JP5386015B1 - Bug detection apparatus and bug detection method - Google Patents

Abstract

An object of the present invention is to find bugs that are potentially vulnerable at an early stage.
An information processing apparatus executes a plurality of programs and, when exception processing occurs in the executed program, specifies a program module to be executed by the program that generated the exception processing. Then, the information processing apparatus counts the number of times exception processing has occurred in the program module in association with identification information for identifying the specified program module. Thereafter, the information processing apparatus detects a program module corresponding to the occurrence count less than a predetermined value among the counted occurrence counts of exception processing.
[Selection] Figure 2

Description

  The present invention relates to a bug detection device and a bug detection method.

  When a bug, which is a defect in the program, becomes apparent during program execution, the program may cause an unintended operation and terminate abnormally. A malicious user exploits this bug to cause the program to execute an arbitrary operation. Conventionally, such bugs in a program are automatically detected by a testing process, and found bugs are corrected before the program is released.

  For example, in the program testing process, a technique for finding bugs in advance by performing instruction coverage, branch coverage, condition coverage, etc. as a white box test is used. Also known is a technique for finding a bug as a black box by fuzzing for finding a bug by generating random input data and inputting it into a program.

Barton Miller, “Fuzz Testing of Application Reliability”, [searched July 3, 2012], Internet <URL: http://pages.cs.wisc.edu/~bart/fuzz/>

  However, there is a problem in the above-mentioned technology that there is a high possibility that a potentially vulnerable bug is overlooked, and it cannot be detected early.

  For example, recent programs have become huge, and it is difficult to carry out a comprehensive test of the program by a white box test. In addition, since the internal processing operation of the program varies depending on the input value, bugs may become apparent depending on the input value, but there are an infinite number of input values. For this reason, it is difficult to comprehensively execute the creation of a huge amount of test data and the test of the program that has input it by fuzzing for an infinite number of input values.

  In particular, since the web browser performs various web content reading processes as input, various processing modules are installed. For this reason, even if various runtime exceptions occur in the Web browser, it is difficult to inspect in advance whether or not bugs of each module are mixed as a vulnerability in the case of an exception operation that returns to normal operation. . Because of this, many potentially vulnerable bugs were discovered after the program was released and then fixed by patches. Since bugs in Web browsers are exploited to infect malicious programs such as computer viruses, it is highly important to find bugs that lead to vulnerabilities at an early stage.

  The disclosed technology has been made in view of the above, and an object thereof is to provide a bug detection device and a bug detection method capable of finding a potentially vulnerable bug at an early stage.

  In one aspect, a bug detection device and a bug detection method disclosed in the present application, when an exception process occurs in an execution unit that executes a plurality of programs and a program executed by the execution unit, generates an exception process. A specifying unit for specifying a program module to be executed by the program, and a counting unit for counting the number of occurrences of exception processing generated in the program module in association with identification information for identifying the program module specified by the specifying unit; And a detection unit that detects a program module corresponding to the number of occurrences of exception processing counted less than a predetermined value among the number of occurrences of exception processing counted by the counting unit as a potentially vulnerable bug.

  According to one aspect of the bug detection apparatus and the bug detection method disclosed in the present application, there is an effect that a potentially vulnerable bug can be found early.

FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. FIG. 2 is a functional block diagram illustrating a functional configuration of the information processing apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the module read information DB. FIG. 4 is a diagram illustrating an example of information stored in the exception pattern DB. FIG. 5 is a diagram for explaining the relationship between the module name and the offset. FIG. 6 is a flowchart showing a flow of processing from exception pattern collection to potential bug detection according to the first embodiment. FIG. 7 is a diagram illustrating a computer that executes a bug detection program.

  Embodiments of a bug detection device and a bug detection method disclosed in the present application will be described below in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

[First Embodiment]
[overall structure]
FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. As shown in FIG. 1, this system is configured by connecting a Web server 1, a Web server 2, a Web server 3, and an information processing apparatus 10 so that they can communicate with each other. The number of servers and the like is merely an example, and is not limited to this.

  The Web server 1 and the Web server 2 are servers that provide a user with a Web site including Web content, and safety is guaranteed. The web server 3 is a server that provides a user with a website including web content, and safety is not guaranteed. Security is guaranteed to be certified by a third party, for example, as having high security, past virus detection count or fault count is below a predetermined value, or can be certified by any method .

  The information processing apparatus 10 is a Web client that accesses each Web server, such as a personal computer or a server. The information processing apparatus 10 executes a plurality of programs, and when an exception process occurs in the executed program, specifies the program module to be executed by the program that generated the exception process. Then, the information processing apparatus 10 counts the number of times exception processing has occurred in the program module in association with identification information for identifying the specified program module. Thereafter, the information processing apparatus 10 detects a program module corresponding to the occurrence count less than a predetermined value among the counted occurrence counts of exception processing.

  That is, the information processing apparatus 10 determines that an exception process with the highest number of occurrences is a mere bug based on the occurrence on a general Web site. On the other hand, the information processing apparatus 10 determines that an exception process whose total occurrence count is lower is a potentially vulnerable bug based on the fact that the occurrence count is low on a general Web site.

  As described above, the information processing apparatus 10 preferentially detects bugs that are likely to be misused because the patch generation is slow because the number of occurrences is small, so that potentially vulnerable bugs are detected early. Can be found in.

[Configuration of information processing device]
Next, the configuration of the information processing apparatus will be described. Since each Web server has the same configuration as a general Web server, detailed description is omitted. FIG. 2 is a functional block diagram illustrating a functional configuration of the information processing apparatus according to the first embodiment.

  As illustrated in FIG. 2, the information processing apparatus 10 includes a communication unit 11, a storage unit 13, and a control unit 14. Note that the control unit and the like shown here are merely examples, and may include an input unit such as a mouse, a display unit such as a display, and the like.

  The communication unit 11 is a processing unit that performs communication with other devices. For example, the communication unit 11 establishes a connection with each Web server and controls communication using a Web browser or the like.

  The storage unit 13 is a storage device that holds a monitoring target program 13a, a program module 13b, a module read information DB (DataBase) 13c, and an exception pattern DB 13d. For example, the storage unit 13 may be a storage device such as a semiconductor element or an HDD (Hard Disk Drive).

  The monitoring target program 13a is a program to be monitored for occurrence of exception processing. For example, in the first embodiment, the monitoring target program 13a is a program that executes a Web browser. Although a Web browser is illustrated here as an example of the content viewer, other viewers such as a system-dedicated viewer can also be used.

  The program module 13b is a program module executed by the monitoring target program 13a. For example, it is a processing module that is executed when a Web browser reads a Web site or Web content on the Web site.

  The module read information DB 13c stores information on the program module 13b loaded in the memory. The information stored here is updated by a module reading monitoring unit 17 or the like which will be described later. FIG. 3 is a diagram illustrating an example of information stored in the module read information DB. As illustrated in FIG. 3, the module read information DB 13c stores “module name, start address, end address” in association with each other.

  The “module name” stored here is the name of the module loaded into the memory, that is, the name of the executed program module. “Start address” is the start address to be loaded, that is, the start address of the memory to which the program module is loaded. The “end address” is the end address to be loaded, that is, the end address of the memory into which the program module is loaded. In the case of FIG. 3, the program module, which is the name of module A, is loaded from the address “100000” on the memory to the address “110000”.

  The exception pattern DB 13d stores information on program modules in which exception processing has occurred. The information stored here is updated by the exception monitoring unit 18 or the like described later. FIG. 4 is a diagram illustrating an example of information stored in the exception pattern DB. As illustrated in FIG. 4, the exception pattern DB 13 d stores “module name, offset, exception type, number of appearances” in association with each other.

  The “module name” stored here is the name of the program module that caused the exception processing. “Offset” is the distance (number of bytes) from the head address at which the program module is loaded to the address where the exception processing occurred. “Exception type” indicates the type of exception handling that has occurred. “Number of occurrences” is the number of times exception processing has occurred at the offset of the module name. In the case of FIG. 4, in module A, the exception process “exception A” occurs 1000 times at an address “1000” offset from the start address.

  The control unit 14 includes a collection unit 15 and a bug detection unit 20, and is a processing unit that detects a potentially vulnerable bug. The control unit 14 is, for example, a processor, and each processing unit included in the control unit 14 is a processing unit executed by the processor.

  The collection unit 15 includes a Web access unit 16, a module reading monitoring unit 17, and an exception monitoring unit 18, which monitors the occurrence of exception processing and collects exception processing information. The web access unit 16 is a processing unit that executes the monitoring target program 13a stored in the storage unit 13 and accesses the web server using a web browser. The web access unit 16 loads the monitoring target program into the memory and executes it. The Web access unit 16 executes a necessary program module 13b according to the accessed Web site and Web content. The Web site accessed by the Web access unit 16 may be designated in advance by an administrator or the like, or may be executed at random, regardless of whether the security is not guaranteed.

  The module reading monitoring unit 17 is a processing unit that monitors the program module loaded by the Web access unit 16. Specifically, when the module reading monitoring unit 17 detects that the Web access unit 16 has loaded the program module into the memory, the module reading monitoring unit 17 detects the name of the loaded program module, the loaded start address, and the loaded end address. To do. Then, the module reading monitoring unit 17 stores the acquired program module name, the start address, and the end address in association with each other in the module reading information DB 13c.

  For example, when the module A is loaded from the address “100000” in the memory to “110000”, the module read monitoring unit 17 detects the module A, the start address “100000”, and the end address “110000”, Store in the module read information DB 13c. As described above, the module reading monitoring unit 17 monitors the event that the program module is loaded, and when the event occurs, the program module name (for example, kernel32.dll) and the program module are loaded. The start address and end address are acquired and stored in the module read information DB 13c.

  The exception monitoring unit 18 includes a specifying unit 18a and a counting unit 18b, and is a processing unit that monitors the occurrence of exception processing. The specifying unit 18a is a processing unit that specifies a program module and a memory address to be executed by the Web browser that has generated the exception processing when an exception processing has occurred in the Web browser executed by the Web access unit 16. Specifically, the specifying unit 18a obtains the name of the program module loaded at the address of the memory where the exception processing has occurred, the type of exception that has occurred, and the offset from the start address of the program module to the exception occurrence address. Stored in the exception pattern DB 13d. The program module name includes a DLL (Dynamic Load Library) name.

  Here, the reason why the offset from the head of the program module is used instead of the absolute address of the memory is that the load destination address of the program module may be different every time the program is executed. Therefore, when a bug that exists at a specific location in a certain program module develops, the exception occurrence address changes depending on the load address of the program module. On the other hand, when an exception occurs at a specific location of a program module, the program module name and its offset do not change even if the address at which the program module is loaded changes.

  FIG. 5 is a diagram for explaining the relationship between the module name and the offset. As shown in the left diagram of FIG. 5, when accessing the web site A where the web access unit 16 is located, the module A is loaded starting from the memory address “5000” and offset from the top address “1000”, that is, the address Exception processing occurred at "6000". On the other hand, as shown in the right diagram of FIG. 5, when accessing the web site B where the web access unit 16 is located, the module A is loaded starting from the memory address “15000” and offset from the top address “ 1000 ”, that is, exception handling occurred at address“ 16000 ”.

  As shown in FIG. 5, program modules may be loaded into memory at the beginning of program execution, or may be dynamically loaded into memory during program execution. In these cases, the head address to be loaded changes, but the offset does not change. Therefore, by specifying the offset, the occurrence position of the exception processing can be specified accurately.

  In order to identify the program module loaded at the address where the exception has occurred, the identifying unit 18a sets the address where the exception has occurred between the start address and the end address for each program module recorded in the module read information DB 13c. Search for included content and get program module name. At this time, the specifying unit 18a specifies the type of exception according to the exception processing that has occurred. Next, the specifying unit 18a obtains an offset from the program module by subtracting the exception occurrence address from the start address of the program module for the acquired program module name. By this procedure, when an exception occurs, the specifying unit 18a acquires an “exception pattern” including a combination of a program module name, an offset, and an exception type. Then, the specifying unit 18a stores these in the exception pattern DB 13d.

  Note that the program module name may not be acquired. For example, the program module is not loaded at the exception occurrence address. Depending on the type of bug, the instruction pointer may indicate an address at which no program module is loaded, causing an exception and abnormal termination. In this case, it is not possible to identify retrospective information immediately before the cause of the exception. In this case, the specifying unit 18a stores the module name as null (meaning empty) and the offset as the address where the exception occurred in the exception pattern DB 13d.

  The counting unit 18b is a processing unit that counts the number of occurrences of the exception pattern specified by the specifying unit 18a. For example, when an exception process occurs, the counting unit 18b acquires an exception pattern “module name, offset, exception type” from the specifying unit 18a. Then, when the acquired exception pattern is stored in the exception pattern DB 13d, the counting unit 18b increments the number of appearances corresponding to the exception pattern. On the other hand, when the acquired exception pattern is not stored in the exception pattern DB 13d, the counting unit 18b generates a record of the exception pattern and sets the appearance count to 1.

  The bug detection unit 20 is a processing unit that detects a program module corresponding to the number of occurrences of exception processing counted by the counting unit 18b that is less than a predetermined value as a potentially vulnerable bug. For example, the bug detection unit 20 detects a combination of a module having an appearance count of less than 600, an offset, and an exception type among the records stored in the exception pattern DB 13d as a potentially vulnerable bug.

  That is, the higher rank of the tabulation results stored in the exception pattern DB 13d is included in many general sites, and the lower rank of the tabulation results is included only in a specific site. Using the exception information tabulation result, it is possible to determine that the one included in the higher rank of the tabulation result is a bug based on a simple description mistake that often occurs in many general sites.

  That is, there is a high possibility that the upper bug is an exception that is not created so that the Web content or the like is vulnerable. Such exceptions are likely to be considered during development so as not to be vulnerable. On the other hand, it is considered that the low-order bugs are likely to be vulnerable to Web contents, and such exceptions are difficult to consider at the development stage and are likely to be abused. Therefore, the bug detection unit 20 detects an exception that causes exception processing but has a small number of appearances as a potentially vulnerable bug. Note that the threshold value for determining the upper or lower order of the aggregation result can be arbitrarily set.

[Process flow]
FIG. 6 is a flowchart showing a flow of processing from exception pattern collection to potential bug detection according to the first embodiment. As shown in FIG. 6, the Web access unit 16 of the information processing apparatus 10 loads the monitoring target program 13a into the memory and starts the Web browser (S101).

  Then, the web access unit 16 accesses a predetermined website (S102). At this time, in order to read various Web contents on the Web site, the Web access unit 16 appropriately loads the program module 13b into the memory and executes the corresponding module. On the other hand, the module reading monitoring unit 17 monitors the event execution of the program module, acquires the top address, end address, and module name on the memory loaded with the program module, and stores them in the module reading information DB 13c.

  Thereafter, when exception processing occurs (S103: Yes), the specifying unit 18a of the exception monitoring unit 18 acquires address information where the exception processing has occurred (S104), and the module that caused the exception processing is loaded into the memory. It is determined whether or not there is (S105). In addition, when browsing of a Web site is completed without generating exception processing (S103: No), S113 is executed.

  If the specifying unit 18a determines that the module that caused the exception processing is loaded in the memory (S105: Yes), the module 18a acquires the module name, specifies the type of exception (S106), and calculates the offset. (S107). On the other hand, when determining that the module that caused the exception processing is not loaded in the memory (S105: No), the specifying unit 18a determines the module name to be null and specifies the type of exception (S108), and the offset. Is determined as the exception occurrence address which is the address where the exception occurred (S109). The type of exception can be specified from the contents of exception processing or the like, and may be specified in S104.

  Subsequently, the counting unit 18b of the exception monitoring unit 18 determines whether or not the combination of the acquired module name, offset, and exception type is stored in the exception pattern DB 13d (S110).

  When the counting unit 18b determines that the combination of the module name, the offset, and the type of exception is stored in the exception pattern DB 13d (S110: Yes), the counting unit 18b increments the corresponding number of appearances (S111). On the other hand, when the counting unit 18b determines that the combination of the module name, the offset, and the type of exception is not stored in the exception pattern DB 13d (S110: No), the counting unit 18b selects a corresponding record in which the number of appearances is set to 1. Generate (S112).

  Thereafter, when there are other target sites designated for exception pattern collection (S113: Yes), the Web access unit 16 repeats the processing from S102 onward. On the other hand, when there is no other target site designated for exception pattern collection (S113: No), the bug detection unit 20 refers to the exception pattern DB 13d (S114), and identifies a module whose appearance count is equal to or smaller than a predetermined value. (S115). Then, the bug detection unit 20 detects the identified module as a potential bug (S116). At this time, the bug detection unit 20 specifies a combination of a module name, an offset, and an exception type corresponding to the number of appearances equal to or less than a predetermined value. Also, the bug identified here, that is, the above combination is preferentially processed as a patch application target.

[effect]
As described above, in the first embodiment, it is not necessary to create a huge amount of test data and input it to the web browser for testing, and it is realistic to read the contents of a general site after the program is released. Bugs can be found by exceptions caused by content present in Also, by counting according to the location of the exception and the type of exception, it is possible to determine the bug that the system user should deal with, so that the bug can be dealt with efficiently.

  Further, in order to efficiently find bugs in the Web browser, a general Web site is accessed by the Web browser, and information at the time of occurrence of an exception is collected. This makes it possible to collect exception information due to simple bugs based on erroneous Web content descriptions that often occur on general sites. There is a high possibility that this is an exception that has not been created so that the Web content is vulnerable. Such exceptions are likely to be considered during development so as not to be vulnerable. Therefore, the exception information at this time can be identified as a normal exception pattern.

  In addition, bugs that are recognized as normal operations during normal use and are often overlooked with potential vulnerabilities can be found. In addition, it is not necessary to create a huge amount of test data and test it by inputting it to a Web browser. After the program is released, the content of a general site can be read and an exception caused by content that actually exists Can find bugs. Also, by counting according to the location where the exception occurred and the type of exception, it is possible to efficiently determine the bug to be dealt with by the user of the system equipped with the information processing apparatus described in the first embodiment. Bugs can be dealt with.

  In addition, since it can be said that the memory address where the exception occurred is in the vicinity of the program causing the bug, specifying this location can be used as information for quickly correcting the bug. For example, if the program module name is mshtml.dll and the offset is 1000 bytes, it can be inferred that the cause of the bug exists around 1000 bytes from the beginning of mshtml.dll.

[Second Embodiment]
The embodiments of the present invention have been described above, but the present invention may be implemented in various different forms other than the first embodiment described above. Therefore, different embodiments will be described below.

(Target program)
In the first embodiment, the Web browser has been described as an example of the monitoring target program, but the present invention is not limited to this. For example, various programs executed by the processor, such as a program for reading and processing a module, can be similarly processed.

(Exception pattern collection destination)
For example, in order to collect exception pattern information stored in the exception pattern DB 13d, it is also possible to access and collect a secure website. By doing so, it is possible to detect a bug that is not generally noticed, that is, a bug with a small number of occurrences of exception processing, even for a Web site whose safety is guaranteed. As a result, it is possible to detect small vulnerabilities that are likely to be used by malicious users.

  In addition, the information processing apparatus 10 accesses a website where safety is guaranteed and aggregates exception patterns. Similarly, the information processing apparatus 10 accesses websites where safety is not guaranteed and totals exception patterns. Match the counting results. Then, the information processing apparatus 10 determines that the exception pattern generated in a website whose safety is not guaranteed is higher than the result of counting using the website whose safety is guaranteed. Is detected as a mere bug. On the other hand, the information processing apparatus 10 is configured so that an exception pattern generated in a website whose safety is not guaranteed is positioned in a lower position in the result of aggregation using the website where safety is guaranteed, or safety If the exception pattern is not included in the result of aggregation using a guaranteed Web site, the exception pattern is detected as a potentially vulnerable bug.

  In this way, bugs that can use exceptions below the threshold for attacks due to a match between the actual attack site and the site that may be the attack site and the statistical data of the occurrence of exceptions in the normal site Can also be extracted. In addition, it is possible to detect a malicious website by associating the exception pattern with the URL (Uniform Resource Locator) of the website.

(Exception pattern items)
The exception pattern items described in the first embodiment are merely examples, and can be arbitrarily changed. For example, an absolute memory address may be used instead of an offset. Also, by excluding exception types from exception pattern items, exception patterns can be collected from a macro perspective. Also, by increasing the number of exception pattern items, exception patterns can be collected from a micro perspective.

  There are cases where the module name cannot be acquired when an exception occurs, that is, the exception occurrence location is not the address where the module is read, or the module name of the exception pattern is null. In these cases, depending on the type of bug, the instruction pointer may indicate an address at which the program module is not loaded, thereby causing an exception and abnormal termination. At this time, the indicated address may change every time, and even if it is a bug of the same cause, it may be different every time as an exception pattern, so that it appears statistically at a lower level. Therefore, exception patterns caused by such bugs having the same cause but having different exception occurrence addresses may be excluded from the aggregation on condition that the module name is null.

(Applicable system)
Use the method described in the first embodiment in a host-type intrusion detection system for protecting a host system from an attack, a honeypot that operates as a decoy host system, particularly a Web client honeypot that operates as a Web browser. Can detect attacks.

  On the host-type intrusion detection system equipped with the method described in the first embodiment, since the user actually accesses various websites using a web browser, exception information is stored in the host-type intrusion detection system. Accumulated. Similarly, in the Web client honeypot equipped with the method described in the first embodiment, exception information about the Web site to be inspected is accumulated. At this time, if an attack code targeting the Web browser is included in the Web browser, the attack information depends on whether or not the exception information is included in the exception information that has been collected so far. It can be judged that there is a high possibility.

  In particular, in attacks using unknown vulnerabilities such as zero-day attacks, it can be assumed that the exception information that has occurred is not included in the exception information that has been accumulated so far. If new exception information appears, it can be identified as a possible zero-day attack.

(System configuration etc.)
Each component of each illustrated device is functionally conceptual, and does not necessarily need to be the same as the physically illustrated component. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  In addition, among the processes described in the embodiment, all or a part of the processes described as being automatically performed can be manually performed. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(program)
It is also possible to create a bug detection program in which processing executed by the information processing apparatus according to the embodiment is described in a language that can be executed by a computer. In this case, when the computer executes the bug detection program, the same effect as in the above embodiment can be obtained. Furthermore, the bug detection program may be recorded on a computer-readable recording medium, and the bug detection program recorded on the recording medium may be read and executed by the computer to execute the same processing as in the above embodiment. Good. An example of a computer that executes a bug detection program that implements the same function as the information processing apparatus shown in FIG.

  FIG. 7 is a diagram illustrating a computer that executes a bug detection program. As illustrated in FIG. 7, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 7, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each DB described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.

  Further, the bug detection program is stored in, for example, the hard disk drive 1090 as a program module 1093 in which an instruction to be executed by the computer 1000 is described. Specifically, a Web access procedure for executing information processing similar to that of the Web access unit 16 described in the above embodiment, a module reading monitoring procedure for executing information processing similar to that of the module reading monitoring unit 17, and an exception monitoring unit The hard disk drive 1090 stores a program module 1093 in which an exception monitoring procedure for executing the same information processing as in FIG. 18 and a bug detection procedure for executing the same information processing as in the bug detection unit 20 are described.

  Also, data used for information processing by the bug detection program is stored as program data 1094 in, for example, the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the bug detection program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be issued. Alternatively, the program module 1093 and the program data 1094 related to the bug detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. May be read by the CPU 1020.

1, 2, 3 Web server 10 Information processing device 11 Communication unit 13 Storage unit 13a Monitored program 13b Program module 13c Module read information DB
13d Exception pattern DB
DESCRIPTION OF SYMBOLS 14 Control part 15 Collection part 16 Web access part 17 Module reading monitoring part 18 Exception monitoring part 18a Identification part 18b Counting part 20 Bug detection part 1000 Computer 1010 Memory 1011 ROM
1012 RAM
1020 CPU
1030 Hard disk drive interface 1040 Disk drive interface 1050 Serial port interface 1060 Video adapter 1070 Network interface 1080 Bus 1090 Hard disk drive 1091 OS
1092 Application Program 1093 Program Module 1094 Program Data 1100 Disk Drive 1110 Mouse 1120 Keyboard 1130 Display

Claims (5)

An execution unit for executing a plurality of programs;
When an exception process occurs in the program executed by the execution unit, a specifying unit that specifies a program module to be executed by the program that generated the exception process;
A counting unit that counts the number of times exception processing has occurred in the program module in association with identification information that identifies the program module specified by the specifying unit;
A bug detection device comprising: a detection unit that detects a program module corresponding to a number of occurrences of exception processing counted less than a predetermined value among the number of occurrences of exception processing counted by the counting unit. The execution unit executes a content viewer program, accesses a plurality of websites using the executed content viewer,
The said specific | specification part specifies the program module which the said content viewer which generated exception processing specifies, when exception processing generate | occur | produces in the Web site accessed by the said execution part. Bug detection device. The execution unit accesses a plurality of websites whose safety is guaranteed and a plurality of websites whose safety is not guaranteed,
The specifying unit specifies the program module that caused the exception processing when the exception processing occurs in the plurality of Web sites that are guaranteed the safety, and the plurality of Webs that are not guaranteed the safety. When exception processing occurs on the site, the program module that caused the exception processing is identified,
The counting unit generates a total result obtained by counting the number of occurrences of the exception processing for each of the plurality of websites for which the safety is guaranteed, and the exception for each of the plurality of websites for which the safety is not guaranteed. Generate a count result that counts the number of processing occurrences,
The detecting unit collates each counting result generated by the counting unit, and detects a program module corresponding to the number of occurrences less than the predetermined value from the counting result of the Web site whose safety is not guaranteed. The bug detection device according to claim 2. The specifying unit further specifies an offset from a start address at which the program module is loaded to an address at which exception processing has occurred,
The counting unit counts the number of occurrences of the exception handling in association with the combination of the identification information and the offset,
The said detection part detects the combination of the said program module and the said offset corresponding to the frequency | count of generation | occurrence | production less than predetermined value among the generation | occurrence | production counts of the exception process counted by the said counting part. The bug detection device according to any one of the above. A bug detection method executed by an information processing apparatus,
An execution process for executing a plurality of programs;
A specific step of specifying a program module to be executed by the program that generated the exception process when an exception process occurs in the program executed by the execution step;
A counting step of counting the number of occurrences of exception processing occurring in the program module in association with identification information for identifying the program module specified in the specifying step;
A bug detecting method comprising: detecting a program module corresponding to the number of occurrences of exception processing counted in the counting step that is less than a predetermined value.

Images