions of the OS. The OS program 171 is read from the hard disk device 170 by the CPU 110 when the information processing apparatus 10 a is started up and is expanded in the RAM 180 to function as the OS 181.

  The application program 172 is read from the hard disk device 170 by the CPU 110 and expanded into the RAM 180 to become an execution process 183, which executes predetermined processing while making various requests to the OS 181. The application program 172 includes an update program for updating other programs.

  The execution control program 173 controls the operation of the program based on the white list 174 and prevents the program from being overwritten illegally by another program. The execution control program 173 is read from the hard disk device 170 by the CPU 110 after activation of the OS 181 in accordance with an instruction from the OS 181, developed in the RAM 180, and functions as the execution control process 182. A part of the execution control program 173 is incorporated in the OS 181 so as to function as the file access control unit 181a.

  The file access control unit 181a monitors and controls the reading process and the writing process executed by the OS 181 on the hard disk device 170 based on requests from the various execution processes 183.

  Here, the file access control unit 181 a traps the application program interface “API” prepared by the OS 181 that is used for the execution process 183 to access the file of the hard disk device 170 via the OS 181. In addition, the function of the file access control unit 181a is separated from the execution control program 173 and implemented as a file system driver of the OS 181. As a result, the file access control unit 181a is activated from the time when the OS 181 is activated, and the file access from the execution process 183 to the hard disk device 170 via the OS 181 can be trapped. Alternatively, the execution control program 173 itself may be included in the OS 181 as a driver.

  Specifically, when the OS 181 issues a read instruction or a write instruction to the driver that controls the hard disk device 170, the file access control unit 181a temporarily traps the instruction. Then, the contents of the instruction and the application program 172 that is the entity of the instructing process are acquired from the management table of the OS 181, and these are used as format information and notified to the execution control process 182.

  FIG. 4 shows a data format of a command for the OS 181 to issue a read instruction or a write instruction to the hard disk device 170. FIG. 4 is a diagram illustrating an example of an operation command issued by the OS when the program performs a file operation.

  As shown in FIG. 4, this command includes the process number of the execution process 183 that issued the instruction, a file operation command such as a write process or a read process for the hard disk device 170, and file operation data. . The file operation data includes the target file name in the case of writing or reading processing, and information for further writing when the writing processing is designated.

  The process number is a unique number assigned when the application program 172 becomes the execution process 183 in order to manage an execution process having a plurality of OSs 181.

  Next, a procedure for specifying the application program 172 from the process number is shown. FIG. 5 is a diagram illustrating an example of a management table in which the OS manages processes. FIG. 6 is a diagram illustrating an example of information necessary for specifying a process that has performed a file operation.

  The file access control unit 181a acquires information on an execution process that has requested the OS 181 to perform a read process or a write process from the management table (FIG. 5) in the OS 181. The process number is extracted from the instruction (FIG. 4) acquired by the file access control unit 181a, and compared with the management table (FIG. 5) of the OS 181 to acquire the program path of the application. The program path of this application is information of the application program 172 stored in the hard disk device 170 of FIG. Next, the parent process number corresponding to the process number is acquired from the management table (FIG. 5). If this is not 0 indicating the IDLE process that is the starting point of all processes, the management table is set with the parent process number as the new process number. Compare with FIG. The program path of the retroactive application is acquired until the parent process number becomes zero.

  As a result, the file access control unit 181a generates information that summarizes the process number, parent process number, module name, and application program path as shown in FIG. 6, which is information to be passed to the operation control unit 182a.

  4 and 5 are examples, and the configuration differs depending on the OS.

  Then, the file access control unit 181a performs processing for executing the read instruction and the write instruction as they are, canceling them, or changing the contents of the instructions according to the response from the execution control process 182.

  For example, the file access control unit 181a selects the storage destination specified by the write request for the data generated by the program that the install program not registered in the white list 174 makes a write request or the program that is not registered in the white list 174. change. That is, the file access control unit 181a performs a process of redirecting the storage destination to the external storage device 11a even if the user of the information processing device 10a specifies the storage destination in the hard disk device 170 that is an internal storage device. When the storage destination is changed in this way, the file access control unit 181a notifies the change history management unit 182f, which will be described later, of the change contents of the storage destination, and the change content is used as the change history 177. To register.

  FIG. 7 is a diagram illustrating an example of an instruction issued by the file access control unit 181a to the change history management unit 182f when the file path is changed. As shown in FIG. 7, this command includes a command for controlling the change history management unit 182f, software that has made a write request, a storage destination before the change, and a storage destination after the change.

  In the example shown in FIG. 7, when registering the change history 177, the file access control unit 181 a places “add” in the control command. Furthermore, the file access control unit 181a arranges “the name of the program that issued the write request” as the program name used for creation. Further, the file access control unit 181a arranges “the file path of the internal storage device specified by the write request” as the storage destination before the change, and “the file path redirected to the external storage device” as the storage destination after the change. ". After performing such an arrangement, the file access control unit 181a transmits the command to the change history management unit 182f.

  In addition, when a new program is added to the white list 174, the file access control unit 181a causes the change history management unit 182f to search whether the program is included in the change history 177. In the example illustrated in FIG. 7, the file access control unit 181 a places “search” in the control command. Further, the file access control unit 181a arranges “program name to be searched” for the program name used for creation, and “NULL” is arranged for the storage destination before the change and the storage destination after the change, respectively. After performing such an arrangement, the file access control unit 181a transmits the command to the change history management unit 182f.

  In addition, the file access control unit 181a causes the change history management unit 182f to delete the change history 177 after writing the program or data back to the storage destination before the change. In the example shown in FIG. 7, the file access control unit 181 a arranges “del” in the control command and arranges “program name that has been written back” in the program name used for creation. Further, the file access control unit 181a arranges “the file path of the internal storage device specified by the write request” as the storage destination before the change, and “the file path redirected to the external storage device” as the storage destination after the change. ". After performing such an arrangement, the file access control unit 181a transmits the command to the change history management unit 182f.

  The execution control process 182 includes an operation control unit 182a, an operation determination unit 182b, an introduction control unit 182c, an update control unit 182d, a white list update unit 182e, and a change history management unit 182f. The operation control unit 182a is a control unit that totally controls the execution control process 182, and according to the notification content from the file access control unit 181a, the operation determination unit 182b, the introduction control unit 182c, the update control unit 182d, or the change history management. The function of the unit 182f is called.

  The operation determination unit 182b determines whether or not the designated program is registered in the white list 174 as a program that may be executed as usual. An example of the white list 174 is shown in FIG. As shown in FIG. 8, the white list 174 has items such as a name, a file name, a version, and a hash value.

  The name is the name of the program. The file name is a physical file name of the program. The version is a number for identifying the version of the program. The hash value is a hash value generated by inputting a program into a hash function.

  Specifically, the operation determination unit 182b generates a hash value from the program of the designated program application. If the white list 174 has a row having the same hash value as the generated hash value, the operation determination unit 182b determines that the program can be executed as usual. If the white list 174 does not contain a row having the same hash value as the generated hash value, the hash value is generated from the program of the parent process, and again compared with the white list 174 for determination. If all the parent processes are checked and the white list 174 is not met, it is determined that the program is not a program that can be executed as usual.

  The introduction control unit 182c monitors the introduction process by the introduction program, and records the correspondence between the introduction program and the introduction program in the introduction history 175. An example of the introduction history 175 is shown in FIG. As shown in FIG. 9, the introduction history 175 has items such as an introduction program ID, an introduction program name, an introduced program path name, a version, and a hash value, and a row is added for each installed program.

  The introduction program ID is a unique number assigned for each introduction process by the introduction program. The introduction program name is the name of the introduction program. The installed program path name is a file name with a path of a program installed by the installed program. The version is a number indicating the version of the program installed by the installation program. The hash value is a hash value of a program introduced by the introduction program.

  The value of the introduction program ID in the first and second lines of the introduction history 175 shown in FIG. 9 is common to “INS001”. This indicates that the introduced programs corresponding to the first and second lines are introduced by the same introduction process, that is, introduced by the same introduction program.

  The update control unit 182d monitors the writing process other than the introduction process by the introduction program, prevents the program from being overwritten illegally, and records the result in the update history 176 when the program is properly updated. To do. An example of the update history 176 is shown in FIG. As illustrated in FIG. 10, the update history 176 includes items such as a serial number, an updated program path name, a previous version, a new version, a previous hash value, and a new hash value.

  The serial number is a unique number that is counted up each time a row is added. The update program path name is a file name with the path of the program updated by the update program. The previous version is the number of the version before the update of the program updated by the update program. The new version is an updated version number of the program updated by the update program. The previous hash value is a hash value before the update of the program updated by the update program. The new hash value is an updated hash value of the program updated by the update program.

  The first and third lines of the update history 176 shown in FIG. 10 relate to the same program and indicate that this program has been updated twice. That is, in the first update corresponding to the first row, the program with the version “9.0” and the hash value “873jd75d” is updated to the program with the version “9.1” and the hash value “83s84j7z”. ing. In the second update corresponding to the third line, the program with the version “9.1” and the hash value “83s84j7z” is updated to the program with the version “9.2” and the hash value “93fg492s”. ing.

  The update control unit 182d verifies whether or not these programs are introduced by the same introduction program in order to determine whether or not the program that is trying to update another program is valid. For this verification, the update control unit 182d refers to the update history 176 in addition to the introduction history 175.

  Since only the hash value at the time of introduction of the program remains in the introduction history 175, if the program has already been updated, the current hash value of the program is checked against the introduction history 175. It is not possible to determine whether it was introduced by the installation program. Although it is conceivable to collate with the installed program path name, it is not preferable because the path including the file name may be changed for some reason.

  Therefore, the update control unit 182d compares the current hash value of the program with the introduction history 175, and if it cannot be identified by which introduction program the introduction program is installed, the update control unit 182d refers to the update history 176 to determine the hash value of the program at the time of introduction. get. Then, the acquired hash value at the time of introduction is compared with the introduction history 175 to identify which introduction program has been used for introduction.

  For example, in the case of the program updated twice in the example shown in FIG. 10, the current hash value “93fg492s” is set to the previous one from the data in the third row in which the value of the new hash item is set. The hash value “83s84j7z” is acquired. Subsequently, “873jd75d” that is the second previous hash value is acquired from the data in the first row in which “83s84j7z” that is the previous hash value is set as the value of the item of the new hash.

  And since there is no row in the update history 176 in which the second hash value “873jd75d” is set as the value of the new hash item, “873jd75d” is acquired as the hash value of the program at the time of introduction. The By comparing this “873jd75d” with the introduction history 175 shown in FIG. 9, “INS001” which is the introduction program ID of the introduction program is acquired.

  The update control unit 182d adds the updated program information to the white list 174 if the updated program is registered in the white list 174 when the program is properly updated. This is because the hash value of the updated program has changed, and if this is not done, the updated program will not be executed normally.

  The white list update unit 182e executes update processing of the white list 174. Specifically, the white list update unit 182e makes an inquiry to the server 20, and if the white list 21 has been updated, the white list 21 is downloaded. Then, the white list update unit 182e integrates the white list 21 into the white list 174. The update history is also updated during the integration process. The update of the update history is not performed by the white list update unit 182e, but is updated by requesting an update process from the update control unit 182d.

  Then, the white list update unit 182e compares the integrated white list 174 with the white list 21 and transmits the difference to the server 20 if there is a difference. This difference is added by the update control unit 182d so that the program updated by the update program operates normally, and is used for the update work of the white list 21 in the server 20.

  The change history management unit 182f performs processing such as registration, search, or deletion of the change history 177 based on the control command received from the file access control unit 181a.

  For example, in the example illustrated in FIG. 7, when the control command is “add”, the change history management unit 182 f displays the program name used for creation received together with the control command, the storage destination before the change, and the post-change Are stored as the change history 177 in association with each other.

  When the control command is “search”, the change history management unit 182f uses the “program name to be searched” included in the program name used for the creation received together with the control command, and uses the same program. The change history 177 having the name is searched. The change history management unit 182f returns the search result of the change history 177 to the file access control unit 181a by placing “reply” in the control command. At this time, when the search result of the change history 177 is obtained, the change history, that is, the program name used for creation, the storage destination before the change, and the storage destination after the change are returned together.

  When the control command is “del”, the change history management unit 182 f displays the program name used for creation received together with the control command, the change destination before change, and the change history 177 corresponding to the save destination after change. Is deleted.

  An example of the change history 177 is shown in FIG. As shown in FIG. 11, the change history 177 includes items such as the program name used for creation, the storage destination before the change, and the storage destination after the change, and there is a line for each write request in which the storage destination is changed. Added.

  The program name used for creation is a program that has made a write request to the OS 181 and includes, for example, an introduction program, an update program, and a program used for a specific purpose. The storage destination before the change is a storage destination designated by the user of the information processing apparatus 10a, and basically a file path to the hard disk device 170 inside the information processing apparatus 1 is designated. The changed storage destination is the file path redirected to the external storage device 10a by the file access control unit 181a.

  The first to third lines of the change history 177 shown in FIG. 11 indicate that the storage destination of the file generated by “docviewer” is changed from the hard disk device 170, which is an internal storage device, to the external storage device 10a. Show. For example, in the example of the first line, the file “A.dat” generated by “docviewer” is redirected from “C: \ A.dat” to “D: \ redirect \ C \ A.dat”. It shows that. In the second example, the file “B.dat” generated by “docviewer” is redirected from “C: \ B.dat” to “D: \ redirect \ C \ B.dat”. It shows that. In the example on the third line, the file “C.dat” generated by “docviewer” was redirected from “C: \ C.dat” to “D: \ redirect \ C \ C.dat”. Indicates.

  Further, in the fourth line of the change history 177 shown in FIG. 11, the file “D.dat” created by “A.exe” is changed from “C: \ D.dat” to “D: \ redirect \ C \”. D.dat ”is redirected. In the fifth line of the change history 177 shown in FIG. 11, the file “C.tmp” created by “B.exe” is changed from “C: \ 00001 \ C.tmp” to “D: \ redirect \ C00001 \”. Redirected to “C.tmp”. In the sixth line of the change history 177 shown in FIG. 11, the file “D.bak” created by “D.exe” is changed from “C: \ 00001 \ D.bak” to “D: \ redirect \ C00001 \”. D.bak ”is redirected.

  In addition, in the seventh and eighth lines of the change history 177 shown in FIG. 11, the storage destination of the program introduced by “dvInstall” is the internal storage device and the hard disk device 170 is changed to the external storage device 10a. Show. For example, in the example of the seventh line, “docviewer.exe” installed by “dvInstall” is changed from “C: \ Program Files \ dv \ docviewer.exe” to “D: \ redirect \ C \ Program Files \ dv”. Redirected to "\ docviewer.exe". In the example on the 8th line, “dvupdate.exe” installed by “dvInstall” is changed from “C: \ Program Files \ dv \ dvupdate.exe” to “D: \ redirect \ C \ Program Files \ dv \ dvupdate”. Redirected to “.exe”.

  Further, in the ninth to twelfth lines of the change history 177 shown in FIG. 11, the storage destinations of the programs introduced by “A Install.exe” to “D Install.exe” are the internal storage devices and the hard disk device 170 is stored. This indicates that the external storage device 10a has been changed. For example, in the example of the ninth line, “A.exe” installed by “A Install.exe” is changed from “C: \ 00001 \ A.exe” to “D: \ redirect \ C \ 00001 \ A. Redirected to “exe”. In the example of the 10th line, “B.exe” installed by “B Install.exe” is changed from “C: \ 00001 \ B.exe” to “D: \ redirect \ C \ 00001 \ B.exe”. Indicates that you have been redirected to In the example of the 11th line, “C.exe” installed by “C Install.exe” is changed from “C: \ 00001 \ C.exe” to “D: \ redirect \ C \ 00001 \ C.exe”. Indicates that you have been redirected to In the example of the 12th line, “C.exe” installed by “D Install.exe” is changed from “C: \ 00001 \ D.exe” to “D: \ redirect \ C \ 00001 \ D.exe”. Indicates that you have been redirected to In the example of the last line, the file of `` X.bak '' created by `` Softxxx.exe '' is changed from `` C: \ 0000x \ file_X.bak '' to `` D: \ redirect \ C \ 0000x \ file_X. Redirected to “bak”.

  In the example of FIG. 11, three types of files “dat”, “tmp”, and “bak” are illustrated as files created by the program, but other files may be used, and a program that is not registered in the white list 174 is generated. If you save other files, you will be redirected in the same way.

  Next, the procedure of processing executed by the execution control program 173 shown in FIG. 3 will be described. FIG. 12 is a flowchart showing the processing procedure of the execution control program 173. As shown in FIG. 12, when the execution control program 173 is activated, the white list update unit 182e executes a white list update process described later to update the white list 174 (step S301).

  Subsequently, the operation control unit 182a waits for a file access notification from the file access control unit 181a (step S302). If there is a notification regarding the writing process (Yes at Step S303), the operation control unit 182a identifies the process that has requested the OS 181 to perform the writing process based on the information included in the notification (Step S304). .

  Here, if the process that requested the writing process is the one in which the introduction program is in an execution state (Yes at Step S305), the operation control unit 182a sends the introduction program writing process described later to the introduction control unit 182c. This is executed (step S306). Note that whether or not the introduction program is in an execution state can be determined based on, for example, the extension of the program or the behavior of the process. For example, in the Windows (registered trademark) OS of Microsoft Corp., it is stipulated that the installation program is implemented according to a procedure prescribed by Microsoft Corp. and uses msi as an extension. Prior to the introduction of the introduction program, it was recommended that the introduction program introduced by the introduction program be compiled in a cab format with an extension called a cabinet format. From the above, in the Windows (registered trademark) OS, it is determined whether the program is an installation program with an extension such as msi or cab.

  In other OSs, for example, UNIX (registered trademark) and their derived OSs, such as Linux (registered trademark) and BSD, a management program for managing the installed program in each OS is determined. Therefore, it is possible to determine that the file that started the management program is the introduction program.

  On the other hand, if the process that requested the writing process is not the one in which the introduction program is in an execution state (No in step S305), the operation control unit 182a sends the non-introduction program writing process to be described later to the update control unit 182d. This is executed (step S307).

  When the file access control unit 181a receives a notification regarding the reading process (No at Step S303), the operation control unit 182a identifies the process that has requested the OS 181 to perform the reading process based on information included in the notification. (Step S308). Here, if the process that requested the read process is the one in which the introduction program has been executed (Yes at step S309), the operation control unit 182a instructs the file access control unit 181a to execute the read process as it is. (Step S313).

  On the other hand, if the process that requested the read process is not the one in which the introduction program is in the execution state (No at Step S309), the operation control unit 182a causes the operation determination unit 182b to execute an operation determination process described later (Step S310). ). As a result, if it is found that the process that requested the read process may execute the normal process (Yes in step S311), the operation control unit 182a causes the file access control unit to execute the read process as it is. Instruct 181a (step S313).

  If it is found that the process that requested the reading process is not a process that can execute the normal process (No in step S311), the operation control unit 182a instructs the file access control unit 181a to cancel the reading process. (Step S312).

  After completing the above processing procedure, the operation control unit 182a returns to step S302 and waits for the next notification from the file access control unit 181a.

  FIG. 13 is a flowchart showing a processing procedure of the introductory program writing process (step S306) shown in FIG. As illustrated in FIG. 13, first, an operation determination process by the operation determination unit 182b is executed (step S401).

  Here, if it is found that the introduction program may not execute the normal processing (No at Step S402), the introduction control unit 182c accesses the file so as to change the write destination path to the external storage device 11a. The control unit 181a is instructed (step S403). Then, the file access control unit 181a causes the change history management unit 182f to register the name of the program that has made the write request, the storage destination before the change, and the storage destination after the change as the change history 177 (step S404).

  As described above, the execution control program 173 changes the installation destination of the program to a place different from the normal place, even if the introduction process is not registered in the white list. The program after installation is permitted to start up although the reading and writing of the file is restricted to the external storage device 11a. By such control, it becomes possible to confirm in a safe state the operation and function of a program that is not officially permitted to be executed. Note that the storage destination path change destination need not be the external storage device 11a as long as it does not adversely affect other programs. For example, the server 20 may be used in addition to the external devices 11b and 11c of other information processing apparatuses.

  On the other hand, if it is found that the introduction program can execute the normal processing (Yes at Step S402), the introduction control unit 182c determines the information on the write destination file based on the information included in the notification. Is acquired (step S405). If the writing destination file is not a program (No at Step S406), the introduction control unit 182c instructs the file access control unit 181a to execute the writing process as it is (Step S408).

  If the write destination file is a program (Yes at step S406), the introduction control unit 182c associates the information of the introduction program and the introduction program and stores them in the introduction history 175 (step S407). Then, the introduction control unit 182c instructs the file access control unit 181a to execute the writing process as it is (step S408).

  FIG. 14 is a flowchart showing a processing procedure of the non-introduction program writing process (step S307) shown in FIG. As shown in FIG. 14, first, an operation determination process by the operation determination unit 182b is executed (step S501).

  Here, if it is found that the request source program may not execute normal processing (No in step S502), the update control unit 182d changes the write destination path to the external storage device 11a. The file access control unit 181a is instructed (step S503). Then, the file access control unit 181a causes the change history management unit 182f to register the name of the program that made the write request, the storage destination before the change, and the storage destination after the change as the change history 177 (step S504).

  On the other hand, if it is found that the request source program can execute normal processing (Yes in step S502), the update control unit 182d determines that the write destination file is based on the information included in the notification. The information regarding is acquired (step S505). If the write destination file is not registered in the white list 174 (No in step S506), the update control unit 182d instructs the file access control unit 181a to execute the write process as it is (step S506). S516).

  If the write destination file is registered in the white list 174 (Yes in step S506), the update control unit 182d refers to the introduction history 175 and the update history 176, and introduces the program corresponding to the write destination program. A program ID is acquired (step S507). Further, the update control unit 182d refers to the introduction history 175 and the update history 176, and acquires the introduction program ID corresponding to the program that requested the writing process (step S509).

  Here, if neither of them can be acquired (No in step S508 or No in step S510), the programs are not installed by the same introduction program, so the update control unit 182d cancels the writing process (step S513).

  Further, when both of the introduction program IDs can be acquired (Yes at Step S508 and Yes at Step S510), the update control unit 182d compares the acquired introduction program IDs (Step S511). Here, even when the installation program IDs do not match (No in step S512), the programs are not installed by the same installation program, so the update control unit 182d cancels the writing process (step S1). S513).

  On the other hand, when the introduction program IDs match (Yes at Step S512), the update control unit 182d adds information to the update history 176 (Step S514). Furthermore, the update control unit 182d updates the information in the white list 174 corresponding to the write destination program so that the updated program can be executed normally (step S515). Then, the update control unit 182d instructs the file access control unit 181a to execute the writing process as it is (step S516).

  In the processing procedure shown in FIG. 14, the process of confirming the matching of the installed programs when the program is about to be overwritten is performed only for the programs registered in the white list 174. By controlling in this way, it is possible to reduce the load caused by the process of confirming the matching of the introduction programs.

  FIG. 15 is a flowchart showing a processing procedure of the operation determination processing (step S310, step S401, step S501) shown in FIGS. As illustrated in FIG. 15, the operation determination unit 182b acquires information on the determination target process from the information acquired by the file access control unit 181a and notified to the operation control unit 182a (step S601). Then, the operation determination unit 182b generates a hash value from a program corresponding to the determination target process (step S602), and searches the white list 174 using the hash value as a search key (step S603).

  If the search is hit (Yes at Step S604), the operation determination unit 182b determines that the determination target process may be executed as usual (Step S605). On the other hand, when the search does not hit (No at Step S604), the operation determination unit 182b confirms the presence / absence of the parent process from the information related to the determination target process (Step S606). If there is no parent process (No at Step S607), it is determined that the process to be determined cannot be executed normally (Step S608). If a parent process exists (Yes at step S607), a hash value is generated from the program of the parent process (step S609), and the white list 174 is searched again using the hash value of the parent process as a search key (step S603).

  FIG. 16 is a flowchart of a process procedure of the white list update process shown in FIG. As shown in FIG. 11, the white list update unit 182e inquires of the server 20 whether or not the white list 21 is updated (step S701). If there is no update (No at step S702), the white list update process ends.

  If there is an update (Yes at Step S702), the white list updating unit 182e downloads the white list 21 from the server 20 (Step S703) and integrates it into the white list 174 (Step S704). Then, the white list update unit 182e compares the integrated white list 174 with the white list 21 (step S705), and if there is a difference (Yes in step S706), transmits the difference to the server 20 (step S707).

  At this time, if there is a program newly added to the white list 174 (Yes at step S708), the file access control unit 181a activates a rewriting process described later by transmitting the added program name to the change history management unit 182f. (Step S709).

  FIG. 17 is a flowchart showing a processing procedure of the white list integration processing (step S704) shown in FIG. One line is read from the white list 21 (step S801). If the reading is successful (Yes in step S802), the white list 21 and the white list 174 before integration are compared, and the hash value is confirmed (step S803). For the programs with the matching hash values (Yes at step S804), the white list 21 and the white list 174 determine that the programs are integrated, and the process returns to step S801 to read the next line from the white list 21.

  For programs whose hash values do not match (No at step S804), the white list update unit 182e next checks whether either the name or the file name matches (step S805). If they match (Yes at step S806), the white list update unit 182e compares the version numbers (step S807). Subsequently, when the white list 21 is equal to or larger than the white list 174 (Yes at Step S808), the white list update unit 182e performs integration with the white list 174 (Step S809). It is necessary to add information to the update history 176 following the integration process (step S810). At this time, the white list update unit 182e notifies the update control unit 182d and requests the update history 176 to add information. Then, the process returns to step S801, and the next line is read from the white list 21.

  Conversely, when the version numbers are compared and the white list 174 is larger than the white list 21 (No in step S808), the white list update unit 182e considers the white list 174 as newer information than the white list 21. . That is, without integrating into the white list update unit 182e and the white list 174, the process returns to step S801 to read the next line from the white list 21. If neither the name nor the file name matches (No at Step S806), the white list 21 is integrated into the white list 174 as a new program of the white list update unit 182e (Step S811). Then, the process returns to step S801, and the next line is read from the white list 21.

  If all the lines of the white list 21 have been processed (No at step S802), the process of integrating the white list is ended.

  FIG. 18 is a flowchart showing a processing procedure of the rewrite processing (step S709) shown in FIG. As illustrated in FIG. 18, the change history management unit 182f searches the change history 177 for the program name received from the file access control unit 181a, that is, the program name added to the white list 174 (step S901).

  When the search result of the change history 177 is obtained (Yes at Step S902), the change history management unit 182f returns the change history 177 including the program name added to the white list 174 to the file access control unit 181a. To do.

  Thereafter, the file access control unit 181a reads one line from the change history 177 (step S903). At this time, if the data can be read (Yes at Step S904), the file access control unit 181a rewrites the data written in the changed storage destination included in the change history 177 to the storage destination before the change (Step S905). ). Then, the file access control unit 181a causes the change history management unit 182f to delete the change history written back to the storage destination before the change (step S906). Note that the data that the file access control unit 181a returns at this time includes a program introduced by a program additionally registered in the white list 174 or data generated by a program additionally registered in the white list 174.

  When all the rows of the change history 177 acquired from the change history management unit 182f have been processed (No at step S904), the rewrite processing to the storage destination before the change is ended. If a search result of the change history 177 is obtained (No at step S902), the process ends without performing the file path rewriting.

  As described above, according to the information processing apparatus 10a according to the present embodiment, when the program added to the white list 174 is included in the change history 177, the program written in the storage destination after the change is changed. Control to rewrite to the previous save destination. For this reason, even when the external storage device 11a is removed, the trouble of reintroducing the program to the hard disk device 170 inside the information processing device 10a can be eliminated.

  Further, according to the information processing apparatus 10a according to the present embodiment, when the program added to the white list 174 is included in the change history 177, the data written in the storage destination after the change is stored in the storage destination before the change. Control to rewrite. For this reason, even if the external storage device 11a is removed, the trouble of generating the same data again can be eliminated.

  Further, according to the information processing apparatus 10a according to the present embodiment, the program is illegally determined by determining whether or not overwriting is possible based on whether or not the writing source program and the writing destination program are introduced by the same introduction program. Overwriting can be prevented. That is, by recording the correspondence between the introduction program and the introduction program in the introduction history 175 during the introduction process, it is possible to realize the above-described availability determination without imposing a burden on the system administrator. Furthermore, according to the information processing apparatus 10a according to the present embodiment, not only the program is overwritten by malicious intent, but also the program can be prevented from being overwritten accidentally due to a malfunction, an erroneous operation, a malfunction, or the like.

  In the second embodiment, the description has been given assuming that the information processing apparatus 10a is a personal computer. However, the disclosed execution control method can be similarly applied to other information processing apparatuses such as a mobile phone, PHS (Personal Handyphone System), and PDA (Personal Digital Assistants).

  In the second embodiment, when the white list 21 is downloaded from the server 20, the white list 21 and the existing white list 174 are integrated, and the downloaded white list 21 is compared with the integrated white list. Explained. However, in the information processing apparatuses 10a to 10c, the white list 21 downloaded from the server 20 may be directly overwritten as the white list 174.

  In the first and second embodiments, the case where the writing is redirected from the internal storage unit 2 to the external storage unit 3 has been described. However, for example, instead of the external storage device, another internal storage device is connected to the information processing device 1, that is, two internal storage devices are connected to the information processing device 1, and the other internal storage device is already connected. The configuration may be such that writing is redirected to one internal storage device. In addition, one storage device connected to the information processing device 1 may be logically divided into a plurality of partitions, and writing may be redirected from one partition to another.

DESCRIPTION OF SYMBOLS 1 Information processing apparatus 2 Internal storage device 2a Program list 2b Change history 2c Program 3 External storage device 3c Program 4 Change control part 5 Change information recording part 6 Rewrite control part 10a-10c Information processing apparatus 100 Information processing system 110 CPU
120 Input unit 130 Display unit 140 Network I / F unit 150 Input / output I / F unit 160 Storage medium reading unit 170 Hard disk device 171 OS program 172 Application program 173 Execution control program 174 White list 175 Introduction history 176 Update history 177 Change history 180 RAM
181 OS
181a File access control unit 182 Execution control process 182a Operation control unit 182b Operation determination unit 182c Introduction control unit 182d Update control unit 182e White list update unit 182f Change history management unit 183 Execution process 190 Bus 11a to c External storage device 20 Server 21 White List 22 Update file provider 30 Network 31 Internet

Claims (4)

An execution control method by an information processing apparatus having a plurality of storage units,
A list reading step that reads a program list that defines either the allowed or restricted behavior of a particular program;
When a write request for another program is received from a predetermined program, the program list is referred to. When the predetermined program is permitted to operate in the program list, the other specified by the write request If the predetermined program is not permitted to operate in the program list without changing the storage destination of the program, the storage destination of the other program specified in the write request is changed to a predetermined storage unit. A change control step to
When the storage destination of the other program is changed by the change control step, the predetermined program that has made the write request is associated with the storage destination before the change and the storage destination after the change and is recorded as change information. Change information recording step,
When the program added to the program list is included in the change information, based on the pre-change storage destination and the post-change storage destination associated with the added program, writing to the post-change storage destination And a rewrite control step for controlling to rewrite the other program to the storage destination before the change. The change control step refers to the program list when a write request for data generated by a predetermined program is received, and when the predetermined program is permitted to operate in the program list, the change control step When the storage destination of the data specified by the request is not changed and the operation of the predetermined program is not permitted in the program list, the storage destination of the data specified by the write request is changed to the predetermined storage Change to storage,
In the change information recording step, when the data storage destination is changed by the change control step, the predetermined program that has made the write request is associated with the storage destination before the change and the storage destination after the change. Recorded as change information,
The rewrite control step, when a program added to the program list is included in the change information, based on the storage destination before the change and the storage destination after the change associated with the added program 2. The execution control method according to claim 1, wherein control is performed so that data written in a previous storage destination is rewritten to the storage destination after the change. An execution control program to be executed by a computer having a plurality of storage units,
A list reading step that reads a program list that defines either the allowed or restricted behavior of a particular program;
When a write request for another program is received from a predetermined program, the program list is referred to. When the predetermined program is permitted to operate in the program list, the other specified by the write request If the predetermined program is not permitted to operate in the program list without changing the storage destination of the program, the storage destination of the other program specified in the write request is changed to a predetermined storage unit. A change control step to
When the storage destination of the other program is changed by the change control step, the predetermined program that has made the write request is associated with the storage destination before the change and the storage destination after the change and is recorded as change information. Change information recording step,
When the program added to the program list is included in the change information, based on the pre-change storage destination and the post-change storage destination associated with the added program, writing to the post-change storage destination An execution control program that causes a computer to execute a rewrite control step of controlling to rewrite another program to a storage destination before the change. A plurality of storage units;
A list reading section that reads a program list that defines whether the operation of a specific program is permitted or restricted;
When a write request for another program is received from a predetermined program, the program list is referred to. When the predetermined program is permitted to operate in the program list, the other specified by the write request If the predetermined program is not permitted to operate in the program list without changing the storage destination of the program, the storage destination of the other program specified in the write request is changed to a predetermined storage unit. A change control unit to
When the storage destination of the other program is changed by the change control unit, the predetermined program that has made the write request is associated with the storage destination before the change and the storage destination after the change and is recorded as change information. A change information recording unit to
When the program added to the program list is included in the change information, based on the pre-change storage destination and the post-change storage destination associated with the added program, writing to the post-change storage destination And a rewrite control unit that controls to rewrite the other program to the storage destination before the change.

Images