JP5457427B2 - Storage device, terminal device and computer program - Google Patents

Description

  The present invention relates to a storage device, an information processing device, a terminal device, and a computer program, and more particularly to a security technique for suppressing information leakage and the like.

  In today's information society, information terminal devices represented by personal computers (hereinafter referred to as terminal devices) are increasingly used as business forms. Organizations such as government offices, companies, and public facilities use digital data for information they hold. Digitized business documents are extremely easy to duplicate and distribute. Therefore, there is a growing need for information security technology for ensuring the confidentiality, integrity, and availability of data.

  On the other hand, various removable disks that are portable are widely used as external storage devices with high versatility for terminal devices. In particular, a small and detachable USB storage device integrated with a USB connector has been remarkably popular in recent years. For example, it is also possible to store information necessary for business work in advance in a USB storage device, take it out, and connect to a terminal device outside the office to perform work.

  However, while USB storage devices are convenient, they are vulnerable to security. For example, a malicious person may intentionally move or copy confidential information stored in a USB storage device to a third party terminal device.

  Conventionally, techniques for preventing such information leakage have been proposed. According to Patent Document 1, only a specific user who is authenticated by a personal authentication function can store and erase data in a secret area to be protected and concealed, and a USB storage device that can protect the information of the specific user Has been proposed.

  Also, as a reading technique of a USB storage device, according to Patent Document 2, a method of reading by causing a PC to recognize one of storage areas inside a storage device as a CD-ROM device and the other as a removable disk area. Has been proposed.

JP 2006-301772 A Japanese Patent No. 3699717

  However, in the leakage prevention method described in Patent Document 1, the confidential information stored in the USB storage device may be browsed by an external terminal device and then forgotten to be deleted while being stored. As a result, information leakage occurs from the terminal device.

  As another problem, in the USB reading method described in Patent Document 2, it is assumed that the PC recognizes two drives at the same time. For this reason, the drive letter of the PC is likely to be exhausted, or the drive letter assigned to the drive of the PC may be different from the one intended by the user.

Therefore, an object of the present invention is to provide a storage device or the like that prevents confidential information inside the storage area of the storage device from leaking from an external terminal device or the like.
Other issues can be understood throughout the specification.

According to the first aspect,
In a storage device connected to an information processing device via a general-purpose interface,
A first storage area for storing first information;
A second writable storage area for storing editable second information,
The first information is
An information leakage prevention program for preventing the second information from leaking;
There is provided a storage device including at least one of data specifying a storage destination where storage of the second information is permitted.

According to the second aspect,
The first information further includes a startup file for starting an information leakage prevention program in the information processing apparatus when the storage apparatus is connected to the information processing apparatus.

According to the third aspect,
An information leakage prevention program is provided with a storage device that connects an information processing device to a server and causes the information processing device to function as an update unit that updates first information with information received from the server.

According to the fourth aspect,
The storage device is provided in which the first information includes data for specifying a target person who accesses the second information.

According to the fifth aspect,
An information leakage prevention program is a computer program that allows an information processing device to browse second information and prohibits the storage of the second information in the information processing device. Provided.

According to the sixth aspect,
The information leakage prevention program is a computer program that allows the information processing apparatus to edit the second information and store the edited second information in the second storage area. Is done.

According to the seventh aspect,
Removal detecting means for detecting that the storage device has been removed from the information processing device;
When it is detected that the storage device has been removed from the information processing device, the first information and the second information are cleared or uninstalled from the information processing device.
Provided is a storage device that functions an information processing device.

According to the eighth aspect,
Information leakage prevention program
When the storage location of the second information is specified by the first information, the information processing apparatus is allowed to store the second information in the storage location specified in addition to the second storage area. A storage device is provided.

According to the ninth aspect,
An information leakage prevention program is provided with a storage device that allows an information processing device connected to a network to distribute second information over the network.

According to the tenth aspect
The information leakage prevention program prohibits storing the second information in the information processing apparatus by causing the information processing apparatus to function as means for monitoring and controlling the program operation of the information processing apparatus. Is provided.

According to the eleventh aspect,
Means for monitoring and controlling the program operation of the information processing apparatus operates in the kernel mode, and a storage device is provided.

According to the twelfth aspect,
The information leakage prevention program monitors the registry of the information processing apparatus, and when the registry is changed, the information leakage prevention program causes the information processing apparatus to function as means for returning the information changed in the registry to the information before the change. An apparatus is provided.

According to the thirteenth aspect,
A storage device is provided in which the means for returning to the information before the change is means for prohibiting sending the second information by e-mail or using the second information as wallpaper.

According to the fourteenth aspect
The information leakage prevention program is provided with a storage device that causes the information processing device to function as a device that invalidates the device that stores information in the information processing device and the device that transmits information from the information processing device.

According to the fifteenth aspect,
A storage device is provided in which the means for invalidating the device is means for prohibiting writing of information to the flexible drive disk or uploading of information to the network.

According to the sixteenth aspect,
The information leakage prevention program is provided with a storage device that causes the information processing device to function as a means for prohibiting an operation that leads to storing the second information in the information processing device.

According to the seventeenth aspect
17. The storage device according to claim 16, wherein the means for prohibiting the operation is means for prohibiting any one or a combination of dialog display, drag and drop, and clipboard use.

According to the 18th aspect,
In an information processing apparatus that can connect a removable storage device to a general-purpose interface,
The storage device
A first storage area for storing first information;
A second writable storage area for storing editable second information,
The first information includes information for controlling handling for preventing leakage of the second information,
An information processing apparatus is provided that reads and executes first information from a first storage area.

According to the nineteenth aspect
In an information processing device,
A read-only first storage area for storing first information;
A second writable storage area for storing editable second information,
An information processing apparatus is provided in which the first information is information for controlling specification of a storage destination of the second information.
According to the 20th aspect,
An information processing apparatus characterized in that the first information includes an information leakage prevention program for preventing the second information from leaking.

According to the twenty-first aspect,
A first step of reading first information from a first storage area of a storage device connected to the information processing device via a general-purpose interface;
A second step for preventing leakage of the second information by controlling the handling of the editable second information stored in the second storage area of the storage device by the first information by the first information; A computer program for causing an information processing apparatus to execute
The first information is
A computer program is provided that includes a storage location where the second information is allowed to be stored.

According to a twenty-second aspect of the present invention,
A storage device detachable from a general-purpose interface provided in a terminal device,
A first storage area and a second storage area that are alternatively recognized by the terminal device;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
With
When the storage device is connected, the terminal device reads the startup file from the first storage area and executes it to start the switching program, and the storage area recognized by the terminal device is changed from the first storage area to the second storage area. A storage device is provided that functions as switching means for switching to the storage area.

According to a twenty-third aspect of the present invention,
A storage device is provided in which the first storage area is a storage area that can be read only, and the second storage area is a storage area that can be read and written.

According to a twenty-fourth aspect of the present invention,
The startup file is autorun. A storage device is provided that is an inf file.

According to a twenty-fifth aspect of the present invention,
The first storage area and the second storage area are different partitions,
A switching program is provided that switches a partition that is a first storage area to an invisible state and then switches a partition that is a second storage area to a visible state.

According to a twenty-sixth aspect of the present invention,
A first controller that switches a storage area recognized by the terminal apparatus from a first storage area to a second storage area by receiving a switching command issued by the terminal apparatus according to the switching program; A storage device is provided.

According to a twenty-seventh aspect of the present invention,
When the first controller receives the switching command, a storage device is provided that changes the logical unit number of the first storage area and the logical unit number of the second storage area.

According to a twenty-eighth aspect of the present invention,
The switching program causes the terminal device to function as a maintaining unit that maintains the drive letter assigned to the storage device even if the storage region recognized by the terminal device is switched from the first storage region to the second storage region. A storage device is provided.

According to a twenty-ninth aspect of the present invention,
The switching program installs the information leakage prevention program stored in the first storage area in the terminal device, and then switches the storage area recognized by the terminal device from the first storage area to the second storage area. A storage device is provided.

According to a thirtieth aspect of the present invention,
Information leakage prevention program
Removal detecting means for detecting that the storage device is removed from the terminal device;
Provided is a storage device characterized in that when it is detected that the storage device has been removed from the terminal device, the terminal device functions as means for uninstalling programs and files installed from the storage device to the terminal device. Is done.

According to a thirty-first aspect of the present invention,
A third storage area storing a white list in which identification information of processes permitted to access the second storage area among processes executed in the terminal device is stored;
Information leakage prevention program
As an access restriction means for restricting access to the second storage area according to whether or not the identification information of the process executed in the terminal device matches the identification information registered in the white list, the terminal device is A storage device is provided that is functional.

According to a thirty-second aspect of the present invention,
The third storage area stores a black list in which identification information of processes to be canceled regardless of the access target among processes executed in the terminal device is registered.
Information leakage prevention program
Provided by a storage device that causes a terminal device to function as canceling means for canceling an operation by a process when the identification information of a process executed in the terminal device matches the identification information registered in the black list Is done.

According to a thirty-third aspect of the present invention,
Access restriction means
A storage device characterized by limiting access to a storage area of a storage device when the identification information of the process being executed in the terminal device is not registered in either the black list or the white list Is provided.

According to a thirty-fourth aspect of the present invention,
Further including authentication means for executing authentication processing using authentication information stored in advance in the storage device and authentication information input from an input means provided in the terminal device or the storage device, and when the authentication processing is successful, There is provided a storage device characterized in that the switching program switches the storage area recognized by the terminal device from the first storage area to the second storage area.

According to a thirty-fifth aspect of the present invention,
Further including authentication means for executing authentication processing using authentication information stored in advance in the storage device and authentication information input from an input means provided in the terminal device or the storage device, and when the authentication processing is successful, The information leakage prevention program provides a storage device characterized by causing a terminal device to function as release means for releasing the restriction on access to the storage device.

According to a thirty-sixth aspect of the present invention,
If the authentication information is not stored in the storage device in advance, the switching program provides a storage device that causes the terminal device to function as registration means for performing initial registration of the authentication information.

According to a thirty-seventh aspect of the present invention,
A storage device is provided in which the authentication information is terminal device registration information including one or more of a MAC address, a model number, a manufacturing number, and an IP address assigned to the terminal device.

According to a thirty-eighth aspect of the present invention,
A storage device is provided, wherein the authentication information is user registration information including one or more of an identifier for identifying a user, a password, a personal identification number, and biometric information.

According to a thirty-ninth aspect of the present invention,
A method for controlling a storage device detachable from a general-purpose interface provided in a terminal device,
The storage device
A first storage area and a second storage area that are alternatively recognized by the terminal device;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
With
When the terminal device is connected to the storage device, the step of reading and executing the startup file from the first storage area;
Executing the switching program according to the startup file;
And a step of switching the storage area recognized by the terminal device from the first storage area to the second storage area in accordance with the switching program.

According to a forty aspect of the present invention,
When connected to a terminal device in a storage device that is detachable from a general-purpose interface provided in the terminal device and includes a first storage area and a second storage area that are alternatively recognized by the terminal device A computer program stored in the first storage area together with an activation file for starting the computer program in the terminal device, and read from the first storage area when the storage device is connected to the terminal device When the computer program is activated by the terminal device according to the activation file, the terminal device functions as switching means for switching the storage area recognized by the terminal apparatus from the first storage area to the second storage area. A computer program is provided.

According to a forty-first aspect of the present invention,
The switching means installs the information leakage prevention program stored in the first storage area in the terminal device, and then switches the storage area recognized by the terminal device from the first storage area to the second storage area. A computer program is provided.

According to a forty-second aspect of the present invention,
Information leakage prevention program
Removal detecting means for detecting that the storage device is removed from the terminal device;
According to aspect 22, the terminal device functions as means for uninstalling a program and a file installed from the storage device to the terminal device when it is detected that the storage device has been removed from the terminal device. A computer program is provided.

According to a 43rd aspect of the present invention,
A terminal device for connecting a removable storage device to a general-purpose interface,
The storage device
A first storage area and a second storage area that are alternatively recognized by the terminal device;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
With
The terminal device
Means for reading a startup file from the first storage area and executing a switching program according to the startup file when the storage device is connected;
There is provided a terminal device comprising switching means for switching a storage area recognizable from the terminal device from the first storage area to the second storage area in accordance with the switching program.

According to a forty-fourth aspect,
The information leakage prevention program causes a terminal device to function as registry changing means for temporarily changing a registry in order to prevent leakage of a file by a file operation program or a mailer program registered in a white list. A storage device is provided.

According to a 45th aspect,
The information leakage prevention program monitors whether or not a file transmitted from a communication device to the outside is a file subject to information leakage in order to prevent file leakage by a file operation program registered in the white list. When a target file is designated as a transmission target, a storage device is provided that causes a terminal device to function as a transmission prohibition unit that prohibits the transmission of the target file.

According to a forty-sixth aspect,
The information leakage prevention program monitors whether or not the file written to the flexible disk drive is an information leakage target file, and when the information leakage target file is designated as a writing target, as a write prohibiting means for prohibiting the writing, There is provided a storage device characterized by functioning a terminal device.

According to the 47th aspect,
The information leakage prevention program functions the terminal device as a dialog prohibiting means for prohibiting the display of the dialog when the display of the dialog for copying the information leakage target file or a part thereof in the memory of the terminal device is designated. A storage device is provided.

According to the 48th aspect,
The information leakage prevention program monitors the drag and drop between a plurality of windows for the information leakage target file or a part thereof, and when drag and drop is designated, as a drag and drop prohibition means for prohibiting the execution thereof, There is provided a storage device characterized by functioning a terminal device.

According to the 49th aspect,
An information leakage prevention program causes a terminal device to function as a clipboard exclusive means for preventing copying of an information leakage target file or a part thereof to the clipboard by monopolizing use of the clipboard Is provided.

According to the 50th aspect,
In a storage device connected to an information processing device via a general-purpose interface,
A first storage area for storing first information;
A second writable storage area for storing editable second information,
The first information is
An information leakage prevention program for controlling the handling of the second information in order to prevent the leakage of the second information;
There is provided a storage device including a startup file for starting a previous information leakage prevention program in an information processing device.

According to the 51st aspect,
Information leakage prevention program
Connection determination means for determining whether or not the information processing apparatus can connect to a predetermined server;
If the information processing apparatus can be connected to the predetermined server, the first information received from the predetermined server is applied to the second information. If the information processing apparatus is not connectable to the predetermined server, the first information There is provided a storage device characterized by causing an information processing device to function as information switching means for applying first information stored in a storage area to second information.

According to the 52nd aspect,
Information leakage prevention program
User determination means for determining whether a single individual uses the storage device;
If a single individual uses the storage device, the first information stored in the first storage area is applied to the second information, unless the single individual uses the storage device. There is provided a storage device characterized by causing an information processing device to function as information switching means for applying first information received from a predetermined server to second information.

According to the 53rd aspect,
Information leakage prevention program
Determining means for determining whether a predetermined single information processing device uses a storage device or a plurality of predetermined information processing devices use a storage device;
If a single information processing device uses a storage device, the first information stored in the first storage area is applied to the second information, and a plurality of information processing devices use the storage device. In this case, a storage device is provided in which the information processing apparatus functions as information switching means for applying the first information received from a predetermined server to the second information.

According to the 54th aspect,
The first information is
Identification information of a plurality of information processing devices capable of reading the second information from the second storage area and storing the second information in the nonvolatile storage means;
Each of the plurality of information processing devices includes time zone information indicating a time zone in which the second information can be read from the second storage area and stored in the nonvolatile storage means,
Information leakage prevention program
A storage device is provided that restricts the handling of the second information by the information processing device based on time zone information corresponding to the identification information of the information processing device to which the storage device is connected.

According to the 55th aspect,
The first information is
There is provided a storage device including user settings that define handling of second information corresponding to each of a plurality of users.

According to a 56th aspect,
The first information is
A storage device is provided that includes a user setting that defines the handling of the second information for each user group of one or more users.

  According to the first, eighteenth to twenty-first and fifty-first aspects, it is possible to prevent leakage of important information in the storage device from the information processing device to which the storage device can be connected via the general-purpose interface.

  According to the second aspect, the burden on the user for starting the information leakage prevention program can be reduced.

  According to the 3rd viewpoint, it becomes easy to maintain the information required for information leakage prevention in the newest information. Since information necessary for preventing information leakage can be updated remotely from the server, it is possible to provide flexibility in managing the security of the storage device.

  According to the 4th viewpoint, it can prevent leaking other than an object person further.

  According to the fifth aspect, it is possible to prohibit storage in a non-volatile storage device such as a hard disk while allowing the information processing device to browse the second information.

  According to the sixth aspect, the second information edited in the information processing apparatus can be stored in the second storage area. Thereby, it is possible to update the second information using various information processing devices while suppressing information leakage.

  According to the seventh aspect, when the storage device is removed from the information processing apparatus, information leakage can be suppressed by uninstalling the first information and the second information from the information processing apparatus.

  According to the eighth aspect, when the storage destination of the second information is specified, the second information can be set as a storage destination other than the second storage area. Exceptionally, if the storage location of the second information is specified, the convenience of the user will be secured by allowing the storage of the information in the storage location.

  According to the ninth aspect, it is possible to distribute the second information on the network through the information processing apparatus.

  According to the tenth aspect, the second information can be prohibited from being stored in the information processing apparatus, and can be prevented from leaving the data in the USB memory remaining.

  According to the eleventh aspect, since the means for monitoring and controlling the program operation of the information processing apparatus operates in the kernel mode, information leakage can be efficiently prevented on the computer.

  According to the twelfth aspect, when there is a registry change, information leakage and registry alteration can be suppressed by returning the registry to the information before the change.

  According to the thirteenth aspect, it is possible to suppress the second information from being leaked by being transmitted by e-mail or being used as wallpaper.

  According to the fourteenth to fifteenth aspects, information leakage can be suppressed by disabling a device that may cause information leakage in advance.

  According to the sixteenth to seventeenth aspects, operations that cause information leakage of all or part of the second information, such as dialog display, drag and drop, and a clipboard, can be suppressed.

  According to the nineteenth and twentieth aspects, when a plurality of users use the information processing apparatus, it is possible to prevent the other person's data file from being leaked by mistake.

  According to the twenty-second, thirty-ninth, forty-first and forty-third aspects of the present invention, when the storage device is connected to the terminal device, the storage area is automatically switched, so that the burden on the user will be reduced. That is, since the first storage area and the second storage area are alternatively recognized by the terminal device, the influence on the terminal device will be reduced.

  According to the twenty-third aspect, it is possible to prevent information leakage by making the first storage area only readable and allowing the second storage area to be read and written. Generally, confidential information and the like are stored in a second storage area that can be read and written. If the switching program is not installed, the second storage area in which confidential information or the like is stored is a terminal device. It is because it is not recognized by.

  According to the twenty-fourth aspect, widely used autorun. Since the inf file is used, a storage device can be provided easily, accurately, and at low cost.

  According to the twenty-fifth aspect, since the plurality of storage areas are realized by partitions, the present invention can be realized without depending on hardware such as a memory included in the storage device. Further, there is an advantage that the second storage area can be easily changed in size or divided into partitions.

  According to the twenty-sixth aspect, since the first and second storage areas are secured on physically different memories, it is easy to suppress viewing except for the second storage area. When a plurality of storage areas are secured by the partition technology, the plurality of storage areas are simultaneously recognized by the terminal device by making the partition visible. Therefore, if a configuration in which the memory is physically switched is adopted, it is extremely difficult to recognize a plurality of storage areas at the same time.

  According to the twenty-seventh aspect, the storage area can be switched relatively easily by simply changing the logical unit number.

  According to the twenty-eighth aspect, since the drive letter is maintained, the user does not have to worry about the storage area being changed. In addition, the drive letter is less likely to be exhausted.

  According to the twenty-ninth and forty-first aspects, since the second storage area can be recognized after the information leakage prevention program is installed in the terminal device, it is easy to suppress information leakage related to the second storage area. That is, if the information leakage prevention program is not installed, the second storage area cannot be recognized.

  According to the thirtieth and forty-second aspects, when the storage device is removed from the terminal device, since all related programs and files are deleted, information leakage is suppressed.

  According to the thirty-first aspect, since a process not registered in the white list can be restricted from accessing the second storage area, a situation in which information is leaked by an unintended process can be suppressed.

  According to the thirty-second aspect, since the process registered in the black list is prohibited from accessing, it becomes easy to protect the storage device and the terminal device from malicious viruses and the like.

  According to the thirty-third aspect, since it is possible to limit the process not registered in the white list or the black list from accessing the second storage area, it is possible to limit access other than the process that is intentionally permitted by the user. .

  According to the thirty-fourth aspect, since the access to the second storage area is not permitted unless the authentication is successful, the possibility of information leakage can be further reduced.

  According to the thirty-fifth aspect, if the authentication is not successful, the restriction on access to the second storage area is not lifted, so that the possibility of information leakage can be further reduced.

  According to the thirty-sixth aspect, authentication information can be initially registered when no authentication information is registered.

  According to the thirty-seventh and thirty-eighth aspects, since the unique information of the terminal device and the user is used, it is expected to improve the security of the authentication process.

  According to the forty-fourth aspect, file leakage caused by a file operation program that must be registered in the white list can be prevented.

  According to the forty-fifth aspect, file leakage via a communication device by a file operation program that must be registered in the white list can be prevented.

  According to the forty-sixth aspect, file leakage through a flexible disk drive that may occur under special circumstances can be prevented.

  According to the forty-seventh aspect, by prohibiting the display of a predetermined dialog, the information leakage target file or a part thereof can be prevented from being copied on the memory of the terminal device.

  According to the forty-eighth aspect, information leakage due to drag and drop between a plurality of windows of an information leakage target file or a part thereof can be prevented.

  According to the forty-ninth aspect, by monopolizing the use of the clipboard, it is possible to prevent the information leakage target file or a part thereof from being copied to the clipboard.

  According to the fifty-first aspect, information leakage can be prevented according to information held in the server if it can be connected to the server, and information leakage can be prevented according to the information in the storage device if it is not connectable to the server. For example, in an environment where connection to a server is not possible, it is possible to apply stricter access restrictions.

  According to the 52nd and 53rd aspects, the security level can be changed depending on whether a single individual uses or a group of a plurality of individuals uses.

  According to the 54th aspect, it is possible to change the security level according to the time zone in which the storage device is connected to the information processing device.

According to the fifty-fifth aspect, when a plurality of users use a storage device, the security level can be changed for each user.
According to the 56th viewpoint, it becomes possible to change a security level for every user group.

It is a schematic block diagram which shows the USB storage device which is embodiment of the memory | storage device which concerns on this invention, and the terminal device connected to it. 3 is a diagram illustrating an example of a storage area secured in the flash memory 15 according to the first embodiment and data, software, and an installer stored in the storage area. FIG. It is the flowchart which showed an example of the area | region change process which concerns on an Example. It is a figure which shows an example of the management information of the storage area which the terminal device which concerns on an Example acquired. It is a figure which shows an example of the management information of the storage area which the terminal device which concerns on an Example acquired. It is a figure which shows an example of the 1st storage area recognized by the terminal device which concerns on an Example. It is a figure which shows an example of the 2nd storage area recognized by the terminal device which concerns on an Example. 10 is a flowchart illustrating an example of an uninstall process executed when the USB storage device 10 according to the embodiment is removed from the terminal device 20. It is a figure which shows an example of the management information (management table) of LUN which concerns on an Example. It is a figure which shows the management table (initial value) before rewriting LUN. It is a figure which shows the management table after rewriting LUN. It is a figure which shows an example of the management table (initial value) which concerns on an Example. It is a figure which shows an example of the management table (after rewriting) which concerns on an Example. It is a figure which shows an example of the memory content of the memory | storage device which concerns on an Example, and the memory content of a terminal device. 10 is a flowchart illustrating an example of a storage area switching method according to the third embodiment. It is a figure which shows an example of a white list. It is a figure which shows an example of a black list. It is the flowchart which showed an example of operation | movement of a use restriction function. It is a figure which shows an example of the event which a kernel part processes. It is the figure which showed the sequence from a kernel part being started until it reaches a steady state. 20 is a flowchart showing the operation of the third event shown in FIG. 20 is a flowchart showing the operation of the fourth event shown in FIG. 20 is a flowchart showing the operation of the fifth event shown in FIG. 20 is a flowchart showing the operation of the sixth event shown in FIG. It is a table | surface which shows the control means in the user part which concerns on Example 4, its representative example, and a control reason. It is the sequence diagram which showed an example of the group management which concerns on embodiment. It is the figure which showed the USB memory eigenvalue table memorize | stored in HDD25 of a server apparatus. It is the figure which showed the PC eigenvalue table memorize | stored in HDD25 of a server apparatus. It is the figure which showed the user table memorize | stored in HDD25 of a server apparatus. It is the figure which showed the group table memorize | stored in HDD25 of a server apparatus. It is the flowchart which showed an example of operation | movement of the terminal device 20 to which the host PC registration information 18-1 is applied. It is the sequence figure which showed registration of host PC registration information 18-1. It is the sequence figure which showed the modification until registration of the host PC registration information 18-1.

  An embodiment of the present invention is shown below. The individual embodiments described below will help to understand various concepts, such as the superordinate concept, intermediate concept and subordinate concept of the present invention. Further, the technical scope of the present invention is determined by the scope of the claims, and is not limited by the following individual embodiments.

  FIG. 1 is a schematic configuration diagram showing a USB storage device which is an embodiment of a storage device according to the present invention and a terminal device connected thereto. Although a USB storage device in which a memory is integrated with a USB interface that is a general-purpose interface will be described here, the present invention can be applied to a USB storage device that employs a storage medium other than a memory. Further, the interface with the terminal device is not limited to the USB interface, and may be IEEE 1394, wireless USB, or the like.

  The USB storage device 10 is an example of a storage device that can be attached to and detached from a general-purpose interface included in a terminal device, and includes a controller 12, a USB interface 13, a light emitting diode (LED) 14, a flash memory 15, and a fingerprint authentication device 11. Yes.

  The controller 12 includes a memory control unit 12-1, a memory information storage unit 12-2, a USB interface control unit 12-3, and an LED control unit 12-4. The memory control unit 12-1 reads, writes, and deletes data from the flash memory 15 in accordance with instructions received via the USB interface 13. The memory information storage unit 12-2 stores information on a plurality of storage areas secured in the flash memory 15 (eg, partition size, drive letter, etc.). The USB interface control unit 12-3 controls each unit of the USB interface 13 described later. The LED control unit 12-4 controls light emission of the LED 14 described later.

  The USB interface 13 communicates with the terminal device 20 such as a personal computer via the USB bus 31. The USB interface 13 includes a packet transmission / reception unit 13-1, a serial / parallel conversion unit 13-2, a packet generation / decomposition unit 13-3, and a USB bus power control unit 13-4. The packet transmitting / receiving unit 13-1 is connected to a USB connector (not shown) and transmits / receives a packet based on the USB standard. The serial / parallel conversion unit 13-2 converts serial data and parallel data into each other. The packet generation / decomposition unit 13-3 generates a packet for communicating with the terminal device and decomposes the packet to extract data. The USB bus power control unit 13-4 manages the power supplied from the terminal device and distributes the power to each unit of the USB storage device 10.

  The LED 14 is a light emitter that lights up when a file is being read from, written to, or deleted from the flash memory 15. The user is informed that reading, writing, and deletion of a file from the flash memory 15 are being executed.

  The flash memory 15 is a semiconductor memory that does not require a memory holding operation, and can store files and information. The stored data can be read, written, and deleted by the memory control unit 12-1. The flash memory 15 may be replaced with another storage element that requires a storage holding operation.

  The fingerprint authentication device 11 is a device that performs user authentication by reading a fingerprint. The fingerprint authentication device 11 may be replaced with an authentication device that performs other biometrics. This fingerprint authentication device 11 is a so-called option and is not necessary when fingerprint authentication is not included in user authentication. On the other hand, just because the fingerprint authentication device 11 is mounted on the USB storage device 10, the user authentication need not be limited to fingerprint authentication. That is, the authentication function of the fingerprint authentication device 11 may be invalidated, and other authentication methods may be adopted in addition to invalidation. For example, information received from the terminal device 20 by previously storing terminal device registration information including one or more of the MAC address, model number, serial number, and IP address assigned to the terminal device in the flash memory 15 Authentication may be performed by comparing with. In addition, user registration information including one or more of an identifier for identifying a user, a password, a personal identification number, and biometric information is stored in advance in the flash memory 15 and compared with information received from the terminal device 20. Thus, authentication may be performed. There are two types of general fingerprint authentication devices: one that internally authenticates and transmits an authentication result to the terminal device side, and one that transmits fingerprint data to the terminal device side and performs authentication on the terminal device side. In the present invention, either may be adopted.

  The terminal device 20 is a connection destination of the USB storage device 10 and is, for example, a personal computer. The terminal device 20 includes, for example, a CPU 21, ROM 22, RAM 23, disk controller 24, hard disk drive (HDD) 25, CD / DVD drive 26, monitor 27, pointing device 28, USB interface 29, and system bus 30.

  The CPU 21 is a processor that controls each unit based on computer programs stored in the ROM 22 and the HDD 25. A RAM (Random Access Memory) 23 functions as a work area. A ROM (Read Only Memory) 22 is a non-volatile storage element and stores firmware and the like. The disk controller 24 controls reading and writing with respect to the HDD 25 and the CD / DVD drive 26. The HDD 25 stores an operating system, application programs, and the like. A storage area switching program and an information leakage prevention program transferred from the USB storage device 10 are also stored in the HDD 25. The CPU 21 and each unit execute transmission and reception of commands and data via the system bus 30.

  The USB interface 29 is connected to the USB interface 13 in the USB storage device 10 via the USB bus 31. That is, the terminal device 20 and the USB storage device 10 transmit and receive data bidirectionally via the USB bus 31.

  In the following description, it is assumed that the terminal device 20 is a personal computer. However, if the terminal device 20 is a device having an arithmetic processing capability equal to or higher than that of a general personal computer, the type of The model is not limited. For example, an information processing apparatus that does not pass through a network may be used.

[Example 1]
FIG. 2 is a diagram illustrating an example of a storage area secured in the flash memory 15 according to the first embodiment and data, software, and an installer stored in the storage area. In particular, in the first embodiment, the first storage area 16 and the second storage area 17 that are alternatively recognized by the terminal device 20 are secured in the USB storage device 10. There are several methods for securing a plurality of storage areas in this way.

  For example, there is a method of dividing the flash memory 15 as a single device into two areas (first storage area 16 and second storage area 17) on software. Note that an area that can only be read is the first storage area 16, and an area that can be read and written is the second storage area 17.

  The second method of dividing the area is a method of securing two storage areas by dividing a plurality of flash memories on software as necessary. For example, when there are four flash memory elements, the first flash memory element may be assigned to the first storage area 16 and the remaining three flash memory elements may be assigned to the second storage area 17.

  As a method for selectively recognizing a plurality of areas from the CPU 21 (operating system: OS) of the terminal device 20, there is a method using a LUN (logical unit number). The LUN is an address (in a broad sense) given to identify each logical device in a device having a plurality of accessible logical devices, although it is one target. The OS (and its driver, and so on) recognizes a logical drive to which one LUN is assigned as one physical drive to which a drive letter is assigned. If a plurality of LUNs are allocated to a single device, physical drives can be created for the number of allocated LUNs.

  In the present invention, a LUN is assigned to each of a plurality of accessible logical devices (first storage area, second storage area, and (secret area)), so that one target USB storage device is assigned to a plurality of logical devices. The OS can be recognized as a device having a drive (physical drive).

  Among the plurality of storage areas, the first storage area 16 is a storage area that is recognized by default when the USB storage device 10 is connected to the terminal device 20, and includes a software unit 16-1 a and The automatic installer 16-2 is stored.

  The software unit 16-1a includes a plurality of computer programs and other files such as one or more application programs and setting files thereof. The application program includes at least a storage area changing program for switching a storage area recognized by the terminal device 20. That is, the storage area change program is a computer program that switches the storage area stored in the first storage area 16 and recognized by the terminal device 20 from the first storage area 16 to the second storage area 17.

  The automatic installer 16-2 is an installer program (for example, autorun.inf or setup.exe) that installs (stores) the software unit 16-1a in the terminal device 20. The software unit 16-1a and the automatic installer 16-2 may be any one that can perform an installation operation in conjunction with each other. That is, the software storage format is not particularly important for the present invention, and the automatic installer 16-2 can be of any format as long as the software unit 16-1a can be installed in the terminal device 20.

  For example, when the software unit 16-1a is a single file compressed in an archive format or the like, autorun. The CPU 21 activates the automatic installer 16-2 according to the activation file such as inf. autorun. An activation file such as inf is software for storing a switching program in the terminal device 20 when the storage device (USB storage device 10) is connected to the terminal device 20 and stored in the first storage area 17. .

  The activated automatic installer 16-2 decompresses the compressed software section 16-1a and expands it to a directory on the HDD 25. On the other hand, if the software unit 16-1a is stored without compression, the activated automatic installer 16-2 copies the software unit 16-1a to the HDD 25 of the terminal device 20 as it is.

  On the other hand, the software unit 16-1a may be a self-extracting executable file. In this case, autorun. There is an advantage that the automatic installer 16-2 can be made unnecessary except for a startup file such as inf. In the following embodiment, the description will proceed on the assumption that the automatic installer 16-2 is necessary for installing the software section 16-1a.

  The second storage area 17 stores a user use file 17-1 which is data (eg, document file, image file, program file, etc.) used by operating the terminal device 20 connected by the user.

  The HDD storage area 25-1 is a storage area secured in the HDD 25 included in the terminal device 20. The software unit 25-2a is obtained by installing the software unit 16-1a in the first storage area 16 in the HDD storage area 25-1. The software unit 25-2a includes a program execution unit 25-4a. The program execution unit 25-4a is included in, for example, a storage area change program, an automatic uninstallation program that deletes part or all of the software when the USB storage device 10 is removed, and the software unit 25-2a A check program for confirming the operation of the application program. The reason why the check program is necessary is as follows. In this embodiment, since the application program stored in the USB storage device 10 is automatically installed by autorun, it is difficult to manually reinstall it when installation fails. Therefore, a check program is required to check whether installation is successful. If the installation is not successful, the check program activates the automatic installer 16-2 again.

  FIG. 3 is a flowchart illustrating an example of the area changing process according to the embodiment. The area change process is started when the USB storage device 10 is connected to the terminal device 20.

  In step S <b> 301, the OS (CPU 21) of the terminal device 20 starts communication with the controller 12 of the USB storage device 10 connected via the USB bus 31. Here, first, the OS acquires device information of the USB storage device 10 by a device information acquisition command included in a device driver for controlling the USB storage device 10. For example, a command from the OS is converted into a SCSI command or the like via a device driver and is executed by a USB controller. The controller 12 of the USB storage device 10 receives this command via the USB interface 13 and returns device information stored in the controller 12.

  This device information acquisition command is, for example, a command represented by a Get_Descriptor command (a USB standard command included in a USB standard device). The device information transmitted from the USB storage device 10 to the terminal device 20 is, for example, a descriptor of a connected USB device (USB storage device 10). The descriptor is stored in the management area of the USB storage device 10 (not shown). The following discussion will focus on USB standard commands and SCSI commands. Of course, anything that can be defined and used as a subclass, such as ATAPI, may be used. Moreover, you may transmit / receive a command via one or more well-known command conversion means on the way for every subclass.

  In step S <b> 302, the OS (CPU 21) transmits an address setting command represented by the SET Address command (a command for querying the address of the USB storage device 10) to the USB storage device 10, and receives the address setting from the USB storage device 10. . Thereafter, the OS transmits a frame according to the received address setting.

  In step S <b> 303, the OS (CPU 21) acquires the value of the logical unit number (LUN) from the USB storage device 10 using a logical drive number acquisition command typified by the “Get Max Logical Unit Number API” command. By default, the controller 12 of the USB storage device 10 returns information indicating that the value of the logical unit (LUN) in the first storage area 16 is 1.

  In step S304, the OS (CPU 21) obtains the format information of the first storage area 16 by using a format information acquisition command represented by an inquiry command (this is a SCSI command). The controller 12 of the USB storage device 10 returns ISO 9660 indicating that the format information is a CD-ROM. The OS recognizes that the first storage area 16 is a CD-ROM drive based on the received format information (for example, ISO 9660).

  FIG. 4 is a diagram illustrating an example of storage area management information acquired by the terminal device according to the embodiment. FIG. 4 shows that the LUN of the first storage area is 0, the format is ISO9660, recognizable from the OS, the class is mass storage, and the subclass is SCSI.

  According to FIG. 4, since the LUN is not set in the second storage area 17, it is not recognized as a drive from the OS side.

  In step S305, the OS (CPU 21) activates the automatic installer 16-2 from the first storage area 16 recognized as a drive, and moves the software unit 16-1a to the storage area of the HDD 25 according to the activated automatic installer 16-2. Install to 25-1. For example, the CPU 21 performs autorun. Read inf and start the automatic installer described there. Here, auto-run installation is used as an example of automatic installation, but other automatic installation techniques may be used.

  Note that the file installed at this time may be only a part of the software unit 16-1a. As an example in which all programs and software are not installed, a limited-time distribution program is stored in the software section 16-1a, and the date and time of the connection destination PC is checked at the time of installation. For example, the installation can be continued if there is, and the program is not installed if it is out of the period.

  In step S306, the OS (CPU 21) activates the storage area changing program (program execution unit 25-4a) included in the software unit 25-2a in accordance with the activated automatic installer 16-2.

  In step S307, the storage area change program (CPU 21) starts switching of storage areas. For example, the CPU 21 transmits to the USB storage device 10 a recognition flag rewrite command for rewriting the recognition flags (recognizable / impossible) of the first storage area and the second storage area. When receiving the recognition flag rewrite command, the controller 12 of the USB storage device 10 rewrites the recognition flag in the first storage area 16 to be unrecognizable and rewrites the recognition flag in the second storage area 17 to be recognizable. Further, the controller 12 rewrites the LUN of the first storage area 16 from “0” to “null”, and then rewrites the LUN of the second storage area 17 from “null” to “0”. As a result, the first storage area 16 is released, and the second storage area 17 is recognized by the OS of the terminal device 20.

  FIG. 5 is a diagram illustrating an example of storage area management information acquired by the terminal device according to the embodiment. According to FIG. 5, the recognition flag of the second storage area is changed to “permitted”, and the LUN is also assigned to “0”. Conversely, the recognition flag of the first storage area is changed to “impossible”, and the LUN is also assigned to “null”.

  In step S308, the storage area changing program (CPU 21) determines whether or not the drive letters in the first storage area 16 and the drive letters in the second storage area 17 are the same. It is assumed that whether or not they are the same is stored in advance in a setting file or the like. For example, a setting item as to whether or not to use the same drive letter is provided in the list of LUNs managed by the OS (CPU 21), and the setting item is set in advance according to the user's request.

  If the drive letters are the same, the process proceeds to step S309. If different drive letters are used, the process proceeds to step S310.

  In step S309, the storage area changing program (CPU 21) executes drive letter identification processing. For example, a drive letter is fixed by a batch file in which a “Subst” command that is an MS-DOS command is described. It is assumed that this batch file is also stored in the USB storage device 10 in advance. On the other hand, the storage area changing program (CPU 21) may display a dialog on the monitor 27 to inquire the user whether or not to store the same drive letter, and execute the identification process based on the inquiry result. Further, the storage area changing program (CPU 21) may inquire the user of the drive letter to be assigned and assign the drive letter input from the input device such as a keyboard to the second storage area 17. In this case, the user may input the drive letter assigned to the first storage area 16.

  In step S310, the storage area changing program (CPU 21) releases the recognition of the first storage area 16. For example, the CPU 21 also rewrites the LUN of the first storage area 16 stored on the OS side from “0” to “null”. As a result, the OS cannot recognize the first storage area 16.

  In step S <b> 311, the storage area change program (CPU 21) starts recognition processing for the second storage area 17. For example, the CPU 21 rewrites the LUN of the second storage area 17 from “null” to “0”. As a result, the OS can recognize the second storage area 16.

  According to FIG. 5, the OS recognizes the second storage area 17 as a removable disk drive formatted with FAT. This removable disk area includes a user use file 17-1.

  Here, ISO9660 is given as the format information recognized as the CD-ROM area, and FAT is given as the format information recognized as the removable disk area. Of course, these are merely examples.

  In this embodiment, the storage area is switched by rewriting the LUN and the recognition flag. However, the management information in the USB storage device 10 is directly or indirectly used to store the first storage area 16. The second storage area 17 may be recognized by releasing the recognition. For example, if a USB device release command is applied to the first storage area 16 and an initialization command is applied to the second storage area 17 immediately thereafter, the storage area can be switched.

  In addition, two pieces of management information are prepared in advance, and when the USB storage device 10 is first connected to the terminal device 20, the first management information is used. It may be changed. It is assumed that the LUN value and the management information read first are reset each time. This is because the information about the first storage area 16 and the second storage area 17 acquired by the OS is uninstalled when the USB storage device 10 is removed from the terminal device 20, and the subsequent reconnection is performed. This is because the OS acquires the information of the USB storage device 10 again.

  As described above, according to the present embodiment, the terminal device 20 has a form in which the CD-ROM drive and the removable disk are switched in a pseudo manner. That is, the CD-ROM area and the removable area included in the USB storage device are not recognized at the same time. Further, if the drive letters of the CD-ROM area and the removable area are the same, the user can be made to recognize in a pseudo manner that one added drive is replaced from the CD-ROM area to the removable area.

  FIG. 6 is a diagram illustrating an example of the first storage area recognized by the terminal device according to the embodiment. FIG. 7 is a diagram illustrating an example of the second storage area recognized by the terminal device according to the embodiment. Comparing the two, it can be seen that the drive letters match even though the actual storage area is switched. It can be understood that the storage areas are switched because the contents of the stored files are different.

  FIG. 8 is a flowchart illustrating an example of the uninstall process executed when the USB storage device 10 according to the embodiment is disconnected from the terminal device 20. Here, it is assumed that the above-described automatic installer is resident and the automatic installer executes an uninstallation process.

  In step S <b> 801, the automatic installer (CPU 21) monitors whether the USB storage device 10 has been removed from the terminal device 20. If it is detected that it has been removed, the process proceeds to step S802. Thus, the CPU 21 is an example of a removal detection unit that detects that the storage device has been removed from the terminal device.

  In step S <b> 802, the CPU 21 checks whether an application program using a file stored in the storage area of the flash memory 15 included in the USB storage device 10 is operating. If an operating application program remains, the process proceeds to step S803. If an operating application program does not remain, the process proceeds to step S804.

  In step S803, the CPU 21 terminates all the application programs that are operating. At this time, the CPU 21 may display a dialog indicating automatic termination on the monitor 27. For example, a dialog “The storage device has been removed. This application will be forcibly terminated” is displayed.

  In step S804, the CPU 21 checks whether or not there remains an active window for operating the file in the storage area of the USB storage device 10. If an active window remains, the process proceeds to step S805, and if no active window remains, the process proceeds to step S806.

  In step S805, the CPU 21 automatically ends the window operation (closes the window). Also at this time, a dialog indicating that the window is closed may be displayed on the monitor 27.

  In step S <b> 806, the CPU 21 uninstalls (deletes) the program or file installed from the USB storage device 10 to the terminal device 20. For uninstallation, a deletion function provided in the automatic installer may be used. Also, the CPU 21 automatically deletes files copied from the USB storage device 10 to the terminal device 20. Note that the file data from the second storage area 17 stored in the RAM 23 is edited and stored again in the RAM 23. When the user instructs storage in the USB storage device 10, the edited data is stored in the area 2 of the USB storage device 10 and is overwritten or newly stored. When the USB storage device 10 is removed, the data in the RAM 23 is cleared. In addition, documents and images based on the data in the RAM 23 can be viewed on the monitor 27 before and after editing. As will be described later, if the terminal device 20 is not registered as a target host by the USB storage device 10, a document or an image based on the data in the RAM 23 can be viewed but not stored in the HDD 25 and transmitted to the network by mail. I can't do that either. Therefore, when the USB storage device 10 is removed from the terminal, nothing remains in the terminal or elsewhere, so that data in the USB storage device 10 is not duplicated or leaked.

  For example, it is assumed that all necessary programs and files are stored in a directory “Soft-a” and the automatic installation work is a copy of the entire directory “Soft-a”. For example, E: \ Soft-a => C: \ Program Files \ Soft-a. In this case, the CPU 21 deletes this directory (C: \ Program Files \ Soft-a). The same applies to the case of an automatic decompression archive (for example, the directory Soft-b is generated by unpacking Soft-b.exe and copied to C: \ Program Files \ Soft-b).

  Some files and programs may be excluded from being deleted or uninstalled. For example, the USB storage device 10 is used for distribution of multimedia files typified by moving image files. A dedicated player (software) is installed in the first storage area 16 and the moving image files are installed in the second storage area 17. Assume that Furthermore, in the case where a service for distributing a moving image corresponding to a dedicated player on the web is provided at a later date, an operation example in which the dedicated player is left without being uninstalled is considered.

  In this embodiment, the software stored in the first storage area may be anything that can be automatically installed and executed in the terminal device 20. For example, reproduction software for viewing a moving image file on the terminal device 20 and a codec set necessary for reproducing the moving image file are stored in the USB storage device 10, and these are automatically installed. Further, for example, an operation in which a movie digest movie or a game trailer movie is stored in the second storage area and viewed by the user can be considered. These are only examples, and the present invention does not depend on what the application is.

  As described above, when the USB storage device 10 is connected, the terminal device 20 reads the startup file from the first storage area 16 and executes it to start the switching program, and the storage recognized by the terminal device. It functions as switching means for switching the area from the first storage area to the second storage area 17. The CPU 21 is an example of means for uninstalling a program and files installed from the storage device to the terminal device when it is detected that the storage device has been removed from the terminal device.

[Example 2]
In the embodiment described above, the LUN change and the recognition flag change are used to switch the recognizable storage area, but only one of them may be used.

  First, a LUN management method in the USB storage device 10 will be described. The LUN is managed as a table in the controller 12 in the USB storage device 10.

  FIG. 9 is a diagram illustrating an example of LUN management information (management table) according to the embodiment. In this example, it is assumed that three storage areas A, B, and C are provided in the USB storage device 10. As can be seen from FIG. 9, the LUN is allocated to each storage area. The management table includes items such as the format, class, and subclass of each storage area. The internal storage area of the controller 12 that stores the management table is called a memory information storage unit 12-2. As described above, the OS (CPU 21) of the terminal device 20 also acquires the contents of this management table and defines the drive.

  First, when the USB storage device 10 is connected to the terminal device 20, a “logical address” is allocated from the OS as information associated with the LUN. Here, “logical address” and “physical address” refer to a logical storage area address and a physical storage area address in the virtual storage space, respectively. Normally, the USB storage device 10 can read and write files only after the logical address and the physical address are associated with each other.

  A certain number of “logical addresses” are assigned in a configuration unit designated in advance in accordance with the total storage capacity of the USB storage device 10. Simultaneously with the logical address assignment, the “logical address” is associated with the “physical address” in the physical storage area in the storage device. This association is executed by the memory control unit 12-1 included in the controller 12 using the management table. The association is also performed when no LUN is allocated.

  A method for switching the recognized storage area by rewriting the LUN will be described below.

  FIG. 10 is a diagram showing a management table (initial value) before rewriting the LUN. That is, each time the USB storage device 10 is connected to the terminal device 20, the management table is initialized to the initial value. Thus, each time the USB storage device 10 is connected to the terminal device 20, the initial value management table is called first. According to FIG. 10, since the LUN of the first storage area 16 is set to 0 and the LUN of the second storage area 17 is set to null (NUL), only the first storage area 16 is stored. Will be recognized.

  FIG. 11 is a diagram illustrating the management table after rewriting the LUN. When the storage area change described above is executed, the LUN of the first storage area 16 is changed from 0 to NULL, and the LUN of the second storage area 17 is changed from NULL to 0. In this case, since there is no LUN in the first storage area, the first storage area is not treated as a drive by the OS and is not recognized by the OS.

  Next, the controller 12 transmits a signal for causing the second storage area 17 to be pseudo-recognized via the USB interface 13 to the OS (terminal device 20). The OS (CPU 21) transmits a series of commands and acquires information regarding the second storage area 17 in the same manner as when the first storage area 16 is recognized. These commands include, for example, the following commands.

○ Device information acquisition command "Get_Descriptor command"
○ Address setting command “SET Address command”
○ Logical drive number acquisition command “Get Max Logical Unit Number API command” (not required when recognizing the recognition flag)
○ Format information acquisition command “Inquiry command”
With these series of commands, the OS acquires information managed by the management table from the USB storage device 10. Of course, if there is a command necessary for the OS side to recognize the storage area as a drive according to the use environment, it may be used at the same time.

  The OS (CPU 21) recognizes the second storage area 17 as a drive by receiving a reply to the above command from the USB storage device 10.

  Next, a storage area switching method using the recognition flag will be described. The recognition flag is a flag indicating whether or not the OS recognizes the logical drive of the USB storage device 10 as a drive.

  FIG. 12 is a diagram illustrating an example of a management table (initial value) according to the embodiment. According to FIG. 12, although the LUNs are assigned to the two storage areas, the recognition flag of the storage area A is “permitted” and the recognition flag of the storage area B is “impossible”. Therefore, the controller 12 associates the logical first storage area address with the physical first storage area A address (address mapping).

  FIG. 13 is a diagram illustrating an example of a management table (after rewriting) according to the embodiment. Compared to FIG. 12, the recognition flag is rewritten in FIG. That is, the recognition flag of the storage area A is “impossible” and the recognition flag of the storage area B is “possible”. In this case, the controller 12 changes the address mapping to associate the logical first storage area address with the physical second storage area B address. Thus, the recognizable storage area can be changed using only the recognition flag.

  As described above, the controller 12 receives the switching command (eg, command) issued by the terminal device 20 in accordance with the switching program, so that the storage area recognized by the terminal device is changed from the first storage area to the second storage area. It functions as a first controller to switch to. The controller 12 is also an example of a controller that switches the address mapping between the memory corresponding to the first storage area and the memory corresponding to the second storage area when receiving the switching command.

  Note that the recognizable storage area can be changed using a filter driver (Japanese Patent Laid-Open No. 2007-272430). By controlling the SCSI command response to the controller 12, the filter driver sequentially responds to various commands from the OS based on the management information in the management table (FIGS. 10 to 13). The filter driver is also an example of a storage area changing program installed from the USB storage device 10 to the terminal device 20.

  In addition, the first storage area 16 and the second storage area 17 are secured by different partitions, and after the storage area change program switches the partition that is the first storage area to an invisible state, the second storage area The partition that is may be switched to the visible state. Thus, the recognizable storage area can be switched by changing the visibility of the partition.

[Example 3]
In the present embodiment, after the security software stored in the first storage area 16 is installed in the terminal device 20, the storage area recognized by the terminal apparatus is changed from the first storage area to the second storage area. A method for switching to will be described. As security software, for example, there is an information leakage prevention program, which includes a storage area changing program.

  In the present invention, a method for installing the security software in the terminal device 20 after causing the terminal device 20 to recognize the first storage area and switching to the second storage area is described. It is not limited.

  For example, it is possible to install the security software in the terminal device 20 after making the terminal device 20 recognize both the first storage area and the second storage area. As a result, regardless of the method for causing the terminal device 20 to recognize the first storage area and the second storage area, various processes of security software to be described later can be executed.

  FIG. 14 is a diagram illustrating an example of the storage content of the storage device and the storage content of the terminal device according to the embodiment. The parts already described will be given the same reference numerals to simplify the description.

  In the present embodiment, the flash memory 15 is divided into three storage areas, a first storage area 16, a second storage area 17, and a third storage area 18, by being controlled by software. The method for dividing these storage areas is as described above.

  The first storage area 16 stores a security software section 16-1b and an automatic installer 16-2 that are automatically read when the USB storage device 10 is connected to the terminal device 20. The security software unit 16-1b is a specific example of the above-described software unit 16-1a.

  The security software section 16-1b is software including all files necessary for realizing information leakage prevention means. The automatic installer 16-2 is software for installing the security software section 16-1b.

  Any combination of the security software unit 16-1b and the automatic installer 16-2 may be used as long as it can perform the operations described below. Any installation method may be adopted as long as it does not hinder the implementation of the present invention. For example, the security software unit 16-1b may be compressed in an archive format or the like, and the automatic installer 16-2 may decompress the security software unit 16-1b into a directory. On the other hand, if the security software section 16-1b is already expanded in a directory, an installation method in which the directory is directly copied to the storage area 25-1 of the terminal device 20 may be used.

  On the other hand, if the security software section 16-1b is a self-extracting file, the automatic installer 16-2 may be omitted. In the following embodiment, it is assumed that the automatic installer 16-2 is employed for installing the security software section 16-1b. As for the uninstallation of the file installed in the terminal device 20, any uninstallation method may be adopted as long as the object of the present invention can be achieved.

  The second storage area 17 stores a user use file 17-1 that is an object of information leakage prevention.

  The third storage area 18 is a secret area where data can be read and written from the controller 12 but cannot be read and written from the terminal device 20. The third storage area 18 stores host PC registration information 18-1, user registration information 18-2, a white list 18-3, and a black list 18-4. The registration information and the list described above can be stored in the third storage area 18 as a single or a combination of the registration information and the list.

  In the following, the discussion proceeds under the setting that the entire third storage area 18 is a secret area. However, this secret area is not limited to the third storage area 18 independent of the terminal device 20. For example, a directory provided in a part of the first storage area 16 and the second storage area 17 may be used as the third storage area 18. In this case, it is assumed that this directory is encrypted and can be decrypted by the controller 12. Thereby, even if the terminal device 20 can know the existence of the directory which is the third storage area 18, it cannot obtain the information stored therein.

  The host PC registration information 18-1 includes, for example, authentication information (terminal device registration information) for determining whether or not the terminal device 20 is a host PC registered in advance. The authentication information is, for example, one or more of the MAC address, model number, manufacturing number, IP address, and management number of the terminal device 20. The management number indicates, for example, data for an organization to uniquely identify the terminal device 20 or a use manager of the terminal device. It is not necessarily a number, and any identification information is sufficient, but here it is referred to as a management number for convenience. As an embodiment using the management number, for example, the management number of the terminal device 20 is stored in both the terminal device 20 and the USB storage device 10, and the two management numbers are compared when connecting the two, so that the terminal Whether or not the device 20 is valid can be authenticated. The management number may be an internal management number stored in advance in an external device (for example, a USB token) distributed and managed in the organization.

  The user registration information 18-2 is authentication information for authenticating whether or not the user is a registered user (user). The user registration information 18-2 is, for example, a personal identification number, a password, biometric information, or the like input by the user. These pieces of information may be stored in plain text or may be encrypted. Further, the user registration information 18-2 may include a plurality of user authentication information. In this case, the USB storage device 10 can be shared among a plurality of users.

  The white list 18-3 is, for example, a list in which identification information of processes permitted to access the second storage area 17 among processes (eg, applications) executed in the terminal device 20 is registered. The white list 18-3 may be a list of processes that are permitted to operate while the USB storage device 10 is connected, for example. The security software unit 16-1b accesses the second storage area 17 depending on whether or not the identification information of the process being executed in the terminal device 20 matches the identification information registered in the white list. The CPU 21 is caused to function as an access restriction means for restricting the above.

  The black list 18-4 is, for example, a list in which identification information of processes prohibited from being accessed regardless of the access target among the processes executed in the terminal device 20 is registered. Note that the black list 18-4 may be a list of processes whose operations are not permitted at all. For example, when the identification information of the process being executed in the terminal device matches the identification information registered in the black list, the security software unit 16-1b uses the CPU 21 as an access prohibiting unit that prohibits access by the process. Make it work.

  The HDD storage area 25-1 is a storage area in the HDD 25 provided in the terminal device 20. The security software section 25-2 is obtained by installing the security software section 16-1 stored in the first storage area 16. The authentication execution unit 25-3 is one of the elements of the security software unit 25-2, and authenticates the terminal device and the user. The control program 25-4b is a program that executes the information leakage prevention function and the selection and display of the user use file according to the user.

  FIG. 15 is a flowchart illustrating an example of a storage area switching method according to the third embodiment. Here, details of a procedure until the user can operate the file stored in the second storage area of the USB storage device 10 by connecting the USB storage device 10 to the terminal device 20 will be described. Since matters common to the first and second embodiments have already been described, the description will be simplified.

  In step S1501, the USB storage device 10 is connected to the terminal device 20. As a result, connection processing according to the USB standard is executed between the USB interface 29 of the terminal device 20 and the USB interface 13 of the USB storage device 10. When the connection at the USB level is established, the process proceeds to step S1502.

  In step S1502, the OS (CPU 21) of the terminal device 20 recognizes the first storage area 16 of the USB storage device 10 as a CD-ROM area that can only be read. At this time, the second storage area 17 is not recognized by the CPU 21. Further, since the third storage area 18 is a secret area, it is not recognized by the CPU 21. The CPU 21 executes autorun. The automatic installer 16-2 is started according to a startup file such as inf. The CPU 21 installs the security software unit 16-1b stored in the first storage area 16 in the terminal device 20 in accordance with the activated automatic installer 16-2.

  In step S1503, the CPU 21 activates a control program 25-4b (area change program) that is a part of the security software section 16-1b installed in the terminal device 20.

  In step S1504, the CPU 21 determines whether the user registration information 18-2 is stored in the third storage area 18 according to the area change program. Since the third storage area 18 is a secret area, the CPU 21 and the area change program cannot directly recognize the third storage area 18. Therefore, the area change program transmits a predetermined inquiry command to the controller 12. The controller 12 of the USB storage device 10 accesses the third storage area 18 according to the received inquiry command, and confirms whether the user registration information 18-2 is stored. The controller 12 returns this confirmation result as a response to the terminal device 20. The CPU 21 analyzes the content of this response to determine whether or not the user registration information 18-2 is stored in the third storage area 18. If user registration information exists, the process proceeds to step S1505.

  In step S1505, the CPU 21 activates the authentication execution unit 25-3 (authentication program) according to the area change program and executes user authentication. For example, the CPU 21 transfers authentication information such as a password and a password entered from an input device such as a pointing device 28 or a keyboard to the controller 12, and the authentication information received by the controller 12 is compared with the user registration information 18-2. Alternatively, the controller 12 compares the fingerprint information read by the fingerprint authentication device 11 provided in the USB storage device 10 with the fingerprint information that is a part of the user registration information 18-2. Although the security strength is reduced, the controller 12 transmits the user registration information 18-2 to the terminal device 20, and the authentication execution unit 25-3 receives the received user registration information 18-2 and the input authentication information. May be compared. In fingerprint authentication, fingerprint information read by the fingerprint authentication device 11 is also transferred to the terminal device.

  It should be noted that passwords and passwords may be provided with restrictions for improving confidentiality, such as character number restrictions, and authentication information to be verified and compared may be encrypted using an encryption algorithm or the like. The authentication information used for authentication may be, for example, user registration information including one or more of an identifier for specifying a user, a password, a personal identification number, and biometric information.

  The CPU 21 determines whether the user authentication is successful. If successful, the process proceeds to step S1511. On the other hand, if it has failed, the process proceeds to step S1506. Note that the CPU 21, the controller 12, and the authentication execution unit 25-3 use the authentication information stored in advance in the storage device and the authentication information input from the input device provided in the terminal device or the storage device. It is an example of the authentication means which performs.

  In step S1506, the CPU 21 determines whether or not the number of times of user authentication failure is within a specified number. If it is within the specified number of times, the process returns to step S1505, and user authentication is executed again. The specified number of times may be set based on a password restriction, a stranger acceptance rate or an identity rejection rate of the fingerprint authentication device 11. If the number of failures exceeds the specified number, the process proceeds to step S1507.

  In step S1507, the CPU 21 executes forced termination. For example, the CPU 21 uninstalls an installed program or file. At this time, the CPU 21 cancels the connection of the USB storage device 10 or enters the state in which the first storage area 16 (the second storage area 17 and the third storage area 18 if recognized) is not recognized. Or migrate. The method for changing from the recognizable state to the unrecognizable state is as described in the first embodiment. Of course, the CPU 21 also erases from the HDD 25 information to be leaked that has been copied from the second storage area 17 to the HDD 25. Furthermore, when the information that is the target of leakage prevention stored in the HDD 25 is stored in the second storage area 17, the CPU 21 desirably deletes the information.

  If the user registration data cannot be confirmed in step S1504, the process proceeds to step S1508.

  In step S1508, the CPU 21 displays an inquiry as to whether or not to perform new registration on the monitor 27 in accordance with the area change program. The CPU 21 determines whether the user desires new registration based on information input from the input device of the terminal device 20. When new registration is performed, the process proceeds to step S1509.

  In step S1509, the CPU 21 executes initial registration (new registration). The new registration is an operation of writing the user registration information 18-2 used at the next and subsequent authentications into the third storage area 18. Since the terminal device 20 cannot write directly to the third storage area, it issues a predetermined command to the controller 12, and the controller 12 stores the user registration information 18-2 in the third storage area 18. When the new registration is completed, the process proceeds to step S1511. Thus, the CPU 21, the controller 12, and the programs involved are examples of a registration unit that performs initial registration of authentication information if the authentication information is not stored in the storage device in advance.

  If new registration is not performed, the process proceeds to step 1510. In step S1510, the CPU 21 executes forced termination. The forced termination process is as described for step S1507. As a result, the program installed in the terminal device 20 is uninstalled, and the USB storage device 10 is automatically not recognized.

  In step S1511, the CPU 21 uses the authentication execution unit 25-3 to determine whether the terminal device 20 is a host PC designated in advance by the host PC registration information 18-1. Since the CPU 21 cannot directly read the host PC registration information 18-1, the CPU 21 acquires or transfers the authentication information by the same method as the user authentication. The authentication information is, for example, terminal device registration information including one or more of a MAC address, a model number, a manufacturing number, and an IP address assigned to the terminal device. If the connection destination terminal device 20 is not the host PC, the process advances to step S1512.

  In step S1512, the CPU 21 activates a use restriction function which is one function of the control program 25-4b included in the security software unit 25-2. This use restriction function controls access to files using the white list 18-3 and black list 18-4 stored in the third storage area 18, and prevents file movement and duplication. It is a function. Details of these functions will be described later.

  On the other hand, if it is determined that the terminal device 20 is a host PC, step S1512 is skipped and the process proceeds to step S1513. Therefore, the usage restriction function is not applied. The user can freely use the user use file 17-1 between the terminal device 20 and the USB storage device 10.

  That is, the user use file 17-1 can be stored in the terminal device 20 based on information (host PC registration information) specified in advance, and can be distributed over the network via the terminal device 20.

  In step S1513, the CPU 21 switches the storage area recognizable by the terminal device 20 from the first storage area 16 to the second storage area 17 in accordance with the area change program. That is, the first storage area 16 is no longer recognized on the terminal device 20, and the second storage area 17 is recognized at the same time.

  Note that the emission color of the LED 14 may be switched according to the currently recognized storage area. For example, the LED control unit 12-4 turns on the red LED when the first storage area 16 is recognized, and turns on the green LED when the second storage area 17 is recognized. As a result, the user can visually recognize which storage area of the storage area of the USB storage device 10 is recognized by the terminal device 20. This may be particularly useful in cases where the drive letter remains the same when the storage area is switched.

  In step S <b> 1514, the CPU 21 shifts to a standby state in which a file stored in the second storage area 17 can be operated by operating the terminal device 20. When the use restriction function is applied, use restriction is imposed on the second storage area 17. When the user authentication is appropriate, only the user use file 17-1 corresponding to the user may be displayed on the screen of the terminal device 20 by the control program 25-3. As a result, access to the user use file of other users is prohibited, so that a plurality of users can use the same USB storage device 10 while protecting confidential information and preventing information leakage.

  As described above, according to the third embodiment, the area change program installs the information leakage prevention program stored in the first storage area 16 in the terminal apparatus 20 and then stores the storage area recognized by the terminal apparatus 20. It is possible to switch from the first storage area 16 to the second storage area 17.

  The third storage area 18 is a secret area. Therefore, when the information leakage program transmits a read command for reading the information stored in the secret area through the terminal device 20, the controller 12 reads the information from the secret area and transmits the information to the terminal apparatus. As a result, authentication information and extremely important information can be protected.

  Further, according to the third embodiment, the authentication unit that executes the authentication process using the authentication information stored in advance in the storage device and the authentication information input from the input unit provided in the terminal device or the storage device. Can be provided. That is, when the authentication process is successful, the switching program switches the storage area recognized by the terminal device from the first storage area to the second storage area. Therefore, unless the authentication process is successful, reading of the user use file 17-1 from the second storage area 17 to the terminal device 20 can be suppressed. This means that if the authentication process is successful, the information leakage prevention program causes the CPU 21 to function as a release unit that releases the restriction on access to the storage device.

  Also in the third embodiment, when the USB storage device 10 is removed from the terminal device 20, the uninstall process described with reference to FIG. 8 is executed by the control program 25-4b.

  FIG. 16 is a diagram illustrating an example of a white list. In the white list 18-3, identification information (for example, name) of a process permitted to access a file stored in the second storage area 17 is registered. The processes recorded in the white list 18-3 include processes related to highly versatile and safe applications in advance by default. The name of the process determined by the network administrator or the like as safe or useful may be added to the white list 18-3.

  FIG. 17 is a diagram illustrating an example of a black list. The black list 18-4 is a list in which names of processes whose operations are not permitted at all when the use restriction function is active are registered. Similarly to the white list 18-3, here, processes with high risk included in viruses and worms and processes related to information leakage are included by default. Processes judged to be harmful by the administrator or processes judged to be useless by the user may be added to the black list.

  The use restriction function of the control program 25-4b functioning as an information leakage prevention program reads the white list 18-3 and the black list 18-4 each time a process occurs, and controls the operation of the process.

  FIG. 18 is a flowchart illustrating an example of the operation of the use restriction function.

  In step S1801, the CPU 21 determines whether the generated process is registered in the black list 18-4 according to the activated information leakage prevention program. When the black list 18-4 is stored in the third storage area 18, the CPU 21 cannot read it directly. Therefore, as in the authentication process, the CPU 21 transfers the name of the generated process to the controller 12, and the controller 12 compares this name with the black list 18-4 and returns the comparison result to the CPU 21. Alternatively, the black list 18-4 may be transferred from the controller 12 to the CPU 21, and the CPU 21 may execute the comparison process. If the process is registered in the black list 18-4, the process advances to step S1802.

  In step S1802, the CPU 21 cancels the operation of the process itself. Thereby, the unexpected operation | movement by a known virus or worm can be stopped. Also, operations of printing or a process related thereto, a process related to network connection, and a process of capturing a screen as an image (print screen or the like) are prohibited. In this way, the CPU 21 functions as an access prohibiting unit that prohibits access by a process and a canceling unit that cancels the operation of a process.

  If the name of the generated process is not registered in the black list 18-4, the process proceeds to step S1803.

  In step S1803, the CPU 21 determines whether the name of the generated process is registered in the white list 18-3. This determination process is the same as the determination process related to the black list. If the process is registered in the white list 18-3, the process advances to step S1804.

  In step S1804, the CPU 21 prevents the file from being moved or copied from the second storage area 17 by the process. As described above, the information leakage prevention program accesses the second storage area 17 according to whether or not the identification information of the process executed in the terminal device 20 matches the identification information registered in the white list. The terminal device 20 is caused to function as an access restriction means for restricting the above.

  On the other hand, if the process is not registered in the black list 18-4 or the white list 18-3, the process advances to step S1805.

  In step S 1805, the CPU 21 analyzes the access destination of the process. If the access destination is a storage area in the flash memory 15, the CPU 21 terminates the process to cancel the operation of the process. Thereby, access to the flash memory 15 by an unknown application that is not registered in the white list 18-3 can be stopped. That is, a process not registered in the white list 18-3 cannot access a storage area in the flash memory 15. Thus, when not registered in either the black list or the white list, this process is limited to accessing the storage area of the storage device.

  The file migration / duplication prevention process (S1804) is performed by, for example, “cutting” or “pasting” after “copying” the file itself or a part thereof (clipboard or the like) stored in the storage area in the flash memory 15. Is a process for restricting the process related to moving a file by dragging and dropping, or prohibiting “save as” in an application for operating the file. When the storage area in the flash memory 15 or the directory belonging to the storage area is displayed as an active window, the file movement / duplication prevention function performs drag and drop from the inside of the window, movement of the clipboard between applications, Any movement or duplication of the files in the storage area in the flash memory 15 may be prohibited, such as a dialog display of a copy or writing to another removable disk.

  On the other hand, a process in which data movement from the storage area does not substantially occur, such as file editing and processing staying in the storage area inside the flash memory 15, is permitted by the white list 18-3. Specifically, the processes executed in the USB storage device 10 such as overwriting and editing of files, exchanging information between files in the storage area, exchanging information between files on different drives, etc. are executed without limitation. Will be.

  There are several methods for adding and updating process names to the whitelist and blacklist described above. For example, a method in which the terminal device 20 directly edits a white list or black list stored in the USB storage device 10 can be considered. Also, a method is conceivable in which the controller 12 receives the latest white list or black list received by the client (terminal device 20) from the server via the USB bus and writes it in the third storage area. The latter could be called remote update.

[Example 4]
Hereinafter, the above-described use restriction function, that is, the information take-out prevention function using the USB storage device 10 will be described.

  The carry-out prevention function is a general term for the following five functions.

  (1) A function for prohibiting files existing in a directory designated in advance and data in the file from being stored outside the designated directory (stored even when the terminal device 20 is turned off). The directory is an arbitrary directory accessible from the PC, such as a directory secured in the storage device of the PC or a directory secured in the USB memory.

  (2) A function that permits browsing of files existing in a directory designated in advance and data in the file while realizing the function of (1).

  (3) A function of permitting editing of files existing in a directory designated in advance and data inside the file, and saving only within the directory (including the Sub directory).

  (4) A function that does not restrict browsing / editing / saving of files existing in arbitrary directories not specified in advance and data in the files.

  (5) A function of setting a special PC called HostPC by some identifier (eg, MAC address) so that the restrictions of (1) to (3) are not applied at all in the HostPC. As a result, even files and data in a directory designated in advance can be stored in another directory as usual.

  In the fourth embodiment, in order to realize the functions (1) to (5), five types of control mechanisms described below are provided. These control mechanisms will be described below. Note that the above-described functions can be substantially realized by the first control mechanism (file system filter driver). The basic part of the first control mechanism is as described in the third embodiment.

  However, some leaks may occur with only the first control mechanism. Therefore, second to fifth control mechanisms are added to compensate for the leakage.

  Note that, for example, the following two types can be considered as methods for preventing the file in the specified directory and the data in the file from being taken out.

(A). Prevention of movement and duplication in units of files (b). Prevention of movement and duplication of data in files in memory [Information leakage prevention function]
The information leakage prevention function in the fourth embodiment will be described below. The information leakage prevention function is divided into a “kernel part” that is a file system filter driver and a “user part” that supplements the kernel part. Touch lightly about the file system filter driver [File system filter driver (FSFiD)]
The FSFiD is a computer program that can interrupt and acquire a log before or after a file system is about to perform, and is installed in the terminal device 20 from the USB storage device 10. The FSFiD operates in the kernel mode as described above.

  Hereinafter, the information leakage prevention function will be described separately for the kernel part which is the file system filter driver and the user part which is the other part. The kernel unit does not operate unless the filter manager (FltMgr) exists. FltMgr is, for example, a known function (see http://www.microsoft.com/japan/whdc/driver/filterdrv/default.mspx).

  In addition, the user unit has a function assisting function performed by a kernel unit, which will be described later, and a complementary function in an information leakage prevention function. The main words and phrases used in the following explanation are listed and explained below. Necessary words other than those listed below are listed as appropriate.

  * Process identifier An identifier that identifies a process based on a method that assumes the process in advance. Any process can be specified as long as the process can be identified. Examples include process ID, hash value, process author name, company name, and the like.

  * The file identifier is an identifier for identifying a file based on a method assumed in advance, and the format is not limited as long as the file can be specified. Examples include file names, IDs, hash values, process author names, company names, attributes, extensions, and the like.

  * The process determination unit has a function of determining whether a process belongs to a black list or a white list described later. A process identifier for identifying each process is registered in the black list and the white list.

  * Monitoring list This is a list in which process identifiers of processes to be monitored are registered. The monitoring list is stored in a heap area in the kernel, for example. When a process registered in the above-described black list or white list is detected among the processes that are actually activated, the process identifier of the detected process is registered in the monitoring list.

  * Monitored file list A list of file identifiers to be monitored. The monitoring file list is stored, for example, in a heap area in the kernel.

  * The path identifier indicates a flag indicating whether or not the monitoring target is included in the file or process. Whether it is a monitoring target or not is determined by the full path of the directory. The path identifier is stored in a heap area in the kernel, for example.

  * The black list is a list that holds process identifiers indicating processes that are mainly not allowed to be used.

  * The white list is a list that holds process identifiers indicating processes that are mainly permitted to be used.

  * The IO manager is an object that controls all file IOs, and is responsible for interaction between drivers.

  * The process manager is a manager that controls the mounting and unmounting of processes.

  FIG. 19 is a diagram illustrating an example of an event processed by the kernel unit. According to FIG. 19, the event name of each event, the event notification source, the occurrence timing of the event, and the contents of the processing for the event are described.

In FIG. 19 where the outline of each event is explained here,
Event 1 “Initialization” initializes a variable necessary for monitoring file operations (assigning an initial value to the variable).

  The event 2 “monitoring target setting” represents an operation for designating a monitoring target, that is, a drive and directory to which the file information leakage prevention function is applied. In the present invention, the second storage area 17 mainly corresponds thereto. However, the present invention is not limited to this, and any drive and directory can be monitored.

  Event 3 “Before file operation start communication processing” indicates the contents to be interrupted and operated before the IO manager processes “file operation start communication” for processing to start all file operations. That is, this event 3 indicates the timing at which the information leakage prevention program according to the present embodiment performs an operation required before the OS file system executes the process that is the base point of all file operations.

  Event 4 “after processing of file operation start communication” indicates content to be interrupted and operated before the IO manager processes “file operation start communication” that is processed to start all file operations. At this time, processing is performed using the information (attributes) given in event 3. In other words, event 4 indicates the timing at which the information leakage prevention program according to the present embodiment performs an operation necessary after the OS file system has performed processing that is the base point of all file operation logs.

  Event 5 “Process activation” is processing performed by interrupting the process when it is activated.

  Event 6 “End of process” is a process that is interrupted when the process ends. Events 1 and 2 are notified by the user section, events 3 and 4 are notified by the OS filter manager, and events 5 and 6 are notified by the OS process manager. That is, the process manager notifies the event to the kernel part of the information leakage prevention program.

FIG. 20 shows event 1 initialization and event 2 monitoring target setting. First, the user part loads the kernel part (step S2001). In response to this load, the kernel unit initializes the white list and black list of the kernel unit and performs initialization for monitoring (step S2002). Here, initialization means initialization (assignment of initial values) of variables assigned to a stack or heap used in a program that is always performed at the start of the program. When the initialization is completed, the kernel unit notifies the user unit that the initialization has been completed (step S2003).

The kernel unit is notified of the designated drive and directory to be monitored by the user unit (step S2004). The kernel unit registers the designated drive and directory to be monitored in the heap area variable (step S2005). Thereafter, the kernel unit notifies the user unit that a series of preparations have been completed (step S2006).

  FIG. 21 is a flowchart showing the operation of event 3 shown in FIG. Event 3 is an event when a file operation start communication is issued. The file operation start communication indicates that some kind of file operation is about to be performed. Issuing a file operation start communication is equivalent to performing a file operation. That is, event 3 is an event that is the starting point of file operation. Before the file operation start communication that is the starting point of all file operations is processed by the IO manager, the filter manager analyzes the contents of the operation and records necessary information.

  In step S2101, the kernel unit compares the generated process identifier with the process identifier registered in the black list. If they match, the process proceeds to step S2102, and the kernel unit adds Black attribute information indicating that the process is registered in the black list to a variable in the heap. If they do not match in step S2101, the process proceeds to step S2103.

  In step S2103, the kernel unit compares the generated process identifier with the process identifier registered in the white list. If they match, the process proceeds to step S2104, and the kernel unit adds a “white” flag to the variable in the heap. If they do not match in step S2103, the process proceeds to step S2105. By the way, it should be noted that the attribute information of “white” is not fixed at this stage.

  In step S2105, the kernel unit checks the path identifier, which is a variable in the heap, determines whether the operation target directory is a monitoring target, and proceeds to step S2106 if it is determined that the operation target directory is a monitoring target.

In step S 2106, the kernel unit determines whether or not there is a “white” flag added to the variable in the heap in step 2204. If there is no flag, in Step S2107, a Not White attribute indicating that the process is not registered in the white list is added to a variable in the heap. If there is a flag, the kernel unit monitors the monitoring list in Step S2108. Compare the process identifier in the list with the current process identifier. If they match, the process proceeds to step S2109.

  In step S2109, the kernel unit compares the file identifier in the monitoring file list with the current file identifier. If the two do not match, the process advances to step S2110, and the kernel unit newly adds the current file identifier to the monitoring file list. In this case, no attribute information is added to the variable in the heap (step S2113).

  On the other hand, if the process identifier in the monitoring list does not match the current process identifier in S2108, the process proceeds to step S2111. In step S2111, the kernel unit adds the current process identifier to the monitoring list. In this case, no attribute information is finally added to the variable in the heap.

  In step S2105, if the operation target is not a monitoring target, the process proceeds to step S2112. In step S2112, collation similar to that in step S2108 is performed. That is, the kernel unit compares the process identifier in the monitoring list with the current process identifier. If they do not match, no attribute information is added to the variables in the heap in step S2113.

  On the other hand, if the process identifiers match in step S2112, the process advances to step S2114 to check whether or not the file identifiers in the monitoring file list match, as in the previous step S2109. If not, the process proceeds to step S2113, and no attribute information is added.

  If the match of the file identifier is confirmed here, the process proceeds to step S2115, and the “Is white” attribute information is added to the variable in the heap.

  As described above, each process determines Is White, Not White, Black, and none (no attributes are assigned) at event 2.

  In the case of none (no attribute is given), for example, the user use file 17-1 to be monitored is edited and the edited data is stored in the second storage area 17. .

  FIG. 22 is a flowchart showing the operation of the fourth event shown in FIG. In step S2201, the kernel unit determines whether the attribute information is Is White. If it is not IsWhite, the process proceeds to step S2202, and the kernel unit cancels the file operation start communication.

  On the other hand, if it is IsWhite, the process proceeds to step S2203. In step S2203, the kernel unit checks the operation content. At this time, if the operation content is “new file creation”, the process advances to step S2204, and the kernel unit forcibly deletes the newly created file.

  On the other hand, if the existing file is overwritten or rewritten, in step S2205, the kernel unit cancels the file operation start communication. Also, after step S2204 ends, the process moves to step S2205, and the file operation start communication is cancelled.

  If the check in step S2203 is not the above-described three operations, no processing is performed here (S2206).

  That is, for example, new file creation and file saving are prohibited, but file editing on the RAM 23 in the terminal device 20 is possible.

  23a and 23b are flowcharts showing the operations of event 5 and event 6 shown in FIG. At event 5, the process identifier of the process to be started is checked against the process identifier registered in the white list or black list. If the process identifier is registered in either list, the process identifier is added to the monitoring list. To do. If the process identifier of the running process does not fall into either list, do nothing. In the sixth event, the process identifier of the process to be terminated is deleted from.

  FIG. 23 a shows an operation at the time of process activation of event 5. In step S2301, the process manager notifies the kernel unit of the start of the process. Here, the kernel part temporarily interrupts the start of the process and stops the process. In step S2302, the kernel unit acquires a process identifier. In step S2303, the kernel unit determines whether the process acquired using the process determination unit belongs to either the white list or the black list. If it is determined here that it belongs to the white list, in step S2304, the kernel unit registers the target identifier in the WhiteList. On the other hand, if the process determining unit determines that the process belongs to the black list, the process proceeds to step S2305, and the process identifier of the process is added to the black list.

  If it does not belong to any of the above, the process directly proceeds to step S2306, and the process manager is restarted to start the process. This is the same after the addition to the white list in step S2304 and the addition of the black list in step S2305. is there.

  FIG. 23b shows the operation at the end of the process. The kernel unit receives a process end notification from the process manager. At this time, the process termination is stopped halfway in the same manner as when the process is started (step S2307). In step S2308, the kernel unit acquires the process identifier of the process to be terminated. In step S2309, it is checked whether there is a corresponding process identifier from the white list, and if there is, the process identifier is deleted (step 2310).

  Similarly, in step S2311, the process identifier in the black list is compared with the process identifier. If they match, the process proceeds to step S2312, and the identifier in the black list is deleted.

  If it does not belong to any of the above, the process directly proceeds to step S2313, and the process manager is allowed to resume the process. This is the deletion from the white list in step S2310, and the deletion from the black list in step S2312. The same applies to the rest.

  The information leakage prevention function performed by the kernel part has been described above. The contents that operate in the user mode, considering that it is difficult to prevent with the information leakage prevention function by the kernel part, or that reduces the operational load. I will write about.

  The reason for performing control by the user part is an item related to information leakage in the process registered in the white list, an item that cannot be controlled by the kernel part according to the specification of the OS, and the like.

  In the following items, representative examples and control methods controlled by the user unit will be described. The control of the user part is mainly performed using various parameters and functions represented by signals, information, registries, standard APIs, etc. according to each OS, conversion means thereof, programs or files including them. Is called.

  FIG. 24 is a table illustrating a representative example of control contents and a control reason in the user unit according to the fourth embodiment.

  Each item will be described in detail below.

[Registry change prevention means]
The registry change prevention means is a means for monitoring a change in a specific registry and, if there is a registry change, immediately returning the registry to the state before the change. When the monitoring is canceled, the registry is returned to the state before the monitoring state.

  In FIG. 24, “representative examples of registry change prevention means” show representative examples of three control contents. The first control content is to prevent the item “send” in the explorer context menu. Explorer is a whitelisted and highly versatile process. Therefore, the kernel unit cannot prevent the file created by the Explorer from being attached to the mail. As a complementary function, the registry change prevention means prevents, in particular, the activation of the item “send”.

  The second control content is to prevent the wallpaper from being changed. If the file subject to leakage prevention is an image file, it can generally be used as wallpaper. As described above, the Explorer that controls the drawing paper is registered in the white list. Therefore, the kernel part cannot prohibit the use of wallpaper. Therefore, this means for assisting the kernel part prohibits the use of the leakage prevention target file as wallpaper.

  The third control content is to delete the registration of the specified mailer. This is because the kernel unit cannot prevent any mailer registered in the white list from transmitting an arbitrary file as described above.

  As described above, the information leakage prevention program monitors the registry change to prevent the leakage of the file by the file operation program or the mailer program registered in the white list, and the terminal device is used as a registry change prevention means for preventing the change. Make it work.

[Device invalidation means]
The device invalidation means is means for invalidating or prohibiting the device. The device invalidation means invalidates a device when a device change signal is sensed even if a specific device is newly added. On the other hand, when the monitoring is canceled, the device control mechanism returns the prohibited device to the state before monitoring.

  “Representative example of device invalidation means” in FIG. 25 is a diagram illustrating a control device and a control reason in the device according to the fourth embodiment. The device invalidation unit is a function that realizes, for example, the same operation as the operation of invalidating a drive on a UI called a Windows (registered trademark) device manager.

  According to FIG. 25, the control devices are FDD (flexible drive disk) and NIC (network communication card). While the OS does not recognize the FDD disk, the kernel unit cannot be attached. Therefore, depending on the procedure, there is a possibility that only one file can be taken out. Therefore, the control device prohibits the movement of the file by monitoring the FDD.

  The reason for monitoring the NIC is that because the Explorer is registered in the white list, the kernel unit cannot prevent the file within the monitoring target from being uploaded. Therefore, the device invalidation unit prohibits uploading if the file uploaded from the NIC is a leakage prevention target file.

  As described above, according to the fourth embodiment, it is monitored whether or not a file to be written to the flexible disk drive is an information leakage target file. When the information leakage target file is designated as a writing target, the writing that prohibits the writing is performed. The terminal device is caused to function as prohibition means.

  In addition, the information leakage prevention program monitors whether or not a file transmitted from the communication device to the outside in order to prevent the leakage of the file by the file operation program registered in the white list is an information leakage target file, When the information leakage target file is designated as a transmission target, the terminal device is caused to function as a transmission prohibition unit that prohibits the transmission.

[Global hook means]
The global hook means is a function that restricts processing of various messages. When monitoring is released, this control is also released.

  “Representative example of global hook means” in FIG. 24 shows a representative example of control contents in the global hook means according to the fourth embodiment and the reason for the control. The first is a function that prevents a previously designated dialog from being displayed. Specifically, when the caption or window class matches the registered content, the global hook means stops the dialog. This is because, for example, operations on the memory not related to the file system, such as “save with name”, “save with name change”, and “insert object” cannot be controlled by the kernel unit. Therefore, the global hook means stops or invalidates the dialog regarding such an operation.

  The second is a function for prohibiting Drag & Drop across windows by a pointing device represented by a mouse. This is because the kernel unit cannot prevent the data in the file from being taken out by the pointing device or the like using Drag & Drop.

  For example, in the case of a mouse, when a plurality of files are selected and dragged in a window, it is necessary to move the cursor while holding down the button on the mouse. The global hook means captures the coordinates when the button is pressed. If the coordinates are different from the coordinates when the button is pressed when the button is released, the operation is performed by invalidating the operation.

  As described above, according to the fourth embodiment, the information leakage prevention program prohibits the display of the dialog when the display of the dialog for copying the information leakage target file or a part thereof on the memory of the terminal device is designated. The terminal device is caused to function as dialog prohibiting means.

  The information leakage prevention program monitors the drag and drop between a plurality of windows for the information leakage target file or a part thereof, and when the drag and drop is designated, the drag and drop prohibiting means prohibits the execution. The terminal device is caused to function.

[Clipboard use prevention means]
The clipboard use prevention means is a means for preventing literal use of the clipboard. This is a function for preventing the monitored file from leaking through the temporary storage in the clipboard.

  Two examples of this means are described in “Representative examples of clipboard use prevention means” in FIG. Both of these are implemented by making the clipboard use prevention means monopolize the clipboard, thereby preventing other processes from using the clipboard at all. This is because the kernel part cannot control the export of data in the file by the clipboard. When monitoring is released, the clipboard control mechanism is also released.

  As described above, according to the fourth embodiment, the information leakage prevention program monopolizes the use of the clipboard, and as a clipboard exclusive means for preventing the information leakage target file or a part thereof from being copied to the clipboard, the terminal device To work.

  This is the end of the description of the information leakage prevention control by the user unit.

  Although the details of the information leakage prevention means in the fourth embodiment have been described above, the control mode of the kernel unit and the control mode of the user unit in the present invention are complementary to each other. Therefore, there is a possibility that the control in the kernel part and the control in the user part will be interchanged due to the advancement of technology or the OS specification change. However, these controls are within the scope of the present invention as long as they are in accordance with the above means. It will be clear that it is included.

The information leakage prevention program described in the third and fourth embodiments may be used separately from the USB storage device 10. For example,
(1) The second storage area 17 and the third storage area 18 are left as they are, and instead of the first storage area 16, a folder or directory in the HDD 25 is provided corresponding to the first area. It is also possible to store an information leakage prevention program similar to that in the embodiment in advance and prevent leakage of data files in the second area 17 of the USB storage device 10 in the same manner as in the above embodiment.
(2) Instead of the first storage area 16 and the second storage area 17, an arbitrary folder or directory in the HDD 25 is provided corresponding to the storage areas 1 and 2, and the same as in the embodiment An information leakage prevention program and a data file may be stored, and similar program control may be applied to prevent leakage of the data file. As a result, when a plurality of users use the terminal, it is possible to prevent other people's data files from being leaked by mistake.

  Furthermore, in the case of (1) and (2) above, it is also possible to store the information leakage prevention program from the server to the HDD 25 of the client (terminal device 20).

  It is also possible for the client (terminal device 20) to receive the latest information leakage program from the server and add or update it to the USB storage 10 or the first storage area 16 of the HDD 25.

[Example 5]
In the fifth embodiment, a modification of the above-described embodiment will be described. Specifically, a server is arranged on a network (usually an intranet) accessible from the host PC, and information stored in the USB storage device is updated from the server. By making it possible to update the information stored in the USB storage device, it is possible to provide flexibility in security settings such as changing the security settings for each user.

  With this flexibility, group management can be applied to USB storage devices. Group management is to configure a group by a plurality of users and apply common security settings to users belonging to the group. The group may be composed of a plurality of PCs. In this case, all the PCs belonging to the group can be set as the host PC.

  By the way, a general USB memory that does not have an information leakage prevention function can freely carry data from one PC to another. However, in a USB storage device to which the information leakage prevention function described above is applied, carrying arbitrary data from one PC to another PC is limited. That is, when the security setting is strict, the host PC that can use the USB storage device may be limited to one. Such problems can also be solved by introducing group management. That is, a plurality of PCs belonging to a specific group can be registered in the USB storage device as host PCs. As a result, the USB storage device can be used like a general USB memory in a specific group. Of course, when the USB storage device is attached to an unregistered PC, the above-described information leakage prevention function operates, so that data movement or the like is limited.

  FIG. 25 is a sequence diagram illustrating an example of group management according to the embodiment. Here, in order to simplify the description, it is assumed that the hardware configurations of the server device and the client device are equivalent to those of the terminal device 20.

  In step S2501, the CPU 21 of the server apparatus executes association between the device ID and the user ID. Here, the device ID indicates a PC unique value for identifying the terminal device 20 serving as the host PC and a USB memory unique value for identifying the USB storage device. The PC unique value corresponds to the host PC registration information 18-1.

  FIG. 26 is a diagram showing a USB memory eigenvalue table stored in the HDD 25 of the server apparatus. The USB memory unique value table 2601 is a table that associates a unique value of the USB memory with a group ID. In addition, * in the figure means the primary key of the table. The group ID is identification information for identifying each group ID. The CPU 21 of the server device associates the unique value of the USB memory input through the keyboard or the pointing device 28 with the group ID and registers them in the USB memory unique value table 2601.

  FIG. 27 is a diagram showing a PC eigenvalue table stored in the HDD 25 of the server device. The PC unique value table 2701 is a table for associating the unique value of the host PC with the group ID. The CPU 21 of the server device associates the PC unique value input through the keyboard or the pointing device 28 with the group ID and registers them in the PC unique value table 2701.

  For each PC, the time zone (start date / time and end date / time) operable as the host PC may also be registered in the PC unique value table 2701. In this case, as the first information (host PC registration information), the second information (user use file 17-1) is read from the second storage area 17 and stored in the non-volatile storage means (HDD 25 of the terminal device 20). Identification information (PC eigenvalues) of a plurality of information processing devices that can be used, and each of the plurality of information processing devices can read the second information from the second storage area 17 and store it in the nonvolatile storage means Time zone information indicating a time zone is included. Furthermore, the security software, which is an information leakage prevention program, restricts the handling of the second information based on the time zone information corresponding to the identification information (PC unique value) of the terminal device 20 to which the storage device 10 is connected. It will be.

  The first information (host PC registration information 18-1) includes user settings (various security levels shown in FIG. 29) that define the handling of the second information corresponding to each of a plurality of users.

  The first information (host PC registration information 18-1) includes user settings (various security levels for each group) that define the handling of the second information for each user group composed of one or more users. .

  In step S2502, the CPU 21 of the server device sets security for each group in accordance with information input through the keyboard and the pointing device 28.

  FIG. 28 is a diagram showing a user table stored in the HDD 25 of the server device. The user table 2801 is a table that associates user IDs, group IDs, and priority levels. The user ID is identification information for identifying each user. The priority level is information indicating, for example, whether the security function for individuals is applied with priority or the security function for groups is applied with priority.

  The CPU 21 of the server device registers the user ID, the group ID, and the priority level in the user table 2801 in association with each other according to information input through the keyboard and the pointing device 28.

  FIG. 29 is a diagram showing a group table stored in the HDD 25 of the server device. The group table 2901 is a table that associates a group ID with a security level. The security level is information indicating validity / invalidity of various security functions. Examples of security levels are listed below.

Initialization ON / OFF
ON / OFF of clipboard use prohibition
ON / OFF prohibition of drag and drop use
ON / OFF prohibition of use of specific dialog box (save file with name, etc.)
Print prohibition ON / OFF
Network disconnection ON / OFF
ON / OFF of white list and black list update
The initialization includes, for example, deleting the user use file 17-1, updating the host PC registration information information 18-1, user registration information 18-2, white list 18-3, and black list 18-4. It means to do. However, when the USB storage device (storage device 10) is used in the terminal device 20 that is not connected to the server, the white list 18-3 and the black list 18-4 are not deleted.

  The CPU 21 of the server apparatus registers the group ID and various security levels in the group table 2901 in association with each other according to information input through the keyboard and the pointing device 28.

  In step S2503, the CPU 21 of the server device transmits setting information to the client at a predetermined timing. The predetermined timing is, for example, the timing at which the server apparatus receives a request for setting information transmitted from the security software 25-2 activated in the terminal device 20. The CPU 21 of the server device identifies a group ID based on the above table from the user ID included in the setting information request, and determines a PC specific value, a priority level, and various security levels corresponding to the group ID. The CPU 21 of the server device mounts the determined PC specific value, priority level, security level, and the latest white list and black list in the setting information. The setting information may include the latest version of security software. In this case, the security software 16-1b stored in the first storage area is updated to the latest version.

  In step S2504, the CPU 21 of the terminal device 20 that is the client receives the setting information and changes the security setting of the storage device 10. The CPU 21 of the terminal device 20 writes the PC specific value included in the setting information into the host PC registration information 18-1 through the controller 12. Similarly, the CPU 21 writes the received priority level and security level in the third storage area 18. Further, the CPU 21 writes the received white list and black list in the third storage area 18.

  If initialization is set to ON, the CPU 21 of the server device transmits an initialization processing request to the terminal device 20 in step S2505. In step S2506, the CPU 21 executes an initialization process. The CPU 21 of the terminal device 20 determines whether or not the password input from the input device such as a keyboard matches the password included in the user registration information 18-2 stored in the storage device 10. May be. And CPU21 performs an initialization process, only when both correspond.

FIG. 30 is a flowchart showing an example of the operation of the terminal device 20 to which the host PC registration information 18-1 is applied. In step S3001, the CPU 21 reads the priority level stored in the third storage area 18 via the controller 12, and determines whether the priority level is set to an individual or a group. Determine. This determination process is a process of determining whether a single individual uses the storage device 10 or whether a plurality of individuals use the storage device 10. This determination process is a process for determining whether a single terminal device 20 uses the storage device 10 or a plurality of terminal devices 20 uses the storage device 10.
If the priority level is not set to an individual (if set to a group), the process proceeds to step S3002.

  In step S3002, the CPU 21 determines whether or not communication with a predetermined server registered in advance is possible. Information on the URL or address of a predetermined server is provided in advance in the security software 16-1b. If communication with the server is possible, the process proceeds to step S3003.

  In step S3003, the CPU 12 applies the PC unique value included in the setting information received from the server to the security software 16-1b instead of the host PC registration information 18-1 stored in the storage device 10. .

  On the other hand, if it is determined in step S3001 that the priority level is set to an individual, or if it is determined in step S3002 that communication with a predetermined server is not possible, the process proceeds to step S3004.

  In step S3004, the CPU 21 applies the host PC registration information 18-1 stored in the storage device 10 to the security software 16-1b.

  As described above, the security software, which is an information leakage prevention program, can determine whether or not the information terminal device 20 can be connected to a predetermined server, the connection determination means (S3002), and the terminal device 20 can be connected to the predetermined server. If so, the first information received from the predetermined server is applied to the second information (S3003), and if the terminal device 20 cannot be connected to the predetermined server, it is stored in the first storage area. The first information is applied to the second information (S3004), and the terminal device 20 is caused to function as information switching means.

  In addition, the security software includes a user determination unit (S3001) for determining whether or not a single individual uses the storage device 10, and the first software if the single individual uses the storage device 10. If the first information stored in the storage area is applied to the second information (S3004) and a single individual does not use the storage device 10, the first information received from a predetermined server is used as the first information. (S3003) The terminal device 20 is caused to function as information switching means.

  Similarly, the security software determines whether a predetermined single terminal device 20 uses the storage device 10 or a plurality of predetermined terminal devices 20 uses the storage device 10 ( If a single terminal device 20 uses the storage device 10 in S3001), the first information stored in the first storage area is applied to the second information (S3004), and a plurality of terminals If the device 20 uses the storage device 10, the first information received from the predetermined server is applied to the second information (S3003), and the information processing device is caused to function as information switching means.

  FIG. 31 is a sequence diagram showing registration of the host PC registration information 18-1. In step S <b> 3101, the CPU 21 of the terminal device 20, which is a client, transmits a response confirmation request to a predetermined server whose address is registered in advance in the storage device 10. This is for confirming whether the terminal device 20 is connected to the server.

  In step S <b> 3102, upon receiving the response confirmation request, the CPU 21 of the server device transmits information indicating that the server is a predetermined server to the terminal device 20. Further, the CPU 21 of the server device may also transmit host PC registration information (for example, a PC unique value) stored in the HDD 25 to the terminal device 20 together.

  In step S <b> 3103, the CPU 21 of the terminal device 20 determines whether or not the information indicating that the server is the predetermined server transmitted from the server matches the information regarding the predetermined server registered in the storage device 10 in advance. To do. If the two do not match, the CPU 21 discards the received information. On the other hand, if the two match, the process proceeds to step S3104.

  In step S3104, the CPU 21 registers the host PC registration information transmitted from the server in the host PC registration information 18-1.

  FIG. 32 is a sequence diagram showing a modification example until registration of the host PC registration information 18-1. In step S3201, the CPU 21 of the terminal device 20 that is a client transmits information related to the client (for example, a user ID and a device ID) to the server. In step S3202, the CPU 21 of the server device determines whether the information about the client received from the terminal device 20 matches the information about the client stored in the HDD 25 in advance. If the two do not match, the CPU 21 executes error processing. If the two match, the process advances to step S3203.

  In step S3203, the CPU 21 of the server device transmits host PC registration information (for example, a group ID) corresponding to the received information about the client to the terminal device 20.

  In step S 3204, the CPU 21 of the terminal device 20 registers the host PC registration information received from the server as the host PC registration information 18-1 of the storage device 10. The host PC registration information 18-1 may be updated every time the storage device 10 is connected to the terminal device 20, or every predetermined period (for example, every quarter) in consideration of user convenience. May be executed.

  As described above, according to the present embodiment, the security software 25-1 that is the information leakage prevention program connects the terminal device 20 to the server, and updates the first information with the information received from the server. The terminal device 20 is caused to function as a means. Therefore, it becomes possible to update host PC registration information etc. via a server. That is, since the host PC registration information stores the unique values of a plurality of PCs belonging to a specific group, a plurality of host PCs can be realized. For example, the storage device 10 can be used as a general USB memory between a plurality of PCs belonging to a specific group. On the other hand, since an external PC that does not belong to a specific group cannot be a host PC, access to data related to the storage device 10 is restricted. Therefore, the security of the storage device 10 can be maintained flexibly.

  In this embodiment, the security level can be changed for each user group by group management. Of course, if the security level for each user is received from the server and stored in the host PC registration information 18-1, the security level can be changed for each user.

Claims (12)

A storage device detachable from a general-purpose interface provided in a terminal device,
Of the first storage area that can be read only alternatively recognized by the terminal device, the second storage area that can be read and written , and the process executed in the terminal device, the second storage area A third storage area storing a list for restricting the operation of the process with respect to the storage area ;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
An information leakage prevention program stored in the first storage area and preventing information leakage according to the list;
With
The first storage area and the second storage area are different partitions;
The switching program causes the terminal device to switch the partition that is the first storage area to an invisible state, and then switches the partition that is the second storage area to a visible state. . A first controller that switches a storage area recognized by the terminal apparatus from the first storage area to the second storage area by receiving a switching command issued by the terminal apparatus according to the switching program; ,
Further comprising
2. The storage according to claim 1, wherein the first controller changes a logical unit number of the first storage area and a logical unit number of the second storage area when receiving the switching command. apparatus.   The switching program serves as a maintenance unit that maintains a drive letter assigned to the storage device even when the storage region recognized by the terminal device is switched from the first storage region to the second storage region. The storage device according to claim 1, wherein the storage device functions. A method for controlling a storage device detachable from a general-purpose interface provided in a terminal device,
The storage device
Of the first storage area that can be read only alternatively recognized by the terminal device, the second storage area that can be read and written , and the process executed in the terminal device, the second storage area A third storage area storing a list for restricting the operation of the process with respect to the storage area ;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
An information leakage prevention program stored in the first storage area and preventing information leakage according to the list;
With
The control method is:
When the terminal device is connected to the storage device, the step of reading and executing the startup file from the first storage area;
Executing the switching program according to the startup file;
Switching the storage area recognized by the terminal device from the first storage area to the second storage area according to the switching program, wherein the first storage area and the second storage area are: And a step of switching the partition which is the second storage area to the visible state after switching the partition which is the first storage area to the invisible state. A first storage area that can be attached to and detached from a general-purpose interface provided in the terminal device, and that can be selectively recognized by the terminal device; a second storage area that can be read and written ; and Of the processes executed in the terminal device, a computer program when connected to the terminal device in a storage device having a third storage area storing a list for restricting the operation of the process for the second storage area A computer program stored in the first storage area together with an activation file for activating the terminal device and an information leakage prevention program for preventing information leakage according to the list ,
When the computer program is activated by the terminal device according to the activation file read from the first storage area by connecting the storage device to the terminal device,
Switching means for switching a storage area recognized by the terminal device from the first storage area to the second storage area, wherein the first storage area and the second storage area are different partitions. A computer program for causing the terminal device to function as switching means for switching the partition that is the second storage area to the visible state after switching the partition that is the first storage area to the invisible state . A terminal device for connecting a removable storage device to a general-purpose interface,
The storage device
Of the first storage area that can be read only alternatively recognized by the terminal device, the second storage area that can be read and written , and the process executed in the terminal device, the second storage area A third storage area storing a list for restricting the operation of the process with respect to the storage area ;
A switching program for switching the storage area stored in the first storage area and recognized by the terminal device from the first storage area to the second storage area;
An activation file stored in the first storage area and for activating the switching program in the terminal device when the storage device is connected to the terminal device;
An information leakage prevention program stored in the first storage area and preventing information leakage according to the list;
With
The terminal device
Means for reading the startup file from the first storage area and executing the switching program according to the startup file when the storage device is connected;
Switching means for switching a storage area recognizable from the terminal device from the first storage area to the second storage area in accordance with the switching program, the first storage area and the second storage area Are different partitions, and include switching means for switching the partition which is the second storage area to the visible state after switching the partition which is the first storage area to the invisible state according to the switching program. Characteristic terminal device. The information leakage prevention program temporarily changes a registry in order to prevent file leakage by a file operation program or a mailer program registered in the list, or returns a changed registry to the previous one. as a storage device according to claim 1, characterized in that to function the terminal device. In order to prevent the leakage of files by the file operation program registered in the list, the information leakage prevention program
It is connected, or the means for temporarily disabling the particular communication device is additionally connected, a storage device according to claim 1, characterized in that to function the terminal device. The information leakage prevention program causes the terminal device to function as a means for temporarily invalidating a flexible drive that is connected or additionally connected in order to prevent file leakage by the flexible disk drive. The storage device according to claim 1 . When the display of a dialog for copying the information leakage target file or a part thereof on the memory of the terminal device is designated, the information leakage prevention program is used as the dialog prohibiting means for prohibiting the display of the dialog. The storage device according to claim 1 , wherein the device is made to function. The information leakage prevention program monitors a drag-and-drop between a plurality of windows for an information leakage target file or a part thereof, and as a drag-and-drop prohibiting unit for prohibiting the execution when the drag-and-drop is designated. the storage device according to claim 1, characterized in that to function the terminal device. The information leakage prevention program causes the terminal device to function as a clipboard exclusive means for preventing copying of an information leakage target file or a part thereof to the clipboard by monopolizing the use of the clipboard. The storage device according to claim 1 .

Images